trustchain-oc1-orchestral
/
authentik
Archived
10
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

improved out-of-box experience (#704)

This commit is contained in:
Jens L 2021-04-06 20:25:22 +02:00 committed by GitHub
parent fb409a73a1
commit a2a35e49a9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
18 changed files with 321 additions and 74 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
authentik/core/migrations/0003_default_user.py
View File

@ -1,6 +1,8 @@
# Generated by Django 3.0.6 on 2020-05-23 16:40
from os import environ
from django.apps.registry import Apps
from django.conf import settings
from django.db import migrations, models
from django.db.backends.base.schema import BaseDatabaseSchemaEditor
@ -14,7 +16,12 @@ def create_default_user(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
akadmin, _ = User.objects.using(db_alias).get_or_create(
username="akadmin", email="root@localhost", name="authentik Default Admin"
)
akadmin.set_password("akadmin", signal=False) # noqa # nosec
if "TF_BUILD" in environ or "AK_ADMIN_PASS" in environ or settings.TEST:
akadmin.set_password(
environ.get("AK_ADMIN_PASS", "akadmin"), signal=False
) # noqa # nosec
else:
akadmin.set_unusable_password()
akadmin.save()

7
authentik/events/migrations/0014_expiry.py
View File

@ -57,11 +57,12 @@ def progress_bar(
def update_expires(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
db_alias = schema_editor.connection.alias
print("\nAdding expiry to events, this might take a couple of minutes...")
Event = apps.get_model("authentik_events", "event")
all_events = Event.objects.using(db_alias).all()
if all_events.count() < 1:
return
print("\nAdding expiry to events, this might take a couple of minutes...")
for event in progress_bar(all_events):
event.expires = event.created + timedelta(days=365)
event.save()

5
authentik/flows/migrations/0009_source_flows.py
View File

@ -45,7 +45,7 @@ def create_default_source_enrollment_flow(
slug="default-source-enrollment",
designation=FlowDesignation.ENROLLMENT,
defaults={
"name": "Welcome to authentik!",
"name": "Welcome to authentik! Please select a username.",
},
)
PolicyBinding.objects.using(db_alias).update_or_create(
@ -54,7 +54,7 @@ def create_default_source_enrollment_flow(
# PromptStage to ask user for their username
prompt_stage, _ = PromptStage.objects.using(db_alias).update_or_create(
name="Welcome to authentik! Please select a username.",
name="default-source-enrollment-prompt",
)
prompt, _ = Prompt.objects.using(db_alias).update_or_create(
field_key="username",
@ -63,6 +63,7 @@ def create_default_source_enrollment_flow(
"type": FieldTypes.TEXT,
"required": True,
"placeholder": "Username",
"order": 100,
},
)
prompt_stage.fields.add(prompt)

2
authentik/flows/migrations/0011_flow_title.py
View File

@ -8,7 +8,7 @@ def add_title_for_defaults(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
slug_title_map = {
"default-authentication-flow": "Welcome to authentik!",
"default-invalidation-flow": "Default Invalidation Flow",
"default-source-enrollment": "Welcome to authentik!",
"default-source-enrollment": "Welcome to authentik! Please select a username.",
"default-source-authentication": "Welcome to authentik!",
"default-provider-authorization-implicit-consent": "Default Provider Authorization Flow (implicit consent)",
"default-provider-authorization-explicit-consent": "Default Provider Authorization Flow (explicit consent)",

