From 2521073dba2c7aa62b14a0859c1e717f3aee2d30 Mon Sep 17 00:00:00 2001 From: Jens L Date: Thu, 21 Dec 2023 14:43:40 +0100 Subject: [PATCH] providers/scim: use lock for sync (#7948) * providers/scim: use lock for sync Signed-off-by: Jens Langhammer * fix Signed-off-by: Jens Langhammer --------- Signed-off-by: Jens Langhammer --- authentik/providers/scim/api/providers.py | 22 ++++++-- authentik/providers/scim/models.py | 12 +++++ authentik/providers/scim/tasks.py | 4 ++ schema.yml | 17 +++++- .../admin-overview/charts/SyncStatusChart.ts | 19 +++---- .../providers/scim/SCIMProviderViewPage.ts | 53 ++++++++++++++----- web/xliff/de.xlf | 3 -- web/xliff/en.xlf | 4 -- web/xliff/es.xlf | 3 -- web/xliff/fr.xlf | 5 -- web/xliff/pl.xlf | 3 -- web/xliff/pseudo-LOCALE.xlf | 5 -- web/xliff/tr.xlf | 3 -- web/xliff/zh-Hans.xlf | 53 +++++++++---------- web/xliff/zh-Hant.xlf | 3 -- web/xliff/zh_TW.xlf | 5 -- 16 files changed, 123 insertions(+), 91 deletions(-) diff --git a/authentik/providers/scim/api/providers.py b/authentik/providers/scim/api/providers.py index 546e62e65..ddca8cfef 100644 --- a/authentik/providers/scim/api/providers.py +++ b/authentik/providers/scim/api/providers.py @@ -2,6 +2,7 @@ from django.utils.text import slugify from drf_spectacular.utils import OpenApiResponse, extend_schema from rest_framework.decorators import action +from rest_framework.fields import BooleanField from rest_framework.request import Request from rest_framework.response import Response from rest_framework.viewsets import ModelViewSet @@ -9,6 +10,7 @@ from rest_framework.viewsets import ModelViewSet from authentik.admin.api.tasks import TaskSerializer from authentik.core.api.providers import ProviderSerializer from authentik.core.api.used_by import UsedByMixin +from authentik.core.api.utils import PassiveSerializer from authentik.events.monitored_tasks import TaskInfo from authentik.providers.scim.models import SCIMProvider @@ -37,6 +39,13 @@ class SCIMProviderSerializer(ProviderSerializer): extra_kwargs = {} +class SCIMSyncStatusSerializer(PassiveSerializer): + """SCIM Provider sync status""" + + is_running = BooleanField(read_only=True) + tasks = TaskSerializer(many=True, read_only=True) + + class SCIMProviderViewSet(UsedByMixin, ModelViewSet): """SCIMProvider Viewset""" @@ -48,15 +57,18 @@ class SCIMProviderViewSet(UsedByMixin, ModelViewSet): @extend_schema( responses={ - 200: TaskSerializer(), + 200: SCIMSyncStatusSerializer(), 404: OpenApiResponse(description="Task not found"), } ) @action(methods=["GET"], detail=True, pagination_class=None, filter_backends=[]) def sync_status(self, request: Request, pk: int) -> Response: """Get provider's sync status""" - provider = self.get_object() + provider: SCIMProvider = self.get_object() task = TaskInfo.by_name(f"scim_sync:{slugify(provider.name)}") - if not task: - return Response(status=404) - return Response(TaskSerializer(task).data) + tasks = [task] if task else [] + status = { + "tasks": tasks, + "is_running": provider.sync_lock.locked(), + } + return Response(SCIMSyncStatusSerializer(status).data) diff --git a/authentik/providers/scim/models.py b/authentik/providers/scim/models.py index ac27288f3..b43a59375 100644 --- a/authentik/providers/scim/models.py +++ b/authentik/providers/scim/models.py @@ -1,11 +1,14 @@ """SCIM Provider models""" +from django.core.cache import cache from django.db import models from django.db.models import QuerySet from django.utils.translation import gettext_lazy as _ from guardian.shortcuts import get_anonymous_user +from redis.lock import Lock from rest_framework.serializers import Serializer from authentik.core.models import BackchannelProvider, Group, PropertyMapping, User, UserTypes +from authentik.providers.scim.clients import