trustchain-oc1-orchestral
/
authentik
Archived
10
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

blueprints: docs (#3376) 

* further blueprint cleanup

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* more

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* make group users and parent optional

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* fix api client usage

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
Jens L 2022-08-06 00:52:12 +02:00 committed by GitHub
parent 85640d402f
commit 89fef0ae72
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
29 changed files with 165 additions and 322 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
authentik/blueprints/management/commands/schema_template.json
View File

@ -57,6 +57,7 @@
"description": "Commonly available field, may not exist on all models"
}
},
"default": {},
"additionalProperties": true
},
"identifiers": {

2
authentik/blueprints/v1/common.py
View File

@ -40,7 +40,7 @@ class BlueprintEntry:
identifiers: dict[str, Any]
model: str
attrs: dict[str, Any]
attrs: Optional[dict[str, Any]] = field(default_factory=dict)
# pylint: disable=invalid-name
id: Optional[str] = None

5
authentik/core/api/groups.py
View File

@ -62,6 +62,11 @@ class GroupSerializer(ModelSerializer):
"attributes",
"users_obj",
]
extra_kwargs = {
"users": {
"default": list,
}
}
class GroupFilter(FilterSet):

26
authentik/core/migrations/0022_alter_group_parent.py Normal file
View File

@ -0,0 +1,26 @@
# Generated by Django 4.0.6 on 2022-08-05 22:01
import django.db.models.deletion
from django.db import migrations, models
class Migration(migrations.Migration):
dependencies = [
("authentik_core", "0021_source_user_path_user_path"),
]
operations = [
migrations.AlterField(
model_name="group",
name="parent",
field=models.ForeignKey(
blank=True,
default=None,
null=True,
on_delete=django.db.models.deletion.SET_NULL,
related_name="children",
to="authentik_core.group",
),
),
]

1
authentik/core/models.py
View File

@ -82,6 +82,7 @@ class Group(SerializerModel):
"Group",
blank=True,
null=True,
default=None,
on_delete=models.SET_NULL,
related_name="children",
)

30
blueprints/default/0-flow-password-change.yaml
View File

@ -1,12 +1,10 @@
version: 1
metadata:
name: Default - Password change flow
entries:
- attrs:
compatibility_mode: false
designation: stage_configuration
layout: stacked
name: Change Password
policy_engine_mode: all
title: Change password
identifiers:
slug: default-password-change
@ -17,7 +15,6 @@ entries:
placeholder: Password
placeholder_expression: false
required: true
sub_text: ''
type: password
identifiers:
field_key: password
@ -29,7 +26,6 @@ entries:
placeholder: Password (repeat)
placeholder_expression: false
required: true
sub_text: ''
type: password
identifiers:
field_key: password_repeat
@ -40,39 +36,21 @@ entries:
fields:
- !KeyOf prompt-field-password
- !KeyOf prompt-field-password-repeat
meta_model_name: authentik_stages_prompt.promptstage
validation_policies: []
identifiers:
name: default-password-change-prompt
id: default-password-change-prompt
model: authentik_stages_prompt.promptstage
- attrs:
create_users_as_inactive: false
create_users_group: null
meta_model_name: authentik_stages_user_write.userwritestage
user_path_template: ''
identifiers:
- identifiers:
name: default-password-change-write
id: default-password-change-write
model: authentik_stages_user_write.userwritestage
- attrs:
evaluate_on_plan: true
invalid_response_action: retry
policy_engine_mode: all
re_evaluate_policies: false
identifiers:
- identifiers:
order: 0
stage: !KeyOf default-password-change-prompt
target: !KeyOf flow
model: authentik_flows.flowstagebinding
- attrs:
evaluate_on_plan: true
invalid_response_action: retry
policy_engine_mode: all
re_evaluate_policies: false
identifiers:
- identifiers:
order: 1
stage: !KeyOf default-password-change-write
target: !KeyOf flow
model: authentik_flows.flowstagebinding
version: 1