139
authentik/flows/migrations/0018_oob_flows.py Normal file
View File

@ -0,0 +1,139 @@
# Generated by Django 3.1.7 on 2021-04-06 13:25
from django.apps.registry import Apps
from django.contrib.auth.hashers import is_password_usable
from django.db import migrations
from django.db.backends.base.schema import BaseDatabaseSchemaEditor
from authentik.flows.models import FlowDesignation
PW_USABLE_POLICY_EXPRESSION = """# This policy ensures that the setup flow can only be
# executed when the admin user doesn't have a password set
akadmin = ak_user_by(username="akadmin")
return not akadmin.has_usable_password()"""
PREFILL_POLICY_EXPRESSION = """# This policy sets the user for the currently running flow
# by injecting "pending_user"
akadmin = ak_user_by(username="akadmin")
context["pending_user"] = akadmin
# We're also setting the backend for the user, so we can
# directly login without having to identify again
context["user_backend"] = "django.contrib.auth.backends.ModelBackend"
return True"""
def create_default_oob_flow(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
from authentik.stages.prompt.models import FieldTypes
User = apps.get_model("authentik_core", "User")
PolicyBinding = apps.get_model("authentik_policies", "PolicyBinding")
Flow = apps.get_model("authentik_flows", "Flow")
FlowStageBinding = apps.get_model("authentik_flows", "FlowStageBinding")
UserLoginStage = apps.get_model("authentik_stages_user_login", "UserLoginStage")
UserWriteStage = apps.get_model("authentik_stages_user_write", "UserWriteStage")
PromptStage = apps.get_model("authentik_stages_prompt", "PromptStage")
Prompt = apps.get_model("authentik_stages_prompt", "Prompt")
ExpressionPolicy = apps.get_model(
"authentik_policies_expression", "ExpressionPolicy"
)
db_alias = schema_editor.connection.alias
# Only create the flow if the akadmin user exists,
# and has an un-usable password
akadmins = User.objects.filter(username="akadmin")
if not akadmins.exists():
return
akadmin = akadmins.first()
if is_password_usable(akadmin.password):
return
# Create a policy that sets the flow's user
prefill_policy, _ = ExpressionPolicy.objects.using(db_alias).update_or_create(
name="default-oob-prefill-user",
defaults={"expression": PREFILL_POLICY_EXPRESSION},
)
password_usable_policy, _ = ExpressionPolicy.objects.using(
db_alias
).update_or_create(
name="default-oob-password-usable",
defaults={"expression": PW_USABLE_POLICY_EXPRESSION},
)
prompt_header, _ = Prompt.objects.using(db_alias).update_or_create(
field_key="oob-header-text",
defaults={
"label": "oob-header-text",
"type": FieldTypes.STATIC,
"placeholder": "Welcome to authentik! Please set a password for the default admin user, akadmin.",
"order": 100,
},
)
password_first = Prompt.objects.using(db_alias).get(field_key="password")
password_second = Prompt.objects.using(db_alias).get(field_key="password_repeat")
prompt_stage, _ = PromptStage.objects.using(db_alias).update_or_create(
name="default-oob-password",
)
prompt_stage.fields.set([prompt_header, password_first, password_second])
prompt_stage.save()
user_write, _ = UserWriteStage.objects.using(db_alias).update_or_create(
name="default-password-change-write"
)
login_stage, _ = UserLoginStage.objects.using(db_alias).update_or_create(
name="default-authentication-login"
)
flow, _ = Flow.objects.using(db_alias).update_or_create(
slug="initial-setup",
designation=FlowDesignation.STAGE_CONFIGURATION,
defaults={
"name": "default-oob-setup",
"title": "Welcome to authentik!",
},
)
PolicyBinding.objects.using(db_alias).update_or_create(
policy=password_usable_policy, target=flow, defaults={"order": 0}
)
FlowStageBinding.objects.using(db_alias).update_or_create(
target=flow,
stage=prompt_stage,
defaults={
"order": 10,
},
)
user_write_binding, _ = FlowStageBinding.objects.using(db_alias).update_or_create(
target=flow,
stage=user_write,
defaults={"order": 20, "evaluate_on_plan": False, "re_evaluate_policies": True},
)
PolicyBinding.objects.using(db_alias).update_or_create(
policy=prefill_policy, target=user_write_binding, defaults={"order": 0}
)
FlowStageBinding.objects.using(db_alias).update_or_create(
target=flow,
stage=login_stage,
defaults={
"order": 100,
},
)
class Migration(migrations.Migration):
dependencies = [
("authentik_flows", "0017_auto_20210329_1334"),
("authentik_stages_user_write", "__latest__"),
("authentik_stages_user_login", "__latest__"),
("authentik_stages_password", "0002_passwordstage_change_flow"),
("authentik_policies", "0001_initial"),
("authentik_policies_expression", "0001_initial"),
]
operations = [
migrations.RunPython(create_default_oob_flow),
]

4
authentik/stages/password/migrations/0002_passwordstage_change_flow.py
View File

