stages/identification: allow selection of no user fields to only allow login via sources

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
Jens Langhammer 2021-04-30 01:07:37 +02:00
parent bf7d110af3
commit 34c45900c2
8 changed files with 123 additions and 69 deletions

View file

@ -0,0 +1,27 @@
# Generated by Django 3.2 on 2021-04-29 22:56
import django.contrib.postgres.fields
from django.db import migrations, models
class Migration(migrations.Migration):
dependencies = [
("authentik_stages_identification", "0007_remove_identificationstage_template"),
]
operations = [
migrations.AlterField(
model_name="identificationstage",
name="user_fields",
field=django.contrib.postgres.fields.ArrayField(
base_field=models.CharField(
choices=[("email", "E Mail"), ("username", "Username")],
max_length=100,
),
blank=True,
help_text="Fields of the user object to match against. (Hold shift to select multiple options)",
size=None,
),
),
]

View file

@ -22,6 +22,7 @@ class IdentificationStage(Stage):
user_fields = ArrayField(
models.CharField(max_length=100, choices=UserFields.choices),
blank=True,
help_text=_(
(
"Fields of the user object to match against. "

View file

@ -7,7 +7,7 @@ from django.db.models import Q
from django.http import HttpResponse
from django.urls import reverse
from django.utils.translation import gettext as _
from rest_framework.fields import CharField
from rest_framework.fields import CharField, ListField
from rest_framework.serializers import ValidationError
from structlog.stdlib import get_logger
@ -28,7 +28,7 @@ LOGGER = get_logger()
class IdentificationChallenge(Challenge):
"""Identification challenges with all UI elements"""
input_type = CharField()
user_fields = ListField(CharField(), allow_empty=True, allow_null=True)
application_pre = CharField(required=False)
enroll_url = CharField(required=False)
@ -83,11 +83,9 @@ class IdentificationStageView(ChallengeStageView):
"type": ChallengeTypes.NATIVE.value,
"component": "ak-stage-identification",
"primary_action": _("Log in"),
"input_type": "text",
"user_fields": current_stage.user_fields,
}
)
if current_stage.user_fields == [UserFields.E_MAIL]:
challenge.initial_data["input_type"] = "email"
# If the user has been redirected to us whilst trying to access an
# application, SESSION_KEY_APPLICATION_PRE is set in the session
if SESSION_KEY_APPLICATION_PRE in self.request.session:

View file

@ -17950,7 +17950,6 @@ definitions:
IdentificationStage:
required:
- name
- user_fields
type: object
properties:
pk:

View file

@ -22,7 +22,7 @@ export const PasswordManagerPrefill: {
export interface IdentificationChallenge extends Challenge {
input_type: string;
user_fields?: string[];
primary_action: string;
sources?: UILoginButton[];
@ -154,6 +154,43 @@ export class IdentificationStage extends BaseStage {
</div>`;
}
renderInput(): TemplateResult {
let label = "";
let type = "text";
if (!this.challenge?.user_fields) {
return html`<p>
${t`Select one of the sources below to login.`}
</p>`;
}
if (this.challenge?.user_fields === ["email"]) {
label = t`Email`;
type = "email";
} else if (this.challenge?.user_fields === ["username"]) {
label = t`Username`;
} else {
label = t`Email or username`;
}
return html`<ak-form-element
label=${label}
?required="${true}"
class="pf-c-form__group"
.errors=${(this.challenge?.response_errors || {})["uid_field"]}>
<!-- @ts-ignore -->
<input type=${type}
name="uid_field"
placeholder="Email or Username"
autofocus=""
autocomplete="username"
class="pf-c-form-control"
required>
</ak-form-element>
<div class="pf-c-form__group pf-m-action">
<button type="submit" class="pf-c-button pf-m-primary pf-m-block">
${this.challenge.primary_action}
</button>
</div>`;
}
render(): TemplateResult {
if (!this.challenge) {
return html`<ak-empty-state
@ -173,26 +210,7 @@ export class IdentificationStage extends BaseStage {
${t`Login to continue to ${this.challenge.application_pre}.`}
</p>`:
html``}
<ak-form-element
label="${t`Email or Username`}"
?required="${true}"
class="pf-c-form__group"
.errors=${(this.challenge?.response_errors || {})["uid_field"]}>
<input type="text"
name="uid_field"
placeholder="Email or Username"
autofocus=""
autocomplete="username"
class="pf-c-form-control"
required>
</ak-form-element>
<div class="pf-c-form__group pf-m-action">
<button type="submit" class="pf-c-button pf-m-primary pf-m-block">
${this.challenge.primary_action}
</button>
</div>
${this.renderInput()}
</form>
</div>
<footer class="pf-c-login__main-footer">

