blueprints: docs (#3376)
* further blueprint cleanup Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * more Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * make group users and parent optional Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * fix api client usage Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
parent
85640d402f
commit
89fef0ae72
|
@ -57,6 +57,7 @@
|
|||
"description": "Commonly available field, may not exist on all models"
|
||||
}
|
||||
},
|
||||
"default": {},
|
||||
"additionalProperties": true
|
||||
},
|
||||
"identifiers": {
|
||||
|
|
|
@ -40,7 +40,7 @@ class BlueprintEntry:
|
|||
|
||||
identifiers: dict[str, Any]
|
||||
model: str
|
||||
attrs: dict[str, Any]
|
||||
attrs: Optional[dict[str, Any]] = field(default_factory=dict)
|
||||
|
||||
# pylint: disable=invalid-name
|
||||
id: Optional[str] = None
|
||||
|
|
|
@ -62,6 +62,11 @@ class GroupSerializer(ModelSerializer):
|
|||
"attributes",
|
||||
"users_obj",
|
||||
]
|
||||
extra_kwargs = {
|
||||
"users": {
|
||||
"default": list,
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
class GroupFilter(FilterSet):
|
||||
|
|
26
authentik/core/migrations/0022_alter_group_parent.py
Normal file
26
authentik/core/migrations/0022_alter_group_parent.py
Normal file
|
@ -0,0 +1,26 @@
|
|||
# Generated by Django 4.0.6 on 2022-08-05 22:01
|
||||
|
||||
import django.db.models.deletion
|
||||
from django.db import migrations, models
|
||||
|
||||
|
||||
class Migration(migrations.Migration):
|
||||
|
||||
dependencies = [
|
||||
("authentik_core", "0021_source_user_path_user_path"),
|
||||
]
|
||||
|
||||
operations = [
|
||||
migrations.AlterField(
|
||||
model_name="group",
|
||||
name="parent",
|
||||
field=models.ForeignKey(
|
||||
blank=True,
|
||||
default=None,
|
||||
null=True,
|
||||
on_delete=django.db.models.deletion.SET_NULL,
|
||||
related_name="children",
|
||||
to="authentik_core.group",
|
||||
),
|
||||
),
|
||||
]
|
|
@ -82,6 +82,7 @@ class Group(SerializerModel):
|
|||
"Group",
|
||||
blank=True,
|
||||
null=True,
|
||||
default=None,
|
||||
on_delete=models.SET_NULL,
|
||||
related_name="children",
|
||||
)
|
||||
|
|
|
@ -1,12 +1,10 @@
|
|||
version: 1
|
||||
metadata:
|
||||
name: Default - Password change flow
|
||||
entries:
|
||||
- attrs:
|
||||
compatibility_mode: false
|
||||
designation: stage_configuration
|
||||
layout: stacked
|
||||
name: Change Password
|
||||
policy_engine_mode: all
|
||||
title: Change password
|
||||
identifiers:
|
||||
slug: default-password-change
|
||||
|
@ -17,7 +15,6 @@ entries:
|
|||
placeholder: Password
|
||||
placeholder_expression: false
|
||||
required: true
|
||||
sub_text: ''
|
||||
type: password
|
||||
identifiers:
|
||||
field_key: password
|
||||
|
@ -29,7 +26,6 @@ entries:
|
|||
placeholder: Password (repeat)
|
||||
placeholder_expression: false
|
||||
required: true
|
||||
sub_text: ''
|
||||
type: password
|
||||
identifiers:
|
||||
field_key: password_repeat
|
||||
|
@ -40,39 +36,21 @@ entries:
|
|||
fields:
|
||||
- !KeyOf prompt-field-password
|
||||
- !KeyOf prompt-field-password-repeat
|
||||
meta_model_name: authentik_stages_prompt.promptstage
|
||||
validation_policies: []
|
||||
identifiers:
|
||||
name: default-password-change-prompt
|
||||
id: default-password-change-prompt
|
||||
model: authentik_stages_prompt.promptstage
|
||||
- attrs:
|
||||
create_users_as_inactive: false
|
||||
create_users_group: null
|
||||
meta_model_name: authentik_stages_user_write.userwritestage
|
||||
user_path_template: ''
|
||||
identifiers:
|
||||
- identifiers:
|
||||
name: default-password-change-write
|
||||
id: default-password-change-write
|
||||
model: authentik_stages_user_write.userwritestage
|
||||
- attrs:
|
||||
evaluate_on_plan: true
|
||||
invalid_response_action: retry
|
||||
policy_engine_mode: all
|
||||
re_evaluate_policies: false
|
||||
identifiers:
|
||||
- identifiers:
|
||||
order: 0
|
||||
stage: !KeyOf default-password-change-prompt
|
||||
target: !KeyOf flow
|
||||
model: authentik_flows.flowstagebinding
|
||||
- attrs:
|
||||
evaluate_on_plan: true
|
||||
invalid_response_action: retry
|
||||
policy_engine_mode: all
|
||||
re_evaluate_policies: false
|
||||
identifiers:
|
||||
- identifiers:
|
||||
order: 1
|
||||
stage: !KeyOf default-password-change-write
|
||||
target: !KeyOf flow
|
||||
model: authentik_flows.flowstagebinding
|
||||
version: 1
|
||||
|
|
|
@ -1,13 +1,11 @@
|
|||
version: 1
|
||||
metadata:
|
||||
name: Default - Authentication flow
|
||||
entries:
|
||||
- attrs:
|
||||
cache_count: 1
|
||||
compatibility_mode: false
|
||||
designation: authentication
|
||||
layout: stacked
|
||||
name: Welcome to authentik!
|
||||
policy_engine_mode: all
|
||||
title: Welcome to authentik!