43
blueprints/default/10-flow-default-authentication-flow.yaml
View File

@ -1,13 +1,11 @@
version: 1
metadata:
name: Default - Authentication flow
entries:
- attrs:
cache_count: 1
compatibility_mode: false
designation: authentication
layout: stacked
name: Welcome to authentik!
policy_engine_mode: all
title: Welcome to authentik!
identifiers:
slug: default-authentication-flow
@ -21,32 +19,23 @@ entries:
- authentik.core.auth.TokenBackend
configure_flow: !Find [authentik_flows.flow, [slug, default-password-change]]
failed_attempts_before_cancel: 5
meta_model_name: authentik_stages_password.passwordstage
identifiers:
name: default-authentication-password
id: default-authentication-password
model: authentik_stages_password.passwordstage
- attrs:
configuration_stages: []
device_classes:
- static
- totp
- webauthn
- duo
- sms
last_auth_threshold: seconds=0
meta_model_name: authentik_stages_authenticator_validate.authenticatorvalidatestage
not_configured_action: skip
identifiers:
name: default-authentication-mfa-validation
id: default-authentication-mfa-validation
model: authentik_stages_authenticator_validate.authenticatorvalidatestage
- attrs:
case_insensitive_matching: true
meta_model_name: authentik_stages_identification.identificationstage
show_matched_user: true
show_source_labels: false
sources: []
user_fields:
- email
- username
@ -55,50 +44,28 @@ entries:
id: default-authentication-identification
model: authentik_stages_identification.identificationstage
- attrs:
meta_model_name: authentik_stages_user_login.userloginstage
session_duration: seconds=0
identifiers:
name: default-authentication-login
id: default-authentication-login
model: authentik_stages_user_login.userloginstage
- attrs:
evaluate_on_plan: true
invalid_response_action: retry
policy_engine_mode: all
re_evaluate_policies: false
identifiers:
- identifiers:
order: 10
stage: !KeyOf default-authentication-identification
target: !KeyOf flow
model: authentik_flows.flowstagebinding
- attrs:
evaluate_on_plan: true
invalid_response_action: retry
policy_engine_mode: all
re_evaluate_policies: false
identifiers:
- identifiers:
order: 20
stage: !KeyOf default-authentication-password
target: !KeyOf flow
model: authentik_flows.flowstagebinding
- attrs:
evaluate_on_plan: true
invalid_response_action: retry
policy_engine_mode: any
re_evaluate_policies: false
identifiers:
- identifiers:
order: 30
stage: !KeyOf default-authentication-mfa-validation
target: !KeyOf flow
model: authentik_flows.flowstagebinding
- attrs:
evaluate_on_plan: true
invalid_response_action: retry
policy_engine_mode: all
re_evaluate_policies: false
identifiers:
- identifiers:
order: 100
stage: !KeyOf default-authentication-login
target: !KeyOf flow
model: authentik_flows.flowstagebinding
version: 1

17
blueprints/default/10-flow-default-invalidation-flow.yaml
View File

@ -1,32 +1,21 @@
version: 1
metadata:
name: Default - Invalidation flow
entries:
- attrs:
compatibility_mode: false
designation: invalidation
layout: stacked
name: Logout
policy_engine_mode: all
title: Default Invalidation Flow
identifiers:
pk: 46979d76-94d3-43b5-ad07-43e924c15d2c
slug: default-invalidation-flow
model: authentik_flows.flow
id: flow
- attrs:
meta_model_name: authentik_stages_user_logout.userlogoutstage
identifiers:
- identifiers:
name: default-invalidation-logout
id: default-invalidation-logout
model: authentik_stages_user_logout.userlogoutstage
- attrs:
evaluate_on_plan: true
invalid_response_action: retry
policy_engine_mode: all
re_evaluate_policies: false
identifiers:
- identifiers:
order: 0
stage: !KeyOf default-invalidation-logout
target: !KeyOf flow
model: authentik_flows.flowstagebinding
version: 1

