trustchain-oc1-orchestral/authentik
Archived
10
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity
13154 commits 95 branches 330 tags 336 MiB
Commit graph

538 commits

Author SHA1 Message Date
Jens Langhammer 983882f5a0 providers/oauth2: ensure refresh tokens are URL safe 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

#3185
 2022-06-30 12:43:08 +02:00
Jens L c5a2831665
api: add basic jwt support with required scope (#2624) 
* api: add basic jwt support with required scope

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* api: only set auth_via when actually authenticating via token

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* save consented permissions in user consent, re-prompt when new permissions are required

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* update locale

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* translate special scope map

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* more api auth tests

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* add docs

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* build web api in e2e tests

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* link generated client instead of copying

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2022-06-26 17:51:15 +02:00
Jens Langhammer 6c9dc7a15b providers/oauth2: fix OAuth form_post response mode for code response_type 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

#3113
 2022-06-20 21:52:36 +02:00
Jens Langhammer 7caac1d0c7 providers/oauth2: add test to ensure capitalised redirect_uri isn't changed 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

#3114
 2022-06-18 13:13:36 +02:00
9p4 45364d6553
providers/oauth2: dont lowercase URL for token requests (#3114) 
this was a leftover from before the migration regex checking for redirect URIs

closes #3076 and #3083
 2022-06-18 13:08:15 +02:00
Jens Langhammer e892ed14da providers/oauth2: include source's user path in M2M created users 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2022-06-15 14:07:28 +02:00
Jens L 6821402fef
providers/oauth2: remove deprecated verification_keys (#3071) 
remove verification_keys

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2022-06-11 19:48:07 +02:00
Jens L 8dbb0bd2c6
providers/oauth2: token revoke (#3077) 2022-06-11 18:49:16 +02:00
Jens L 0cad56ec73
providers/oauth2: if a redirect_uri cannot be parsed as regex, compare strict (#3070) 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2022-06-10 23:32:57 +02:00
Jens Langhammer 23023ec727 providers/oauth2: add JWKS URL to OAuth2ProviderSetupURLs 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2022-06-07 20:17:06 +02:00
Jens L 0c591a50e3
*: don't dispatch tasks on startup of server (#3033) 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2022-06-03 18:29:24 +02:00
Jens Langhammer 558c7bba2a lib: add lxml wrapper 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2022-06-02 13:25:24 +02:00
Jens Langhammer 8cd1a42fb9 *: fix linting 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2022-06-02 11:50:10 +02:00
Jens L 2c6d82593e
root: cleanup session keys to use common format (#3003) 
cleanup session keys to use common format

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2022-05-31 21:53:23 +02:00
Jens L 9f2529c886
stages/authentiactor_validate: cookies (#2978) 
* stages/authenticator_validate: rewrite to use signed jwt cookie + expiry as MFA threshold

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* add more tests

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* add more tests

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2022-05-29 19:47:34 +02:00
Jens Langhammer 18b48684eb providers/oauth2: add configuration error event when wrong redirect uri is used in token request 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2022-05-28 21:15:58 +02:00
Jens Langhammer 2b68363452 providers/oauth2: add migration from "*" to ".*" 
closes #2970

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2022-05-27 10:23:13 +02:00
Jens Langhammer a81d5a3d41 providers/oauth2: regex-escape URLs when set to blank 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2022-05-26 12:52:56 +02:00
Jens Langhammer 5da47b69dd providers/oauth2: only set expiry on user when it was freshly created 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2022-05-25 23:02:33 +02:00
Jens Langhammer 0e0dd2437b providers/oauth2: handle attribute errors when validation JWK contains private key 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2022-05-25 22:23:05 +02:00
Jens Langhammer 4a9b788703 providers/oauth2: set related_name for many-to-many so used by detects the connection 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2022-05-24 22:12:35 +02:00
Jens L 80c1dbdfbb
ensure all viewsets have filter and search and add tests (#2946) 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2022-05-24 22:01:18 +02:00
Jens L b4e75218f5
sources/oauth: OIDC well-known and JWKS (#2936) 
* add initial

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* add provider

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* include source and jwk key id in event

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* add more docs

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* add tests for source

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* fix web formatting

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* add provider tests

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* fix lint error

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2022-05-24 21:02:50 +02:00
Jens Langhammer 61a876b582 providers/saml: handle parse error 
AUTHENTIK-1K5

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2022-05-23 22:03:12 +02:00
Jens Langhammer 8c9748e4a0 providers/oauth2: improve error handling for invalid regular expressions 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2022-05-23 20:47:36 +02:00
Jens Langhammer 11f7935155 providers/oauth2: use regex to check redirect URI 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