|
||||
identifiers:
|
||||
slug: default-authentication-flow
|
||||
|
@ -21,32 +19,23 @@ entries:
|
|||
- authentik.core.auth.TokenBackend
|
||||
configure_flow: !Find [authentik_flows.flow, [slug, default-password-change]]
|
||||
failed_attempts_before_cancel: 5
|
||||
meta_model_name: authentik_stages_password.passwordstage
|
||||
identifiers:
|
||||
name: default-authentication-password
|
||||
id: default-authentication-password
|
||||
model: authentik_stages_password.passwordstage
|
||||
- attrs:
|
||||
configuration_stages: []
|
||||
device_classes:
|
||||
- static
|
||||
- totp
|
||||
- webauthn
|
||||
- duo
|
||||
- sms
|
||||
last_auth_threshold: seconds=0
|
||||
meta_model_name: authentik_stages_authenticator_validate.authenticatorvalidatestage
|
||||
not_configured_action: skip
|
||||
identifiers:
|
||||
name: default-authentication-mfa-validation
|
||||
id: default-authentication-mfa-validation
|
||||
model: authentik_stages_authenticator_validate.authenticatorvalidatestage
|
||||
- attrs:
|
||||
case_insensitive_matching: true
|
||||
meta_model_name: authentik_stages_identification.identificationstage
|
||||
show_matched_user: true
|
||||
show_source_labels: false
|
||||
sources: []
|
||||
user_fields:
|
||||
- email
|
||||
- username
|
||||
|
@ -55,50 +44,28 @@ entries:
|
|||
id: default-authentication-identification
|
||||
model: authentik_stages_identification.identificationstage
|
||||
- attrs:
|
||||
meta_model_name: authentik_stages_user_login.userloginstage
|
||||
session_duration: seconds=0
|
||||
identifiers:
|
||||
name: default-authentication-login
|
||||
id: default-authentication-login
|
||||
model: authentik_stages_user_login.userloginstage
|
||||
- attrs:
|
||||
evaluate_on_plan: true
|
||||
invalid_response_action: retry
|
||||
policy_engine_mode: all
|
||||
re_evaluate_policies: false
|
||||
identifiers:
|
||||
- identifiers:
|
||||
order: 10
|
||||
stage: !KeyOf default-authentication-identification
|
||||
target: !KeyOf flow
|
||||
model: authentik_flows.flowstagebinding
|
||||
- attrs:
|
||||
evaluate_on_plan: true
|
||||
invalid_response_action: retry
|
||||
policy_engine_mode: all
|
||||
re_evaluate_policies: false
|
||||
identifiers:
|
||||
- identifiers:
|
||||
order: 20
|
||||
stage: !KeyOf default-authentication-password
|
||||
target: !KeyOf flow
|
||||
model: authentik_flows.flowstagebinding
|
||||
- attrs:
|
||||
evaluate_on_plan: true
|
||||
invalid_response_action: retry
|
||||
policy_engine_mode: any
|
||||
re_evaluate_policies: false
|
||||
identifiers:
|
||||
- identifiers:
|
||||
order: 30
|
||||
stage: !KeyOf default-authentication-mfa-validation
|
||||
target: !KeyOf flow
|
||||
model: authentik_flows.flowstagebinding
|
||||
- attrs:
|
||||
evaluate_on_plan: true
|
||||
invalid_response_action: retry
|
||||
policy_engine_mode: all
|
||||
re_evaluate_policies: false
|
||||
identifiers:
|
||||
- identifiers:
|
||||
order: 100
|
||||
stage: !KeyOf default-authentication-login
|
||||
target: !KeyOf flow
|
||||
model: authentik_flows.flowstagebinding
|
||||
version: 1
|
||||
|
|
|
@ -1,32 +1,21 @@
|
|||
version: 1
|
||||
metadata:
|
||||
name: Default - Invalidation flow
|
||||
entries:
|
||||
- attrs:
|
||||
compatibility_mode: false
|
||||
designation: invalidation
|
||||
layout: stacked
|
||||
name: Logout
|
||||
policy_engine_mode: all
|
||||
title: Default Invalidation Flow
|
||||
identifiers:
|
||||
pk: 46979d76-94d3-43b5-ad07-43e924c15d2c
|
||||
slug: default-invalidation-flow
|
||||
model: authentik_flows.flow
|
||||
id: flow
|
||||
- attrs:
|
||||
meta_model_name: authentik_stages_user_logout.userlogoutstage
|
||||
identifiers:
|
||||
- identifiers:
|
||||
name: default-invalidation-logout
|
||||
id: default-invalidation-logout
|
||||
model: authentik_stages_user_logout.userlogoutstage
|
||||
- attrs:
|
||||
evaluate_on_plan: true
|
||||
invalid_response_action: retry
|
||||
policy_engine_mode: all
|
||||
re_evaluate_policies: false
|
||||
identifiers:
|
||||
- identifiers:
|
||||
order: 0
|
||||
stage: !KeyOf default-invalidation-logout
|
||||
target: !KeyOf flow
|
||||
model: authentik_flows.flowstagebinding
|
||||
version: 1
|
||||
|
|
|
@ -1,10 +1,9 @@
|
|||
version: 1
|
||||
metadata:
|
||||
name: Default - Static MFA setup flow
|
||||
entries:
|
||||
- attrs:
|
||||
compatibility_mode: false
|
||||
designation: stage_configuration
|
||||
layout: stacked
|
||||
name: default-authenticator-static-setup
|
||||
policy_engine_mode: any
|
||||
title: Setup Static OTP Tokens
|
||||
|
@ -14,20 +13,13 @@ entries:
|
|||
id: flow
|
||||
- attrs:
|
||||
configure_flow: !KeyOf flow
|
||||
meta_model_name: authentik_stages_authenticator_static.authenticatorstaticstage
|
||||
token_count: 6
|
||||
identifiers:
|
||||
name: default-authenticator-static-setup
|
||||