@ -36,7 +36,7 @@ def create_default_password_change(apps: Apps, schema_editor: BaseDatabaseSchema
"type": FieldTypes.PASSWORD,
"required": True,
"placeholder": "Password",
"order": 0,
"order": 300,
},
)
password_rep_prompt, _ = Prompt.objects.using(db_alias).update_or_create(
@ -46,7 +46,7 @@ def create_default_password_change(apps: Apps, schema_editor: BaseDatabaseSchema
"type": FieldTypes.PASSWORD,
"required": True,
"placeholder": "Password (repeat)",
"order": 1,
"order": 301,
},
)

2
authentik/stages/prompt/stage.py
View File

@ -30,7 +30,7 @@ class PromptSerializer(PassiveSerializer):
"""Serializer for a single Prompt field"""
field_key = CharField()
label = CharField()
label = CharField(allow_blank=True)
type = CharField()
required = BooleanField()
placeholder = CharField()

4
authentik/stages/user_write/stage.py
View File

@ -69,6 +69,10 @@ class UserWriteStageView(StageView):
LOGGER.debug("discarding key", key=key)
continue
user.attributes[key.replace("attribute_", "", 1)] = value
# Extra check to prevent flows from saving a user with a blank username
if user.username == "":
LOGGER.warning("Aborting write to empty username", user=user)
return self.executor.stage_invalid()
user.save()
user_write.send(
sender=self, request=request, user=user, data=data, created=user_created

33
authentik/stages/user_write/tests.py
View File

@ -134,3 +134,36 @@ class TestUserWriteStage(TestCase):
"type": ChallengeTypes.NATIVE.value,
},
)
@patch(
"authentik.flows.views.to_stage_response",
TO_STAGE_RESPONSE_MOCK,
)
def test_with_blank_username(self):
"""Test with blank username results in error"""
plan = FlowPlan(
flow_pk=self.flow.pk.hex, stages=[self.stage], markers=[StageMarker()]
)
session = self.client.session
plan.context[PLAN_CONTEXT_PROMPT] = {
"username": "",
"attribute_some-custom-attribute": "test",
"some_ignored_attribute": "bar",
}
session[SESSION_KEY_PLAN] = plan
session.save()
response = self.client.get(
reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
)
self.assertEqual(response.status_code, 200)
self.assertJSONEqual(
force_str(response.content),
{
"component": "ak-stage-access-denied",
"error_message": None,
"title": "",
"type": ChallengeTypes.NATIVE.value,
},
)

10
helm/templates/NOTES.txt
View File

@ -1,5 +1,11 @@
1. Access authentik using the following URL:
Access authentik using the following URL:
{{- if .Release.IsUpgrade -}}
{{- range .Values.ingress.hosts }}
http{{ if $.Values.ingress.tls }}s{{ end }}://{{ . }}{{ $.Values.ingress.path }}
{{- end }}
2. Login to authentik using the user "akadmin" and the password "akadmin".
{{- else -}}
{{- range .Values.ingress.hosts }}
http{{ if $.Values.ingress.tls }}s{{ end }}://{{ . }}{{ $.Values.ingress.path }}/if/flow/initial-setup/
{{- end }}
To configure your authentik instance, and set a password for the akadmin user.
{{- end }}

3
web/src/elements/messages/MessageContainer.ts
View File

@ -78,8 +78,7 @@ export class MessageContainer extends LitElement {
this.addMessage(data);
this.requestUpdate();
});
this.messageSocket.addEventListener("error", (e) => {
console.warn(`authentik/messages: error ${e}`);
this.messageSocket.addEventListener("error", () => {
this.retryDelay = this.retryDelay * 2;
});
}

