trustchain-oc1-orchestral
/
authentik
Archived
10
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

core: bundle geoip (#4250) 

* bundle geoip

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* correctly pass secrets

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* add geoip docs and release notes

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
Jens L 2022-12-20 22:09:30 +01:00 committed by GitHub
parent 980d2a022c
commit f4990bb5da
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
12 changed files with 348 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.dockerignore
View File

@ -1,8 +1,8 @@
env
static
htmlcov
*.env.yml
**/node_modules
dist/**
build/**
build_docs/**
Dockerfile

3
.github/workflows/ci-main.yml vendored
View File

@ -208,6 +208,9 @@ jobs:
- name: Building Docker Image
uses: docker/build-push-action@v3
with:
secrets: |
GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
push: ${{ steps.ev.outputs.shouldBuild == 'true' }}
tags: |
ghcr.io/goauthentik/dev-server:gh-${{ steps.ev.outputs.branchNameContainer }}

11
.github/workflows/release-publish.yml vendored
View File

@ -31,6 +31,9 @@ jobs:
uses: docker/build-push-action@v3
with:
push: ${{ github.event_name == 'release' }}
secrets:
GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
tags: |
beryju/authentik:${{ steps.ev.outputs.version }},
beryju/authentik:${{ steps.ev.outputs.versionFamily }},
@ -39,7 +42,8 @@ jobs:
ghcr.io/goauthentik/server:${{ steps.ev.outputs.versionFamily }},
ghcr.io/goauthentik/server:latest
platforms: linux/amd64,linux/arm64
context: .
build-args: |
VERSION_FAMILY=${{ steps.ev.outputs.versionFamily }}
build-outpost:
runs-on: ubuntu-latest
strategy:
@ -84,6 +88,11 @@ jobs:
ghcr.io/goauthentik/${{ matrix.type }}:latest
file: ${{ matrix.type }}.Dockerfile
platforms: linux/amd64,linux/arm64
secrets: |
GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
build-args: |
VERSION_FAMILY=${{ steps.ev.outputs.versionFamily }}
build-outpost-binary:
timeout-minutes: 120
runs-on: ubuntu-latest

17
Dockerfile
View File

@ -46,7 +46,21 @@ COPY ./go.sum /work/go.sum
RUN go build -o /work/authentik ./cmd/server/
# Stage 5: Run
# Stage 5: MaxMind GeoIP
FROM docker.io/maxmindinc/geoipupdate:v4.10 as geoip
ENV GEOIPUPDATE_EDITION_IDS="GeoLite2-City"
RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
--mount=type=secret,id=GEOIPUPDATE_LICENSE_KEY \
mkdir -p /usr/share/GeoIP && \
/bin/sh -c "\
export GEOIPUPDATE_ACCOUNT_ID=$(cat /run/secrets/GEOIPUPDATE_ACCOUNT_ID); \
export GEOIPUPDATE_LICENSE_KEY=$(cat /run/secrets/GEOIPUPDATE_LICENSE_KEY); \
/usr/bin/entry.sh || exit 0 \
"
# Stage 6: Run
FROM docker.io/python:3.11.1-slim-bullseye AS final-image
LABEL org.opencontainers.image.url https://goauthentik.io
@ -60,6 +74,7 @@ ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
COPY --from=poetry-locker /work/requirements.txt /
COPY --from=poetry-locker /work/requirements-dev.txt /
COPY --from=geoip /usr/share/GeoIP /geoip
RUN apt-get update && \
# Required for installing pip packages

13
docker-compose.yml
View File

@ -44,7 +44,6 @@ services:
volumes:
- ./media:/media
- ./custom-templates:/templates
- geoip:/geoip
env_file:
- .env
ports:
@ -72,16 +71,6 @@ services:
- ./media:/media
- ./certs:/certs
- ./custom-templates:/templates
- geoip:/geoip
env_file:
- .env
geoipupdate:
image: "maxmindinc/geoipupdate:latest"
volumes:
- "geoip:/usr/share/GeoIP"
environment:
GEOIPUPDATE_EDITION_IDS: "GeoLite2-City"
GEOIPUPDATE_FREQUENCY: "8"
env_file:
- .env
@ -90,5 +79,3 @@ volumes:
driver: local
redis:
driver: local
geoip:
driver: local

