policies: remove deprecated group_membership policy

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

authentik/api/v2/urls.py

@@ -38,7 +38,6 @@ from authentik.policies.dummy.api import DummyPolicyViewSet
 from authentik.policies.event_matcher.api import EventMatcherPolicyViewSet
 from authentik.policies.expiry.api import PasswordExpiryPolicyViewSet
 from authentik.policies.expression.api import ExpressionPolicyViewSet
-from authentik.policies.group_membership.api import GroupMembershipPolicyViewSet
 from authentik.policies.hibp.api import HaveIBeenPwendPolicyViewSet
 from authentik.policies.password.api import PasswordPolicyViewSet
 from authentik.policies.reputation.api import (
@@ -134,7 +133,6 @@ router.register("policies/all", PolicyViewSet)
 router.register("policies/bindings", PolicyBindingViewSet)
 router.register("policies/expression", ExpressionPolicyViewSet)
 router.register("policies/event_matcher", EventMatcherPolicyViewSet)
-router.register("policies/group_membership", GroupMembershipPolicyViewSet)
 router.register("policies/haveibeenpwned", HaveIBeenPwendPolicyViewSet)
 router.register("policies/password_expiry", PasswordExpiryPolicyViewSet)
 router.register("policies/password", PasswordPolicyViewSet)

authentik/flows/api/flows.py

@@ -6,7 +6,7 @@ from django.db.models import Model
 from django.http.response import HttpResponseBadRequest, JsonResponse
 from django.shortcuts import get_object_or_404
 from drf_yasg2 import openapi
-from drf_yasg2.utils import no_body, swagger_auto_schema, unset
+from drf_yasg2.utils import no_body, swagger_auto_schema
 from guardian.shortcuts import get_objects_for_user
 from rest_framework.decorators import action
 from rest_framework.exceptions import PermissionDenied

authentik/policies/event_matcher/migrations/0012_auto_20210323_1339.py

@@ -0,0 +1,83 @@
+# Generated by Django 3.1.7 on 2021-03-23 13:39
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_policies_event_matcher", "0011_auto_20210302_0856"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="eventmatcherpolicy",
+            name="app",
+            field=models.TextField(
+                blank=True,
+                choices=[
+                    ("authentik.admin", "authentik Admin"),
+                    ("authentik.api", "authentik API"),
+                    ("authentik.events", "authentik Events"),
+                    ("authentik.crypto", "authentik Crypto"),
+                    ("authentik.flows", "authentik Flows"),
+                    ("authentik.outposts", "authentik Outpost"),
+                    ("authentik.lib", "authentik lib"),
+                    ("authentik.policies", "authentik Policies"),
+                    ("authentik.policies.dummy", "authentik Policies.Dummy"),
+                    (
+                        "authentik.policies.event_matcher",
+                        "authentik Policies.Event Matcher",
+                    ),
+                    ("authentik.policies.expiry", "authentik Policies.Expiry"),
+                    ("authentik.policies.expression", "authentik Policies.Expression"),
+                    ("authentik.policies.hibp", "authentik Policies.HaveIBeenPwned"),
+                    ("authentik.policies.password", "authentik Policies.Password"),
+                    ("authentik.policies.reputation", "authentik Policies.Reputation"),
+                    ("authentik.providers.proxy", "authentik Providers.Proxy"),
+                    ("authentik.providers.oauth2", "authentik Providers.OAuth2"),
+                    ("authentik.providers.saml", "authentik Providers.SAML"),
+                    ("authentik.recovery", "authentik Recovery"),
+                    ("authentik.sources.ldap", "authentik Sources.LDAP"),
+                    ("authentik.sources.oauth", "authentik Sources.OAuth"),
+                    ("authentik.sources.saml", "authentik Sources.SAML"),
+                    (
+                        "authentik.stages.authenticator_static",
+                        "authentik Stages.Authenticator.Static",
+                    ),
+                    (
+                        "authentik.stages.authenticator_totp",
+                        "authentik Stages.Authenticator.TOTP",
+                    ),
+                    (
+                        "authentik.stages.authenticator_validate",
+                        "authentik Stages.Authenticator.Validate",
+                    ),
+                    (
+                        "authentik.stages.authenticator_webauthn",
+                        "authentik Stages.Authenticator.WebAuthn",
+                    ),
+                    ("authentik.stages.captcha", "authentik Stages.Captcha"),
+                    ("authentik.stages.consent", "authentik Stages.Consent"),
+                    ("authentik.stages.deny", "authentik Stages.Deny"),
+                    ("authentik.stages.dummy", "authentik Stages.Dummy"),
+                    ("authentik.stages.email", "authentik Stages.Email"),
+                    (
+                        "authentik.stages.identification",
+                        "authentik Stages.Identification",
+                    ),
+                    ("authentik.stages.invitation", "authentik Stages.User Invitation"),
+                    ("authentik.stages.password", "authentik Stages.Password"),
+                    ("authentik.stages.prompt", "authentik Stages.Prompt"),
+                    ("authentik.stages.user_delete", "authentik Stages.User Delete"),
+                    ("authentik.stages.user_login", "authentik Stages.User Login"),
+                    ("authentik.stages.user_logout", "authentik Stages.User Logout"),
+                    ("authentik.stages.user_write", "authentik Stages.User Write"),
+                    ("authentik.managed", "authentik Managed"),
+                    ("authentik.core", "authentik Core"),
+                ],
+                default="",
+                help_text="Match events created by selected application. When left empty, all applications are matched.",
+            ),
+        ),
+    ]