22
web/src/flows/FlowExecutor.ts
View File

@ -6,6 +6,7 @@ import PFBase from "@patternfly/patternfly/patternfly-base.css";
import PFTitle from "@patternfly/patternfly/components/Title/title.css";
import PFBackgroundImage from "@patternfly/patternfly/components/BackgroundImage/background-image.css";
import PFList from "@patternfly/patternfly/components/List/list.css";
import PFButton from "@patternfly/patternfly/components/Button/button.css";
import AKGlobal from "../authentik.css";
import { unsafeHTML } from "lit-html/directives/unsafe-html";
@ -58,7 +59,7 @@ export class FlowExecutor extends LitElement implements StageHost {
config?: Config;
static get styles(): CSSResult[] {
return [PFBase, PFLogin, PFTitle, PFList, PFBackgroundImage, AKGlobal].concat(css`
return [PFBase, PFLogin, PFButton, PFTitle, PFList, PFBackgroundImage, AKGlobal].concat(css`
.ak-loading {
display: flex;
height: 100%;
@ -115,8 +116,8 @@ export class FlowExecutor extends LitElement implements StageHost {
}).then((data) => {
this.challenge = data;
this.postUpdate();
}).catch((e) => {
this.errorMessage(e);
}).catch((e: Response) => {
this.errorMessage(e.statusText);
}).finally(() => {
this.loading = false;
});
@ -139,9 +140,9 @@ export class FlowExecutor extends LitElement implements StageHost {
this.setBackground(this.challenge.background);
}
this.postUpdate();
}).catch((e) => {
}).catch((e: Response) => {
// Catch JSON or Update errors
this.errorMessage(e);
this.errorMessage(e.statusText);
}).finally(() => {
this.loading = false;
});
@ -158,7 +159,16 @@ export class FlowExecutor extends LitElement implements StageHost {
<div class="pf-c-login__main-body">
<h3>${t`Something went wrong! Please try again later.`}</h3>
<pre class="ak-exception">${error}</pre>
</div>`
</div>
<footer class="pf-c-login__main-footer">
<ul class="pf-c-login__main-footer-links">
<li class="pf-c-login__main-footer-links-item">
<a class="pf-c-button pf-m-primary pf-m-block" href="/">
${t`Return`}
</a>
</li>
</ul>
</footer>`
};
}

37
web/src/flows/stages/prompt/PromptStage.ts
View File

@ -7,11 +7,13 @@ import PFFormControl from "@patternfly/patternfly/components/FormControl/form-co
import PFTitle from "@patternfly/patternfly/components/Title/title.css";
import PFButton from "@patternfly/patternfly/components/Button/button.css";
import PFBase from "@patternfly/patternfly/patternfly-base.css";
import PFAlert from "@patternfly/patternfly/components/Alert/alert.css";
import AKGlobal from "../../../authentik.css";
import { BaseStage } from "../base";
import "../../../elements/forms/FormElement";
import "../../../elements/EmptyState";
import { Challenge } from "../../../api/Flows";
import "../../../elements/Divider";
import { Challenge, Error } from "../../../api/Flows";
export interface Prompt {
field_key: string;
@ -33,7 +35,7 @@ export class PromptStage extends BaseStage {
challenge?: PromptChallenge;
static get styles(): CSSResult[] {
return [PFBase, PFLogin, PFForm, PFFormControl, PFTitle, PFButton, AKGlobal];
return [PFBase, PFLogin, PFAlert, PFForm, PFFormControl, PFTitle, PFButton, AKGlobal];
}
renderPromptInner(prompt: Prompt): string {
@ -101,7 +103,7 @@ export class PromptStage extends BaseStage {
class="pf-c-form-control"
?required=${prompt.required}>`;
case "separator":
return "<hr>";
return `<ak-divider>${prompt.placeholder}</ak-divider>`;
case "hidden":
return `<input
type="hidden"
@ -110,13 +112,29 @@ export class PromptStage extends BaseStage {
class="pf-c-form-control"
?required=${prompt.required}>`;
case "static":
return `<p
class="pf-c-form-control">${prompt.placeholder}
</p>`;
return `<p>${prompt.placeholder}</p>`;
}
return "";
}
renderNonFieldErrors(errors: Error[]): TemplateResult {
if (!errors) {
return html``;
}
return html`<div class="pf-c-form__alert">
${errors.map(err => {
return html`<div class="pf-c-alert pf-m-inline pf-m-danger">
<div class="pf-c-alert__icon">
<i class="fas fa-exclamation-circle"></i>
</div>
<h4 class="pf-c-alert__title">
${err.string}
</h4>
</div>`;
})}
</div>`;
}
render(): TemplateResult {
if (!this.challenge) {
return html`<ak-empty-state
@ -132,6 +150,10 @@ export class PromptStage extends BaseStage {
<div class="pf-c-login__main-body">
<form class="pf-c-form" @submit=${(e: Event) => {this.submitForm(e);}}>
${this.challenge.fields.map((prompt) => {
// Special types that aren't rendered in a wrapper
if (prompt.type === "static" || prompt.type === "hidden" || prompt.type === "separator") {
return unsafeHTML(this.renderPromptInner(prompt));
}
return html`<ak-form-element
label="${prompt.label}"
?required="${prompt.required}"
@ -140,6 +162,9 @@ export class PromptStage extends BaseStage {
${unsafeHTML(this.renderPromptInner(prompt))}
</ak-form-element>`;
})}
${"non_field_errors" in (this.challenge?.response_errors || {}) ?
this.renderNonFieldErrors(this.challenge?.response_errors?.non_field_errors || []):
html``}
<div class="pf-c-form__group pf-m-action">
<button type="submit" class="pf-c-button pf-m-primary pf-m-block">
${t`Continue`}

