"""authentik core models"""
from datetime import timedelta
from hashlib import md5, sha256
from typing import Any, Optional, Type
from urllib.parse import urlencode
from uuid import uuid4
from deepmerge import always_merger
from django.conf import settings
from django.contrib.auth.models import AbstractUser
from django.contrib.auth.models import UserManager as DjangoUserManager
from django.core import validators
from django.db import models
from django.db.models import Q, QuerySet, options
from django.http import HttpRequest
from django.templatetags.static import static
from django.utils.functional import cached_property
from django.utils.html import escape
from django.utils.timezone import now
from django.utils.translation import gettext_lazy as _
from guardian.mixins import GuardianUserMixin
from model_utils.managers import InheritanceManager
from rest_framework.serializers import Serializer
from structlog.stdlib import get_logger
from authentik.core.exceptions import PropertyMappingExpressionException
from authentik.core.signals import password_changed
from authentik.core.types import UILoginButton, UserSettingSerializer
from authentik.flows.models import Flow
from authentik.lib.config import CONFIG
from authentik.lib.models import CreatedUpdatedModel, SerializerModel
from authentik.lib.utils.http import get_client_ip
from authentik.managed.models import ManagedModel
from authentik.policies.models import PolicyBindingModel
LOGGER = get_logger()

# Well-known keys for ``User.attributes``. They are only defined here; nothing
# in this module reads them, callers elsewhere are expected to use these names
# rather than re-typing the strings.
USER_ATTRIBUTE_DEBUG = "goauthentik.io/user/debug"
USER_ATTRIBUTE_SA = "goauthentik.io/user/service-account"
USER_ATTRIBUTE_SOURCES = "goauthentik.io/user/sources"

# Base URL used by ``User.avatar`` when the configured avatar mode is "gravatar".
GRAVATAR_URL = "https://secure.gravatar.com"
# Static fallback returned by ``User.avatar`` when the avatar mode is "none".
DEFAULT_AVATAR = static("dist/assets/images/user_default.png")

# Register an additional ``Meta`` option name with Django so models can declare
# ``authentik_used_by_shadows`` without triggering an "invalid Meta option" error.
options.DEFAULT_NAMES = options.DEFAULT_NAMES + ("authentik_used_by_shadows",)


def default_token_duration():
    """Default duration a Token is valid.

    Returns the timezone-aware instant 30 minutes from now; used as the
    default for ``ExpiringModel.expires``.
    """
    validity = timedelta(minutes=30)
    return now() + validity


def default_token_key():
    """Default token key.

    Returns a freshly generated random UUID4 as a 32-character lowercase
    hex string; used as the default for ``Token.key``.
    """
    random_id = uuid4()
    return random_id.hex


class Group(models.Model):
    """Custom Group model which supports a basic hierarchy.

    A group may reference a ``parent`` group. ``User.group_attributes`` merges
    the ``attributes`` of the groups a user is directly a member of; the
    hierarchy is not traversed there.
    """

    group_uuid = models.UUIDField(primary_key=True, editable=False, default=uuid4)

    name = models.CharField(_("name"), max_length=80)
    # Membership in any group with this flag set makes ``User.is_superuser``
    # (and therefore ``User.is_staff``) true, so adding a user to such a group
    # is a privilege grant and should be treated as one.
    is_superuser = models.BooleanField(
        default=False, help_text=_("Users added to this group will be superusers.")
    )

    # Self-referential link; deleting a parent detaches its children instead of
    # cascading the delete.
    parent = models.ForeignKey(
        "Group",
        blank=True,
        null=True,
        on_delete=models.SET_NULL,
        related_name="children",
    )
    # Free-form JSON merged into the effective attributes of every member,
    # see ``User.group_attributes``.
    attributes = models.JSONField(default=dict, blank=True)

    def __str__(self):
        return f"Group {self.name}"

    class Meta:
        # Names only need to be unique among groups sharing the same parent.
        unique_together = (
            (
                "name",
                "parent",
            ),
        )


class UserManager(DjangoUserManager):
    """Custom user manager that doesn't assign is_superuser and is_staff"""

    def create_user(self, username, email=None, password=None, **extra_fields):
        """Create a regular user.

        Delegates straight to ``_create_user`` without injecting the
        ``is_staff``/``is_superuser`` defaults Django's manager adds; on this
        ``User`` model both flags are derived from group membership instead.
        """
        return self._create_user(username, email, password, **extra_fields)


class User(GuardianUserMixin, AbstractUser):
    """Custom User model to allow easier adding of user-based settings.