#2799
 2022-05-18 21:22:27 +02:00
Jens Langhammer f391c33bdf providers/oauth2: fix tests 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2022-05-14 12:41:40 +02:00
Jens Langhammer ee36b7f3eb flows: move autosubmit stage into flows package 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2022-05-14 12:06:19 +02:00
Jens Langhammer a9a62bbfc8 providers/oauth2: use correct title based on flow context and translated 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2022-05-14 00:08:29 +02:00
Jens Langhammer ddd785898b providers/saml: add title attribute to autosubmit stage and render correctly 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2022-05-14 00:08:14 +02:00
Jens Langhammer 8ba45a5f6a providers/oauth2: don't create events before client_id can be verified to prevent spam 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2022-05-14 00:02:01 +02:00
Jens Langhammer 7d41e6227b providers/oauth2: add tests for form_post, fix attrs not being flattened 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2022-05-13 23:52:50 +02:00
Jens Langhammer 1363226697 providers/saml: make SAML metadata generation consistent 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2022-05-13 17:40:18 +02:00
scheibling d4abf5621e
providers/oauth2: add support for form_post response mode (#2818) 
* Added request verification and parameter generation

* response_mode added to OAuthAuthorizationParams return

* Added class OauthPostFulfillmentStage
Check response_mode in initialization

* Corrected typo

* Removed separate class
Added handling for FORM_POST in create_response_uri
Added handling for FORM_POST in return class

* Fixed pylint error (trailing-whitespace)
Removed comment

* Reformatted authorize.py with black
 2022-05-12 21:36:31 +02:00
Jens L ab2299ba1e
outposts/ldap: cached bind (#2824) 
* initial cached ldap bind support

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* add web

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* add docs

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* clean up api generation

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* use gh action for golangci-lint

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2022-05-08 16:48:53 +02:00
scheibling 30c7e6c94c
providers/oauth2: fixed typo (PROMPT_CONSNET => PROMPT_CONSENT) (#2819) 2022-05-06 10:09:09 +02:00
Jens Langhammer f4f9f525d7 providers/oauth2: include application in login event 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2022-04-14 22:36:45 +02:00
Jens Langhammer 7561ea15de providers/oauth2: add additional tracing to token view 2022-04-14 16:48:17 +00:00
Jens Langhammer 5a58f6ee64 providers/oauth2: remove test for non sa user 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2022-04-12 20:35:13 +02:00
Jens Langhammer e84b17d550 providers/oauth2: don't force service accounts for client_credentials flow 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2022-04-12 10:23:25 +02:00
Jens Langhammer 8be04cc013 providers/oauth2: fix elliptic curve keys attempting to use EC256 instead of ES256 
closes #2703

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2022-04-11 20:05:58 +02:00
Jens Langhammer f977bf61eb providers/oauth2: make exp optional on jwt client_credentials flow 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2022-04-10 17:25:35 +02:00
Jens Langhammer f8f8a9bbb9 providers/oauth2: give keypairs private key preference over certificate in client_credentials jwt flow 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2022-04-10 16:27:53 +02:00
Jens Langhammer 5861d41ad3 tenants: add tenant-level attributes, applied to users based on request 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2022-04-06 10:41:35 +02:00
Jens Langhammer 4be238018b providers/oauth2: pass scope and other parameters to access policy request context 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

#2641
 2022-04-01 21:39:05 +02:00
Jens Langhammer 99008252f8 providers/oauth2: fix verification_keys being required 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2022-03-31 20:19:13 +02:00
Jens Langhammer 8689444954 providers/oauth2: add password grant support (treated as client_credentials) 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2022-03-31 18:02:17 +02:00
Jens L bb8af2f19b
providers/oauth2: add client_assertion_type jwt bearer support (#2618) 2022-03-31 00:30:55 +02:00
Adam G d75a864f0e
providers/oauth2: map internal groups to GitHub teams in GHE OAuth emulation (#2497) 
* providers/oauth2: impl `/user/teams` endpoint for Github OAuth2

This commit adds a functional `/user/teams` endpoint for the emulated Github OAuth2 service.
The teams a user is part of are based on the user's groups in Authentik.