48
web/src/locales/en.po
View File

@ -32,16 +32,22 @@ msgstr "ACS URL"
#: src/pages/applications/ApplicationForm.ts:110
#: src/pages/flows/FlowForm.ts:109
#: src/pages/flows/StageBindingForm.ts:142
msgid "ALL, all policies must match to grant access."
msgstr "ALL, all policies must match to grant access."
#: src/pages/flows/StageBindingForm.ts:144
msgid "ALL, all policies must match to include this stage access."
msgstr "ALL, all policies must match to include this stage access."
#: src/pages/applications/ApplicationForm.ts:107
#: src/pages/flows/FlowForm.ts:106
#: src/pages/flows/StageBindingForm.ts:139
msgid "ANY, any policy must match to grant access."
msgstr "ANY, any policy must match to grant access."
#: src/pages/flows/StageBindingForm.ts:141
msgid "ANY, any policy must match to include this stage access."
msgstr "ANY, any policy must match to include this stage access."
#: src/elements/notifications/APIDrawer.ts:61
msgid "API Requests"
msgstr "API Requests"
@ -625,7 +631,7 @@ msgstr "Context"
#: src/flows/stages/consent/ConsentStage.ts:60
#: src/flows/stages/dummy/DummyStage.ts:39
#: src/flows/stages/password/PasswordStage.ts:71
#: src/flows/stages/prompt/PromptStage.ts:130
#: src/flows/stages/prompt/PromptStage.ts:155
#: src/pages/stages/authenticator_validate/AuthenticatorValidateStageForm.ts:91
msgid "Continue"
msgstr "Continue"
@ -1084,17 +1090,17 @@ msgstr "Error: unsupported source settings: {0}"
msgid "Error: unsupported stage settings: {0}"
msgstr "Error: unsupported stage settings: {0}"
#: src/pages/flows/StageBindingForm.ts:113
#: src/pages/flows/StageBindingForm.ts:119
msgid "Evaluate on plan"
msgstr "Evaluate on plan"
#: src/pages/flows/StageBindingForm.ts:116
msgid "Evaluate policies during the Flow planning process. Disable this for input-based policies."
msgstr "Evaluate policies during the Flow planning process. Disable this for input-based policies."
#: src/pages/flows/StageBindingForm.ts:133
msgid "Evaluate policies before the Stage is present to the user."
msgstr "Evaluate policies before the Stage is present to the user."
#: src/pages/flows/StageBindingForm.ts:125
msgid "Evaluate policies when the Stage is present to the user."
msgstr "Evaluate policies when the Stage is present to the user."
#: src/pages/flows/StageBindingForm.ts:123
msgid "Evaluate policies during the Flow planning process. Disable this for input-based policies. Should be used in conjunction with 'Re-evaluate policies', as with this option disabled, policies are **not** evaluated."
msgstr "Evaluate policies during the Flow planning process. Disable this for input-based policies. Should be used in conjunction with 'Re-evaluate policies', as with this option disabled, policies are **not** evaluated."
#: src/pages/events/EventListPage.ts:22
msgid "Event Log"
@ -1594,8 +1600,8 @@ msgid "Library"
msgstr "Library"