    ``is_superuser`` and ``is_staff`` are not stored per user; both are derived
    from membership in a ``Group`` whose ``is_superuser`` flag is set.
    """

    uuid = models.UUIDField(default=uuid4, editable=False)
    name = models.TextField(help_text=_("User's display name."))

    sources = models.ManyToManyField("Source", through="UserSourceConnection")
    ak_groups = models.ManyToManyField("Group", related_name="users")
    # Stamped by ``set_password``; persisting it is the caller's job.
    password_change_date = models.DateTimeField(auto_now_add=True)

    attributes = models.JSONField(default=dict, blank=True)

    objects = UserManager()

    def group_attributes(self) -> dict[str, Any]:
        """Get a dictionary containing the attributes from all groups the user belongs to,
        including the users attributes.

        Direct group memberships are merged in ``name`` order and the user's own
        ``attributes`` are merged last, so on conflicting scalar keys the user's
        value wins and, between groups, the alphabetically later group wins
        (``always_merger`` semantics: dicts merge recursively, scalars are
        overridden by the later source). Parent groups are not traversed.
        """
        merged: dict[str, Any] = {}
        layers = [
            group.attributes for group in self.ak_groups.all().order_by("name")
        ]
        layers.append(self.attributes)
        for layer in layers:
            always_merger.merge(merged, layer)
        return merged

    @cached_property
    def is_superuser(self) -> bool:
        """Get superuser status based on membership in a group with superuser status.

        The result is cached on the instance, so a membership change made after
        the first access is not reflected on an already loaded ``User`` object.
        """
        superuser_groups = self.ak_groups.filter(is_superuser=True)
        return superuser_groups.exists()

    @property
    def is_staff(self) -> bool:
        """superuser == staff user"""
        return self.is_superuser  # type: ignore

    def set_password(self, password, signal=True):
        """Set the password hash, stamp ``password_change_date`` and notify receivers.

        If the user is already persisted (has a ``pk``) and ``signal`` is true,
        ``password_changed`` is sent *before* hashing and receivers are handed
        the clear-text ``password``; receivers must therefore never log or
        persist it. Nothing is saved here, the caller must ``save()``.
        """
        notify = bool(self.pk) and signal
        if notify:
            password_changed.send(sender=self, user=self, password=password)
        self.password_change_date = now()
        return super().set_password(password)

    @property
    def uid(self) -> str:
        """Generate a globally unique UID, based on the user ID and the hashed secret key.

        Computed as ``sha256("<id>-<SECRET_KEY>")``: stable within one
        deployment, but every user's UID changes if ``SECRET_KEY`` is rotated,
        so it must not be relied on as a permanent external identifier.
        ``encode("ascii")`` will raise if ``SECRET_KEY`` contains non-ASCII
        characters.
        """
        material = "{}-{}".format(self.id, settings.SECRET_KEY)
        return sha256(material.encode("ascii")).hexdigest()

    @property
    def avatar(self) -> str:
        """Get avatar, depending on authentik.avatar setting.

        ``avatars`` may be ``"none"`` (static default image), ``"gravatar"``
        (escaped Gravatar URL) or any other string, which is used as a
        ``%``-format template with the keys ``username``, ``mail_hash`` and
        ``upn``.
        NOTE(review): only the gravatar branch is passed through ``escape``;
        the template branch interpolates the user-supplied ``username``
        verbatim, so whoever renders the result into HTML must escape it.
        """
        mode: str = CONFIG.y("avatars", "none")
        if mode == "none":
            return DEFAULT_AVATAR
        # gravatar uses md5 for their URLs, so md5 can't be avoided
        mail_hash = md5(self.email.encode("utf-8")).hexdigest()  # nosec
        if mode == "gravatar":
            query = urlencode([("s", "158"), ("r", "g")], doseq=True)
            return escape(f"{GRAVATAR_URL}/avatar/{mail_hash}?{query}")
        template_context = {
            "username": self.username,
            "mail_hash": mail_hash,
            "upn": self.attributes.get("upn", ""),
        }
        return mode % template_context

    class Meta:
        # Custom permissions declared here and enforced by callers outside this
        # module; ``impersonate`` lets its holder act as another user.
        permissions = (
            ("reset_user_password", "Reset Password"),
            ("impersonate", "Can impersonate other users"),
        )
        verbose_name = _("User")
        verbose_name_plural = _("Users")


class Provider(SerializerModel):
    """Application-independent Provider instance. For example SAML2 Remote, OAuth2 Application

    Concrete providers subclass this model; ``objects`` is an
    ``InheritanceManager`` so ``get_subclass`` resolves a base row to its
    concrete type (see ``Application.get_provider``).
    """

    name = models.TextField()