12
blueprints/default/20-flow-default-authenticator-static-setup.yaml
View File

@ -1,10 +1,9 @@
version: 1
metadata:
name: Default - Static MFA setup flow
entries:
- attrs:
compatibility_mode: false
designation: stage_configuration
layout: stacked
name: default-authenticator-static-setup
policy_engine_mode: any
title: Setup Static OTP Tokens
@ -14,20 +13,13 @@ entries:
id: flow
- attrs:
configure_flow: !KeyOf flow
meta_model_name: authentik_stages_authenticator_static.authenticatorstaticstage
token_count: 6
identifiers:
name: default-authenticator-static-setup
id: default-authenticator-static-setup
model: authentik_stages_authenticator_static.authenticatorstaticstage
- attrs:
evaluate_on_plan: true
invalid_response_action: retry
policy_engine_mode: any
re_evaluate_policies: false
identifiers:
- identifiers:
order: 0
stage: !KeyOf default-authenticator-static-setup
target: !KeyOf flow
model: authentik_flows.flowstagebinding
version: 1

13
blueprints/default/20-flow-default-authenticator-totp-setup.yaml
View File

@ -1,12 +1,10 @@
version: 1
metadata:
name: Default - TOTP MFA setup flow
entries:
- attrs:
compatibility_mode: false
designation: stage_configuration
layout: stacked
name: default-authenticator-totp-setup
policy_engine_mode: any
title: Setup Two-Factor authentication
identifiers:
slug: default-authenticator-totp-setup
@ -15,19 +13,12 @@ entries:
- attrs:
configure_flow: !KeyOf flow
digits: 6
meta_model_name: authentik_stages_authenticator_totp.authenticatortotpstage
identifiers:
name: default-authenticator-totp-setup
id: default-authenticator-totp-setup
model: authentik_stages_authenticator_totp.authenticatortotpstage
- attrs:
evaluate_on_plan: true
invalid_response_action: retry
policy_engine_mode: any
re_evaluate_policies: false
identifiers:
- identifiers:
order: 0
stage: !KeyOf default-authenticator-totp-setup
target: !KeyOf flow
model: authentik_flows.flowstagebinding
version: 1

15
blueprints/default/20-flow-default-authenticator-webauthn-setup.yaml
View File

@ -1,10 +1,9 @@
version: 1
metadata:
name: Default - WebAuthn MFA setup flow
entries:
- attrs:
compatibility_mode: false
designation: stage_configuration
layout: stacked
name: default-authenticator-webauthn-setup
policy_engine_mode: any
title: Setup WebAuthn
@ -13,23 +12,13 @@ entries:
model: authentik_flows.flow
id: flow
- attrs:
authenticator_attachment: null
configure_flow: !KeyOf flow
meta_model_name: authentik_stages_authenticator_webauthn.authenticatewebauthnstage
resident_key_requirement: preferred
user_verification: preferred
identifiers:
name: default-authenticator-webauthn-setup
id: default-authenticator-webauthn-setup
model: authentik_stages_authenticator_webauthn.authenticatewebauthnstage
- attrs:
evaluate_on_plan: true
invalid_response_action: retry
policy_engine_mode: any
re_evaluate_policies: false
identifiers:
- identifiers:
order: 0
stage: !KeyOf default-authenticator-webauthn-setup
target: !KeyOf flow
model: authentik_flows.flowstagebinding
version: 1

18
blueprints/default/20-flow-default-provider-authorization-explicit-consent.yaml
View File

@ -1,33 +1,21 @@
version: 1
metadata:
name: Default - Provider authorization flow (explicit consent)
entries:
- attrs:
compatibility_mode: false
designation: authorization
layout: stacked
name: Authorize Application
policy_engine_mode: all
title: Redirecting to %(app)s
identifiers:
slug: default-provider-authorization-explicit-consent
model: authentik_flows.flow
id: flow
- attrs:
consent_expire_in: weeks=4
meta_model_name: authentik_stages_consent.consentstage
mode: always_require
identifiers:
- identifiers:
name: default-provider-authorization-consent
id: default-provider-authorization-consent
model: authentik_stages_consent.consentstage
- attrs:
evaluate_on_plan: true
invalid_response_action: retry
policy_engine_mode: all
re_evaluate_policies: false
identifiers:
- identifiers:
order: 0
stage: !KeyOf default-provider-authorization-consent
target: !KeyOf flow
model: authentik_flows.flowstagebinding
version: 1

5
blueprints/default/20-flow-default-provider-authorization-implicit-consent.yaml
View File