105
website/docs/core/geoip.mdx Normal file
View File

@ -0,0 +1,105 @@
# GeoIP
authentik supports GeoIP to add additional information to login/authorization/enrollment requests, and make policy decisions based on the lookup result.
### Configuration
:::info
Starting with authentik 2022.12, GeoIP is bundled and does not require any additional setup.
:::
By default, the GeoIP database is loaded from `/geoip/GeoLite2-City.mmdb`. If more frequent database updates are desired, a volume can be mounted to `/geoip` to update this file externally. authentik will automatically re-load the file when it changes.
### Deactivating GeoIP
If you want to disable GeoIP, you can set the path to a non-existent path and authentik will skip the GeoIP.
import Tabs from "@theme/Tabs";
import TabItem from "@theme/TabItem";
<Tabs
defaultValue="docker-compose"
values={[
{label: 'docker-compose', value: 'docker-compose'},
{label: 'Kubernetes', value: 'kubernetes'},
]}>
<TabItem value="docker-compose">
Add the following block to your `.env` file:
```shell
AUTHENTIK_GEOIP=/tmp/non-existent-file
```
Afterwards, run the upgrade commands from the latest release notes.
</TabItem>
<TabItem value="kubernetes">
Add the following block to your `values.yml` file:
```yaml
authentik:
geoip: /tmp/non-existent-file
```
Afterwards, run the upgrade commands from the latest release notes.
</TabItem>
</Tabs>
### External updates
Sign up for a free MaxMind account [here](https://www.maxmind.com/en/geolite2/signup).
<Tabs
defaultValue="docker-compose"
values={[
{label: 'docker-compose', value: 'docker-compose'},
{label: 'Kubernetes', value: 'kubernetes'},
]}>
<TabItem value="docker-compose">
Add the following block to a `docker-compose.override.yml` file in the same folder as the authentik docker-compose file:
```yaml
version: "3.2"
services:
server:
volumes:
- geoip:/geoip
worker:
volumes:
- geoip:/geoip
geoipupdate:
image: "maxmindinc/geoipupdate:latest"
volumes:
- "geoip:/usr/share/GeoIP"
environment:
GEOIPUPDATE_EDITION_IDS: "GeoLite2-City"
GEOIPUPDATE_FREQUENCY: "8"
GEOIPUPDATE_ACCOUNT_ID: "*your account ID*"
GEOIPUPDATE_LICENSE_KEY: "*your license key*"
volumes:
geoip:
driver: local
```
Afterwards, run the upgrade commands from the latest release notes.
</TabItem>
<TabItem value="kubernetes">
Add the following block to your `values.yml` file:
```yaml
geoip:
enabled: true
accountId: "*your account ID*"
licenseKey: "*your license key*"
editionIds: "GeoLite2-City"
image: maxmindinc/geoipupdate:v4.8
updateInterval: 8
```
Afterwards, run the upgrade commands from the latest release notes.
</TabItem>
</Tabs>

12
website/docs/flow/stages/captcha/index.md
View File

@ -2,8 +2,18 @@
title: Captcha stage
---
This stage adds a form of verification using [Google's ReCaptcha](https://www.google.com/recaptcha/intro/v3.html).
This stage adds a form of verification using [Google's ReCaptcha](https://www.google.com/recaptcha/intro/v3.html) or compatible services.
### Google ReCaptcha
This stage has two required fields: Public key and private key. These can both be acquired at https://www.google.com/recaptcha/admin.
![](captcha-admin.png)
### hCaptcha
See https://docs.hcaptcha.com/switch
### Turnstile
See https://developers.cloudflare.com/turnstile/get-started/migrating-from-recaptcha

4
website/docs/installation/configuration.md
View File

@ -78,6 +78,10 @@ Defaults to `info`.
Which domain the session cookie should be set to. By default, the cookie is set to the domain authentik is accessed under.
### `AUTHENTIK_GEOIP`
Path to the GeoIP database. Defaults to `/geoip/GeoLite2-City.mmdb`. If the file is not found, authentik will skip GeoIP support.
### `AUTHENTIK_DISABLE_UPDATE_CHECK`
Disable the inbuilt update-checker. Defaults to `false`.