id: default-authenticator-static-setup
|
||||
model: authentik_stages_authenticator_static.authenticatorstaticstage
|
||||
- attrs:
|
||||
evaluate_on_plan: true
|
||||
invalid_response_action: retry
|
||||
policy_engine_mode: any
|
||||
re_evaluate_policies: false
|
||||
identifiers:
|
||||
- identifiers:
|
||||
order: 0
|
||||
stage: !KeyOf default-authenticator-static-setup
|
||||
target: !KeyOf flow
|
||||
model: authentik_flows.flowstagebinding
|
||||
version: 1
|
||||
|
|
|
@ -1,12 +1,10 @@
|
|||
version: 1
|
||||
metadata:
|
||||
name: Default - TOTP MFA setup flow
|
||||
entries:
|
||||
- attrs:
|
||||
compatibility_mode: false
|
||||
designation: stage_configuration
|
||||
layout: stacked
|
||||
name: default-authenticator-totp-setup
|
||||
policy_engine_mode: any
|
||||
title: Setup Two-Factor authentication
|
||||
identifiers:
|
||||
slug: default-authenticator-totp-setup
|
||||
|
@ -15,19 +13,12 @@ entries:
|
|||
- attrs:
|
||||
configure_flow: !KeyOf flow
|
||||
digits: 6
|
||||
meta_model_name: authentik_stages_authenticator_totp.authenticatortotpstage
|
||||
identifiers:
|
||||
name: default-authenticator-totp-setup
|
||||
id: default-authenticator-totp-setup
|
||||
model: authentik_stages_authenticator_totp.authenticatortotpstage
|
||||
- attrs:
|
||||
evaluate_on_plan: true
|
||||
invalid_response_action: retry
|
||||
policy_engine_mode: any
|
||||
re_evaluate_policies: false
|
||||
identifiers:
|
||||
- identifiers:
|
||||
order: 0
|
||||
stage: !KeyOf default-authenticator-totp-setup
|
||||
target: !KeyOf flow
|
||||
model: authentik_flows.flowstagebinding
|
||||
version: 1
|
||||
|
|
|
@ -1,10 +1,9 @@
|
|||
version: 1
|
||||
metadata:
|
||||
name: Default - WebAuthn MFA setup flow
|
||||
entries:
|
||||
- attrs:
|
||||
compatibility_mode: false
|
||||
designation: stage_configuration
|
||||
layout: stacked
|
||||
name: default-authenticator-webauthn-setup
|
||||
policy_engine_mode: any
|
||||
title: Setup WebAuthn
|
||||
|
@ -13,23 +12,13 @@ entries:
|
|||
model: authentik_flows.flow
|
||||
id: flow
|
||||
- attrs:
|
||||
authenticator_attachment: null
|
||||
configure_flow: !KeyOf flow
|
||||
meta_model_name: authentik_stages_authenticator_webauthn.authenticatewebauthnstage
|
||||
resident_key_requirement: preferred
|
||||
user_verification: preferred
|
||||
identifiers:
|
||||
name: default-authenticator-webauthn-setup
|
||||
id: default-authenticator-webauthn-setup
|
||||
model: authentik_stages_authenticator_webauthn.authenticatewebauthnstage
|
||||
- attrs:
|
||||
evaluate_on_plan: true
|
||||
invalid_response_action: retry
|
||||
policy_engine_mode: any
|
||||
re_evaluate_policies: false
|
||||
identifiers:
|
||||
- identifiers:
|
||||
order: 0
|
||||
stage: !KeyOf default-authenticator-webauthn-setup
|
||||
target: !KeyOf flow
|
||||
model: authentik_flows.flowstagebinding
|
||||
version: 1
|
||||
|
|
|
@ -1,33 +1,21 @@
|
|||
version: 1
|
||||
metadata:
|
||||
name: Default - Provider authorization flow (explicit consent)
|
||||
entries:
|
||||
- attrs:
|
||||
compatibility_mode: false
|
||||
designation: authorization
|
||||
layout: stacked
|
||||
name: Authorize Application
|
||||
policy_engine_mode: all
|
||||
title: Redirecting to %(app)s
|
||||
identifiers:
|
||||
slug: default-provider-authorization-explicit-consent
|
||||
model: authentik_flows.flow
|
||||
id: flow
|
||||
- attrs:
|
||||
consent_expire_in: weeks=4
|
||||
meta_model_name: authentik_stages_consent.consentstage
|
||||
mode: always_require
|
||||
identifiers:
|
||||
- identifiers:
|
||||
name: default-provider-authorization-consent
|
||||
id: default-provider-authorization-consent
|
||||
model: authentik_stages_consent.consentstage
|
||||
- attrs:
|
||||
evaluate_on_plan: true
|
||||
invalid_response_action: retry
|
||||
policy_engine_mode: all
|
||||
re_evaluate_policies: false
|
||||
identifiers:
|
||||
- identifiers:
|
||||
order: 0
|
||||
stage: !KeyOf default-provider-authorization-consent
|
||||
target: !KeyOf flow
|
||||
model: authentik_flows.flowstagebinding
|
||||
version: 1
|
||||
|
|
|
@ -1,14 +1,11 @@
|
|||
version: 1
|
||||
metadata:
|
||||
name: Default - Provider authorization flow (implicit consent)
|
||||
entries:
|
||||
- attrs:
|
||||
compatibility_mode: false
|
||||
designation: authorization
|
||||
layout: stacked
|
||||
name: Authorize Application
|
||||
policy_engine_mode: all
|
||||
title: Redirecting to %(app)s
|
||||
identifiers:
|
||||
slug: default-provider-authorization-implicit-consent
|
||||
model: authentik_flows.flow
|
||||
version: 1
|
||||
|
|
|
@ -1,52 +1,37 @@
|
|||
version: 1
|
||||
metadata:
|
||||
name: Default - Source authentication flow
|
||||
entries:
|
||||
- attrs:
|
||||
compatibility_mode: false
|
||||
designation: authentication
|
||||
layout: stacked
|
||||
name: Welcome to authentik!