@ -1,14 +1,11 @@
version: 1
metadata:
name: Default - Provider authorization flow (implicit consent)
entries:
- attrs:
compatibility_mode: false
designation: authorization
layout: stacked
name: Authorize Application
policy_engine_mode: all
title: Redirecting to %(app)s
identifiers:
slug: default-provider-authorization-implicit-consent
model: authentik_flows.flow
version: 1

21
blueprints/default/20-flow-default-source-authentication.yaml
View File

@ -1,52 +1,37 @@
version: 1
metadata:
name: Default - Source authentication flow
entries:
- attrs:
compatibility_mode: false
designation: authentication
layout: stacked
name: Welcome to authentik!
policy_engine_mode: all
title: Welcome to authentik!
identifiers:
slug: default-source-authentication
model: authentik_flows.flow
id: flow
- attrs:
execution_logging: false
expression: |
# This policy ensures that this flow can only be used when the user
# is in a SSO Flow (meaning they come from an external IdP)
return ak_is_sso_flow
meta_model_name: authentik_policies_expression.expressionpolicy
identifiers:
name: default-source-authentication-if-sso
id: default-source-authentication-if-sso
model: authentik_policies_expression.expressionpolicy
- attrs:
meta_model_name: authentik_stages_user_login.userloginstage
session_duration: seconds=0
identifiers:
name: default-source-authentication-login
id: default-source-authentication-login
model: authentik_stages_user_login.userloginstage
- attrs:
evaluate_on_plan: true
invalid_response_action: retry
policy_engine_mode: all
re_evaluate_policies: false
identifiers:
- identifiers:
order: 0
stage: !KeyOf default-source-authentication-login
target: !KeyOf flow
model: authentik_flows.flowstagebinding
- attrs:
enabled: true
negate: false
timeout: 30
identifiers:
- identifiers:
order: 0
policy: !KeyOf default-source-authentication-if-sso
target: !KeyOf flow
model: authentik_policies.policybinding
version: 1

49
blueprints/default/20-flow-default-source-enrollment.yaml
View File

@ -1,12 +1,10 @@
version: 1
metadata:
name: Default - Source enrollment flow
entries:
- attrs:
compatibility_mode: false
designation: enrollment
layout: stacked
name: Welcome to authentik! Please select a username.
policy_engine_mode: all
title: Welcome to authentik! Please select a username.
identifiers:
slug: default-source-enrollment
@ -17,7 +15,6 @@ entries:
placeholder: Username
placeholder_expression: false
required: true
sub_text: ''
type: text
identifiers:
field_key: username
@ -25,29 +22,24 @@ entries:
id: prompt-field-username
model: authentik_stages_prompt.prompt
- attrs:
execution_logging: false
expression: |
# Check if we''ve not been given a username by the external IdP
# and trigger the enrollment flow
return 'username' not in context.get('prompt_data', {})
meta_model_name: authentik_policies_expression.expressionpolicy
identifiers:
name: default-source-enrollment-if-username
id: default-source-enrollment-if-username
model: authentik_policies_expression.expressionpolicy
- attrs:
execution_logging: false
expression: |
# This policy ensures that this flow can only be used when the user
# is in a SSO Flow (meaning they come from an external IdP)
return ak_is_sso_flow
meta_model_name: authentik_policies_expression.expressionpolicy
identifiers:
name: default-source-enrollment-if-sso
id: default-source-enrollment-if-sso
model: authentik_policies_expression.expressionpolicy
- attrs:
meta_model_name: authentik_stages_user_login.userloginstage
session_duration: seconds=0
identifiers:
name: default-source-enrollment-login
@ -56,25 +48,15 @@ entries:
- attrs:
fields:
- !KeyOf prompt-field-username
meta_model_name: authentik_stages_prompt.promptstage
validation_policies: []
identifiers:
name: default-source-enrollment-prompt
id: default-source-enrollment-prompt
model: authentik_stages_prompt.promptstage
- attrs:
create_users_as_inactive: false
create_users_group: null
meta_model_name: authentik_stages_user_write.userwritestage
user_path_template: ''
identifiers:
- identifiers:
name: default-source-enrollment-write
id: default-source-enrollment-write
model: authentik_stages_user_write.userwritestage
- attrs:
evaluate_on_plan: true
invalid_response_action: retry
policy_engine_mode: all
re_evaluate_policies: true
identifiers:
order: 0
@ -82,42 +64,23 @@ entries:
target: !KeyOf flow
id: prompt-binding
model: authentik_flows.flowstagebinding
- attrs:
evaluate_on_plan: true
invalid_response_action: retry
policy_engine_mode: all
re_evaluate_policies: false
identifiers:
- identifiers:
order: 1
stage: !KeyOf default-source-enrollment-write
target: !KeyOf flow
model: authentik_flows.flowstagebinding
- attrs:
evaluate_on_plan: true
invalid_response_action: retry
policy_engine_mode: all
re_evaluate_policies: false
identifiers:
- identifiers:
order: 2
stage: !KeyOf default-source-enrollment-login
target: !KeyOf flow
model: authentik_flows.flowstagebinding
- attrs:
enabled: true
negate: false
timeout: 30
identifiers:
- identifiers:
order: 0
policy: !KeyOf default-source-enrollment-if-sso
target: !KeyOf flow
model: authentik_policies.policybinding
- attrs:
enabled: true
negate: false
timeout: 30
identifiers:
- identifiers:
order: 0
policy: !KeyOf default-source-enrollment-if-username
target: !KeyOf prompt-binding
model: authentik_policies.policybinding
version: 1

