Compare commits
157 commits
trustchain
...
sources/sc
Author | SHA1 | Date | |
---|---|---|---|
10d76fa4f1 | |||
16bc7408e7 | |||
7f12b14145 | |||
619f356ecc | |||
d99a81d32f | |||
f1426be34c | |||
4698194a4a | |||
1a57f14f59 | |||
2cab4b7cda | |||
51d3511f8b | |||
6a8eae6780 | |||
99cecdb3ca | |||
bac7e034f8 | |||
3d66923310 | |||
95c71016ae | |||
5cfae6e117 | |||
a2e5de1656 | |||
0d59d24989 | |||
01ffece9ff | |||
5b5fc42a0c | |||
8cd352a600 | |||
2a3fd88081 | |||
d39d8e6195 | |||
b3d86374aa | |||
76db5b69de | |||
1ac3d6ddcb | |||
f4c6a0af1f | |||
d0c392f311 | |||
af1fed3308 | |||
deb0cb236e | |||
31592712a4 | |||
627b3bc095 | |||
ce667c6457 | |||
9b89ba0659 | |||
c86d347034 | |||
5b3a15173a | |||
0430c16f8a | |||
554481f81f | |||
2c84e3d955 | |||
dc7ffba8fa | |||
695719540b | |||
0e019e18c9 | |||
f728bbb14b | |||
4080080acd | |||
0a0f87b9ca | |||
7699a119a3 | |||
73fbcde924 | |||
a1efcc4da9 | |||
d594574ffa | |||
dbbb5e75cf | |||
ddb73db287 | |||
143f092153 | |||
d89adef963 | |||
5f3cbf6f7f | |||
a9fdacc60b | |||
9db9ad3d66 | |||
11dcda77fa | |||
4ce5f0931b | |||
f8e2cd5639 | |||
8b4f66e457 | |||
939631c94e | |||
467a149c06 | |||
f62f720c55 | |||
ba8fd9fcb2 | |||
fdc323af62 | |||
44bac0d67b | |||
191514864e | |||
258a4d5283 | |||
62a85fb888 | |||
7685320466 | |||
c30a2406a9 | |||
9232042c55 | |||
d8b1a59dad | |||
1e05d38059 | |||
d5871fef4e | |||
7f4fa70a41 | |||
fa0c4d8410 | |||
aeb24889fd | |||
8ac9042501 | |||
2d821a07c6 | |||
9680106b45 | |||
709358615c | |||
0ad1b42706 | |||
2333e1f434 | |||
4444db9e6d | |||
c5d483a238 | |||
cc1c66aa13 | |||
67d6c0e8af | |||
b9afac5008 | |||
aadda1f314 | |||
293fa2e375 | |||
ddb1597501 | |||
96f8e961ea | |||
f699dba2ae | |||
250e8ee4a1 | |||
ce47755049 | |||
8125a790a9 | |||
b7e653db6a | |||
74958693a1 | |||
cadc311703 | |||
924f3c9075 | |||
a7933c84c1 | |||
fe1a06ebf2 | |||
823e7dbe1a | |||
90b8217eb2 | |||
c897271756 | |||
d1c9d41954 | |||
1906a10b1a | |||
a03cc57473 | |||
e00799b314 | |||
faa5ce3e83 | |||
937d025ef6 | |||
a748a61cd6 | |||
b24420598c | |||
b005ec7684 | |||
6f6ee29738 | |||
ff3fef6d09 | |||
515958157c | |||
dd4e9030b4 | |||
f94670cad7 | |||
b4dd74f2ff | |||
9a2b548bf6 | |||
d6e3de4f48 | |||
30ccaaf97c | |||
3d9f7ee27e | |||
211dcf3272 | |||
1d0b8a065b | |||
7f82b555c8 | |||
f7aec3cf28 | |||
c6c133f67d | |||
73db23f21f | |||
4744f5c6c6 | |||
e92bda2659 | |||
a10392efcc | |||
e52f13afae | |||
07c50a43ae | |||
0cd2f68bf3 | |||
4ef10f1cec | |||
43151c09e2 | |||
871b5f3246 | |||
ed66bdaec4 | |||
345022f1aa | |||
f296862d3c | |||
5aca310d10 | |||
7dab5dc03f | |||
2d6e0984d1 | |||
028c7af00f | |||
6df83e4259 | |||
afdca418e1 | |||
d8728c1749 | |||
e5afabb221 | |||
a0a6ee0769 | |||
a65bb0b29f | |||
3df7b5504e | |||
99f44ea805 | |||
97ccc84796 | |||
a43b2fb17c |
|
@ -1,5 +1,5 @@
|
||||||
[bumpversion]
|
[bumpversion]
|
||||||
current_version = 2023.10.6
|
current_version = 2023.10.3
|
||||||
tag = True
|
tag = True
|
||||||
commit = True
|
commit = True
|
||||||
parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)
|
parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)
|
||||||
|
|
21
.github/actions/setup/action.yml
vendored
21
.github/actions/setup/action.yml
vendored
|
@ -2,39 +2,36 @@ name: "Setup authentik testing environment"
|
||||||
description: "Setup authentik testing environment"
|
description: "Setup authentik testing environment"
|
||||||
|
|
||||||
inputs:
|
inputs:
|
||||||
postgresql_version:
|
postgresql_tag:
|
||||||
description: "Optional postgresql image tag"
|
description: "Optional postgresql image tag"
|
||||||
default: "12"
|
default: "12"
|
||||||
|
|
||||||
runs:
|
runs:
|
||||||
using: "composite"
|
using: "composite"
|
||||||
steps:
|
steps:
|
||||||
- name: Install poetry & deps
|
- name: Install poetry
|
||||||
shell: bash
|
shell: bash
|
||||||
run: |
|
run: |
|
||||||
pipx install poetry || true
|
pipx install poetry || true
|
||||||
sudo apt-get update
|
sudo apt update
|
||||||
sudo apt-get install --no-install-recommends -y libpq-dev openssl libxmlsec1-dev pkg-config gettext
|
sudo apt install -y libpq-dev openssl libxmlsec1-dev pkg-config gettext
|
||||||
- name: Setup python and restore poetry
|
- name: Setup python and restore poetry
|
||||||
uses: actions/setup-python@v4
|
uses: actions/setup-python@v3
|
||||||
with:
|
with:
|
||||||
python-version-file: 'pyproject.toml'
|
python-version: "3.11"
|
||||||
cache: "poetry"
|
cache: "poetry"
|
||||||
- name: Setup node
|
- name: Setup node
|
||||||
uses: actions/setup-node@v3
|
uses: actions/setup-node@v3
|
||||||
with:
|
with:
|
||||||
node-version-file: web/package.json
|
node-version: "20"
|
||||||
cache: "npm"
|
cache: "npm"
|
||||||
cache-dependency-path: web/package-lock.json
|
cache-dependency-path: web/package-lock.json
|
||||||
- name: Setup go
|
|
||||||
uses: actions/setup-go@v4
|
|
||||||
with:
|
|
||||||
go-version-file: "go.mod"
|
|
||||||
- name: Setup dependencies
|
- name: Setup dependencies
|
||||||
shell: bash
|
shell: bash
|
||||||
run: |
|
run: |
|
||||||
export PSQL_TAG=${{ inputs.postgresql_version }}
|
export PSQL_TAG=${{ inputs.postgresql_tag }}
|
||||||
docker-compose -f .github/actions/setup/docker-compose.yml up -d
|
docker-compose -f .github/actions/setup/docker-compose.yml up -d
|
||||||
|
poetry env use python3.11
|
||||||
poetry install
|
poetry install
|
||||||
cd web && npm ci
|
cd web && npm ci
|
||||||
- name: Generate config
|
- name: Generate config
|
||||||
|
|
23
.github/workflows/ci-main.yml
vendored
23
.github/workflows/ci-main.yml
vendored
|
@ -48,38 +48,25 @@ jobs:
|
||||||
- name: run migrations
|
- name: run migrations
|
||||||
run: poetry run python -m lifecycle.migrate
|
run: poetry run python -m lifecycle.migrate
|
||||||
test-migrations-from-stable:
|
test-migrations-from-stable:
|
||||||
name: test-migrations-from-stable - PostgreSQL ${{ matrix.psql }}
|
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
strategy:
|
continue-on-error: true
|
||||||
fail-fast: false
|
|
||||||
matrix:
|
|
||||||
psql:
|
|
||||||
- 12-alpine
|
|
||||||
- 15-alpine
|
|
||||||
- 16-alpine
|
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
fetch-depth: 0
|
fetch-depth: 0
|
||||||
- name: Setup authentik env
|
- name: Setup authentik env
|
||||||
uses: ./.github/actions/setup
|
uses: ./.github/actions/setup
|
||||||
with:
|
|
||||||
postgresql_version: ${{ matrix.psql }}
|
|
||||||
- name: checkout stable
|
- name: checkout stable
|
||||||
run: |
|
run: |
|
||||||
# Delete all poetry envs
|
|
||||||
rm -rf /home/runner/.cache/pypoetry
|
|
||||||
# Copy current, latest config to local
|
# Copy current, latest config to local
|
||||||
cp authentik/lib/default.yml local.env.yml
|
cp authentik/lib/default.yml local.env.yml
|
||||||
cp -R .github ..
|
cp -R .github ..
|
||||||
cp -R scripts ..
|
cp -R scripts ..
|
||||||
git checkout version/$(python -c "from authentik import __version__; print(__version__)")
|
git checkout $(git describe --tags $(git rev-list --tags --max-count=1))
|
||||||
rm -rf .github/ scripts/
|
rm -rf .github/ scripts/
|
||||||
mv ../.github ../scripts .
|
mv ../.github ../scripts .
|
||||||
- name: Setup authentik env (ensure stable deps are installed)
|
- name: Setup authentik env (ensure stable deps are installed)
|
||||||
uses: ./.github/actions/setup
|
uses: ./.github/actions/setup
|
||||||
with:
|
|
||||||
postgresql_version: ${{ matrix.psql }}
|
|
||||||
- name: run migrations to stable
|
- name: run migrations to stable
|
||||||
run: poetry run python -m lifecycle.migrate
|
run: poetry run python -m lifecycle.migrate
|
||||||
- name: checkout current code
|
- name: checkout current code
|
||||||
|
@ -89,13 +76,9 @@ jobs:
|
||||||
git reset --hard HEAD
|
git reset --hard HEAD
|
||||||
git clean -d -fx .
|
git clean -d -fx .
|
||||||
git checkout $GITHUB_SHA
|
git checkout $GITHUB_SHA
|
||||||
# Delete previous poetry env
|
|
||||||
rm -rf $(poetry env info --path)
|
|
||||||
poetry install
|
poetry install
|
||||||
- name: Setup authentik env (ensure latest deps are installed)
|
- name: Setup authentik env (ensure latest deps are installed)
|
||||||
uses: ./.github/actions/setup
|
uses: ./.github/actions/setup
|
||||||
with:
|
|
||||||
postgresql_version: ${{ matrix.psql }}
|
|
||||||
- name: migrate to latest
|
- name: migrate to latest
|
||||||
run: poetry run python -m lifecycle.migrate
|
run: poetry run python -m lifecycle.migrate
|
||||||
test-unittest:
|
test-unittest:
|
||||||
|
@ -114,7 +97,7 @@ jobs:
|
||||||
- name: Setup authentik env
|
- name: Setup authentik env
|
||||||
uses: ./.github/actions/setup
|
uses: ./.github/actions/setup
|
||||||
with:
|
with:
|
||||||
postgresql_version: ${{ matrix.psql }}
|
postgresql_tag: ${{ matrix.psql }}
|
||||||
- name: run unittest
|
- name: run unittest
|
||||||
run: |
|
run: |
|
||||||
poetry run make test
|
poetry run make test
|
||||||
|
|
2
.github/workflows/ci-outpost.yml
vendored
2
.github/workflows/ci-outpost.yml
vendored
|
@ -130,7 +130,7 @@ jobs:
|
||||||
go-version-file: "go.mod"
|
go-version-file: "go.mod"
|
||||||
- uses: actions/setup-node@v4
|
- uses: actions/setup-node@v4
|
||||||
with:
|
with:
|
||||||
node-version-file: web/package.json
|
node-version: "20"
|
||||||
cache: "npm"
|
cache: "npm"
|
||||||
cache-dependency-path: web/package-lock.json
|
cache-dependency-path: web/package-lock.json
|
||||||
- name: Generate API
|
- name: Generate API
|
||||||
|
|
10
.github/workflows/ci-web.yml
vendored
10
.github/workflows/ci-web.yml
vendored
|
@ -24,7 +24,7 @@ jobs:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v4
|
||||||
- uses: actions/setup-node@v4
|
- uses: actions/setup-node@v4
|
||||||
with:
|
with:
|
||||||
node-version-file: ${{ matrix.project }}/package.json
|
node-version: "20"
|
||||||
cache: "npm"
|
cache: "npm"
|
||||||
cache-dependency-path: ${{ matrix.project }}/package-lock.json
|
cache-dependency-path: ${{ matrix.project }}/package-lock.json
|
||||||
- working-directory: ${{ matrix.project }}/
|
- working-directory: ${{ matrix.project }}/
|
||||||
|
@ -40,7 +40,7 @@ jobs:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v4
|
||||||
- uses: actions/setup-node@v4
|
- uses: actions/setup-node@v4
|
||||||
with:
|
with:
|
||||||
node-version-file: web/package.json
|
node-version: "20"
|
||||||
cache: "npm"
|
cache: "npm"
|
||||||
cache-dependency-path: web/package-lock.json
|
cache-dependency-path: web/package-lock.json
|
||||||
- working-directory: web/
|
- working-directory: web/
|
||||||
|
@ -62,7 +62,7 @@ jobs:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v4
|
||||||
- uses: actions/setup-node@v4
|
- uses: actions/setup-node@v4
|
||||||
with:
|
with:
|
||||||
node-version-file: ${{ matrix.project }}/package.json
|
node-version: "20"
|
||||||
cache: "npm"
|
cache: "npm"
|
||||||
cache-dependency-path: ${{ matrix.project }}/package-lock.json
|
cache-dependency-path: ${{ matrix.project }}/package-lock.json
|
||||||
- working-directory: ${{ matrix.project }}/
|
- working-directory: ${{ matrix.project }}/
|
||||||
|
@ -78,7 +78,7 @@ jobs:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v4
|
||||||
- uses: actions/setup-node@v4
|
- uses: actions/setup-node@v4
|
||||||
with:
|
with:
|
||||||
node-version-file: web/package.json
|
node-version: "20"
|
||||||
cache: "npm"
|
cache: "npm"
|
||||||
cache-dependency-path: web/package-lock.json
|
cache-dependency-path: web/package-lock.json
|
||||||
- working-directory: web/
|
- working-directory: web/
|
||||||
|
@ -110,7 +110,7 @@ jobs:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v4
|
||||||
- uses: actions/setup-node@v4
|
- uses: actions/setup-node@v4
|
||||||
with:
|
with:
|
||||||
node-version-file: web/package.json
|
node-version: "20"
|
||||||
cache: "npm"
|
cache: "npm"
|
||||||
cache-dependency-path: web/package-lock.json
|
cache-dependency-path: web/package-lock.json
|
||||||
- working-directory: web/
|
- working-directory: web/
|
||||||
|
|
6
.github/workflows/ci-website.yml
vendored
6
.github/workflows/ci-website.yml
vendored
|
@ -18,7 +18,7 @@ jobs:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v4
|
||||||
- uses: actions/setup-node@v4
|
- uses: actions/setup-node@v4
|
||||||
with:
|
with:
|
||||||
node-version-file: website/package.json
|
node-version: "20"
|
||||||
cache: "npm"
|
cache: "npm"
|
||||||
cache-dependency-path: website/package-lock.json
|
cache-dependency-path: website/package-lock.json
|
||||||
- working-directory: website/
|
- working-directory: website/
|
||||||
|
@ -32,7 +32,7 @@ jobs:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v4
|
||||||
- uses: actions/setup-node@v4
|
- uses: actions/setup-node@v4
|
||||||
with:
|
with:
|
||||||
node-version-file: website/package.json
|
node-version: "20"
|
||||||
cache: "npm"
|
cache: "npm"
|
||||||
cache-dependency-path: website/package-lock.json
|
cache-dependency-path: website/package-lock.json
|
||||||
- working-directory: website/
|
- working-directory: website/
|
||||||
|
@ -53,7 +53,7 @@ jobs:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v4
|
||||||
- uses: actions/setup-node@v4
|
- uses: actions/setup-node@v4
|
||||||
with:
|
with:
|
||||||
node-version-file: website/package.json
|
node-version: "20"
|
||||||
cache: "npm"
|
cache: "npm"
|
||||||
cache-dependency-path: website/package-lock.json
|
cache-dependency-path: website/package-lock.json
|
||||||
- working-directory: website/
|
- working-directory: website/
|
||||||
|
|
2
.github/workflows/release-publish.yml
vendored
2
.github/workflows/release-publish.yml
vendored
|
@ -131,7 +131,7 @@ jobs:
|
||||||
go-version-file: "go.mod"
|
go-version-file: "go.mod"
|
||||||
- uses: actions/setup-node@v4
|
- uses: actions/setup-node@v4
|
||||||
with:
|
with:
|
||||||
node-version-file: web/package.json
|
node-version: "20"
|
||||||
cache: "npm"
|
cache: "npm"
|
||||||
cache-dependency-path: web/package-lock.json
|
cache-dependency-path: web/package-lock.json
|
||||||
- name: Build web
|
- name: Build web
|
||||||
|
|
2
.github/workflows/release-tag.yml
vendored
2
.github/workflows/release-tag.yml
vendored
|
@ -30,7 +30,7 @@ jobs:
|
||||||
private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
|
private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
|
||||||
- name: Extract version number
|
- name: Extract version number
|
||||||
id: get_version
|
id: get_version
|
||||||
uses: actions/github-script@v6
|
uses: actions/github-script@v7
|
||||||
with:
|
with:
|
||||||
github-token: ${{ steps.generate_token.outputs.token }}
|
github-token: ${{ steps.generate_token.outputs.token }}
|
||||||
script: |
|
script: |
|
||||||
|
|
3
.github/workflows/translation-advice.yml
vendored
3
.github/workflows/translation-advice.yml
vendored
|
@ -7,7 +7,8 @@ on:
|
||||||
paths:
|
paths:
|
||||||
- "!**"
|
- "!**"
|
||||||
- "locale/**"
|
- "locale/**"
|
||||||
- "web/src/locales/**"
|
- "!locale/en/**"
|
||||||
|
- "web/xliff/**"
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
post-comment:
|
post-comment:
|
||||||
|
|
2
.github/workflows/web-api-publish.yml
vendored
2
.github/workflows/web-api-publish.yml
vendored
|
@ -19,7 +19,7 @@ jobs:
|
||||||
token: ${{ steps.generate_token.outputs.token }}
|
token: ${{ steps.generate_token.outputs.token }}
|
||||||
- uses: actions/setup-node@v4
|
- uses: actions/setup-node@v4
|
||||||
with:
|
with:
|
||||||
node-version-file: web/package.json
|
node-version: "20"
|
||||||
registry-url: "https://registry.npmjs.org"
|
registry-url: "https://registry.npmjs.org"
|
||||||
- name: Generate API Client
|
- name: Generate API Client
|
||||||
run: make gen-client-ts
|
run: make gen-client-ts
|
||||||
|
|
14
Dockerfile
14
Dockerfile
|
@ -1,5 +1,3 @@
|
||||||
# syntax=docker/dockerfile:1
|
|
||||||
|
|
||||||
# Stage 1: Build website
|
# Stage 1: Build website
|
||||||
FROM --platform=${BUILDPLATFORM} docker.io/node:21 as website-builder
|
FROM --platform=${BUILDPLATFORM} docker.io/node:21 as website-builder
|
||||||
|
|
||||||
|
@ -9,7 +7,7 @@ WORKDIR /work/website
|
||||||
|
|
||||||
RUN --mount=type=bind,target=/work/website/package.json,src=./website/package.json \
|
RUN --mount=type=bind,target=/work/website/package.json,src=./website/package.json \
|
||||||
--mount=type=bind,target=/work/website/package-lock.json,src=./website/package-lock.json \
|
--mount=type=bind,target=/work/website/package-lock.json,src=./website/package-lock.json \
|
||||||
--mount=type=cache,id=npm-website,sharing=shared,target=/root/.npm \
|
--mount=type=cache,target=/root/.npm \
|
||||||
npm ci --include=dev
|
npm ci --include=dev
|
||||||
|
|
||||||
COPY ./website /work/website/
|
COPY ./website /work/website/
|
||||||
|
@ -27,7 +25,7 @@ WORKDIR /work/web
|
||||||
|
|
||||||
RUN --mount=type=bind,target=/work/web/package.json,src=./web/package.json \
|
RUN --mount=type=bind,target=/work/web/package.json,src=./web/package.json \
|
||||||
--mount=type=bind,target=/work/web/package-lock.json,src=./web/package-lock.json \
|
--mount=type=bind,target=/work/web/package-lock.json,src=./web/package-lock.json \
|
||||||
--mount=type=cache,id=npm-web,sharing=shared,target=/root/.npm \
|
--mount=type=cache,target=/root/.npm \
|
||||||
npm ci --include=dev
|
npm ci --include=dev
|
||||||
|
|
||||||
COPY ./web /work/web/
|
COPY ./web /work/web/
|
||||||
|
@ -64,8 +62,8 @@ COPY ./go.sum /go/src/goauthentik.io/go.sum
|
||||||
|
|
||||||
ENV CGO_ENABLED=0
|
ENV CGO_ENABLED=0
|
||||||
|
|
||||||
RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
|
RUN --mount=type=cache,target=/go/pkg/mod \
|
||||||
--mount=type=cache,id=go-build-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/root/.cache/go-build \
|
--mount=type=cache,target=/root/.cache/go-build \
|
||||||
GOARM="${TARGETVARIANT#v}" go build -o /go/authentik ./cmd/server
|
GOARM="${TARGETVARIANT#v}" go build -o /go/authentik ./cmd/server
|
||||||
|
|
||||||
# Stage 4: MaxMind GeoIP
|
# Stage 4: MaxMind GeoIP
|
||||||
|
@ -91,9 +89,7 @@ ENV VENV_PATH="/ak-root/venv" \
|
||||||
POETRY_VIRTUALENVS_CREATE=false \
|
POETRY_VIRTUALENVS_CREATE=false \
|
||||||
PATH="/ak-root/venv/bin:$PATH"
|
PATH="/ak-root/venv/bin:$PATH"
|
||||||
|
|
||||||
RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache
|
RUN --mount=type=cache,target=/var/cache/apt \
|
||||||
|
|
||||||
RUN --mount=type=cache,id=apt-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/var/cache/apt \
|
|
||||||
apt-get update && \
|
apt-get update && \
|
||||||
# Required for installing pip packages
|
# Required for installing pip packages
|
||||||
apt-get install -y --no-install-recommends build-essential pkg-config libxmlsec1-dev zlib1g-dev libpq-dev
|
apt-get install -y --no-install-recommends build-essential pkg-config libxmlsec1-dev zlib1g-dev libpq-dev
|
||||||
|
|
2
Makefile
2
Makefile
|
@ -110,6 +110,8 @@ gen-diff: ## (Release) generate the changelog diff between the current schema a
|
||||||
--markdown /local/diff.md \
|
--markdown /local/diff.md \
|
||||||
/local/old_schema.yml /local/schema.yml
|
/local/old_schema.yml /local/schema.yml
|
||||||
rm old_schema.yml
|
rm old_schema.yml
|
||||||
|
sed -i 's/{/{/g' diff.md
|
||||||
|
sed -i 's/}/}/g' diff.md
|
||||||
npx prettier --write diff.md
|
npx prettier --write diff.md
|
||||||
|
|
||||||
gen-clean:
|
gen-clean:
|
||||||
|
|
|
@ -2,7 +2,7 @@
|
||||||
from os import environ
|
from os import environ
|
||||||
from typing import Optional
|
from typing import Optional
|
||||||
|
|
||||||
__version__ = "2023.10.6"
|
__version__ = "2023.10.3"
|
||||||
ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
|
ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -13,6 +13,8 @@ from rest_framework.settings import api_settings
|
||||||
|
|
||||||
from authentik.api.pagination import PAGINATION_COMPONENT_NAME, PAGINATION_SCHEMA
|
from authentik.api.pagination import PAGINATION_COMPONENT_NAME, PAGINATION_SCHEMA
|
||||||
|
|
||||||
|
from authentik.api.apps import AuthentikAPIConfig
|
||||||
|
|
||||||
|
|
||||||
def build_standard_type(obj, **kwargs):
|
def build_standard_type(obj, **kwargs):
|
||||||
"""Build a basic type with optional add owns."""
|
"""Build a basic type with optional add owns."""