authentik/policies/group_membership/api.py

@@ -1,22 +0,0 @@
-"""Group Membership Policy API"""
-from rest_framework.viewsets import ModelViewSet
-
-from authentik.policies.api import PolicySerializer
-from authentik.policies.group_membership.models import GroupMembershipPolicy
-
-
-class GroupMembershipPolicySerializer(PolicySerializer):
-    """Group Membership Policy Serializer"""
-
-    class Meta:
-        model = GroupMembershipPolicy
-        fields = PolicySerializer.Meta.fields + [
-            "group",
-        ]
-
-
-class GroupMembershipPolicyViewSet(ModelViewSet):
-    """Group Membership Policy Viewset"""
-
-    queryset = GroupMembershipPolicy.objects.all()
-    serializer_class = GroupMembershipPolicySerializer

authentik/policies/group_membership/apps.py

@@ -1,11 +0,0 @@
-"""authentik Group Membership policy app config"""
-
-from django.apps import AppConfig
-
-
-class AuthentikPoliciesGroupMembershipConfig(AppConfig):
-    """authentik Group Membership policy app config"""
-
-    name = "authentik.policies.group_membership"
-    label = "authentik_policies_group_membership"
-    verbose_name = "authentik Policies.Group Membership"

authentik/policies/group_membership/forms.py

@@ -1,23 +0,0 @@
-"""authentik Group Membership Policy forms"""
-
-from django import forms
-
-from authentik.core.models import Group
-from authentik.policies.forms import PolicyForm
-from authentik.policies.group_membership.models import GroupMembershipPolicy
-
-
-class GroupMembershipPolicyForm(PolicyForm):
-    """GroupMembershipPolicy Form"""
-
-    group = forms.ModelChoiceField(queryset=Group.objects.all().order_by("name"))
-
-    class Meta:
-
-        model = GroupMembershipPolicy
-        fields = PolicyForm.Meta.fields + [
-            "group",
-        ]
-        widgets = {
-            "name": forms.TextInput(),
-        }

authentik/policies/group_membership/migrations/0001_initial.py

@@ -1,47 +0,0 @@
-# Generated by Django 3.0.7 on 2020-07-01 19:01
-
-import django.db.models.deletion
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    initial = True
-
-    dependencies = [
-        ("authentik_policies", "0002_auto_20200528_1647"),
-        ("authentik_core", "0003_default_user"),
-    ]
-
-    operations = [
-        migrations.CreateModel(
-            name="GroupMembershipPolicy",
-            fields=[
-                (
-                    "policy_ptr",
-                    models.OneToOneField(
-                        auto_created=True,
-                        on_delete=django.db.models.deletion.CASCADE,
-                        parent_link=True,
-                        primary_key=True,
-                        serialize=False,
-                        to="authentik_policies.Policy",
-                    ),
-                ),
-                (
-                    "group",
-                    models.ForeignKey(
-                        blank=True,
-                        null=True,
-                        on_delete=django.db.models.deletion.SET_NULL,
-                        to="authentik_core.Group",
-                    ),
-                ),
-            ],
-            options={
-                "verbose_name": "Group Membership Policy",
-                "verbose_name_plural": "Group Membership Policies",
-            },
-            bases=("authentik_policies.policy",),
-        ),
-    ]