5
blueprints/default/20-flow-default-source-pre-authentication.yaml
View File

@ -1,14 +1,11 @@
version: 1
metadata:
name: Default - Source pre-authentication flow
entries:
- attrs:
compatibility_mode: false
designation: stage_configuration
layout: stacked
name: Pre-Authentication
policy_engine_mode: any
title: Pre-authentication
identifiers:
slug: default-source-pre-authentication
model: authentik_flows.flow
version: 1

33
blueprints/default/30-flow-default-user-settings-flow.yaml
View File

@ -1,12 +1,10 @@
version: 1
metadata:
name: Default - User settings flow
entries:
- attrs:
compatibility_mode: false
designation: stage_configuration
layout: stacked
name: User settings
policy_engine_mode: any
title: Update your info
identifiers:
slug: default-user-settings-flow
@ -21,7 +19,6 @@ entries:
return ''
placeholder_expression: true
required: true
sub_text: ''
type: text
identifiers:
field_key: username
@ -37,7 +34,6 @@ entries:
return ''
placeholder_expression: true
required: true
sub_text: ''
type: text
identifiers:
field_key: name
@ -53,7 +49,6 @@ entries:
return ''
placeholder_expression: true
required: true
sub_text: ''
type: email
identifiers:
field_key: email
@ -69,7 +64,6 @@ entries:
return ''
placeholder_expression: true
required: true
sub_text: ''
type: ak-locale
identifiers:
field_key: attributes.settings.locale
@ -77,7 +71,6 @@ entries:
id: prompt-field-locale
model: authentik_stages_prompt.prompt
- attrs:
execution_logging: false
expression: |
from authentik.lib.config import CONFIG
from authentik.core.models import (
@ -109,17 +102,11 @@ entries:
return False
return True
meta_model_name: authentik_policies_expression.expressionpolicy
identifiers:
name: default-user-settings-authorization
id: default-user-settings-authorization
model: authentik_policies_expression.expressionpolicy
- attrs:
create_users_as_inactive: false
create_users_group: null
meta_model_name: authentik_stages_user_write.userwritestage
user_path_template: ''
identifiers:
- identifiers:
name: default-user-settings-write
id: default-user-settings-write
model: authentik_stages_user_write.userwritestage
@ -129,31 +116,19 @@ entries:
- !KeyOf prompt-field-name
- !KeyOf prompt-field-email
- !KeyOf prompt-field-locale
meta_model_name: authentik_stages_prompt.promptstage
validation_policies:
- !KeyOf default-user-settings-authorization
identifiers:
name: default-user-settings
id: default-user-settings
model: authentik_stages_prompt.promptstage
- attrs:
evaluate_on_plan: true
invalid_response_action: retry
policy_engine_mode: any
re_evaluate_policies: false
identifiers:
- identifiers:
order: 20
stage: !KeyOf default-user-settings
target: !KeyOf flow
model: authentik_flows.flowstagebinding
- attrs:
evaluate_on_plan: true
invalid_response_action: retry
policy_engine_mode: any
re_evaluate_policies: false
identifiers:
- identifiers:
order: 100
stage: !KeyOf default-user-settings-write
target: !KeyOf flow
model: authentik_flows.flowstagebinding
version: 1

