core: improve messaging on flow_manager, authenticate user when they linked their account after not having been authenticateed

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-05-04 18:45:28 +02:00 · 2021-05-04 18:45:28 +02:00 · 4acbda2b77
parent 83cfb5f8c2
commit 4acbda2b77
5 changed files with 29 additions and 9 deletions
--- a/4
+++ b/4
@ -1,4 +1,4 @@
-all: lint-fix lint coverage gen
+all: lint-fix lint test gen

 test-integration:
 	k3d cluster create || exit 0
@ -8,7 +8,7 @@ test-integration:
 test-e2e:
 	coverage run manage.py test --failfast -v 3 tests/e2e

-coverage:
+test:
 	coverage run manage.py test -v 3 authentik
 	coverage html
 	coverage report
--- a/authentik/core/sources/flow_manager.py
+++ b/authentik/core/sources/flow_manager.py
@ -134,7 +134,9 @@ class SourceFlowManager:
            SourceUserMatchingModes.EMAIL_DENY,
            SourceUserMatchingModes.USERNAME_DENY,
        ]:
+            self._logger.info("denying source because user exists", user=user)
            return Action.DENY, None
+        # Should never get here as default enroll case is returned above.
        return Action.DENY, None

    def update_connection(
@ -146,17 +148,25 @@ class SourceFlowManager:
    def get_flow(self, **kwargs) -> HttpResponse:
        """Get the flow response based on user_matching_mode"""
        action, connection = self.get_action()
-        if action == Action.LINK:
-            self._logger.debug("Linking existing user")
-            return self.handle_existing_user_link()
        if not connection:
            return redirect("/")
+        if action == Action.LINK:
+            self._logger.debug("Linking existing user")
+            return self.handle_existing_user_link(connection)
        if action == Action.AUTH:
            self._logger.debug("Handling auth user")
            return self.handle_auth_user(connection)
        if action == Action.ENROLL:
            self._logger.debug("Handling enrollment of new user")
            return self.handle_enroll(connection)
+        # Default case, assume deny
+        messages.error(
+            self.request,
+            _(
+                "Request to authenticate with %(source)s has been denied!"
+                % {"source": self.source.name}
+            ),
+        )
        return redirect("/")

    # pylint: disable=unused-argument
@ -216,9 +226,11 @@ class SourceFlowManager:

    def handle_existing_user_link(
        self,
+        connection: UserSourceConnection,
    ) -> HttpResponse:
        """Handler when the user was already authenticated and linked an external source
        to their account."""
+        # Connection has already been saved
        Event.new(
            EventAction.SOURCE_LINKED,
            message="Linked Source",
@ -228,6 +240,9 @@ class SourceFlowManager:
            self.request,
            _("Successfully linked %(source)s!" % {"source": self.source.name}),
        )
+        # When request isn't authenticated we jump straight to auth
+        if not self.request.user.is_authenticated:
+            return self.handle_auth_user(connection)
        return redirect(
            reverse(
                "authentik_core:if-admin",
--- a/azure-pipelines.yml
+++ b/azure-pipelines.yml
@ -201,7 +201,7 @@ stages:
            displayName: Run full test suite
            inputs:
              script: |
-                pipenv run make coverage
+                pipenv run make test
          - task: CmdLine@2
            inputs:
              script: |
--- a/internal/web/web_proxy.go
+++ b/internal/web/web_proxy.go
@ -11,6 +11,7 @@ func (ws *WebServer) configureProxy() {
 	u, _ := url.Parse("http://localhost:8000")
 	rp := httputil.NewSingleHostReverseProxy(u)
 	rp.ErrorHandler = ws.proxyErrorHandler
+	rp.ModifyResponse = ws.proxyModifyResponse
 	ws.m.PathPrefix("/").Handler(rp)
 }

@ -18,3 +19,8 @@ func (ws *WebServer) proxyErrorHandler(rw http.ResponseWriter, req *http.Request
 	ws.log.WithError(err).Warning("proxy error")
 	rw.WriteHeader(http.StatusBadGateway)
 }
+
+func (ws *WebServer) proxyModifyResponse(r *http.Response) error {
+	r.Header.Set("X-authentik-from", "authentik")
+	return nil
+}
--- a/website/docs/releases/v2021.4.md
+++ b/website/docs/releases/v2021.4.md
@ -40,7 +40,6 @@ slug: "2021.4"

 - You can now specify the amount of processes started in docker-compose using the `WORKERS` environment variable.

-
 ## Fixed in 2021.4.2

 - core: fix propertymapping API returning invalid value for components (https://github.com/goauthentik/authentik/issues/746)
@ -134,8 +133,8 @@ This release does not introduce any new requirements.

 ### docker-compose

-Download the latest docker-compose file from [here](https://raw.githubusercontent.com/goauthentik/authentik/version-2021.4/docker-compose.yml). Afterwards, simply run `docker-compose up -d` and then the standard upgrade command of `docker-compose run --rm server migrate`.
+Download the latest docker-compose file from [here](https://raw.githubusercontent.com/goauthentik/authentik/version-2021.4/docker-compose.yml). Afterwards, simply run `docker-compose up -d`.

 ### Kubernetes

-Run `helm repo update` and then upgrade your release with `helm upgrade authentik authentik/authentik --devel -f values.yaml`.
+Run `helm repo update` and then upgrade your release with `helm upgrade authentik authentik/authentik -f values.yaml`.