authentik/policies/group_membership/migrations/0002_auto_20210211_1924.py

@@ -1,20 +0,0 @@
-# Generated by Django 3.1.6 on 2021-02-11 19:24
-
-from django.db import migrations
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_policies_group_membership", "0001_initial"),
-    ]
-
-    operations = [
-        migrations.AlterModelOptions(
-            name="groupmembershippolicy",
-            options={
-                "verbose_name": "Group Membership Policy (deprecated)",
-                "verbose_name_plural": "Group Membership Policies",
-            },
-        ),
-    ]

authentik/policies/group_membership/models.py

@@ -1,40 +0,0 @@
-"""user field matcher models"""
-from typing import Type
-
-from django.db import models
-from django.forms import ModelForm
-from django.utils.translation import gettext as _
-from rest_framework.serializers import BaseSerializer
-
-from authentik.core.models import Group
-from authentik.policies.models import Policy
-from authentik.policies.types import PolicyRequest, PolicyResult
-
-
-class GroupMembershipPolicy(Policy):
-    """Check that the user is member of the selected group. **DEPRECATED**
-    Assign the group directly in a binding instead of using this policy."""
-
-    group = models.ForeignKey(Group, null=True, blank=True, on_delete=models.SET_NULL)
-
-    @property
-    def serializer(self) -> BaseSerializer:
-        from authentik.policies.group_membership.api import (
-            GroupMembershipPolicySerializer,
-        )
-
-        return GroupMembershipPolicySerializer
-
-    @property
-    def form(self) -> Type[ModelForm]:
-        from authentik.policies.group_membership.forms import GroupMembershipPolicyForm
-
-        return GroupMembershipPolicyForm
-
-    def passes(self, request: PolicyRequest) -> PolicyResult:
-        return PolicyResult(self.group.users.filter(pk=request.user.pk).exists())
-
-    class Meta:
-
-        verbose_name = _("Group Membership Policy (deprecated)")
-        verbose_name_plural = _("Group Membership Policies")

authentik/policies/group_membership/tests.py

@@ -1,32 +0,0 @@
-"""evaluator tests"""
-from django.test import TestCase
-from guardian.shortcuts import get_anonymous_user
-
-from authentik.core.models import Group
-from authentik.policies.group_membership.models import GroupMembershipPolicy
-from authentik.policies.types import PolicyRequest
-
-
-class TestGroupMembershipPolicy(TestCase):
-    """GroupMembershipPolicy tests"""
-
-    def setUp(self):
-        self.request = PolicyRequest(user=get_anonymous_user())
-
-    def test_invalid(self):
-        """user not in group"""
-        group = Group.objects.create(name="test")
-        policy: GroupMembershipPolicy = GroupMembershipPolicy.objects.create(
-            group=group
-        )
-        self.assertFalse(policy.passes(self.request).passing)
-
-    def test_valid(self):
-        """user in group"""
-        group = Group.objects.create(name="test")
-        group.users.add(get_anonymous_user())
-        group.save()
-        policy: GroupMembershipPolicy = GroupMembershipPolicy.objects.create(
-            group=group
-        )
-        self.assertTrue(policy.passes(self.request).passing)

authentik/root/settings.py

@@ -97,7 +97,6 @@ INSTALLED_APPS = [
     "authentik.policies.event_matcher.apps.AuthentikPoliciesEventMatcherConfig",
     "authentik.policies.expiry.apps.AuthentikPolicyExpiryConfig",
     "authentik.policies.expression.apps.AuthentikPolicyExpressionConfig",
-    "authentik.policies.group_membership.apps.AuthentikPoliciesGroupMembershipConfig",
     "authentik.policies.hibp.apps.AuthentikPolicyHIBPConfig",
     "authentik.policies.password.apps.AuthentikPoliciesPasswordConfig",
     "authentik.policies.reputation.apps.AuthentikPolicyReputationConfig",