|
||||||
|
@ -100,3 +102,12 @@ def postprocess_schema_responses(result, generator: SchemaGenerator, **kwargs):
|
||||||
comp = result["components"]["schemas"][component]
|
comp = result["components"]["schemas"][component]
|
||||||
comp["additionalProperties"] = {}
|
comp["additionalProperties"] = {}
|
||||||
return result
|
return result
|
||||||
|
|
||||||
|
|
||||||
|
def preprocess_schema_exclude_non_api(endpoints, **kwargs):
|
||||||
|
"""Filter out all API Views which are not mounted under /api"""
|
||||||
|
return [
|
||||||
|
(path, path_regex, method, callback)
|
||||||
|
for path, path_regex, method, callback in endpoints
|
||||||
|
if path.startswith("/" + AuthentikAPIConfig.mountpoint)
|
||||||
|
]
|
||||||
|
|
|
@ -93,10 +93,10 @@ class ConfigView(APIView):
|
||||||
"traces_sample_rate": float(CONFIG.get("error_reporting.sample_rate", 0.4)),
|
"traces_sample_rate": float(CONFIG.get("error_reporting.sample_rate", 0.4)),
|
||||||
},
|
},
|
||||||
"capabilities": self.get_capabilities(),
|
"capabilities": self.get_capabilities(),
|
||||||
"cache_timeout": CONFIG.get_int("redis.cache_timeout"),
|
"cache_timeout": CONFIG.get_int("cache.timeout"),
|
||||||
"cache_timeout_flows": CONFIG.get_int("redis.cache_timeout_flows"),
|
"cache_timeout_flows": CONFIG.get_int("cache.timeout_flows"),
|
||||||
"cache_timeout_policies": CONFIG.get_int("redis.cache_timeout_policies"),
|
"cache_timeout_policies": CONFIG.get_int("cache.timeout_policies"),
|
||||||
"cache_timeout_reputation": CONFIG.get_int("redis.cache_timeout_reputation"),
|
"cache_timeout_reputation": CONFIG.get_int("cache.timeout_reputation"),
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
|
@ -21,9 +21,7 @@ _other_urls = []
|
||||||
for _authentik_app in get_apps():
|
for _authentik_app in get_apps():
|
||||||
try:
|
try:
|
||||||
api_urls = import_module(f"{_authentik_app.name}.urls")
|
api_urls = import_module(f"{_authentik_app.name}.urls")
|
||||||
except ModuleNotFoundError:
|
except (ModuleNotFoundError, ImportError) as exc:
|
||||||
continue
|
|
||||||
except ImportError as exc:
|
|
||||||
LOGGER.warning("Could not import app's URLs", app_name=_authentik_app.name, exc=exc)
|
LOGGER.warning("Could not import app's URLs", app_name=_authentik_app.name, exc=exc)
|
||||||
continue
|
continue
|
||||||
if not hasattr(api_urls, "api_urlpatterns"):
|
if not hasattr(api_urls, "api_urlpatterns"):
|
||||||
|
|
|
@ -40,7 +40,7 @@ class ManagedAppConfig(AppConfig):
|
||||||
meth()
|
meth()
|
||||||
self._logger.debug("Successfully reconciled", name=name)
|
self._logger.debug("Successfully reconciled", name=name)
|
||||||
except (DatabaseError, ProgrammingError, InternalError) as exc:
|
except (DatabaseError, ProgrammingError, InternalError) as exc:
|
||||||
self._logger.warning("Failed to run reconcile", name=name, exc=exc)
|
self._logger.debug("Failed to run reconcile", name=name, exc=exc)
|
||||||
|
|
||||||
|
|
||||||
class AuthentikBlueprintsConfig(ManagedAppConfig):
|
class AuthentikBlueprintsConfig(ManagedAppConfig):
|
||||||
|
|
|
@ -75,13 +75,13 @@ class BlueprintEventHandler(FileSystemEventHandler):
|
||||||
return
|
return
|
||||||
if event.is_directory:
|
if event.is_directory:
|
||||||
return
|
return
|
||||||
root = Path(CONFIG.get("blueprints_dir")).absolute()
|
|
||||||
path = Path(event.src_path).absolute()
|
|
||||||
rel_path = str(path.relative_to(root))
|
|
||||||
if isinstance(event, FileCreatedEvent):
|
if isinstance(event, FileCreatedEvent):
|
||||||
LOGGER.debug("new blueprint file created, starting discovery", path=rel_path)
|
LOGGER.debug("new blueprint file created, starting discovery")
|
||||||
blueprints_discovery.delay(rel_path)
|
blueprints_discovery.delay()
|
||||||
if isinstance(event, FileModifiedEvent):
|
if isinstance(event, FileModifiedEvent):
|
||||||
|
path = Path(event.src_path)
|
||||||
|
root = Path(CONFIG.get("blueprints_dir")).absolute()
|
||||||
|
rel_path = str(path.relative_to(root))
|
||||||
for instance in BlueprintInstance.objects.filter(path=rel_path, enabled=True):
|
for instance in BlueprintInstance.objects.filter(path=rel_path, enabled=True):
|
||||||
LOGGER.debug("modified blueprint file, starting apply", instance=instance)
|
LOGGER.debug("modified blueprint file, starting apply", instance=instance)
|
||||||
apply_blueprint.delay(instance.pk.hex)
|
apply_blueprint.delay(instance.pk.hex)
|
||||||
|
@ -98,32 +98,39 @@ def blueprints_find_dict():
|
||||||
return blueprints
|
return blueprints
|
||||||
|
|
||||||
|
|
||||||
def blueprints_find() -> list[BlueprintFile]:
|
def blueprints_find():
|
||||||
"""Find blueprints and return valid ones"""
|
"""Find blueprints and return valid ones"""
|
||||||
blueprints = []
|
blueprints = []
|
||||||
root = Path(CONFIG.get("blueprints_dir"))
|
root = Path(CONFIG.get("blueprints_dir"))
|
||||||
for path in root.rglob("**/*.yaml"):
|
for path in root.rglob("**/*.yaml"):
|
||||||
rel_path = path.relative_to(root)
|
|
||||||
# Check if any part in the path starts with a dot and assume a hidden file
|
# Check if any part in the path starts with a dot and assume a hidden file
|
||||||
if any(part for part in path.parts if part.startswith(".")):
|
if any(part for part in path.parts if part.startswith(".")):
|
||||||
continue
|
continue
|
||||||
|
LOGGER.debug("found blueprint", path=str(path))
|
||||||
with open(path, "r", encoding="utf-8") as blueprint_file:
|
with open(path, "r", encoding="utf-8") as blueprint_file:
|
||||||
try:
|
try:
|
||||||
raw_blueprint = load(blueprint_file.read(), BlueprintLoader)
|
raw_blueprint = load(blueprint_file.read(), BlueprintLoader)
|
||||||
except YAMLError as exc:
|
except YAMLError as exc:
|
||||||
raw_blueprint = None
|
raw_blueprint = None
|
||||||
LOGGER.warning("failed to parse blueprint", exc=exc, path=str(rel_path))
|
LOGGER.warning("failed to parse blueprint", exc=exc, path=str(path))
|
||||||
if not raw_blueprint:
|
if not raw_blueprint:
|
||||||
continue
|
continue
|
||||||
metadata = raw_blueprint.get("metadata", None)
|
metadata = raw_blueprint.get("metadata", None)
|
||||||
version = raw_blueprint.get("version", 1)
|
version = raw_blueprint.get("version", 1)
|
||||||
if version != 1:
|
if version != 1:
|
||||||
LOGGER.warning("invalid blueprint version", version=version, path=str(rel_path))
|
LOGGER.warning("invalid blueprint version", version=version, path=str(path))
|
||||||
continue
|
continue
|
||||||
file_hash = sha512(path.read_bytes()).hexdigest()
|
file_hash = sha512(path.read_bytes()).hexdigest()
|
||||||
blueprint = BlueprintFile(str(rel_path), version, file_hash, int(path.stat().st_mtime))
|
blueprint = BlueprintFile(
|
||||||
|
str(path.relative_to(root)), version, file_hash, int(path.stat().st_mtime)
|
||||||
|
)
|
||||||
blueprint.meta = from_dict(BlueprintMetadata, metadata) if metadata else None
|
blueprint.meta = from_dict(BlueprintMetadata, metadata) if metadata else None
|
||||||
blueprints.append(blueprint)
|
blueprints.append(blueprint)
|
||||||
|
LOGGER.debug(
|
||||||
|
"parsed & loaded blueprint",
|
||||||
|
hash=file_hash,
|
||||||
|
path=str(path),
|
||||||
|
)
|
||||||
return blueprints
|
return blueprints
|
||||||
|
|
||||||
|
|
||||||
|
@ -131,12 +138,10 @@ def blueprints_find() -> list[BlueprintFile]:
|
||||||
throws=(DatabaseError, ProgrammingError, InternalError), base=MonitoredTask, bind=True
|
throws=(DatabaseError, ProgrammingError, InternalError), base=MonitoredTask, bind=True
|
||||||
)
|
)
|
||||||
@prefill_task
|
@prefill_task
|
||||||
def blueprints_discovery(self: MonitoredTask, path: Optional[str] = None):
|
def blueprints_discovery(self: MonitoredTask):
|
||||||
"""Find blueprints and check if they need to be created in the database"""
|
"""Find blueprints and check if they need to be created in the database"""
|
||||||
count = 0
|
count = 0
|
||||||
for blueprint in blueprints_find():
|
for blueprint in blueprints_find():
|
||||||
if path and blueprint.path != path:
|
|
||||||
continue
|
|
||||||
check_blueprint_v1_file(blueprint)
|
check_blueprint_v1_file(blueprint)
|
||||||
count += 1
|
count += 1
|
||||||
self.set_status(
|
self.set_status(
|
||||||
|
@ -166,11 +171,7 @@ def check_blueprint_v1_file(blueprint: BlueprintFile):
|
||||||
metadata={},
|
metadata={},
|
||||||
)
|
)
|
||||||
instance.save()
|
instance.save()
|
||||||
LOGGER.info(
|
|
||||||
"Creating new blueprint instance from file", instance=instance, path=instance.path
|
|
||||||
)
|
|
||||||
if instance.last_applied_hash != blueprint.hash:
|
if instance.last_applied_hash != blueprint.hash:
|
||||||
LOGGER.info("Applying blueprint due to changed file", instance=instance, path=instance.path)
|
|
||||||
apply_blueprint.delay(str(instance.pk))
|
apply_blueprint.delay(str(instance.pk))
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -38,7 +38,7 @@ class SourceSerializer(ModelSerializer, MetaNameSerializer):
|
||||||
|
|
||||||
managed = ReadOnlyField()
|
managed = ReadOnlyField()
|
||||||
component = SerializerMethodField()
|
component = SerializerMethodField()
|
||||||
icon = ReadOnlyField(source="icon_url")
|
icon = ReadOnlyField(source="get_icon")
|
||||||
|
|
||||||
def get_component(self, obj: Source) -> str:
|
def get_component(self, obj: Source) -> str:
|
||||||
"""Get object component so that we know how to edit the object"""
|
"""Get object component so that we know how to edit the object"""
|
||||||
|
|
|
@ -171,11 +171,6 @@ class UserSerializer(ModelSerializer):
|
||||||
raise ValidationError("Setting a user to internal service account is not allowed.")
|
raise ValidationError("Setting a user to internal service account is not allowed.")
|
||||||
return user_type
|
return user_type
|
||||||
|
|
||||||
def validate(self, attrs: dict) -> dict:
|
|
||||||
if self.instance and self.instance.type == UserTypes.INTERNAL_SERVICE_ACCOUNT:
|
|
||||||
raise ValidationError("Can't modify internal service account users")
|
|
||||||
return super().validate(attrs)
|
|
||||||
|
|
||||||
class Meta:
|
class Meta:
|
||||||
model = User
|
model = User
|
||||||
fields = [
|
fields = [
|
||||||
|
|
|
@ -44,7 +44,6 @@ class PropertyMappingEvaluator(BaseEvaluator):
|
||||||
if request:
|
if request:
|
||||||
req.http_request = request
|
req.http_request = request
|
||||||
self._context["request"] = req
|
self._context["request"] = req
|
||||||
req.context.update(**kwargs)
|
|
||||||
self._context.update(**kwargs)
|
self._context.update(**kwargs)
|
||||||
self.dry_run = dry_run
|
self.dry_run = dry_run
|
||||||
|
|
||||||
|
|
|
@ -13,6 +13,7 @@
|
||||||
{% block head_before %}
|
{% block head_before %}
|
||||||
{% endblock %}
|
{% endblock %}
|
||||||
<link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">
|
<link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">
|
||||||
|
<link rel="stylesheet" type="text/css" href="{% static 'dist/theme-dark.css' %}" media="(prefers-color-scheme: dark)">
|
||||||
<link rel="stylesheet" type="text/css" href="{% static 'dist/custom.css' %}" data-inject>
|
<link rel="stylesheet" type="text/css" href="{% static 'dist/custom.css' %}" data-inject>
|
||||||
<script src="{% static 'dist/poly.js' %}?version={{ version }}" type="module"></script>
|
<script src="{% static 'dist/poly.js' %}?version={{ version }}" type="module"></script>
|
||||||
<script src="{% static 'dist/standalone/loading/index.js' %}?version={{ version }}" type="module"></script>
|
<script src="{% static 'dist/standalone/loading/index.js' %}?version={{ version }}" type="module"></script>
|
||||||
|
|
|
@ -6,7 +6,6 @@
|
||||||
{% block head_before %}
|
{% block head_before %}
|
||||||
<link rel="prefetch" href="/static/dist/assets/images/flow_background.jpg" />
|
<link rel="prefetch" href="/static/dist/assets/images/flow_background.jpg" />
|
||||||
<link rel="stylesheet" type="text/css" href="{% static 'dist/patternfly.min.css' %}">
|
<link rel="stylesheet" type="text/css" href="{% static 'dist/patternfly.min.css' %}">
|
||||||
<link rel="stylesheet" type="text/css" href="{% static 'dist/theme-dark.css' %}" media="(prefers-color-scheme: dark)">
|
|
||||||
{% include "base/header_js.html" %}
|
{% include "base/header_js.html" %}
|
||||||
{% endblock %}
|
{% endblock %}
|
||||||
|
|
||||||
|
|
|
@ -27,7 +27,6 @@ from authentik.lib.sentry import before_send
|
||||||
from authentik.lib.utils.errors import exception_to_string
|
from authentik.lib.utils.errors import exception_to_string
|
||||||
from authentik.outposts.models import OutpostServiceConnection
|
from authentik.outposts.models import OutpostServiceConnection
|
||||||
from authentik.policies.models import Policy, PolicyBindingModel
|
from authentik.policies.models import Policy, PolicyBindingModel
|
||||||
from authentik.policies.reputation.models import Reputation
|
|
||||||
from authentik.providers.oauth2.models import AccessToken, AuthorizationCode, RefreshToken
|
from authentik.providers.oauth2.models import AccessToken, AuthorizationCode, RefreshToken
|
||||||
from authentik.providers.scim.models import SCIMGroup, SCIMUser
|
from authentik.providers.scim.models import SCIMGroup, SCIMUser
|
||||||
from authentik.stages.authenticator_static.models import StaticToken
|
from authentik.stages.authenticator_static.models import StaticToken
|
||||||
|
@ -53,13 +52,11 @@ IGNORED_MODELS = (
|
||||||
RefreshToken,
|
RefreshToken,
|
||||||
SCIMUser,
|
SCIMUser,
|
||||||
SCIMGroup,
|
SCIMGroup,
|
||||||
Reputation,
|
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
def should_log_model(model: Model) -> bool:
|
def should_log_model(model: Model) -> bool:
|
||||||
"""Return true if operation on `model` should be logged"""
|
"""Return true if operation on `model` should be logged"""
|
||||||
# Check for silk by string so this comparison doesn't fail when silk isn't installed
|
|
||||||
if model.__module__.startswith("silk"):
|
if model.__module__.startswith("silk"):
|
||||||
return False
|
return False
|
||||||
return model.__class__ not in IGNORED_MODELS
|
return model.__class__ not in IGNORED_MODELS
|
||||||
|
@ -96,30 +93,21 @@ class AuditMiddleware:
|
||||||
of models"""
|
of models"""
|
||||||
|
|
||||||
get_response: Callable[[HttpRequest], HttpResponse]
|
get_response: Callable[[HttpRequest], HttpResponse]
|
||||||
anonymous_user: User = None
|
|
||||||
|
|
||||||
def __init__(self, get_response: Callable[[HttpRequest], HttpResponse]):
|
def __init__(self, get_response: Callable[[HttpRequest], HttpResponse]):
|
||||||
self.get_response = get_response
|
self.get_response = get_response
|
||||||
|
|
||||||
def _ensure_fallback_user(self):
|
|
||||||
"""Defer fetching anonymous user until we have to"""
|
|
||||||
if self.anonymous_user:
|
|
||||||
return
|
|
||||||
from guardian.shortcuts import get_anonymous_user
|
|
||||||
|
|
||||||
self.anonymous_user = get_anonymous_user()
|
|
||||||
|
|
||||||
def connect(self, request: HttpRequest):
|
def connect(self, request: HttpRequest):
|
||||||
"""Connect signal for automatic logging"""
|
"""Connect signal for automatic logging"""
|
||||||
self._ensure_fallback_user()
|
if not hasattr(request, "user"):
|
||||||
user = getattr(request, "user", self.anonymous_user)
|
return
|
||||||
if not user.is_authenticated:
|
if not getattr(request.user, "is_authenticated", False):
|
||||||
user = self.anonymous_user
|
return
|
||||||
if not hasattr(request, "request_id"):
|
if not hasattr(request, "request_id"):
|
||||||
return
|
return
|
||||||
post_save_handler = partial(self.post_save_handler, user=user, request=request)
|
post_save_handler = partial(self.post_save_handler, user=request.user, request=request)
|
||||||
pre_delete_handler = partial(self.pre_delete_handler, user=user, request=request)
|
pre_delete_handler = partial(self.pre_delete_handler, user=request.user, request=request)
|
||||||
m2m_changed_handler = partial(self.m2m_changed_handler, user=user, request=request)
|
m2m_changed_handler = partial(self.m2m_changed_handler, user=request.user, request=request)
|
||||||
post_save.connect(
|
post_save.connect(
|
||||||
post_save_handler,
|
post_save_handler,
|
||||||
dispatch_uid=request.request_id,
|
dispatch_uid=request.request_id,
|
||||||
|
|
|
@ -217,7 +217,6 @@ class Event(SerializerModel, ExpiringModel):
|
||||||
"path": request.path,
|
"path": request.path,
|
||||||
"method": request.method,
|
"method": request.method,
|
||||||
"args": cleanse_dict(QueryDict(request.META.get("QUERY_STRING", ""))),
|
"args": cleanse_dict(QueryDict(request.META.get("QUERY_STRING", ""))),
|
||||||
"user_agent": request.META.get("HTTP_USER_AGENT", ""),
|
|
||||||
}
|
}
|
||||||
# Special case for events created during flow execution
|
# Special case for events created during flow execution
|
||||||
# since they keep the http query within a wrapped query
|
# since they keep the http query within a wrapped query
|
||||||
|
|
|
@ -53,15 +53,7 @@ class TestEvents(TestCase):
|
||||||
"""Test plain from_http"""
|
"""Test plain from_http"""
|
||||||
event = Event.new("unittest").from_http(self.factory.get("/"))
|
event = Event.new("unittest").from_http(self.factory.get("/"))
|
||||||
self.assertEqual(
|
self.assertEqual(
|
||||||
event.context,
|
event.context, {"http_request": {"args": {}, "method": "GET", "path": "/"}}
|
||||||
{
|
|
||||||
"http_request": {
|
|
||||||
"args": {},
|
|
||||||
"method": "GET",
|
|
||||||
"path": "/",
|
|
||||||
"user_agent": "",
|
|
||||||
}
|
|
||||||
},
|
|
||||||
)
|
)
|
||||||
|
|
||||||
def test_from_http_clean_querystring(self):
|
def test_from_http_clean_querystring(self):
|
||||||
|
@ -75,7 +67,6 @@ class TestEvents(TestCase):
|
||||||
"args": {"token": SafeExceptionReporterFilter.cleansed_substitute},
|
"args": {"token": SafeExceptionReporterFilter.cleansed_substitute},
|
||||||
"method": "GET",
|
"method": "GET",
|
||||||
"path": "/",
|
"path": "/",
|
||||||
"user_agent": "",
|
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
)
|
)
|
||||||
|
@ -92,7 +83,6 @@ class TestEvents(TestCase):
|
||||||
"args": {"token": SafeExceptionReporterFilter.cleansed_substitute},
|
"args": {"token": SafeExceptionReporterFilter.cleansed_substitute},
|
||||||
"method": "GET",
|
"method": "GET",
|
||||||
"path": "/",
|
"path": "/",
|
||||||
"user_agent": "",
|
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
)
|
)
|
||||||
|
|
|
@ -5,13 +5,12 @@ from dataclasses import asdict, is_dataclass
|
||||||
from datetime import date, datetime, time, timedelta
|
from datetime import date, datetime, time, timedelta
|
||||||
from enum import Enum
|
from enum import Enum
|
||||||
from pathlib import Path
|
from pathlib import Path
|
||||||
from types import GeneratorType, NoneType
|
from types import GeneratorType
|
||||||
from typing import Any, Optional
|
from typing import Any, Optional
|
||||||
from uuid import UUID
|
from uuid import UUID
|
||||||
|
|
||||||
from django.contrib.auth.models import AnonymousUser
|
from django.contrib.auth.models import AnonymousUser
|
||||||
from django.core.handlers.wsgi import WSGIRequest
|
from django.core.handlers.wsgi import WSGIRequest
|
||||||
from django.core.serializers.json import DjangoJSONEncoder
|
|
||||||
from django.db import models
|
from django.db import models
|
||||||
from django.db.models.base import Model
|
from django.db.models.base import Model
|
||||||
from django.http.request import HttpRequest
|
from django.http.request import HttpRequest
|
||||||
|
@ -160,14 +159,7 @@ def sanitize_item(value: Any) -> Any:
|
||||||
"name": value.__name__,
|
"name": value.__name__,
|
||||||
"module": value.__module__,
|
"module": value.__module__,
|
||||||
}
|
}
|
||||||
# List taken from the stdlib's JSON encoder (_make_iterencode, encoder.py:415)
|
|
||||||
if isinstance(value, (bool, int, float, NoneType, list, tuple, dict)):
|
|
||||||
return value
|
return value
|
||||||
try:
|
|
||||||
return DjangoJSONEncoder().default(value)
|
|
||||||
except TypeError:
|
|
||||||
return str(value)
|
|
||||||
return str(value)
|
|
||||||
|
|
||||||
|
|
||||||
def sanitize_dict(source: dict[Any, Any]) -> dict[Any, Any]:
|
def sanitize_dict(source: dict[Any, Any]) -> dict[Any, Any]:
|
||||||
|
|
|
@ -33,7 +33,7 @@ PLAN_CONTEXT_SOURCE = "source"
|
||||||
# Is set by the Flow Planner when a FlowToken was used, and the currently active flow plan
|
# Is set by the Flow Planner when a FlowToken was used, and the currently active flow plan
|
||||||
# was restored.
|
# was restored.
|
||||||
PLAN_CONTEXT_IS_RESTORED = "is_restored"
|
PLAN_CONTEXT_IS_RESTORED = "is_restored"
|
||||||
CACHE_TIMEOUT = CONFIG.get_int("redis.cache_timeout_flows")
|
CACHE_TIMEOUT = CONFIG.get_int("cache.timeout_flows")
|
||||||
CACHE_PREFIX = "goauthentik.io/flows/planner/"
|
CACHE_PREFIX = "goauthentik.io/flows/planner/"
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -167,11 +167,7 @@ class ChallengeStageView(StageView):
|
||||||
stage_type=self.__class__.__name__, method="get_challenge"
|
stage_type=self.__class__.__name__, method="get_challenge"
|
||||||
).time(),
|
).time(),
|
||||||
):
|
):
|
||||||
try:
|
|
||||||
challenge = self.get_challenge(*args, **kwargs)
|
challenge = self.get_challenge(*args, **kwargs)
|
||||||
except StageInvalidException as exc:
|
|
||||||
self.logger.debug("Got StageInvalidException", exc=exc)
|
|
||||||
return self.executor.stage_invalid()
|
|
||||||
with Hub.current.start_span(
|
with Hub.current.start_span(
|
||||||
op="authentik.flow.stage._get_challenge",
|
op="authentik.flow.stage._get_challenge",
|
||||||
description=self.__class__.__name__,
|
description=self.__class__.__name__,
|
||||||
|
|
|
@ -1,4 +1,6 @@
|
||||||
"""authentik core config loader"""
|
"""authentik core config loader"""
|
||||||
|
import base64
|
||||||
|
import json
|
||||||
import os
|
import os
|
||||||
from collections.abc import Mapping
|
from collections.abc import Mapping
|
||||||
from contextlib import contextmanager
|
from contextlib import contextmanager
|
||||||
|
@ -22,6 +24,25 @@ SEARCH_PATHS = ["authentik/lib/default.yml", "/etc/authentik/config.yml", ""] +
|
||||||
ENV_PREFIX = "AUTHENTIK"
|
ENV_PREFIX = "AUTHENTIK"
|
||||||
ENVIRONMENT = os.getenv(f"{ENV_PREFIX}_ENV", "local")
|
ENVIRONMENT = os.getenv(f"{ENV_PREFIX}_ENV", "local")
|
||||||
|
|
||||||
|
REDIS_ENV_KEYS = [
|
||||||
|
f"{ENV_PREFIX}_REDIS__HOST",
|
||||||
|
f"{ENV_PREFIX}_REDIS__PORT",
|
||||||
|
f"{ENV_PREFIX}_REDIS__DB",
|
||||||
|
f"{ENV_PREFIX}_REDIS__USERNAME",
|
||||||
|
f"{ENV_PREFIX}_REDIS__PASSWORD",
|
||||||
|
f"{ENV_PREFIX}_REDIS__TLS",
|
||||||
|
f"{ENV_PREFIX}_REDIS__TLS_REQS",
|
||||||
|
]
|
||||||
|
|
||||||
|
DEPRECATIONS = {
|
||||||
|
"redis.broker_url": "broker.url",
|
||||||
|
"redis.broker_transport_options": "broker.transport_options",
|
||||||
|
"redis.cache_timeout": "cache.timeout",
|
||||||
|
"redis.cache_timeout_flows": "cache.timeout_flows",
|
||||||
|
"redis.cache_timeout_policies": "cache.timeout_policies",
|
||||||
|
"redis.cache_timeout_reputation": "cache.timeout_reputation",
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
def get_path_from_dict(root: dict, path: str, sep=".", default=None) -> Any:
|
def get_path_from_dict(root: dict, path: str, sep=".", default=None) -> Any:
|
||||||
"""Recursively walk through `root`, checking each part of `path` separated by `sep`.
|
"""Recursively walk through `root`, checking each part of `path` separated by `sep`.
|
||||||
|
@ -81,6 +102,10 @@ class AttrEncoder(JSONEncoder):
|
||||||
return super().default(o)
|
return super().default(o)
|
||||||
|
|
||||||
|
|
||||||
|
class UNSET:
|
||||||
|
"""Used to test whether configuration key has not been set."""
|
||||||
|
|
||||||
|
|
||||||
class ConfigLoader:
|
class ConfigLoader:
|
||||||
"""Search through SEARCH_PATHS and load configuration. Environment variables starting with
|
"""Search through SEARCH_PATHS and load configuration. Environment variables starting with
|
||||||
`ENV_PREFIX` are also applied.
|
`ENV_PREFIX` are also applied.
|
||||||
|
@ -113,6 +138,40 @@ class ConfigLoader:
|
||||||
self.update_from_file(env_file)
|
self.update_from_file(env_file)
|
||||||
self.update_from_env()
|
self.update_from_env()
|
||||||
self.update(self.__config, kwargs)
|
self.update(self.__config, kwargs)
|
||||||
|
self.check_deprecations()
|
||||||
|
|
||||||
|
def check_deprecations(self):
|
||||||
|
"""Warn if any deprecated configuration options are used"""
|
||||||
|
|
||||||
|
def _pop_deprecated_key(current_obj, dot_parts, index):
|
||||||
|
"""Recursive function to remove deprecated keys in configuration"""
|
||||||
|
dot_part = dot_parts[index]
|
||||||
|
if index == len(dot_parts) - 1:
|
||||||
|
return current_obj.pop(dot_part)
|
||||||
|
value = _pop_deprecated_key(current_obj[dot_part], dot_parts, index + 1)
|
||||||
|
if not current_obj[dot_part]:
|
||||||
|
current_obj.pop(dot_part)
|
||||||
|
return value
|
||||||
|
|
||||||
|
for deprecation, replacement in DEPRECATIONS.items():
|
||||||
|
if self.get(deprecation, default=UNSET) is not UNSET:
|
||||||
|
message = (
|
||||||
|
f"'{deprecation}' has been deprecated in favor of '{replacement}'! "
|
||||||
|
+ "Please update your configuration."
|
||||||
|
)
|
||||||
|
self.log(
|
||||||
|
"warning",
|
||||||
|
message,
|
||||||
|
)
|
||||||
|
try:
|
||||||
|
from authentik.events.models import Event, EventAction
|
||||||
|
|
||||||
|
Event.new(EventAction.CONFIGURATION_ERROR, message=message).save()
|
||||||
|
except ImportError:
|
||||||
|
continue
|
||||||
|
|
||||||
|
deprecated_attr = _pop_deprecated_key(self.__config, deprecation.split("."), 0)
|
||||||
|
self.set(replacement, deprecated_attr.value)
|
||||||
|
|
||||||
def log(self, level: str, message: str, **kwargs):
|
def log(self, level: str, message: str, **kwargs):
|
||||||
"""Custom Log method, we want to ensure ConfigLoader always logs JSON even when
|
"""Custom Log method, we want to ensure ConfigLoader always logs JSON even when
|
||||||
|
@ -180,6 +239,10 @@ class ConfigLoader:
|
||||||
error=str(exc),
|
error=str(exc),
|
||||||
)
|
)
|
||||||
|
|
||||||
|
def update_from_dict(self, update: dict):
|
||||||
|
"""Update config from dict"""
|
||||||
|
self.__config.update(update)
|
||||||
|
|
||||||
def update_from_env(self):
|
def update_from_env(self):
|
||||||
"""Check environment variables"""
|
"""Check environment variables"""
|
||||||
outer = {}
|
outer = {}
|
||||||
|
@ -188,19 +251,13 @@ class ConfigLoader:
|
||||||
if not key.startswith(ENV_PREFIX):
|
if not key.startswith(ENV_PREFIX):
|
||||||
continue
|
continue
|
||||||
relative_key = key.replace(f"{ENV_PREFIX}_", "", 1).replace("__", ".").lower()
|
relative_key = key.replace(f"{ENV_PREFIX}_", "", 1).replace("__", ".").lower()
|
||||||
# Recursively convert path from a.b.c into outer[a][b][c]
|
|
||||||
current_obj = outer
|
|
||||||
dot_parts = relative_key.split(".")
