* rename consent permission Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* the user version Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* t Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* initial role Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* start form Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* some minor table refactoring Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* fix user, add assign Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* add roles ui Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* fix backend Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* add assign API for roles Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* start adding toggle buttons Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* start view page Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* exclude add_ permission for per-object perms Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* small cleanup Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* add permission list for roles Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* make sidebar update Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* fix page header not re-rendering? Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* fixup Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* add search Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* show first category in table groupBy except when it's empty Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* make model and object PK optional but required together Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* allow for setting global perms Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* exclude non-authentik permissions Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* exclude models which aren't allowed (base models etc) Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* ensure all models have verbose_name set, exclude some more internal objects Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* lint fix Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* fix role perm assign Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* add unassign for global perms Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* add meta changes Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* clear modal state after submit Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* add roles to our group Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* fix duplicate url names Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* make recursive group query more usable Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* add name field to role itself and move group creation to signal Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* start sync Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* move rbac stuff to separate django app Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* fix lint and such Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* fix go Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* update Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* start API changes Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* add more API tests Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* make admin interface not require superuser for now, improve error handling Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* replace some IsAdminUser where applicable Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* migrate flow inspector perms to actual permission Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* fix license not being a serializermodel Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* add permission modal to models without view page Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* add additional permissions to assign/unassign permissions Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* add action to unassign user permissions Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* add permissions tab to remaining view pages Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* fix Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* fix flow inspector permission check Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* fix codecov config? Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* add more API tests Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* ensure viewsets have an order set Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* hopefully the last api name change Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* make perm modal less confusing Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* start user view permission page Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* only make delete bulk form expandable if usedBy is set Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* expand permission tables Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* add more things Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* add user global permission table Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* fix lint Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* fix tests' url names Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* add tests for assign perms Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* add unassign tests Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* rebuild permissions Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* prevent assigning/unassigning permissions to internal service accounts Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* only enable default api browser in debug Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* fix role object permissions showing duplicate Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* fix role link on role object permissions table Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* fix object permission modal having duplicate close buttons Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* return error if user has no global perm and no object perms, also improve error display on table Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* small optimisation Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* optimise even more Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* update locale Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* add system permission for non-object permissions Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* allow access to admin interface based on perm Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* clean Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* don't exclude base models Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
203 lines
6.2 KiB
Python
"""Policy base models"""
from uuid import uuid4

from django.db import models
from django.utils.translation import gettext_lazy as _
from model_utils.managers import InheritanceManager
from rest_framework.serializers import BaseSerializer

from authentik.lib.models import (
    CreatedUpdatedModel,
    InheritanceAutoManager,
    InheritanceForeignKey,
    SerializerModel,
)
from authentik.policies.exceptions import PolicyException
from authentik.policies.types import PolicyRequest, PolicyResult


class PolicyEngineMode(models.TextChoices):
    """Decide how results of multiple policies should be combined."""

    MODE_ALL = "all", _("all, all policies must pass")  # type: "PolicyEngineMode"
    MODE_ANY = "any", _("any, any policy must pass")  # type: "PolicyEngineMode"


class PolicyBindingModel(models.Model):
    """Base Model for objects that have policies applied to them."""

    pbm_uuid = models.UUIDField(primary_key=True, editable=False, default=uuid4)

    policies = models.ManyToManyField(
        "Policy", through="PolicyBinding", related_name="bindings", blank=True
    )

    policy_engine_mode = models.TextField(
        choices=PolicyEngineMode.choices,
        default=PolicyEngineMode.MODE_ANY,
    )

    objects = InheritanceManager()

    def __str__(self) -> str:
        return f"PolicyBindingModel {self.pbm_uuid}"

    class Meta:
        verbose_name = _("Policy Binding Model")
        verbose_name_plural = _("Policy Binding Models")


class PolicyBinding(SerializerModel):
    """Relationship between a Policy and a PolicyBindingModel."""

    policy_binding_uuid = models.UUIDField(primary_key=True, editable=False, default=uuid4)

    enabled = models.BooleanField(default=True)

    policy = InheritanceForeignKey(
        "Policy",
        on_delete=models.CASCADE,
        related_name="+",
        default=None,
        null=True,
        blank=True,
    )
    group = models.ForeignKey(
        # This is quite an ugly hack to prevent pylint from trying
        # to resolve authentik_core.models.Group
        # as python import path
        "authentik_core.Group",
        on_delete=models.CASCADE,
        default=None,
        null=True,
        blank=True,
    )
    user = models.ForeignKey(
        "authentik_core.User",
        on_delete=models.CASCADE,
        default=None,
        null=True,
        blank=True,
    )

    target = InheritanceForeignKey(PolicyBindingModel, on_delete=models.CASCADE, related_name="+")
    negate = models.BooleanField(
        default=False,
        help_text=_("Negates the outcome of the policy. Messages are unaffected."),
    )
    timeout = models.PositiveIntegerField(
        default=30, help_text=_("Timeout after which Policy execution is terminated.")
    )
    failure_result = models.BooleanField(
        default=False, help_text=_("Result if the Policy execution fails.")
    )

    order = models.IntegerField()

    def passes(self, request: PolicyRequest) -> PolicyResult:
        """Check if request passes this PolicyBinding, check policy, group or user"""
        if self.policy:
            self.policy: Policy
            return self.policy.passes(request)
        if self.group:
            return PolicyResult(self.group.is_member(request.user))
        if self.user:
            return PolicyResult(request.user == self.user)
        return PolicyResult(False)

    @property
    def serializer(self) -> type[BaseSerializer]:
        from authentik.policies.api.bindings import PolicyBindingSerializer

        return PolicyBindingSerializer

    @property
    def target_type(self) -> str:
        """Get the target type this binding is applied to"""
        if self.policy:
            return "policy"
        if self.group:
            return "group"
        if self.user:
            return "user"
        return "invalid"

    @property
    def target_name(self) -> str:
        """Get the target name this binding is applied to"""
        if self.policy:
            return self.policy.name
        if self.group:
            return self.group.name
        if self.user:
            return self.user.name
        return "invalid"

    def __str__(self) -> str:
        suffix = f"{self.target_type.title()} {self.target_name}"
        try:
            return f"Binding from {self.target} #{self.order} to {suffix}"
        except PolicyBinding.target.RelatedObjectDoesNotExist:  # pylint: disable=no-member
            return f"Binding - #{self.order} to {suffix}"
        return ""

    class Meta:
        verbose_name = _("Policy Binding")
        verbose_name_plural = _("Policy Bindings")
        unique_together = ("policy", "target", "order")
        indexes = [
            models.Index(fields=["policy"]),
            models.Index(fields=["group"]),
            models.Index(fields=["user"]),
            models.Index(fields=["target"]),
        ]


class Policy(SerializerModel, CreatedUpdatedModel):
    """Policies which specify if a user is authorized to use an Application. Can be overridden by
    other types to add other fields, more logic, etc."""

    policy_uuid = models.UUIDField(primary_key=True, editable=False, default=uuid4)

    name = models.TextField(unique=True)

    execution_logging = models.BooleanField(
        default=False,
        help_text=_(
            "When this option is enabled, all executions of this policy will be logged. "
            "By default, only execution errors are logged."
        ),
    )

    objects = InheritanceAutoManager()

    @property
    def component(self) -> str:
        """Return component used to edit this object"""
        raise NotImplementedError

    def __str__(self):
        return str(self.name)

    def passes(self, request: PolicyRequest) -> PolicyResult:  # pragma: no cover
        """Check if request passes this policy"""
        raise PolicyException()

    class Meta:
        base_manager_name = "objects"

        verbose_name = _("Policy")
        verbose_name_plural = _("Policies")

        permissions = [
            ("view_policy_cache", _("View Policy's cache metrics")),
            ("clear_policy_cache", _("Clear Policy's cache metrics")),
        ]


class PolicyMeta:
    """Base class for the Meta class for all policies"""

    indexes = [
        models.Index(fields=["policy_ptr_id"]),
    ]
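The `PolicyBinding` model above only stores the evaluation knobs (`enabled`, `negate`, `failure_result`, `order`) and each target's `policy_engine_mode`, which defaults to `MODE_ANY`; the logic that combines them lives in authentik's policy engine, which is not on this page. What follows is an added, self-contained Python sketch of how those fields interact. It is not authentik's code: `PolicyResult`, `Binding`, the sample policies and the user names are constructed here, and two behaviours are assumptions rather than facts taken from the file (an exception during execution yields `failure_result`, and an object with no enabled bindings is treated as unrestricted). The point it makes is the one a reviewer checks on a binding setup: under the default `any` mode, a group binding, which is a plain membership test per `PolicyBinding.passes`, sitting beside a restrictive policy binding is enough to admit a user the policy rejects; a policy that must always hold needs `all` mode on that target.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class PolicyResult:
    """Simplified stand-in for authentik.policies.types.PolicyResult (constructed here)."""

    passing: bool
    messages: tuple[str, ...] = ()


@dataclass
class Binding:
    """Mirrors the PolicyBinding fields that influence evaluation; no Django involved."""

    policy: Callable[[str], PolicyResult] | None = None  # stands in for Policy.passes
    group_members: frozenset[str] | None = None  # stands in for Group.is_member
    user: str | None = None
    enabled: bool = True
    negate: bool = False
    failure_result: bool = False
    order: int = 0

    def passes(self, username: str) -> PolicyResult:
        """Same precedence as PolicyBinding.passes in the file: policy, then group, then user."""
        if self.policy is not None:
            return self.policy(username)
        if self.group_members is not None:
            return PolicyResult(username in self.group_members)
        if self.user is not None:
            return PolicyResult(username == self.user)
        return PolicyResult(False)


def evaluate_binding(binding: Binding, username: str) -> PolicyResult:
    """Wrap Binding.passes with failure_result and negate handling (assumed engine semantics)."""
    try:
        result = binding.passes(username)
    except Exception as exc:  # a PolicyException (or a timeout) in the real engine
        # help_text in the file: failure_result is "Result if the Policy execution fails."
        result = PolicyResult(binding.failure_result, (f"policy execution failed: {exc}",))
    if binding.negate:
        # help_text in the file: "Negates the outcome of the policy. Messages are unaffected."
        result = PolicyResult(not result.passing, result.messages)
    return result


def evaluate(bindings: Iterable[Binding], username: str, mode: str = "any") -> PolicyResult:
    """Combine the enabled bindings, in order, under policy_engine_mode "all" or "any"."""
    active = sorted((b for b in bindings if b.enabled), key=lambda b: b.order)
    if not active:
        # Assumption: an object with no enabled bindings is unrestricted.
        return PolicyResult(True)
    results = [evaluate_binding(b, username) for b in active]
    messages = tuple(msg for res in results for msg in res.messages)
    if mode == "all":
        return PolicyResult(all(res.passing for res in results), messages)
    if mode == "any":
        return PolicyResult(any(res.passing for res in results), messages)
    raise ValueError(f"unknown policy_engine_mode {mode!r}")


# Constructed sample data: a hypothetical domain policy and a hypothetical staff group.
def corp_domain_policy(username: str) -> PolicyResult:
    """Hypothetical policy: only accounts in the corp.example domain may pass."""
    if username.endswith("@corp.example"):
        return PolicyResult(True)
    return PolicyResult(False, ("account is not in the corp.example domain",))


def broken_policy(username: str) -> PolicyResult:
    """Hypothetical policy whose execution always fails."""
    raise RuntimeError("upstream lookup unavailable")


STAFF = frozenset({"alice@corp.example", "mallory@evil.example"})

BINDINGS = [
    Binding(policy=corp_domain_policy, order=0),
    Binding(group_members=STAFF, order=10),  # plain membership check, like a Group binding
]


def any_mode_grants_outsider() -> bool:
    """Under the default MODE_ANY the group binding alone lets mallory through."""
    return evaluate(BINDINGS, "mallory@evil.example", mode="any").passing


def all_mode_blocks_outsider() -> bool:
    """Switching the target to MODE_ALL makes the domain policy binding effective again."""
    return evaluate(BINDINGS, "mallory@evil.example", mode="all").passing


def negated_messages_are_kept() -> PolicyResult:
    """negate flips the outcome for an outsider while the policy's message is still reported."""
    return evaluate_binding(Binding(policy=corp_domain_policy, negate=True), "mallory@evil.example")


def failure_result_decides(failure_result: bool) -> bool:
    """When execution raises, the binding's failure_result is the outcome."""
    binding = Binding(policy=broken_policy, failure_result=failure_result)
    return evaluate_binding(binding, "alice@corp.example").passing


if __name__ == "__main__":
    print("any mode admits outsider:", any_mode_grants_outsider())
    print("all mode admits outsider:", all_mode_blocks_outsider())
```

Two details of the sketch are worth carrying over when auditing real bindings: `negate` inverts only `passing`, so a negated deny still surfaces the original denial message to the user, and `failure_result` is the value that counts whenever policy execution does not complete, so a binding with `failure_result=True` fails open.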