swagger.yaml

@@ -4852,148 +4852,6 @@ paths:
         required: true
         type: string
         format: uuid
-  /policies/group_membership/:
-    get:
-      operationId: policies_group_membership_list
-      description: Group Membership Policy Viewset
-      parameters:
-        - name: ordering
-          in: query
-          description: Which field to use when ordering the results.
-          required: false
-          type: string
-        - name: search
-          in: query
-          description: A search term.
-          required: false
-          type: string
-        - name: page
-          in: query
-          description: Page Index
-          required: false
-          type: integer
-        - name: page_size
-          in: query
-          description: Page Size
-          required: false
-          type: integer
-      responses:
-        '200':
-          description: ''
-          schema:
-            required:
-              - results
-              - pagination
-            type: object
-            properties:
-              pagination:
-                required:
-                  - next
-                  - previous
-                  - count
-                  - current
-                  - total_pages
-                  - start_index
-                  - end_index
-                type: object
-                properties:
-                  next:
-                    type: number
-                  previous:
-                    type: number
-                  count:
-                    type: number
-                  current:
-                    type: number
-                  total_pages:
-                    type: number
-                  start_index:
-                    type: number
-                  end_index:
-                    type: number
-              results:
-                type: array
-                items:
-                  $ref: '#/definitions/GroupMembershipPolicy'
-      tags:
-        - policies
-    post:
-      operationId: policies_group_membership_create
-      description: Group Membership Policy Viewset
-      parameters:
-        - name: data
-          in: body
-          required: true
-          schema:
-            $ref: '#/definitions/GroupMembershipPolicy'
-      responses:
-        '201':
-          description: ''
-          schema:
-            $ref: '#/definitions/GroupMembershipPolicy'
-      tags:
-        - policies
-    parameters: []
-  /policies/group_membership/{policy_uuid}/:
-    get:
-      operationId: policies_group_membership_read
-      description: Group Membership Policy Viewset
-      parameters: []
-      responses:
-        '200':
-          description: ''
-          schema:
-            $ref: '#/definitions/GroupMembershipPolicy'
-      tags:
-        - policies
-    put:
-      operationId: policies_group_membership_update
-      description: Group Membership Policy Viewset
-      parameters:
-        - name: data
-          in: body
-          required: true
-          schema:
-            $ref: '#/definitions/GroupMembershipPolicy'
-      responses:
-        '200':
-          description: ''
-          schema:
-            $ref: '#/definitions/GroupMembershipPolicy'
-      tags:
-        - policies
-    patch:
-      operationId: policies_group_membership_partial_update
-      description: Group Membership Policy Viewset
-      parameters:
-        - name: data
-          in: body
-          required: true
-          schema:
-            $ref: '#/definitions/GroupMembershipPolicy'
-      responses:
-        '200':
-          description: ''
-          schema:
-            $ref: '#/definitions/GroupMembershipPolicy'
-      tags:
-        - policies
-    delete:
-      operationId: policies_group_membership_delete
-      description: Group Membership Policy Viewset
-      parameters: []
-      responses:
-        '204':
-          description: ''
-      tags:
-        - policies
-    parameters:
-      - name: policy_uuid
-        in: path
-        description: A UUID string identifying this Group Membership Policy (deprecated).
-        required: true
-        type: string
-        format: uuid
   /policies/haveibeenpwned/:
     get:
       operationId: policies_haveibeenpwned_list
@@ -12629,7 +12487,6 @@ definitions:
           - authentik.policies.event_matcher
           - authentik.policies.expiry
           - authentik.policies.expression
-          - authentik.policies.group_membership
           - authentik.policies.hibp
           - authentik.policies.password
           - authentik.policies.reputation
@@ -12699,45 +12556,6 @@ definitions:
         title: Expression
         type: string
         minLength: 1
-  GroupMembershipPolicy:
-    description: Group Membership Policy Serializer
-    type: object
-    properties:
-      pk:
-        title: Policy uuid
-        type: string
-        format: uuid
-        readOnly: true
-      name:
-        title: Name
-        type: string
-        x-nullable: true
-      execution_logging:
-        title: Execution logging
-        description: When this option is enabled, all executions of this policy will
-          be logged. By default, only execution errors are logged.
-        type: boolean
-      object_type:
-        title: Object type
-        type: string
-        readOnly: true
-      verbose_name:
-        title: Verbose name
-        type: string
-        readOnly: true
-      verbose_name_plural:
-        title: Verbose name plural
-        type: string
-        readOnly: true
-      bound_to:
-        title: Bound to
-        type: integer
-        readOnly: true
-      group:
-        title: Group
-        type: string
-        format: uuid
-        x-nullable: true
   HaveIBeenPwendPolicy:
     description: Have I Been Pwned Policy Serializer
     type: object