PAGE_TIMEOUT class SCIMProvider(BackchannelProvider): @@ -27,6 +30,15 @@ class SCIMProvider(BackchannelProvider): help_text=_("Property mappings used for group creation/updating."), ) + @property + def sync_lock(self) -> Lock: + """Redis lock for syncing SCIM to prevent multiple parallel syncs happening""" + return Lock( + cache.client.get_client(), + name=f"goauthentik.io/providers/scim/sync-{str(self.pk)}", + timeout=(60 * 60 * PAGE_TIMEOUT) * 3, + ) + def get_user_qs(self) -> QuerySet[User]: """Get queryset of all users with consistent ordering according to the provider's settings""" diff --git a/authentik/providers/scim/tasks.py b/authentik/providers/scim/tasks.py index c0c074ea4..7b16b293e 100644 --- a/authentik/providers/scim/tasks.py +++ b/authentik/providers/scim/tasks.py @@ -47,6 +47,10 @@ def scim_sync(self: MonitoredTask, provider_pk: int) -> None: ).first() if not provider: return + lock = provider.sync_lock + if lock.locked(): + LOGGER.debug("SCIM sync locked, skipping task", source=provider.name) + return self.set_uid(slugify(provider.name)) result = TaskResult(TaskResultStatus.SUCCESSFUL, []) result.messages.append(_("Starting full SCIM sync")) diff --git a/schema.yml b/schema.yml index fee6b8d3d..daded5c6d 100644 --- a/schema.yml +++ b/schema.yml @@ -17079,7 +17079,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/Task' + $ref: '#/components/schemas/SCIMSyncStatus' description: '' '404': description: Task not found @@ -40645,6 +40645,21 @@ components: - name - token - url + SCIMSyncStatus: + type: object + description: SCIM Provider sync status + properties: + is_running: + type: boolean + readOnly: true + tasks: + type: array + items: + $ref: '#/components/schemas/Task' + readOnly: true + required: + - is_running + - tasks SMSDevice: type: object description: Serializer for sms authenticator devices diff --git a/web/src/admin/admin-overview/charts/SyncStatusChart.ts b/web/src/admin/admin-overview/charts/SyncStatusChart.ts index 28747d682..d9a3cce6c 100644 --- a/web/src/admin/admin-overview/charts/SyncStatusChart.ts +++ b/web/src/admin/admin-overview/charts/SyncStatusChart.ts @@ -93,15 +93,16 @@ export class LDAPSyncStatusChart extends AKChart { const health = await api.providersScimSyncStatusRetrieve({ id: element.pk, }); - - if (health.status !== TaskStatusEnum.Successful) { - sourceKey = "failed"; - } - const now = new Date().getTime(); - const maxDelta = 3600000; // 1 hour - if (!health || now - health.taskFinishTimestamp.getTime() > maxDelta) { - sourceKey = "unsynced"; - } + health.tasks.forEach((task) => { + if (task.status !== TaskStatusEnum.Successful) { + sourceKey = "failed"; + } + const now = new Date().getTime(); + const maxDelta = 3600000; // 1 hour + if (!health || now - task.taskFinishTimestamp.getTime() > maxDelta) { + sourceKey = "unsynced"; + } + }); } catch { sourceKey = "unsynced"; } diff --git a/web/src/admin/providers/scim/SCIMProviderViewPage.ts b/web/src/admin/providers/scim/SCIMProviderViewPage.ts index 3998c7c81..d745ed55e 100644 --- a/web/src/admin/providers/scim/SCIMProviderViewPage.ts +++ b/web/src/admin/providers/scim/SCIMProviderViewPage.ts @@ -10,7 +10,7 @@ import "@goauthentik/elements/Tabs"; import "@goauthentik/elements/buttons/ActionButton"; import "@goauthentik/elements/buttons/ModalButton"; -import { msg } from "@lit/localize"; +import { msg, str } from "@lit/localize"; import { CSSResult, TemplateResult, html } from "lit"; import { customElement, property, state } from "lit/decorators.js"; @@ -31,7 +31,8 @@ import { ProvidersApi, RbacPermissionsAssignedByUsersListModelEnum, SCIMProvider, - Task, + SCIMSyncStatus, + TaskStatusEnum, } from "@goauthentik/api"; @customElement("ak-provider-scim-view") @@ -54,7 +55,7 @@ export class SCIMProviderViewPage extends AKElement { provider?: SCIMProvider; @state() - syncState?: Task; + syncState?: SCIMSyncStatus; static get styles(): CSSResult[] { return [ @@ -128,6 +129,41 @@ export class SCIMProviderViewPage extends AKElement { `; } + renderSyncStatus(): TemplateResult { + if (!this.syncState) { + return html`${msg("No sync status.")}`; + } + if (this.syncState.isRunning) { + return html`${msg("Sync currently running.")}`; + } + if (this.syncState.tasks.length < 1) { + return html`${msg("Not synced yet.")}`; + } + return html` +