|
|
||||||
for dot_part in dot_parts[:-1]:
|
|
||||||
if dot_part not in current_obj:
|
|
||||||
current_obj[dot_part] = {}
|
|
||||||
current_obj = current_obj[dot_part]
|
|
||||||
# Check if the value is json, and try to load it
|
# Check if the value is json, and try to load it
|
||||||
try:
|
try:
|
||||||
value = loads(value)
|
value = loads(value)
|
||||||
except JSONDecodeError:
|
except JSONDecodeError:
|
||||||
pass
|
pass
|
||||||
current_obj[dot_parts[-1]] = Attr(value, Attr.Source.ENV, key)
|
attr_value = Attr(value, Attr.Source.ENV, relative_key)
|
||||||
|
set_path_in_dict(outer, relative_key, attr_value)
|
||||||
idx += 1
|
idx += 1
|
||||||
if idx > 0:
|
if idx > 0:
|
||||||
self.log("debug", "Loaded environment variables", count=idx)
|
self.log("debug", "Loaded environment variables", count=idx)
|
||||||
|
@ -241,6 +298,23 @@ class ConfigLoader:
|
||||||
"""Wrapper for get that converts value into boolean"""
|
"""Wrapper for get that converts value into boolean"""
|
||||||
return str(self.get(path, default)).lower() == "true"
|
return str(self.get(path, default)).lower() == "true"
|
||||||
|
|
||||||
|
def get_dict_from_b64_json(self, path: str, default=None) -> dict:
|
||||||
|
"""Wrapper for get that converts value from Base64 encoded string into dictionary"""
|
||||||
|
config_value = self.get(path)
|
||||||
|
if config_value is None:
|
||||||
|
return {}
|
||||||
|
try:
|
||||||
|
b64decoded_str = base64.b64decode(config_value).decode("utf-8")
|
||||||
|
b64decoded_str = b64decoded_str.strip().lstrip("{").rstrip("}")
|
||||||
|
b64decoded_str = "{" + b64decoded_str + "}"
|
||||||
|
return json.loads(b64decoded_str)
|
||||||
|
except (JSONDecodeError, TypeError, ValueError) as exc:
|
||||||
|
self.log(
|
||||||
|
"warning",
|
||||||
|
f"Ignored invalid configuration for '{path}' due to exception: {str(exc)}",
|
||||||
|
)
|
||||||
|
return default if isinstance(default, dict) else {}
|
||||||
|
|
||||||
def set(self, path: str, value: Any, sep="."):
|
def set(self, path: str, value: Any, sep="."):
|
||||||
"""Set value using same syntax as get()"""
|
"""Set value using same syntax as get()"""
|
||||||
set_path_in_dict(self.raw, path, Attr(value), sep=sep)
|
set_path_in_dict(self.raw, path, Attr(value), sep=sep)
|
||||||
|
|
|
@ -28,14 +28,28 @@ listen:
|
||||||
redis:
|
redis:
|
||||||
host: localhost
|
host: localhost
|
||||||
port: 6379
|
port: 6379
|
||||||
|
db: 0
|
||||||
|
username: ""
|
||||||
password: ""
|
password: ""
|
||||||
tls: false
|
tls: false
|
||||||
tls_reqs: "none"
|
tls_reqs: "none"
|
||||||
db: 0
|
|
||||||
cache_timeout: 300
|
# broker:
|
||||||
cache_timeout_flows: 300
|
# url: ""
|
||||||
cache_timeout_policies: 300
|
# transport_options: ""
|
||||||
cache_timeout_reputation: 300
|
|
||||||
|
cache:
|
||||||
|
# url: ""
|
||||||
|
timeout: 300
|
||||||
|
timeout_flows: 300
|
||||||
|
timeout_policies: 300
|
||||||
|
timeout_reputation: 300
|
||||||
|
|
||||||
|
# channel:
|
||||||
|
# url: ""
|
||||||
|
|
||||||
|
# result_backend:
|
||||||
|
# url: ""
|
||||||
|
|
||||||
paths:
|
paths:
|
||||||
media: ./media
|
media: ./media
|
||||||
|
|
|
@ -1,20 +1,32 @@
|
||||||
"""Test config loader"""
|
"""Test config loader"""
|
||||||
|
import base64
|
||||||
|
from json import dumps
|
||||||
from os import chmod, environ, unlink, write
|
from os import chmod, environ, unlink, write
|
||||||
from tempfile import mkstemp
|
from tempfile import mkstemp
|
||||||
|
from unittest import mock
|
||||||
|
|
||||||
from django.conf import ImproperlyConfigured
|
from django.conf import ImproperlyConfigured
|
||||||
from django.test import TestCase
|
from django.test import TestCase
|
||||||
|
|
||||||
from authentik.lib.config import ENV_PREFIX, ConfigLoader
|
from authentik.lib.config import ENV_PREFIX, UNSET, Attr, AttrEncoder, ConfigLoader
|
||||||
|
|
||||||
|
|
||||||
class TestConfig(TestCase):
|
class TestConfig(TestCase):
|
||||||
"""Test config loader"""
|
"""Test config loader"""
|
||||||
|
|
||||||
|
check_deprecations_env_vars = {
|
||||||
|
ENV_PREFIX + "_REDIS__BROKER_URL": "redis://myredis:8327/43",
|
||||||
|
ENV_PREFIX + "_REDIS__BROKER_TRANSPORT_OPTIONS": "bWFzdGVybmFtZT1teW1hc3Rlcg==",
|
||||||
|
ENV_PREFIX + "_REDIS__CACHE_TIMEOUT": "124s",
|
||||||
|
ENV_PREFIX + "_REDIS__CACHE_TIMEOUT_FLOWS": "32m",
|
||||||
|
ENV_PREFIX + "_REDIS__CACHE_TIMEOUT_POLICIES": "3920ns",
|
||||||
|
ENV_PREFIX + "_REDIS__CACHE_TIMEOUT_REPUTATION": "298382us",
|
||||||
|
}
|
||||||
|
|
||||||
|
@mock.patch.dict(environ, {ENV_PREFIX + "_test__test": "bar"})
|
||||||
def test_env(self):
|
def test_env(self):
|
||||||
"""Test simple instance"""
|
"""Test simple instance"""
|
||||||
config = ConfigLoader()
|
config = ConfigLoader()
|
||||||
environ[ENV_PREFIX + "_test__test"] = "bar"
|
|
||||||
config.update_from_env()
|
config.update_from_env()
|
||||||
self.assertEqual(config.get("test.test"), "bar")
|
self.assertEqual(config.get("test.test"), "bar")
|
||||||
|
|
||||||
|
@ -27,12 +39,20 @@ class TestConfig(TestCase):
|
||||||
self.assertEqual(config.get("foo.bar"), "baz")
|
self.assertEqual(config.get("foo.bar"), "baz")
|
||||||
self.assertEqual(config.get("foo.bar"), "bar")
|
self.assertEqual(config.get("foo.bar"), "bar")
|
||||||
|
|
||||||
|
@mock.patch.dict(environ, {"foo": "bar"})
|
||||||
def test_uri_env(self):
|
def test_uri_env(self):
|
||||||
"""Test URI parsing (environment)"""
|
"""Test URI parsing (environment)"""
|
||||||
config = ConfigLoader()
|
config = ConfigLoader()
|
||||||
environ["foo"] = "bar"
|
foo_uri = "env://foo"
|
||||||
self.assertEqual(config.parse_uri("env://foo").value, "bar")
|
foo_parsed = config.parse_uri(foo_uri)
|
||||||
self.assertEqual(config.parse_uri("env://foo?bar").value, "bar")
|
self.assertEqual(foo_parsed.value, "bar")
|
||||||
|
self.assertEqual(foo_parsed.source_type, Attr.Source.URI)
|
||||||
|
self.assertEqual(foo_parsed.source, foo_uri)
|
||||||
|
foo_bar_uri = "env://foo?bar"
|
||||||
|
foo_bar_parsed = config.parse_uri(foo_bar_uri)
|
||||||
|
self.assertEqual(foo_bar_parsed.value, "bar")
|
||||||
|
self.assertEqual(foo_bar_parsed.source_type, Attr.Source.URI)
|
||||||
|
self.assertEqual(foo_bar_parsed.source, foo_bar_uri)
|
||||||
|
|
||||||
def test_uri_file(self):
|
def test_uri_file(self):
|
||||||
"""Test URI parsing (file load)"""
|
"""Test URI parsing (file load)"""
|
||||||
|
@ -91,3 +111,60 @@ class TestConfig(TestCase):
|
||||||
config = ConfigLoader()
|
config = ConfigLoader()
|
||||||
config.set("foo", "bar")
|
config.set("foo", "bar")
|
||||||
self.assertEqual(config.get_int("foo", 1234), 1234)
|
self.assertEqual(config.get_int("foo", 1234), 1234)
|
||||||
|
|
||||||
|
def test_get_dict_from_b64_json(self):
|
||||||
|
"""Test get_dict_from_b64_json"""
|
||||||
|
config = ConfigLoader()
|
||||||
|
test_value = ' { "foo": "bar" } '.encode("utf-8")
|
||||||
|
b64_value = base64.b64encode(test_value)
|
||||||
|
config.set("foo", b64_value)
|
||||||
|
self.assertEqual(config.get_dict_from_b64_json("foo"), {"foo": "bar"})
|
||||||
|
|
||||||
|
def test_get_dict_from_b64_json_missing_brackets(self):
|
||||||
|
"""Test get_dict_from_b64_json with missing brackets"""
|
||||||
|
config = ConfigLoader()
|
||||||
|
test_value = ' "foo": "bar" '.encode("utf-8")
|
||||||
|
b64_value = base64.b64encode(test_value)
|
||||||
|
config.set("foo", b64_value)
|
||||||
|
self.assertEqual(config.get_dict_from_b64_json("foo"), {"foo": "bar"})
|
||||||
|
|
||||||
|
def test_get_dict_from_b64_json_invalid(self):
|
||||||
|
"""Test get_dict_from_b64_json with invalid value"""
|
||||||
|
config = ConfigLoader()
|
||||||
|
config.set("foo", "bar")
|
||||||
|
self.assertEqual(config.get_dict_from_b64_json("foo"), {})
|
||||||
|
|
||||||
|
def test_attr_json_encoder(self):
|
||||||
|
"""Test AttrEncoder"""
|
||||||
|
test_attr = Attr("foo", Attr.Source.ENV, "AUTHENTIK_REDIS__USERNAME")
|
||||||
|
json_attr = dumps(test_attr, indent=4, cls=AttrEncoder)
|
||||||
|
self.assertEqual(json_attr, '"foo"')
|
||||||
|
|
||||||
|
def test_attr_json_encoder_no_attr(self):
|
||||||
|
"""Test AttrEncoder if no Attr is passed"""
|
||||||
|
|
||||||
|
class Test:
|
||||||
|
"""Non Attr class"""
|
||||||
|
|
||||||
|
with self.assertRaises(TypeError):
|
||||||
|
test_obj = Test()
|
||||||
|
dumps(test_obj, indent=4, cls=AttrEncoder)
|
||||||
|
|
||||||
|
@mock.patch.dict(environ, check_deprecations_env_vars)
|
||||||
|
def test_check_deprecations(self):
|
||||||
|
"""Test config key re-write for deprecated env vars"""
|
||||||
|
config = ConfigLoader()
|
||||||
|
config.update_from_env()
|
||||||
|
config.check_deprecations()
|
||||||
|
self.assertEqual(config.get("redis.broker_url", UNSET), UNSET)
|
||||||
|
self.assertEqual(config.get("redis.broker_transport_options", UNSET), UNSET)
|
||||||
|
self.assertEqual(config.get("redis.cache_timeout", UNSET), UNSET)
|
||||||
|
self.assertEqual(config.get("redis.cache_timeout_flows", UNSET), UNSET)
|
||||||
|
self.assertEqual(config.get("redis.cache_timeout_policies", UNSET), UNSET)
|
||||||
|
self.assertEqual(config.get("redis.cache_timeout_reputation", UNSET), UNSET)
|
||||||
|
self.assertEqual(config.get("broker.url"), "redis://myredis:8327/43")
|
||||||
|
self.assertEqual(config.get("broker.transport_options"), "bWFzdGVybmFtZT1teW1hc3Rlcg==")
|
||||||
|
self.assertEqual(config.get("cache.timeout"), "124s")
|
||||||
|
self.assertEqual(config.get("cache.timeout_flows"), "32m")
|
||||||
|
self.assertEqual(config.get("cache.timeout_policies"), "3920ns")
|
||||||
|
self.assertEqual(config.get("cache.timeout_reputation"), "298382us")
|
||||||
|
|
|
@ -18,7 +18,7 @@ from authentik.core.api.used_by import UsedByMixin
|
||||||
from authentik.core.api.utils import PassiveSerializer, is_dict
|
from authentik.core.api.utils import PassiveSerializer, is_dict
|
||||||
from authentik.core.models import Provider
|
from authentik.core.models import Provider
|
||||||
from authentik.outposts.api.service_connections import ServiceConnectionSerializer
|
from authentik.outposts.api.service_connections import ServiceConnectionSerializer
|
||||||
from authentik.outposts.apps import MANAGED_OUTPOST, MANAGED_OUTPOST_NAME
|
from authentik.outposts.apps import MANAGED_OUTPOST
|
||||||
from authentik.outposts.models import (
|
from authentik.outposts.models import (
|
||||||
Outpost,
|
Outpost,
|
||||||
OutpostConfig,
|
OutpostConfig,
|
||||||
|
@ -47,16 +47,6 @@ class OutpostSerializer(ModelSerializer):
|
||||||
source="service_connection", read_only=True
|
source="service_connection", read_only=True
|
||||||
)
|
)
|
||||||
|
|
||||||
def validate_name(self, name: str) -> str:
|
|
||||||
"""Validate name (especially for embedded outpost)"""
|
|
||||||
if not self.instance:
|
|
||||||
return name
|
|
||||||
if self.instance.managed == MANAGED_OUTPOST and name != MANAGED_OUTPOST_NAME:
|
|
||||||
raise ValidationError("Embedded outpost's name cannot be changed")
|
|
||||||
if self.instance.name == MANAGED_OUTPOST_NAME:
|
|
||||||
self.instance.managed = MANAGED_OUTPOST
|
|
||||||
return name
|
|
||||||
|
|
||||||
def validate_providers(self, providers: list[Provider]) -> list[Provider]:
|
def validate_providers(self, providers: list[Provider]) -> list[Provider]:
|
||||||
"""Check that all providers match the type of the outpost"""
|
"""Check that all providers match the type of the outpost"""
|
||||||
type_map = {
|
type_map = {
|
||||||
|
|
|
@ -15,7 +15,6 @@ GAUGE_OUTPOSTS_LAST_UPDATE = Gauge(
|
||||||
["outpost", "uid", "version"],
|
["outpost", "uid", "version"],
|
||||||
)
|
)
|
||||||
MANAGED_OUTPOST = "goauthentik.io/outposts/embedded"
|
MANAGED_OUTPOST = "goauthentik.io/outposts/embedded"
|
||||||
MANAGED_OUTPOST_NAME = "authentik Embedded Outpost"
|
|
||||||
|
|
||||||
|
|
||||||
class AuthentikOutpostConfig(ManagedAppConfig):
|
class AuthentikOutpostConfig(ManagedAppConfig):
|
||||||
|
@ -36,17 +35,14 @@ class AuthentikOutpostConfig(ManagedAppConfig):
|
||||||
DockerServiceConnection,
|
DockerServiceConnection,
|
||||||
KubernetesServiceConnection,
|
KubernetesServiceConnection,
|
||||||
Outpost,
|
Outpost,
|
||||||
|
OutpostConfig,
|
||||||
OutpostType,
|
OutpostType,
|
||||||
)
|
)
|
||||||
|
|
||||||
if outpost := Outpost.objects.filter(name=MANAGED_OUTPOST_NAME, managed="").first():
|
|
||||||
outpost.managed = MANAGED_OUTPOST
|
|
||||||
outpost.save()
|
|
||||||
return
|
|
||||||
outpost, updated = Outpost.objects.update_or_create(
|
outpost, updated = Outpost.objects.update_or_create(
|
||||||
defaults={
|
defaults={
|
||||||
|
"name": "authentik Embedded Outpost",
|
||||||
"type": OutpostType.PROXY,
|
"type": OutpostType.PROXY,
|
||||||
"name": MANAGED_OUTPOST_NAME,
|
|
||||||
},
|
},
|
||||||
managed=MANAGED_OUTPOST,
|
managed=MANAGED_OUTPOST,
|
||||||
)
|
)
|
||||||
|
@ -55,4 +51,10 @@ class AuthentikOutpostConfig(ManagedAppConfig):
|
||||||
outpost.service_connection = KubernetesServiceConnection.objects.first()
|
outpost.service_connection = KubernetesServiceConnection.objects.first()
|
||||||
elif DockerServiceConnection.objects.exists():
|
elif DockerServiceConnection.objects.exists():
|
||||||
outpost.service_connection = DockerServiceConnection.objects.first()
|
outpost.service_connection = DockerServiceConnection.objects.first()
|
||||||
|
outpost.config = OutpostConfig(
|
||||||
|
kubernetes_disabled_components=[
|
||||||
|
"deployment",
|
||||||
|
"secret",
|
||||||
|
]
|
||||||
|
)
|
||||||
outpost.save()
|
outpost.save()
|
||||||
|
|
|
@ -93,7 +93,7 @@ class OutpostConsumer(AuthJsonConsumer):
|
||||||
expected=self.outpost.config.kubernetes_replicas,
|
expected=self.outpost.config.kubernetes_replicas,
|
||||||
).dec()
|
).dec()
|
||||||
|
|
||||||
def receive_json(self, content: Data):
|
def receive_json(self, content: Data, **kwargs):
|
||||||
msg = from_dict(WebsocketMessage, content)
|
msg = from_dict(WebsocketMessage, content)
|
||||||
uid = msg.args.get("uuid", self.channel_name)
|
uid = msg.args.get("uuid", self.channel_name)
|
||||||
self.last_uid = uid
|
self.last_uid = uid
|
||||||
|
|
|
@ -43,10 +43,6 @@ class DeploymentReconciler(KubernetesObjectReconciler[V1Deployment]):
|
||||||
self.api = AppsV1Api(controller.client)
|
self.api = AppsV1Api(controller.client)
|
||||||
self.outpost = self.controller.outpost
|
self.outpost = self.controller.outpost
|
||||||
|
|
||||||
@property
|
|
||||||
def noop(self) -> bool:
|
|
||||||
return self.is_embedded
|
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def reconciler_name() -> str:
|
def reconciler_name() -> str:
|
||||||
return "deployment"
|
return "deployment"
|
||||||
|
|
|
@ -24,10 +24,6 @@ class SecretReconciler(KubernetesObjectReconciler[V1Secret]):
|
||||||
super().__init__(controller)
|
super().__init__(controller)
|
||||||
self.api = CoreV1Api(controller.client)
|
self.api = CoreV1Api(controller.client)
|
||||||
|
|
||||||
@property
|
|
||||||
def noop(self) -> bool:
|
|
||||||
return self.is_embedded
|
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def reconciler_name() -> str:
|
def reconciler_name() -> str:
|
||||||
return "secret"
|
return "secret"
|
||||||
|
|
|
@ -77,10 +77,7 @@ class PrometheusServiceMonitorReconciler(KubernetesObjectReconciler[PrometheusSe
|
||||||
|
|
||||||
@property
|
@property
|
||||||
def noop(self) -> bool:
|
def noop(self) -> bool:
|
||||||
if not self._crd_exists():
|
return (not self._crd_exists()) or (self.is_embedded)
|
||||||
self.logger.debug("CRD doesn't exist")
|
|
||||||
return True
|
|
||||||
return self.is_embedded
|
|
||||||
|
|
||||||
def _crd_exists(self) -> bool:
|
def _crd_exists(self) -> bool:
|
||||||
"""Check if the Prometheus ServiceMonitor exists"""
|
"""Check if the Prometheus ServiceMonitor exists"""
|
||||||
|
|
|
@ -344,21 +344,11 @@ class Outpost(SerializerModel, ManagedModel):
|
||||||
user_created = False
|
user_created = False
|
||||||
if not user:
|
if not user:
|
||||||
user: User = User.objects.create(username=self.user_identifier)
|
user: User = User.objects.create(username=self.user_identifier)
|
||||||
user_created = True
|
|
||||||
attrs = {
|
|
||||||
"type": UserTypes.INTERNAL_SERVICE_ACCOUNT,
|
|
||||||
"name": f"Outpost {self.name} Service-Account",
|
|
||||||
"path": USER_PATH_OUTPOSTS,
|
|
||||||
}
|
|
||||||
dirty = False
|
|
||||||
for key, value in attrs.items():
|
|
||||||
if getattr(user, key) != value:
|
|
||||||
dirty = True
|
|
||||||
setattr(user, key, value)
|
|
||||||
if user.has_usable_password():
|
|
||||||
user.set_unusable_password()
|
user.set_unusable_password()
|
||||||
dirty = True
|
user_created = True
|
||||||
if dirty:
|
user.type = UserTypes.INTERNAL_SERVICE_ACCOUNT
|
||||||
|
user.name = f"Outpost {self.name} Service-Account"
|
||||||
|
user.path = USER_PATH_OUTPOSTS
|
||||||
user.save()
|
user.save()
|
||||||
if user_created:
|
if user_created:
|
||||||
self.build_user_permissions(user)
|
self.build_user_permissions(user)
|
||||||
|
|
|
@ -2,13 +2,11 @@
|
||||||
from django.urls import reverse
|
from django.urls import reverse
|
||||||
from rest_framework.test import APITestCase
|
from rest_framework.test import APITestCase
|
||||||
|
|
||||||
from authentik.blueprints.tests import reconcile_app
|
|
||||||
from authentik.core.models import PropertyMapping
|
from authentik.core.models import PropertyMapping
|
||||||
from authentik.core.tests.utils import create_test_admin_user, create_test_flow
|
from authentik.core.tests.utils import create_test_admin_user, create_test_flow
|
||||||
from authentik.lib.generators import generate_id
|
from authentik.lib.generators import generate_id
|
||||||
from authentik.outposts.api.outposts import OutpostSerializer
|
from authentik.outposts.api.outposts import OutpostSerializer
|
||||||
from authentik.outposts.apps import MANAGED_OUTPOST
|
from authentik.outposts.models import OutpostType, default_outpost_config
|
||||||
from authentik.outposts.models import Outpost, OutpostType, default_outpost_config
|
|
||||||
from authentik.providers.ldap.models import LDAPProvider
|
from authentik.providers.ldap.models import LDAPProvider
|
||||||
from authentik.providers.proxy.models import ProxyProvider
|
from authentik.providers.proxy.models import ProxyProvider
|
||||||
|
|
||||||
|
@ -24,36 +22,7 @@ class TestOutpostServiceConnectionsAPI(APITestCase):
|
||||||
self.user = create_test_admin_user()
|
self.user = create_test_admin_user()
|
||||||
self.client.force_login(self.user)
|
self.client.force_login(self.user)
|
||||||
|
|
||||||
@reconcile_app("authentik_outposts")
|
def test_outpost_validaton(self):
|
||||||
def test_managed_name_change(self):
|
|
||||||
"""Test name change for embedded outpost"""
|
|
||||||
embedded_outpost = Outpost.objects.filter(managed=MANAGED_OUTPOST).first()
|
|
||||||
self.assertIsNotNone(embedded_outpost)
|
|
||||||
response = self.client.patch(
|
|
||||||
reverse("authentik_api:outpost-detail", kwargs={"pk": embedded_outpost.pk}),
|
|
||||||
{"name": "foo"},
|
|
||||||
)
|
|
||||||
self.assertEqual(response.status_code, 400)
|
|
||||||
self.assertJSONEqual(
|
|
||||||
response.content, {"name": ["Embedded outpost's name cannot be changed"]}
|
|
||||||
)
|
|
||||||
|
|
||||||
@reconcile_app("authentik_outposts")
|
|
||||||
def test_managed_without_managed(self):
|
|
||||||
"""Test name change for embedded outpost"""
|
|
||||||
embedded_outpost = Outpost.objects.filter(managed=MANAGED_OUTPOST).first()
|
|
||||||
self.assertIsNotNone(embedded_outpost)
|
|
||||||
embedded_outpost.managed = ""
|
|
||||||
embedded_outpost.save()
|
|
||||||
response = self.client.patch(
|
|
||||||
reverse("authentik_api:outpost-detail", kwargs={"pk": embedded_outpost.pk}),
|
|
||||||
{"name": "foo"},
|
|
||||||
)
|
|
||||||
self.assertEqual(response.status_code, 200)
|
|
||||||
embedded_outpost.refresh_from_db()
|
|
||||||
self.assertEqual(embedded_outpost.managed, MANAGED_OUTPOST)
|
|
||||||
|
|
||||||
def test_outpost_validation(self):
|
|
||||||
"""Test Outpost validation"""
|
"""Test Outpost validation"""
|
||||||
valid = OutpostSerializer(
|
valid = OutpostSerializer(
|
||||||
data={
|
data={
|
||||||
|
|
|
@ -39,6 +39,7 @@ class Migration(migrations.Migration):
|
||||||
("authentik.sources.oauth", "authentik Sources.OAuth"),
|
("authentik.sources.oauth", "authentik Sources.OAuth"),
|
||||||
("authentik.sources.plex", "authentik Sources.Plex"),
|
("authentik.sources.plex", "authentik Sources.Plex"),
|
||||||
("authentik.sources.saml", "authentik Sources.SAML"),
|
("authentik.sources.saml", "authentik Sources.SAML"),
|
||||||
|
("authentik.sources.scim", "authentik Sources.SCIM"),
|
||||||
("authentik.stages.authenticator_duo", "authentik Stages.Authenticator.Duo"),
|
("authentik.stages.authenticator_duo", "authentik Stages.Authenticator.Duo"),
|
||||||
("authentik.stages.authenticator_sms", "authentik Stages.Authenticator.SMS"),
|
("authentik.stages.authenticator_sms", "authentik Stages.Authenticator.SMS"),
|
||||||
(
|
(
|
||||||
|
|
|
@ -20,7 +20,7 @@ from authentik.policies.types import CACHE_PREFIX, PolicyRequest, PolicyResult
|
||||||
LOGGER = get_logger()
|
LOGGER = get_logger()
|
||||||
|
|
||||||
FORK_CTX = get_context("fork")
|
FORK_CTX = get_context("fork")
|
||||||
CACHE_TIMEOUT = CONFIG.get_int("redis.cache_timeout_policies")
|
CACHE_TIMEOUT = CONFIG.get_int("cache.timeout_policies")
|
||||||
PROCESS_CLASS = FORK_CTX.Process
|
PROCESS_CLASS = FORK_CTX.Process
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -13,7 +13,7 @@ from authentik.policies.reputation.tasks import save_reputation
|
||||||
from authentik.stages.identification.signals import identification_failed
|
from authentik.stages.identification.signals import identification_failed
|
||||||
|
|
||||||
LOGGER = get_logger()
|
LOGGER = get_logger()
|
||||||
CACHE_TIMEOUT = CONFIG.get_int("redis.cache_timeout_reputation")
|
CACHE_TIMEOUT = CONFIG.get_int("cache.timeout_reputation")
|
||||||
|
|
||||||
|
|
||||||
def update_score(request: HttpRequest, identifier: str, amount: int):
|
def update_score(request: HttpRequest, identifier: str, amount: int):
|
||||||
|
|
|
@ -1,27 +0,0 @@
|
||||||
# Generated by Django 5.0 on 2023-12-22 23:20
|
|
||||||
|
|
||||||
from django.db import migrations, models
|
|
||||||
|
|
||||||
|
|
||||||
class Migration(migrations.Migration):
|
|
||||||
dependencies = [
|
|
||||||
("authentik_providers_oauth2", "0016_alter_refreshtoken_token"),
|
|
||||||
]
|
|
||||||
|
|
||||||
operations = [
|
|
||||||
migrations.AddField(
|
|
||||||
model_name="accesstoken",
|
|
||||||
name="session_id",
|
|
||||||
field=models.CharField(blank=True, default=""),
|
|
||||||
),
|
|
||||||
migrations.AddField(
