From 89fef0ae727f09b319198b422013c27428a0bdd2 Mon Sep 17 00:00:00 2001 From: Jens L Date: Sat, 6 Aug 2022 00:52:12 +0200 Subject: [PATCH] blueprints: docs (#3376) * further blueprint cleanup Signed-off-by: Jens Langhammer * more Signed-off-by: Jens Langhammer * make group users and parent optional Signed-off-by: Jens Langhammer * fix api client usage 
Signed-off-by: Jens Langhammer --- .../management/commands/schema_template.json | 1 + authentik/blueprints/v1/common.py | 2 +- authentik/core/api/groups.py | 5 ++ .../migrations/0022_alter_group_parent.py | 26 ++++++++ authentik/core/models.py | 1 + .../default/0-flow-password-change.yaml | 30 ++------- .../10-flow-default-authentication-flow.yaml | 43 ++----------- .../10-flow-default-invalidation-flow.yaml | 17 +----- ...ow-default-authenticator-static-setup.yaml | 12 +--- ...flow-default-authenticator-totp-setup.yaml | 13 +--- ...-default-authenticator-webauthn-setup.yaml | 15 +---- ...ovider-authorization-explicit-consent.yaml | 18 +----- ...ovider-authorization-implicit-consent.yaml | 5 +- ...20-flow-default-source-authentication.yaml | 21 +------ .../20-flow-default-source-enrollment.yaml | 49 ++------------- ...low-default-source-pre-authentication.yaml | 5 +- .../30-flow-default-user-settings-flow.yaml | 33 ++-------- blueprints/default/40-events-default.yaml | 20 ------ blueprints/default/90-default-tenant.yaml | 2 +- blueprints/default/91-flow-oobe.yaml | 25 +------- blueprints/example/flows-login-2fa.yaml | 19 +----- .../flows-login-conditional-captcha.yaml | 11 ---- .../flows-recovery-email-verification.yaml | 17 ------ blueprints/schema.json | 1 + internal/outpost/ldap/search/memory/memory.go | 6 +- schema.yml | 4 -- website/developer-docs/blueprints/index.md | 9 +++ .../developer-docs/blueprints/v1/structure.md | 61 +++++++++++++++++++ website/sidebarsDev.js | 16 ++++- 29 files changed, 165 insertions(+), 322 deletions(-) create mode 100644 authentik/core/migrations/0022_alter_group_parent.py create mode 100644 website/developer-docs/blueprints/index.md create mode 100644 website/developer-docs/blueprints/v1/structure.md diff --git a/authentik/blueprints/management/commands/schema_template.json b/authentik/blueprints/management/commands/schema_template.json index cf1bf2b00..8ead5ef3e 100644 
--- a/authentik/blueprints/management/commands/schema_template.json +++ b/authentik/blueprints/management/commands/schema_template.json @@ -57,6 +57,7 @@ "description": "Commonly available field, may not exist on all models" } }, + "default": {}, "additionalProperties": true }, "identifiers": { diff --git a/authentik/blueprints/v1/common.py b/authentik/blueprints/v1/common.py index a3b06f6fa..c508a6e8b 100644 --- a/authentik/blueprints/v1/common.py +++ b/authentik/blueprints/v1/common.py @@ -40,7 +40,7 @@ class BlueprintEntry: identifiers: dict[str, Any] model: str - attrs: dict[str, Any] + attrs: Optional[dict[str, Any]] = field(default_factory=dict) # pylint: disable=invalid-name id: Optional[str] = None diff --git a/authentik/core/api/groups.py b/authentik/core/api/groups.py index 688ab802a..2777020a2 100644 --- a/authentik/core/api/groups.py +++ b/authentik/core/api/groups.py @@ -62,6 +62,11 @@ class GroupSerializer(ModelSerializer): "attributes", "users_obj", ] + extra_kwargs = { + "users": { + "default": list, + } + } class GroupFilter(FilterSet): diff --git a/authentik/core/migrations/0022_alter_group_parent.py b/authentik/core/migrations/0022_alter_group_parent.py new file mode 100644 index 000000000..1392f3c7c --- /dev/null +++ b/authentik/core/migrations/0022_alter_group_parent.py @@ -0,0 +1,26 @@ +# Generated by Django 4.0.6 on 2022-08-05 22:01 + +import django.db.models.deletion +from django.db import migrations, models + + +class Migration(migrations.Migration): + + dependencies = [ + ("authentik_core", "0021_source_user_path_user_path"), + ] + + operations = [ + migrations.AlterField( + model_name="group", + name="parent", + field=models.ForeignKey( + blank=True, + default=None, + null=True, + on_delete=django.db.models.deletion.SET_NULL, + related_name="children", + to="authentik_core.group", + ), + ), + ] diff --git a/authentik/core/models.py b/authentik/core/models.py index ed745caf8..d18a2cbec 100644 --- a/authentik/core/models.py 
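Review bot: The new annotation `attrs: Optional[dict[str, Any]] = field(default_factory=dict)` is inconsistent with its own default: the factory guarantees a dict, so the `Optional` only admits `None` for entries whose YAML sets `attrs: null`, and every consumer that iterates or indexes `entry.attrs` would then need a None guard. Either narrow the annotation to `attrs: dict[str, Any] = field(default_factory=dict)` or normalise an explicit null to `{}` where entries are parsed, so the importer has one shape to handle. `BlueprintEntry` begins and continues outside the hunk.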
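Review bot: `extra_kwargs = {"users": {"default": list}}` changes more than blueprint import: DRF applies a field default on create and on full (non-partial) updates, so a PUT that omits `users` now silently replaces the group's membership with an empty list where it previously failed as a required field; PATCH is unaffected because defaults are skipped for partial updates. If the goal is only to let blueprints leave `users` out, `"users": {"required": False}` without a default keeps existing membership untouched on a PUT that omits the field. Since group membership is what grants permissions here, whichever behaviour is intended deserves a comment on the Meta class. `GroupSerializer.Meta` starts outside the hunk.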
+++ b/authentik/core/models.py @@ -82,6 +82,7 @@ class Group(SerializerModel): "Group", blank=True, null=True, + default=None, on_delete=models.SET_NULL, related_name="children", ) diff --git a/blueprints/default/0-flow-password-change.yaml b/blueprints/default/0-flow-password-change.yaml index c59d73f15..fd87049f8 100644 --- a/blueprints/default/0-flow-password-change.yaml +++ b/blueprints/default/0-flow-password-change.yaml @@ -1,12 +1,10 @@ +version: 1 metadata: name: Default - Password change flow entries: - attrs: - compatibility_mode: false designation: stage_configuration - layout: stacked name: Change Password - policy_engine_mode: all title: Change password identifiers: slug: default-password-change @@ -17,7 +15,6 @@ entries: placeholder: Password placeholder_expression: false required: true - sub_text: '' type: password identifiers: field_key: password @@ -29,7 +26,6 @@ entries: placeholder: Password (repeat) placeholder_expression: false required: true - sub_text: '' type: password identifiers: field_key: password_repeat 
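Review bot: The flow entry now relies on the model default for `policy_engine_mode` instead of the explicit `all` it carried before; if that default is `any`, the semantics differ whenever more than one policy is bound to the same target, which is not the case for the single bindings in these default blueprints but is easy to miss when a user adds a second policy. The same implicit default is introduced in the other default flow blueprints touched by this patch (10-flow-default-authentication-flow, 10-flow-default-invalidation-flow, 20-flow-default-source-*, 30-flow-default-user-settings-flow, 91-flow-oobe). A short comment in the structure docs or in one blueprint, e.g. `# policy_engine_mode left at the model default; set it explicitly when binding more than one policy`, would make the dependency on the default visible.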
@@ -40,39 +36,21 @@ entries: fields: - !KeyOf prompt-field-password - !KeyOf prompt-field-password-repeat - meta_model_name: authentik_stages_prompt.promptstage - validation_policies: [] identifiers: name: default-password-change-prompt id: default-password-change-prompt model: authentik_stages_prompt.promptstage -- attrs: - create_users_as_inactive: false - create_users_group: null - meta_model_name: authentik_stages_user_write.userwritestage - user_path_template: '' - identifiers: +- identifiers: name: default-password-change-write id: default-password-change-write model: authentik_stages_user_write.userwritestage -- attrs: - evaluate_on_plan: true - invalid_response_action: retry - policy_engine_mode: all - re_evaluate_policies: false - identifiers: +- identifiers: order: 0 stage: !KeyOf default-password-change-prompt target: !KeyOf flow model: authentik_flows.flowstagebinding -- attrs: - evaluate_on_plan: true - invalid_response_action: retry - policy_engine_mode: all - re_evaluate_policies: false - identifiers: +- identifiers: order: 1 stage: !KeyOf default-password-change-write target: !KeyOf flow model: authentik_flows.flowstagebinding -version: 1 diff --git a/blueprints/default/10-flow-default-authentication-flow.yaml b/blueprints/default/10-flow-default-authentication-flow.yaml index c44587e77..b6b4f95d9 100644 --- a/blueprints/default/10-flow-default-authentication-flow.yaml +++ b/blueprints/default/10-flow-default-authentication-flow.yaml @@ -1,13 +1,11 @@ +version: 1 metadata: name: Default - Authentication flow entries: - attrs: - cache_count: 1 - compatibility_mode: false designation: authentication layout: stacked name: Welcome to authentik! - policy_engine_mode: all title: Welcome to authentik! identifiers: slug: default-authentication-flow 
@@ -21,32 +19,23 @@ entries: - authentik.core.auth.TokenBackend configure_flow: !Find [authentik_flows.flow, [slug, default-password-change]] failed_attempts_before_cancel: 5 - meta_model_name: authentik_stages_password.passwordstage identifiers: name: default-authentication-password id: default-authentication-password model: authentik_stages_password.passwordstage - attrs: - configuration_stages: [] device_classes: - static - totp - webauthn - duo - sms - last_auth_threshold: seconds=0 - meta_model_name: authentik_stages_authenticator_validate.authenticatorvalidatestage not_configured_action: skip identifiers: name: default-authentication-mfa-validation id: default-authentication-mfa-validation model: authentik_stages_authenticator_validate.authenticatorvalidatestage - attrs: - case_insensitive_matching: true - meta_model_name: authentik_stages_identification.identificationstage - show_matched_user: true - show_source_labels: false - sources: [] user_fields: - email - username 
@@ -55,50 +44,28 @@ entries: id: default-authentication-identification model: authentik_stages_identification.identificationstage - attrs: - meta_model_name: authentik_stages_user_login.userloginstage session_duration: seconds=0 identifiers: name: default-authentication-login id: default-authentication-login model: authentik_stages_user_login.userloginstage -- attrs: - evaluate_on_plan: true - invalid_response_action: retry - policy_engine_mode: all - re_evaluate_policies: false - identifiers: +- identifiers: order: 10 stage: !KeyOf default-authentication-identification target: !KeyOf flow model: authentik_flows.flowstagebinding -- attrs: - evaluate_on_plan: true - invalid_response_action: retry - policy_engine_mode: all - re_evaluate_policies: false - identifiers: +- identifiers: order: 20 stage: !KeyOf default-authentication-password target: !KeyOf flow model: authentik_flows.flowstagebinding -- attrs: - evaluate_on_plan: true - invalid_response_action: retry - policy_engine_mode: any - re_evaluate_policies: false - identifiers: +- identifiers: order: 30 stage: !KeyOf default-authentication-mfa-validation target: !KeyOf flow model: authentik_flows.flowstagebinding -- attrs: - evaluate_on_plan: true - invalid_response_action: retry - policy_engine_mode: all - re_evaluate_policies: false - identifiers: +- identifiers: order: 100 stage: !KeyOf default-authentication-login target: !KeyOf flow model: authentik_flows.flowstagebinding -version: 1 diff --git a/blueprints/default/10-flow-default-invalidation-flow.yaml b/blueprints/default/10-flow-default-invalidation-flow.yaml index 5c1c11580..80f8e729c 100644 --- a/blueprints/default/10-flow-default-invalidation-flow.yaml +++ b/blueprints/default/10-flow-default-invalidation-flow.yaml 
@@ -1,32 +1,21 @@ +version: 1 metadata: name: Default - Invalidation flow entries: - attrs: - compatibility_mode: false designation: invalidation - layout: stacked name: Logout - policy_engine_mode: all title: Default Invalidation Flow identifiers: - pk: 46979d76-94d3-43b5-ad07-43e924c15d2c slug: default-invalidation-flow model: authentik_flows.flow id: flow -- attrs: - meta_model_name: authentik_stages_user_logout.userlogoutstage - identifiers: +- identifiers: name: default-invalidation-logout id: default-invalidation-logout model: authentik_stages_user_logout.userlogoutstage -- attrs: - evaluate_on_plan: true - invalid_response_action: retry - policy_engine_mode: all - re_evaluate_policies: false - identifiers: +- identifiers: order: 0 stage: !KeyOf default-invalidation-logout target: !KeyOf flow model: authentik_flows.flowstagebinding -version: 1 diff --git a/blueprints/default/20-flow-default-authenticator-static-setup.yaml b/blueprints/default/20-flow-default-authenticator-static-setup.yaml index 4ac810007..825ca458a 100644 --- a/blueprints/default/20-flow-default-authenticator-static-setup.yaml +++ b/blueprints/default/20-flow-default-authenticator-static-setup.yaml @@ -1,10 +1,9 @@ +version: 1 metadata: name: Default - Static MFA setup flow entries: - attrs: - compatibility_mode: false designation: stage_configuration - layout: stacked name: default-authenticator-static-setup policy_engine_mode: any title: Setup Static OTP Tokens 
@@ -14,20 +13,13 @@ entries: id: flow - attrs: configure_flow: !KeyOf flow - meta_model_name: authentik_stages_authenticator_static.authenticatorstaticstage token_count: 6 identifiers: name: default-authenticator-static-setup id: default-authenticator-static-setup model: authentik_stages_authenticator_static.authenticatorstaticstage -- attrs: - evaluate_on_plan: true - invalid_response_action: retry - policy_engine_mode: any - re_evaluate_policies: false - identifiers: +- identifiers: order: 0 stage: !KeyOf default-authenticator-static-setup target: !KeyOf flow model: authentik_flows.flowstagebinding -version: 1 diff --git a/blueprints/default/20-flow-default-authenticator-totp-setup.yaml b/blueprints/default/20-flow-default-authenticator-totp-setup.yaml index 017486361..d701dd0ea 100644 --- a/blueprints/default/20-flow-default-authenticator-totp-setup.yaml +++ b/blueprints/default/20-flow-default-authenticator-totp-setup.yaml @@ -1,12 +1,10 @@ +version: 1 metadata: name: Default - TOTP MFA setup flow entries: - attrs: - compatibility_mode: false designation: stage_configuration - layout: stacked name: default-authenticator-totp-setup - policy_engine_mode: any title: Setup Two-Factor authentication identifiers: slug: default-authenticator-totp-setup @@ -15,19 +13,12 @@ entries: - attrs: configure_flow: !KeyOf flow digits: 6 - meta_model_name: authentik_stages_authenticator_totp.authenticatortotpstage identifiers: name: default-authenticator-totp-setup id: default-authenticator-totp-setup model: authentik_stages_authenticator_totp.authenticatortotpstage -- attrs: - evaluate_on_plan: true - invalid_response_action: retry - policy_engine_mode: any - re_evaluate_policies: false - identifiers: +- identifiers: order: 0 stage: !KeyOf default-authenticator-totp-setup target: !KeyOf flow model: authentik_flows.flowstagebinding -version: 1 
diff --git a/blueprints/default/20-flow-default-authenticator-webauthn-setup.yaml b/blueprints/default/20-flow-default-authenticator-webauthn-setup.yaml index 2b5962de5..91d907c53 100644 --- a/blueprints/default/20-flow-default-authenticator-webauthn-setup.yaml +++ b/blueprints/default/20-flow-default-authenticator-webauthn-setup.yaml @@ -1,10 +1,9 @@ +version: 1 metadata: name: Default - WebAuthn MFA setup flow entries: - attrs: - compatibility_mode: false designation: stage_configuration - layout: stacked name: default-authenticator-webauthn-setup policy_engine_mode: any title: Setup WebAuthn @@ -13,23 +12,13 @@ entries: model: authentik_flows.flow id: flow - attrs: - authenticator_attachment: null configure_flow: !KeyOf flow - meta_model_name: authentik_stages_authenticator_webauthn.authenticatewebauthnstage - resident_key_requirement: preferred - user_verification: preferred identifiers: name: default-authenticator-webauthn-setup id: default-authenticator-webauthn-setup model: authentik_stages_authenticator_webauthn.authenticatewebauthnstage -- attrs: - evaluate_on_plan: true - invalid_response_action: retry - policy_engine_mode: any - re_evaluate_policies: false - identifiers: +- identifiers: order: 0 stage: !KeyOf default-authenticator-webauthn-setup target: !KeyOf flow model: authentik_flows.flowstagebinding -version: 1 diff --git a/blueprints/default/20-flow-default-provider-authorization-explicit-consent.yaml b/blueprints/default/20-flow-default-provider-authorization-explicit-consent.yaml index 681bbd7cb..74eff8785 100644 --- a/blueprints/default/20-flow-default-provider-authorization-explicit-consent.yaml +++ b/blueprints/default/20-flow-default-provider-authorization-explicit-consent.yaml 
@@ -1,33 +1,21 @@ +version: 1 metadata: name: Default - Provider authorization flow (explicit consent) entries: - attrs: - compatibility_mode: false designation: authorization - layout: stacked name: Authorize Application - policy_engine_mode: all title: Redirecting to %(app)s identifiers: slug: default-provider-authorization-explicit-consent model: authentik_flows.flow id: flow -- attrs: - consent_expire_in: weeks=4 - meta_model_name: authentik_stages_consent.consentstage - mode: always_require - identifiers: +- identifiers: name: default-provider-authorization-consent id: default-provider-authorization-consent model: authentik_stages_consent.consentstage -- attrs: - evaluate_on_plan: true - invalid_response_action: retry - policy_engine_mode: all - re_evaluate_policies: false - identifiers: +- identifiers: order: 0 stage: !KeyOf default-provider-authorization-consent target: !KeyOf flow model: authentik_flows.flowstagebinding -version: 1 diff --git a/blueprints/default/20-flow-default-provider-authorization-implicit-consent.yaml b/blueprints/default/20-flow-default-provider-authorization-implicit-consent.yaml index 94ac91645..b609afdd9 100644 --- a/blueprints/default/20-flow-default-provider-authorization-implicit-consent.yaml +++ b/blueprints/default/20-flow-default-provider-authorization-implicit-consent.yaml @@ -1,14 +1,11 @@ +version: 1 metadata: name: Default - Provider authorization flow (implicit consent) entries: - attrs: - compatibility_mode: false designation: authorization - layout: stacked name: Authorize Application - policy_engine_mode: all title: Redirecting to %(app)s identifiers: slug: default-provider-authorization-implicit-consent model: authentik_flows.flow -version: 1 diff --git a/blueprints/default/20-flow-default-source-authentication.yaml b/blueprints/default/20-flow-default-source-authentication.yaml index f5437914a..7b630343b 100644 --- a/blueprints/default/20-flow-default-source-authentication.yaml 
+++ b/blueprints/default/20-flow-default-source-authentication.yaml @@ -1,52 +1,37 @@ +version: 1 metadata: name: Default - Source authentication flow entries: - attrs: - compatibility_mode: false designation: authentication - layout: stacked name: Welcome to authentik! - policy_engine_mode: all title: Welcome to authentik! identifiers: slug: default-source-authentication model: authentik_flows.flow id: flow - attrs: - execution_logging: false expression: | # This policy ensures that this flow can only be used when the user # is in a SSO Flow (meaning they come from an external IdP) return ak_is_sso_flow - meta_model_name: authentik_policies_expression.expressionpolicy identifiers: name: default-source-authentication-if-sso id: default-source-authentication-if-sso model: authentik_policies_expression.expressionpolicy - attrs: - meta_model_name: authentik_stages_user_login.userloginstage session_duration: seconds=0 identifiers: name: default-source-authentication-login id: default-source-authentication-login model: authentik_stages_user_login.userloginstage -- attrs: - evaluate_on_plan: true - invalid_response_action: retry - policy_engine_mode: all - re_evaluate_policies: false - identifiers: +- identifiers: order: 0 stage: !KeyOf default-source-authentication-login target: !KeyOf flow model: authentik_flows.flowstagebinding -- attrs: - enabled: true - negate: false - timeout: 30 - identifiers: +- identifiers: order: 0 policy: !KeyOf default-source-authentication-if-sso target: !KeyOf flow model: authentik_policies.policybinding -version: 1 diff --git a/blueprints/default/20-flow-default-source-enrollment.yaml b/blueprints/default/20-flow-default-source-enrollment.yaml index 998468e8c..52e55b807 100644 --- a/blueprints/default/20-flow-default-source-enrollment.yaml +++ b/blueprints/default/20-flow-default-source-enrollment.yaml 
@@ -1,12 +1,10 @@ +version: 1 metadata: name: Default - Source enrollment flow entries: - attrs: - compatibility_mode: false designation: enrollment - layout: stacked name: Welcome to authentik! Please select a username. - policy_engine_mode: all title: Welcome to authentik! Please select a username. identifiers: slug: default-source-enrollment @@ -17,7 +15,6 @@ entries: placeholder: Username placeholder_expression: false required: true - sub_text: '' type: text identifiers: field_key: username @@ -25,29 +22,24 @@ entries: id: prompt-field-username model: authentik_stages_prompt.prompt - attrs: - execution_logging: false expression: | # Check if we''ve not been given a username by the external IdP # and trigger the enrollment flow return 'username' not in context.get('prompt_data', {}) - meta_model_name: authentik_policies_expression.expressionpolicy identifiers: name: default-source-enrollment-if-username id: default-source-enrollment-if-username model: authentik_policies_expression.expressionpolicy - attrs: - execution_logging: false expression: | # This policy ensures that this flow can only be used when the user # is in a SSO Flow (meaning they come from an external IdP) return ak_is_sso_flow - meta_model_name: authentik_policies_expression.expressionpolicy identifiers: name: default-source-enrollment-if-sso id: default-source-enrollment-if-sso model: authentik_policies_expression.expressionpolicy - attrs: - meta_model_name: authentik_stages_user_login.userloginstage session_duration: seconds=0 identifiers: name: default-source-enrollment-login 
@@ -56,25 +48,15 @@ entries: - attrs: fields: - !KeyOf prompt-field-username - meta_model_name: authentik_stages_prompt.promptstage - validation_policies: [] identifiers: name: default-source-enrollment-prompt id: default-source-enrollment-prompt model: authentik_stages_prompt.promptstage -- attrs: - create_users_as_inactive: false - create_users_group: null - meta_model_name: authentik_stages_user_write.userwritestage - user_path_template: '' - identifiers: +- identifiers: name: default-source-enrollment-write id: default-source-enrollment-write model: authentik_stages_user_write.userwritestage - attrs: - evaluate_on_plan: true - invalid_response_action: retry - policy_engine_mode: all re_evaluate_policies: true identifiers: order: 0 @@ -82,42 +64,23 @@ entries: target: !KeyOf flow id: prompt-binding model: authentik_flows.flowstagebinding -- attrs: - evaluate_on_plan: true - invalid_response_action: retry - policy_engine_mode: all - re_evaluate_policies: false - identifiers: +- identifiers: order: 1 stage: !KeyOf default-source-enrollment-write target: !KeyOf flow model: authentik_flows.flowstagebinding -- attrs: - evaluate_on_plan: true - invalid_response_action: retry - policy_engine_mode: all - re_evaluate_policies: false - identifiers: +- identifiers: order: 2 stage: !KeyOf default-source-enrollment-login target: !KeyOf flow model: authentik_flows.flowstagebinding -- attrs: - enabled: true - negate: false - timeout: 30 - identifiers: +- identifiers: order: 0 policy: !KeyOf default-source-enrollment-if-sso target: !KeyOf flow model: authentik_policies.policybinding -- attrs: - enabled: true - negate: false - timeout: 30 - identifiers: +- identifiers: order: 0 policy: !KeyOf default-source-enrollment-if-username target: !KeyOf prompt-binding model: authentik_policies.policybinding -version: 1 
diff --git a/blueprints/default/20-flow-default-source-pre-authentication.yaml b/blueprints/default/20-flow-default-source-pre-authentication.yaml index d958b888e..c98843de0 100644 --- a/blueprints/default/20-flow-default-source-pre-authentication.yaml +++ b/blueprints/default/20-flow-default-source-pre-authentication.yaml @@ -1,14 +1,11 @@ +version: 1 metadata: name: Default - Source pre-authentication flow entries: - attrs: - compatibility_mode: false designation: stage_configuration - layout: stacked name: Pre-Authentication - policy_engine_mode: any title: Pre-authentication identifiers: slug: default-source-pre-authentication model: authentik_flows.flow -version: 1 diff --git a/blueprints/default/30-flow-default-user-settings-flow.yaml b/blueprints/default/30-flow-default-user-settings-flow.yaml index d02a8de8a..8254d4865 100644 --- a/blueprints/default/30-flow-default-user-settings-flow.yaml +++ b/blueprints/default/30-flow-default-user-settings-flow.yaml @@ -1,12 +1,10 @@ +version: 1 metadata: name: Default - User settings flow entries: - attrs: - compatibility_mode: false designation: stage_configuration - layout: stacked name: User settings - policy_engine_mode: any title: Update your info identifiers: slug: default-user-settings-flow @@ -21,7 +19,6 @@ entries: return '' placeholder_expression: true required: true - sub_text: '' type: text identifiers: field_key: username @@ -37,7 +34,6 @@ entries: return '' placeholder_expression: true required: true - sub_text: '' type: text identifiers: field_key: name @@ -53,7 +49,6 @@ entries: return '' placeholder_expression: true required: true - sub_text: '' type: email identifiers: field_key: email @@ -69,7 +64,6 @@ entries: return '' placeholder_expression: true required: true - sub_text: '' type: ak-locale identifiers: field_key: attributes.settings.locale 
@@ -77,7 +71,6 @@ entries: id: prompt-field-locale model: authentik_stages_prompt.prompt - attrs: - execution_logging: false expression: | from authentik.lib.config import CONFIG from authentik.core.models import ( @@ -109,17 +102,11 @@ entries: return False return True - meta_model_name: authentik_policies_expression.expressionpolicy identifiers: name: default-user-settings-authorization id: default-user-settings-authorization model: authentik_policies_expression.expressionpolicy -- attrs: - create_users_as_inactive: false - create_users_group: null - meta_model_name: authentik_stages_user_write.userwritestage - user_path_template: '' - identifiers: +- identifiers: name: default-user-settings-write id: default-user-settings-write model: authentik_stages_user_write.userwritestage @@ -129,31 +116,19 @@ entries: - !KeyOf prompt-field-name - !KeyOf prompt-field-email - !KeyOf prompt-field-locale - meta_model_name: authentik_stages_prompt.promptstage validation_policies: - !KeyOf default-user-settings-authorization identifiers: name: default-user-settings id: default-user-settings model: authentik_stages_prompt.promptstage -- attrs: - evaluate_on_plan: true - invalid_response_action: retry - policy_engine_mode: any - re_evaluate_policies: false - identifiers: +- identifiers: order: 20 stage: !KeyOf default-user-settings target: !KeyOf flow model: authentik_flows.flowstagebinding -- attrs: - evaluate_on_plan: true - invalid_response_action: retry - policy_engine_mode: any - re_evaluate_policies: false - identifiers: +- identifiers: order: 100 stage: !KeyOf default-user-settings-write target: !KeyOf flow model: authentik_flows.flowstagebinding -version: 1 diff --git a/blueprints/default/40-events-default.yaml b/blueprints/default/40-events-default.yaml index ad2bdc96d..a5bd390f7 100644 --- a/blueprints/default/40-events-default.yaml +++ b/blueprints/default/40-events-default.yaml 
@@ -18,10 +18,6 @@ entries: id: group identifiers: name: authentik Admins - attrs: - is_superuser: true - users: [] - parent: null - model: authentik_policies_event_matcher.eventmatcherpolicy id: default-match-configuration-error @@ -40,10 +36,6 @@ entries: - !KeyOf default-email-transport - !KeyOf default-local-transport - model: authentik_policies.policybinding - attrs: - enabled: true - negate: false - timeout: 30 identifiers: order: 0 policy: !KeyOf default-match-configuration-error @@ -66,10 +58,6 @@ entries: - !KeyOf default-email-transport - !KeyOf default-local-transport - model: authentik_policies.policybinding - attrs: - enabled: true - negate: false - timeout: 30 identifiers: order: 0 policy: !KeyOf default-match-update @@ -98,19 +86,11 @@ entries: - !KeyOf default-email-transport - !KeyOf default-local-transport - model: authentik_policies.policybinding - attrs: - enabled: true - negate: false - timeout: 30 identifiers: order: 0 policy: !KeyOf default-match-policy-exception target: !KeyOf default-notify-exception - model: authentik_policies.policybinding - attrs: - enabled: true - negate: false - timeout: 30 identifiers: order: 1 policy: !KeyOf default-match-property-mapping-exception diff --git a/blueprints/default/90-default-tenant.yaml b/blueprints/default/90-default-tenant.yaml index c7d0bc16c..6914293e8 100644 --- a/blueprints/default/90-default-tenant.yaml +++ b/blueprints/default/90-default-tenant.yaml @@ -9,4 +9,4 @@ entries: identifiers: domain: authentik-default default: True - model: authentik_tenants.Tenant + model: authentik_tenants.tenant diff --git a/blueprints/default/91-flow-oobe.yaml b/blueprints/default/91-flow-oobe.yaml index ef2b44d6c..8e659d532 100644 --- a/blueprints/default/91-flow-oobe.yaml +++ b/blueprints/default/91-flow-oobe.yaml 
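Review bot: `is_superuser: true` no longer appears on the `authentik Admins` group entry, and unlike the other attributes dropped in this file it is not a model default, so on a fresh install where this entry is what creates the group it would now come into existence without superuser rights while the notification rules below still target it. If the group is guaranteed to be created by an earlier core migration and the blueprint only references it, that is fine, but a one-line comment above the entry such as `# created by core migrations; referenced here only` would keep a later cleanup from treating the entry as the group's definition. If the blueprint is meant to be able to create the group, the attribute should be restored.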
@@ -3,11 +3,9 @@ metadata: version: 1 entries: - attrs: - compatibility_mode: false denied_action: message_continue designation: stage_configuration name: default-oobe-setup - policy_engine_mode: all title: Welcome to authentik! id: flow identifiers: @@ -63,7 +61,6 @@ entries: label: Password (repeat) model: authentik_stages_prompt.prompt - attrs: - execution_logging: false expression: | # This policy sets the user for the currently running flow # by injecting "pending_user" @@ -75,7 +72,6 @@ entries: name: default-oobe-prefill-user model: authentik_policies_expression.expressionpolicy - attrs: - execution_logging: false expression: | # This policy ensures that the setup flow can only be # executed when the admin user doesn''t have a password set @@ -102,18 +98,13 @@ entries: identifiers: name: default-authentication-login model: authentik_stages_user_login.userloginstage -- attrs: - create_users_as_inactive: false - create_users_group: null - user_path_template: '' - id: stage-default-password-change-write +- id: stage-default-password-change-write identifiers: name: default-password-change-write model: authentik_stages_user_write.userwritestage - attrs: evaluate_on_plan: true invalid_response_action: retry - policy_engine_mode: all re_evaluate_policies: false identifiers: order: 10 @@ -123,7 +114,6 @@ entries: - attrs: evaluate_on_plan: false invalid_response_action: retry - policy_engine_mode: all re_evaluate_policies: true id: binding-password-write identifiers: 
@@ -134,27 +124,18 @@ entries: - attrs: evaluate_on_plan: true invalid_response_action: retry - policy_engine_mode: all re_evaluate_policies: false identifiers: order: 100 stage: !KeyOf stage-default-authentication-login target: !KeyOf flow model: authentik_flows.flowstagebinding -- attrs: - enabled: true - negate: false - timeout: 30 - identifiers: +- identifiers: order: 0 policy: !KeyOf policy-default-oobe-password-usable target: !KeyOf flow model: authentik_policies.policybinding -- attrs: - enabled: true - negate: false - timeout: 30 - identifiers: +- identifiers: order: 0 policy: !KeyOf policy-default-oobe-prefill-user target: !KeyOf binding-password-write diff --git a/blueprints/example/flows-login-2fa.yaml b/blueprints/example/flows-login-2fa.yaml index f86846881..b5261895f 100644 --- a/blueprints/example/flows-login-2fa.yaml +++ b/blueprints/example/flows-login-2fa.yaml @@ -17,7 +17,6 @@ entries: id: test-not-app-password model: authentik_policies_expression.expressionpolicy attrs: - execution_logging: false expression: | return context["auth_method"] != "app_password" - identifiers: @@ -35,13 +34,10 @@ entries: - email - username template: stages/identification/login.html - enrollment_flow: null - recovery_flow: null - identifiers: name: default-authentication-flow-mfa id: default-authentication-flow-mfa - model: authentik_stages_authenticator_validate.AuthenticatorValidateStage - attrs: {} + model: authentik_stages_authenticator_validate.authenticatorvalidatestage - identifiers: name: default-authentication-password id: default-authentication-password 
@@ -56,15 +52,11 @@ entries: stage: !KeyOf default-authentication-identification order: 10 model: authentik_flows.flowstagebinding - attrs: - re_evaluate_policies: false - identifiers: target: !KeyOf flow stage: !KeyOf default-authentication-password order: 20 model: authentik_flows.flowstagebinding - attrs: - re_evaluate_policies: false - identifiers: target: !KeyOf flow stage: !KeyOf default-authentication-flow-mfa @@ -72,23 +64,14 @@ entries: model: authentik_flows.flowstagebinding id: flow-binding-mfa attrs: - evaluate_on_plan: false re_evaluate_policies: true - policy_engine_mode: any - invalid_response_action: retry - identifiers: target: !KeyOf flow stage: !KeyOf default-authentication-login order: 100 model: authentik_flows.flowstagebinding - attrs: - re_evaluate_policies: false - identifiers: policy: !KeyOf test-not-app-password target: !KeyOf flow-binding-mfa order: 0 model: authentik_policies.policybinding - attrs: - negate: false - enabled: true - timeout: 30 diff --git a/blueprints/example/flows-login-conditional-captcha.yaml b/blueprints/example/flows-login-conditional-captcha.yaml index ed24f919f..7d313bf8e 100644 --- a/blueprints/example/flows-login-conditional-captcha.yaml +++ b/blueprints/example/flows-login-conditional-captcha.yaml @@ -34,8 +34,6 @@ entries: - email - username template: stages/identification/login.html - enrollment_flow: null - recovery_flow: null - identifiers: name: default-authentication-password id: default-authentication-password @@ -50,15 +48,11 @@ entries: stage: !KeyOf default-authentication-identification order: 10 model: authentik_flows.flowstagebinding - attrs: - re_evaluate_policies: false - identifiers: target: !KeyOf flow stage: !KeyOf default-authentication-password order: 20 model: authentik_flows.flowstagebinding - attrs: - re_evaluate_policies: false - identifiers: target: !KeyOf flow stage: !KeyOf default-authentication-flow-captcha 
@@ -73,8 +67,6 @@ entries: stage: !KeyOf default-authentication-login order: 100 model: authentik_flows.flowstagebinding - attrs: - re_evaluate_policies: false - identifiers: name: default-authentication-flow-conditional-captcha id: default-authentication-flow-conditional-captcha @@ -88,6 +80,3 @@ entries: target: !KeyOf flow-binding-captcha order: 0 model: authentik_policies.policybinding - attrs: - enabled: true - timeout: 30 diff --git a/blueprints/example/flows-recovery-email-verification.yaml b/blueprints/example/flows-recovery-email-verification.yaml index 041e481fd..ef407b568 100644 --- a/blueprints/example/flows-recovery-email-verification.yaml +++ b/blueprints/example/flows-recovery-email-verification.yaml @@ -12,10 +12,6 @@ entries: name: Default recovery flow title: Reset your password designation: recovery - cache_count: 0 - policy_engine_mode: any - compatibility_mode: false - layout: stacked - identifiers: field_key: password label: Password @@ -45,7 +41,6 @@ entries: id: default-recovery-skip-if-restored model: authentik_policies_expression.expressionpolicy attrs: - execution_logging: false expression: | return request.context.get('is_restored', False) - identifiers: @@ -69,10 +64,6 @@ entries: name: default-recovery-user-write id: default-recovery-user-write model: authentik_stages_user_write.userwritestage - attrs: - create_users_as_inactive: false - create_users_group: null - user_path_template: "" - identifiers: name: default-recovery-identification id: default-recovery-identification @@ -81,14 +72,6 @@ entries: user_fields: - email - username - password_stage: null - case_insensitive_matching: true - show_matched_user: true - enrollment_flow: null - recovery_flow: null - passwordless_flow: null - sources: [] - show_source_labels: false - identifiers: name: default-recovery-user-login id: default-recovery-user-login diff --git a/blueprints/schema.json b/blueprints/schema.json index f4c17bb46..3facde094 100644 --- a/blueprints/schema.json 
+++ b/blueprints/schema.json @@ -135,6 +135,7 @@ "description": "Commonly available field, may not exist on all models" } }, + "default": {}, "additionalProperties": true }, "identifiers": { diff --git a/internal/outpost/ldap/search/memory/memory.go b/internal/outpost/ldap/search/memory/memory.go index e4944002d..bc059f392 100644 --- a/internal/outpost/ldap/search/memory/memory.go +++ b/internal/outpost/ldap/search/memory/memory.go @@ -135,7 +135,11 @@ func (ms *MemorySearcher) Search(req *search.Request) (ldap.ServerSearchResult, for _, u := range g.UsersObj { if flags.UserPk == u.Pk { //TODO: Is there a better way to clone this object? - fg := api.NewGroup(g.Pk, g.NumPk, g.Name, g.Parent, g.ParentName, []int32{flags.UserPk}, []api.GroupMember{u}) + fg := api.NewGroup(g.Pk, g.NumPk, g.Name, g.ParentName, []api.GroupMember{u}) + fg.SetUsers([]int32{flags.UserPk}) + if g.Parent.IsSet() { + fg.SetParent(*g.Parent.Get()) + } fg.SetAttributes(g.Attributes) fg.SetIsSuperuser(*g.IsSuperuser) groups = append(groups, group.FromAPIGroup(*fg, ms.si)) diff --git a/schema.yml b/schema.yml index 8c2de8fd6..bd5268986 100644 --- a/schema.yml +++ b/schema.yml @@ -22723,10 +22723,8 @@ components: required: - name - num_pk - - parent - parent_name - pk - - users - users_obj GroupMember: type: object @@ -22833,8 +22831,6 @@ components: additionalProperties: {} required: - name - - parent - - users HaveIBeenPwendPolicy: type: object description: Have I Been Pwned Policy Serializer diff --git a/website/developer-docs/blueprints/index.md b/website/developer-docs/blueprints/index.md new file mode 100644 index 000000000..4e2152957 --- /dev/null +++ b/website/developer-docs/blueprints/index.md 
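Review bot: The added parent check dereferences `*g.Parent.Get()` after testing only `g.Parent.IsSet()`, but with the usual openapi-generator nullable shape `IsSet()` is also true when the API returned `parent: null`, in which case `Get()` is nil and the outpost panics on a nil pointer while serving an LDAP search. `parent` is exactly the field this commit makes optional (the schema.yml hunk drops it from `required`), so a parentless group reaching this branch is the expected case rather than an edge case. Guard the value as well: `if g.Parent.IsSet() && g.Parent.Get() != nil {`. The enclosing Search function starts and ends outside the hunk.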
@@ -0,0 +1,9 @@ +--- +title: Blueprints +--- + +:::info +Requires authentik 2022.8 +::: + +Blueprints offer a new way to template, automate and distribute authentik configuration. Blueprints can be used to automatically configure instances, manage config as code without any external tools, and to distribute application configs. diff --git a/website/developer-docs/blueprints/v1/structure.md b/website/developer-docs/blueprints/v1/structure.md new file mode 100644 index 000000000..16ebc25da --- /dev/null +++ b/website/developer-docs/blueprints/v1/structure.md 
@@ -0,0 +1,61 @@ +--- +title: File structure +--- + +Blueprints are YAML files, which can use some additional tags to ease blueprint creation. + +## Additional Tags + +#### `!KeyOf` + +Example: `policy: !KeyOf my-policy-id` + +Resolves to the primary key of the model instance defined by id _my-policy-id_. + +If no matching entry can be found, an error is raised and the blueprint is invalid. + +#### `!Find` + +Example: `configure_flow: !Find [authentik_flows.flow, [slug, default-password-change]]` + +Looks up any model and resolves to the the matches' primary key. +First argument is the model to be queried, remaining arguments are expected to be pairs of key=value pairs to query for. + +## Structure + +```yaml +# The version of this blueprint, currently 1 +version: 1 +# Optional block of metadata, name is required if metadata is set +metadata: + # Arbitrary key=value store, special labels are listed below + labels: + foo: bar + name: example-blueprint +# List of entries (required) +entries: + - # Model in app.model notation, possibilities are listed in the schema (required) + model: authentik_flows.flow + # Key:value filters to uniquely identify this object (required) + identifiers: + slug: initial-setup + # Optional ID for use with !KeyOf + id: flow + # Attributes to set on the object. Only explicitly required settings should be stated + # as these values will override existing attributes + attrs: + denied_action: message_continue + designation: stage_configuration + name: default-oobe-setup + title: Welcome to authentik! +``` + +## Special Labels + +#### `blueprints.goauthentik.io/system`: + +Used by authentik's packaged blueprints to keep globals up-to-date. Should only be removed in special cases. + +#### `blueprints.goauthentik.io/example`: + +Blueprints with this label are not automatically imported. They are still available when creating a new instance. diff --git a/website/sidebarsDev.js b/website/sidebarsDev.js index 468cd6840..9ed507206 100644 
--- a/website/sidebarsDev.js +++ b/website/sidebarsDev.js @@ -6,9 +6,21 @@ module.exports = { }, { type: "category", - label: "Using the API", + label: "Blueprints", + link: { + type: "doc", + id: "blueprints/index", + }, + items: ["blueprints/v1/structure"], + }, + { + type: "category", + label: "API", + link: { + type: "doc", + id: "api/api", + }, items: [ - "api/api", "api/flow-executor", "api/making-schema-changes", "api/websocket",