    # Deleting the flow cascades to every provider bound to it.
    authorization_flow = models.ForeignKey(
        Flow,
        on_delete=models.CASCADE,
        help_text=_("Flow used when authorizing this provider."),
        related_name="provider_authorization",
    )

    property_mappings = models.ManyToManyField(
        "PropertyMapping", default=None, blank=True
    )

    objects = InheritanceManager()

    @property
    def launch_url(self) -> Optional[str]:
        """URL to this provider and initiate authorization for the user.
        Can return None for providers that are not URL-based"""
        # Base implementation has no URL; URL-based subclasses override this.
        return None

    @property
    def component(self) -> str:
        """Return component used to edit this object"""
        # Must be overridden by every concrete provider.
        raise NotImplementedError

    @property
    def serializer(self) -> Type[Serializer]:
        """Get serializer for this model"""
        # Must be overridden by every concrete provider.
        raise NotImplementedError

    def __str__(self):
        return self.name


class Application(PolicyBindingModel):
    """Every Application which uses authentik for authentication/identification/authorization
    needs an Application record. Other authentication types can subclass this Model to
    add custom fields and other properties"""

    name = models.TextField(help_text=_("Application's display Name."))
    slug = models.SlugField(
        help_text=_("Internal application name, used in URLs."), unique=True
    )
    # Deleting the provider resets this link to its default (None) rather than
    # removing the application.
    provider = models.OneToOneField(
        "Provider", null=True, blank=True, default=None, on_delete=models.SET_DEFAULT
    )

    # The URL validator runs during model/form validation, not on ``save()``.
    meta_launch_url = models.TextField(
        default="", blank=True, validators=[validators.URLValidator()]
    )
    # For template applications, this can be set to /static/authentik/applications/*
    meta_icon = models.FileField(
        upload_to="application-icons/", default=None, null=True
    )
    meta_description = models.TextField(default="", blank=True)
    meta_publisher = models.TextField(default="", blank=True)

    @property
    def get_meta_icon(self) -> Optional[str]:
        """Get the URL to the App Icon image. If the name is /static or starts with http
        it is returned as-is.

        Returns None when no icon is set. The pass-through test is a plain
        string-prefix match on the stored file name, not a URL parse.
        """
        if not self.meta_icon:
            return None
        icon_name = self.meta_icon.name
        passthrough_prefixes = ("http", "/static")
        if icon_name.startswith(passthrough_prefixes):
            return icon_name
        return self.meta_icon.url

    def get_launch_url(self) -> Optional[str]:
        """Get launch URL if set, otherwise attempt to get launch URL based on provider.

        Returns None when neither an explicit ``meta_launch_url`` nor a provider
        is configured, or when the provider has no ``launch_url``.
        """
        explicit_url = self.meta_launch_url
        if explicit_url:
            return explicit_url
        if not self.provider:
            return None
        return self.get_provider().launch_url

    def get_provider(self) -> Optional[Provider]:
        """Get casted provider instance.

        Resolves the linked base ``Provider`` row to its concrete subclass via
        the ``InheritanceManager``; None when no provider is linked.
        """
        if not self.provider:
            return None
        provider_pk = self.provider.pk
        return Provider.objects.get_subclass(pk=provider_pk)

    def __str__(self):
        return self.name

    class Meta:
        verbose_name = _("Application")
        verbose_name_plural = _("Applications")


class SourceUserMatchingModes(models.TextChoices):
    """Different modes a source can handle new/returning users.

    The ``*_LINK`` modes attach a login from the source to an existing local
    user purely because an email or username matches, i.e. they trust the
    source's claim about that attribute; the ``*_DENY`` modes refuse the
    enrollment on such a collision instead.
    """

    # Match on the identifier the source itself provides; no linking by
    # shared attributes.
    IDENTIFIER = "identifier", _("Use the source-specific identifier")
    EMAIL_LINK = "email_link", _(
        (
            "Link to a user with identical email address. Can have security implications "
            "when a source doesn't validate email addresses."
        )
    )
    EMAIL_DENY = "email_deny", _(
        "Use the user's email address, but deny enrollment when the email address already exists."
    )
    USERNAME_LINK = "username_link", _(
        (
            "Link to a user with identical username address. Can have security implications "
            "when a username is used with another source."
        )
    )
    USERNAME_DENY = "username_deny", _(
        "Use the user's username, but deny enrollment when the username already exists."
    )


class Source(ManagedModel, SerializerModel, PolicyBindingModel):
    """Base Authentication source, i.e. an OAuth Provider, SAML Remote or LDAP Server"""

    name = models.TextField(help_text=_("Source's display Name."))
    slug = models.SlugField(
        help_text=_("Internal source name, used in URLs."), unique=True
    )

    enabled = models.BooleanField(default=True)
    property_mappings = models.ManyToManyField(
        "PropertyMapping", default=None, blank=True
    )

