From ae91689fd8c158b4c92dc9cbc4c76c193e65866c Mon Sep 17 00:00:00 2001
From: Jens L <jens@goauthentik.io>
Date: Tue, 5 Sep 2023 22:15:14 +0200
Subject: [PATCH] policies/reputation: require either check to be enabled
 (#6764)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
---
 authentik/policies/reputation/api.py                      | 7 +++++++
 authentik/policies/reputation/tests.py                    | 7 +++++++
 web/src/admin/policies/reputation/ReputationPolicyForm.ts | 2 +-
 3 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/authentik/policies/reputation/api.py b/authentik/policies/reputation/api.py
index fc9eafcab..9e9d95e13 100644
--- a/authentik/policies/reputation/api.py
+++ b/authentik/policies/reputation/api.py
@@ -1,5 +1,7 @@
 """Reputation policy API Views"""
+from django.utils.translation import gettext_lazy as _
 from rest_framework import mixins
+from rest_framework.exceptions import ValidationError
 from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet, ModelViewSet
 
@@ -11,6 +13,11 @@ from authentik.policies.reputation.models import Reputation, ReputationPolicy
 class ReputationPolicySerializer(PolicySerializer):
     """Reputation Policy Serializer"""
 
+    def validate(self, attrs: dict) -> dict:
+        if not attrs.get("check_ip", False) and not attrs.get("check_username", False):
+            raise ValidationError(_("Either IP or Username must be checked"))
+        return super().validate(attrs)
+
     class Meta:
         model = ReputationPolicy
         fields = PolicySerializer.Meta.fields + [
diff --git a/authentik/policies/reputation/tests.py b/authentik/policies/reputation/tests.py
index 65910b89b..76a8cea4a 100644
--- a/authentik/policies/reputation/tests.py
+++ b/authentik/policies/reputation/tests.py
@@ -3,6 +3,8 @@ from django.core.cache import cache
 from django.test import RequestFactory, TestCase
 
 from authentik.core.models import User
+from authentik.lib.generators import generate_id
+from authentik.policies.reputation.api import ReputationPolicySerializer
 from authentik.policies.reputation.models import CACHE_KEY_PREFIX, Reputation, ReputationPolicy
 from authentik.policies.reputation.tasks import save_reputation
 from authentik.policies.types import PolicyRequest
@@ -61,3 +63,8 @@ class TestReputationPolicy(TestCase):
             name="reputation-test", threshold=0
         )
         self.assertTrue(policy.passes(request).passing)
+
+    def test_api(self):
+        """Test API Validation"""
+        no_toggle = ReputationPolicySerializer(data={"name": generate_id(), "threshold": -5})
+        self.assertFalse(no_toggle.is_valid())
diff --git a/web/src/admin/policies/reputation/ReputationPolicyForm.ts b/web/src/admin/policies/reputation/ReputationPolicyForm.ts
index 4d6088fb3..33903caab 100644
--- a/web/src/admin/policies/reputation/ReputationPolicyForm.ts
+++ b/web/src/admin/policies/reputation/ReputationPolicyForm.ts
@@ -93,7 +93,7 @@ doesn't pass when either or both of the selected options are equal or above the
                             <input
                                 class="pf-c-switch__input"
                                 type="checkbox"
-                                ?checked=${first(this.instance?.checkIp, false)}
+                                ?checked=${first(this.instance?.checkIp, true)}
                             />
                             <span class="pf-c-switch__toggle">
                                 <span class="pf-c-switch__toggle-icon">