* providers/oauth2: Move org template inside loop; Change slug to use Django slugify

* providers/oauth2: Remove placeholder replacement

* Possibly fix complaints from the linters

* Update github.py

* Change organization name

* Update github.py
 2022-03-23 12:05:20 +01:00
Jens Langhammer 53d0205e86 outposts/proxy: use Prefix in ingress for k8s 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2022-03-15 19:01:08 +01:00
Jens L 920d1f1b0e
providers/oauth2: initial client_credentials grant support (#2437) 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2022-03-05 23:24:55 +01:00
Jens Langhammer 08acc7ba41 providers/oauth2: fix invalid launch URL being generated 2022-03-01 15:29:21 +00:00
Jens Langhammer 72259f6479 events: fix lint 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2022-02-14 23:15:45 +01:00
Jens Langhammer 0973c74b9d providers/oauth2: fix redirect_uri being lowercased on successful validation 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2022-02-14 23:04:00 +01:00
Jens Langhammer c040b13b29 providers/proxy: remove leading slash to allow subdirectories in proxy 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

#2305
 2022-02-14 12:51:04 +01:00
Jens Langhammer f61549a60f providers/proxy: enable TLS in ingress via traefik annotation 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

#1997
 2022-02-12 18:35:24 +01:00
Jens Langhammer b5d43b15f8 providers/oauth2: add support for explicit response_mode 
closes #1953

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2022-02-12 16:56:47 +01:00
Jens L 4343246a41
*: rename akprox to outpost.goauthentik.io (#2266) 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2022-02-08 20:25:38 +01:00
Jens Langhammer eaba8006e6 sources/saml: fix incorrect ProtocolBinding being sent 
closes #2213

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2022-02-03 18:20:06 +01:00
Jens Langhammer 88603fa4f7 providers/proxy: set traefik labels using object_naming_template instead of UUID 2022-02-01 17:13:27 +00:00
Jens Langhammer c7ba183dc0 providers/proxy: fix traefik label 
closes #2128

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2022-01-24 17:45:09 +01:00
Jens Langhammer 82cc1d536a providers/proxy: add PathPrefix to auto-traefik labels 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

#2128
 2022-01-23 21:55:46 +01:00
Jens Langhammer 4d7d700afa providers/oauth2: change default redirect uri behaviour; set first used url when blank and use star for wildcard 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2022-01-12 22:44:57 +01:00
Jens Langhammer c07b8d95d0 outposts/proxy: remove deprecated headers 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2022-01-07 17:01:23 +01:00
Jens Langhammer 90c31c2214 flows: add test helpers to simplify and improve checking of stages, remove force_str 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2022-01-01 20:25:32 +01:00
Jens Langhammer c249b55ff5 *: use py3.10 syntax for unions, remove old Type[] import when possible 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-12-30 14:59:01 +01:00
Jens Langhammer 6dc2003e34 providers/oauth2: fix tests validating JWT incorrectly 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-12-22 23:00:57 +01:00
Jens Langhammer 0149c89003 providers/oauth2: fix invalid assignments in JWKS view 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-12-22 22:41:28 +01:00
Jens Langhammer f458cae954 providers/proxy: add error handing when field is already gone 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-12-22 22:31:53 +01:00
Jens Langhammer f01d117ce6 providers/proxy: fix imports in migrations 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-12-22 22:25:02 +01:00
Jens Langhammer 2bde43e5dc crypto: use older syntax for type union 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-12-22 22:22:45 +01:00
Jens Langhammer 2f3026084e providers/oauth2: remove jwt_alg field and set algorithm based on selected keypair, select HS256 when no keypair is selected 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-12-22 22:09:49 +01:00
Jens Langhammer 8a60a7e26f providers/proxy: revert to static list of forwarded headers 
wildcard is not usable for this since the regular expression doesn't support negative lookahead, meaning we would always forward all headers, including Connection and others

closes #1969

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-12-21 12:04:54 +01:00
Jens Langhammer 92b4244e81 providers/proxy: update traefik regex 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

#1969
 2021-12-20 22:43:58 +01:00
Jens Langhammer dfbf7027bc providers/proxy: add traefik.ingress.kubernetes.io/router.tls annotation for ingress 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-12-20 22:24:42 +01:00
Jens Langhammer 577b7ee515 providers/proxy: include auth headers 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-12-20 21:37:22 +01:00
Jens Langhammer ef23a0da52 outposts/proxy: fix traefik header regex to only match Remote- and X- headers to prevent websocket errors 
closes #1969

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-12-20 13:30:19 +01:00
Jens Langhammer b6ff04694f providers/oauth2: don't rely on expiry task for access codes and refresh tokens 
closes #1911

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-12-18 17:42:41 +01:00
NeroPcStation 273f5211a0
providers/saml: Fix typo (#1950) 2021-12-17 11:00:20 +00:00
Jens Langhammer fec6de1ba2 providers/oauth2: add additional logging to show with token path is taken 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-12-13 22:49:42 +01:00
Jens Langhammer 69678dcfa6 providers/oauth2: use generate_key instead of uuid4 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-12-13 22:13:20 +01:00
Jens Langhammer f2b3a2ec91 providers/saml: optimise excessive queries to user when evaluating attributes 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-12-13 16:38:38 +01:00
Jens Langhammer 326b574d54 root: update dependencies 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-12-07 16:25:10 +01:00
Jens Langhammer 873aa4bb22 providers/saml: remove SESSION_KEY_POST from session after using it 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