    # Both flows are optional; deleting a flow only clears the reference here.
    authentication_flow = models.ForeignKey(
        Flow,
        blank=True,
        null=True,
        default=None,
        on_delete=models.SET_NULL,
        help_text=_("Flow to use when authenticating existing users."),
        related_name="source_authentication",
    )
    enrollment_flow = models.ForeignKey(
        Flow,
        blank=True,
        null=True,
        default=None,
        on_delete=models.SET_NULL,
        help_text=_("Flow to use when enrolling new users."),
        related_name="source_enrollment",
    )

    # Controls whether a login from this source is matched to an existing user
    # or enrols a new one; the ``*_LINK`` modes carry the trust implications
    # described on ``SourceUserMatchingModes``.
    user_matching_mode = models.TextField(
        choices=SourceUserMatchingModes.choices,
        default=SourceUserMatchingModes.IDENTIFIER,
        help_text=_(
            (
                "How the source determines if an existing user should be authenticated or "
                "a new user enrolled."
            )
        ),
    )

    objects = InheritanceManager()

    @property
    def component(self) -> str:
        """Return component used to edit this object"""
        # Must be overridden by every concrete source.
        raise NotImplementedError

    @property
    def ui_login_button(self) -> Optional[UILoginButton]:
        """If source uses a http-based flow, return UI Information about the login
        button. If source doesn't use http-based flow, return None."""
        # Base implementation shows no button; http-based sources override this.
        return None

    @property
    def ui_user_settings(self) -> Optional[UserSettingSerializer]:
        """Entrypoint to integrate with User settings. Can either return None if no
        user settings are available, or UserSettingSerializer."""
        # Base implementation exposes no user settings.
        return None

    def __str__(self):
        return self.name


class UserSourceConnection(CreatedUpdatedModel):
    """Connection between User and Source.

    Through-model for ``User.sources``; at most one row per (user, source)
    pair. The base row carries only the link itself — source-specific
    connection types are expected to subclass it (hence the
    ``InheritanceManager``).
    """

    # Removing either end removes the connection.
    user = models.ForeignKey(User, on_delete=models.CASCADE)
    source = models.ForeignKey(Source, on_delete=models.CASCADE)

    objects = InheritanceManager()

    class Meta:
        unique_together = (("user", "source"),)


class ExpiringModel(models.Model):
    """Base Model which can expire, and is automatically cleaned up.

    ``expiring=False`` marks a row that never expires regardless of
    ``expires``. The clean-up itself is not implemented in this module.
    """

    expires = models.DateTimeField(default=default_token_duration)
    expiring = models.BooleanField(default=True)

    @classmethod
    def filter_not_expired(cls, **kwargs) -> QuerySet:
        """Filter for tokens which are not expired yet or are not expiring,
        and match filters in `kwargs`.

        A row counts as expired when ``expiring`` is set and ``expires`` lies
        strictly before ``now()``; all other rows pass, after which ``kwargs``
        are applied as a regular ``filter()``.
        """
        already_expired = Q(expiring=True) & Q(expires__lt=now())
        alive = cls.objects.exclude(already_expired)
        return alive.filter(**kwargs)

    @property
    def is_expired(self) -> bool:
        """Check if token is expired yet.

        Mirrors ``filter_not_expired``: never expired when ``expiring`` is
        false, otherwise expired once ``expires`` is in the past.
        """
        return self.expiring and now() > self.expires

    class Meta:
        abstract = True


class TokenIntents(models.TextChoices):
    """Intents a Token can be created for.

    Stored in ``Token.intent``; ``INTENT_VERIFICATION`` is the default.
    """

    # Single use token
    INTENT_VERIFICATION = "verification"

    # Allow access to API
    INTENT_API = "api"

    # Recovery use for the recovery app
    INTENT_RECOVERY = "recovery"


class Token(ManagedModel, ExpiringModel):
    """Token used to authenticate the User for API Access or confirm another Stage like Email.