|
||||
policy_engine_mode: all
|
||||
title: Welcome to authentik!
|
||||
identifiers:
|
||||
slug: default-source-authentication
|
||||
model: authentik_flows.flow
|
||||
id: flow
|
||||
- attrs:
|
||||
execution_logging: false
|
||||
expression: |
|
||||
# This policy ensures that this flow can only be used when the user
|
||||
# is in a SSO Flow (meaning they come from an external IdP)
|
||||
return ak_is_sso_flow
|
||||
meta_model_name: authentik_policies_expression.expressionpolicy
|
||||
identifiers:
|
||||
name: default-source-authentication-if-sso
|
||||
id: default-source-authentication-if-sso
|
||||
model: authentik_policies_expression.expressionpolicy
|
||||
- attrs:
|
||||
meta_model_name: authentik_stages_user_login.userloginstage
|
||||
session_duration: seconds=0
|
||||
identifiers:
|
||||
name: default-source-authentication-login
|
||||
id: default-source-authentication-login
|
||||
model: authentik_stages_user_login.userloginstage
|
||||
- attrs:
|
||||
evaluate_on_plan: true
|
||||
invalid_response_action: retry
|
||||
policy_engine_mode: all
|
||||
re_evaluate_policies: false
|
||||
identifiers:
|
||||
- identifiers:
|
||||
order: 0
|
||||
stage: !KeyOf default-source-authentication-login
|
||||
target: !KeyOf flow
|
||||
model: authentik_flows.flowstagebinding
|
||||
- attrs:
|
||||
enabled: true
|
||||
negate: false
|
||||
timeout: 30
|
||||
identifiers:
|
||||
- identifiers:
|
||||
order: 0
|
||||
policy: !KeyOf default-source-authentication-if-sso
|
||||
target: !KeyOf flow
|
||||
model: authentik_policies.policybinding
|
||||
version: 1
|
||||
|
|
|
@ -1,12 +1,10 @@
|
|||
version: 1
|
||||
metadata:
|
||||
name: Default - Source enrollment flow
|
||||
entries:
|
||||
- attrs:
|
||||
compatibility_mode: false
|
||||
designation: enrollment
|
||||
layout: stacked
|
||||
name: Welcome to authentik! Please select a username.
|
||||
policy_engine_mode: all
|
||||
title: Welcome to authentik! Please select a username.
|
||||
identifiers:
|
||||
slug: default-source-enrollment
|
||||
|
@ -17,7 +15,6 @@ entries:
|
|||
placeholder: Username
|
||||
placeholder_expression: false
|
||||
required: true
|
||||
sub_text: ''
|
||||
type: text
|
||||
identifiers:
|
||||
field_key: username
|
||||
|
@ -25,29 +22,24 @@ entries:
|
|||
id: prompt-field-username
|
||||
model: authentik_stages_prompt.prompt
|
||||
- attrs:
|
||||
execution_logging: false
|
||||
expression: |
|
||||
# Check if we''ve not been given a username by the external IdP
|
||||
# and trigger the enrollment flow
|
||||
return 'username' not in context.get('prompt_data', {})
|
||||
meta_model_name: authentik_policies_expression.expressionpolicy
|
||||
identifiers:
|
||||
name: default-source-enrollment-if-username
|
||||
id: default-source-enrollment-if-username
|
||||
model: authentik_policies_expression.expressionpolicy
|
||||
- attrs:
|
||||
execution_logging: false
|
||||
expression: |
|
||||
# This policy ensures that this flow can only be used when the user
|
||||
# is in a SSO Flow (meaning they come from an external IdP)
|
||||
return ak_is_sso_flow
|
||||
meta_model_name: authentik_policies_expression.expressionpolicy
|
||||
identifiers:
|
||||
name: default-source-enrollment-if-sso
|
||||
id: default-source-enrollment-if-sso
|
||||
model: authentik_policies_expression.expressionpolicy
|
||||
- attrs:
|
||||
meta_model_name: authentik_stages_user_login.userloginstage
|
||||
session_duration: seconds=0
|
||||
identifiers:
|
||||
name: default-source-enrollment-login
|
||||
|
@ -56,25 +48,15 @@ entries:
|
|||
- attrs:
|
||||
fields:
|
||||
- !KeyOf prompt-field-username
|
||||
meta_model_name: authentik_stages_prompt.promptstage
|
||||
validation_policies: []
|
||||
identifiers:
|
||||
name: default-source-enrollment-prompt
|
||||
id: default-source-enrollment-prompt
|
||||
model: authentik_stages_prompt.promptstage
|
||||
- attrs:
|
||||
create_users_as_inactive: false
|
||||
create_users_group: null
|
||||
meta_model_name: authentik_stages_user_write.userwritestage
|
||||
user_path_template: ''
|
||||
identifiers:
|
||||
- identifiers:
|
||||
name: default-source-enrollment-write
|
||||
id: default-source-enrollment-write
|
||||
model: authentik_stages_user_write.userwritestage
|
||||
- attrs:
|
||||
evaluate_on_plan: true
|
||||
invalid_response_action: retry
|
||||
policy_engine_mode: all
|
||||
re_evaluate_policies: true
|
||||
identifiers:
|
||||
order: 0
|
||||
|
@ -82,42 +64,23 @@ entries:
|
|||
target: !KeyOf flow
|
||||
id: prompt-binding
|
||||
model: authentik_flows.flowstagebinding
|
||||
- attrs:
|
||||
evaluate_on_plan: true
|
||||
invalid_response_action: retry
|
||||
policy_engine_mode: all
|
||||
re_evaluate_policies: false
|
||||
identifiers:
|
||||
- identifiers:
|
||||
order: 1
|
||||
stage: !KeyOf default-source-enrollment-write