View file

@ -428,7 +428,7 @@ msgstr "Can be in the format of 'unix://' when connecting to a local docker daem
msgid "Cancel"
msgstr "Cancel"
#: src/pages/stages/identification/IdentificationStageForm.ts:92
#: src/pages/stages/identification/IdentificationStageForm.ts:91
msgid "Case insensitive matching"
msgstr "Case insensitive matching"
@ -1086,8 +1086,9 @@ msgstr "Edit User"
msgid "Either no applications are defined, or you don't have access to any."
msgstr "Either no applications are defined, or you don't have access to any."
#: src/flows/stages/identification/IdentificationStage.ts:138
#: src/pages/events/TransportForm.ts:46
#: src/pages/stages/identification/IdentificationStageForm.ts:82
#: src/pages/stages/identification/IdentificationStageForm.ts:81
#: src/pages/user-settings/UserDetailsPage.ts:71
#: src/pages/users/UserForm.ts:61
#: src/pages/users/UserViewPage.ts:100
@ -1098,9 +1099,9 @@ msgstr "Email"
msgid "Email address"
msgstr "Email address"
#: src/flows/stages/identification/IdentificationStage.ts:150
msgid "Email or Username"
msgstr "Email or Username"
#: src/flows/stages/identification/IdentificationStage.ts:145
msgid "Email or username"
msgstr "Email or username"
#: src/pages/stages/prompt/PromptForm.ts:51
msgid "Email: Text field with Email type."
@ -1145,7 +1146,7 @@ msgstr "Enrollment"
#: src/pages/sources/oauth/OAuthSourceForm.ts:210
#: src/pages/sources/saml/SAMLSourceForm.ts:266
#: src/pages/stages/identification/IdentificationStageForm.ts:107
#: src/pages/stages/identification/IdentificationStageForm.ts:106
msgid "Enrollment flow"
msgstr "Enrollment flow"
@ -1342,9 +1343,9 @@ msgstr "Field which contains members of a group."
msgid "Fields"
msgstr "Fields"
#: src/pages/stages/identification/IdentificationStageForm.ts:85
msgid "Fields a user can identify themselves with."
msgstr "Fields a user can identify themselves with."
#: src/pages/stages/identification/IdentificationStageForm.ts:84
msgid "Fields a user can identify themselves with. If no fields are selected, the user will only be able to use sources."
msgstr "Fields a user can identify themselves with. If no fields are selected, the user will only be able to use sources."
#: src/pages/flows/FlowImportForm.ts:34
#: src/pages/flows/FlowListPage.ts:79
@ -1510,7 +1511,7 @@ msgstr "Hide managed mappings"
#: src/pages/sources/ldap/LDAPSourceForm.ts:167
#: src/pages/sources/ldap/LDAPSourceForm.ts:193
#: src/pages/stages/authenticator_validate/AuthenticatorValidateStageForm.ts:114
#: src/pages/stages/identification/IdentificationStageForm.ts:86
#: src/pages/stages/identification/IdentificationStageForm.ts:85
#: src/pages/stages/password/PasswordStageForm.ts:86
#: src/pages/stages/prompt/PromptStageForm.ts:87
#: src/pages/stages/prompt/PromptStageForm.ts:121
@ -1704,7 +1705,7 @@ msgstr "Library"
#: src/flows/stages/consent/ConsentStage.ts:28
#: src/flows/stages/dummy/DummyStage.ts:27
#: src/flows/stages/email/EmailStage.ts:26
#: src/flows/stages/identification/IdentificationStage.ts:133
#: src/flows/stages/identification/IdentificationStage.ts:170
#: src/flows/stages/password/PasswordStage.ts:31
#: src/flows/stages/prompt/PromptStage.ts:126
#: src/pages/applications/ApplicationViewPage.ts:43
@ -1757,8 +1758,8 @@ msgstr "Loading"
#: src/pages/stages/authenticator_totp/AuthenticatorTOTPStageForm.ts:96
#: src/pages/stages/authenticator_validate/AuthenticatorValidateStageForm.ts:131
#: src/pages/stages/email/EmailStageForm.ts:170
#: src/pages/stages/identification/IdentificationStageForm.ts:120
#: src/pages/stages/identification/IdentificationStageForm.ts:138
#: src/pages/stages/identification/IdentificationStageForm.ts:119
#: src/pages/stages/identification/IdentificationStageForm.ts:137
#: src/pages/stages/password/PasswordStageForm.ts:106
#: src/pages/stages/prompt/PromptStageForm.ts:85
#: src/pages/stages/prompt/PromptStageForm.ts:118
@ -1779,7 +1780,7 @@ msgstr "Log the currently pending user in."
msgid "Login password is synced from LDAP into authentik automatically. Enable this option only to write password changes in authentik back to LDAP."
