stages/password: auto-enable app password backend

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-08-23 16:38:46 +02:00 · 2021-08-23 16:38:46 +02:00 · 4cf76fdcda
parent c4832206fa
commit 4cf76fdcda
5 changed files with 83 additions and 5 deletions
--- a/authentik/core/migrations/0028_alter_token_intent.py
+++ b/authentik/core/migrations/0028_alter_token_intent.py
@ -0,0 +1,26 @@
+# Generated by Django 3.2.6 on 2021-08-23 14:35
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0027_bootstrap_token"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="token",
+            name="intent",
+            field=models.TextField(
+                choices=[
+                    ("verification", "Intent Verification"),
+                    ("api", "Intent Api"),
+                    ("recovery", "Intent Recovery"),
+                    ("app_password", "Intent App Password"),
+                ],
+                default="verification",
+            ),
+        ),
+    ]
--- a/authentik/flows/migrations/0008_default_flows.py
+++ b/authentik/flows/migrations/0008_default_flows.py
@ -6,7 +6,7 @@ from django.db.backends.base.schema import BaseDatabaseSchemaEditor

 from authentik.flows.models import FlowDesignation
 from authentik.stages.identification.models import UserFields
-from authentik.stages.password import BACKEND_DJANGO, BACKEND_LDAP
+from authentik.stages.password import BACKEND_APP_PASSWORD, BACKEND_DJANGO, BACKEND_LDAP


 def create_default_authentication_flow(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
@ -26,7 +26,7 @@ def create_default_authentication_flow(apps: Apps, schema_editor: BaseDatabaseSc

    password_stage, _ = PasswordStage.objects.using(db_alias).update_or_create(
        name="default-authentication-password",
-        defaults={"backends": [BACKEND_DJANGO, BACKEND_LDAP]},
+        defaults={"backends": [BACKEND_DJANGO, BACKEND_LDAP, BACKEND_APP_PASSWORD]},
    )

    login_stage, _ = UserLoginStage.objects.using(db_alias).update_or_create(
--- a/authentik/stages/password/init.py
+++ b/authentik/stages/password/init.py
@ -1,4 +1,4 @@
 """Backend paths"""
 BACKEND_DJANGO = "django.contrib.auth.backends.ModelBackend"
 BACKEND_LDAP = "authentik.sources.ldap.auth.LDAPBackend"
-BACKEND_TOKEN = "authentik.core.token_auth.TokenBackend"  # nosec
+BACKEND_APP_PASSWORD = "authentik.core.token_auth.TokenBackend"  # nosec
--- a/authentik/stages/password/migrations/0007_app_password.py
+++ b/authentik/stages/password/migrations/0007_app_password.py
@ -0,0 +1,52 @@
+# Generated by Django 3.2.6 on 2021-08-23 14:34
+import django.contrib.postgres.fields
+from django.apps.registry import Apps
+from django.db import migrations, models
+from django.db.backends.base.schema import BaseDatabaseSchemaEditor
+
+from authentik.stages.password import BACKEND_APP_PASSWORD
+
+
+def update_default_backends(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
+    PasswordStage = apps.get_model("authentik_stages_password", "passwordstage")
+    db_alias = schema_editor.connection.alias
+
+    stages = PasswordStage.objects.using(db_alias).filter(name="default-authentication-password")
+    if not stages.exists():
+        return
+    stage = stages.first()
+    stage.backends.append(BACKEND_APP_PASSWORD)
+    stage.save()
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_flows", "0008_default_flows"),
+        ("authentik_stages_password", "0006_passwordchange_rename"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="passwordstage",
+            name="backends",
+            field=django.contrib.postgres.fields.ArrayField(
+                base_field=models.TextField(
+                    choices=[
+                        (
+                            "django.contrib.auth.backends.ModelBackend",
+                            "User database + standard password",
+                        ),
+                        ("authentik.core.token_auth.TokenBackend", "User database + app passwords"),
+                        (
+                            "authentik.sources.ldap.auth.LDAPBackend",
+                            "User database + LDAP password",
+                        ),
+                    ]
+                ),
+                help_text="Selection of backends to test the password against.",
+                size=None,
+            ),
+        ),
+        migrations.RunPython(update_default_backends),
+    ]
--- a/authentik/stages/password/models.py
+++ b/authentik/stages/password/models.py
@ -9,7 +9,7 @@ from rest_framework.serializers import BaseSerializer

 from authentik.core.types import UserSettingSerializer
 from authentik.flows.models import ConfigurableStage, Stage
-from authentik.stages.password import BACKEND_DJANGO, BACKEND_LDAP, BACKEND_TOKEN
+from authentik.stages.password import BACKEND_APP_PASSWORD, BACKEND_DJANGO, BACKEND_LDAP


 def get_authentication_backends():
@ -20,7 +20,7 @@ def get_authentication_backends():
            _("User database + standard password"),
        ),
        (
-            BACKEND_TOKEN,
+            BACKEND_APP_PASSWORD,
            _("User database + app passwords"),
        ),
        (