policies: remove deprecated group_membership policy
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
parent
6961089425
commit
0671d712fa
|
@ -38,7 +38,6 @@ from authentik.policies.dummy.api import DummyPolicyViewSet
|
|||
from authentik.policies.event_matcher.api import EventMatcherPolicyViewSet
|
||||
from authentik.policies.expiry.api import PasswordExpiryPolicyViewSet
|
||||
from authentik.policies.expression.api import ExpressionPolicyViewSet
|
||||
from authentik.policies.group_membership.api import GroupMembershipPolicyViewSet
|
||||
from authentik.policies.hibp.api import HaveIBeenPwendPolicyViewSet
|
||||
from authentik.policies.password.api import PasswordPolicyViewSet
|
||||
from authentik.policies.reputation.api import (
|
||||
|
@ -134,7 +133,6 @@ router.register("policies/all", PolicyViewSet)
|
|||
router.register("policies/bindings", PolicyBindingViewSet)
|
||||
router.register("policies/expression", ExpressionPolicyViewSet)
|
||||
router.register("policies/event_matcher", EventMatcherPolicyViewSet)
|
||||
router.register("policies/group_membership", GroupMembershipPolicyViewSet)
|
||||
router.register("policies/haveibeenpwned", HaveIBeenPwendPolicyViewSet)
|
||||
router.register("policies/password_expiry", PasswordExpiryPolicyViewSet)
|
||||
router.register("policies/password", PasswordPolicyViewSet)
|
||||
|
|
|
@ -6,7 +6,7 @@ from django.db.models import Model
|
|||
from django.http.response import HttpResponseBadRequest, JsonResponse
|
||||
from django.shortcuts import get_object_or_404
|
||||
from drf_yasg2 import openapi
|
||||
from drf_yasg2.utils import no_body, swagger_auto_schema, unset
|
||||
from drf_yasg2.utils import no_body, swagger_auto_schema
|
||||
from guardian.shortcuts import get_objects_for_user
|
||||
from rest_framework.decorators import action
|
||||
from rest_framework.exceptions import PermissionDenied
|
||||
|
|
|
@ -0,0 +1,83 @@
|
|||
# Generated by Django 3.1.7 on 2021-03-23 13:39
|
||||
|
||||
from django.db import migrations, models
|
||||
|
||||
|
||||
class Migration(migrations.Migration):
|
||||
|
||||
dependencies = [
|
||||
("authentik_policies_event_matcher", "0011_auto_20210302_0856"),
|
||||
]
|
||||
|
||||
operations = [
|
||||
migrations.AlterField(
|
||||
model_name="eventmatcherpolicy",
|
||||
name="app",
|
||||
field=models.TextField(
|
||||
blank=True,
|
||||
choices=[
|
||||
("authentik.admin", "authentik Admin"),
|
||||
("authentik.api", "authentik API"),
|
||||
("authentik.events", "authentik Events"),
|
||||
("authentik.crypto", "authentik Crypto"),
|
||||
("authentik.flows", "authentik Flows"),
|
||||
("authentik.outposts", "authentik Outpost"),
|
||||
("authentik.lib", "authentik lib"),
|
||||
("authentik.policies", "authentik Policies"),
|
||||
("authentik.policies.dummy", "authentik Policies.Dummy"),
|
||||
(
|
||||
"authentik.policies.event_matcher",
|
||||
"authentik Policies.Event Matcher",
|
||||
),
|
||||
("authentik.policies.expiry", "authentik Policies.Expiry"),
|
||||
("authentik.policies.expression", "authentik Policies.Expression"),
|
||||
("authentik.policies.hibp", "authentik Policies.HaveIBeenPwned"),
|
||||
("authentik.policies.password", "authentik Policies.Password"),
|
||||
("authentik.policies.reputation", "authentik Policies.Reputation"),
|
||||
("authentik.providers.proxy", "authentik Providers.Proxy"),
|
||||
("authentik.providers.oauth2", "authentik Providers.OAuth2"),
|
||||
("authentik.providers.saml", "authentik Providers.SAML"),
|
||||
("authentik.recovery", "authentik Recovery"),
|
||||
("authentik.sources.ldap", "authentik Sources.LDAP"),
|
||||
("authentik.sources.oauth", "authentik Sources.OAuth"),
|
||||
("authentik.sources.saml", "authentik Sources.SAML"),
|
||||
(
|
||||
"authentik.stages.authenticator_static",
|
||||
"authentik Stages.Authenticator.Static",
|
||||
),
|
||||
(
|
||||
"authentik.stages.authenticator_totp",
|
||||
"authentik Stages.Authenticator.TOTP",
|
||||
),
|
||||
(
|
||||
"authentik.stages.authenticator_validate",
|
||||
"authentik Stages.Authenticator.Validate",
|
||||
),
|
||||
(
|
||||
"authentik.stages.authenticator_webauthn",
|
||||
"authentik Stages.Authenticator.WebAuthn",
|
||||
),
|
||||
("authentik.stages.captcha", "authentik Stages.Captcha"),
|
||||
("authentik.stages.consent", "authentik Stages.Consent"),
|
||||
("authentik.stages.deny", "authentik Stages.Deny"),
|
||||
("authentik.stages.dummy", "authentik Stages.Dummy"),
|
||||
("authentik.stages.email", "authentik Stages.Email"),
|
||||
(
|
||||
"authentik.stages.identification",
|
||||
"authentik Stages.Identification",
|
||||
),
|
||||
("authentik.stages.invitation", "authentik Stages.User Invitation"),
|
||||
("authentik.stages.password", "authentik Stages.Password"),
|
||||
("authentik.stages.prompt", "authentik Stages.Prompt"),
|
||||
("authentik.stages.user_delete", "authentik Stages.User Delete"),
|
||||
("authentik.stages.user_login", "authentik Stages.User Login"),
|
||||
("authentik.stages.user_logout", "authentik Stages.User Logout"),
|
||||
("authentik.stages.user_write", "authentik Stages.User Write"),
|
||||
("authentik.managed", "authentik Managed"),
|
||||
("authentik.core", "authentik Core"),
|
||||
],
|
||||
default="",
|
||||
help_text="Match events created by selected application. When left empty, all applications are matched.",
|
||||
),
|
||||
),
|
||||
]
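Review bot: Nothing in this commit carries existing GroupMembershipPolicy objects forward. This new migration only rewrites the `choices` of `eventmatcherpolicy.app`, while the group_membership app, its model and both of its migrations are deleted in other sections of the commit. That policy gated access on group membership, and the page does not show how the policy engine treats a binding whose policy type no longer exists, so the access decision for such bindings after upgrade is not defined by anything visible here. I would add a data migration (a `migrations.RunPython` step that runs while the model is still importable) that converts each such binding into a direct group binding, as the removed model docstring recommends, and only then remove the model and its table. Failing that, the release notes should tell operators to convert these policies before upgrading and to check the affected bindings afterwards.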
|
|
@ -1,22 +0,0 @@
|
|||
"""Group Membership Policy API"""
|
||||
from rest_framework.viewsets import ModelViewSet
|
||||
|
||||
from authentik.policies.api import PolicySerializer
|
||||
from authentik.policies.group_membership.models import GroupMembershipPolicy
|
||||
|
||||
|
||||
class GroupMembershipPolicySerializer(PolicySerializer):
|
||||
"""Group Membership Policy Serializer"""
|
||||
|
||||
class Meta:
|
||||
model = GroupMembershipPolicy
|
||||
fields = PolicySerializer.Meta.fields + [
|
||||
"group",
|
||||
]
|
||||
|
||||
|
||||
class GroupMembershipPolicyViewSet(ModelViewSet):
|
||||
"""Group Membership Policy Viewset"""
|
||||
|
||||
queryset = GroupMembershipPolicy.objects.all()
|
||||
serializer_class = GroupMembershipPolicySerializer
|
|
@ -1,11 +0,0 @@
|
|||
"""authentik Group Membership policy app config"""
|
||||
|
||||
from django.apps import AppConfig
|
||||
|
||||
|
||||
class AuthentikPoliciesGroupMembershipConfig(AppConfig):
|
||||
"""authentik Group Membership policy app config"""
|
||||
|
||||
name = "authentik.policies.group_membership"
|
||||
label = "authentik_policies_group_membership"
|
||||
verbose_name = "authentik Policies.Group Membership"
|
|
@ -1,23 +0,0 @@
|
|||
"""authentik Group Membership Policy forms"""
|
||||
|
||||
from django import forms
|
||||
|
||||
from authentik.core.models import Group
|
||||
from authentik.policies.forms import PolicyForm
|
||||
from authentik.policies.group_membership.models import GroupMembershipPolicy
|
||||
|
||||
|
||||
class GroupMembershipPolicyForm(PolicyForm):
|
||||
"""GroupMembershipPolicy Form"""
|
||||
|
||||
group = forms.ModelChoiceField(queryset=Group.objects.all().order_by("name"))
|
||||
|
||||
class Meta:
|
||||
|
||||
model = GroupMembershipPolicy
|
||||
fields = PolicyForm.Meta.fields + [
|
||||
"group",
|
||||
]
|
||||
widgets = {
|
||||
"name": forms.TextInput(),
|
||||
}
|
|
@ -1,47 +0,0 @@
|
|||
# Generated by Django 3.0.7 on 2020-07-01 19:01
|
||||
|
||||
import django.db.models.deletion
|
||||
from django.db import migrations, models
|
||||
|
||||
|
||||
class Migration(migrations.Migration):
|
||||
|
||||
initial = True
|
||||
|
||||
dependencies = [
|
||||
("authentik_policies", "0002_auto_20200528_1647"),
|
||||
("authentik_core", "0003_default_user"),
|
||||
]
|
||||
|
||||
operations = [
|
||||
migrations.CreateModel(
|
||||
name="GroupMembershipPolicy",
|
||||
fields=[
|
||||
(
|
||||
"policy_ptr",
|
||||
models.OneToOneField(
|
||||
auto_created=True,
|
||||
on_delete=django.db.models.deletion.CASCADE,
|
||||
parent_link=True,
|
||||
primary_key=True,
|
||||
serialize=False,
|
||||
to="authentik_policies.Policy",
|
||||
),
|
||||
),
|
||||
(
|
||||
"group",
|
||||
models.ForeignKey(
|
||||
blank=True,
|
||||
null=True,
|
||||
on_delete=django.db.models.deletion.SET_NULL,
|
||||
to="authentik_core.Group",
|
||||
),
|
||||
),
|
||||
],
|
||||
options={
|
||||
"verbose_name": "Group Membership Policy",
|
||||
"verbose_name_plural": "Group Membership Policies",
|
||||
},
|
||||
bases=("authentik_policies.policy",),
|
||||
),
|
||||
]
|
|
@ -1,20 +0,0 @@
|
|||
# Generated by Django 3.1.6 on 2021-02-11 19:24
|
||||
|
||||
from django.db import migrations
|
||||
|
||||
|
||||
class Migration(migrations.Migration):
|
||||
|
||||
dependencies = [
|
||||
("authentik_policies_group_membership", "0001_initial"),
|
||||
]
|
||||
|
||||
operations = [
|
||||
migrations.AlterModelOptions(
|
||||
name="groupmembershippolicy",
|
||||
options={
|
||||
"verbose_name": "Group Membership Policy (deprecated)",
|
||||
"verbose_name_plural": "Group Membership Policies",
|
||||
},
|
||||
),
|
||||
]
|
|
@ -1,40 +0,0 @@
|
|||
"""user field matcher models"""
|
||||
from typing import Type
|
||||
|
||||
from django.db import models
|
||||
from django.forms import ModelForm
|
||||
from django.utils.translation import gettext as _
|
||||
from rest_framework.serializers import BaseSerializer
|
||||
|
||||
from authentik.core.models import Group
|
||||
from authentik.policies.models import Policy
|
||||
from authentik.policies.types import PolicyRequest, PolicyResult
|
||||
|
||||
|
||||
class GroupMembershipPolicy(Policy):
|
||||
"""Check that the user is member of the selected group. **DEPRECATED**
|
||||
Assign the group directly in a binding instead of using this policy."""
|
||||
|
||||
group = models.ForeignKey(Group, null=True, blank=True, on_delete=models.SET_NULL)
|
||||
|
||||
@property
|
||||
def serializer(self) -> BaseSerializer:
|
||||
from authentik.policies.group_membership.api import (
|
||||
GroupMembershipPolicySerializer,
|
||||
)
|
||||
|
||||
return GroupMembershipPolicySerializer
|
||||
|
||||
@property
|
||||
def form(self) -> Type[ModelForm]:
|
||||
from authentik.policies.group_membership.forms import GroupMembershipPolicyForm
|
||||
|
||||
return GroupMembershipPolicyForm
|
||||
|
||||
def passes(self, request: PolicyRequest) -> PolicyResult:
|
||||
return PolicyResult(self.group.users.filter(pk=request.user.pk).exists())
|
||||
|
||||
class Meta:
|
||||
|
||||
verbose_name = _("Group Membership Policy (deprecated)")
|
||||
verbose_name_plural = _("Group Membership Policies")
|
|
@ -1,32 +0,0 @@
|
|||
"""evaluator tests"""
|
||||
from django.test import TestCase
|
||||
from guardian.shortcuts import get_anonymous_user
|
||||
|
||||
from authentik.core.models import Group
|
||||
from authentik.policies.group_membership.models import GroupMembershipPolicy
|
||||
from authentik.policies.types import PolicyRequest
|
||||
|
||||
|
||||
class TestGroupMembershipPolicy(TestCase):
|
||||
"""GroupMembershipPolicy tests"""
|
||||
|
||||
def setUp(self):
|
||||
self.request = PolicyRequest(user=get_anonymous_user())
|
||||
|
||||
def test_invalid(self):
|
||||
"""user not in group"""
|
||||
group = Group.objects.create(name="test")
|
||||
policy: GroupMembershipPolicy = GroupMembershipPolicy.objects.create(
|
||||
group=group
|
||||
)
|
||||
self.assertFalse(policy.passes(self.request).passing)
|
||||
|
||||
def test_valid(self):
|
||||
"""user in group"""
|
||||
group = Group.objects.create(name="test")
|
||||
group.users.add(get_anonymous_user())
|
||||
group.save()
|
||||
policy: GroupMembershipPolicy = GroupMembershipPolicy.objects.create(
|
||||
group=group
|
||||
)
|
||||
self.assertTrue(policy.passes(self.request).passing)
|
|
@ -97,7 +97,6 @@ INSTALLED_APPS = [
|
|||
"authentik.policies.event_matcher.apps.AuthentikPoliciesEventMatcherConfig",
|
||||
"authentik.policies.expiry.apps.AuthentikPolicyExpiryConfig",
|
||||
"authentik.policies.expression.apps.AuthentikPolicyExpressionConfig",
|
||||
"authentik.policies.group_membership.apps.AuthentikPoliciesGroupMembershipConfig",
|
||||
"authentik.policies.hibp.apps.AuthentikPolicyHIBPConfig",
|
||||
"authentik.policies.password.apps.AuthentikPoliciesPasswordConfig",
|
||||
"authentik.policies.reputation.apps.AuthentikPolicyReputationConfig",
|
||||
|
|
182
swagger.yaml
182
swagger.yaml
|
@ -4852,148 +4852,6 @@ paths:
|
|||
required: true
|
||||
type: string
|
||||
format: uuid
|
||||
/policies/group_membership/:
|
||||
get:
|
||||
operationId: policies_group_membership_list
|
||||
description: Group Membership Policy Viewset
|
||||
parameters:
|
||||
- name: ordering
|
||||
in: query
|
||||
description: Which field to use when ordering the results.
|
||||
required: false
|
||||
type: string
|
||||
- name: search
|
||||
in: query
|
||||
description: A search term.
|
||||
required: false
|
||||
type: string
|
||||
- name: page
|
||||
in: query
|
||||
description: Page Index
|
||||
required: false
|
||||
type: integer
|
||||
- name: page_size
|
||||
in: query
|
||||
description: Page Size
|
||||
required: false
|
||||
type: integer
|
||||
responses:
|
||||
'200':
|
||||
description: ''
|
||||
schema:
|
||||
required:
|
||||
- results
|
||||
- pagination
|
||||
type: object
|
||||
properties:
|
||||
pagination:
|
||||
required:
|
||||
- next
|
||||
- previous
|
||||
- count
|
||||
- current
|
||||
- total_pages
|
||||
- start_index
|
||||
- end_index
|
||||
type: object
|
||||
properties:
|
||||
next:
|
||||
type: number
|
||||
previous:
|
||||
type: number
|
||||
count:
|
||||
type: number
|
||||
current:
|
||||
type: number
|
||||
total_pages:
|
||||
type: number
|
||||
start_index:
|
||||
type: number
|
||||
end_index:
|
||||
type: number
|
||||
results:
|
||||
type: array
|
||||
items:
|
||||
$ref: '#/definitions/GroupMembershipPolicy'
|
||||
tags:
|
||||
- policies
|
||||
post:
|
||||
operationId: policies_group_membership_create
|
||||
description: Group Membership Policy Viewset
|
||||
parameters:
|
||||
- name: data
|
||||
in: body
|
||||
required: true
|
||||
schema:
|
||||
$ref: '#/definitions/GroupMembershipPolicy'
|
||||
responses:
|
||||
'201':
|
||||
description: ''
|
||||
schema:
|
||||
$ref: '#/definitions/GroupMembershipPolicy'
|
||||
tags:
|
||||
- policies
|
||||
parameters: []
|
||||
/policies/group_membership/{policy_uuid}/:
|
||||
get:
|
||||
operationId: policies_group_membership_read
|
||||
description: Group Membership Policy Viewset
|
||||
parameters: []
|
||||
responses:
|
||||
'200':
|
||||
description: ''
|
||||
schema:
|
||||
$ref: '#/definitions/GroupMembershipPolicy'
|
||||
tags:
|
||||
- policies
|
||||
put:
|
||||
operationId: policies_group_membership_update
|
||||
description: Group Membership Policy Viewset
|
||||
parameters:
|
||||
- name: data
|
||||
in: body
|
||||
required: true
|
||||
schema:
|
||||
$ref: '#/definitions/GroupMembershipPolicy'
|
||||
responses:
|
||||
'200':
|
||||
description: ''
|
||||
schema:
|
||||
$ref: '#/definitions/GroupMembershipPolicy'
|
||||
tags:
|
||||
- policies
|
||||
patch:
|
||||
operationId: policies_group_membership_partial_update
|
||||
description: Group Membership Policy Viewset
|
||||
parameters:
|
||||
- name: data
|
||||
in: body
|
||||
required: true
|
||||
schema:
|
||||
$ref: '#/definitions/GroupMembershipPolicy'
|
||||
responses:
|
||||
'200':
|
||||
description: ''
|
||||
schema:
|
||||
$ref: '#/definitions/GroupMembershipPolicy'
|
||||
tags:
|
||||
- policies
|
||||
delete:
|
||||
operationId: policies_group_membership_delete
|
||||
description: Group Membership Policy Viewset
|
||||
parameters: []
|
||||
responses:
|
||||
'204':
|
||||
description: ''
|
||||
tags:
|
||||
- policies
|
||||
parameters:
|
||||
- name: policy_uuid
|
||||
in: path
|
||||
description: A UUID string identifying this Group Membership Policy (deprecated).
|
||||
required: true
|
||||
type: string
|
||||
format: uuid
|
||||
/policies/haveibeenpwned/:
|
||||
get:
|
||||
operationId: policies_haveibeenpwned_list
|
||||
|
@ -12629,7 +12487,6 @@ definitions:
|
|||
- authentik.policies.event_matcher
|
||||
- authentik.policies.expiry
|
||||
- authentik.policies.expression
|
||||
- authentik.policies.group_membership
|
||||
- authentik.policies.hibp
|
||||
- authentik.policies.password
|
||||
- authentik.policies.reputation
|
||||
|
@ -12699,45 +12556,6 @@ definitions:
|
|||
title: Expression
|
||||
type: string
|
||||
minLength: 1
|
||||
GroupMembershipPolicy:
|
||||
description: Group Membership Policy Serializer
|
||||
type: object
|
||||
properties:
|
||||
pk:
|
||||
title: Policy uuid
|
||||
type: string
|
||||
format: uuid
|
||||
readOnly: true
|
||||
name:
|
||||
title: Name
|
||||
type: string
|
||||
x-nullable: true
|
||||
execution_logging:
|
||||
title: Execution logging
|
||||
description: When this option is enabled, all executions of this policy will
|
||||
be logged. By default, only execution errors are logged.
|
||||
type: boolean
|
||||
object_type:
|
||||
title: Object type
|
||||
type: string
|
||||
readOnly: true
|
||||
verbose_name:
|
||||
title: Verbose name
|
||||
type: string
|
||||
readOnly: true
|
||||
verbose_name_plural:
|
||||
title: Verbose name plural
|
||||
type: string
|
||||
readOnly: true
|
||||
bound_to:
|
||||
title: Bound to
|
||||
type: integer
|
||||
readOnly: true
|
||||
group:
|
||||
title: Group
|
||||
type: string
|
||||
format: uuid
|
||||
x-nullable: true
|
||||
HaveIBeenPwendPolicy:
|
||||
description: Have I Been Pwned Policy Serializer
|
||||
type: object
|
||||
|
|