|
|
||||||
model_name="authorizationcode",
|
|
||||||
name="session_id",
|
|
||||||
field=models.CharField(blank=True, default=""),
|
|
||||||
),
|
|
||||||
migrations.AddField(
|
|
||||||
model_name="refreshtoken",
|
|
||||||
name="session_id",
|
|
||||||
field=models.CharField(blank=True, default=""),
|
|
||||||
),
|
|
||||||
]
|
|
|
@ -296,7 +296,6 @@ class BaseGrantModel(models.Model):
|
||||||
revoked = models.BooleanField(default=False)
|
revoked = models.BooleanField(default=False)
|
||||||
_scope = models.TextField(default="", verbose_name=_("Scopes"))
|
_scope = models.TextField(default="", verbose_name=_("Scopes"))
|
||||||
auth_time = models.DateTimeField(verbose_name="Authentication time")
|
auth_time = models.DateTimeField(verbose_name="Authentication time")
|
||||||
session_id = models.CharField(default="", blank=True)
|
|
||||||
|
|
||||||
@property
|
@property
|
||||||
def scope(self) -> list[str]:
|
def scope(self) -> list[str]:
|
||||||
|
|
|
@ -85,25 +85,6 @@ class TestAuthorize(OAuthTestCase):
|
||||||
)
|
)
|
||||||
OAuthAuthorizationParams.from_request(request)
|
OAuthAuthorizationParams.from_request(request)
|
||||||
|
|
||||||
def test_blocked_redirect_uri(self):
|
|
||||||
"""test missing/invalid redirect URI"""
|
|
||||||
OAuth2Provider.objects.create(
|
|
||||||
name=generate_id(),
|
|
||||||
client_id="test",
|
|
||||||
authorization_flow=create_test_flow(),
|
|
||||||
redirect_uris="data:local.invalid",
|
|
||||||
)
|
|
||||||
with self.assertRaises(RedirectUriError):
|
|
||||||
request = self.factory.get(
|
|
||||||
"/",
|
|
||||||
data={
|
|
||||||
"response_type": "code",
|
|
||||||
"client_id": "test",
|
|
||||||
"redirect_uri": "data:localhost",
|
|
||||||
},
|
|
||||||
)
|
|
||||||
OAuthAuthorizationParams.from_request(request)
|
|
||||||
|
|
||||||
def test_invalid_redirect_uri_empty(self):
|
def test_invalid_redirect_uri_empty(self):
|
||||||
"""test missing/invalid redirect URI"""
|
"""test missing/invalid redirect URI"""
|
||||||
provider = OAuth2Provider.objects.create(
|
provider = OAuth2Provider.objects.create(
|
||||||
|
|
|
@ -1,187 +0,0 @@
|
||||||
"""Test token view"""
|
|
||||||
from base64 import b64encode, urlsafe_b64encode
|
|
||||||
from hashlib import sha256
|
|
||||||
|
|
||||||
from django.test import RequestFactory
|
|
||||||
from django.urls import reverse
|
|
||||||
|
|
||||||
from authentik.core.models import Application
|
|
||||||
from authentik.core.tests.utils import create_test_admin_user, create_test_flow
|
|
||||||
from authentik.flows.challenge import ChallengeTypes
|
|
||||||
from authentik.lib.generators import generate_id
|
|
||||||
from authentik.providers.oauth2.constants import GRANT_TYPE_AUTHORIZATION_CODE
|
|
||||||
from authentik.providers.oauth2.models import AuthorizationCode, OAuth2Provider
|
|
||||||
from authentik.providers.oauth2.tests.utils import OAuthTestCase
|
|
||||||
|
|
||||||
|
|
||||||
class TestTokenPKCE(OAuthTestCase):
|
|
||||||
"""Test token view"""
|
|
||||||
|
|
||||||
def setUp(self) -> None:
|
|
||||||
super().setUp()
|
|
||||||
self.factory = RequestFactory()
|
|
||||||
self.app = Application.objects.create(name=generate_id(), slug="test")
|
|
||||||
|
|
||||||
def test_pkce_missing_in_token(self):
|
|
||||||
"""Test full with pkce"""
|
|
||||||
flow = create_test_flow()
|
|
||||||
provider = OAuth2Provider.objects.create(
|
|
||||||
name=generate_id(),
|
|
||||||
client_id="test",
|
|
||||||
authorization_flow=flow,
|
|
||||||
redirect_uris="foo://localhost",
|
|
||||||
access_code_validity="seconds=100",
|
|
||||||
)
|
|
||||||
Application.objects.create(name="app", slug="app", provider=provider)
|
|
||||||
state = generate_id()
|
|
||||||
user = create_test_admin_user()
|
|
||||||
self.client.force_login(user)
|
|
||||||
challenge = generate_id()
|
|
||||||
header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
|
|
||||||
# Step 1, initiate params and get redirect to flow
|
|
||||||
self.client.get(
|
|
||||||
reverse("authentik_providers_oauth2:authorize"),
|
|
||||||
data={
|
|
||||||
"response_type": "code",
|
|
||||||
"client_id": "test",
|
|
||||||
"state": state,
|
|
||||||
"redirect_uri": "foo://localhost",
|
|
||||||
"code_challenge": challenge,
|
|
||||||
"code_challenge_method": "S256",
|
|
||||||
},
|
|
||||||
)
|
|
||||||
response = self.client.get(
|
|
||||||
reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
|
|
||||||
)
|
|
||||||
code: AuthorizationCode = AuthorizationCode.objects.filter(user=user).first()
|
|
||||||
self.assertJSONEqual(
|
|
||||||
response.content.decode(),
|
|
||||||
{
|
|
||||||
"component": "xak-flow-redirect",
|
|
||||||
"type": ChallengeTypes.REDIRECT.value,
|
|
||||||
"to": f"foo://localhost?code={code.code}&state={state}",
|
|
||||||
},
|
|
||||||
)
|
|
||||||
response = self.client.post(
|
|
||||||
reverse("authentik_providers_oauth2:token"),
|
|
||||||
data={
|
|
||||||
"grant_type": GRANT_TYPE_AUTHORIZATION_CODE,
|
|
||||||
"code": code.code,
|
|
||||||
# Missing the code_verifier here
|
|
||||||
"redirect_uri": "foo://localhost",
|
|
||||||
},
|
|
||||||
HTTP_AUTHORIZATION=f"Basic {header}",
|
|
||||||
)
|
|
||||||
self.assertJSONEqual(
|
|
||||||
response.content,
|
|
||||||
{"error": "invalid_request", "error_description": "The request is otherwise malformed"},
|
|
||||||
)
|
|
||||||
self.assertEqual(response.status_code, 400)
|
|
||||||
|
|
||||||
def test_pkce_correct_s256(self):
|
|
||||||
"""Test full with pkce"""
|
|
||||||
flow = create_test_flow()
|
|
||||||
provider = OAuth2Provider.objects.create(
|
|
||||||
name=generate_id(),
|
|
||||||
client_id="test",
|
|
||||||
authorization_flow=flow,
|
|
||||||
redirect_uris="foo://localhost",
|
|
||||||
access_code_validity="seconds=100",
|
|
||||||
)
|
|
||||||
Application.objects.create(name="app", slug="app", provider=provider)
|
|
||||||
state = generate_id()
|
|
||||||
user = create_test_admin_user()
|
|
||||||
self.client.force_login(user)
|
|
||||||
verifier = generate_id()
|
|
||||||
challenge = (
|
|
||||||
urlsafe_b64encode(sha256(verifier.encode("ascii")).digest())
|
|
||||||
.decode("utf-8")
|
|
||||||
.replace("=", "")
|
|
||||||
)
|
|
||||||
header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
|
|
||||||
# Step 1, initiate params and get redirect to flow
|
|
||||||
self.client.get(
|
|
||||||
reverse("authentik_providers_oauth2:authorize"),
|
|
||||||
data={
|
|
||||||
"response_type": "code",
|
|
||||||
"client_id": "test",
|
|
||||||
"state": state,
|
|
||||||
"redirect_uri": "foo://localhost",
|
|
||||||
"code_challenge": challenge,
|
|
||||||
"code_challenge_method": "S256",
|
|
||||||
},
|
|
||||||
)
|
|
||||||
response = self.client.get(
|
|
||||||
reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
|
|
||||||
)
|
|
||||||
code: AuthorizationCode = AuthorizationCode.objects.filter(user=user).first()
|
|
||||||
self.assertJSONEqual(
|
|
||||||
response.content.decode(),
|
|
||||||
{
|
|
||||||
"component": "xak-flow-redirect",
|
|
||||||
"type": ChallengeTypes.REDIRECT.value,
|
|
||||||
"to": f"foo://localhost?code={code.code}&state={state}",
|
|
||||||
},
|
|
||||||
)
|
|
||||||
response = self.client.post(
|
|
||||||
reverse("authentik_providers_oauth2:token"),
|
|
||||||
data={
|
|
||||||
"grant_type": GRANT_TYPE_AUTHORIZATION_CODE,
|
|
||||||
"code": code.code,
|
|
||||||
"code_verifier": verifier,
|
|
||||||
"redirect_uri": "foo://localhost",
|
|
||||||
},
|
|
||||||
HTTP_AUTHORIZATION=f"Basic {header}",
|
|
||||||
)
|
|
||||||
self.assertEqual(response.status_code, 200)
|
|
||||||
|
|
||||||
def test_pkce_correct_plain(self):
|
|
||||||
"""Test full with pkce"""
|
|
||||||
flow = create_test_flow()
|
|
||||||
provider = OAuth2Provider.objects.create(
|
|
||||||
name=generate_id(),
|
|
||||||
client_id="test",
|
|
||||||
authorization_flow=flow,
|
|
||||||
redirect_uris="foo://localhost",
|
|
||||||
access_code_validity="seconds=100",
|
|
||||||
)
|
|
||||||
Application.objects.create(name="app", slug="app", provider=provider)
|
|
||||||
state = generate_id()
|
|
||||||
user = create_test_admin_user()
|
|
||||||
self.client.force_login(user)
|
|
||||||
verifier = generate_id()
|
|
||||||
header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
|
|
||||||
# Step 1, initiate params and get redirect to flow
|
|
||||||
self.client.get(
|
|
||||||
reverse("authentik_providers_oauth2:authorize"),
|
|
||||||
data={
|
|
||||||
"response_type": "code",
|
|
||||||
"client_id": "test",
|
|
||||||
"state": state,
|
|
||||||
"redirect_uri": "foo://localhost",
|
|
||||||
"code_challenge": verifier,
|
|
||||||
},
|
|
||||||
)
|
|
||||||
response = self.client.get(
|
|
||||||
reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
|
|
||||||
)
|
|
||||||
code: AuthorizationCode = AuthorizationCode.objects.filter(user=user).first()
|
|
||||||
self.assertJSONEqual(
|
|
||||||
response.content.decode(),
|
|
||||||
{
|
|
||||||
"component": "xak-flow-redirect",
|
|
||||||
"type": ChallengeTypes.REDIRECT.value,
|
|
||||||
"to": f"foo://localhost?code={code.code}&state={state}",
|
|
||||||
},
|
|
||||||
)
|
|
||||||
response = self.client.post(
|
|
||||||
reverse("authentik_providers_oauth2:token"),
|
|
||||||
data={
|
|
||||||
"grant_type": GRANT_TYPE_AUTHORIZATION_CODE,
|
|
||||||
"code": code.code,
|
|
||||||
"code_verifier": verifier,
|
|
||||||
"redirect_uri": "foo://localhost",
|
|
||||||
},
|
|
||||||
HTTP_AUTHORIZATION=f"Basic {header}",
|
|
||||||
)
|
|
||||||
self.assertEqual(response.status_code, 200)
|
|
|
@ -1,7 +1,6 @@
|
||||||
"""authentik OAuth2 Authorization views"""
|
"""authentik OAuth2 Authorization views"""
|
||||||
from dataclasses import dataclass, field
|
from dataclasses import dataclass, field
|
||||||
from datetime import timedelta
|
from datetime import timedelta
|
||||||
from hashlib import sha256
|
|
||||||
from json import dumps
|
from json import dumps
|
||||||
from re import error as RegexError
|
from re import error as RegexError
|
||||||
from re import fullmatch
|
from re import fullmatch
|
||||||
|
@ -75,7 +74,6 @@ PLAN_CONTEXT_PARAMS = "goauthentik.io/providers/oauth2/params"
|
||||||
SESSION_KEY_LAST_LOGIN_UID = "authentik/providers/oauth2/last_login_uid"
|
SESSION_KEY_LAST_LOGIN_UID = "authentik/providers/oauth2/last_login_uid"
|
||||||
|
|
||||||
ALLOWED_PROMPT_PARAMS = {PROMPT_NONE, PROMPT_CONSENT, PROMPT_LOGIN}
|
ALLOWED_PROMPT_PARAMS = {PROMPT_NONE, PROMPT_CONSENT, PROMPT_LOGIN}
|
||||||
FORBIDDEN_URI_SCHEMES = {"javascript", "data", "vbscript"}
|
|
||||||
|
|
||||||
|
|
||||||
@dataclass(slots=True)
|
@dataclass(slots=True)
|
||||||
|
@ -176,10 +174,6 @@ class OAuthAuthorizationParams:
|
||||||
self.check_scope()
|
self.check_scope()
|
||||||
self.check_nonce()
|
self.check_nonce()
|
||||||
self.check_code_challenge()
|
self.check_code_challenge()
|
||||||
if self.request:
|
|
||||||
raise AuthorizeError(
|
|
||||||
self.redirect_uri, "request_not_supported", self.grant_type, self.state
|
|
||||||
)
|
|
||||||
|
|
||||||
def check_redirect_uri(self):
|
def check_redirect_uri(self):
|
||||||
"""Redirect URI validation."""
|
"""Redirect URI validation."""
|
||||||
|
@ -217,9 +211,10 @@ class OAuthAuthorizationParams:
|
||||||
expected=allowed_redirect_urls,
|
expected=allowed_redirect_urls,
|
||||||
)
|
)
|
||||||
raise RedirectUriError(self.redirect_uri, allowed_redirect_urls)
|
raise RedirectUriError(self.redirect_uri, allowed_redirect_urls)
|
||||||
# Check against forbidden schemes
|
if self.request:
|
||||||
if urlparse(self.redirect_uri).scheme in FORBIDDEN_URI_SCHEMES:
|
raise AuthorizeError(
|
||||||
raise RedirectUriError(self.redirect_uri, allowed_redirect_urls)
|
self.redirect_uri, "request_not_supported", self.grant_type, self.state
|
||||||
|
)
|
||||||
|
|
||||||
def check_scope(self):
|
def check_scope(self):
|
||||||
"""Ensure openid scope is set in Hybrid flows, or when requesting an id_token"""
|
"""Ensure openid scope is set in Hybrid flows, or when requesting an id_token"""
|
||||||
|
@ -287,7 +282,6 @@ class OAuthAuthorizationParams:
|
||||||
expires=now + timedelta_from_string(self.provider.access_code_validity),
|
expires=now + timedelta_from_string(self.provider.access_code_validity),
|
||||||
scope=self.scope,
|
scope=self.scope,
|
||||||
nonce=self.nonce,
|
nonce=self.nonce,
|
||||||
session_id=sha256(request.session.session_key.encode("ascii")).hexdigest(),
|
|
||||||
)
|
)
|
||||||
|
|
||||||
if self.code_challenge and self.code_challenge_method:
|
if self.code_challenge and self.code_challenge_method:
|
||||||
|
@ -575,7 +569,6 @@ class OAuthFulfillmentStage(StageView):
|
||||||
expires=access_token_expiry,
|
expires=access_token_expiry,
|
||||||
provider=self.provider,
|
provider=self.provider,
|
||||||
auth_time=auth_event.created if auth_event else now,
|
auth_time=auth_event.created if auth_event else now,
|
||||||
session_id=sha256(self.request.session.session_key.encode("ascii")).hexdigest(),
|
|
||||||
)
|
)
|
||||||
|
|
||||||
id_token = IDToken.new(self.provider, token, self.request)
|
id_token = IDToken.new(self.provider, token, self.request)
|
||||||
|
|
|
@ -6,7 +6,6 @@ from hashlib import sha256
|
||||||
from re import error as RegexError
|
from re import error as RegexError
|
||||||
from re import fullmatch
|
from re import fullmatch
|
||||||
from typing import Any, Optional
|
from typing import Any, Optional
|
||||||
from urllib.parse import urlparse
|
|
||||||
|
|
||||||
from django.http import HttpRequest, HttpResponse
|
from django.http import HttpRequest, HttpResponse
|
||||||
from django.utils import timezone
|
from django.utils import timezone
|
||||||
|
@ -55,7 +54,6 @@ from authentik.providers.oauth2.models import (
|
||||||
RefreshToken,
|
RefreshToken,
|
||||||
)
|
)
|
||||||
from authentik.providers.oauth2.utils import TokenResponse, cors_allow, extract_client_auth
|
from authentik.providers.oauth2.utils import TokenResponse, cors_allow, extract_client_auth
|
||||||
from authentik.providers.oauth2.views.authorize import FORBIDDEN_URI_SCHEMES
|
|
||||||
from authentik.sources.oauth.models import OAuthSource
|
from authentik.sources.oauth.models import OAuthSource
|
||||||
from authentik.stages.password.stage import PLAN_CONTEXT_METHOD, PLAN_CONTEXT_METHOD_ARGS
|
from authentik.stages.password.stage import PLAN_CONTEXT_METHOD, PLAN_CONTEXT_METHOD_ARGS
|
||||||
|
|
||||||
|
@ -207,10 +205,6 @@ class TokenParams:
|
||||||
).from_http(request)
|
).from_http(request)
|
||||||
raise TokenError("invalid_client")
|
raise TokenError("invalid_client")
|
||||||
|
|
||||||
# Check against forbidden schemes
|
|
||||||
if urlparse(self.redirect_uri).scheme in FORBIDDEN_URI_SCHEMES:
|
|
||||||
raise TokenError("invalid_request")
|
|
||||||
|
|
||||||
self.authorization_code = AuthorizationCode.objects.filter(code=raw_code).first()
|
self.authorization_code = AuthorizationCode.objects.filter(code=raw_code).first()
|
||||||
if not self.authorization_code:
|
if not self.authorization_code:
|
||||||
LOGGER.warning("Code does not exist", code=raw_code)
|
LOGGER.warning("Code does not exist", code=raw_code)
|
||||||
|
@ -228,10 +222,7 @@ class TokenParams:
|
||||||
raise TokenError("invalid_grant")
|
raise TokenError("invalid_grant")
|
||||||
|
|
||||||
# Validate PKCE parameters.
|
# Validate PKCE parameters.
|
||||||
if self.authorization_code.code_challenge:
|
if self.code_verifier:
|
||||||
# Authorization code had PKCE but we didn't get one
|
|
||||||
if not self.code_verifier:
|
|
||||||
raise TokenError("invalid_request")
|
|
||||||
if self.authorization_code.code_challenge_method == PKCE_METHOD_S256:
|
if self.authorization_code.code_challenge_method == PKCE_METHOD_S256:
|
||||||
new_code_challenge = (
|
new_code_challenge = (
|
||||||
urlsafe_b64encode(sha256(self.code_verifier.encode("ascii")).digest())
|
urlsafe_b64encode(sha256(self.code_verifier.encode("ascii")).digest())
|
||||||
|
@ -493,7 +484,6 @@ class TokenView(View):
|
||||||
# Keep same scopes as previous token
|
# Keep same scopes as previous token
|
||||||
scope=self.params.authorization_code.scope,
|
scope=self.params.authorization_code.scope,
|
||||||
auth_time=self.params.authorization_code.auth_time,
|
auth_time=self.params.authorization_code.auth_time,
|
||||||
session_id=self.params.authorization_code.session_id,
|
|
||||||
)
|
)
|
||||||
access_token.id_token = IDToken.new(
|
access_token.id_token = IDToken.new(
|
||||||
self.provider,
|
self.provider,
|
||||||
|
@ -509,7 +499,6 @@ class TokenView(View):
|
||||||
expires=refresh_token_expiry,
|
expires=refresh_token_expiry,
|
||||||
provider=self.provider,
|
provider=self.provider,
|
||||||
auth_time=self.params.authorization_code.auth_time,
|
auth_time=self.params.authorization_code.auth_time,
|
||||||
session_id=self.params.authorization_code.session_id,
|
|
||||||
)
|
)
|
||||||
id_token = IDToken.new(
|
id_token = IDToken.new(
|
||||||
self.provider,
|
self.provider,
|
||||||
|
@ -547,7 +536,6 @@ class TokenView(View):
|
||||||
# Keep same scopes as previous token
|
# Keep same scopes as previous token
|
||||||
scope=self.params.refresh_token.scope,
|
scope=self.params.refresh_token.scope,
|
||||||
auth_time=self.params.refresh_token.auth_time,
|
auth_time=self.params.refresh_token.auth_time,
|
||||||
session_id=self.params.refresh_token.session_id,
|
|
||||||
)
|
)
|
||||||
access_token.id_token = IDToken.new(
|
access_token.id_token = IDToken.new(
|
||||||
self.provider,
|
self.provider,
|
||||||
|
@ -563,7 +551,6 @@ class TokenView(View):
|
||||||
expires=refresh_token_expiry,
|
expires=refresh_token_expiry,
|
||||||
provider=self.provider,
|
provider=self.provider,
|
||||||
auth_time=self.params.refresh_token.auth_time,
|
auth_time=self.params.refresh_token.auth_time,
|
||||||
session_id=self.params.refresh_token.session_id,
|
|
||||||
)
|
)
|
||||||
id_token = IDToken.new(
|
id_token = IDToken.new(
|
||||||
self.provider,
|
self.provider,
|
||||||
|
|
|
@ -1,6 +1,4 @@
|
||||||
"""proxy provider tasks"""
|
"""proxy provider tasks"""
|
||||||
from hashlib import sha256
|
|
||||||
|
|
||||||
from asgiref.sync import async_to_sync
|
from asgiref.sync import async_to_sync
|
||||||
from channels.layers import get_channel_layer
|
from channels.layers import get_channel_layer
|
||||||
from django.db import DatabaseError, InternalError, ProgrammingError
|
from django.db import DatabaseError, InternalError, ProgrammingError
|
||||||
|
@ -25,7 +23,6 @@ def proxy_set_defaults():
|
||||||
def proxy_on_logout(session_id: str):
|
def proxy_on_logout(session_id: str):
|
||||||
"""Update outpost instances connected to a single outpost"""
|
"""Update outpost instances connected to a single outpost"""
|
||||||
layer = get_channel_layer()
|
layer = get_channel_layer()
|
||||||
hashed_session_id = sha256(session_id.encode("ascii")).hexdigest()
|
|
||||||
for outpost in Outpost.objects.filter(type=OutpostType.PROXY):
|
for outpost in Outpost.objects.filter(type=OutpostType.PROXY):
|
||||||
group = OUTPOST_GROUP % {"outpost_pk": str(outpost.pk)}
|
group = OUTPOST_GROUP % {"outpost_pk": str(outpost.pk)}
|
||||||
async_to_sync(layer.group_send)(
|
async_to_sync(layer.group_send)(
|
||||||
|
@ -33,6 +30,6 @@ def proxy_on_logout(session_id: str):
|
||||||
{
|
{
|
||||||
"type": "event.provider.specific",
|
"type": "event.provider.specific",
|
||||||
"sub_type": "logout",
|
"sub_type": "logout",
|
||||||
"session_id": hashed_session_id,
|
"session_id": session_id,
|
||||||
},
|
},
|
||||||
)
|
)
|
||||||
|
|
|
@ -93,7 +93,7 @@ class SCIMMembershipTests(TestCase):
|
||||||
"emails": [],
|
"emails": [],
|
||||||
"active": True,
|
"active": True,
|
||||||
"externalId": user.uid,
|
"externalId": user.uid,
|
||||||
"name": {"familyName": " ", "formatted": " ", "givenName": ""},
|
"name": {"familyName": "", "formatted": "", "givenName": ""},
|
||||||
"displayName": "",
|
"displayName": "",
|
||||||
"userName": user.username,
|
"userName": user.username,
|
||||||
},
|
},
|
||||||
|
@ -184,7 +184,7 @@ class SCIMMembershipTests(TestCase):
|
||||||
"displayName": "",
|
"displayName": "",
|
||||||
"emails": [],
|
"emails": [],
|
||||||
"externalId": user.uid,
|
"externalId": user.uid,
|
||||||
"name": {"familyName": " ", "formatted": " ", "givenName": ""},
|
"name": {"familyName": "", "formatted": "", "givenName": ""},
|
||||||
"userName": user.username,
|
"userName": user.username,
|
||||||
},
|
},
|
||||||
)
|
)
|
||||||
|
|
|
@ -57,7 +57,7 @@ class SCIMUserTests(TestCase):
|
||||||
uid = generate_id()
|
uid = generate_id()
|
||||||
user = User.objects.create(
|
user = User.objects.create(
|
||||||
username=uid,
|
username=uid,
|
||||||
name=f"{uid} {uid}",
|
name=uid,
|
||||||
email=f"{uid}@goauthentik.io",
|
email=f"{uid}@goauthentik.io",
|
||||||
)
|
)
|
||||||
self.assertEqual(mock.call_count, 2)
|
self.assertEqual(mock.call_count, 2)
|
||||||
|
@ -77,11 +77,11 @@ class SCIMUserTests(TestCase):
|
||||||
],
|
],
|
||||||
"externalId": user.uid,
|
"externalId": user.uid,
|
||||||
"name": {
|
"name": {
|
||||||
"familyName": uid,
|
"familyName": "",
|
||||||
"formatted": f"{uid} {uid}",
|
"formatted": uid,
|
||||||
"givenName": uid,
|
"givenName": uid,
|
||||||
},
|
},
|
||||||
"displayName": f"{uid} {uid}",
|
"displayName": uid,
|
||||||
"userName": uid,
|
"userName": uid,
|
||||||
},
|
},
|
||||||
)
|
)
|
||||||
|
@ -110,7 +110,7 @@ class SCIMUserTests(TestCase):
|
||||||
uid = generate_id()
|
uid = generate_id()
|
||||||
user = User.objects.create(
|
user = User.objects.create(
|
||||||
username=uid,
|
username=uid,
|
||||||
name=f"{uid} {uid}",
|
name=uid,
|
||||||
email=f"{uid}@goauthentik.io",
|
email=f"{uid}@goauthentik.io",
|
||||||
)
|
)
|
||||||
self.assertEqual(mock.call_count, 2)
|
self.assertEqual(mock.call_count, 2)
|
||||||
|
@ -131,11 +131,11 @@ class SCIMUserTests(TestCase):
|
||||||
"value": f"{uid}@goauthentik.io",
|
"value": f"{uid}@goauthentik.io",
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"displayName": f"{uid} {uid}",
|
"displayName": uid,
|
||||||
"externalId": user.uid,
|
"externalId": user.uid,
|
||||||
"name": {
|
"name": {
|
||||||
"familyName": uid,
|
"familyName": "",
|
||||||
"formatted": f"{uid} {uid}",
|
"formatted": uid,
|
||||||
"givenName": uid,
|
"givenName": uid,
|
||||||
},
|
},
|
||||||
"userName": uid,
|
"userName": uid,
|
||||||
|
@ -166,7 +166,7 @@ class SCIMUserTests(TestCase):
|
||||||
uid = generate_id()
|
uid = generate_id()
|
||||||
user = User.objects.create(
|
user = User.objects.create(
|
||||||
username=uid,
|
username=uid,
|
||||||
name=f"{uid} {uid}",
|
name=uid,
|
||||||
email=f"{uid}@goauthentik.io",
|
email=f"{uid}@goauthentik.io",