|
||||
target: !KeyOf flow
|
||||
model: authentik_flows.flowstagebinding
|
||||
- attrs:
|
||||
evaluate_on_plan: true
|
||||
invalid_response_action: retry
|
||||
policy_engine_mode: all
|
||||
re_evaluate_policies: false
|
||||
identifiers:
|
||||
- identifiers:
|
||||
order: 2
|
||||
stage: !KeyOf default-source-enrollment-login
|
||||
target: !KeyOf flow
|
||||
model: authentik_flows.flowstagebinding
|
||||
- attrs:
|
||||
enabled: true
|
||||
negate: false
|
||||
timeout: 30
|
||||
identifiers:
|
||||
- identifiers:
|
||||
order: 0
|
||||
policy: !KeyOf default-source-enrollment-if-sso
|
||||
target: !KeyOf flow
|
||||
model: authentik_policies.policybinding
|
||||
- attrs:
|
||||
enabled: true
|
||||
negate: false
|
||||
timeout: 30
|
||||
identifiers:
|
||||
- identifiers:
|
||||
order: 0
|
||||
policy: !KeyOf default-source-enrollment-if-username
|
||||
target: !KeyOf prompt-binding
|
||||
model: authentik_policies.policybinding
|
||||
version: 1
|
||||
|
|
|
@ -1,14 +1,11 @@
|
|||
version: 1
|
||||
metadata:
|
||||
name: Default - Source pre-authentication flow
|
||||
entries:
|
||||
- attrs:
|
||||
compatibility_mode: false
|
||||
designation: stage_configuration
|
||||
layout: stacked
|
||||
name: Pre-Authentication
|
||||
policy_engine_mode: any
|
||||
title: Pre-authentication
|
||||
identifiers:
|
||||
slug: default-source-pre-authentication
|
||||
model: authentik_flows.flow
|
||||
version: 1
|
||||
|
|
|
@ -1,12 +1,10 @@
|
|||
version: 1
|
||||
metadata:
|
||||
name: Default - User settings flow
|
||||
entries:
|
||||
- attrs:
|
||||
compatibility_mode: false
|
||||
designation: stage_configuration
|
||||
layout: stacked
|
||||
name: User settings
|
||||
policy_engine_mode: any
|
||||
title: Update your info
|
||||
identifiers:
|
||||
slug: default-user-settings-flow
|
||||
|
@ -21,7 +19,6 @@ entries:
|
|||
return ''
|
||||
placeholder_expression: true
|
||||
required: true
|
||||
sub_text: ''
|
||||
type: text
|
||||
identifiers:
|
||||
field_key: username
|
||||
|
@ -37,7 +34,6 @@ entries:
|
|||
return ''
|
||||
placeholder_expression: true
|
||||
required: true
|
||||
sub_text: ''
|
||||
type: text
|
||||
identifiers:
|
||||
field_key: name
|
||||
|
@ -53,7 +49,6 @@ entries:
|
|||
return ''
|
||||
placeholder_expression: true
|
||||
required: true
|
||||
sub_text: ''
|
||||
type: email
|
||||
identifiers:
|
||||
field_key: email
|
||||
|
@ -69,7 +64,6 @@ entries:
|
|||
return ''
|
||||
placeholder_expression: true
|
||||
required: true
|
||||
sub_text: ''
|
||||
type: ak-locale
|
||||
identifiers:
|
||||
field_key: attributes.settings.locale
|
||||
|
@ -77,7 +71,6 @@ entries:
|
|||
id: prompt-field-locale
|
||||
model: authentik_stages_prompt.prompt
|
||||
- attrs:
|
||||
execution_logging: false
|
||||
expression: |
|
||||
from authentik.lib.config import CONFIG
|
||||
from authentik.core.models import (
|
||||
|
@ -109,17 +102,11 @@ entries:
|
|||
return False
|
||||
|
||||
return True
|
||||
meta_model_name: authentik_policies_expression.expressionpolicy
|
||||
identifiers:
|
||||
name: default-user-settings-authorization
|
||||
id: default-user-settings-authorization
|
||||
model: authentik_policies_expression.expressionpolicy
|
||||
- attrs:
|
||||
create_users_as_inactive: false
|
||||
create_users_group: null
|
||||
meta_model_name: authentik_stages_user_write.userwritestage
|
||||
user_path_template: ''
|
||||
identifiers:
|
||||
- identifiers:
|
||||
name: default-user-settings-write
|
||||
id: default-user-settings-write
|
||||
model: authentik_stages_user_write.userwritestage
|
||||
|
@ -129,31 +116,19 @@ entries:
|
|||
- !KeyOf prompt-field-name
|
||||
- !KeyOf prompt-field-email
|
||||
- !KeyOf prompt-field-locale
|
||||
meta_model_name: authentik_stages_prompt.promptstage
|
||||
validation_policies:
|
||||
- !KeyOf default-user-settings-authorization
|
||||
identifiers:
|
||||
name: default-user-settings
|
||||
id: default-user-settings
|
||||
model: authentik_stages_prompt.promptstage
|
||||
- attrs:
|
||||
evaluate_on_plan: true
|
||||
invalid_response_action: retry
|
||||
policy_engine_mode: any
|
||||
re_evaluate_policies: false
|
||||
identifiers:
|
||||
- identifiers:
|
||||
order: 20
|
||||
stage: !KeyOf default-user-settings
|
||||
target: !KeyOf flow
|
||||
model: authentik_flows.flowstagebinding
|
||||
- attrs:
|
||||
evaluate_on_plan: true
|
||||
invalid_response_action: retry
|
||||
policy_engine_mode: any
|
||||
re_evaluate_policies: false
|
||||
identifiers:
|
||||
- identifiers:
|
||||
order: 100
|
||||
stage: !KeyOf default-user-settings-write
|
||||
target: !KeyOf flow
|
||||
model: authentik_flows.flowstagebinding
|
||||
version: 1
|
||||
|
|
|
@ -18,10 +18,6 @@ entries:
|
|||
id: group
|
||||
identifiers:
|
||||
name: authentik Admins
|
||||
attrs:
|
||||
is_superuser: true
|