#1873
 2021-12-06 12:47:25 +01:00
Jens Langhammer ada2a16412 tests/e2e: add post binding test 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-12-05 11:18:01 +01:00
Jens Langhammer 6a3f7e45cf providers/saml: add ?force_binding to limit bindings for metadata endpoint 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-12-05 11:14:42 +01:00
Jens Langhammer 2b78c4ba86 *: use request.query_params instead of accessing the django request 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-12-05 11:14:20 +01:00
Jens Langhammer 680ef641fb providers/saml: fix error when propertymapping returns invalid data in list 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-12-05 10:31:16 +01:00
Jens Langhammer 4bd1cd127b providers/saml: fix IndexError in signature check 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-12-02 20:30:03 +01:00
Jens Langhammer 4f54ce6afb providers/saml: fix error when using post bindings and user freshly logged in 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

#1873
 2021-12-02 13:00:21 +01:00
Jens Langhammer b4963bec76 providers/proxy: fix defaults for traefik integration 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-12-01 21:47:13 +01:00
Jens Langhammer 7aa8e35f87 providers/proxy: use wildcard for traefik headers copy 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-12-01 20:19:35 +01:00
Jens Langhammer 60b95271eb outposts/proxy: add additional headers 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-12-01 20:19:09 +01:00
Jens Langhammer 0b8cfd437b *: fix typo'd signing pair name 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-11-24 09:55:10 +01:00
Jens L 9bb0d04aeb
root: Random tests (#1825) 
* root: add pytest-randomly to randomise tests

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* *: generate flows for testing instead of relying on existing ones

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* *: generate users for testing instead of relying on existing ones

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* *: use generated certificate

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* tests/e2e: keep containers

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* tests/e2e: use websockets test case

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-11-22 22:56:02 +01:00
Jens Langhammer b0fac9c9f1 providers/saml: fix SessionNotOnOrAfter not being included 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-11-16 12:36:40 +01:00
dependabot[bot] f7044e41c6
build(deps-dev): bump bandit from 1.7.0 to 1.7.1 (#1793) 
* build(deps-dev): bump bandit from 1.7.0 to 1.7.1

Bumps [bandit](https://github.com/PyCQA/bandit) from 1.7.0 to 1.7.1.
- [Release notes](https://github.com/PyCQA/bandit/releases)
- [Commits](https://github.com/PyCQA/bandit/compare/1.7.0...1.7.1)

---
updated-dependencies:
- dependency-name: bandit
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* *: fix bandit false positives

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-11-15 09:16:16 +01:00
Jens Langhammer c98bdbacc5 providers/proxy: return list of configured scope names so outpost requests custom scopes 
closes #1762

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-11-10 23:06:21 +01:00
Jens Langhammer 2cef220a3e providers/ldap: add/squash migrations 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-11-05 10:41:50 +01:00
Jens L 5a8c66d325
providers/ldap: memory Query (#1681) 
* outposts/ldap: modularise ldap outpost, to allow different searchers and binders

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* outposts/ldap: add basic in-memory searcher

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* providers/ldap: add search mode field

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* outpost: add search mode field

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-11-05 10:37:30 +01:00
Jens Langhammer 3005ca17bd web/admin: show warning on provider when not used with outpost 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-11-05 01:15:33 +01:00
Jens Langhammer 909461e533 providers/*: include list of outposts 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-11-05 01:06:04 +01:00
Jens Langhammer 6036d88392 providers/proxy: allow configuring of additional scope mappings for proxy 
closes #1255

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-10-31 22:25:51 +01:00
Jens Langhammer 335d6edd11 providers/saml: fix error on missing AssertionConsumerServiceURL, fall back to default ACS 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-10-31 17:21:15 +01:00
Jens Langhammer 1b21b50b77 providers/oauth2: fallback to uid if UPN was selected but isn't available 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-10-27 16:11:35 +02:00
Jens Langhammer 8eb4d53810 providers/oauth2: fix events being created from /application/o/authorize/ 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-10-21 22:59:01 +02:00
Jens Langhammer 98a56c77e3 providers/proxy: update ingress controller to work with k8s 1.22 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-10-18 10:00:24 +02:00
Jens Langhammer 2b09d97522 core: fix squash migrations error when AK_ADMIN_TOKEN is set 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-10-12 17:45:10 +02:00
Jens L e4f141c6c0
*: Squash Migrations (#1593) 
* *: first squash pass