    + ${this.syncState.tasks.map((task) => { + let header = ""; + if (task.status === TaskStatusEnum.Warning) { + header = msg("Task finished with warnings"); + } else if (task.status === TaskStatusEnum.Error) { + header = msg("Task finished with errors"); + } else { + header = msg(str`Last sync: ${task.taskFinishTimestamp.toLocaleString()}`); + } + return html`
  • +

    ${task.taskName}

    +
      +
    • ${header}
      • + ${task.messages.map((m) => { + return html`
    • ${m}
      • `; + })} +
    +
    • `; + })} +
+ `; + } + renderTabOverview(): TemplateResult { if (!this.provider) { return html``; @@ -186,16 +222,7 @@ export class SCIMProviderViewPage extends AKElement {

${msg("Sync status")}

-
- ${this.syncState - ? html`
    - ${this.syncState.messages.map((m) => { - return html`
  • ${m}
    • `; - })} -
` - : html` ${msg("Sync not run yet.")} `} -
- +
${this.renderSyncStatus()}
Update SCIM Provider - - Sync not run yet. - Run sync again Synchronisation erneut ausführen diff --git a/web/xliff/en.xlf b/web/xliff/en.xlf index 6b64a65bc..29f454e9b 100644 --- a/web/xliff/en.xlf +++ b/web/xliff/en.xlf @@ -1779,10 +1779,6 @@ Update SCIM Provider Update SCIM Provider - - Sync not run yet. - Sync not run yet. - Run sync again Run sync again diff --git a/web/xliff/es.xlf b/web/xliff/es.xlf index 3b5585585..3d45d2983 100644 --- a/web/xliff/es.xlf +++ b/web/xliff/es.xlf @@ -1660,9 +1660,6 @@ Update SCIM Provider - - Sync not run yet. - Run sync again Vuelve a ejecutar la sincronización diff --git a/web/xliff/fr.xlf b/web/xliff/fr.xlf index 6a1a04d0e..63b478d2a 100644 --- a/web/xliff/fr.xlf +++ b/web/xliff/fr.xlf @@ -2216,11 +2216,6 @@ Il y a jour(s) Update SCIM Provider Mettre à jour le fournisseur SCIM - - - Sync not run yet. - La synchronisation n'a pas encore été lancée. - Run sync again diff --git a/web/xliff/pl.xlf b/web/xliff/pl.xlf index 3032efbe7..3dbed2422 100644 --- a/web/xliff/pl.xlf +++ b/web/xliff/pl.xlf @@ -1714,9 +1714,6 @@ Update SCIM Provider - - Sync not run yet. - Run sync again Uruchom ponownie synchronizację diff --git a/web/xliff/pseudo-LOCALE.xlf b/web/xliff/pseudo-LOCALE.xlf index 4ba11cc6a..ecd85ea7c 100644 --- a/web/xliff/pseudo-LOCALE.xlf +++ b/web/xliff/pseudo-LOCALE.xlf @@ -2196,11 +2196,6 @@ Update SCIM Provider Ũƥďàţē ŚĆĨM Ƥŕōvĩďēŕ - - - Sync not run yet. - Śŷńć ńōţ ŕũń ŷēţ. - Run sync again diff --git a/web/xliff/tr.xlf b/web/xliff/tr.xlf index 798c86b63..1b95f3f75 100644 --- a/web/xliff/tr.xlf +++ b/web/xliff/tr.xlf @@ -1659,9 +1659,6 @@ Update SCIM Provider - - Sync not run yet. - Run sync again Eşzamanlamayı tekrar çalıştır diff --git a/web/xliff/zh-Hans.xlf b/web/xliff/zh-Hans.xlf index e616d5e7b..5d5a436a7 100644 --- a/web/xliff/zh-Hans.xlf +++ b/web/xliff/zh-Hans.xlf @@ -1,4 +1,4 @@ - + @@ -613,9 +613,9 @@ - The URL "" was not found. - 未找到 URL " - "。 + The URL "" was not found. + 未找到 URL " + "。 @@ -1057,8 +1057,8 @@ - To allow any redirect URI, set this value to ".*". Be aware of the possible security implications this can have. - 要允许任何重定向 URI,请将此值设置为 ".*"。请注意这可能带来的安全影响。 + To allow any redirect URI, set this value to ".*". Be aware of the possible security implications this can have. + 要允许任何重定向 URI,请将此值设置为 ".*"。请注意这可能带来的安全影响。 @@ -1799,8 +1799,8 @@ - Either input a full URL, a relative path, or use 'fa://fa-test' to use the Font Awesome icon "fa-test". - 输入完整 URL、相对路径,或者使用 'fa://fa-test' 来使用 Font Awesome 图标 "fa-test"。 + Either input a full URL, a relative path, or use 'fa://fa-test' to use the Font Awesome icon "fa-test". + 输入完整 URL、相对路径,或者使用 'fa://fa-test' 来使用 Font Awesome 图标 "fa-test"。 @@ -2217,11 +2217,6 @@ Update SCIM Provider 更新 SCIM 提供程序 - - - Sync not run yet. - 尚未同步过。 - Run sync again @@ -2988,8 +2983,8 @@ doesn't pass when either or both of the selected options are equal or above the - Field which contains members of a group. Note that if using the "memberUid" field, the value is assumed to contain a relative distinguished name. e.g. 'memberUid=some-user' instead of 'memberUid=cn=some-user,ou=groups,...' - 包含组成员的字段。请注意,如果使用 "memberUid" 字段,则假定该值包含相对可分辨名称。例如,'memberUid=some-user' 而不是 'memberUid=cn=some-user,ou=groups,...' + Field which contains members of a group. Note that if using the "memberUid" field, the value is assumed to contain a relative distinguished name. e.g. 'memberUid=some-user' instead of 'memberUid=cn=some-user,ou=groups,...' + 包含组成员的字段。请注意,如果使用 "memberUid" 字段,则假定该值包含相对可分辨名称。例如,'memberUid=some-user' 而不是 'memberUid=cn=some-user,ou=groups,...' @@ -3781,8 +3776,8 @@ doesn't pass when either or both of the selected options are equal or above the - When using an external logging solution for archiving, this can be set to "minutes=5". - 使用外部日志记录解决方案进行存档时,可以将其设置为 "minutes=5"。 + When using an external logging solution for archiving, this can be set to "minutes=5". + 使用外部日志记录解决方案进行存档时,可以将其设置为 "minutes=5"。 @@ -3791,8 +3786,8 @@ doesn't pass when either or both of the selected options are equal or above the - Format: "weeks=3;days=2;hours=3,seconds=2". - 格式:"weeks=3;days=2;hours=3,seconds=2"。 + Format: "weeks=3;days=2;hours=3,seconds=2". + 格式:"weeks=3;days=2;hours=3,seconds=2"。 @@ -3988,10 +3983,10 @@ doesn't pass when either or both of the selected options are equal or above the - Are you sure you want to update ""? + Are you sure you want to update ""? 您确定要更新 - " - " 吗? + " + " 吗? @@ -5077,7 +5072,7 @@ doesn't pass when either or both of the selected options are equal or above the - A "roaming" authenticator, like a YubiKey + A "roaming" authenticator, like a YubiKey 像 YubiKey 这样的“漫游”身份验证器 @@ -5412,10 +5407,10 @@ doesn't pass when either or both of the selected options are equal or above the - ("", of type ) + ("", of type ) - (" - ",类型为 + (" + ",类型为 @@ -5464,7 +5459,7 @@ doesn't pass when either or both of the selected options are equal or above the - If set to a duration above 0, the user will have the option to choose to "stay signed in", which will extend their session by the time specified here. + If set to a duration above 0, the user will have the option to choose to "stay signed in", which will extend their session by the time specified here. 如果设置时长大于 0,用户可以选择“保持登录”选项,这将使用户的会话延长此处设置的时间。 @@ -7970,7 +7965,7 @@ Bindings to groups/users are checked against the user of the event. 成功创建用户并添加到组 - This user will be added to the group "". + This user will be added to the group "". 此用户将会被添加到组 &quot;&quot;。 @@ -8051,4 +8046,4 @@ Bindings to groups/users are checked against the user of the event. - \ No newline at end of file + diff --git a/web/xliff/zh-Hant.xlf b/web/xliff/zh-Hant.xlf index 63ba2b4ec..ff31e2854 100644 --- a/web/xliff/zh-Hant.xlf +++ b/web/xliff/zh-Hant.xlf @@ -1673,9 +1673,6 @@ Update SCIM Provider - - Sync not run yet. - Run sync again 再次运行同步 diff --git a/web/xliff/zh_TW.xlf b/web/xliff/zh_TW.xlf index 376197f66..66c5d3228 100644 --- a/web/xliff/zh_TW.xlf +++ b/web/xliff/zh_TW.xlf @@ -2198,11 +2198,6 @@ Update SCIM Provider 更新 SCIM 供應商 - - - Sync not run yet. - 尚未執行同步。 - Run sync again