msgstr "Login password is synced from LDAP into authentik automatically. Enable this option only to write password changes in authentik back to LDAP."
#: src/flows/stages/identification/IdentificationStage.ts:145
#: src/flows/stages/identification/IdentificationStage.ts:182
msgid "Login to continue to {0}."
msgstr "Login to continue to {0}."
@ -2165,11 +2166,11 @@ msgstr "Optional URL if the IDP supports Single-Logout."
msgid "Optional data which is loaded into the flow's 'prompt_data' context variable. YAML or JSON."
msgstr "Optional data which is loaded into the flow's 'prompt_data' context variable. YAML or JSON."
#: src/pages/stages/identification/IdentificationStageForm.ts:122
#: src/pages/stages/identification/IdentificationStageForm.ts:121
msgid "Optional enrollment flow, which is linked at the bottom of the page."
msgstr "Optional enrollment flow, which is linked at the bottom of the page."
#: src/pages/stages/identification/IdentificationStageForm.ts:140
#: src/pages/stages/identification/IdentificationStageForm.ts:139
msgid "Optional recovery flow, which is linked at the bottom of the page."
msgstr "Optional recovery flow, which is linked at the bottom of the page."
@ -2503,7 +2504,7 @@ msgstr "Re-evaluate policies"
msgid "Recovery"
msgstr "Recovery"
#: src/pages/stages/identification/IdentificationStageForm.ts:125
#: src/pages/stages/identification/IdentificationStageForm.ts:124
msgid "Recovery flow"
msgstr "Recovery flow"
@ -2709,6 +2710,10 @@ msgstr "Select all rows"
msgid "Select an identification method."
msgstr "Select an identification method."
#: src/flows/stages/identification/IdentificationStage.ts:134
msgid "Select one of the sources below to login."
msgstr "Select one of the sources below to login."
#: src/pages/groups/MemberSelectModal.ts:68
msgid "Select users to add"
msgstr "Select users to add"
@ -2807,7 +2812,7 @@ msgstr "Severity"
msgid "Show arbitrary input fields to the user, for example during enrollment. Data is saved in the flow context under the 'prompt_data' variable."
msgstr "Show arbitrary input fields to the user, for example during enrollment. Data is saved in the flow context under the 'prompt_data' variable."
#: src/pages/stages/identification/IdentificationStageForm.ts:101
#: src/pages/stages/identification/IdentificationStageForm.ts:100
msgid "Show matched user"
msgstr "Show matched user"
@ -3741,7 +3746,8 @@ msgstr "User/Group Attribute used for the user part of the HTTP-Basic Header. If
msgid "Userinfo URL"
msgstr "Userinfo URL"
#: src/pages/stages/identification/IdentificationStageForm.ts:79
#: src/flows/stages/identification/IdentificationStage.ts:142
#: src/pages/stages/identification/IdentificationStageForm.ts:78
#: src/pages/user-settings/UserDetailsPage.ts:57
#: src/pages/users/UserForm.ts:47
#: src/pages/users/UserViewPage.ts:84
@ -3863,7 +3869,7 @@ msgstr "Webhook (generic)"
msgid "Webhook URL"
msgstr "Webhook URL"
#: src/pages/stages/identification/IdentificationStageForm.ts:104
#: src/pages/stages/identification/IdentificationStageForm.ts:103
msgid "When a valid username/email has been entered, and this option is enabled, the user's username and avatar will be shown. Otherwise, the text that the user entered will be shown."
msgstr "When a valid username/email has been entered, and this option is enabled, the user's username and avatar will be shown. Otherwise, the text that the user entered will be shown."
@ -3871,7 +3877,7 @@ msgstr "When a valid username/email has been entered, and this option is enabled
msgid "When enabled, global Email connection settings will be used and connection settings below will be ignored."
msgstr "When enabled, global Email connection settings will be used and connection settings below will be ignored."
#: src/pages/stages/identification/IdentificationStageForm.ts:95
#: src/pages/stages/identification/IdentificationStageForm.ts:94
msgid "When enabled, user fields are matched regardless of their casing."
msgstr "When enabled, user fields are matched regardless of their casing."