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* sources/saml: squash less

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* outposts: fix docker controller not correctly checking image

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* tests/e2e: fix old migration reference

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-10-11 21:39:35 +02:00
Jens Langhammer 83150d9920 outposts: fix circular import in kubernetes controller 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-10-03 19:25:18 +02:00
Jens Langhammer d30dcda814 providers/proxy: always check ingress secret in kubernetes controller 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-10-03 19:14:27 +02:00
Jens Langhammer 3c1ac4c7ec outposts/proxy: add new headers with unified naming 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-10-02 22:00:23 +02:00
Jens L f9ad102915
flows: inspector (#1469) 
* flows: add initial inspector

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* flows: change naming a bit

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* web/flow: add inspector frame

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* core: don't use shadydom when inspecting

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* flows: add current stage to api

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* stages/*: fix imports

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* flows: deep-copy plan instead of just adding

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* web/flows: ui

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* flows: restrict inspector to admin

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* web/admin: add buttons to launch flow with inspector

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* web/flows: don't automatically follow redirects when inspector is open

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* flows: make current_plan optional, only require historry

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* web/flows: handle error messages in inspector

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* web/flows: improve UI when flow is done

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* flows: add is_completed flag to inspector

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* flows: fix monkeypatches for tests

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* flows: add inspector tests

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* ci: re-enable cache

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-09-28 09:36:48 +02:00
pemontto aea1736f70
outposts/proxy: Fix failing traefik healtcheck (#1470) 2021-09-26 11:33:18 +02:00
Jens Langhammer 4f3583cd7e providers/proxy: make token_validity float and optional for backwards compat 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-09-25 15:54:32 +02:00
Jens Langhammer f7408626a8 providers/proxy: return token_validity as total seconds instead of expression 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-09-25 15:44:16 +02:00
Jens Langhammer 28eeb4798e providers/proxy: add token_validity field for outpost configuration 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

#1462
 2021-09-25 15:00:06 +02:00
Jens Langhammer 79b92e764e *: fix typos in code 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-09-25 00:01:11 +02:00
Jens Langhammer ae07f13a87 outposts: don't map port 9300 on docker, only expose port 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-09-21 21:40:08 +02:00
Jens L 13e2eea72f
web/user: new end-user interface (#1404) 
* web/user: migrate to top navbar

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* web/user: prepare config from server

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* re-sort

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* remove old interface

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* update issue template

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* use notification badge

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* web/user: re-add go-to-admin button

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* *: fix remaining redirects directly to admin

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* make settings better

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* api: ensure sources and stages are sorted

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* web/user: add sessions and consent

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* providers/oauth2: add post wrapper to stage

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* website/docs: add new interface to release notes

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-09-16 22:17:05 +02:00
Jens Langhammer ae26d2756f providers/saml: improved error handling 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-09-16 10:58:51 +02:00
Jens Langhammer 916530f0d8 providers/oauth2: use access_code_validity for id_tokens generated when using an implicit flow, improve wording in web ui 
closes #1369

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-09-15 17:14:53 +02:00
Jens Langhammer ba6849f29c *: remove string.format() 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-09-14 12:06:47 +02:00
Jens Langhammer df4c8003b8 api: fix items of list fields having nullable set 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-09-10 18:15:59 +02:00
Jens Langhammer 4448145aa9 providers/proxy: use auth/traefik subpath 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-09-10 13:53:04 +02:00
Jens L 7158c9d2ea
core: metrics v2 (#1370) 
* outposts: add ldap metrics, move ping to 9100

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* outpost: add flow_executor metrics

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* use port 9300 for metrics, add core metrics port

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* outposts/controllers/k8s: add service monitor creation support

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-09-09 15:52:24 +02:00
Jens Langhammer da58796768 providers/proxy: fix defaults for old proxy providers (load providers directly) 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-09-09 13:54:24 +02:00
Jens Langhammer d98499a3fa providers/proxy: fix defaults for old proxy providers 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-09-09 13:26:36 +02:00
Jens Langhammer f3ff398a44 providers/proxy: add metrics port to controllers 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-09-08 23:01:22 +02:00
Jens L 3c1b70c355
outposts/proxyv2 (#1365) 
* outposts/proxyv2: initial commit