#: src/elements/table/Table.ts:113
#: src/flows/FlowExecutor.ts:154
#: src/flows/FlowExecutor.ts:200
#: src/flows/FlowExecutor.ts:164
#: src/flows/FlowExecutor.ts:210
#: src/flows/access_denied/FlowAccessDenied.ts:27
#: src/flows/stages/authenticator_static/AuthenticatorStaticStage.ts:43
#: src/flows/stages/authenticator_totp/AuthenticatorTOTPStage.ts:33
@ -1608,7 +1614,7 @@ msgstr "Library"
#: src/flows/stages/email/EmailStage.ts:26
#: src/flows/stages/identification/IdentificationStage.ts:134
#: src/flows/stages/password/PasswordStage.ts:31
#: src/flows/stages/prompt/PromptStage.ts:108
#: src/flows/stages/prompt/PromptStage.ts:126
#: src/pages/applications/ApplicationViewPage.ts:55
#: src/pages/user-settings/UserDetailsPage.ts:38
#: src/utils.ts:40
@ -2072,7 +2078,7 @@ msgid "Optionally set the 'FriendlyName' value of the Assertion attribute."
msgstr "Optionally set the 'FriendlyName' value of the Assertion attribute."
#: src/pages/flows/BoundStagesList.ts:38
#: src/pages/flows/StageBindingForm.ts:128
#: src/pages/flows/StageBindingForm.ts:110
#: src/pages/policies/BoundPoliciesList.ts:38
#: src/pages/policies/PolicyBindingForm.ts:203
#: src/pages/stages/prompt/PromptForm.ts:119
@ -2199,7 +2205,7 @@ msgstr "Policy binding"
#: src/pages/applications/ApplicationForm.ts:102
#: src/pages/flows/FlowForm.ts:101
#: src/pages/flows/StageBindingForm.ts:134
#: src/pages/flows/StageBindingForm.ts:136
msgid "Policy engine mode"
msgstr "Policy engine mode"
@ -2229,7 +2235,7 @@ msgstr "Post binding"
msgid "Post binding (auto-submit)"
msgstr "Post binding (auto-submit)"
#: src/flows/FlowExecutor.ts:242
#: src/flows/FlowExecutor.ts:252
msgid "Powered by authentik"
msgstr "Powered by authentik"
@ -2374,7 +2380,7 @@ msgstr "RSA-SHA384"
msgid "RSA-SHA512"
msgstr "RSA-SHA512"
#: src/pages/flows/StageBindingForm.ts:122
#: src/pages/flows/StageBindingForm.ts:130
msgid "Re-evaluate policies"
msgstr "Re-evaluate policies"
@ -2469,6 +2475,10 @@ msgstr "Retry Task"
msgid "Retry authentication"
msgstr "Retry authentication"
#: src/flows/FlowExecutor.ts:142
msgid "Return"
msgstr "Return"
#: src/elements/router/Router404.ts:28
msgid "Return home"
msgstr "Return home"
@ -2701,7 +2711,7 @@ msgstr "Skip path regex"
msgid "Slug"
msgstr "Slug"
#: src/flows/FlowExecutor.ts:134
#: src/flows/FlowExecutor.ts:135
msgid "Something went wrong! Please try again later."
msgstr "Something went wrong! Please try again later."
@ -3662,7 +3672,7 @@ msgstr "When selected, incoming assertion's Signatures will be validated against
msgid "When this option is enabled, all executions of this policy will be logged. By default, only execution errors are logged."
msgstr "When this option is enabled, all executions of this policy will be logged. By default, only execution errors are logged."
#: src/flows/FlowExecutor.ts:130
#: src/flows/FlowExecutor.ts:131
msgid "Whoops!"
msgstr "Whoops!"