View file

@ -424,7 +424,7 @@ msgstr ""
msgid "Cancel"
msgstr ""
#: src/pages/stages/identification/IdentificationStageForm.ts:92
#: src/pages/stages/identification/IdentificationStageForm.ts:91
msgid "Case insensitive matching"
msgstr ""
@ -1078,8 +1078,9 @@ msgstr ""
msgid "Either no applications are defined, or you don't have access to any."
msgstr ""
#: src/flows/stages/identification/IdentificationStage.ts:138
#: src/pages/events/TransportForm.ts:46
#: src/pages/stages/identification/IdentificationStageForm.ts:82
#: src/pages/stages/identification/IdentificationStageForm.ts:81
#: src/pages/user-settings/UserDetailsPage.ts:71
#: src/pages/users/UserForm.ts:61
#: src/pages/users/UserViewPage.ts:100
@ -1090,8 +1091,8 @@ msgstr ""
msgid "Email address"
msgstr ""
#: src/flows/stages/identification/IdentificationStage.ts:150
msgid "Email or Username"
#: src/flows/stages/identification/IdentificationStage.ts:145
msgid "Email or username"
msgstr ""
#: src/pages/stages/prompt/PromptForm.ts:51
@ -1137,7 +1138,7 @@ msgstr ""
#: src/pages/sources/oauth/OAuthSourceForm.ts:210
#: src/pages/sources/saml/SAMLSourceForm.ts:266
#: src/pages/stages/identification/IdentificationStageForm.ts:107
#: src/pages/stages/identification/IdentificationStageForm.ts:106
msgid "Enrollment flow"
msgstr ""
@ -1334,8 +1335,8 @@ msgstr ""
msgid "Fields"
msgstr ""
#: src/pages/stages/identification/IdentificationStageForm.ts:85
msgid "Fields a user can identify themselves with."
#: src/pages/stages/identification/IdentificationStageForm.ts:84
msgid "Fields a user can identify themselves with. If no fields are selected, the user will only be able to use sources."
msgstr ""
#: src/pages/flows/FlowImportForm.ts:34
@ -1502,7 +1503,7 @@ msgstr ""
#: src/pages/sources/ldap/LDAPSourceForm.ts:167
#: src/pages/sources/ldap/LDAPSourceForm.ts:193
#: src/pages/stages/authenticator_validate/AuthenticatorValidateStageForm.ts:114
#: src/pages/stages/identification/IdentificationStageForm.ts:86
#: src/pages/stages/identification/IdentificationStageForm.ts:85
#: src/pages/stages/password/PasswordStageForm.ts:86
#: src/pages/stages/prompt/PromptStageForm.ts:87
#: src/pages/stages/prompt/PromptStageForm.ts:121
@ -1696,7 +1697,7 @@ msgstr ""
#: src/flows/stages/consent/ConsentStage.ts:28
#: src/flows/stages/dummy/DummyStage.ts:27
#: src/flows/stages/email/EmailStage.ts:26
#: src/flows/stages/identification/IdentificationStage.ts:133
#: src/flows/stages/identification/IdentificationStage.ts:170
#: src/flows/stages/password/PasswordStage.ts:31
#: src/flows/stages/prompt/PromptStage.ts:126
#: src/pages/applications/ApplicationViewPage.ts:43
@ -1749,8 +1750,8 @@ msgstr ""
#: src/pages/stages/authenticator_totp/AuthenticatorTOTPStageForm.ts:96
#: src/pages/stages/authenticator_validate/AuthenticatorValidateStageForm.ts:131
#: src/pages/stages/email/EmailStageForm.ts:170
#: src/pages/stages/identification/IdentificationStageForm.ts:120
#: src/pages/stages/identification/IdentificationStageForm.ts:138
#: src/pages/stages/identification/IdentificationStageForm.ts:119
#: src/pages/stages/identification/IdentificationStageForm.ts:137
#: src/pages/stages/password/PasswordStageForm.ts:106
#: src/pages/stages/prompt/PromptStageForm.ts:85
#: src/pages/stages/prompt/PromptStageForm.ts:118
@ -1771,7 +1772,7 @@ msgstr ""
msgid "Login password is synced from LDAP into authentik automatically. Enable this option only to write password changes in authentik back to LDAP."
msgstr ""
#: src/flows/stages/identification/IdentificationStage.ts:145
#: src/flows/stages/identification/IdentificationStage.ts:182