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

add rs256

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

more stuff

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

add forward auth an sign_out

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

match cookie name

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

re-add support for rs256 for backwards compat

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

add error handler

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

ensure unique user-agent is used

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

set cookie duration based on id_token expiry

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

build proxy v2

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

add ssl

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

add basic auth and custom header support

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

add application cert loading

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

implement whitelist

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

add redis

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

migrate embedded outpost to v2

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

remove old proxy

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

providers/proxy: make token expiration configurable

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

add metrics

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

fix tests

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* providers/proxy: only allow one redirect URI

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* fix docker build for proxy

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* remove default port offset

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* add AUTHENTIK_HOST_BROWSER

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* tests: fix e2e/integration tests not using proper tags

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* remove references of old port

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* fix user_attributes not being loaded correctly

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* cleanup dependencies

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* cleanup

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-09-08 18:04:56 +00:00
Jens Langhammer d92d8e6dbb api: add additional filters for ldap and proxy providers 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-09-03 10:43:09 +02:00
Jens Langhammer 3e9f5ec5ef providers/proxy: improve error handling for non-tls ingresses 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-08-30 14:43:57 +02:00
Jens Langhammer 0c6e781e5b providers/proxy: fix traefik middleware being generated with wrong ports for embedded outposts 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-08-29 20:49:11 +02:00
Jens Langhammer 2d8b4f543b providers/proxy: fix url parsing for traefik labels on docker containers 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-08-27 22:21:16 +02:00
Jens Langhammer 8542dc10ab providers/proxy: fix docker container labels not being inherited correctly 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-08-27 20:20:34 +02:00
Jens Langhammer 2ae164df78 *: cleanup api schema warnings 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-08-26 09:36:41 +02:00
Jens Langhammer cba255eaaa Merge branch 'master' into app-passwords 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

# Conflicts:
#	authentik/core/tests/test_source_flow_manager.py
#	authentik/stages/authenticator_validate/tests.py
#	authentik/stages/password/tests.py
#	scripts/generate_ci_config.py
 2021-08-23 21:21:12 +02:00
Jens L 859cf2bd8f
lib: move id and key generators to lib (#1286) 
* lib: move generators to lib

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* core: bump default token key size

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* *: fix split being used for http basic auth instead of partition

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* web/elements: don't rethrow error in ActionButton

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-08-23 20:27:38 +02:00
Jens Langhammer a2578ffaad core: add token tests for invalid intent and token auth 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-08-23 20:21:54 +02:00
Jens Langhammer d18e829d80 providers/ldap: fix error in outpost when certificate is configured 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-08-09 20:47:26 +02:00
Jens Langhammer f496b8b5d7 providers/oauth2: add more test cases for token view 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-08-09 00:20:32 +02:00
Jens Langhammer 665c1aa81b providers/proxy: don't create ingress when no hosts are defined 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-08-08 21:46:05 +02:00
Jens Langhammer ccfc1dbcc2 *: make all PropertyMappings filterable by multiple managed attributes 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-08-08 16:06:44 +02:00
Jens Langhammer 3367b83368 providers/saml: use idp-initiated sso flow as launch url 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-08-08 15:01:52 +02:00
Jens Langhammer 9a8240bdd1 proviers/saml: fix validation error not being raised 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-08-07 21:39:30 +02:00
Jens Langhammer f6ab241219 providers/oauth2: fix accessing undefined variable 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-08-07 21:35:17 +02:00
Jens Langhammer b0f09eb2c4 web/admin: fix Table not updating selectedElements correctly after update 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-08-07 20:53:28 +02:00
Jens Langhammer 9c9addb0ce *: ensure all resources can be filtered 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-08-07 16:34:14 +02:00
Jens Langhammer a449f9c69b providers/saml: fix error when PropertyMapping return value isn't string 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-08-03 22:40:56 +02:00
Jens Langhammer 36b346662c providers/saml: add WantAssertionsSigned 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-08-03 22:40:13 +02:00
Jens Langhammer 9d392931df root: fix lint errors from re-format 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-08-03 18:09:16 +02:00
Jens Langhammer 77ed25ae34 root: reformat to 100 line width 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-08-03 17:45:16 +02:00
Jens Langhammer f875149983 providers/saml: fix metadata being inaccessible without authentication 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-08-01 14:50:17 +02:00
Jens Langhammer d70b81fe43 providers/saml: fix Error when getting metadata for invalid ID 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-08-01 13:50:54 +02:00
Jens Langhammer 8495ff9fc0 providers/oauth2: fix error when requesting jwks keys with no rs256 aet 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-07-29 21:22:31 +02:00
Jens Langhammer 75ff2480e2 providers/proxy: fix hosts for ingress not being compared correctly 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-07-28 16:08:06 +02:00
Jens Langhammer e7b7bfddd6 providers/oauth2: fix blank redirect_uri not working with TokenView 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-07-26 11:29:16 +02:00
Jens Langhammer 0a3fade1fd providers/proxy: remove deprecated field 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-07-22 16:20:26 +02:00
Jens Langhammer 66bfa6879d outposts/proxy: add X-Auth-Groups header to pass groups 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-07-22 10:47:58 +02:00
Jens Langhammer 70e000d327 providers/saml: improve error handling for property mappings 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-07-21 23:14:03 +02:00
Jens Langhammer a7467e6740 providers/oauth2: handler PropertyMapping exceptions and create event 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-07-21 22:51:39 +02:00
Jens Langhammer ba9a4efc9b providers/oauth2: fix nonce field not being optional 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-07-21 00:34:01 +02:00
Jens Langhammer 902378af53 providers/oauth2: fix redirect_uris not having blank set 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-07-21 00:22:09 +02:00
Jens Langhammer 2352a7f4d6 providers/oauth2: nonce is only required for implicit flows, don't check or fallback for other flows 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-07-21 00:21:08 +02:00
Jens Langhammer 7c2decf5ec providers/ldap: squash migrations 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-07-14 09:22:25 +02:00
Lukas Söder 7f39399c32
providers/ldap: Added auto-generated uidNumber and guidNumber generated attributes for use with SSSD and similar software. (#1138) 
* Added auto-generated uidNumber and guidNumber generated attributes for
use with SSSD and similar software.