20
blueprints/default/40-events-default.yaml
View File

@ -18,10 +18,6 @@ entries:
id: group
identifiers:
name: authentik Admins
attrs:
is_superuser: true
users: []
parent: null
- model: authentik_policies_event_matcher.eventmatcherpolicy
id: default-match-configuration-error
@ -40,10 +36,6 @@ entries:
- !KeyOf default-email-transport
- !KeyOf default-local-transport
- model: authentik_policies.policybinding
attrs:
enabled: true
negate: false
timeout: 30
identifiers:
order: 0
policy: !KeyOf default-match-configuration-error
@ -66,10 +58,6 @@ entries:
- !KeyOf default-email-transport
- !KeyOf default-local-transport
- model: authentik_policies.policybinding
attrs:
enabled: true
negate: false
timeout: 30
identifiers:
order: 0
policy: !KeyOf default-match-update
@ -98,19 +86,11 @@ entries:
- !KeyOf default-email-transport
- !KeyOf default-local-transport
- model: authentik_policies.policybinding
attrs:
enabled: true
negate: false
timeout: 30
identifiers:
order: 0
policy: !KeyOf default-match-policy-exception
target: !KeyOf default-notify-exception
- model: authentik_policies.policybinding
attrs:
enabled: true
negate: false
timeout: 30
identifiers:
order: 1
policy: !KeyOf default-match-property-mapping-exception

2
blueprints/default/90-default-tenant.yaml
View File

@ -9,4 +9,4 @@ entries:
identifiers:
domain: authentik-default
default: True
model: authentik_tenants.Tenant
model: authentik_tenants.tenant

25
blueprints/default/91-flow-oobe.yaml
View File

@ -3,11 +3,9 @@ metadata:
version: 1
entries:
- attrs:
compatibility_mode: false
denied_action: message_continue
designation: stage_configuration
name: default-oobe-setup
policy_engine_mode: all
title: Welcome to authentik!
id: flow
identifiers:
@ -63,7 +61,6 @@ entries:
label: Password (repeat)
model: authentik_stages_prompt.prompt
- attrs:
execution_logging: false
expression: |
# This policy sets the user for the currently running flow
# by injecting "pending_user"
@ -75,7 +72,6 @@ entries:
name: default-oobe-prefill-user
model: authentik_policies_expression.expressionpolicy
- attrs:
execution_logging: false
expression: |
# This policy ensures that the setup flow can only be
# executed when the admin user doesn''t have a password set
@ -102,18 +98,13 @@ entries:
identifiers:
name: default-authentication-login
model: authentik_stages_user_login.userloginstage
- attrs:
create_users_as_inactive: false
create_users_group: null
user_path_template: ''
id: stage-default-password-change-write
- id: stage-default-password-change-write
identifiers:
name: default-password-change-write
model: authentik_stages_user_write.userwritestage
- attrs:
evaluate_on_plan: true
invalid_response_action: retry
policy_engine_mode: all
re_evaluate_policies: false
identifiers:
order: 10
@ -123,7 +114,6 @@ entries:
- attrs:
evaluate_on_plan: false
invalid_response_action: retry
policy_engine_mode: all
re_evaluate_policies: true
id: binding-password-write
identifiers:
@ -134,27 +124,18 @@ entries:
- attrs:
evaluate_on_plan: true
invalid_response_action: retry
policy_engine_mode: all
re_evaluate_policies: false
identifiers:
order: 100
stage: !KeyOf stage-default-authentication-login
target: !KeyOf flow
model: authentik_flows.flowstagebinding
- attrs:
enabled: true
negate: false
timeout: 30
identifiers:
- identifiers:
order: 0
policy: !KeyOf policy-default-oobe-password-usable
target: !KeyOf flow
model: authentik_policies.policybinding
- attrs:
enabled: true
negate: false
timeout: 30
identifiers:
- identifiers:
order: 0
policy: !KeyOf policy-default-oobe-prefill-user
target: !KeyOf binding-password-write

