make sure embedded outpost is disabled when tenants are enabled
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
parent
e14f1e2cfb
commit
fc851a8eff
|
@ -111,9 +111,8 @@ cert_discovery_dir: /certs
|
||||||
default_token_length: 60
|
default_token_length: 60
|
||||||
|
|
||||||
tenants:
|
tenants:
|
||||||
api:
|
|
||||||
enabled: false
|
enabled: false
|
||||||
key: ""
|
api_key: ""
|
||||||
|
|
||||||
blueprints_dir: /blueprints
|
blueprints_dir: /blueprints
|
||||||
|
|
||||||
|
|
|
@ -1,6 +1,7 @@
|
||||||
"""Serializer for tenants models"""
|
"""Serializer for tenants models"""
|
||||||
from hmac import compare_digest
|
from hmac import compare_digest
|
||||||
|
|
||||||
|
from django.http import Http404
|
||||||
from django_tenants.utils import get_tenant
|
from django_tenants.utils import get_tenant
|
||||||
from rest_framework import permissions
|
from rest_framework import permissions
|
||||||
from rest_framework.authentication import get_authorization_header
|
from rest_framework.authentication import get_authorization_header
|
||||||
|
@ -23,7 +24,7 @@ class TenantManagementKeyPermission(permissions.BasePermission):
|
||||||
|
|
||||||
def has_permission(self, request: Request, view: View) -> bool:
|
def has_permission(self, request: Request, view: View) -> bool:
|
||||||
token = validate_auth(get_authorization_header(request))
|
token = validate_auth(get_authorization_header(request))
|
||||||
key = CONFIG.get("tenants.api.key")
|
key = CONFIG.get("tenants.api_key")
|
||||||
if compare_digest("", key):
|
if compare_digest("", key):
|
||||||
return False
|
return False
|
||||||
return compare_digest(token, key)
|
return compare_digest(token, key)
|
||||||
|
@ -55,6 +56,11 @@ class TenantViewSet(ModelViewSet):
|
||||||
permission_classes = [TenantManagementKeyPermission]
|
permission_classes = [TenantManagementKeyPermission]
|
||||||
filter_backends = [OrderingFilter, SearchFilter]
|
filter_backends = [OrderingFilter, SearchFilter]
|
||||||
|
|
||||||
|
def dispatch(self, request, *args, **kwargs):
|
||||||
|
if not CONFIG.get_bool("tenants.enabled", True):
|
||||||
|
return Http404()
|
||||||
|
return super().dispatch(request, *args, **kwargs)
|
||||||
|
|
||||||
|
|
||||||
class DomainSerializer(ModelSerializer):
|
class DomainSerializer(ModelSerializer):
|
||||||
"""Domain Serializer"""
|
"""Domain Serializer"""
|
||||||
|
|
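Review bot: In the new `dispatch` on `TenantViewSet`, `return Http404()` hands an exception instance back where Django expects a response object, so the disabled path will not produce a clean 404; it should be `raise Http404()`. The guard on the line above reads `CONFIG.get_bool("tenants.enabled", True)`, which leaves the management API reachable when the key is missing, while the new check in authentik/tenants/checks.py defaults the same key to `False`; `if not CONFIG.get_bool("tenants.enabled", False):` keeps the gate closed by default. The API URLs section of this commit drops the `tenants.api.enabled` condition around the `tenants` route, so this guard and `TenantManagementKeyPermission` are the only controls left in front of the viewset. The class body starts and continues outside the hunk.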
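--- a/authentik/tenants/checks.py
+++ b/authentik/tenants/checks.py
@@ -0,0 +1,17 @@
+from django.core.checks import Error, register
+
+from authentik.lib.config import CONFIG
+
+
+@register()
+def check_embedded_outpost_disabled(app_configs, **kwargs):
+if CONFIG.get_bool("tenants.enabled", False) and not CONFIG.get_bool(
+"outposts.disable_embedded_outpost"
+):
+return [
+Error(
+"Embedded outpost must be disabled when tenants API is enabled.",
+hint="Disable embedded outpost by setting outposts.disable_embedded_outpost to False, or disable the tenants API by setting tenants.enabled to False",
+)
+]
+return []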
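Review bot: The `hint` string in `check_embedded_outpost_disabled` tells the operator to set `outposts.disable_embedded_outpost` to False, which is exactly the value that triggers this error, so following it leaves the deployment in the rejected state. It should read `hint="Disable embedded outpost by setting outposts.disable_embedded_outpost to True, or disable the tenants API by setting tenants.enabled to False"`. The error message also says "tenants API" while the condition tests `tenants.enabled`, so the wording should name the setting that is actually checked. Nothing in the visible sections imports `authentik.tenants.checks`; unless the app config loads the module elsewhere, the `@register()` decorator never runs and the check is silently skipped. A one-line docstring such as `"""Refuse to start with tenants enabled while the embedded outpost is still active"""` would document the intent.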
|
@ -1,17 +1,12 @@
|
||||||
"""API URLs"""
|
"""API URLs"""
|
||||||
from django.urls import path
|
from django.urls import path
|
||||||
|
|
||||||
from authentik.lib.config import CONFIG
|
|
||||||
from authentik.tenants.api import SettingsView, TenantViewSet
|
from authentik.tenants.api import SettingsView, TenantViewSet
|
||||||
|
|
||||||
api_urlpatterns = [
|
api_urlpatterns = [
|
||||||
path("admin/settings/", SettingsView.as_view(), name="tenant_settings"),
|
path("admin/settings/", SettingsView.as_view(), name="tenant_settings"),
|
||||||
]
|
|
||||||
|
|
||||||
if CONFIG.get_bool("tenants.api.enabled", False):
|
|
||||||
api_urlpatterns += [
|
|
||||||
(
|
(
|
||||||
"tenants",
|
"tenants",
|
||||||
TenantViewSet,
|
TenantViewSet,
|
||||||
),
|
),
|
||||||
]
|
]
|
||||||
|
|
|
@ -14,15 +14,14 @@ with open("local.env.yml", "w", encoding="utf-8") as _config:
|
||||||
},
|
},
|
||||||
"outposts": {
|
"outposts": {
|
||||||
"container_image_base": "ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s",
|
"container_image_base": "ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s",
|
||||||
|
"disable_embedded_outpost": False,
|
||||||
},
|
},
|
||||||
"blueprints_dir": "./blueprints",
|
"blueprints_dir": "./blueprints",
|
||||||
"cert_discovery_dir": "./certs",
|
"cert_discovery_dir": "./certs",
|
||||||
"geoip": "tests/GeoLite2-City-Test.mmdb",
|
"geoip": "tests/GeoLite2-City-Test.mmdb",
|
||||||
"tenants": {
|
"tenants": {
|
||||||
"api": {
|
"enabled": False,
|
||||||
"enabled": True,
|
"api_key": generate_id(),
|
||||||
"key": generate_id(),
|
|
||||||
},
|
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
_config,
|
_config,
|
||||||
|
|