The starting number for uid/gid can be configured iva environtment
variables and is by default 2000 which should work fine for most instances unless there are more than
999 local accounts on the server/computer.

The uidNumber is just the users Pk + the starting number.
The guidNumber is calculated by the last couple of bytes in the uuid of
the group + the starting number, this should have a low enough chance
for collisions that it's going to be fine for most use cases.

I have not added any interface stuff for configuring the environment variables as I couldn't really find my way around all the places I'd have to edit to add it and the default values should in my opinion be fine for 99% use cases.

* Add a 'fake' primary group for each user

* First attempt att adding config to interface

* Updated API to support new fields

* Refactor code, update documentation and remove obsolete comment

Simplify `GetRIDForGroup`, was a bit overcomplicated before.

Add an additional class/struct `LDAPGroup` which is the new argument
for `pi.GroupEntry` and util functions to create `LDAPGroup` from api.Group and api.User

Add proper support in the interface for changing gidNumber and uidNumber starting points

* make lint-fix for the migration files
 2021-07-14 09:17:01 +02:00
Jens L 7dfc621ae4
LDAP Provider: TLS support (#1137) 2021-07-13 18:24:18 +02:00
Jens Langhammer 90fe1c2ce8 providers/oauth2: allow blank redirect_uris to allow any redirect_uri 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-07-08 19:28:35 +02:00
Jens Langhammer 40428f5a82 providers/saml: fix parsing of POST bindings 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-07-06 16:54:58 +02:00
Jens Langhammer 77a507d2f8 providers/oauth2: add revoked field, create suspicious event when previous token is used 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-07-03 15:59:01 +02:00
Jens Langhammer 3e60e956f4 providers/oauth2: fix CORS headers not being set for unsuccessful requests 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-07-03 15:49:00 +02:00
Jens Langhammer 84ec70c2a2 providers/oauth2: use self.expires for exp field instead of calculating it again 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-07-03 15:32:58 +02:00
Jens Langhammer 3e26170f4b providers/oauth2: deepmerge claims 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-07-01 17:33:46 +02:00
dependabot[bot] d102c59654
build(deps-dev): bump pylint from 2.8.3 to 2.9.0 (#1095) 
* build(deps-dev): bump pylint from 2.8.3 to 2.9.0

Bumps [pylint](https://github.com/PyCQA/pylint) from 2.8.3 to 2.9.0.
- [Release notes](https://github.com/PyCQA/pylint/releases)
- [Changelog](https://github.com/PyCQA/pylint/blob/master/ChangeLog)
- [Commits](https://github.com/PyCQA/pylint/compare/v2.8.3...v2.9.0)

---
updated-dependencies:
- dependency-name: pylint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* *: update source for new pylint version