|
||||||
)
|
)
|
||||||
self.assertEqual(mock.call_count, 2)
|
self.assertEqual(mock.call_count, 2)
|
||||||
|
@ -186,11 +186,11 @@ class SCIMUserTests(TestCase):
|
||||||
],
|
],
|
||||||
"externalId": user.uid,
|
"externalId": user.uid,
|
||||||
"name": {
|
"name": {
|
||||||
"familyName": uid,
|
"familyName": "",
|
||||||
"formatted": f"{uid} {uid}",
|
"formatted": uid,
|
||||||
"givenName": uid,
|
"givenName": uid,
|
||||||
},
|
},
|
||||||
"displayName": f"{uid} {uid}",
|
"displayName": uid,
|
||||||
"userName": uid,
|
"userName": uid,
|
||||||
},
|
},
|
||||||
)
|
)
|
||||||
|
@ -230,7 +230,7 @@ class SCIMUserTests(TestCase):
|
||||||
)
|
)
|
||||||
user = User.objects.create(
|
user = User.objects.create(
|
||||||
username=uid,
|
username=uid,
|
||||||
name=f"{uid} {uid}",
|
name=uid,
|
||||||
email=f"{uid}@goauthentik.io",
|
email=f"{uid}@goauthentik.io",
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -254,11 +254,11 @@ class SCIMUserTests(TestCase):
|
||||||
],
|
],
|
||||||
"externalId": user.uid,
|
"externalId": user.uid,
|
||||||
"name": {
|
"name": {
|
||||||
"familyName": uid,
|
"familyName": "",
|
||||||
"formatted": f"{uid} {uid}",
|
"formatted": uid,
|
||||||
"givenName": uid,
|
"givenName": uid,
|
||||||
},
|
},
|
||||||
"displayName": f"{uid} {uid}",
|
"displayName": uid,
|
||||||
"userName": uid,
|
"userName": uid,
|
||||||
},
|
},
|
||||||
)
|
)
|
||||||
|
|
|
@ -24,10 +24,7 @@ class ExtraRoleObjectPermissionSerializer(RoleObjectPermissionSerializer):
|
||||||
|
|
||||||
def get_app_label_verbose(self, instance: GroupObjectPermission) -> str:
|
def get_app_label_verbose(self, instance: GroupObjectPermission) -> str:
|
||||||
"""Get app label from permission's model"""
|
"""Get app label from permission's model"""
|
||||||
try:
|
|
||||||
return apps.get_app_config(instance.content_type.app_label).verbose_name
|
return apps.get_app_config(instance.content_type.app_label).verbose_name
|
||||||
except LookupError:
|
|
||||||
return instance.content_type.app_label
|
|
||||||
|
|
||||||
def get_model_verbose(self, instance: GroupObjectPermission) -> str:
|
def get_model_verbose(self, instance: GroupObjectPermission) -> str:
|
||||||
"""Get model label from permission's model"""
|
"""Get model label from permission's model"""
|
||||||
|
|
|
@ -24,10 +24,7 @@ class ExtraUserObjectPermissionSerializer(UserObjectPermissionSerializer):
|
||||||
|
|
||||||
def get_app_label_verbose(self, instance: UserObjectPermission) -> str:
|
def get_app_label_verbose(self, instance: UserObjectPermission) -> str:
|
||||||
"""Get app label from permission's model"""
|
"""Get app label from permission's model"""
|
||||||
try:
|
|
||||||
return apps.get_app_config(instance.content_type.app_label).verbose_name
|
return apps.get_app_config(instance.content_type.app_label).verbose_name
|
||||||
except LookupError:
|
|
||||||
return instance.content_type.app_label
|
|
||||||
|
|
||||||
def get_model_verbose(self, instance: UserObjectPermission) -> str:
|
def get_model_verbose(self, instance: UserObjectPermission) -> str:
|
||||||
"""Get model label from permission's model"""
|
"""Get model label from permission's model"""
|
||||||
|
|
|
@ -1,5 +1,4 @@
|
||||||
"""root settings for authentik"""
|
"""root settings for authentik"""
|
||||||
|
|
||||||
import importlib
|
import importlib
|
||||||
import os
|
import os
|
||||||
from hashlib import sha512
|
from hashlib import sha512
|
||||||
|
@ -83,6 +82,7 @@ INSTALLED_APPS = [
|
||||||
"authentik.sources.oauth",
|
"authentik.sources.oauth",
|
||||||
"authentik.sources.plex",
|
"authentik.sources.plex",
|
||||||
"authentik.sources.saml",
|
"authentik.sources.saml",
|
||||||
|
"authentik.sources.scim",
|
||||||
"authentik.stages.authenticator",
|
"authentik.stages.authenticator",
|
||||||
"authentik.stages.authenticator_duo",
|
"authentik.stages.authenticator_duo",
|
||||||
"authentik.stages.authenticator_sms",
|
"authentik.stages.authenticator_sms",
|
||||||
|
@ -147,6 +147,9 @@ SPECTACULAR_SETTINGS = {
|
||||||
"UserTypeEnum": "authentik.core.models.UserTypes",
|
"UserTypeEnum": "authentik.core.models.UserTypes",
|
||||||
},
|
},
|
||||||
"ENUM_ADD_EXPLICIT_BLANK_NULL_CHOICE": False,
|
"ENUM_ADD_EXPLICIT_BLANK_NULL_CHOICE": False,
|
||||||
|
"PREPROCESSING_HOOKS": [
|
||||||
|
"authentik.api.schema.preprocess_schema_exclude_non_api",
|
||||||
|
],
|
||||||
"POSTPROCESSING_HOOKS": [
|
"POSTPROCESSING_HOOKS": [
|
||||||
"authentik.api.schema.postprocess_schema_responses",
|
"authentik.api.schema.postprocess_schema_responses",
|
||||||
"drf_spectacular.hooks.postprocess_schema_enums",
|
"drf_spectacular.hooks.postprocess_schema_enums",
|
||||||
|
@ -195,8 +198,8 @@ _redis_url = (
|
||||||
CACHES = {
|
CACHES = {
|
||||||
"default": {
|
"default": {
|
||||||
"BACKEND": "django_redis.cache.RedisCache",
|
"BACKEND": "django_redis.cache.RedisCache",
|
||||||
"LOCATION": f"{_redis_url}/{CONFIG.get('redis.db')}",
|
"LOCATION": CONFIG.get("cache.url") or f"{_redis_url}/{CONFIG.get('redis.db')}",
|
||||||
"TIMEOUT": CONFIG.get_int("redis.cache_timeout", 300),
|
"TIMEOUT": CONFIG.get_int("cache.timeout", 300),
|
||||||
"OPTIONS": {"CLIENT_CLASS": "django_redis.client.DefaultClient"},
|
"OPTIONS": {"CLIENT_CLASS": "django_redis.client.DefaultClient"},
|
||||||
"KEY_PREFIX": "authentik_cache",
|
"KEY_PREFIX": "authentik_cache",
|
||||||
}
|
}
|
||||||
|
@ -256,7 +259,7 @@ CHANNEL_LAYERS = {
|
||||||
"default": {
|
"default": {
|
||||||
"BACKEND": "channels_redis.pubsub.RedisPubSubChannelLayer",
|
"BACKEND": "channels_redis.pubsub.RedisPubSubChannelLayer",
|
||||||
"CONFIG": {
|
"CONFIG": {
|
||||||
"hosts": [f"{_redis_url}/{CONFIG.get('redis.db')}"],
|
"hosts": [CONFIG.get("channel.url", f"{_redis_url}/{CONFIG.get('redis.db')}")],
|
||||||
"prefix": "authentik_channels_",
|
"prefix": "authentik_channels_",
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
@ -349,8 +352,11 @@ CELERY = {
|
||||||
},
|
},
|
||||||
"task_create_missing_queues": True,
|
"task_create_missing_queues": True,
|
||||||
"task_default_queue": "authentik",
|
"task_default_queue": "authentik",
|
||||||
"broker_url": f"{_redis_url}/{CONFIG.get('redis.db')}{_redis_celery_tls_requirements}",
|
"broker_url": CONFIG.get("broker.url")
|
||||||
"result_backend": f"{_redis_url}/{CONFIG.get('redis.db')}{_redis_celery_tls_requirements}",
|
or f"{_redis_url}/{CONFIG.get('redis.db')}{_redis_celery_tls_requirements}",
|
||||||
|
"broker_transport_options": CONFIG.get_dict_from_b64_json("broker.transport_options"),
|
||||||
|
"result_backend": CONFIG.get("result_backend.url")
|
||||||
|
or f"{_redis_url}/{CONFIG.get('redis.db')}{_redis_celery_tls_requirements}",
|
||||||
}
|
}
|
||||||
|
|
||||||
# Sentry integration
|
# Sentry integration
|
||||||
|
|
|
@ -1,13 +1,14 @@
|
||||||
"""Source API Views"""
|
"""Source API Views"""
|
||||||
from typing import Any
|
from typing import Any, Optional
|
||||||
|
|
||||||
|
from django.core.cache import cache
|
||||||
from django_filters.filters import AllValuesMultipleFilter
|
from django_filters.filters import AllValuesMultipleFilter
|
||||||
from django_filters.filterset import FilterSet
|
from django_filters.filterset import FilterSet
|
||||||
from drf_spectacular.types import OpenApiTypes
|
from drf_spectacular.types import OpenApiTypes
|
||||||
from drf_spectacular.utils import extend_schema, extend_schema_field, inline_serializer
|
from drf_spectacular.utils import extend_schema, extend_schema_field, inline_serializer
|
||||||
from rest_framework.decorators import action
|
from rest_framework.decorators import action
|
||||||
from rest_framework.exceptions import ValidationError
|
from rest_framework.exceptions import ValidationError
|
||||||
from rest_framework.fields import DictField, ListField
|
from rest_framework.fields import BooleanField, DictField, ListField, SerializerMethodField
|
||||||
from rest_framework.relations import PrimaryKeyRelatedField
|
from rest_framework.relations import PrimaryKeyRelatedField
|
||||||
from rest_framework.request import Request
|
from rest_framework.request import Request
|
||||||
from rest_framework.response import Response
|
from rest_framework.response import Response
|
||||||
|
@ -17,15 +18,17 @@ from authentik.admin.api.tasks import TaskSerializer
|
||||||
from authentik.core.api.propertymappings import PropertyMappingSerializer
|
from authentik.core.api.propertymappings import PropertyMappingSerializer
|
||||||
from authentik.core.api.sources import SourceSerializer
|
from authentik.core.api.sources import SourceSerializer
|
||||||
from authentik.core.api.used_by import UsedByMixin
|
from authentik.core.api.used_by import UsedByMixin
|
||||||
|
from authentik.core.api.utils import PassiveSerializer
|
||||||
from authentik.crypto.models import CertificateKeyPair
|
from authentik.crypto.models import CertificateKeyPair
|
||||||
from authentik.events.monitored_tasks import TaskInfo
|
from authentik.events.monitored_tasks import TaskInfo
|
||||||
from authentik.sources.ldap.models import LDAPPropertyMapping, LDAPSource
|
from authentik.sources.ldap.models import LDAPPropertyMapping, LDAPSource
|
||||||
from authentik.sources.ldap.tasks import SYNC_CLASSES
|
from authentik.sources.ldap.tasks import CACHE_KEY_STATUS, SYNC_CLASSES
|
||||||
|
|
||||||
|
|
||||||
class LDAPSourceSerializer(SourceSerializer):
|
class LDAPSourceSerializer(SourceSerializer):
|
||||||
"""LDAP Source Serializer"""
|
"""LDAP Source Serializer"""
|
||||||
|
|
||||||
|
connectivity = SerializerMethodField()
|
||||||
client_certificate = PrimaryKeyRelatedField(
|
client_certificate = PrimaryKeyRelatedField(
|
||||||
allow_null=True,
|
allow_null=True,
|
||||||
help_text="Client certificate to authenticate against the LDAP Server's Certificate.",
|
help_text="Client certificate to authenticate against the LDAP Server's Certificate.",
|
||||||
|
@ -35,6 +38,10 @@ class LDAPSourceSerializer(SourceSerializer):
|
||||||
required=False,
|
required=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
|
def get_connectivity(self, source: LDAPSource) -> Optional[dict[str, dict[str, str]]]:
|
||||||
|
"""Get cached source connectivity"""
|
||||||
|
return cache.get(CACHE_KEY_STATUS + source.slug, None)
|
||||||
|
|
||||||
def validate(self, attrs: dict[str, Any]) -> dict[str, Any]:
|
def validate(self, attrs: dict[str, Any]) -> dict[str, Any]:
|
||||||
"""Check that only a single source has password_sync on"""
|
"""Check that only a single source has password_sync on"""
|
||||||
sync_users_password = attrs.get("sync_users_password", True)
|
sync_users_password = attrs.get("sync_users_password", True)
|
||||||
|
@ -75,10 +82,18 @@ class LDAPSourceSerializer(SourceSerializer):
|
||||||
"sync_parent_group",
|
"sync_parent_group",
|
||||||
"property_mappings",
|
"property_mappings",
|
||||||
"property_mappings_group",
|
"property_mappings_group",
|
||||||
|
"connectivity",
|
||||||
]
|
]
|
||||||
extra_kwargs = {"bind_password": {"write_only": True}}
|
extra_kwargs = {"bind_password": {"write_only": True}}
|
||||||
|
|
||||||
|
|
||||||
|
class LDAPSyncStatusSerializer(PassiveSerializer):
|
||||||
|
"""LDAP Source sync status"""
|
||||||
|
|
||||||
|
is_running = BooleanField(read_only=True)
|
||||||
|
tasks = TaskSerializer(many=True, read_only=True)
|
||||||
|
|
||||||
|
|
||||||
class LDAPSourceViewSet(UsedByMixin, ModelViewSet):
|
class LDAPSourceViewSet(UsedByMixin, ModelViewSet):
|
||||||
"""LDAP Source Viewset"""
|
"""LDAP Source Viewset"""
|
||||||
|
|
||||||
|
@ -114,19 +129,19 @@ class LDAPSourceViewSet(UsedByMixin, ModelViewSet):
|
||||||
|
|
||||||
@extend_schema(
|
@extend_schema(
|
||||||
responses={
|
responses={
|
||||||
200: TaskSerializer(many=True),
|
200: LDAPSyncStatusSerializer(),
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
@action(methods=["GET"], detail=True, pagination_class=None, filter_backends=[])
|
@action(methods=["GET"], detail=True, pagination_class=None, filter_backends=[])
|
||||||
def sync_status(self, request: Request, slug: str) -> Response:
|
def sync_status(self, request: Request, slug: str) -> Response:
|
||||||
"""Get source's sync status"""
|
"""Get source's sync status"""
|
||||||
source = self.get_object()
|
source: LDAPSource = self.get_object()
|
||||||
results = []
|
tasks = TaskInfo.by_name(f"ldap_sync:{source.slug}:*") or []
|
||||||
tasks = TaskInfo.by_name(f"ldap_sync:{source.slug}:*")
|
status = {
|
||||||
if tasks:
|
"tasks": tasks,
|
||||||
for task in tasks:
|
"is_running": source.sync_lock.locked(),
|
||||||
results.append(task)
|
}
|
||||||
return Response(TaskSerializer(results, many=True).data)
|
return Response(LDAPSyncStatusSerializer(status).data)
|
||||||
|
|
||||||
@extend_schema(
|
@extend_schema(
|
||||||
responses={
|
responses={
|
||||||
|
|
|
@ -0,0 +1,24 @@
|
||||||
|
"""LDAP Connection check"""
|
||||||
|
from json import dumps
|
||||||
|
|
||||||
|
from django.core.management.base import BaseCommand
|
||||||
|
from structlog.stdlib import get_logger
|
||||||
|
|
||||||
|
from authentik.sources.ldap.models import LDAPSource
|
||||||
|
|
||||||
|
LOGGER = get_logger()
|
||||||
|
|
||||||
|
|
||||||
|
class Command(BaseCommand):
|
||||||
|
"""Check connectivity to LDAP servers for a source"""
|
||||||
|
|
||||||
|
def add_arguments(self, parser):
|
||||||
|
parser.add_argument("source_slugs", nargs="?", type=str)
|
||||||
|
|
||||||
|
def handle(self, **options):
|
||||||
|
sources = LDAPSource.objects.filter(enabled=True)
|
||||||
|
if options["source_slugs"]:
|
||||||
|
sources = LDAPSource.objects.filter(slug__in=options["source_slugs"])
|
||||||
|
for source in sources.order_by("slug"):
|
||||||
|
status = source.check_connection()
|
||||||
|
self.stdout.write(dumps(status, indent=4))
|
|
@ -4,10 +4,12 @@ from ssl import CERT_REQUIRED
|
||||||
from tempfile import NamedTemporaryFile, mkdtemp
|
from tempfile import NamedTemporaryFile, mkdtemp
|
||||||
from typing import Optional
|
from typing import Optional
|
||||||
|
|
||||||
|
from django.core.cache import cache
|
||||||
from django.db import models
|
from django.db import models
|
||||||
from django.utils.translation import gettext_lazy as _
|
from django.utils.translation import gettext_lazy as _
|
||||||
from ldap3 import ALL, NONE, RANDOM, Connection, Server, ServerPool, Tls
|
from ldap3 import ALL, NONE, RANDOM, Connection, Server, ServerPool, Tls
|
||||||
from ldap3.core.exceptions import LDAPInsufficientAccessRightsResult, LDAPSchemaError
|
from ldap3.core.exceptions import LDAPException, LDAPInsufficientAccessRightsResult, LDAPSchemaError
|
||||||
|
from redis.lock import Lock
|
||||||
from rest_framework.serializers import Serializer
|
from rest_framework.serializers import Serializer
|
||||||
|
|
||||||
from authentik.core.models import Group, PropertyMapping, Source
|
from authentik.core.models import Group, PropertyMapping, Source
|
||||||
|
@ -117,7 +119,7 @@ class LDAPSource(Source):
|
||||||
|
|
||||||
return LDAPSourceSerializer
|
return LDAPSourceSerializer
|
||||||
|
|
||||||
def server(self, **kwargs) -> Server:
|
def server(self, **kwargs) -> ServerPool:
|
||||||
"""Get LDAP Server/ServerPool"""
|
"""Get LDAP Server/ServerPool"""
|
||||||
servers = []
|
servers = []
|
||||||
tls_kwargs = {}
|
tls_kwargs = {}
|
||||||
|
@ -154,7 +156,10 @@ class LDAPSource(Source):
|
||||||
return ServerPool(servers, RANDOM, active=5, exhaust=True)
|
return ServerPool(servers, RANDOM, active=5, exhaust=True)
|
||||||
|
|
||||||
def connection(
|
def connection(
|
||||||
self, server_kwargs: Optional[dict] = None, connection_kwargs: Optional[dict] = None
|
self,
|
||||||
|
server: Optional[Server] = None,
|
||||||
|
server_kwargs: Optional[dict] = None,
|
||||||
|
connection_kwargs: Optional[dict] = None,
|
||||||
) -> Connection:
|
) -> Connection:
|
||||||
"""Get a fully connected and bound LDAP Connection"""
|
"""Get a fully connected and bound LDAP Connection"""
|
||||||
server_kwargs = server_kwargs or {}
|
server_kwargs = server_kwargs or {}
|
||||||
|
@ -164,7 +169,7 @@ class LDAPSource(Source):
|
||||||
if self.bind_password is not None:
|
if self.bind_password is not None:
|
||||||
connection_kwargs.setdefault("password", self.bind_password)
|
connection_kwargs.setdefault("password", self.bind_password)
|
||||||
connection = Connection(
|
connection = Connection(
|
||||||
self.server(**server_kwargs),
|
server or self.server(**server_kwargs),
|
||||||
raise_exceptions=True,
|
raise_exceptions=True,
|
||||||
receive_timeout=LDAP_TIMEOUT,
|
receive_timeout=LDAP_TIMEOUT,
|
||||||
**connection_kwargs,
|
**connection_kwargs,
|
||||||
|
@ -183,9 +188,55 @@ class LDAPSource(Source):
|
||||||
if server_kwargs.get("get_info", ALL) == NONE:
|
if server_kwargs.get("get_info", ALL) == NONE:
|
||||||
raise exc
|
raise exc
|
||||||
server_kwargs["get_info"] = NONE
|
server_kwargs["get_info"] = NONE
|
||||||
return self.connection(server_kwargs, connection_kwargs)
|
return self.connection(server, server_kwargs, connection_kwargs)
|
||||||
return RuntimeError("Failed to bind")
|
return RuntimeError("Failed to bind")
|
||||||
|
|
||||||
|
@property
|
||||||
|
def sync_lock(self) -> Lock:
|
||||||
|
"""Redis lock for syncing LDAP to prevent multiple parallel syncs happening"""
|
||||||
|
return Lock(
|
||||||
|
cache.client.get_client(),
|
||||||
|
name=f"goauthentik.io/sources/ldap/sync-{self.slug}",
|
||||||
|
# Convert task timeout hours to seconds, and multiply times 3
|
||||||
|
# (see authentik/sources/ldap/tasks.py:54)
|
||||||
|
# multiply by 3 to add even more leeway
|
||||||
|
timeout=(60 * 60 * CONFIG.get_int("ldap.task_timeout_hours")) * 3,
|
||||||
|
)
|
||||||
|
|
||||||
|
def check_connection(self) -> dict[str, dict[str, str]]:
|
||||||
|
"""Check LDAP Connection"""
|
||||||
|
from authentik.sources.ldap.sync.base import flatten
|
||||||
|
|
||||||
|
servers = self.server()
|
||||||
|
server_info = {}
|
||||||
|
# Check each individual server
|
||||||
|
for server in servers.servers:
|
||||||
|
server: Server
|
||||||
|
try:
|
||||||
|
connection = self.connection(server=server)
|
||||||
|
server_info[server.host] = {
|
||||||
|
"vendor": str(flatten(connection.server.info.vendor_name)),
|
||||||
|
"version": str(flatten(connection.server.info.vendor_version)),
|
||||||
|
"status": "ok",
|
||||||
|
}
|
||||||
|
except LDAPException as exc:
|
||||||
|
server_info[server.host] = {
|
||||||
|
"status": str(exc),
|
||||||
|
}
|
||||||
|
# Check server pool
|
||||||
|
try:
|
||||||
|
connection = self.connection()
|
||||||
|
server_info["__all__"] = {
|
||||||
|
"vendor": str(flatten(connection.server.info.vendor_name)),
|
||||||
|
"version": str(flatten(connection.server.info.vendor_version)),
|
||||||
|
"status": "ok",
|
||||||
|
}
|
||||||
|
except LDAPException as exc:
|
||||||
|
server_info["__all__"] = {
|
||||||
|
"status": str(exc),
|
||||||
|
}
|
||||||
|
return server_info
|
||||||
|
|
||||||
class Meta:
|
class Meta:
|
||||||
verbose_name = _("LDAP Source")
|
verbose_name = _("LDAP Source")
|
||||||
verbose_name_plural = _("LDAP Sources")
|
verbose_name_plural = _("LDAP Sources")
|
||||||
|
|
|
@ -8,5 +8,10 @@ CELERY_BEAT_SCHEDULE = {
|
||||||
"task": "authentik.sources.ldap.tasks.ldap_sync_all",
|
"task": "authentik.sources.ldap.tasks.ldap_sync_all",
|
||||||
"schedule": crontab(minute=fqdn_rand("sources_ldap_sync"), hour="*/2"),
|
"schedule": crontab(minute=fqdn_rand("sources_ldap_sync"), hour="*/2"),
|
||||||
"options": {"queue": "authentik_scheduled"},
|
"options": {"queue": "authentik_scheduled"},
|
||||||
}
|
},
|
||||||
|
"sources_ldap_connectivity_check": {
|
||||||
|
"task": "authentik.sources.ldap.tasks.ldap_connectivity_check",
|
||||||
|
"schedule": crontab(minute=fqdn_rand("sources_ldap_connectivity_check"), hour="*"),
|
||||||
|
"options": {"queue": "authentik_scheduled"},
|
||||||
|
},
|
||||||
}
|
}
|
||||||
|
|
|
@ -14,7 +14,7 @@ from authentik.events.models import Event, EventAction
|
||||||
from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
|
from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
|
||||||
from authentik.sources.ldap.models import LDAPSource
|
from authentik.sources.ldap.models import LDAPSource
|
||||||
from authentik.sources.ldap.password import LDAPPasswordChanger
|
from authentik.sources.ldap.password import LDAPPasswordChanger
|
||||||
from authentik.sources.ldap.tasks import ldap_sync_single
|
from authentik.sources.ldap.tasks import ldap_connectivity_check, ldap_sync_single
|
||||||
from authentik.stages.prompt.signals import password_validate
|
from authentik.stages.prompt.signals import password_validate
|
||||||
|
|
||||||
LOGGER = get_logger()
|
LOGGER = get_logger()
|
||||||
|
@ -32,6 +32,7 @@ def sync_ldap_source_on_save(sender, instance: LDAPSource, **_):
|
||||||
if not instance.property_mappings.exists() or not instance.property_mappings_group.exists():
|
if not instance.property_mappings.exists() or not instance.property_mappings_group.exists():
|
||||||
return
|
return
|
||||||
ldap_sync_single.delay(instance.pk)
|
ldap_sync_single.delay(instance.pk)
|
||||||
|
ldap_connectivity_check.delay(instance.pk)
|
||||||
|
|
||||||
|
|
||||||
@receiver(password_validate)
|
@receiver(password_validate)
|
||||||
|
|
|
@ -17,6 +17,15 @@ from authentik.sources.ldap.models import LDAPPropertyMapping, LDAPSource
|
||||||
LDAP_UNIQUENESS = "ldap_uniq"
|
LDAP_UNIQUENESS = "ldap_uniq"
|
||||||
|
|
||||||
|
|
||||||
|
def flatten(value: Any) -> Any:
|
||||||
|
"""Flatten `value` if its a list"""
|
||||||
|
if isinstance(value, list):
|
||||||
|
if len(value) < 1:
|
||||||
|
return None
|
||||||
|
return value[0]
|
||||||
|
return value
|
||||||
|
|
||||||
|
|
||||||
class BaseLDAPSynchronizer:
|
class BaseLDAPSynchronizer:
|
||||||
"""Sync LDAP Users and groups into authentik"""
|
"""Sync LDAP Users and groups into authentik"""
|
||||||
|
|
||||||
|
@ -122,14 +131,6 @@ class BaseLDAPSynchronizer:
|
||||||
cookie = None
|
cookie = None
|
||||||
yield self._connection.response
|
yield self._connection.response
|
||||||
|
|
||||||
def _flatten(self, value: Any) -> Any:
|
|
||||||
"""Flatten `value` if its a list"""
|
|
||||||
if isinstance(value, list):
|
|
||||||
if len(value) < 1:
|
|
||||||
return None
|
|
||||||
return value[0]
|
|
||||||
return value
|
|
||||||
|
|
||||||
def build_user_properties(self, user_dn: str, **kwargs) -> dict[str, Any]:
|
def build_user_properties(self, user_dn: str, **kwargs) -> dict[str, Any]:
|
||||||
"""Build attributes for User object based on property mappings."""
|
"""Build attributes for User object based on property mappings."""
