From 4cf76fdcdaf6728a0d5a144497d53c1652c5d8ba Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Mon, 23 Aug 2021 16:38:46 +0200
Subject: [PATCH] stages/password: auto-enable app password backend
Signed-off-by: Jens Langhammer
---
 .../migrations/0028_alter_token_intent.py | 26 ++++++++++
 .../flows/migrations/0008_default_flows.py | 4 +-
 authentik/stages/password/__init__.py | 2 +-
 .../password/migrations/0007_app_password.py | 52 +++++++++++++++++++
 authentik/stages/password/models.py | 4 +-
 5 files changed, 83 insertions(+), 5 deletions(-)
 create mode 100644 authentik/core/migrations/0028_alter_token_intent.py
 create mode 100644 authentik/stages/password/migrations/0007_app_password.py
diff --git a/authentik/core/migrations/0028_alter_token_intent.py b/authentik/core/migrations/0028_alter_token_intent.py
new file mode 100644
index 000000000..77fe3e0a1
--- /dev/null
+++ b/authentik/core/migrations/0028_alter_token_intent.py
@@ -0,0 +1,26 @@
+# Generated by Django 3.2.6 on 2021-08-23 14:35
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+ dependencies = [
+ ("authentik_core", "0027_bootstrap_token"),
+ ]
+
+ operations = [
+ migrations.AlterField(
+ model_name="token",
+ name="intent",
+ field=models.TextField(
+ choices=[
+ ("verification", "Intent Verification"),
+ ("api", "Intent Api"),
+ ("recovery", "Intent Recovery"),
+ ("app_password", "Intent App Password"),
+ ],
+ default="verification",
+ ),
+ ),
+ ]
diff --git a/authentik/flows/migrations/0008_default_flows.py b/authentik/flows/migrations/0008_default_flows.py
index 8de070f80..e2498b6c5 100644
--- a/authentik/flows/migrations/0008_default_flows.py
+++ b/authentik/flows/migrations/0008_default_flows.py
@@ -6,7 +6,7 @@ from django.db.backends.base.schema import BaseDatabaseSchemaEditor
 from authentik.flows.models import FlowDesignation
 from authentik.stages.identification.models import UserFields
-from authentik.stages.password import BACKEND_DJANGO, BACKEND_LDAP
+from authentik.stages.password import BACKEND_APP_PASSWORD, BACKEND_DJANGO, BACKEND_LDAP
 def create_default_authentication_flow(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
@@ -26,7 +26,7 @@ def create_default_authentication_flow(apps: Apps, schema_editor: BaseDatabaseSc
 password_stage, _ = PasswordStage.objects.using(db_alias).update_or_create(
 name="default-authentication-password",
- defaults={"backends": [BACKEND_DJANGO, BACKEND_LDAP]},
+ defaults={"backends": [BACKEND_DJANGO, BACKEND_LDAP, BACKEND_APP_PASSWORD]},
 )
 login_stage, _ = UserLoginStage.objects.using(db_alias).update_or_create(
diff --git a/authentik/stages/password/__init__.py b/authentik/stages/password/__init__.py
index 2bfdc92e1..fe333bd84 100644
--- a/authentik/stages/password/__init__.py
+++ b/authentik/stages/password/__init__.py
@@ -1,4 +1,4 @@
 """Backend paths"""
 BACKEND_DJANGO = "django.contrib.auth.backends.ModelBackend"
 BACKEND_LDAP = "authentik.sources.ldap.auth.LDAPBackend"
-BACKEND_TOKEN = "authentik.core.token_auth.TokenBackend" # nosec
+BACKEND_APP_PASSWORD = "authentik.core.token_auth.TokenBackend" # nosec
diff --git a/authentik/stages/password/migrations/0007_app_password.py b/authentik/stages/password/migrations/0007_app_password.py
new file mode 100644
index 000000000..168424c95
--- /dev/null
+++ b/authentik/stages/password/migrations/0007_app_password.py
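Review bot: With `BACKEND_APP_PASSWORD` added to the `defaults` of `default-authentication-password` in this already-released migration, a fresh install appears to end up with the backend listed twice, because `0007_app_password` declares a dependency on `0008_default_flows` and its `update_default_backends` appends the same value unconditionally. The append there should be guarded with `if BACKEND_APP_PASSWORD not in stage.backends:` before `stage.backends.append(BACKEND_APP_PASSWORD)`, so the upgrade path and the fresh-install path converge on a single entry. Both migrations also import the constant from `authentik.stages.password`, which this same commit renames from `BACKEND_TOKEN`; a later rename would break them, so a literal dotted path inside the migration is more durable. `create_default_authentication_flow` continues outside the hunk.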
@@ -0,0 +1,52 @@
+# Generated by Django 3.2.6 on 2021-08-23 14:34
+import django.contrib.postgres.fields
+from django.apps.registry import Apps
+from django.db import migrations, models
+from django.db.backends.base.schema import BaseDatabaseSchemaEditor
+
+from authentik.stages.password import BACKEND_APP_PASSWORD
+
+
+def update_default_backends(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
+ PasswordStage = apps.get_model("authentik_stages_password", "passwordstage")
+ db_alias = schema_editor.connection.alias
+
+ stages = PasswordStage.objects.using(db_alias).filter(name="default-authentication-password")
+ if not stages.exists():
+ return
+ stage = stages.first()
+ stage.backends.append(BACKEND_APP_PASSWORD)
+ stage.save()
+
+
+class Migration(migrations.Migration):
+
+ dependencies = [
+ ("authentik_flows", "0008_default_flows"),
+ ("authentik_stages_password", "0006_passwordchange_rename"),
+ ]
+
+ operations = [
+ migrations.AlterField(
+ model_name="passwordstage",
+ name="backends",
+ field=django.contrib.postgres.fields.ArrayField(
+ base_field=models.TextField(
+ choices=[
+ (
+ "django.contrib.auth.backends.ModelBackend",
+ "User database + standard password",
+ ),
+ ("authentik.core.token_auth.TokenBackend", "User database + app passwords"),
+ (
+ "authentik.sources.ldap.auth.LDAPBackend",
+ "User database + LDAP password",
+ ),
+ ]
+ ),
+ help_text="Selection of backends to test the password against.",
+ size=None,
+ ),
+ ),
+ migrations.RunPython(update_default_backends),
+ ]
diff --git a/authentik/stages/password/models.py b/authentik/stages/password/models.py
index 66fd5d043..50932f29e 100644
--- a/authentik/stages/password/models.py
+++ b/authentik/stages/password/models.py
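Review bot: `update_default_backends` switches on app-password authentication for any existing `default-authentication-password` stage during upgrade, including installs where an administrator had deliberately narrowed `backends`, and nothing in the migration records that it widens the set of accepted credentials. Add a docstring such as `"""Enable the app-password backend on the default password stage; upgraded installs start accepting app-password tokens at login."""` and call the change out in the release notes. `TokenBackend` is not part of this diff, so confirm it only accepts unexpired tokens whose intent is `app_password`, since the `intent` choices in `0028_alter_token_intent` show API and recovery tokens living in the same model. The step also has no reverse function; `migrations.RunPython(update_default_backends, migrations.RunPython.noop)` keeps the migration reversible.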
@@ -9,7 +9,7 @@ from rest_framework.serializers import BaseSerializer
 from authentik.core.types import UserSettingSerializer
 from authentik.flows.models import ConfigurableStage, Stage
-from authentik.stages.password import BACKEND_DJANGO, BACKEND_LDAP, BACKEND_TOKEN
+from authentik.stages.password import BACKEND_APP_PASSWORD, BACKEND_DJANGO, BACKEND_LDAP
 def get_authentication_backends():
@@ -20,7 +20,7 @@ def get_authentication_backends():
 _("User database + standard password"),
 ),
 (
- BACKEND_TOKEN,
+ BACKEND_APP_PASSWORD,
 _("User database + app passwords"),
 ),
 (