19
blueprints/example/flows-login-2fa.yaml
View File

@ -17,7 +17,6 @@ entries:
id: test-not-app-password
model: authentik_policies_expression.expressionpolicy
attrs:
execution_logging: false
expression: |
return context["auth_method"] != "app_password"
- identifiers:
@ -35,13 +34,10 @@ entries:
- email
- username
template: stages/identification/login.html
enrollment_flow: null
recovery_flow: null
- identifiers:
name: default-authentication-flow-mfa
id: default-authentication-flow-mfa
model: authentik_stages_authenticator_validate.AuthenticatorValidateStage
attrs: {}
model: authentik_stages_authenticator_validate.authenticatorvalidatestage
- identifiers:
name: default-authentication-password
id: default-authentication-password
@ -56,15 +52,11 @@ entries:
stage: !KeyOf default-authentication-identification
order: 10
model: authentik_flows.flowstagebinding
attrs:
re_evaluate_policies: false
- identifiers:
target: !KeyOf flow
stage: !KeyOf default-authentication-password
order: 20
model: authentik_flows.flowstagebinding
attrs:
re_evaluate_policies: false
- identifiers:
target: !KeyOf flow
stage: !KeyOf default-authentication-flow-mfa
@ -72,23 +64,14 @@ entries:
model: authentik_flows.flowstagebinding
id: flow-binding-mfa
attrs:
evaluate_on_plan: false
re_evaluate_policies: true
policy_engine_mode: any
invalid_response_action: retry
- identifiers:
target: !KeyOf flow
stage: !KeyOf default-authentication-login
order: 100
model: authentik_flows.flowstagebinding
attrs:
re_evaluate_policies: false
- identifiers:
policy: !KeyOf test-not-app-password
target: !KeyOf flow-binding-mfa
order: 0
model: authentik_policies.policybinding
attrs:
negate: false
enabled: true
timeout: 30

11
blueprints/example/flows-login-conditional-captcha.yaml
View File

@ -34,8 +34,6 @@ entries:
- email
- username
template: stages/identification/login.html
enrollment_flow: null
recovery_flow: null
- identifiers:
name: default-authentication-password
id: default-authentication-password
@ -50,15 +48,11 @@ entries:
stage: !KeyOf default-authentication-identification
order: 10
model: authentik_flows.flowstagebinding
attrs:
re_evaluate_policies: false
- identifiers:
target: !KeyOf flow
stage: !KeyOf default-authentication-password
order: 20
model: authentik_flows.flowstagebinding
attrs:
re_evaluate_policies: false
- identifiers:
target: !KeyOf flow
stage: !KeyOf default-authentication-flow-captcha
@ -73,8 +67,6 @@ entries:
stage: !KeyOf default-authentication-login
order: 100
model: authentik_flows.flowstagebinding
attrs:
re_evaluate_policies: false
- identifiers:
name: default-authentication-flow-conditional-captcha
id: default-authentication-flow-conditional-captcha
@ -88,6 +80,3 @@ entries:
target: !KeyOf flow-binding-captcha
order: 0
model: authentik_policies.policybinding
attrs:
enabled: true
timeout: 30

17
blueprints/example/flows-recovery-email-verification.yaml
View File

@ -12,10 +12,6 @@ entries:
name: Default recovery flow
title: Reset your password
designation: recovery
cache_count: 0
policy_engine_mode: any
compatibility_mode: false
layout: stacked
- identifiers:
field_key: password
label: Password
@ -45,7 +41,6 @@ entries:
id: default-recovery-skip-if-restored
model: authentik_policies_expression.expressionpolicy
attrs:
execution_logging: false
expression: |
return request.context.get('is_restored', False)
- identifiers:
@ -69,10 +64,6 @@ entries:
name: default-recovery-user-write
id: default-recovery-user-write
model: authentik_stages_user_write.userwritestage
attrs:
create_users_as_inactive: false
create_users_group: null
user_path_template: ""
- identifiers:
name: default-recovery-identification
id: default-recovery-identification
@ -81,14 +72,6 @@ entries:
user_fields:
- email
- username
password_stage: null
case_insensitive_matching: true
show_matched_user: true
enrollment_flow: null
recovery_flow: null
passwordless_flow: null
sources: []
show_source_labels: false
- identifiers:
name: default-recovery-user-login
id: default-recovery-user-login