||||
users: []
|
||||
parent: null
|
||||
|
||||
- model: authentik_policies_event_matcher.eventmatcherpolicy
|
||||
id: default-match-configuration-error
|
||||
|
@ -40,10 +36,6 @@ entries:
|
|||
- !KeyOf default-email-transport
|
||||
- !KeyOf default-local-transport
|
||||
- model: authentik_policies.policybinding
|
||||
attrs:
|
||||
enabled: true
|
||||
negate: false
|
||||
timeout: 30
|
||||
identifiers:
|
||||
order: 0
|
||||
policy: !KeyOf default-match-configuration-error
|
||||
|
@ -66,10 +58,6 @@ entries:
|
|||
- !KeyOf default-email-transport
|
||||
- !KeyOf default-local-transport
|
||||
- model: authentik_policies.policybinding
|
||||
attrs:
|
||||
enabled: true
|
||||
negate: false
|
||||
timeout: 30
|
||||
identifiers:
|
||||
order: 0
|
||||
policy: !KeyOf default-match-update
|
||||
|
@ -98,19 +86,11 @@ entries:
|
|||
- !KeyOf default-email-transport
|
||||
- !KeyOf default-local-transport
|
||||
- model: authentik_policies.policybinding
|
||||
attrs:
|
||||
enabled: true
|
||||
negate: false
|
||||
timeout: 30
|
||||
identifiers:
|
||||
order: 0
|
||||
policy: !KeyOf default-match-policy-exception
|
||||
target: !KeyOf default-notify-exception
|
||||
- model: authentik_policies.policybinding
|
||||
attrs:
|
||||
enabled: true
|
||||
negate: false
|
||||
timeout: 30
|
||||
identifiers:
|
||||
order: 1
|
||||
policy: !KeyOf default-match-property-mapping-exception
|
||||
|
|
|
@ -9,4 +9,4 @@ entries:
|
|||
identifiers:
|
||||
domain: authentik-default
|
||||
default: True
|
||||
model: authentik_tenants.Tenant
|
||||
model: authentik_tenants.tenant
|
||||
|
|
|
@ -3,11 +3,9 @@ metadata:
|
|||
version: 1
|
||||
entries:
|
||||
- attrs:
|
||||
compatibility_mode: false
|
||||
denied_action: message_continue
|
||||
designation: stage_configuration
|
||||
name: default-oobe-setup
|
||||
policy_engine_mode: all
|
||||
title: Welcome to authentik!
|
||||
id: flow
|
||||
identifiers:
|
||||
|
@ -63,7 +61,6 @@ entries:
|
|||
label: Password (repeat)
|
||||
model: authentik_stages_prompt.prompt
|
||||
- attrs:
|
||||
execution_logging: false
|
||||
expression: |
|
||||
# This policy sets the user for the currently running flow
|
||||
# by injecting "pending_user"
|
||||
|
@ -75,7 +72,6 @@ entries:
|
|||
name: default-oobe-prefill-user
|
||||
model: authentik_policies_expression.expressionpolicy
|
||||
- attrs:
|
||||
execution_logging: false
|
||||
expression: |
|
||||
# This policy ensures that the setup flow can only be
|
||||
# executed when the admin user doesn''t have a password set
|
||||
|
@ -102,18 +98,13 @@ entries:
|
|||
identifiers:
|
||||
name: default-authentication-login
|
||||
model: authentik_stages_user_login.userloginstage
|
||||
- attrs:
|
||||
create_users_as_inactive: false
|
||||
create_users_group: null
|
||||
user_path_template: ''
|
||||
id: stage-default-password-change-write
|
||||
- id: stage-default-password-change-write
|
||||
identifiers:
|
||||
name: default-password-change-write
|
||||
model: authentik_stages_user_write.userwritestage
|
||||
- attrs:
|
||||
evaluate_on_plan: true
|
||||
invalid_response_action: retry
|
||||
policy_engine_mode: all
|
||||
re_evaluate_policies: false
|
||||
identifiers:
|
||||
order: 10
|
||||
|
@ -123,7 +114,6 @@ entries:
|
|||
- attrs:
|
||||
evaluate_on_plan: false
|
||||
invalid_response_action: retry
|
||||
policy_engine_mode: all
|
||||
re_evaluate_policies: true
|
||||
id: binding-password-write
|
||||
identifiers:
|
||||
|
@ -134,27 +124,18 @@ entries:
|
|||
- attrs:
|
||||
evaluate_on_plan: true
|
||||
invalid_response_action: retry
|
||||
policy_engine_mode: all
|
||||
re_evaluate_policies: false
|
||||
identifiers:
|
||||
order: 100
|
||||
stage: !KeyOf stage-default-authentication-login
|
||||
target: !KeyOf flow
|
||||
model: authentik_flows.flowstagebinding
|
||||
- attrs:
|
||||
enabled: true
|
||||
negate: false
|
||||
timeout: 30
|
||||
identifiers:
|
||||
- identifiers:
|
||||
order: 0
|
||||
policy: !KeyOf policy-default-oobe-password-usable
|
||||
target: !KeyOf flow
|
||||
model: authentik_policies.policybinding
|
||||
- attrs:
|
||||
enabled: true
|
||||
negate: false
|
||||
timeout: 30
|
||||
identifiers:
|
||||
- identifiers:
|
||||
order: 0
|
||||
policy: !KeyOf policy-default-oobe-prefill-user
|
||||
target: !KeyOf binding-password-write
|
||||
|
|
|
@ -17,7 +17,6 @@ entries:
|
|||
id: test-not-app-password
|
||||
model: authentik_policies_expression.expressionpolicy
|
||||
attrs:
|
||||
execution_logging: false
|
||||
expression: |
|
||||
return context["auth_method"] != "app_password"
|
||||
- identifiers:
|
||||
|
@ -35,13 +34,10 @@ entries:
|
|||
- email
|
||||
- username
|
||||
template: stages/identification/login.html
|
||||
enrollment_flow: null
|
||||
recovery_flow: null
|
||||
- identifiers:
|
||||
name: default-authentication-flow-mfa
