From 4acbda2b777154bf4bde008978c92cfce56bb235 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Tue, 4 May 2021 18:45:28 +0200
Subject: [PATCH] core: improve messaging on flow_manager, authenticate user when they linked their account after not having been authenticateed
Signed-off-by: Jens Langhammer
---
 Makefile                               |  4 ++--
 authentik/core/sources/flow_manager.py | 21 ++++++++++++++++++---
 azure-pipelines.yml                    |  2 +-
 internal/web/web_proxy.go              |  6 ++++++
 website/docs/releases/v2021.4.md       |  5 ++---
 5 files changed, 29 insertions(+), 9 deletions(-)

diff --git a/Makefile b/Makefile
index edac5dc10..b5ee0fe50 100644
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,4 @@
-all: lint-fix lint coverage gen
+all: lint-fix lint test gen
 
 test-integration:
 	k3d cluster create || exit 0
@@ -8,7 +8,7 @@ test-integration:
 test-e2e:
 	coverage run manage.py test --failfast -v 3 tests/e2e
 
-coverage:
+test:
 	coverage run manage.py test -v 3 authentik
 	coverage html
 	coverage report
diff --git a/authentik/core/sources/flow_manager.py b/authentik/core/sources/flow_manager.py
index c6f5b9795..6d650ec77 100644
--- a/authentik/core/sources/flow_manager.py
+++ b/authentik/core/sources/flow_manager.py
@@ -134,7 +134,9 @@ class SourceFlowManager:
             SourceUserMatchingModes.EMAIL_DENY,
             SourceUserMatchingModes.USERNAME_DENY,
         ]:
+            self._logger.info("denying source because user exists", user=user)
             return Action.DENY, None
+        # Should never get here as default enroll case is returned above.
         return Action.DENY, None
 
     def update_connection(
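Review bot: The trailing `return Action.DENY, None` is a fail-closed fallback for a matching mode the chain above did not handle, but it denies silently, so a misconfigured or newly added mode would surface only as users being bounced to "/" with nothing in the logs. The deny branch just above it now logs; the fallback should too, e.g. `self._logger.warning("unhandled user matching mode, denying source", user=user)` (if `user` is bound on that path), and the comment could state the intent: `# Fail closed: every matching mode should have returned above; deny anything unrecognised.` Note that `user=user` puts the matched user object into an info-level log line, so the log sink should be treated as holding account identifiers. get_action starts before this hunk.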
@@ -146,17 +148,25 @@ class SourceFlowManager:
     def get_flow(self, **kwargs) -> HttpResponse:
         """Get the flow response based on user_matching_mode"""
         action, connection = self.get_action()
-        if action == Action.LINK:
-            self._logger.debug("Linking existing user")
-            return self.handle_existing_user_link()
         if not connection:
             return redirect("/")
+        if action == Action.LINK:
+            self._logger.debug("Linking existing user")
+            return self.handle_existing_user_link(connection)
         if action == Action.AUTH:
             self._logger.debug("Handling auth user")
             return self.handle_auth_user(connection)
         if action == Action.ENROLL:
             self._logger.debug("Handling enrollment of new user")
             return self.handle_enroll(connection)
+        # Default case, assume deny
+        messages.error(
+            self.request,
+            _(
+                "Request to authenticate with %(source)s has been denied!"
+                % {"source": self.source.name}
+            ),
+        )
         return redirect("/")
 
     # pylint: disable=unused-argument
@@ -216,9 +226,11 @@ class SourceFlowManager:
 
     def handle_existing_user_link(
         self,
+        connection: UserSourceConnection,
     ) -> HttpResponse:
         """Handler when the user was already authenticated and linked an external source
         to their account."""
+        # Connection has already been saved
         Event.new(
             EventAction.SOURCE_LINKED,
             message="Linked Source",
@@ -228,6 +240,9 @@ class SourceFlowManager:
             self.request,
             _("Successfully linked %(source)s!" % {"source": self.source.name}),
         )
+        # When request isn't authenticated we jump straight to auth
+        if not self.request.user.is_authenticated:
+            return self.handle_auth_user(connection)
         return redirect(
             reverse(
                 "authentik_core:if-admin",
diff --git a/azure-pipelines.yml b/azure-pipelines.yml
index ef87c26b8..ecc29ab41 100644
--- a/azure-pipelines.yml
+++ b/azure-pipelines.yml
@@ -201,7 +201,7 @@ stages:
             displayName: Run full test suite
             inputs:
               script: |
-                pipenv run make coverage
+                pipenv run make test
           - task: CmdLine@2
             inputs:
               script: |
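Review bot: The new "has been denied!" message is unreachable for the deny paths this commit touches: both `Action.DENY` returns in the previous hunk carry `None` as the connection, so `if not connection: return redirect("/")` at the top of get_flow sends the user home before the default case runs, and the stated aim of improving deny messaging is not met. Handle the deny/no-connection case first and emit the message there, leaving the trailing `return redirect("/")` for a genuinely unknown action. While moving it, fix the translation call: `_("..." % {...})` interpolates before the catalogue lookup, so the msgid never matches; use `_("...%(source)s...") % {"source": ...}` (the existing "Successfully linked" message has the same flaw). `self.source.name` is admin-controlled and, assuming the messages template autoescapes, poses no injection concern here.
```python
        action, connection = self.get_action()
        if action == Action.DENY or not connection:
            messages.error(
                self.request,
                _("Request to authenticate with %(source)s has been denied!")
                % {"source": self.source.name},
            )
            return redirect("/")
        # … unchanged: LINK / AUTH / ENROLL dispatch …
        # Unknown action: fail closed without claiming a policy denial
        return redirect("/")
```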
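Review bot: The new `connection` parameter and the precondition behind `# Connection has already been saved` belong in the docstring, since get_flow now hands over the connection returned by get_action and this method presumably relies on `connection.user` already being bound to the account being linked. Suggest extending the docstring with a parameter line such as `connection: the already-persisted UserSourceConnection tying this source's identifier to the linking user.` The method continues past this hunk.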
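Review bot: The new fallthrough to `handle_auth_user(connection)` for an unauthenticated request runs after a SOURCE_LINKED event has already been recorded and a "Successfully linked" message queued, yet the conditions under which get_action yields `Action.LINK` for a request without a session are not visible in this patch. If LINK can be produced for an anonymous request, then `connection.user` was bound from something other than the session, and logging that user in should be gated on the binding coming from a deterministic identifier match rather than a freshly created connection; if it cannot, the branch is dead and the comment should say so. Either way, state the precondition, e.g. `# LINK without a session: get_action bound connection.user via the source's matching rules, so finish by logging that user in`, and consider queuing the success message only after handle_auth_user, since the account is not authenticated at this point. Both handle_existing_user_link and handle_auth_user extend outside the hunk.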
diff --git a/internal/web/web_proxy.go b/internal/web/web_proxy.go
index af0d8d694..9bcd03d15 100644
--- a/internal/web/web_proxy.go
+++ b/internal/web/web_proxy.go
@@ -11,6 +11,7 @@ func (ws *WebServer) configureProxy() {
 	u, _ := url.Parse("http://localhost:8000")
 	rp := httputil.NewSingleHostReverseProxy(u)
 	rp.ErrorHandler = ws.proxyErrorHandler
+	rp.ModifyResponse = ws.proxyModifyResponse
 	ws.m.PathPrefix("/").Handler(rp)
 }
 
@@ -18,3 +19,8 @@ func (ws *WebServer) proxyErrorHandler(rw http.ResponseWriter, req *http.Request
 	ws.log.WithError(err).Warning("proxy error")
 	rw.WriteHeader(http.StatusBadGateway)
 }
+
+func (ws *WebServer) proxyModifyResponse(r *http.Response) error {
+	r.Header.Set("X-authentik-from", "authentik")
+	return nil
+}
diff --git a/website/docs/releases/v2021.4.md b/website/docs/releases/v2021.4.md
index e307306b4..120691f6c 100644
--- a/website/docs/releases/v2021.4.md
+++ b/website/docs/releases/v2021.4.md
@@ -40,7 +40,6 @@ slug: "2021.4"
 
 - You can now specify the amount of processes started in docker-compose using the `WORKERS` environment variable.
 
-
 ## Fixed in 2021.4.2
 
 - core: fix propertymapping API returning invalid value for components (https://github.com/goauthentik/authentik/issues/746)
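Review bot: `proxyModifyResponse` stamps `X-authentik-from` on every response relayed from the backend, including error responses, and `http.Header.Set` canonicalises the key, so the header on the wire is `X-Authentik-From`; anything on the receiving side that compares the raw name case-sensitively should expect that form. The header also announces the product to every client, so if its purpose is for an internal component to detect that it sits behind authentik's server, say so in a doc comment, e.g. `// proxyModifyResponse tags every backend response with X-Authentik-From so downstream components can tell the reply came via this server; it never returns an error, so ErrorHandler is not triggered from here.` The first hunk still ignores the error from `url.Parse`, though that line is unchanged context.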
@@ -134,8 +133,8 @@ This release does not introduce any new requirements.
 
 ### docker-compose
 
-Download the latest docker-compose file from [here](https://raw.githubusercontent.com/goauthentik/authentik/version-2021.4/docker-compose.yml). Afterwards, simply run `docker-compose up -d` and then the standard upgrade command of `docker-compose run --rm server migrate`.
+Download the latest docker-compose file from [here](https://raw.githubusercontent.com/goauthentik/authentik/version-2021.4/docker-compose.yml). Afterwards, simply run `docker-compose up -d`.
 
 ### Kubernetes
 
-Run `helm repo update` and then upgrade your release with `helm upgrade authentik authentik/authentik --devel -f values.yaml`.
+Run `helm repo update` and then upgrade your release with `helm upgrade authentik authentik/authentik -f values.yaml`.