44
web/src/locales/pseudo-LOCALE.po
View File

@ -32,16 +32,22 @@ msgstr ""
#: src/pages/applications/ApplicationForm.ts:110
#: src/pages/flows/FlowForm.ts:109
#: src/pages/flows/StageBindingForm.ts:142
msgid "ALL, all policies must match to grant access."
msgstr ""
#: src/pages/flows/StageBindingForm.ts:144
msgid "ALL, all policies must match to include this stage access."
msgstr ""
#: src/pages/applications/ApplicationForm.ts:107
#: src/pages/flows/FlowForm.ts:106
#: src/pages/flows/StageBindingForm.ts:139
msgid "ANY, any policy must match to grant access."
msgstr ""
#: src/pages/flows/StageBindingForm.ts:141
msgid "ANY, any policy must match to include this stage access."
msgstr ""
#: src/elements/notifications/APIDrawer.ts:61
msgid "API Requests"
msgstr ""
@ -621,7 +627,7 @@ msgstr ""
#: src/flows/stages/consent/ConsentStage.ts:60
#: src/flows/stages/dummy/DummyStage.ts:39
#: src/flows/stages/password/PasswordStage.ts:71
#: src/flows/stages/prompt/PromptStage.ts:130
#: src/flows/stages/prompt/PromptStage.ts:155
#: src/pages/stages/authenticator_validate/AuthenticatorValidateStageForm.ts:91
msgid "Continue"
msgstr ""
@ -1080,16 +1086,16 @@ msgstr ""
msgid "Error: unsupported stage settings: {0}"
msgstr ""
#: src/pages/flows/StageBindingForm.ts:113
#: src/pages/flows/StageBindingForm.ts:119
msgid "Evaluate on plan"
msgstr ""
#: src/pages/flows/StageBindingForm.ts:116
msgid "Evaluate policies during the Flow planning process. Disable this for input-based policies."
#: src/pages/flows/StageBindingForm.ts:133
msgid "Evaluate policies before the Stage is present to the user."
msgstr ""
#: src/pages/flows/StageBindingForm.ts:125
msgid "Evaluate policies when the Stage is present to the user."
#: src/pages/flows/StageBindingForm.ts:123
msgid "Evaluate policies during the Flow planning process. Disable this for input-based policies. Should be used in conjunction with 'Re-evaluate policies', as with this option disabled, policies are **not** evaluated."
msgstr ""
#: src/pages/events/EventListPage.ts:22
@ -1590,8 +1596,8 @@ msgid "Library"
msgstr ""
#: src/elements/table/Table.ts:113
#: src/flows/FlowExecutor.ts:154
#: src/flows/FlowExecutor.ts:200
#: src/flows/FlowExecutor.ts:164
#: src/flows/FlowExecutor.ts:210
#: src/flows/access_denied/FlowAccessDenied.ts:27
#: src/flows/stages/authenticator_static/AuthenticatorStaticStage.ts:43
#: src/flows/stages/authenticator_totp/AuthenticatorTOTPStage.ts:33
@ -1604,7 +1610,7 @@ msgstr ""
#: src/flows/stages/email/EmailStage.ts:26
#: src/flows/stages/identification/IdentificationStage.ts:134
#: src/flows/stages/password/PasswordStage.ts:31
#: src/flows/stages/prompt/PromptStage.ts:108
#: src/flows/stages/prompt/PromptStage.ts:126
#: src/pages/applications/ApplicationViewPage.ts:55
#: src/pages/user-settings/UserDetailsPage.ts:38
#: src/utils.ts:40
@ -2068,7 +2074,7 @@ msgid "Optionally set the 'FriendlyName' value of the Assertion attribute."
msgstr ""
#: src/pages/flows/BoundStagesList.ts:38
#: src/pages/flows/StageBindingForm.ts:128
#: src/pages/flows/StageBindingForm.ts:110
#: src/pages/policies/BoundPoliciesList.ts:38
#: src/pages/policies/PolicyBindingForm.ts:203
#: src/pages/stages/prompt/PromptForm.ts:119
@ -2195,7 +2201,7 @@ msgstr ""
#: src/pages/applications/ApplicationForm.ts:102
#: src/pages/flows/FlowForm.ts:101
#: src/pages/flows/StageBindingForm.ts:134
#: src/pages/flows/StageBindingForm.ts:136
msgid "Policy engine mode"
msgstr ""
@ -2225,7 +2231,7 @@ msgstr ""
msgid "Post binding (auto-submit)"
msgstr ""
#: src/flows/FlowExecutor.ts:242
#: src/flows/FlowExecutor.ts:252
msgid "Powered by authentik"
msgstr ""
@ -2370,7 +2376,7 @@ msgstr ""
msgid "RSA-SHA512"
msgstr ""
#: src/pages/flows/StageBindingForm.ts:122
#: src/pages/flows/StageBindingForm.ts:130
msgid "Re-evaluate policies"
msgstr ""
@ -2465,6 +2471,10 @@ msgstr ""
msgid "Retry authentication"
msgstr ""
#: src/flows/FlowExecutor.ts:142
msgid "Return"
msgstr ""
#: src/elements/router/Router404.ts:28
msgid "Return home"
msgstr ""
@ -2697,7 +2707,7 @@ msgstr ""
msgid "Slug"
msgstr ""
#: src/flows/FlowExecutor.ts:134
#: src/flows/FlowExecutor.ts:135
msgid "Something went wrong! Please try again later."
msgstr ""
@ -3656,7 +3666,7 @@ msgstr ""
msgid "When this option is enabled, all executions of this policy will be logged. By default, only execution errors are logged."
msgstr ""
#: src/flows/FlowExecutor.ts:130
#: src/flows/FlowExecutor.ts:131
msgid "Whoops!"
msgstr ""