msgid "Login to continue to {0}."
msgstr ""
@ -2157,11 +2158,11 @@ msgstr ""
msgid "Optional data which is loaded into the flow's 'prompt_data' context variable. YAML or JSON."
msgstr ""
#: src/pages/stages/identification/IdentificationStageForm.ts:122
#: src/pages/stages/identification/IdentificationStageForm.ts:121
msgid "Optional enrollment flow, which is linked at the bottom of the page."
msgstr ""
#: src/pages/stages/identification/IdentificationStageForm.ts:140
#: src/pages/stages/identification/IdentificationStageForm.ts:139
msgid "Optional recovery flow, which is linked at the bottom of the page."
msgstr ""
@ -2495,7 +2496,7 @@ msgstr ""
msgid "Recovery"
msgstr ""
#: src/pages/stages/identification/IdentificationStageForm.ts:125
#: src/pages/stages/identification/IdentificationStageForm.ts:124
msgid "Recovery flow"
msgstr ""
@ -2701,6 +2702,10 @@ msgstr ""
msgid "Select an identification method."
msgstr ""
#: src/flows/stages/identification/IdentificationStage.ts:134
msgid "Select one of the sources below to login."
msgstr ""
#: src/pages/groups/MemberSelectModal.ts:68
msgid "Select users to add"
msgstr ""
@ -2799,7 +2804,7 @@ msgstr ""
msgid "Show arbitrary input fields to the user, for example during enrollment. Data is saved in the flow context under the 'prompt_data' variable."
msgstr ""
#: src/pages/stages/identification/IdentificationStageForm.ts:101
#: src/pages/stages/identification/IdentificationStageForm.ts:100
msgid "Show matched user"
msgstr ""
@ -3729,7 +3734,8 @@ msgstr ""
msgid "Userinfo URL"
msgstr ""
#: src/pages/stages/identification/IdentificationStageForm.ts:79
#: src/flows/stages/identification/IdentificationStage.ts:142
#: src/pages/stages/identification/IdentificationStageForm.ts:78
#: src/pages/user-settings/UserDetailsPage.ts:57
#: src/pages/users/UserForm.ts:47
#: src/pages/users/UserViewPage.ts:84
@ -3851,7 +3857,7 @@ msgstr ""
msgid "Webhook URL"
msgstr ""
#: src/pages/stages/identification/IdentificationStageForm.ts:104
#: src/pages/stages/identification/IdentificationStageForm.ts:103
msgid "When a valid username/email has been entered, and this option is enabled, the user's username and avatar will be shown. Otherwise, the text that the user entered will be shown."
msgstr ""
@ -3859,7 +3865,7 @@ msgstr ""
msgid "When enabled, global Email connection settings will be used and connection settings below will be ignored."
msgstr ""
#: src/pages/stages/identification/IdentificationStageForm.ts:95
#: src/pages/stages/identification/IdentificationStageForm.ts:94
msgid "When enabled, user fields are matched regardless of their casing."
msgstr ""

View file

@ -69,7 +69,6 @@ export class IdentificationStageForm extends Form<IdentificationStage> {
<div slot="body" class="pf-c-form">
<ak-form-element-horizontal
label=${t`User fields`}
?required=${true}
name="userFields">
<select name="users" class="pf-c-form-control" multiple>
<option value=${IdentificationStageUserFieldsEnum.Username} ?selected=${this.isUserFieldSelected(IdentificationStageUserFieldsEnum.Username)}>
@ -79,7 +78,7 @@ export class IdentificationStageForm extends Form<IdentificationStage> {
${t`Email`}
</option>
</select>
<p class="pf-c-form__helper-text">${t`Fields a user can identify themselves with.`}</p>
<p class="pf-c-form__helper-text">${t`Fields a user can identify themselves with. If no fields are selected, the user will only be able to use sources.`}</p>
<p class="pf-c-form__helper-text">${t`Hold control/command to select multiple items.`}</p>
</ak-form-element-horizontal>
<ak-form-element-horizontal name="caseInsensitiveMatching">