16
website/docs/installation/docker-compose.md
View File

@ -49,22 +49,6 @@ AUTHENTIK_EMAIL__TIMEOUT=10
AUTHENTIK_EMAIL__FROM=authentik@localhost
```
## GeoIP configuration (optional)
authentik can use a MaxMind-formatted GeoIP Database to extract location data from IPs. You can then use this location data in policies, and location data is saved in events.
To configure GeoIP, sign up for a free MaxMind account [here](https://www.maxmind.com/en/geolite2/signup).
After you have your account ID and license key, add the following block to your `.env` file:
```shell
GEOIPUPDATE_ACCOUNT_ID=*your account ID*
GEOIPUPDATE_LICENSE_KEY=* your license key*
AUTHENTIK_AUTHENTIK__GEOIP=/geoip/GeoLite2-City.mmdb
```
The GeoIP database will automatically be updated every 8 hours.
## Running on Port 80/443
By default, authentik listens on port 9000 for HTTP and 9443 for HTTPS. To change this, you can set the following variables in `.env`:

2
website/docs/policies/expression.mdx
View File

@ -70,7 +70,7 @@ import Objects from "../expressions/_objects.md";
- `request.obj`: A Django Model instance. This is only set if the policy is ran against an object.
- `request.context`: A dictionary with dynamic data. This depends on the origin of the execution.
- `geoip`: GeoIP object, which is added when GeoIP is enabled. See [GeoIP](https://geoip2.readthedocs.io/en/latest/#geoip2.models.City)
- `geoip`: GeoIP object, see [GeoIP](https://geoip2.readthedocs.io/en/latest/#geoip2.models.City)
- `ak_is_sso_flow`: Boolean which is true if request was initiated by authenticating through an external provider.
- `ak_client_ip`: Client's IP Address or 255.255.255.255 if no IP Address could be extracted. Can be [compared](#comparing-ip-addresses), for example

194
website/docs/releases/v2022.12.md Normal file
View File

@ -0,0 +1,194 @@
---
title: Release 2022.12
slug: "2022.12"
---
## New features
- Bundled GeoIP City database
authentik now comes with a bundled MaxMind GeoLite2 City database. This allows everyone to take advantage of the extra data provided by GeoIP. The default docker-compose file removes the GeoIP update container as it is no longer needed. See more [here](../core/geoip)
- Customisable Captcha stage
The captcha stage now supports alternate compatible providers, like [hCaptcha](https://docs.hcaptcha.com/switch/) and [Turnstile](https://developers.cloudflare.com/turnstile/get-started/migrating-from-recaptcha/).
## Upgrading
This release does not introduce any new requirements.
### docker-compose
Download the docker-compose file for 2022.12 from [here](https://goauthentik.io/version/2022.12/docker-compose.yml). Afterwards, simply run `docker-compose up -d`.
### Kubernetes
Update your values to use the new images:
```yaml
image:
repository: ghcr.io/goauthentik/server
tag: 2022.12.0
```
## Minor changes/fixes
## API Changes
#### What's Changed
---
##### `GET` /stages/captcha/{stage_uuid}/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Added property `js_url` (string)
- Added property `api_url` (string)
- Changed property `public_key` (string)
> Public key, acquired your captcha Provider.
##### `PUT` /stages/captcha/{stage_uuid}/
###### Request:
Changed content type : `application/json`
- Added property `js_url` (string)
- Added property `api_url` (string)
- Changed property `public_key` (string)
> Public key, acquired your captcha Provider.
- Changed property `private_key` (string)
> Private key, acquired your captcha Provider.
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Added property `js_url` (string)
- Added property `api_url` (string)
- Changed property `public_key` (string)
> Public key, acquired your captcha Provider.
##### `PATCH` /stages/captcha/{stage_uuid}/
###### Request:
Changed content type : `application/json`
- Added property `js_url` (string)
- Added property `api_url` (string)
- Changed property `public_key` (string)
> Public key, acquired your captcha Provider.
- Changed property `private_key` (string)
> Private key, acquired your captcha Provider.
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Added property `js_url` (string)
- Added property `api_url` (string)
- Changed property `public_key` (string)
> Public key, acquired your captcha Provider.
##### `GET` /flows/executor/{flow_slug}/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
Updated `ak-stage-captcha` component:
New required properties:
- `js_url`
* Added property `js_url` (string)
##### `POST` /flows/executor/{flow_slug}/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
Updated `ak-stage-captcha` component:
New required properties:
- `js_url`
* Added property `js_url` (string)
##### `POST` /stages/captcha/
###### Request:
Changed content type : `application/json`
- Added property `js_url` (string)
- Added property `api_url` (string)
- Changed property `public_key` (string)
> Public key, acquired your captcha Provider.
- Changed property `private_key` (string)
> Private key, acquired your captcha Provider.
###### Return Type:
Changed response : **201 Created**
- Changed content type : `application/json`
- Added property `js_url` (string)
- Added property `api_url` (string)
- Changed property `public_key` (string)
> Public key, acquired your captcha Provider.
##### `GET` /stages/captcha/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Changed property `results` (array)
Changed items (object): > CaptchaStage Serializer
- Added property `js_url` (string)
- Added property `api_url` (string)
- Changed property `public_key` (string)
> Public key, acquired your captcha Provider.

4
website/sidebars.js
View File

@ -34,6 +34,7 @@ module.exports = {
"core/applications",
"core/tenants",
"core/certificates",
"core/geoip",
],
},
{
@ -217,13 +218,14 @@ module.exports = {
description: "Release notes for recent authentik versions",
},
items: [
"releases/v2022.12",
"releases/v2022.11",
"releases/v2022.10",
"releases/v2022.9",
{
type: "category",
label: "Previous versions",
items: [
"releases/v2022.9",
"releases/v2022.8",
"releases/v2022.7",
"releases/v2022.6",