    ``key`` is the bearer secret: it is stored as written (no hashing happens
    in this module) and indexed for lookup, and ``Meta`` declares a
    ``view_token_key`` permission for callers to gate read access to it.
    ``user`` uses ``related_name="+"``, so ``User`` gets no reverse accessor.
    """

    token_uuid = models.UUIDField(primary_key=True, editable=False, default=uuid4)
    identifier = models.SlugField(max_length=255, unique=True)
    # Defaults to a random UUID4 hex string; handle like a password in logs and UI.
    key = models.TextField(default=default_token_key)
    intent = models.TextField(
        choices=TokenIntents.choices, default=TokenIntents.INTENT_VERIFICATION
    )
    user = models.ForeignKey("User", on_delete=models.CASCADE, related_name="+")
    description = models.TextField(default="", blank=True)

    def __str__(self):
        # Deliberately does not include ``key``.
        parts = [f"{self.identifier}"]
        if self.expiring:
            parts.append(f" (expires={self.expires})")
        return "".join(parts)

    class Meta:
        verbose_name = _("Token")
        verbose_name_plural = _("Tokens")
        indexes = [
            models.Index(fields=["identifier"]),
            models.Index(fields=["key"]),
        ]
        permissions = (("view_token_key", "View token's key"),)


class PropertyMapping(SerializerModel, ManagedModel):
    """User-defined key -> x mapping which can be used by providers to expose extra data.

    ``expression`` is evaluated as code by ``PropertyMappingEvaluator`` (the
    ``SyntaxError`` handling in ``evaluate`` implies it is parsed as source),
    so anyone who can edit a mapping effectively runs code in the evaluator's
    context; treat write access to this model as privileged.
    """

    pm_uuid = models.UUIDField(primary_key=True, editable=False, default=uuid4)
    name = models.TextField()
    expression = models.TextField()

    objects = InheritanceManager()

    @property
    def component(self) -> str:
        """Return component used to edit this object"""
        # Must be overridden by every concrete mapping type.
        raise NotImplementedError

    @property
    def serializer(self) -> Type[Serializer]:
        """Get serializer for this model"""
        # Must be overridden by every concrete mapping type.
        raise NotImplementedError

    def evaluate(
        self, user: Optional[User], request: Optional[HttpRequest], **kwargs
    ) -> Any:
        """Evaluate `self.expression` using `**kwargs` as Context.

        ``user``, ``request`` and this mapping are placed in the evaluator's
        context together with ``kwargs``. ``ValueError`` and ``SyntaxError``
        from the evaluator are wrapped in ``PropertyMappingExpressionException``;
        any other exception raised by the expression propagates unchanged.
        """
        # Imported here rather than at module level, presumably to avoid a
        # circular import with authentik.core.expression.
        from authentik.core.expression import PropertyMappingEvaluator

        evaluator = PropertyMappingEvaluator()
        evaluator.set_context(user, request, self, **kwargs)
        try:
            result = evaluator.evaluate(self.expression)
        except (ValueError, SyntaxError) as exc:
            raise PropertyMappingExpressionException from exc
        return result

    def __str__(self):
        return f"Property Mapping {self.name}"

    class Meta:
        verbose_name = _("Property Mapping")
        verbose_name_plural = _("Property Mappings")


class AuthenticatedSession(ExpiringModel):
    """Additional session class for authenticated users. Augments the standard django session
    to achieve the following:
    - Make it queryable by user
    - Have a direct connection to user objects
    - Allow users to view their own sessions and terminate them
    - Save structured and well-defined information.

    ``session_key`` references the Django session by its key; ``expires``
    (inherited from ``ExpiringModel``) is copied from the Django session's
    expiry date in ``from_request``.
    """

    uuid = models.UUIDField(default=uuid4, primary_key=True)

    session_key = models.CharField(max_length=40)
    user = models.ForeignKey(User, on_delete=models.CASCADE)

    # ``last_ip`` is whatever ``get_client_ip`` resolves; how trustworthy that
    # is depends on how the helper treats proxy headers (see that helper).
    # ``last_user_agent`` is the raw, unvalidated client header.
    last_ip = models.TextField()
    last_user_agent = models.TextField(blank=True)
    last_used = models.DateTimeField(auto_now=True)

    @staticmethod
    def from_request(
        request: HttpRequest, user: User
    ) -> Optional["AuthenticatedSession"]:
        """Create a new session from a http request.

        Returns None when the request has no ``session`` attribute or the
        session has no key yet. The returned instance is not saved; the caller
        persists it.
        """
        if not hasattr(request, "session"):
            return None
        django_session = request.session
        if not django_session.session_key:
            return None
        user_agent = request.META.get("HTTP_USER_AGENT", "")
        return AuthenticatedSession(
            session_key=django_session.session_key,
            user=user,
            last_ip=get_client_ip(request),
            last_user_agent=user_agent,
            expires=django_session.get_expiry_date(),
        )