|
||||||
props = self._build_object_properties(user_dn, self._source.property_mappings, **kwargs)
|
props = self._build_object_properties(user_dn, self._source.property_mappings, **kwargs)
|
||||||
|
@ -163,10 +164,10 @@ class BaseLDAPSynchronizer:
|
||||||
object_field = mapping.object_field
|
object_field = mapping.object_field
|
||||||
if object_field.startswith("attributes."):
|
if object_field.startswith("attributes."):
|
||||||
# Because returning a list might desired, we can't
|
# Because returning a list might desired, we can't
|
||||||
# rely on self._flatten here. Instead, just save the result as-is
|
# rely on flatten here. Instead, just save the result as-is
|
||||||
set_path_in_dict(properties, object_field, value)
|
set_path_in_dict(properties, object_field, value)
|
||||||
else:
|
else:
|
||||||
properties[object_field] = self._flatten(value)
|
properties[object_field] = flatten(value)
|
||||||
except PropertyMappingExpressionException as exc:
|
except PropertyMappingExpressionException as exc:
|
||||||
Event.new(
|
Event.new(
|
||||||
EventAction.CONFIGURATION_ERROR,
|
EventAction.CONFIGURATION_ERROR,
|
||||||
|
@ -177,7 +178,7 @@ class BaseLDAPSynchronizer:
|
||||||
self._logger.warning("Mapping failed to evaluate", exc=exc, mapping=mapping)
|
self._logger.warning("Mapping failed to evaluate", exc=exc, mapping=mapping)
|
||||||
continue
|
continue
|
||||||
if self._source.object_uniqueness_field in kwargs:
|
if self._source.object_uniqueness_field in kwargs:
|
||||||
properties["attributes"][LDAP_UNIQUENESS] = self._flatten(
|
properties["attributes"][LDAP_UNIQUENESS] = flatten(
|
||||||
kwargs.get(self._source.object_uniqueness_field)
|
kwargs.get(self._source.object_uniqueness_field)
|
||||||
)
|
)
|
||||||
properties["attributes"][LDAP_DISTINGUISHED_NAME] = object_dn
|
properties["attributes"][LDAP_DISTINGUISHED_NAME] = object_dn
|
||||||
|
|
|
@ -7,7 +7,7 @@ from ldap3 import ALL_ATTRIBUTES, ALL_OPERATIONAL_ATTRIBUTES, SUBTREE
|
||||||
|
|
||||||
from authentik.core.models import Group
|
from authentik.core.models import Group
|
||||||
from authentik.events.models import Event, EventAction
|
from authentik.events.models import Event, EventAction
|
||||||
from authentik.sources.ldap.sync.base import LDAP_UNIQUENESS, BaseLDAPSynchronizer
|
from authentik.sources.ldap.sync.base import LDAP_UNIQUENESS, BaseLDAPSynchronizer, flatten
|
||||||
|
|
||||||
|
|
||||||
class GroupLDAPSynchronizer(BaseLDAPSynchronizer):
|
class GroupLDAPSynchronizer(BaseLDAPSynchronizer):
|
||||||
|
@ -39,7 +39,7 @@ class GroupLDAPSynchronizer(BaseLDAPSynchronizer):
|
||||||
if "attributes" not in group:
|
if "attributes" not in group:
|
||||||
continue
|
continue
|
||||||
attributes = group.get("attributes", {})
|
attributes = group.get("attributes", {})
|
||||||
group_dn = self._flatten(self._flatten(group.get("entryDN", group.get("dn"))))
|
group_dn = flatten(flatten(group.get("entryDN", group.get("dn"))))
|
||||||
if self._source.object_uniqueness_field not in attributes:
|
if self._source.object_uniqueness_field not in attributes:
|
||||||
self.message(
|
self.message(
|
||||||
f"Cannot find uniqueness field in attributes: '{group_dn}'",
|
f"Cannot find uniqueness field in attributes: '{group_dn}'",
|
||||||
|
@ -47,7 +47,7 @@ class GroupLDAPSynchronizer(BaseLDAPSynchronizer):
|
||||||
dn=group_dn,
|
dn=group_dn,
|
||||||
)
|
)
|
||||||
continue
|
continue
|
||||||
uniq = self._flatten(attributes[self._source.object_uniqueness_field])
|
uniq = flatten(attributes[self._source.object_uniqueness_field])
|
||||||
try:
|
try:
|
||||||
defaults = self.build_group_properties(group_dn, **attributes)
|
defaults = self.build_group_properties(group_dn, **attributes)
|
||||||
defaults["parent"] = self._source.sync_parent_group
|
defaults["parent"] = self._source.sync_parent_group
|
||||||
|
|
|
@ -7,7 +7,7 @@ from ldap3 import ALL_ATTRIBUTES, ALL_OPERATIONAL_ATTRIBUTES, SUBTREE
|
||||||
|
|
||||||
from authentik.core.models import User
|
from authentik.core.models import User
|
||||||
from authentik.events.models import Event, EventAction
|
from authentik.events.models import Event, EventAction
|
||||||
from authentik.sources.ldap.sync.base import LDAP_UNIQUENESS, BaseLDAPSynchronizer
|
from authentik.sources.ldap.sync.base import LDAP_UNIQUENESS, BaseLDAPSynchronizer, flatten
|
||||||
from authentik.sources.ldap.sync.vendor.freeipa import FreeIPA
|
from authentik.sources.ldap.sync.vendor.freeipa import FreeIPA
|
||||||
from authentik.sources.ldap.sync.vendor.ms_ad import MicrosoftActiveDirectory
|
from authentik.sources.ldap.sync.vendor.ms_ad import MicrosoftActiveDirectory
|
||||||
|
|
||||||
|
@ -41,7 +41,7 @@ class UserLDAPSynchronizer(BaseLDAPSynchronizer):
|
||||||
if "attributes" not in user:
|
if "attributes" not in user:
|
||||||
continue
|
continue
|
||||||
attributes = user.get("attributes", {})
|
attributes = user.get("attributes", {})
|
||||||
user_dn = self._flatten(user.get("entryDN", user.get("dn")))
|
user_dn = flatten(user.get("entryDN", user.get("dn")))
|
||||||
if self._source.object_uniqueness_field not in attributes:
|
if self._source.object_uniqueness_field not in attributes:
|
||||||
self.message(
|
self.message(
|
||||||
f"Cannot find uniqueness field in attributes: '{user_dn}'",
|
f"Cannot find uniqueness field in attributes: '{user_dn}'",
|
||||||
|
@ -49,7 +49,7 @@ class UserLDAPSynchronizer(BaseLDAPSynchronizer):
|
||||||
dn=user_dn,
|
dn=user_dn,
|
||||||
)
|
)
|
||||||
continue
|
continue
|
||||||
uniq = self._flatten(attributes[self._source.object_uniqueness_field])
|
uniq = flatten(attributes[self._source.object_uniqueness_field])
|
||||||
try:
|
try:
|
||||||
defaults = self.build_user_properties(user_dn, **attributes)
|
defaults = self.build_user_properties(user_dn, **attributes)
|
||||||
self._logger.debug("Writing user with attributes", **defaults)
|
self._logger.debug("Writing user with attributes", **defaults)
|
||||||
|
|
|
@ -5,7 +5,7 @@ from typing import Any, Generator
|
||||||
from pytz import UTC
|
from pytz import UTC
|
||||||
|
|
||||||
from authentik.core.models import User
|
from authentik.core.models import User
|
||||||
from authentik.sources.ldap.sync.base import BaseLDAPSynchronizer
|
from authentik.sources.ldap.sync.base import BaseLDAPSynchronizer, flatten
|
||||||
|
|
||||||
|
|
||||||
class FreeIPA(BaseLDAPSynchronizer):
|
class FreeIPA(BaseLDAPSynchronizer):
|
||||||
|
@ -47,7 +47,7 @@ class FreeIPA(BaseLDAPSynchronizer):
|
||||||
return
|
return
|
||||||
# For some reason, nsaccountlock is not defined properly in the schema as bool
|
# For some reason, nsaccountlock is not defined properly in the schema as bool
|
||||||
# hence we get it as a list of strings
|
# hence we get it as a list of strings
|
||||||
_is_locked = str(self._flatten(attributes.get("nsaccountlock", ["FALSE"])))
|
_is_locked = str(flatten(attributes.get("nsaccountlock", ["FALSE"])))
|
||||||
# So we have to attempt to convert it to a bool
|
# So we have to attempt to convert it to a bool
|
||||||
is_locked = _is_locked.lower() == "true"
|
is_locked = _is_locked.lower() == "true"
|
||||||
# And then invert it since freeipa saves locked and we save active
|
# And then invert it since freeipa saves locked and we save active
|
||||||
|
|
|
@ -1,13 +1,14 @@
|
||||||
"""LDAP Sync tasks"""
|
"""LDAP Sync tasks"""
|
||||||
|
from typing import Optional
|
||||||
from uuid import uuid4
|
from uuid import uuid4
|
||||||
|
|
||||||
from celery import chain, group
|
from celery import chain, group
|
||||||
from django.core.cache import cache
|
from django.core.cache import cache
|
||||||
from ldap3.core.exceptions import LDAPException
|
from ldap3.core.exceptions import LDAPException
|
||||||
from redis.exceptions import LockError
|
from redis.exceptions import LockError
|
||||||
from redis.lock import Lock
|
|
||||||
from structlog.stdlib import get_logger
|
from structlog.stdlib import get_logger
|
||||||
|
|
||||||
|
from authentik.events.monitored_tasks import CACHE_KEY_PREFIX as CACHE_KEY_PREFIX_TASKS
|
||||||
from authentik.events.monitored_tasks import MonitoredTask, TaskResult, TaskResultStatus
|
from authentik.events.monitored_tasks import MonitoredTask, TaskResult, TaskResultStatus
|
||||||
from authentik.lib.config import CONFIG
|
from authentik.lib.config import CONFIG
|
||||||
from authentik.lib.utils.errors import exception_to_string
|
from authentik.lib.utils.errors import exception_to_string
|
||||||
|
@ -26,6 +27,7 @@ SYNC_CLASSES = [
|
||||||
MembershipLDAPSynchronizer,
|
MembershipLDAPSynchronizer,
|
||||||
]
|
]
|
||||||
CACHE_KEY_PREFIX = "goauthentik.io/sources/ldap/page/"
|
CACHE_KEY_PREFIX = "goauthentik.io/sources/ldap/page/"
|
||||||
|
CACHE_KEY_STATUS = "goauthentik.io/sources/ldap/status/"
|
||||||
|
|
||||||
|
|
||||||
@CELERY_APP.task()
|
@CELERY_APP.task()
|
||||||
|
@ -35,6 +37,19 @@ def ldap_sync_all():
|
||||||
ldap_sync_single.apply_async(args=[source.pk])
|
ldap_sync_single.apply_async(args=[source.pk])
|
||||||
|
|
||||||
|
|
||||||
|
@CELERY_APP.task()
|
||||||
|
def ldap_connectivity_check(pk: Optional[str] = None):
|
||||||
|
"""Check connectivity for LDAP Sources"""
|
||||||
|
# 2 hour timeout, this task should run every hour
|
||||||
|
timeout = 60 * 60 * 2
|
||||||
|
sources = LDAPSource.objects.filter(enabled=True)
|
||||||
|
if pk:
|
||||||
|
sources = sources.filter(pk=pk)
|
||||||
|
for source in sources:
|
||||||
|
status = source.check_connection()
|
||||||
|
cache.set(CACHE_KEY_STATUS + source.slug, status, timeout=timeout)
|
||||||
|
|
||||||
|
|
||||||
@CELERY_APP.task(
|
@CELERY_APP.task(
|
||||||
# We take the configured hours timeout time by 2.5 as we run user and
|
# We take the configured hours timeout time by 2.5 as we run user and
|
||||||
# group in parallel and then membership, so 2x is to cover the serial tasks,
|
# group in parallel and then membership, so 2x is to cover the serial tasks,
|
||||||
|
@ -47,12 +62,15 @@ def ldap_sync_single(source_pk: str):
|
||||||
source: LDAPSource = LDAPSource.objects.filter(pk=source_pk).first()
|
source: LDAPSource = LDAPSource.objects.filter(pk=source_pk).first()
|
||||||
if not source:
|
if not source:
|
||||||
return
|
return
|
||||||
lock = Lock(cache.client.get_client(), name=f"goauthentik.io/sources/ldap/sync-{source.slug}")
|
lock = source.sync_lock
|
||||||
if lock.locked():
|
if lock.locked():
|
||||||
LOGGER.debug("LDAP sync locked, skipping task", source=source.slug)
|
LOGGER.debug("LDAP sync locked, skipping task", source=source.slug)
|
||||||
return
|
return
|
||||||
try:
|
try:
|
||||||
with lock:
|
with lock:
|
||||||
|
# Delete all sync tasks from the cache
|
||||||
|
keys = cache.keys(f"{CACHE_KEY_PREFIX_TASKS}ldap_sync:{source.slug}*")
|
||||||
|
cache.delete_many(keys)
|
||||||
task = chain(
|
task = chain(
|
||||||
# User and group sync can happen at once, they have no dependencies on each other
|
# User and group sync can happen at once, they have no dependencies on each other
|
||||||
group(
|
group(
|
||||||
|
|
|
@ -4,8 +4,8 @@ from typing import Any
|
||||||
from structlog.stdlib import get_logger
|
from structlog.stdlib import get_logger
|
||||||
|
|
||||||
from authentik.sources.oauth.clients.oauth2 import UserprofileHeaderAuthClient
|
from authentik.sources.oauth.clients.oauth2 import UserprofileHeaderAuthClient
|
||||||
from authentik.sources.oauth.types.oidc import OpenIDConnectOAuth2Callback
|
|
||||||
from authentik.sources.oauth.types.registry import SourceType, registry
|
from authentik.sources.oauth.types.registry import SourceType, registry
|
||||||
|
from authentik.sources.oauth.views.callback import OAuthCallback
|
||||||
from authentik.sources.oauth.views.redirect import OAuthRedirect
|
from authentik.sources.oauth.views.redirect import OAuthRedirect
|
||||||
|
|
||||||
LOGGER = get_logger()
|
LOGGER = get_logger()
|
||||||
|
@ -20,7 +20,7 @@ class AzureADOAuthRedirect(OAuthRedirect):
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
class AzureADOAuthCallback(OpenIDConnectOAuth2Callback):
|
class AzureADOAuthCallback(OAuthCallback):
|
||||||
"""AzureAD OAuth2 Callback"""
|
"""AzureAD OAuth2 Callback"""
|
||||||
|
|
||||||
client_class = UserprofileHeaderAuthClient
|
client_class = UserprofileHeaderAuthClient
|
||||||
|
@ -50,7 +50,7 @@ class AzureADType(SourceType):
|
||||||
|
|
||||||
authorization_url = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
|
authorization_url = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
|
||||||
access_token_url = "https://login.microsoftonline.com/common/oauth2/v2.0/token" # nosec
|
access_token_url = "https://login.microsoftonline.com/common/oauth2/v2.0/token" # nosec
|
||||||
profile_url = "https://login.microsoftonline.com/common/openid/userinfo"
|
profile_url = "https://graph.microsoft.com/v1.0/me"
|
||||||
oidc_well_known_url = (
|
oidc_well_known_url = (
|
||||||
"https://login.microsoftonline.com/common/.well-known/openid-configuration"
|
"https://login.microsoftonline.com/common/.well-known/openid-configuration"
|
||||||
)
|
)
|
||||||
|
|
|
@ -23,7 +23,7 @@ class OpenIDConnectOAuth2Callback(OAuthCallback):
|
||||||
client_class = UserprofileHeaderAuthClient
|
client_class = UserprofileHeaderAuthClient
|
||||||
|
|
||||||
def get_user_id(self, info: dict[str, str]) -> str:
|
def get_user_id(self, info: dict[str, str]) -> str:
|
||||||
return info.get("sub", None)
|
return info.get("sub", "")
|
||||||
|
|
||||||
def get_user_enroll_context(
|
def get_user_enroll_context(
|
||||||
self,
|
self,
|
||||||
|
|
|
@ -3,8 +3,8 @@ from typing import Any
|
||||||
|
|
||||||
from authentik.sources.oauth.clients.oauth2 import UserprofileHeaderAuthClient
|
from authentik.sources.oauth.clients.oauth2 import UserprofileHeaderAuthClient
|
||||||
from authentik.sources.oauth.models import OAuthSource
|
from authentik.sources.oauth.models import OAuthSource
|
||||||
from authentik.sources.oauth.types.oidc import OpenIDConnectOAuth2Callback
|
|
||||||
from authentik.sources.oauth.types.registry import SourceType, registry
|
from authentik.sources.oauth.types.registry import SourceType, registry
|
||||||
|
from authentik.sources.oauth.views.callback import OAuthCallback
|
||||||
from authentik.sources.oauth.views.redirect import OAuthRedirect
|
from authentik.sources.oauth.views.redirect import OAuthRedirect
|
||||||
|
|
||||||
|
|
||||||
|
@ -17,7 +17,7 @@ class OktaOAuthRedirect(OAuthRedirect):
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
class OktaOAuth2Callback(OpenIDConnectOAuth2Callback):
|
class OktaOAuth2Callback(OAuthCallback):
|
||||||
"""Okta OAuth2 Callback"""
|
"""Okta OAuth2 Callback"""
|
||||||
|
|
||||||
# Okta has the same quirk as azure and throws an error if the access token
|
# Okta has the same quirk as azure and throws an error if the access token
|
||||||
|
@ -25,6 +25,9 @@ class OktaOAuth2Callback(OpenIDConnectOAuth2Callback):
|
||||||
# see https://github.com/goauthentik/authentik/issues/1910
|
# see https://github.com/goauthentik/authentik/issues/1910
|
||||||
client_class = UserprofileHeaderAuthClient
|
client_class = UserprofileHeaderAuthClient
|
||||||
|
|
||||||
|
def get_user_id(self, info: dict[str, str]) -> str:
|
||||||
|
return info.get("sub", "")
|
||||||
|
|
||||||
def get_user_enroll_context(
|
def get_user_enroll_context(
|
||||||
self,
|
self,
|
||||||
info: dict[str, Any],
|
info: dict[str, Any],
|
||||||
|
|
|
@ -3,8 +3,8 @@ from json import dumps
|
||||||
from typing import Any, Optional
|
from typing import Any, Optional
|
||||||
|
|
||||||
from authentik.sources.oauth.clients.oauth2 import UserprofileHeaderAuthClient
|
from authentik.sources.oauth.clients.oauth2 import UserprofileHeaderAuthClient
|
||||||
from authentik.sources.oauth.types.oidc import OpenIDConnectOAuth2Callback
|
|
||||||
from authentik.sources.oauth.types.registry import SourceType, registry
|
from authentik.sources.oauth.types.registry import SourceType, registry
|
||||||
|
from authentik.sources.oauth.views.callback import OAuthCallback
|
||||||
from authentik.sources.oauth.views.redirect import OAuthRedirect
|
from authentik.sources.oauth.views.redirect import OAuthRedirect
|
||||||
|
|
||||||
|
|
||||||
|
@ -27,11 +27,14 @@ class TwitchOAuthRedirect(OAuthRedirect):
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
class TwitchOAuth2Callback(OpenIDConnectOAuth2Callback):
|
class TwitchOAuth2Callback(OAuthCallback):
|
||||||
"""Twitch OAuth2 Callback"""
|
"""Twitch OAuth2 Callback"""
|
||||||
|
|
||||||
client_class = TwitchClient
|
client_class = TwitchClient
|
||||||
|
|
||||||
|
def get_user_id(self, info: dict[str, str]) -> str:
|
||||||
|
return info.get("sub", "")
|
||||||
|
|
||||||
def get_user_enroll_context(
|
def get_user_enroll_context(
|
||||||
self,
|
self,
|
||||||
info: dict[str, Any],
|
info: dict[str, Any],
|
||||||
|
|
0
authentik/sources/scim/__init__.py
Normal file
0
authentik/sources/scim/__init__.py
Normal file
62
authentik/sources/scim/api.py
Normal file
62
authentik/sources/scim/api.py
Normal file
|
@ -0,0 +1,62 @@
|
||||||
|
"""SCIMSource API Views"""
|
||||||
|
from django.urls import reverse_lazy
|
||||||
|
from rest_framework.fields import SerializerMethodField
|
||||||
|
from rest_framework.viewsets import ModelViewSet
|
||||||
|
|
||||||
|
from authentik.core.api.sources import SourceSerializer
|
||||||
|
from authentik.core.api.tokens import TokenSerializer
|
||||||
|
from authentik.core.api.used_by import UsedByMixin
|
||||||
|
from authentik.core.models import Token, TokenIntents, User, UserTypes
|
||||||
|
from authentik.sources.scim.models import SCIMSource
|
||||||
|
|
||||||
|
|
||||||
|
class SCIMSourceSerializer(SourceSerializer):
|
||||||
|
"""SCIMSource Serializer"""
|
||||||
|
|
||||||
|
root_url = SerializerMethodField()
|
||||||
|
token_obj = TokenSerializer(source="token", required=False, read_only=True)
|
||||||
|
|
||||||
|
def get_root_url(self, instance: SCIMSource) -> str:
|
||||||
|
"""Get Root URL"""
|
||||||
|
relative_url = reverse_lazy(
|
||||||
|
"authentik_sources_scim:v2-root",
|
||||||
|
kwargs={"source_slug": instance.slug},
|
||||||
|
)
|
||||||
|
if "request" not in self.context:
|
||||||
|
return relative_url
|
||||||
|
return self.context["request"].build_absolute_uri(relative_url)
|
||||||
|
|
||||||
|
def create(self, validated_data):
|
||||||
|
instance: SCIMSource = super().create(validated_data)
|
||||||
|
identifier = f"ak-source-scim-{instance.pk}"
|
||||||
|
user = User.objects.create(
|
||||||
|
username=identifier,
|
||||||
|
name=f"SCIM Source {instance.name} Service-Account",
|
||||||
|
type=UserTypes.SERVICE_ACCOUNT,
|
||||||
|
)
|
||||||
|
token = Token.objects.create(
|
||||||
|
user=user,
|
||||||
|
identifier=identifier,
|
||||||
|
intent=TokenIntents.INTENT_API,
|
||||||
|
expiring=False,
|
||||||
|
managed=f"goauthentik.io/sources/scim/{instance.pk}",
|
||||||
|
)
|
||||||
|
instance.token = token
|
||||||
|
instance.save()
|
||||||
|
return instance
|
||||||
|
|
||||||
|
class Meta:
|
||||||
|
|
||||||
|
model = SCIMSource
|
||||||
|
fields = SourceSerializer.Meta.fields + ["token", "root_url", "token_obj"]
|
||||||
|
|
||||||
|
|
||||||
|
class SCIMSourceViewSet(UsedByMixin, ModelViewSet):
|
||||||
|
"""SCIMSource Viewset"""
|
||||||
|
|
||||||
|
queryset = SCIMSource.objects.all()
|
||||||
|
serializer_class = SCIMSourceSerializer
|
||||||
|
lookup_field = "slug"
|
||||||
|
filterset_fields = ["name", "slug"]
|
||||||
|
search_fields = ["name", "slug", "token__identifier", "token__user__username"]
|
||||||
|
ordering = ["name"]
|
11
authentik/sources/scim/apps.py
Normal file
11
authentik/sources/scim/apps.py
Normal file
|
@ -0,0 +1,11 @@
|
||||||
|
"""Authentik SCIM app config"""
|
||||||
|
|
||||||
|
from django.apps import AppConfig
|
||||||
|
|
||||||
|
|
||||||
|
class AuthentikSourceSCIMConfig(AppConfig):
|
||||||
|
"""authentik SCIM Source app config"""
|
||||||
|
|
||||||
|
name = "authentik.sources.scim"
|
||||||
|
label = "authentik_sources_scim"
|
||||||
|
verbose_name = "authentik Sources.SCIM"
|
8
authentik/sources/scim/errors.py
Normal file
8
authentik/sources/scim/errors.py
Normal file
|
@ -0,0 +1,8 @@
|
||||||
|
"""SCIM Errors"""
|
||||||
|
|
||||||
|
from authentik.lib.sentry import SentryIgnoredException
|
||||||
|
|
||||||
|
|
||||||
|
class PatchError(SentryIgnoredException):
|
||||||
|
"""Error raised within an atomic block when an error happened
|
||||||
|
so nothing is saved"""
|
61
authentik/sources/scim/filters/ScimFilter.g4
Normal file
61
authentik/sources/scim/filters/ScimFilter.g4
Normal file
|
@ -0,0 +1,61 @@
|
||||||
|
grammar ScimFilter;
|
||||||
|
|
||||||
|
parse
|
||||||
|
: filter
|
||||||
|
;
|
||||||
|
|
||||||
|
filter
|
||||||
|
: attrPath SP PR #presentExp
|
||||||
|
| attrPath SP COMPAREOPERATOR SP VALUE #operatorExp
|
||||||
|
| NOT? SP* '(' filter ')' #braceExp
|
||||||
|
| attrPath '[' valPathFilter ']' #valPathExp
|
||||||
|
| filter SP AND SP filter #andExp
|
||||||
|
| filter SP OR SP filter #orExp
|
||||||
|
;
|
||||||
|
|
||||||
|
valPathFilter
|
||||||
|
: attrPath SP PR #valPathPresentExp
|
||||||
|
| attrPath SP COMPAREOPERATOR SP VALUE #valPathOperatorExp
|
||||||
|
| NOT? SP* '(' valPathFilter ')' #valPathBraceExp
|
||||||
|
| valPathFilter SP AND SP valPathFilter #valPathAndExp
|
||||||
|
| valPathFilter SP OR SP valPathFilter #valPathOrExp
|
||||||
|
;
|
||||||
|
|
||||||
|
attrPath
|
||||||
|
: (SCHEMA)? ATTRNAME ('.' ATTRNAME)?
|
||||||
|
;
|
||||||
|
|
||||||
|
COMPAREOPERATOR : EQ | NE | CO | SW | EW | GT | GE | LT | LE;
|
||||||
|
|
||||||
|
EQ : [eE][qQ];
|
||||||
|
NE : [nN][eE];
|
||||||
|
CO : [cC][oO];
|
||||||
|
SW : [sS][wW];
|
||||||
|
EW : [eE][wW];
|
||||||
|
PR : [pP][rR];
|
||||||
|
GT : [gG][tT];
|
||||||
|
GE : [gG][eE];
|
||||||
|
LT : [lL][tT];
|
||||||
|
LE : [lL][eE];
|
||||||
|
|
||||||
|
NOT : [nN][oO][tT];
|
||||||
|
AND : [aA][nN][dD];
|
||||||
|
OR : [oO][rR];
|
||||||
|
|
||||||
|
SP : ' ';
|
||||||
|
|
||||||
|
SCHEMA : 'urn:' (SEGMENT ':')+;
|
||||||
|
|
||||||
|
ATTRNAME : ALPHA (ALPHA | DIGIT | '_' | '-')+;
|
||||||
|
|
||||||
|
fragment SEGMENT : (ALPHA | DIGIT | '_' | '-' | '.')+;
|
||||||
|
|
||||||
|
fragment DIGIT : [0-9];
|
||||||
|
|
||||||
|
fragment ALPHA : [a-z] | [A-Z];
|
||||||
|
|
||||||
|
ESCAPED_QUOTE : '\\"';
|
||||||
|
|
||||||
|
VALUE : '"'(ESCAPED_QUOTE | ~'"')*'"' | 'true' | 'false' | 'null' | DIGIT+('.'DIGIT+)?;
|
||||||
|
|
||||||
|
EXCLUDE : [\b | \t | \r | \n]+ -> skip;
|
65
authentik/sources/scim/filters/ScimFilter.interp
Normal file
65
authentik/sources/scim/filters/ScimFilter.interp
Normal file
|
@ -0,0 +1,65 @@
|
||||||
|
token literal names:
|
||||||
|
null
|
||||||
|
'('
|
||||||
|
')'
|
||||||
|
'['
|
||||||
|
']'
|
||||||
|
'.'
|
||||||
|
null
|
||||||
|
null
|
||||||
|
null
|
||||||
|
null
|
||||||
|
null
|
||||||
|
null
|
||||||
|
null
|
||||||
|
null
|
||||||
|
null
|
||||||
|
null
|
||||||
|
null
|
||||||
|
null
|
||||||
|
null
|
||||||
|
null
|
||||||
|
' '
|
||||||
|
null
|
||||||
|
null
|
||||||
|
'\\"'
|
||||||
|
null
|
||||||
|
null
|
||||||
|
|
||||||
|
token symbolic names:
|
||||||
|
null
|
||||||
|
null
|
||||||
|
null
|
||||||
|
null
|
||||||
|
null
|
||||||
|
null
|
||||||
|
COMPAREOPERATOR
|
||||||
|
EQ
|
||||||
|
NE
|
||||||
|
CO
|
||||||
|
SW
|
||||||
|
EW
|
||||||
|
PR
|
||||||
|
GT
|
||||||
|
GE
|
||||||
|
LT
|
||||||
|
LE
|
||||||
|
NOT
|
||||||
|
AND
|
||||||
|
OR
|
||||||
|
SP
|
||||||
|
SCHEMA
|
||||||
|
ATTRNAME
|
||||||
|
ESCAPED_QUOTE
|
||||||
|
VALUE
|
||||||
|
EXCLUDE
|
||||||
|
|
||||||
|
rule names:
|
||||||
|
parse
|
||||||
|
filter
|
||||||
|
valPathFilter
|
||||||
|
attrPath
|
||||||
|
|
||||||
|
|
||||||
|
atn:
|
||||||
|
[4, 1, 25, 106, 2, 0, 7, 0, 2, 1, 7, 1, 2, 2, 7, 2, 2, 3, 7, 3, 1, 0, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 3, 1, 23, 8, 1, 1, 1, 5, 1, 26, 8, 1, 10, 1, 12, 1, 29, 9, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 3, 1, 40, 8, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 5, 1, 52, 8, 1, 10, 1, 12, 1, 55, 9, 1, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 3, 2, 69, 8, 2, 1, 2, 5, 2, 72, 8, 2, 10, 2, 12, 2, 75, 9, 2, 1, 2, 1, 2, 1, 2, 1, 2, 3, 2, 81, 8, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 5, 2, 93, 8, 2, 10, 2, 12, 2, 96, 9, 2, 1, 3, 3, 3, 99, 8, 3, 1, 3, 1, 3, 1, 3, 3, 3, 104, 8, 3, 1, 3, 0, 2, 2, 4, 4, 0, 2, 4, 6, 0, 0, 116, 0, 8, 1, 0, 0, 0, 2, 39, 1, 0, 0, 0, 4, 80, 1, 0, 0, 0, 6, 98, 1, 0, 0, 0, 8, 9, 3, 2, 1, 0, 9, 1, 1, 0, 0, 0, 10, 11, 6, 1, -1, 0, 11, 12, 3, 6, 3, 0, 12, 13, 5, 20, 0, 0, 13, 14, 5, 12, 0, 0, 14, 40, 1, 0, 0, 0, 15, 16, 3, 6, 3, 0, 16, 17, 5, 20, 0, 0, 17, 18, 5, 6, 0, 0, 18, 19, 5, 20, 0, 0, 19, 20, 5, 24, 0, 0, 20, 40, 1, 0, 0, 0, 21, 23, 5, 17, 0, 0, 22, 21, 1, 0, 0, 0, 22, 23, 1, 0, 0, 0, 23, 27, 1, 0, 0, 0, 24, 26, 5, 20, 0, 0, 25, 24, 1, 0, 0, 0, 26, 29, 1, 0, 0, 0, 27, 25, 1, 0, 0, 0, 27, 28, 1, 0, 0, 0, 28, 30, 1, 0, 0, 0, 29, 27, 1, 0, 0, 0, 30, 31, 5, 1, 0, 0, 31, 32, 3, 2, 1, 0, 32, 33, 5, 2, 0, 0, 33, 40, 1, 0, 0, 0, 34, 35, 3, 6, 3, 0, 35, 36, 5, 3, 0, 0, 36, 37, 3, 4, 2, 0, 37, 38, 5, 4, 0, 0, 38, 40, 1, 0, 0, 0, 39, 10, 1, 0, 0, 0, 39, 15, 1, 0, 0, 0, 39, 22, 1, 0, 0, 0, 39, 34, 1, 0, 0, 0, 40, 53, 1, 0, 0, 0, 41, 42, 10, 2, 0, 0, 42, 43, 5, 20, 0, 0, 43, 44, 5, 18, 0, 0, 44, 45, 5, 20, 0, 0, 45, 52, 3, 2, 1, 3, 46, 47, 10, 1, 0, 0, 47, 48, 5, 20, 0, 0, 48, 49, 5, 19, 0, 0, 49, 50, 5, 20, 0, 0, 50, 52, 3, 2, 1, 2, 51, 41, 1, 0, 0, 0, 51, 46, 1, 0, 0, 0, 52, 55, 1, 0, 0, 0, 53, 51, 1, 0, 0, 0, 53, 54, 1, 0, 0, 0, 54, 3, 1, 0, 0, 0, 55, 53, 1, 0, 0, 0, 56, 57, 6, 2, -1, 0, 57, 58, 3, 6, 3, 0, 58, 59, 5, 20, 0, 0, 59, 60, 5, 12, 0, 0, 60, 81, 1, 0, 0, 0, 61, 62, 3, 6, 3, 0, 62, 63, 5, 20, 0, 0, 63, 64, 5, 6, 0, 0, 64, 65, 5, 20, 0, 0, 65, 66, 5, 24, 0, 0, 66, 81, 1, 0, 0, 0, 67, 69, 5, 17, 0, 0, 68, 67, 1, 0, 0, 0, 68, 69, 1, 0, 0, 0, 69, 73, 1, 0, 0, 0, 70, 72, 5, 20, 0, 0, 71, 70, 1, 0, 0, 0, 72, 75, 1, 0, 0, 0, 73, 71, 1, 0, 0, 0, 73, 74, 1, 0, 0, 0, 74, 76, 1, 0, 0, 0, 75, 73, 1, 0, 0, 0, 76, 77, 5, 1, 0, 0, 77, 78, 3, 4, 2, 0, 78, 79, 5, 2, 0, 0, 79, 81, 1, 0, 0, 0, 80, 56, 1, 0, 0, 0, 80, 61, 1, 0, 0, 0, 80, 68, 1, 0, 0, 0, 81, 94, 1, 0, 0, 0, 82, 83, 10, 2, 0, 0, 83, 84, 5, 20, 0, 0, 84, 85, 5, 18, 0, 0, 85, 86, 5, 20, 0, 0, 86, 93, 3, 4, 2, 3, 87, 88, 10, 1, 0, 0, 88, 89, 5, 20, 0, 0, 89, 90, 5, 19, 0, 0, 90, 91, 5, 20, 0, 0, 91, 93, 3, 4, 2, 2, 92, 82, 1, 0, 0, 0, 92, 87, 1, 0, 0, 0, 93, 96, 1, 0, 0, 0, 94, 92, 1, 0, 0, 0, 94, 95, 1, 0, 0, 0, 95, 5, 1, 0, 0, 0, 96, 94, 1, 0, 0, 0, 97, 99, 5, 21, 0, 0, 98, 97, 1, 0, 0, 0, 98, 99, 1, 0, 0, 0, 99, 100, 1, 0, 0, 0, 100, 103, 5, 22, 0, 0, 101, 102, 5, 5, 0, 0, 102, 104, 5, 22, 0, 0, 103, 101, 1, 0, 0, 0, 103, 104, 1, 0, 0, 0, 104, 7, 1, 0, 0, 0, 12, 22, 27, 39, 51, 53, 68, 73, 80, 92, 94, 98, 103]
|
32
authentik/sources/scim/filters/ScimFilter.tokens
Normal file
32
authentik/sources/scim/filters/ScimFilter.tokens
Normal file
|
@ -0,0 +1,32 @@
|
||||||
|
T__0=1
|
||||||
|
T__1=2
|
||||||
|
T__2=3
|
||||||
|
T__3=4
|
||||||
|
T__4=5
|
||||||
|
COMPAREOPERATOR=6
|
||||||
|
EQ=7
|
||||||
|
NE=8
|
||||||
|
CO=9
|
||||||
|
SW=10
|
||||||
|
EW=11
|
||||||
|
PR=12
|
||||||
|
GT=13
|
||||||
|
GE=14
|
||||||
|
LT=15
|
||||||
|
LE=16
|
||||||
|
NOT=17
|
||||||
|
AND=18
|
||||||
|
OR=19
|
||||||
|
SP=20
|
||||||
|
SCHEMA=21
|
||||||
|
ATTRNAME=22
|
||||||
|
ESCAPED_QUOTE=23
|
||||||
|
VALUE=24
|
||||||
|
EXCLUDE=25
|
||||||
|
'('=1
|
||||||
|
')'=2
|
||||||
|
'['=3
|
||||||
|
']'=4
|
||||||
|
'.'=5
|
||||||
|
' '=20
|
||||||
|
'\\"'=23
|
95
authentik/sources/scim/filters/ScimFilterLexer.interp
Normal file
95
authentik/sources/scim/filters/ScimFilterLexer.interp
Normal file
File diff suppressed because one or more lines are too long
2072
authentik/sources/scim/filters/ScimFilterLexer.py
Normal file
2072
authentik/sources/scim/filters/ScimFilterLexer.py
Normal file
File diff suppressed because it is too large
Load diff
32
authentik/sources/scim/filters/ScimFilterLexer.tokens
Normal file
32
authentik/sources/scim/filters/ScimFilterLexer.tokens
Normal file
|
@ -0,0 +1,32 @@
|
||||||
|
T__0=1
|
||||||
|
T__1=2
|
||||||
|
T__2=3
|
||||||
|
T__3=4
|
||||||
|
T__4=5
|
||||||
|
COMPAREOPERATOR=6
|
||||||
|
EQ=7
|
||||||
|
NE=8
|
||||||
|
CO=9
|
||||||
|
SW=10
|
||||||
|
EW=11
|
||||||
|
PR=12
|
||||||
|
GT=13
|
||||||
|
GE=14
|
||||||
|
LT=15
|
||||||
|
LE=16
|
||||||
|
NOT=17
|
||||||
|
AND=18
|
||||||
|
OR=19
|
||||||
|
SP=20
|
||||||
|
SCHEMA=21
|
||||||
|
ATTRNAME=22
|
||||||
|
ESCAPED_QUOTE=23
|
||||||
|
VALUE=24
|
||||||
|
EXCLUDE=25
|
||||||
|
'('=1
|
||||||
|
')'=2
|
||||||
|
'['=3
|
||||||
|
']'=4
|
||||||
|
'.'=5
|
||||||
|
' '=20
|
||||||
|
'\\"'=23
|
118
authentik/sources/scim/filters/ScimFilterListener.py
Normal file
118
authentik/sources/scim/filters/ScimFilterListener.py
Normal file
|
@ -0,0 +1,118 @@
|
||||||
|
# pylint: skip-file
|
||||||
|
# Generated from ScimFilter.g4 by ANTLR 4.10.1
|
||||||
|
from antlr4 import *
|
||||||
|
|
||||||
|
if __name__ is not None and "." in __name__:
|
||||||
|
from .ScimFilterParser import ScimFilterParser
|
||||||
|
else:
|
||||||
|
from ScimFilterParser import ScimFilterParser
|
||||||
|
|
||||||
|
# This class defines a complete listener for a parse tree produced by ScimFilterParser.
|
||||||
|
class ScimFilterListener(ParseTreeListener):
|
||||||
|
|
||||||
|
# Enter a parse tree produced by ScimFilterParser#parse.
|
||||||
|
def enterParse(self, ctx: ScimFilterParser.ParseContext):
|
||||||
|
pass
|
||||||
|
|
||||||
|
# Exit a parse tree produced by ScimFilterParser#parse.
|
||||||
|
def exitParse(self, ctx: ScimFilterParser.ParseContext):
|
||||||
|
pass
|
||||||
|
|
||||||
|
# Enter a parse tree produced by ScimFilterParser#andExp.
|
||||||
|
def enterAndExp(self, ctx: ScimFilterParser.AndExpContext):
|
||||||
|
pass
|
||||||
|
|
||||||
|
# Exit a parse tree produced by ScimFilterParser#andExp.
|
||||||
|
def exitAndExp(self, ctx: ScimFilterParser.AndExpContext):
|
||||||
|
pass
|
||||||
|
|
||||||
|
# Enter a parse tree produced by ScimFilterParser#valPathExp.
|
||||||
|
def enterValPathExp(self, ctx: ScimFilterParser.ValPathExpContext):
|
||||||
|
pass
|
||||||
|
|
||||||
|
# Exit a parse tree produced by ScimFilterParser#valPathExp.
|
||||||
|
def exitValPathExp(self, ctx: ScimFilterParser.ValPathExpContext):
|
||||||
|
pass
|
||||||
|
|
||||||
|
# Enter a parse tree produced by ScimFilterParser#presentExp.
|
||||||
|
def enterPresentExp(self, ctx: ScimFilterParser.PresentExpContext):
|
||||||
|
pass
|
||||||
|
|
||||||
|
# Exit a parse tree produced by ScimFilterParser#presentExp.
|
||||||
|
def exitPresentExp(self, ctx: ScimFilterParser.PresentExpContext):
|
||||||
|
pass
|
||||||
|
|
||||||
|
# Enter a parse tree produced by ScimFilterParser#operatorExp.
|
||||||
|
def enterOperatorExp(self, ctx: ScimFilterParser.OperatorExpContext):
|
||||||
|
pass
|
||||||
|
|
||||||
|
# Exit a parse tree produced by ScimFilterParser#operatorExp.
|
||||||
|
def exitOperatorExp(self, ctx: ScimFilterParser.OperatorExpContext):
|
||||||
|
pass
|
||||||
|
|
||||||
|
# Enter a parse tree produced by ScimFilterParser#braceExp.
|
||||||
|
def enterBraceExp(self, ctx: ScimFilterParser.BraceExpContext):
|
||||||
|
pass
|
||||||
|
|
||||||
|
# Exit a parse tree produced by ScimFilterParser#braceExp.
|
||||||
|
def exitBraceExp(self, ctx: ScimFilterParser.BraceExpContext):
|
||||||
|
pass
|
||||||
|
|
||||||
|
# Enter a parse tree produced by ScimFilterParser#orExp.
|
||||||
|
def enterOrExp(self, ctx: ScimFilterParser.OrExpContext):
|
||||||
|
pass
|
||||||
|
|
||||||
|
# Exit a parse tree produced by ScimFilterParser#orExp.
|
||||||
|
def exitOrExp(self, ctx: ScimFilterParser.OrExpContext):
|
||||||
|
pass
|
||||||
|
|
||||||
|
# Enter a parse tree produced by ScimFilterParser#valPathOperatorExp.
|
||||||
|
def enterValPathOperatorExp(self, ctx: ScimFilterParser.ValPathOperatorExpContext):
|
||||||
|
pass
|
||||||
|
|
||||||
|
# Exit a parse tree produced by ScimFilterParser#valPathOperatorExp.
|
||||||
|
def exitValPathOperatorExp(self, ctx: ScimFilterParser.ValPathOperatorExpContext):
|
||||||
|
pass
|
||||||
|
|
||||||
|
# Enter a parse tree produced by ScimFilterParser#valPathPresentExp.
|
||||||
|
def enterValPathPresentExp(self, ctx: ScimFilterParser.ValPathPresentExpContext):
|
||||||
|
pass
|
||||||
|
|
||||||
|
# Exit a parse tree produced by ScimFilterParser#valPathPresentExp.
|
||||||
|
def exitValPathPresentExp(self, ctx: ScimFilterParser.ValPathPresentExpContext):
|
||||||
|
pass
|
||||||
|
|
||||||
|
# Enter a parse tree produced by ScimFilterParser#valPathAndExp.
|
||||||
|
def enterValPathAndExp(self, ctx: ScimFilterParser.ValPathAndExpContext):
|
||||||
|
pass
|
||||||
|
|
||||||
|
# Exit a parse tree produced by ScimFilterParser#valPathAndExp.
|
||||||
|
def exitValPathAndExp(self, ctx: ScimFilterParser.ValPathAndExpContext):
|
||||||
|
pass
|
||||||
|
|
||||||
|
# Enter a parse tree produced by ScimFilterParser#valPathOrExp.
|
||||||
|
def enterValPathOrExp(self, ctx: ScimFilterParser.ValPathOrExpContext):
|
||||||
|
pass
|
||||||
|
|
||||||
|
# Exit a parse tree produced by ScimFilterParser#valPathOrExp.
|
||||||
|
def exitValPathOrExp(self, ctx: ScimFilterParser.ValPathOrExpContext):
|
||||||
|
pass
|
||||||
|
|
||||||
|
# Enter a parse tree produced by ScimFilterParser#valPathBraceExp.
|
||||||
|
def enterValPathBraceExp(self, ctx: ScimFilterParser.ValPathBraceExpContext):
|
||||||
|
pass
|
||||||
|
|
||||||
|
# Exit a parse tree produced by ScimFilterParser#valPathBraceExp.
|
||||||
|
def exitValPathBraceExp(self, ctx: ScimFilterParser.ValPathBraceExpContext):
|
||||||
|
pass
|
||||||
|
|
||||||
|
# Enter a parse tree produced by ScimFilterParser#attrPath.
|
||||||
|
def enterAttrPath(self, ctx: ScimFilterParser.AttrPathContext):
|
||||||
|
pass
|
||||||
|
|
||||||
|
# Exit a parse tree produced by ScimFilterParser#attrPath.
|
||||||
|
def exitAttrPath(self, ctx: ScimFilterParser.AttrPathContext):
|
||||||
|
pass
|
||||||
|
|
||||||
|
|
||||||
|
del ScimFilterParser
|
1814
authentik/sources/scim/filters/ScimFilterParser.py
Normal file
1814
authentik/sources/scim/filters/ScimFilterParser.py
Normal file
File diff suppressed because it is too large
Load diff
0
authentik/sources/scim/filters/__init__.py
Normal file
0
authentik/sources/scim/filters/__init__.py
Normal file
101
authentik/sources/scim/filters/django.py
Normal file
101
authentik/sources/scim/filters/django.py
Normal file
|
@ -0,0 +1,101 @@
|
||||||
|
"""Django listener"""
|
||||||
|
from django.db.models import Q
|
||||||
|
from django.utils.tree import Node
|
||||||
|
|
||||||
|
from authentik.sources.scim.filters.ScimFilterListener import ScimFilterListener
|
||||||
|
from authentik.sources.scim.filters.ScimFilterParser import ScimFilterParser
|
||||||
|
|
||||||
|
|
||||||
|
class DjangoQueryListener(ScimFilterListener):
|
||||||
|
"""SCIM filter listener that converts it to a query"""
|
||||||
|
|
||||||
|
_query: Node
|
||||||
|
_last_node: Node
|
||||||
|
|
||||||
|
def __init__(self) -> None:
|
||||||
|
super().__init__()
|
||||||
|
self._query = Q()
|
||||||
|
self._last_node = Q()
|
||||||
|
|
||||||
|
@property
|
||||||
|
def query(self) -> Node:
|
||||||
|
return self._query
|
||||||
|
|
||||||
|
def enterParse(self, ctx: ScimFilterParser.ParseContext):
|
||||||
|
print("enterParse", ctx)
|
||||||
|
|
||||||
|
def exitParse(self, ctx: ScimFilterParser.ParseContext):
|
||||||
|
print("exitParse", ctx)
|
||||||
|
|
||||||
|
def enterAndExp(self, ctx: ScimFilterParser.AndExpContext):
|
||||||
|
print("enterAndExp", ctx)
|
||||||
|
|
||||||
|
def exitAndExp(self, ctx: ScimFilterParser.AndExpContext):
|
||||||
|
print("exitAndExp", ctx)
|
||||||
|
|
||||||
|
def enterValPathExp(self, ctx: ScimFilterParser.ValPathExpContext):
|
||||||
|
print("enterValPathExp", ctx.getText())
|
||||||
|
|
||||||
|
def exitValPathExp(self, ctx: ScimFilterParser.ValPathExpContext):
|
||||||
|
print("exitValPathExp", ctx)
|
||||||
|
|
||||||
|
def enterPresentExp(self, ctx: ScimFilterParser.PresentExpContext):
|
||||||
|
print("enterPresentExp", ctx)
|
||||||
|
|
||||||
|
def exitPresentExp(self, ctx: ScimFilterParser.PresentExpContext):
|
||||||
|
print("exitPresentExp", ctx)
|
||||||
|
|
||||||
|
def enterOperatorExp(self, ctx: ScimFilterParser.OperatorExpContext):
|
||||||
|
print("enterOperatorExp", ctx)
|
||||||
|
|
||||||
|
def exitOperatorExp(self, ctx: ScimFilterParser.OperatorExpContext):
|
||||||
|
print("exitOperatorExp", ctx)
|
||||||
|
|
||||||
|
def enterBraceExp(self, ctx: ScimFilterParser.BraceExpContext):
|
||||||
|
print("enterBraceExp", ctx)
|
||||||
|
|
||||||
|
def exitBraceExp(self, ctx: ScimFilterParser.BraceExpContext):
|
||||||
|
print("exitBraceExp", ctx)
|
||||||
|
|
||||||
|
def enterOrExp(self, ctx: ScimFilterParser.OrExpContext):
|
||||||
|
print("enterOrExp", ctx)
|
||||||
|
|
||||||
|
def exitOrExp(self, ctx: ScimFilterParser.OrExpContext):
|
||||||
|
print("exitOrExp", ctx)
|
||||||
|
|
||||||
|
def enterValPathOperatorExp(self, ctx: ScimFilterParser.ValPathOperatorExpContext):
|
||||||
|
print("enterValPathOperatorExp", ctx)
|
||||||
|
|
||||||
|
def exitValPathOperatorExp(self, ctx: ScimFilterParser.ValPathOperatorExpContext):
|
||||||
|
print("exitValPathOperatorExp", ctx)
|
||||||
|
|
||||||
|
def enterValPathPresentExp(self, ctx: ScimFilterParser.ValPathPresentExpContext):
|
||||||
|
print("enterValPathPresentExp", ctx)
|
||||||
|
|
||||||
|
def exitValPathPresentExp(self, ctx: ScimFilterParser.ValPathPresentExpContext):
|
||||||
|
print("exitValPathPresentExp", ctx)
|
||||||
|
|
||||||
|
def enterValPathAndExp(self, ctx: ScimFilterParser.ValPathAndExpContext):
|
||||||
|
print("enterValPathAndExp", ctx.getText())
|
||||||
|
|
||||||
|
def exitValPathAndExp(self, ctx: ScimFilterParser.ValPathAndExpContext):
|
||||||
|
print("exitValPathAndExp", ctx)
|
||||||
|
|
||||||
|
def enterValPathOrExp(self, ctx: ScimFilterParser.ValPathOrExpContext):
|
||||||
|
print("enterValPathOrExp", ctx)
|
||||||
|
|
||||||
|
def exitValPathOrExp(self, ctx: ScimFilterParser.ValPathOrExpContext):
|
||||||
|
print("exitValPathOrExp", ctx)
|
||||||
|
|
||||||
|
def enterValPathBraceExp(self, ctx: ScimFilterParser.ValPathBraceExpContext):
|
||||||
|
print("enterValPathBraceExp", ctx)
|
||||||
|
|
||||||
|
def exitValPathBraceExp(self, ctx: ScimFilterParser.ValPathBraceExpContext):
|
||||||
|
print("exitValPathBraceExp", ctx)
|
||||||
|
|
||||||
|
def enterAttrPath(self, ctx: ScimFilterParser.AttrPathContext):
|
||||||
|
self._last_node = Q(ctx.getText())
|
||||||
|
|
||||||
|
def exitAttrPath(self, ctx: ScimFilterParser.AttrPathContext):
|
||||||
|
self._query = self._last_node
|
||||||
|
self._last_node = Q()
|
46
authentik/sources/scim/migrations/0001_initial.py
Normal file
46
authentik/sources/scim/migrations/0001_initial.py
Normal file
|
@ -0,0 +1,46 @@
|
||||||
|
# Generated by Django 4.0.5 on 2022-06-06 21:37
|
||||||
|
|
||||||
|
import django.db.models.deletion
|
||||||
|
from django.db import migrations, models
|
||||||
|
|
||||||
|
|
||||||
|
class Migration(migrations.Migration):
|
||||||
|
|
||||||
|
initial = True
|
||||||
|
|
||||||
|
dependencies = [
|
||||||
|
("authentik_core", "0020_application_open_in_new_tab"),
|
||||||
|
]
|
||||||
|
|
||||||
|
operations = [
|
||||||
|
migrations.CreateModel(
|
||||||
|
name="SCIMSource",
|
||||||
|
fields=[
|
||||||
|
(
|
||||||
|
"source_ptr",
|
||||||
|
models.OneToOneField(
|
||||||
|
auto_created=True,
|
||||||
|
on_delete=django.db.models.deletion.CASCADE,
|
||||||
|
parent_link=True,
|
||||||
|
primary_key=True,
|
||||||
|
serialize=False,
|
||||||
|
to="authentik_core.source",
|
||||||
|
),
|
||||||
|
),
|
||||||
|
(
|
||||||
|
"token",
|
||||||
|
models.ForeignKey(
|
||||||
|
default=None,
|
||||||
|
null=True,
|
||||||
|
on_delete=django.db.models.deletion.CASCADE,
|
||||||
|
to="authentik_core.token",
|
||||||
|
),
|
||||||
|
),
|
||||||
|
],
|
||||||
|
options={
|
||||||
|
"verbose_name": "SCIM Source",
|
||||||
|
"verbose_name_plural": "SCIM Sources",
|
||||||
|
},
|
||||||
|
bases=("authentik_core.source",),
|
||||||
|
),
|
||||||
|
]
|
0
authentik/sources/scim/migrations/__init__.py
Normal file
0
authentik/sources/scim/migrations/__init__.py
Normal file
36
authentik/sources/scim/models.py
Normal file
36
authentik/sources/scim/models.py
Normal file
|
@ -0,0 +1,36 @@
|
||||||
|
"""SCIM Source"""
|
||||||
|
from django.db import models
|
||||||
|
from django.utils.translation import gettext_lazy as _
|
||||||
|
from rest_framework.serializers import BaseSerializer
|
||||||
|
|
||||||
|
from authentik.core.models import Source, Token
|
||||||
|
|
||||||
|
USER_ATTRIBUTE_SCIM_ID = "goauthentik.io/sources/scim/id"
|
||||||
|
USER_ATTRIBUTE_SCIM_ADDRESS = "goauthentik.io/sources/scim/address"
|
||||||
|
USER_ATTRIBUTE_SCIM_ENTERPRISE = "goauthentik.io/sources/scim/enterprise"
|
||||||
|
|
||||||
|
|
||||||
|
class SCIMSource(Source):
|
||||||
|
"""System for Cross-domain Identity Management Source, allows for
|
||||||
|
cross-system user provisioning"""
|
||||||
|
|
||||||
|
token = models.ForeignKey(Token, on_delete=models.CASCADE, null=True, default=None)
|
||||||
|
|
||||||
|
@property
|
||||||
|
def component(self) -> str:
|
||||||
|
"""Return component used to edit this object"""
|
||||||
|
return "ak-source-scim-form"
|
||||||
|
|
||||||
|
@property
|
||||||
|
def serializer(self) -> BaseSerializer:
|
||||||
|
from authentik.sources.scim.api import SCIMSourceSerializer
|
||||||
|
|
||||||
|
return SCIMSourceSerializer
|
||||||
|
|
||||||
|
def __str__(self) -> str:
|
||||||
|
return f"SCIM Source {self.name}"
|
||||||
|
|
||||||
|
class Meta:
|
||||||
|
|
||||||
|
verbose_name = _("SCIM Source")
|
||||||
|
verbose_name_plural = _("SCIM Sources")
|
1796
authentik/sources/scim/schemas/schema.json
Normal file
1796
authentik/sources/scim/schemas/schema.json
Normal file
File diff suppressed because it is too large
Load diff
0
authentik/sources/scim/tests/__init__.py
Normal file
0
authentik/sources/scim/tests/__init__.py
Normal file
86
authentik/sources/scim/tests/test_auth.py
Normal file
86
authentik/sources/scim/tests/test_auth.py
Normal file
|
@ -0,0 +1,86 @@
|
||||||
|
"""Test SCIM Auth"""
|
||||||
|
from django.urls import reverse
|
||||||
|
from rest_framework.test import APITestCase
|
||||||
|
|
||||||
|
from authentik.core.models import Token, TokenIntents
|
||||||
|
from authentik.core.tests.utils import create_test_admin_user
|
||||||
|
from authentik.lib.generators import generate_id
|
||||||
|
from authentik.sources.scim.models import SCIMSource
|
||||||
|
|
||||||
|
|
||||||
|
class TestSCIMAuth(APITestCase):
|
||||||
|
"""Test SCIM Auth view"""
|
||||||
|
|
||||||
|
def setUp(self) -> None:
|
||||||
|
self.user = create_test_admin_user()
|
||||||
|
self.token = Token.objects.create(
|
||||||
|
user=self.user,
|
||||||
|
identifier=generate_id(),
|
||||||
|
intent=TokenIntents.INTENT_API,
|
||||||
|
)
|
||||||
|
self.token2 = Token.objects.create(
|
||||||
|
user=self.user,
|
||||||
|
identifier=generate_id(),
|
||||||
|
intent=TokenIntents.INTENT_API,
|
||||||
|
)
|
||||||
|
self.token3 = Token.objects.create(
|
||||||
|
user=self.user,
|
||||||
|
identifier=generate_id(),
|
||||||
|
intent=TokenIntents.INTENT_API,
|
||||||
|
)
|
||||||
|
self.source = SCIMSource.objects.create(
|
||||||
|
name=generate_id(), slug=generate_id(), token=self.token
|
||||||
|
)
|
||||||
|
self.source2 = SCIMSource.objects.create(
|
||||||
|
name=generate_id(), slug=generate_id(), token=self.token2
|
||||||
|
)
|
||||||
|
|
||||||
|
def test_auth_ok(self):
|
||||||
|
"""Test successful auth"""
|
||||||
|
response = self.client.get(
|
||||||
|
reverse(
|
||||||
|
"authentik_sources_scim:v2-schema",
|
||||||
|
kwargs={
|
||||||
|
"source_slug": self.source.slug,
|
||||||
|
},
|
||||||
|
),
|
||||||
|
HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
|
||||||
|
)
|
||||||
|
self.assertEqual(response.status_code, 200)
|
||||||
|
|
||||||
|
def test_auth_missing(self):
|
||||||
|
"""Test without header"""
|
||||||
|
response = self.client.get(
|
||||||
|
reverse(
|
||||||
|
"authentik_sources_scim:v2-schema",
|
||||||
|
kwargs={
|
||||||
|
"source_slug": self.source.slug,
|
||||||
|
},
|
||||||
|
),
|
||||||
|
)
|
||||||
|
self.assertEqual(response.status_code, 403)
|
||||||
|
|
||||||
|
def test_auth_wrong_token(self):
|
||||||
|
"""Test with wrong token"""
|
||||||
|
# Token for wrong source
|
||||||
|
response = self.client.get(
|
||||||
|
reverse(
|
||||||
|
"authentik_sources_scim:v2-schema",
|
||||||
|
kwargs={
|
||||||
|
"source_slug": self.source.slug,
|
||||||
|
},
|
||||||
|
),
|
||||||
|
HTTP_AUTHORIZATION=f"Bearer {self.token2.key}",
|
||||||
|
)
|
||||||
|
self.assertEqual(response.status_code, 403)
|
||||||
|
# Token for no source
|
||||||
|
response = self.client.get(
|
||||||
|
reverse(
|
||||||
|
"authentik_sources_scim:v2-schema",
|
||||||
|
kwargs={
|
||||||
|
"source_slug": self.source.slug,
|
||||||
|
},
|
||||||
|
),
|
||||||
|
HTTP_AUTHORIZATION=f"Bearer {self.token3.key}",
|
||||||
|
)
|
||||||
|
self.assertEqual(response.status_code, 403)
|
64
authentik/sources/scim/tests/test_resource_types.py
Normal file
64
authentik/sources/scim/tests/test_resource_types.py
Normal file
|
@ -0,0 +1,64 @@
|
||||||
|
"""Test SCIM ResourceTypes"""
|
||||||
|
from django.urls import reverse
|
||||||
|
from rest_framework.test import APITestCase
|
||||||
|
|
||||||
|
from authentik.core.models import Token, TokenIntents
|
||||||
|
from authentik.core.tests.utils import create_test_admin_user
|
||||||
|
from authentik.lib.generators import generate_id
|
||||||
|
from authentik.sources.scim.models import SCIMSource
|
||||||
|
|
||||||
|
|
||||||
|
class TestSCIMResourceTypes(APITestCase):
|
||||||
|
"""Test SCIM ResourceTypes view"""
|
||||||
|
|
||||||
|
def setUp(self) -> None:
|
||||||
|
self.user = create_test_admin_user()
|
||||||
|
self.token = Token.objects.create(
|
||||||
|
user=self.user,
|
||||||
|
identifier=generate_id(),
|
||||||
|
intent=TokenIntents.INTENT_API,
|
||||||
|
)
|
||||||
|
self.source = SCIMSource.objects.create(
|
||||||
|
name=generate_id(), slug=generate_id(), token=self.token
|
||||||
|
)
|
||||||
|
|
||||||
|
def test_resource_type(self):
|
||||||
|
"""Test full resource type view"""
|
||||||
|
response = self.client.get(
|
||||||
|
reverse(
|
||||||
|
"authentik_sources_scim:v2-resource-types",
|
||||||
|
kwargs={
|
||||||
|
"source_slug": self.source.slug,
|
||||||
|
},
|
||||||
|
),
|
||||||
|
HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
|
||||||
|
)
|
||||||
|
self.assertEqual(response.status_code, 200)
|
||||||
|
|
||||||
|
def test_resource_type_single(self):
|
||||||
|
"""Test single resource type"""
|
||||||
|
response = self.client.get(
|
||||||
|
reverse(
|
||||||
|
"authentik_sources_scim:v2-resource-types",
|
||||||
|
kwargs={
|
||||||
|
"source_slug": self.source.slug,
|
||||||
|
"resource_type": "ServiceProviderConfig",
|
||||||
|
},
|
||||||
|
),
|
||||||
|
HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
|
||||||
|
)
|
||||||
|
self.assertEqual(response.status_code, 200)
|
||||||
|
|
||||||
|
def test_resource_type_single_404(self):
|
||||||
|
"""Test single resource type (404"""
|
||||||
|
response = self.client.get(
|
||||||
|
reverse(
|
||||||
|
"authentik_sources_scim:v2-resource-types",
|
||||||
|
kwargs={
|
||||||
|
"source_slug": self.source.slug,
|
||||||
|
"resource_type": "foo",
|
||||||
|
},
|
||||||
|
),
|
||||||
|
HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
|
||||||
|
)
|
||||||
|
self.assertEqual(response.status_code, 404)
|
64
authentik/sources/scim/tests/test_schemas.py
Normal file
64
authentik/sources/scim/tests/test_schemas.py
Normal file
|
@ -0,0 +1,64 @@
|
||||||
|
"""Test SCIM Schema"""
|
||||||
|
from django.urls import reverse
|
||||||
|
from rest_framework.test import APITestCase
|
||||||
|
|
||||||
|
from authentik.core.models import Token, TokenIntents
|
||||||
|
from authentik.core.tests.utils import create_test_admin_user
|
||||||
|
from authentik.lib.generators import generate_id
|
||||||
|
from authentik.sources.scim.models import SCIMSource
|
||||||
|
|
||||||
|
|
||||||
|
class TestSCIMSchemas(APITestCase):
|
||||||
|
"""Test SCIM Schema view"""
|
||||||
|
|
||||||
|
def setUp(self) -> None:
|
||||||
|
self.user = create_test_admin_user()
|
||||||
|
self.token = Token.objects.create(
|
||||||
|
user=self.user,
|
||||||
|
identifier=generate_id(),
|
||||||
|
intent=TokenIntents.INTENT_API,
|
||||||
|
)
|
||||||
|
self.source = SCIMSource.objects.create(
|
||||||
|
name=generate_id(), slug=generate_id(), token=self.token
|
||||||
|
)
|
||||||
|
|
||||||
|
def test_schema(self):
|
||||||
|
"""Test full schema view"""
|
||||||
|
response = self.client.get(
|
||||||
|
reverse(
|
||||||
|
"authentik_sources_scim:v2-schema",
|
||||||
|
kwargs={
|
||||||
|
"source_slug": self.source.slug,
|
||||||
|
},
|
||||||
|
),
|
||||||
|
HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
|
||||||
|
)
|
||||||
|
self.assertEqual(response.status_code, 200)
|
||||||
|
|
||||||
|
def test_schema_single(self):
|
||||||
|
"""Test single schema"""
|
||||||
|
response = self.client.get(
|
||||||
|
reverse(
|
||||||
|
"authentik_sources_scim:v2-schema",
|
||||||
|
kwargs={
|
||||||
|
"source_slug": self.source.slug,
|
||||||
|
"schema_uri": "urn:ietf:params:scim:schemas:core:2.0:Meta",
|
||||||
|
},
|
||||||
|
),
|
||||||
|
HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
|
||||||
|
)
|
||||||
|
self.assertEqual(response.status_code, 200)
|
||||||
|
|
||||||
|
def test_schema_single_404(self):
|
||||||
|
"""Test single schema (404"""
|
||||||
|
response = self.client.get(
|
||||||
|
reverse(
|
||||||
|
"authentik_sources_scim:v2-schema",
|
||||||
|
kwargs={
|
||||||
|
"source_slug": self.source.slug,
|
||||||
|
"schema_uri": "foo",
|
||||||
|
},
|
||||||
|
),
|
||||||
|
HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
|
||||||
|
)
|
||||||
|
self.assertEqual(response.status_code, 404)
|
36
authentik/sources/scim/tests/test_service_provider_config.py
Normal file
36
authentik/sources/scim/tests/test_service_provider_config.py
Normal file
|
@ -0,0 +1,36 @@
|
||||||
|
"""Test SCIM ServiceProviderConfig"""
|
||||||
|
from django.urls import reverse
|
||||||
|
from rest_framework.test import APITestCase
|
||||||
|
|
||||||
|
from authentik.core.models import Token, TokenIntents
|
||||||
|
from authentik.core.tests.utils import create_test_admin_user
|
||||||
|
from authentik.lib.generators import generate_id
|
||||||
|
from authentik.sources.scim.models import SCIMSource
|
||||||
|
|
||||||
|
|
||||||
|
class TestSCIMServiceProviderConfig(APITestCase):
|
||||||
|
"""Test SCIM ServiceProviderConfig view"""
|
||||||
|
|
||||||
|
def setUp(self) -> None:
|
||||||
|
self.user = create_test_admin_user()
|
||||||
|
self.token = Token.objects.create(
|
||||||
|
user=self.user,
|
||||||
|
identifier=generate_id(),
|
||||||
|
intent=TokenIntents.INTENT_API,
|
||||||
|
)
|