|
||||
id: default-authentication-flow-mfa
|
||||
model: authentik_stages_authenticator_validate.AuthenticatorValidateStage
|
||||
attrs: {}
|
||||
model: authentik_stages_authenticator_validate.authenticatorvalidatestage
|
||||
- identifiers:
|
||||
name: default-authentication-password
|
||||
id: default-authentication-password
|
||||
|
@ -56,15 +52,11 @@ entries:
|
|||
stage: !KeyOf default-authentication-identification
|
||||
order: 10
|
||||
model: authentik_flows.flowstagebinding
|
||||
attrs:
|
||||
re_evaluate_policies: false
|
||||
- identifiers:
|
||||
target: !KeyOf flow
|
||||
stage: !KeyOf default-authentication-password
|
||||
order: 20
|
||||
model: authentik_flows.flowstagebinding
|
||||
attrs:
|
||||
re_evaluate_policies: false
|
||||
- identifiers:
|
||||
target: !KeyOf flow
|
||||
stage: !KeyOf default-authentication-flow-mfa
|
||||
|
@ -72,23 +64,14 @@ entries:
|
|||
model: authentik_flows.flowstagebinding
|
||||
id: flow-binding-mfa
|
||||
attrs:
|
||||
evaluate_on_plan: false
|
||||
re_evaluate_policies: true
|
||||
policy_engine_mode: any
|
||||
invalid_response_action: retry
|
||||
- identifiers:
|
||||
target: !KeyOf flow
|
||||
stage: !KeyOf default-authentication-login
|
||||
order: 100
|
||||
model: authentik_flows.flowstagebinding
|
||||
attrs:
|
||||
re_evaluate_policies: false
|
||||
- identifiers:
|
||||
policy: !KeyOf test-not-app-password
|
||||
target: !KeyOf flow-binding-mfa
|
||||
order: 0
|
||||
model: authentik_policies.policybinding
|
||||
attrs:
|
||||
negate: false
|
||||
enabled: true
|
||||
timeout: 30
|
||||
|
|
|
@ -34,8 +34,6 @@ entries:
|
|||
- email
|
||||
- username
|
||||
template: stages/identification/login.html
|
||||
enrollment_flow: null
|
||||
recovery_flow: null
|
||||
- identifiers:
|
||||
name: default-authentication-password
|
||||
id: default-authentication-password
|
||||
|
@ -50,15 +48,11 @@ entries:
|
|||
stage: !KeyOf default-authentication-identification
|
||||
order: 10
|
||||
model: authentik_flows.flowstagebinding
|
||||
attrs:
|
||||
re_evaluate_policies: false
|
||||
- identifiers:
|
||||
target: !KeyOf flow
|
||||
stage: !KeyOf default-authentication-password
|
||||
order: 20
|
||||
model: authentik_flows.flowstagebinding
|
||||
attrs:
|
||||
re_evaluate_policies: false
|
||||
- identifiers:
|
||||
target: !KeyOf flow
|
||||
stage: !KeyOf default-authentication-flow-captcha
|
||||
|
@ -73,8 +67,6 @@ entries:
|
|||
stage: !KeyOf default-authentication-login
|
||||
order: 100
|
||||
model: authentik_flows.flowstagebinding
|
||||
attrs:
|
||||
re_evaluate_policies: false
|
||||
- identifiers:
|
||||
name: default-authentication-flow-conditional-captcha
|
||||
id: default-authentication-flow-conditional-captcha
|
||||
|
@ -88,6 +80,3 @@ entries:
|
|||
target: !KeyOf flow-binding-captcha
|
||||
order: 0
|
||||
model: authentik_policies.policybinding
|
||||
attrs:
|
||||
enabled: true
|
||||
timeout: 30
|
||||
|
|
|
@ -12,10 +12,6 @@ entries:
|
|||
name: Default recovery flow
|
||||
title: Reset your password
|
||||
designation: recovery
|
||||
cache_count: 0
|
||||
policy_engine_mode: any
|
||||
compatibility_mode: false
|
||||
layout: stacked
|
||||
- identifiers:
|
||||
field_key: password
|
||||
label: Password
|
||||
|
@ -45,7 +41,6 @@ entries:
|
|||
id: default-recovery-skip-if-restored
|
||||
model: authentik_policies_expression.expressionpolicy
|
||||
attrs:
|
||||
execution_logging: false
|
||||
expression: |
|
||||
return request.context.get('is_restored', False)
|
||||
- identifiers:
|
||||
|
@ -69,10 +64,6 @@ entries:
|
|||
name: default-recovery-user-write
|
||||
id: default-recovery-user-write
|
||||
model: authentik_stages_user_write.userwritestage
|
||||
attrs:
|
||||
create_users_as_inactive: false
|
||||
create_users_group: null
|
||||
user_path_template: ""
|
||||
- identifiers:
|
||||
name: default-recovery-identification
|
||||
id: default-recovery-identification
|
||||
|
@ -81,14 +72,6 @@ entries:
|
|||
user_fields:
|
||||
- email
|
||||
- username
|
||||
password_stage: null
|
||||
case_insensitive_matching: true
|
||||
show_matched_user: true
|
||||
enrollment_flow: null
|
||||
recovery_flow: null
|
||||
passwordless_flow: null
|
||||
sources: []
|
||||
show_source_labels: false
|
||||
- identifiers:
|
||||
name: default-recovery-user-login
|
||||
id: default-recovery-user-login
|
||||
|
|
|
@ -135,6 +135,7 @@
|
|||
"description": "Commonly available field, may not exist on all models"
|
||||
}
|
||||
},
|
||||
"default": {},
|
||||
"additionalProperties": true
|
||||
},
|
||||
"identifiers": {
|
||||
|
|
|
@ -135,7 +135,11 @@ func (ms *MemorySearcher) Search(req *search.Request) (ldap.ServerSearchResult,
|
|||
for _, u := range g.UsersObj {
|
||||
if flags.UserPk == u.Pk {
|
||||
//TODO: Is there a better way to clone this object?