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-06-30 10:37:28 +02:00
Jens Langhammer ba9edd6c44 flows: handle possible errors with FlowPlans received from cache 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-06-27 22:03:48 +02:00
Jens Langhammer 3b2b3262d7 flows: add FlowStageBinding to flow plan instead of just stage 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-06-27 18:47:04 +02:00
Jens Langhammer a3ff7cea23 providers/oauth2: fix usage of timedelta.seconds 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-06-25 11:55:00 +02:00
Jens Langhammer 9b5e3921cb providers/saml: better handle decoding errors 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-06-21 22:48:34 +02:00
Jens Langhammer 831b32c279 core: fix PropertyMapping's globals not matching Expression policy 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-06-21 15:54:43 +02:00
Jens Langhammer 19cac4bf43 providers/saml: fix error when getting transient user identifier 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-06-17 13:52:10 +02:00
Jens Langhammer 4ca564490e providers/saml: add support for NameID type unspecified 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-06-17 12:45:53 +02:00
Jens Langhammer fcb795c273 providers/saml: fix NameIDPolicy not being parsed correctly, improve error handling 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-06-17 12:22:40 +02:00
Jens Langhammer 0e02925a3d stages/authenticator_validate: add tests for authenticator validation 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-06-14 16:32:36 +02:00
Jens Langhammer 5b837c3ccc providers/saml: improve error handling for signature errors 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-06-14 12:51:42 +02:00
Jens Langhammer 31d2ea65fd provider/proxy: mark forward_auth flag as deprecated 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-06-13 12:39:25 +02:00
Jens Langhammer d878d2140e providers/saml: add metadata download link to api 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-06-10 14:06:44 +02:00
Jens L 34ae9e6dab
API: add endpoint to show by what objects an object is used (#995) 
* core: add used_by API to show what objects are affected before deletion

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* web/elements: add support for used_by API

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* core: add authentik_used_by_shadows to shadow other models

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* web: implement used_by API

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* *: fix duplicate imports

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* core: add action field to used_by api

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* web: add UI for used_by action

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* web: add notice to tenant form

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* core: fix naming in used_by

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* web: check length for used_by

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* core: fix used_by for non-pk models

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* *: improve __str__ on models

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* core: add support for many to many in used_by

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-06-10 11:58:12 +02:00
Jens L dad24c03ff
outposts: set cookies for a domain to authenticate an entire domain (#971) 
* outposts: initial cookie domain implementation

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* web/admin: add cookie domain setting

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* providers/proxy: replace forward_auth_mode with general mode

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* web/admin: rebuild proxy provider form

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* providers/proxy: re-add forward_auth_mode for backwards compat

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* web/admin: fix data.mode not being set

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* root: always set log level to debug when testing

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* providers/proxy: use new mode attribute

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* providers/proxy: only ingress /akprox on forward_domain

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* providers/proxy: fix lint error

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* web/admin: fix error on ProxyProviderForm when not using proxy mode

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* web/admin: fix default for outpost form's type missing

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* web/admin: add additional desc for proxy modes

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* outposts: fix service account permissions not always being updated

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* outpost/proxy: fix redirecting to incorrect host for domain mode

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* web: improve error handling for network errors

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* outpost: fix image naming not matching main imaeg

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* outposts/proxy: fix redirects for domain mode and traefik

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* web: fix colour for paragraphs

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* web/flows: fix consent stage not showing permissions correctly

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* website/docs: add domain-level docs

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* website/docs: fix broken links

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* outposts/proxy: remove dead code

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* web/flows: fix missing id for #header-text

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-06-08 23:10:17 +02:00
Jens Langhammer 029d58191e sources/saml: include metadata download link in API response 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-06-08 17:22:03 +02:00
Jens Langhammer 9180d448df core: move end-session to core 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-06-06 13:56:38 +02:00
Jens Langhammer cec47c3cfc providers/oauth2: show id_token issues for refresh token 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-06-02 22:05:04 +02:00
Jens Langhammer b50ac96605 providers/oauth2: remove size limit on Access code nonce 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-06-02 20:20:07 +02:00
Jens Langhammer 14f85ec980 tenants: migrate context_processor to tenants 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-05-29 18:01:48 +02:00
Jens Langhammer 58a4b20297 outposts: handle disconnects without outpost better 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-05-25 12:06:55 +02:00
Jens Langhammer c6bb6709fd flows: add default challenge response 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-05-24 20:27:50 +02:00
Jens Langhammer fb4e0723ee stages: fix stage unittests 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-05-24 17:12:48 +02:00
Jens Langhammer 6f6ae7831e flows: make use of oneOf OpenAPI to annotate all challenge types 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-05-24 14:11:23 +02:00
Jens Langhammer 9b57f0b81d Merge branch 'version-2021.5' into next 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

# Conflicts:
#	web/src/locales/en.po
#	web/src/locales/pseudo-LOCALE.po
 2021-05-22 20:01:16 +02:00
Jens Langhammer 2c816e6162 providers/proxy: don't use https to communicate with outpost 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
 2021-05-22 18:56:38 +02:00
Jens Langhammer bb89b9b572 Merge branch 'version-2021.5' into next 2021-05-21 23:50:43 +02:00