1
blueprints/schema.json
View File

@ -135,6 +135,7 @@
"description": "Commonly available field, may not exist on all models"
}
},
"default": {},
"additionalProperties": true
},
"identifiers": {

6
internal/outpost/ldap/search/memory/memory.go
View File

@ -135,7 +135,11 @@ func (ms *MemorySearcher) Search(req *search.Request) (ldap.ServerSearchResult,
for _, u := range g.UsersObj {
if flags.UserPk == u.Pk {
//TODO: Is there a better way to clone this object?
fg := api.NewGroup(g.Pk, g.NumPk, g.Name, g.Parent, g.ParentName, []int32{flags.UserPk}, []api.GroupMember{u})
fg := api.NewGroup(g.Pk, g.NumPk, g.Name, g.ParentName, []api.GroupMember{u})
fg.SetUsers([]int32{flags.UserPk})
if g.Parent.IsSet() {
fg.SetParent(*g.Parent.Get())
}
fg.SetAttributes(g.Attributes)
fg.SetIsSuperuser(*g.IsSuperuser)
groups = append(groups, group.FromAPIGroup(*fg, ms.si))

4
schema.yml
View File

@ -22723,10 +22723,8 @@ components:
required:
- name
- num_pk
- parent
- parent_name
- pk
- users
- users_obj
GroupMember:
type: object
@ -22833,8 +22831,6 @@ components:
additionalProperties: {}
required:
- name
- parent
- users
HaveIBeenPwendPolicy:
type: object
description: Have I Been Pwned Policy Serializer

9
website/developer-docs/blueprints/index.md Normal file
View File

@ -0,0 +1,9 @@
---
title: Blueprints
---
:::info
Requires authentik 2022.8
:::
Blueprints offer a new way to template, automate and distribute authentik configuration. Blueprints can be used to automatically configure instances, manage config as code without any external tools, and to distribute application configs.

61
website/developer-docs/blueprints/v1/structure.md Normal file
View File

@ -0,0 +1,61 @@
---
title: File structure
---
Blueprints are YAML files, which can use some additional tags to ease blueprint creation.
## Additional Tags
#### `!KeyOf`
Example: `policy: !KeyOf my-policy-id`
Resolves to the primary key of the model instance defined by id _my-policy-id_.
If no matching entry can be found, an error is raised and the blueprint is invalid.
#### `!Find`
Example: `configure_flow: !Find [authentik_flows.flow, [slug, default-password-change]]`
Looks up any model and resolves to the the matches' primary key.
First argument is the model to be queried, remaining arguments are expected to be pairs of key=value pairs to query for.
## Structure
```yaml
# The version of this blueprint, currently 1
version: 1
# Optional block of metadata, name is required if metadata is set
metadata:
# Arbitrary key=value store, special labels are listed below
labels:
foo: bar
name: example-blueprint
# List of entries (required)
entries:
- # Model in app.model notation, possibilities are listed in the schema (required)
model: authentik_flows.flow
# Key:value filters to uniquely identify this object (required)
identifiers:
slug: initial-setup
# Optional ID for use with !KeyOf
id: flow
# Attributes to set on the object. Only explicitly required settings should be stated
# as these values will override existing attributes
attrs:
denied_action: message_continue
designation: stage_configuration
name: default-oobe-setup
title: Welcome to authentik!
```
## Special Labels
#### `blueprints.goauthentik.io/system`:
Used by authentik's packaged blueprints to keep globals up-to-date. Should only be removed in special cases.
#### `blueprints.goauthentik.io/example`:
Blueprints with this label are not automatically imported. They are still available when creating a new instance.

16
website/sidebarsDev.js
View File

@ -6,9 +6,21 @@ module.exports = {
},
{
type: "category",
label: "Using the API",
label: "Blueprints",
link: {
type: "doc",
id: "blueprints/index",
},
items: ["blueprints/v1/structure"],
},
{
type: "category",
label: "API",
link: {
type: "doc",
id: "api/api",
},
items: [
"api/api",
"api/flow-executor",
"api/making-schema-changes",
"api/websocket",