||||||
|
self.source = SCIMSource.objects.create(
|
||||||
|
name=generate_id(), slug=generate_id(), token=self.token
|
||||||
|
)
|
||||||
|
|
||||||
|
def test_config(self):
|
||||||
|
"""Test full config view"""
|
||||||
|
response = self.client.get(
|
||||||
|
reverse(
|
||||||
|
"authentik_sources_scim:v2-service-provider-config",
|
||||||
|
kwargs={
|
||||||
|
"source_slug": self.source.slug,
|
||||||
|
},
|
||||||
|
),
|
||||||
|
HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
|
||||||
|
)
|
||||||
|
self.assertEqual(response.status_code, 200)
|
83
authentik/sources/scim/tests/test_users.py
Normal file
83
authentik/sources/scim/tests/test_users.py
Normal file
|
@ -0,0 +1,83 @@
|
||||||
|
"""Test SCIM User"""
|
||||||
|
from json import dumps
|
||||||
|
|
||||||
|
from django.urls import reverse
|
||||||
|
from rest_framework.test import APITestCase
|
||||||
|
|
||||||
|
from authentik.core.models import Token, TokenIntents, User
|
||||||
|
from authentik.core.tests.utils import create_test_admin_user
|
||||||
|
from authentik.lib.generators import generate_id
|
||||||
|
from authentik.sources.scim.models import USER_ATTRIBUTE_SCIM_ID, SCIMSource
|
||||||
|
from authentik.sources.scim.views.v2.base import SCIM_CONTENT_TYPE
|
||||||
|
|
||||||
|
|
||||||
|
class TestSCIMUsers(APITestCase):
|
||||||
|
"""Test SCIM User view"""
|
||||||
|
|
||||||
|
def setUp(self) -> None:
|
||||||
|
self.user = create_test_admin_user()
|
||||||
|
self.token = Token.objects.create(
|
||||||
|
user=self.user,
|
||||||
|
identifier=generate_id(),
|
||||||
|
intent=TokenIntents.INTENT_API,
|
||||||
|
)
|
||||||
|
self.source = SCIMSource.objects.create(
|
||||||
|
name=generate_id(), slug=generate_id(), token=self.token
|
||||||
|
)
|
||||||
|
|
||||||
|
def test_user_list(self):
|
||||||
|
"""Test full user list"""
|
||||||
|
response = self.client.get(
|
||||||
|
reverse(
|
||||||
|
"authentik_sources_scim:v2-users",
|
||||||
|
kwargs={
|
||||||
|
"source_slug": self.source.slug,
|
||||||
|
},
|
||||||
|
),
|
||||||
|
HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
|
||||||
|
)
|
||||||
|
self.assertEqual(response.status_code, 200)
|
||||||
|
|
||||||
|
def test_user_list_single(self):
|
||||||
|
"""Test full user list (single user)"""
|
||||||
|
response = self.client.get(
|
||||||
|
reverse(
|
||||||
|
"authentik_sources_scim:v2-users",
|
||||||
|
kwargs={
|
||||||
|
"source_slug": self.source.slug,
|
||||||
|
"user_id": str(self.user.pk),
|
||||||
|
},
|
||||||
|
),
|
||||||
|
HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
|
||||||
|
)
|
||||||
|
self.assertEqual(response.status_code, 200)
|
||||||
|
|
||||||
|
def test_user_create(self):
|
||||||
|
"""Test user create"""
|
||||||
|
ext_id = generate_id()
|
||||||
|
response = self.client.post(
|
||||||
|
reverse(
|
||||||
|
"authentik_sources_scim:v2-users",
|
||||||
|
kwargs={
|
||||||
|
"source_slug": self.source.slug,
|
||||||
|
},
|
||||||
|
),
|
||||||
|
data=dumps(
|
||||||
|
{
|
||||||
|
"userName": generate_id(),
|
||||||
|
"externalId": ext_id,
|
||||||
|
"emails": [
|
||||||
|
{
|
||||||
|
"primary": True,
|
||||||
|
"value": self.user.email,
|
||||||
|
}
|
||||||
|
],
|
||||||
|
}
|
||||||
|
),
|
||||||
|
content_type=SCIM_CONTENT_TYPE,
|
||||||
|
HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
|
||||||
|
)
|
||||||
|
self.assertEqual(response.status_code, 201)
|
||||||
|
self.assertTrue(
|
||||||
|
User.objects.filter(**{f"attributes__{USER_ATTRIBUTE_SCIM_ID}": ext_id}).exists()
|
||||||
|
)
|
64
authentik/sources/scim/urls.py
Normal file
64
authentik/sources/scim/urls.py
Normal file
|
@ -0,0 +1,64 @@
|
||||||
|
"""SCIM URLs"""
|
||||||
|
from django.urls import path
|
||||||
|
|
||||||
|
from authentik.sources.scim.views.v2 import (
|
||||||
|
base,
|
||||||
|
groups,
|
||||||
|
resource_types,
|
||||||
|
schemas,
|
||||||
|
service_provider_config,
|
||||||
|
users,
|
||||||
|
)
|
||||||
|
|
||||||
|
urlpatterns = [
|
||||||
|
path(
|
||||||
|
"<slug:source_slug>/v2",
|
||||||
|
base.SCIMRootView.as_view(),
|
||||||
|
name="v2-root",
|
||||||
|
),
|
||||||
|
path(
|
||||||
|
"<slug:source_slug>/v2/Users",
|
||||||
|
users.UsersView.as_view(),
|
||||||
|
name="v2-users",
|
||||||
|
),
|
||||||
|
path(
|
||||||
|
"<slug:source_slug>/v2/Users/<str:user_id>",
|
||||||
|
users.UsersView.as_view(),
|
||||||
|
name="v2-users",
|
||||||
|
),
|
||||||
|
path(
|
||||||
|
"<slug:source_slug>/v2/Groups",
|
||||||
|
groups.GroupsView.as_view(),
|
||||||
|
name="v2-groups",
|
||||||
|
),
|
||||||
|
path(
|
||||||
|
"<slug:source_slug>/v2/Groups/<str:group_id>",
|
||||||
|
groups.GroupsView.as_view(),
|
||||||
|
name="v2-groups",
|
||||||
|
),
|
||||||
|
path(
|
||||||
|
"<slug:source_slug>/v2/Schemas",
|
||||||
|
schemas.SchemaView.as_view(),
|
||||||
|
name="v2-schema",
|
||||||
|
),
|
||||||
|
path(
|
||||||
|
"<slug:source_slug>/v2/Schemas/<str:schema_uri>",
|
||||||
|
schemas.SchemaView.as_view(),
|
||||||
|
name="v2-schema",
|
||||||
|
),
|
||||||
|
path(
|
||||||
|
"<slug:source_slug>/v2/ServiceProviderConfig",
|
||||||
|
service_provider_config.ServiceProviderConfigView.as_view(),
|
||||||
|
name="v2-service-provider-config",
|
||||||
|
),
|
||||||
|
path(
|
||||||
|
"<slug:source_slug>/v2/ResourceTypes",
|
||||||
|
resource_types.ResourceTypesView.as_view(),
|
||||||
|
name="v2-resource-types",
|
||||||
|
),
|
||||||
|
path(
|
||||||
|
"<slug:source_slug>/v2/ResourceTypes/<str:resource_type>",
|
||||||
|
resource_types.ResourceTypesView.as_view(),
|
||||||
|
name="v2-resource-types",
|
||||||
|
),
|
||||||
|
]
|
0
authentik/sources/scim/views/__init__.py
Normal file
0
authentik/sources/scim/views/__init__.py
Normal file
0
authentik/sources/scim/views/v2/__init__.py
Normal file
0
authentik/sources/scim/views/v2/__init__.py
Normal file
46
authentik/sources/scim/views/v2/auth.py
Normal file
46
authentik/sources/scim/views/v2/auth.py
Normal file
|
@ -0,0 +1,46 @@
|
||||||
|
"""SCIM Token auth"""
|
||||||
|
from base64 import b64decode
|
||||||
|
from typing import Any, Optional, Union
|
||||||
|
|
||||||
|
from django.conf import settings
|
||||||
|
from rest_framework.authentication import BaseAuthentication, get_authorization_header
|
||||||
|
from rest_framework.request import Request
|
||||||
|
|
||||||
|
from authentik.core.models import Token, TokenIntents, User
|
||||||
|
|
||||||
|
|
||||||
|
class SCIMTokenAuth(BaseAuthentication):
|
||||||
|
"""SCIM Token auth"""
|
||||||
|
|
||||||
|
def legacy(self, key: str, source_slug: str) -> Optional[Token]: # pragma: no cover
|
||||||
|
"""Legacy HTTP-Basic auth for testing"""
|
||||||
|
if not settings.TEST and not settings.DEBUG:
|
||||||
|
return None
|
||||||
|
_username, _, password = b64decode(key.encode()).decode().partition(":")
|
||||||
|
token = self.check_token(password, source_slug)
|
||||||
|
if token:
|
||||||
|
return (token.user, token)
|
||||||
|
return None
|
||||||
|
|
||||||
|
def check_token(self, key: str, source_slug: str) -> Optional[Token]:
|
||||||
|
"""Check that a token exists, is not expired, and is assigned to the correct source"""
|
||||||
|
token = Token.filter_not_expired(key=key, intent=TokenIntents.INTENT_API).first()
|
||||||
|
if not token:
|
||||||
|
return None
|
||||||
|
if not token.scimsource_set.exists():
|
||||||
|
return None
|
||||||
|
if token.scimsource_set.first().slug != source_slug:
|
||||||
|
return None
|
||||||
|
return token
|
||||||
|
|
||||||
|
def authenticate(self, request: Request) -> Union[tuple[User, Any], None]:
|
||||||
|
kwargs = request._request.resolver_match.kwargs
|
||||||
|
source_slug = kwargs.get("source_slug", None)
|
||||||
|
auth = get_authorization_header(request).decode()
|
||||||
|
auth_type, _, key = auth.partition(" ")
|
||||||
|
if auth_type != "Bearer":
|
||||||
|
return self.legacy(key, source_slug)
|
||||||
|
token = self.check_token(key, source_slug)
|
||||||
|
if not token:
|
||||||
|
return None
|
||||||
|
return (token.user, token)
|
81
authentik/sources/scim/views/v2/base.py
Normal file
81
authentik/sources/scim/views/v2/base.py
Normal file
|
@ -0,0 +1,81 @@
|
||||||
|
"""SCIM Utils"""
|
||||||
|
from typing import Optional
|
||||||
|
from urllib.parse import urlparse
|
||||||
|
|
||||||
|
from antlr4 import CommonTokenStream, InputStream, ParseTreeWalker
|
||||||
|
from django.urls import resolve
|
||||||
|
from rest_framework.parsers import JSONParser
|
||||||
|
from rest_framework.permissions import IsAuthenticated
|
||||||
|
from rest_framework.renderers import JSONRenderer
|
||||||
|
from rest_framework.request import Request
|
||||||
|
from rest_framework.response import Response
|
||||||
|
from rest_framework.views import APIView
|
||||||
|
|
||||||
|
from authentik.core.models import Group, User
|
||||||
|
from authentik.sources.scim.filters.django import DjangoQueryListener
|
||||||
|
from authentik.sources.scim.filters.ScimFilterLexer import ScimFilterLexer
|
||||||
|
from authentik.sources.scim.filters.ScimFilterParser import ScimFilterParser
|
||||||
|
from authentik.sources.scim.views.v2.auth import SCIMTokenAuth
|
||||||
|
|
||||||
|
SCIM_CONTENT_TYPE = "application/scim+json"
|
||||||
|
|
||||||
|
|
||||||
|
class SCIMParser(JSONParser):
|
||||||
|
"""SCIM clients use a custom content type"""
|
||||||
|
|
||||||
|
media_type = SCIM_CONTENT_TYPE
|
||||||
|
|
||||||
|
|
||||||
|
class SCIMRenderer(JSONRenderer):
|
||||||
|
"""SCIM clients also expect a custom content type"""
|
||||||
|
|
||||||
|
media_type = SCIM_CONTENT_TYPE
|
||||||
|
|
||||||
|
|
||||||
|
class SCIMView(APIView):
|
||||||
|
"""Base class for SCIM Views"""
|
||||||
|
|
||||||
|
authentication_classes = [SCIMTokenAuth]
|
||||||
|
permission_classes = [IsAuthenticated]
|
||||||
|
parser_classes = [SCIMParser]
|
||||||
|
renderer_classes = [SCIMRenderer]
|
||||||
|
|
||||||
|
def patch_resolve_value(self, raw_value: dict) -> Optional[User | Group]:
|
||||||
|
"""Attempt to resolve a raw `value` attribute of a patch operation into
|
||||||
|
a database model"""
|
||||||
|
model = User
|
||||||
|
query = {}
|
||||||
|
if "$ref" in raw_value:
|
||||||
|
url = urlparse(raw_value["$ref"])
|
||||||
|
if match := resolve(url.path):
|
||||||
|
if match.url_name == "v2-users":
|
||||||
|
model = User
|
||||||
|
query = {"pk": int(match.kwargs["user_id"])}
|
||||||
|
elif "type" in raw_value:
|
||||||
|
match raw_value["tyoe"]:
|
||||||
|
case "User":
|
||||||
|
model = User
|
||||||
|
query = {"pk": int(raw_value["value"])}
|
||||||
|
case "Group":
|
||||||
|
model = Group
|
||||||
|
else:
|
||||||
|
return None
|
||||||
|
return model.objects.filter(**query).first()
|
||||||
|
|
||||||
|
def patch_parse_path(self, path: str):
|
||||||
|
"""Parse the path of a Patch Operation"""
|
||||||
|
lexer = ScimFilterLexer(InputStream(path))
|
||||||
|
stream = CommonTokenStream(lexer)
|
||||||
|
parser = ScimFilterParser(stream)
|
||||||
|
tree = parser.filter_()
|
||||||
|
listener = DjangoQueryListener()
|
||||||
|
walker = ParseTreeWalker()
|
||||||
|
walker.walk(listener, tree)
|
||||||
|
return listener.query
|
||||||
|
|
||||||
|
|
||||||
|
class SCIMRootView(SCIMView):
|
||||||
|
"""Root SCIM View"""
|
||||||
|
|
||||||
|
def dispatch(self, request: Request, *args, **kwargs) -> Response:
|
||||||
|
return Response({"message": "Use this base-URL with an SCIM-compatible system."})
|
126
authentik/sources/scim/views/v2/groups.py
Normal file
126
authentik/sources/scim/views/v2/groups.py
Normal file
|
@ -0,0 +1,126 @@
|
||||||
|
"""SCIM Group Views"""
|
||||||
|
from typing import Optional
|
||||||
|
|
||||||
|
from django.core.paginator import Paginator
|
||||||
|
from django.db.transaction import atomic
|
||||||
|
from django.http import Http404, QueryDict
|
||||||
|
from django.urls import reverse
|
||||||
|
from rest_framework.request import Request
|
||||||
|
from rest_framework.response import Response
|
||||||
|
from structlog.stdlib import get_logger
|
||||||
|
|
||||||
|
from authentik.core.models import Group
|
||||||
|
from authentik.sources.scim.errors import PatchError
|
||||||
|
from authentik.sources.scim.views.v2.base import SCIM_CONTENT_TYPE, SCIMView
|
||||||
|
|
||||||
|
LOGGER = get_logger()
|
||||||
|
|
||||||
|
|
||||||
|
class GroupsView(SCIMView):
|
||||||
|
"""SCIM Group View"""
|
||||||
|
|
||||||
|
def group_to_scim(self, group: Group) -> dict:
|
||||||
|
"""Convert group to SCIM"""
|
||||||
|
return {
|
||||||
|
"id": str(group.pk),
|
||||||
|
"meta": {
|
||||||
|
"resourceType": "Group",
|
||||||
|
"location": self.request.build_absolute_uri(
|
||||||
|
reverse(
|
||||||
|
"authentik_sources_scim:v2-groups",
|
||||||
|
kwargs={
|
||||||
|
"source_slug": self.kwargs["source_slug"],
|
||||||
|
"group_id": str(group.pk),
|
||||||
|
},
|
||||||
|
)
|
||||||
|
),
|
||||||
|
},
|
||||||
|
"displayName": group.name,
|
||||||
|
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
|
||||||
|
}
|
||||||
|
|
||||||
|
def get(self, request: Request, group_id: Optional[str] = None, **kwargs) -> Response:
|
||||||
|
"""List Group handler"""
|
||||||
|
if group_id:
|
||||||
|
group = Group.objects.filter(pk=group_id).first()
|
||||||
|
if not group:
|
||||||
|
raise Http404
|
||||||
|
return Response(self.group_to_scim(group))
|
||||||
|
groups = Group.objects.all().order_by("pk")
|
||||||
|
per_page = 50
|
||||||
|
paginator = Paginator(groups, per_page=per_page)
|
||||||
|
start_index = int(request.query_params.get("startIndex", 1))
|
||||||
|
page = paginator.page(int(max(start_index / per_page, 1)))
|
||||||
|
return Response(
|
||||||
|
{
|
||||||
|
"totalResults": paginator.count,
|
||||||
|
"itemsPerPage": per_page,
|
||||||
|
"startIndex": page.start_index(),
|
||||||
|
"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
|
||||||
|
"Resources": [self.group_to_scim(group) for group in page],
|
||||||
|
}
|
||||||
|
)
|
||||||
|
|
||||||
|
def update_group(self, group: Group, data: QueryDict) -> Group:
|
||||||
|
"""Partial update a group"""
|
||||||
|
if "displayName" in data:
|
||||||
|
group.name = data.get("displayName")
|
||||||
|
return group
|
||||||
|
|
||||||
|
def post(self, request: Request, **kwargs) -> Response:
|
||||||
|
"""Create group handler"""
|
||||||
|
group = Group.objects.filter(name=request.data.get("displayName")).first()
|
||||||
|
if group:
|
||||||
|
LOGGER.debug("Found existing group")
|
||||||
|
return Response(status=409)
|
||||||
|
group = self.update_group(Group(), request.data)
|
||||||
|
group.save()
|
||||||
|
return Response(self.group_to_scim(group), status=201)
|
||||||
|
|
||||||
|
def patch(self, request: Request, group_id: str, **kwargs) -> Response:
|
||||||
|
"""Update group handler"""
|
||||||
|
group: Optional[Group] = Group.objects.filter(pk=group_id).first()
|
||||||
|
if not group:
|
||||||
|
raise Http404
|
||||||
|
if request.data.get("schemas", []) != ["urn:ietf:params:scim:api:messages:2.0:PatchOp"]:
|
||||||
|
return Response(status=400)
|
||||||
|
try:
|
||||||
|
with atomic():
|
||||||
|
for op in request.data.get("Operations", []):
|
||||||
|
path = self.patch_parse_path(op["path"])
|
||||||
|
operation = op["op"]
|
||||||
|
raw_value = op.get("value", None)
|
||||||
|
values = []
|
||||||
|
for value in raw_value:
|
||||||
|
values.append(self.patch_resolve_value(value))
|
||||||
|
match operation:
|
||||||
|
case "add":
|
||||||
|
group.users.add(*[x.pk for x in values])
|
||||||
|
case "remove":
|
||||||
|
pass
|
||||||
|
return Response(self.group_to_scim(group), status=200)
|
||||||
|
except (KeyError, PatchError):
|
||||||
|
return Response(status=400)
|
||||||
|
|
||||||
|
def put(self, request: Request, group_id: str, **kwargs) -> Response:
|
||||||
|
"""Update group handler"""
|
||||||
|
group: Optional[Group] = Group.objects.filter(pk=group_id).first()
|
||||||
|
if not group:
|
||||||
|
raise Http404
|
||||||
|
self.update_group(group, request.data)
|
||||||
|
group.save()
|
||||||
|
return Response(self.group_to_scim(group), status=200)
|
||||||
|
|
||||||
|
def delete(self, request: Request, group_id: str, **kwargs) -> Response:
|
||||||
|
"""Delete group handler"""
|
||||||
|
group: Optional[Group] = Group.objects.filter(pk=group_id).first()
|
||||||
|
if not group:
|
||||||
|
raise Http404
|
||||||
|
group.delete()
|
||||||
|
return Response(
|
||||||
|
{},
|
||||||
|
status=204,
|
||||||
|
headers={
|
||||||
|
"Content-Type": SCIM_CONTENT_TYPE,
|
||||||
|
},
|
||||||
|
)
|
153
authentik/sources/scim/views/v2/resource_types.py
Normal file
153
authentik/sources/scim/views/v2/resource_types.py
Normal file
|
@ -0,0 +1,153 @@
|
||||||
|
"""SCIM Meta views"""
|
||||||
|
from typing import Optional
|
||||||
|
|
||||||
|
from django.http import Http404
|
||||||
|
from django.urls import reverse
|
||||||
|
from rest_framework.request import Request
|
||||||
|
from rest_framework.response import Response
|
||||||
|
|
||||||
|
from authentik.sources.scim.views.v2.base import SCIMView
|
||||||
|
|
||||||
|
|
||||||
|
class ResourceTypesView(SCIMView):
|
||||||
|
"""https://ldapwiki.com/wiki/SCIM%20ResourceTypes%20endpoint"""
|
||||||
|
|
||||||
|
def get_resource_types(self):
|
||||||
|
"""List all resource types"""
|
||||||
|
return [
|
||||||
|
{
|
||||||
|
"id": "ServiceProviderConfig",
|
||||||
|
"name": "ServiceProviderConfig",
|
||||||
|
"description": "the service providers configuration",
|
||||||
|
"endpoint": "/ServiceProviderConfig",
|
||||||
|
"schema": "urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig",
|
||||||
|
"schemas": [
|
||||||
|
"urn:ietf:params:scim:schemas:core:2.0:ResourceType",
|
||||||
|
],
|
||||||
|
"meta": {
|
||||||
|
"resourceType": "ResourceType",
|
||||||
|
"location": self.request.build_absolute_uri(
|
||||||
|
reverse(
|
||||||
|
"authentik_sources_scim:v2-resource-types",
|
||||||
|
kwargs={
|
||||||
|
"source_slug": self.kwargs["source_slug"],
|
||||||
|
"resource_type": "ServiceProviderConfig",
|
||||||
|
},
|
||||||
|
)
|
||||||
|
),
|
||||||
|
},
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"id": "ResourceType",
|
||||||
|
"name": "ResourceType",
|
||||||
|
"description": "ResourceType",
|
||||||
|
"endpoint": "/ResourceTypes",
|
||||||
|
"schema": "urn:ietf:params:scim:schemas:core:2.0:ResourceType",
|
||||||
|
"schemas": [
|
||||||
|
"urn:ietf:params:scim:schemas:core:2.0:ResourceType",
|
||||||
|
],
|
||||||
|
"meta": {
|
||||||
|
"resourceType": "ResourceType",
|
||||||
|
"location": self.request.build_absolute_uri(
|
||||||
|
reverse(
|
||||||
|
"authentik_sources_scim:v2-resource-types",
|
||||||
|
kwargs={
|
||||||
|
"source_slug": self.kwargs["source_slug"],
|
||||||
|
"resource_type": "ResourceType",
|
||||||
|
},
|
||||||
|
)
|
||||||
|
),
|
||||||
|
},
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"id": "Schema",
|
||||||
|
"name": "Schema",
|
||||||
|
"description": "Schema endpoint description",
|
||||||
|
"endpoint": "/Schemas",
|
||||||
|
"schema": "urn:ietf:params:scim:schemas:core:2.0:Schema",
|
||||||
|
"schemas": [
|
||||||
|
"urn:ietf:params:scim:schemas:core:2.0:ResourceType",
|
||||||
|
],
|
||||||
|
"meta": {
|
||||||
|
"resourceType": "ResourceType",
|
||||||
|
"location": self.request.build_absolute_uri(
|
||||||
|
reverse(
|
||||||
|
"authentik_sources_scim:v2-resource-types",
|
||||||
|
kwargs={
|
||||||
|
"source_slug": self.kwargs["source_slug"],
|
||||||
|
"resource_type": "Schema",
|
||||||
|
},
|
||||||
|
)
|
||||||
|
),
|
||||||
|
},
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"id": "User",
|
||||||
|
"name": "User",
|
||||||
|
"endpoint": "/Users",
|
||||||
|
"description": "https://tools.ietf.org/html/rfc7643#section-8.7.1",
|
||||||
|
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:ResourceType"],
|
||||||
|
"schema": "urn:ietf:params:scim:schemas:core:2.0:User",
|
||||||
|
"schemaExtensions": [
|
||||||
|
{
|
||||||
|
"schema": "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
|
||||||
|
"required": True,
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"meta": {
|
||||||
|
"location": self.request.build_absolute_uri(
|
||||||
|
reverse(
|
||||||
|
"authentik_sources_scim:v2-resource-types",
|
||||||
|
kwargs={
|
||||||
|
"source_slug": self.kwargs["source_slug"],
|
||||||
|
"resource_type": "User",
|
||||||
|
},
|
||||||
|
)
|
||||||
|
),
|
||||||
|
"resourceType": "ResourceType",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"id": "Group",
|
||||||
|
"name": "Group",
|
||||||
|
"description": "Group",
|
||||||
|
"endpoint": "/Groups",
|
||||||
|
"schema": "urn:ietf:params:scim:schemas:core:2.0:Group",
|
||||||
|
"schemas": [
|
||||||
|
"urn:ietf:params:scim:schemas:core:2.0:ResourceType",
|
||||||
|
],
|
||||||
|
"meta": {
|
||||||
|
"resourceType": "ResourceType",
|
||||||
|
"location": self.request.build_absolute_uri(
|
||||||
|
reverse(
|
||||||
|
"authentik_sources_scim:v2-resource-types",
|
||||||
|
kwargs={
|
||||||
|
"source_slug": self.kwargs["source_slug"],
|
||||||
|
"resource_type": "Group",
|
||||||
|
},
|
||||||
|
)
|
||||||
|
),
|
||||||
|
},
|
||||||
|
},
|
||||||
|
]
|
||||||
|
|
||||||
|
# pylint: disable=unused-argument
|
||||||
|
def get(
|
||||||
|
self, request: Request, source_slug: str, resource_type: Optional[str] = None
|
||||||
|
) -> Response:
|
||||||
|
"""Get resource types as SCIM response"""
|
||||||
|
resource_types = self.get_resource_types()
|
||||||
|
if resource_type:
|
||||||
|
resource = [x for x in resource_types if x.get("id") == resource_type]
|
||||||
|
if resource:
|
||||||
|
return Response(resource[0])
|
||||||
|
raise Http404
|
||||||
|
return Response(
|
||||||
|
{
|
||||||
|
"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
|
||||||
|
"totalResults": len(resource_types),
|
||||||
|
"itemsPerPage": len(resource_types),
|
||||||
|
"startIndex": 1,
|
||||||
|
"Resources": resource_types,
|
||||||
|
}
|
||||||
|
)
|
Some files were not shown because too many files have changed in this diff Show more
Reference in a new issue