|
||||
fg := api.NewGroup(g.Pk, g.NumPk, g.Name, g.Parent, g.ParentName, []int32{flags.UserPk}, []api.GroupMember{u})
|
||||
fg := api.NewGroup(g.Pk, g.NumPk, g.Name, g.ParentName, []api.GroupMember{u})
|
||||
fg.SetUsers([]int32{flags.UserPk})
|
||||
if g.Parent.IsSet() {
|
||||
fg.SetParent(*g.Parent.Get())
|
||||
}
|
||||
fg.SetAttributes(g.Attributes)
|
||||
fg.SetIsSuperuser(*g.IsSuperuser)
|
||||
groups = append(groups, group.FromAPIGroup(*fg, ms.si))
|
||||
|
|
|
@ -22723,10 +22723,8 @@ components:
|
|||
required:
|
||||
- name
|
||||
- num_pk
|
||||
- parent
|
||||
- parent_name
|
||||
- pk
|
||||
- users
|
||||
- users_obj
|
||||
GroupMember:
|
||||
type: object
|
||||
|
@ -22833,8 +22831,6 @@ components:
|
|||
additionalProperties: {}
|
||||
required:
|
||||
- name
|
||||
- parent
|
||||
- users
|
||||
HaveIBeenPwendPolicy:
|
||||
type: object
|
||||
description: Have I Been Pwned Policy Serializer
|
||||
|
|
9
website/developer-docs/blueprints/index.md
Normal file
9
website/developer-docs/blueprints/index.md
Normal file
|
@ -0,0 +1,9 @@
|
|||
---
|
||||
title: Blueprints
|
||||
---
|
||||
|
||||
:::info
|
||||
Requires authentik 2022.8
|
||||
:::
|
||||
|
||||
Blueprints offer a new way to template, automate and distribute authentik configuration. Blueprints can be used to automatically configure instances, manage config as code without any external tools, and to distribute application configs.
|
61
website/developer-docs/blueprints/v1/structure.md
Normal file
61
website/developer-docs/blueprints/v1/structure.md
Normal file
|
@ -0,0 +1,61 @@
|
|||
---
|
||||
title: File structure
|
||||
---
|
||||
|
||||
Blueprints are YAML files, which can use some additional tags to ease blueprint creation.
|
||||
|
||||
## Additional Tags
|
||||
|
||||
#### `!KeyOf`
|
||||
|
||||
Example: `policy: !KeyOf my-policy-id`
|
||||
|
||||
Resolves to the primary key of the model instance defined by id _my-policy-id_.
|
||||
|
||||
If no matching entry can be found, an error is raised and the blueprint is invalid.
|
||||
|
||||
#### `!Find`
|
||||
|
||||
Example: `configure_flow: !Find [authentik_flows.flow, [slug, default-password-change]]`
|
||||
|
||||
Looks up any model and resolves to the the matches' primary key.
|
||||
First argument is the model to be queried, remaining arguments are expected to be pairs of key=value pairs to query for.
|
||||
|
||||
## Structure
|
||||
|
||||
```yaml
|
||||
# The version of this blueprint, currently 1
|
||||
version: 1
|
||||
# Optional block of metadata, name is required if metadata is set
|
||||
metadata:
|
||||
# Arbitrary key=value store, special labels are listed below
|
||||
labels:
|
||||
foo: bar
|
||||
name: example-blueprint
|
||||
# List of entries (required)
|
||||
entries:
|
||||
- # Model in app.model notation, possibilities are listed in the schema (required)
|
||||
model: authentik_flows.flow
|
||||
# Key:value filters to uniquely identify this object (required)
|
||||
identifiers:
|
||||
slug: initial-setup
|
||||
# Optional ID for use with !KeyOf
|
||||
id: flow
|
||||
# Attributes to set on the object. Only explicitly required settings should be stated
|
||||
# as these values will override existing attributes
|
||||
attrs:
|
||||
denied_action: message_continue
|
||||
designation: stage_configuration
|
||||
name: default-oobe-setup
|
||||
title: Welcome to authentik!
|
||||
```
|
||||
|
||||
## Special Labels
|
||||
|
||||
#### `blueprints.goauthentik.io/system`:
|
||||
|
||||
Used by authentik's packaged blueprints to keep globals up-to-date. Should only be removed in special cases.
|
||||
|
||||
#### `blueprints.goauthentik.io/example`:
|
||||
|
||||
Blueprints with this label are not automatically imported. They are still available when creating a new instance.
|
|
@ -6,9 +6,21 @@ module.exports = {
|
|||
},
|
||||
{
|
||||
type: "category",
|
||||
label: "Using the API",
|
||||
label: "Blueprints",
|
||||
link: {
|
||||
type: "doc",
|
||||
id: "blueprints/index",
|
||||
},
|
||||
items: ["blueprints/v1/structure"],
|
||||
},
|
||||
{
|
||||
type: "category",
|
||||
label: "API",
|
||||
link: {
|
||||
type: "doc",
|
||||
id: "api/api",
|
||||
},
|
||||
items: [
|
||||
"api/api",
|
||||
"api/flow-executor",
|
||||
"api/making-schema-changes",
|
||||
"api/websocket",
|
||||
|
|
Reference in a new issue