22
web/src/pages/flows/StageBindingForm.ts
View File

@ -106,6 +106,12 @@ export class StageBindingForm extends Form<FlowStageBinding> {
}), html`<option>${t`Loading...`}</option>`)}
</select>
</ak-form-element-horizontal>
<ak-form-element-horizontal
label=${t`Order`}
?required=${true}
name="order">
<input type="number" value="${until(this.getOrder())}" class="pf-c-form-control" required>
</ak-form-element-horizontal>
<ak-form-element-horizontal name="evaluateOnPlan">
<div class="pf-c-check">
<input type="checkbox" class="pf-c-check__input" ?checked=${first(this.fsb?.evaluateOnPlan, true)}>
@ -113,7 +119,9 @@ export class StageBindingForm extends Form<FlowStageBinding> {
${t`Evaluate on plan`}
</label>
</div>
<p class="pf-c-form__helper-text">${t`Evaluate policies during the Flow planning process. Disable this for input-based policies.`}</p>
<p class="pf-c-form__helper-text">
${t`Evaluate policies during the Flow planning process. Disable this for input-based policies. Should be used in conjunction with 'Re-evaluate policies', as with this option disabled, policies are **not** evaluated.`}
</p>
</ak-form-element-horizontal>
<ak-form-element-horizontal name="reEvaluatePolicies">
<div class="pf-c-check">
@ -122,13 +130,7 @@ export class StageBindingForm extends Form<FlowStageBinding> {
${t`Re-evaluate policies`}
</label>
</div>
<p class="pf-c-form__helper-text">${t`Evaluate policies when the Stage is present to the user.`}</p>
</ak-form-element-horizontal>
<ak-form-element-horizontal
label=${t`Order`}
?required=${true}
name="order">
<input type="number" value="${until(this.getOrder())}" class="pf-c-form-control" required>
<p class="pf-c-form__helper-text">${t`Evaluate policies before the Stage is present to the user.`}</p>
</ak-form-element-horizontal>
<ak-form-element-horizontal
label=${t`Policy engine mode`}
@ -136,10 +138,10 @@ export class StageBindingForm extends Form<FlowStageBinding> {
name="policyEngineMode">
<select class="pf-c-form-control">
<option value=${FlowStageBindingPolicyEngineModeEnum.Any} ?selected=${this.fsb?.policyEngineMode === FlowStageBindingPolicyEngineModeEnum.Any}>
${t`ANY, any policy must match to grant access.`}
${t`ANY, any policy must match to include this stage access.`}
</option>
<option value=${FlowStageBindingPolicyEngineModeEnum.All} ?selected=${this.fsb?.policyEngineMode === FlowStageBindingPolicyEngineModeEnum.All}>
${t`ALL, all policies must match to grant access.`}
${t`ALL, all policies must match to include this stage access.`}
</option>
</select>
</ak-form-element-horizontal>

2
website/docs/installation/docker-compose.md
View File

@ -78,4 +78,4 @@ The compose file statically references the latest version available at the time
authentik will then be reachable HTTPS on port 443. You can optionally configure the packaged traefik to use Let's Encrypt certificates for TLS Encryption.
The initial setup process also creates a default admin user, the username and password for which is `akadmin`. It is highly recommended to change this password as soon as you log in.
To start the initial setup, navigate to `https://<your server>/if/flow/initial-setup/`. There you will be prompted to set a password for the akadmin user.

2
website/docs/installation/kubernetes.md
View File

@ -12,7 +12,7 @@ helm repo update
helm install authentik/authentik --devel -f values.yaml
```
This installation automatically applies database migrations on startup. After the installation is done, you can use `akadmin` as username and password.
This installation automatically applies database migrations on startup. After the installation is done, navigate to the `https://<ingress you've specified>/if/flow/initial-setup/`, to set a password for the akadmin user.
It is also recommended to configure global email credentials. These are used by authentik to notify you about alerts, configuration issues. They can also be used by [Email stages](flow/stages/email/index.md) to send verification/recovery emails.