From f4990bb5da8180b9f8df72e247995571ab39b2ef Mon Sep 17 00:00:00 2001
From: Jens L
Date: Tue, 20 Dec 2022 22:09:30 +0100
Subject: [PATCH] core: bundle geoip (#4250)

* bundle geoip

Signed-off-by: Jens Langhammer

* correctly pass secrets

Signed-off-by: Jens Langhammer

* add geoip docs and release notes

Signed-off-by: Jens Langhammer

Signed-off-by: Jens Langhammer
---
 .dockerignore | 2 +-
 .github/workflows/ci-main.yml | 3 +
 .github/workflows/release-publish.yml | 11 +-
 Dockerfile | 17 +-
 docker-compose.yml | 13 --
 website/docs/core/geoip.mdx | 105 +++++++++++
 website/docs/flow/stages/captcha/index.md | 12 +-
 website/docs/installation/configuration.md | 4 +
 website/docs/installation/docker-compose.md | 16 --
 website/docs/policies/expression.mdx | 2 +-
 website/docs/releases/v2022.12.md | 194 ++++++++++++++++++++
 website/sidebars.js | 4 +-
 12 files changed, 348 insertions(+), 35 deletions(-)
 create mode 100644 website/docs/core/geoip.mdx
 create mode 100644 website/docs/releases/v2022.12.md

diff --git a/.dockerignore b/.dockerignore
index 94cf9d0ab..b1eb0cd9b 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,8 +1,8 @@
 env
-static
 htmlcov
 *.env.yml
 **/node_modules
 dist/**
 build/**
 build_docs/**
+Dockerfile
diff --git a/.github/workflows/ci-main.yml b/.github/workflows/ci-main.yml
index 9e0686754..0371bcf9e 100644
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@@ -208,6 +208,9 @@ jobs:
 - name: Building Docker Image
 uses: docker/build-push-action@v3
 with:
+ secrets: |
+ GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
+ GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
 push: ${{ steps.ev.outputs.shouldBuild == 'true' }}
 tags: |
 ghcr.io/goauthentik/dev-server:gh-${{ steps.ev.outputs.branchNameContainer }}
diff --git a/.github/workflows/release-publish.yml b/.github/workflows/release-publish.yml
index d98f8e884..c09b8332b 100644
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@@ -31,6 +31,9 @@ jobs:
 uses: docker/build-push-action@v3
 with:
 push: ${{ github.event_name == 'release' }}
+ secrets:
+ GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
+ GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
 tags: |
 beryju/authentik:${{ steps.ev.outputs.version }},
 beryju/authentik:${{ steps.ev.outputs.versionFamily }},
@@ -39,7 +42,8 @@ jobs:
 ghcr.io/goauthentik/server:${{ steps.ev.outputs.versionFamily }},
 ghcr.io/goauthentik/server:latest
 platforms: linux/amd64,linux/arm64
- context: .
+ build-args: |
+ VERSION_FAMILY=${{ steps.ev.outputs.versionFamily }}
 build-outpost:
 runs-on: ubuntu-latest
 strategy:
@@ -84,6 +88,11 @@ jobs:
 ghcr.io/goauthentik/${{ matrix.type }}:latest
 file: ${{ matrix.type }}.Dockerfile
 platforms: linux/amd64,linux/arm64
+ secrets: |
+ GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
+ GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
+ build-args: |
+ VERSION_FAMILY=${{ steps.ev.outputs.versionFamily }}
 build-outpost-binary:
 timeout-minutes: 120
 runs-on: ubuntu-latest
diff --git a/Dockerfile b/Dockerfile
index 37b399542..8ccbd20e3 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -46,7 +46,21 @@ COPY ./go.sum /work/go.sum
 
 RUN go build -o /work/authentik ./cmd/server/
 
-# Stage 5: Run
+# Stage 5: MaxMind GeoIP
+FROM docker.io/maxmindinc/geoipupdate:v4.10 as geoip
+
+ENV GEOIPUPDATE_EDITION_IDS="GeoLite2-City"
+
+RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
+ --mount=type=secret,id=GEOIPUPDATE_LICENSE_KEY \
+ mkdir -p /usr/share/GeoIP && \
+ /bin/sh -c "\
+ export GEOIPUPDATE_ACCOUNT_ID=$(cat /run/secrets/GEOIPUPDATE_ACCOUNT_ID); \
+ export GEOIPUPDATE_LICENSE_KEY=$(cat /run/secrets/GEOIPUPDATE_LICENSE_KEY); \
+ /usr/bin/entry.sh || exit 0 \
+ "
+
+# Stage 6: Run
 FROM docker.io/python:3.11.1-slim-bullseye AS final-image
 
 LABEL org.opencontainers.image.url https://goauthentik.io
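Review bot: The `secrets:` key added in the first hunk (`@@ -31,6 +31,9 @@`) has no `|` block-scalar indicator, so YAML folds the two indented lines into one plain scalar, `GEOIPUPDATE_ACCOUNT_ID=<id> GEOIPUPDATE_LICENSE_KEY=<key>`, and build-push-action receives a single secret whose value contains the license-key assignment while no `GEOIPUPDATE_LICENSE_KEY` secret exists to mount. Because the Dockerfile's geoip stage exits 0 on any failure, the release build would still succeed and publish server images without the database this commit advertises as bundled. The third hunk in this file (`@@ -84,6 +88,11 @@`) and the ci-main.yml hunk already write it correctly; change the line to `secrets: |`. Separately, dropping `context: .` in the second hunk appears to make build-push-action fall back to its default Git context instead of the checked-out workspace, a behaviour change the commit message does not mention — worth confirming it is intended.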
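Review bot: `/usr/bin/entry.sh || exit 0` in the new geoip stage turns a failed or credential-less download into a successful build, so an image can be published with an empty `/usr/share/GeoIP` (copied to `/geoip` in the next hunk) while the docs added in this commit say GeoIP needs no setup, and nothing in the build log separates the two outcomes. The fallback is presumably deliberate so forks and pull requests without secrets still build, so state that and make the degraded case visible: add a comment such as `# Tolerate missing/invalid MaxMind credentials so builds without secrets (forks, PRs) succeed; the image then ships without a GeoIP database` and change the line to `/usr/bin/entry.sh || { echo "WARNING: GeoIP database not downloaded" >&2; exit 0; }`, with a `test -f /usr/share/GeoIP/GeoLite2-City.mmdb` check in the release workflow where a missing database should fail. `docker.io/maxmindinc/geoipupdate:v4.10` is a mutable tag that now feeds every published image; pinning it by digest (`v4.10@sha256:<digest>`) keeps the stage reproducible. The nested `/bin/sh -c "..."` is also unnecessary, since the `$(cat /run/secrets/...)` substitutions are expanded by the outer RUN shell anyway; exporting the two variables and calling `entry.sh` directly in the RUN shell removes the quoting and the secret values from the child's command line.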
@@ -60,6 +74,7 @@ ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
 
 COPY --from=poetry-locker /work/requirements.txt /
 COPY --from=poetry-locker /work/requirements-dev.txt /
+COPY --from=geoip /usr/share/GeoIP /geoip
 
 RUN apt-get update && \
 # Required for installing pip packages
diff --git a/docker-compose.yml b/docker-compose.yml
index ca289fa98..837b10fa9 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -44,7 +44,6 @@ services:
 volumes:
 - ./media:/media
 - ./custom-templates:/templates
- - geoip:/geoip
 env_file:
 - .env
 ports:
@@ -72,16 +71,6 @@ services:
 - ./media:/media
 - ./certs:/certs
 - ./custom-templates:/templates
- - geoip:/geoip
- env_file:
- - .env
- geoipupdate:
- image: "maxmindinc/geoipupdate:latest"
- volumes:
- - "geoip:/usr/share/GeoIP"
- environment:
- GEOIPUPDATE_EDITION_IDS: "GeoLite2-City"
- GEOIPUPDATE_FREQUENCY: "8"
 env_file:
 - .env
 
@@ -90,5 +79,3 @@ volumes:
 driver: local
 redis:
 driver: local
- geoip:
- driver: local
diff --git a/website/docs/core/geoip.mdx b/website/docs/core/geoip.mdx
new file mode 100644
index 000000000..b3cedbe47
--- /dev/null
+++ b/website/docs/core/geoip.mdx
@@ -0,0 +1,105 @@ +# GeoIP + +authentik supports GeoIP to add additional information to login/authorization/enrollment requests, and make policy decisions based on the lookup result. + +### Configuration + +:::info +Starting with authentik 2022.12, GeoIP is bundled and does not require any additional setup. +::: + +By default, the GeoIP database is loaded from `/geoip/GeoLite2-City.mmdb`. If more frequent database updates are desired, a volume can be mounted to `/geoip` to update this file externally. authentik will automatically re-load the file when it changes. + +### Deactivating GeoIP + +If you want to disable GeoIP, you can set the path to a non-existent path and authentik will skip the GeoIP. + +import Tabs from "@theme/Tabs"; +import TabItem from "@theme/TabItem"; + + + +Add the following block to your `.env` file: + +```shell +AUTHENTIK_GEOIP=/tmp/non-existent-file +``` + +Afterwards, run the upgrade commands from the latest release notes. + + + +Add the following block to your `values.yml` file: + +```yaml +authentik: + geoip: /tmp/non-existent-file +``` + +Afterwards, run the upgrade commands from the latest release notes. + + + + +### External updates + +Sign up for a free MaxMind account [here](https://www.maxmind.com/en/geolite2/signup). + + + +Add the following block to a `docker-compose.override.yml` file in the same folder as the authentik docker-compose file: + +```yaml +version: "3.2" + +services: + server: + volumes: + - geoip:/geoip + worker: + volumes: + - geoip:/geoip + geoipupdate: + image: "maxmindinc/geoipupdate:latest" + volumes: + - "geoip:/usr/share/GeoIP" + environment: + GEOIPUPDATE_EDITION_IDS: "GeoLite2-City" + GEOIPUPDATE_FREQUENCY: "8" + GEOIPUPDATE_ACCOUNT_ID: "*your account ID*" + GEOIPUPDATE_LICENSE_KEY: "*your license key*" +volumes: + geoip: + driver: local +``` + +Afterwards, run the upgrade commands from the latest release notes. 
+ + + +Add the following block to your `values.yml` file: + +```yaml +geoip: + enabled: true + accountId: "*your account ID*" + licenseKey: "*your license key*" + editionIds: "GeoLite2-City" + image: maxmindinc/geoipupdate:v4.8 + updateInterval: 8 +``` + +Afterwards, run the upgrade commands from the latest release notes. + + + diff --git a/website/docs/flow/stages/captcha/index.md b/website/docs/flow/stages/captcha/index.md index e4cf069ba..3a2f50a83 100644 --- a/website/docs/flow/stages/captcha/index.md +++ b/website/docs/flow/stages/captcha/index.md @@ -2,8 +2,18 @@ title: Captcha stage --- -This stage adds a form of verification using [Google's ReCaptcha](https://www.google.com/recaptcha/intro/v3.html). +This stage adds a form of verification using [Google's ReCaptcha](https://www.google.com/recaptcha/intro/v3.html) or compatible services. + +### Google ReCaptcha This stage has two required fields: Public key and private key. These can both be acquired at https://www.google.com/recaptcha/admin. ![](captcha-admin.png) + +### hCaptcha + +See https://docs.hcaptcha.com/switch + +### Turnstile + +See https://developers.cloudflare.com/turnstile/get-started/migrating-from-recaptcha diff --git a/website/docs/installation/configuration.md b/website/docs/installation/configuration.md index dc0fe9da4..f69660b69 100644 --- a/website/docs/installation/configuration.md +++ b/website/docs/installation/configuration.md @@ -78,6 +78,10 @@ Defaults to `info`. Which domain the session cookie should be set to. By default, the cookie is set to the domain authentik is accessed under. +### `AUTHENTIK_GEOIP` + +Path to the GeoIP database. Defaults to `/geoip/GeoLite2-City.mmdb`. If the file is not found, authentik will skip GeoIP support. + ### `AUTHENTIK_DISABLE_UPDATE_CHECK` Disable the inbuilt update-checker. Defaults to `false`. diff --git a/website/docs/installation/docker-compose.md b/website/docs/installation/docker-compose.md index d16398266..6f397baa8 100644 
--- a/website/docs/installation/docker-compose.md +++ b/website/docs/installation/docker-compose.md @@ -49,22 +49,6 @@ AUTHENTIK_EMAIL__TIMEOUT=10 AUTHENTIK_EMAIL__FROM=authentik@localhost ``` -## GeoIP configuration (optional) - -authentik can use a MaxMind-formatted GeoIP Database to extract location data from IPs. You can then use this location data in policies, and location data is saved in events. - -To configure GeoIP, sign up for a free MaxMind account [here](https://www.maxmind.com/en/geolite2/signup). - -After you have your account ID and license key, add the following block to your `.env` file: - -```shell -GEOIPUPDATE_ACCOUNT_ID=*your account ID* -GEOIPUPDATE_LICENSE_KEY=* your license key* -AUTHENTIK_AUTHENTIK__GEOIP=/geoip/GeoLite2-City.mmdb -``` - -The GeoIP database will automatically be updated every 8 hours. - ## Running on Port 80/443 By default, authentik listens on port 9000 for HTTP and 9443 for HTTPS. To change this, you can set the following variables in `.env`: diff --git a/website/docs/policies/expression.mdx b/website/docs/policies/expression.mdx index 1c6200f6f..54d6ba7f6 100644 --- a/website/docs/policies/expression.mdx +++ b/website/docs/policies/expression.mdx @@ -70,7 +70,7 @@ import Objects from "../expressions/_objects.md"; - `request.obj`: A Django Model instance. This is only set if the policy is ran against an object. - `request.context`: A dictionary with dynamic data. This depends on the origin of the execution. -- `geoip`: GeoIP object, which is added when GeoIP is enabled. See [GeoIP](https://geoip2.readthedocs.io/en/latest/#geoip2.models.City) +- `geoip`: GeoIP object, see [GeoIP](https://geoip2.readthedocs.io/en/latest/#geoip2.models.City) - `ak_is_sso_flow`: Boolean which is true if request was initiated by authenticating through an external provider. - `ak_client_ip`: Client's IP Address or 255.255.255.255 if no IP Address could be extracted. Can be [compared](#comparing-ip-addresses), for example 
diff --git a/website/docs/releases/v2022.12.md b/website/docs/releases/v2022.12.md
new file mode 100644
index 000000000..21d5320b1
--- /dev/null
+++ b/website/docs/releases/v2022.12.md
@@ -0,0 +1,194 @@ +--- +title: Release 2022.12 +slug: "2022.12" +--- + +## New features + +- Bundled GeoIP City database + + authentik now comes with a bundled MaxMind GeoLite2 City database. This allows everyone to take advantage of the extra data provided by GeoIP. The default docker-compose file removes the GeoIP update container as it is no longer needed. See more [here](../core/geoip) + +- Customisable Captcha stage + + The captcha stage now supports alternate compatible providers, like [hCaptcha](https://docs.hcaptcha.com/switch/) and [Turnstile](https://developers.cloudflare.com/turnstile/get-started/migrating-from-recaptcha/). + +## Upgrading + +This release does not introduce any new requirements. + +### docker-compose + +Download the docker-compose file for 2022.12 from [here](https://goauthentik.io/version/2022.12/docker-compose.yml). Afterwards, simply run `docker-compose up -d`. + +### Kubernetes + +Update your values to use the new images: + +```yaml +image: + repository: ghcr.io/goauthentik/server + tag: 2022.12.0 +``` + +## Minor changes/fixes + +## API Changes + +#### What's Changed + +--- + +##### `GET` /stages/captcha/{stage_uuid}/ + +###### Return Type: + +Changed response : **200 OK** + +- Changed content type : `application/json` + + - Added property `js_url` (string) + + - Added property `api_url` (string) + + - Changed property `public_key` (string) + > Public key, acquired your captcha Provider. + +##### `PUT` /stages/captcha/{stage_uuid}/ + +###### Request: + +Changed content type : `application/json` + +- Added property `js_url` (string) + +- Added property `api_url` (string) + +- Changed property `public_key` (string) + + > Public key, acquired your captcha Provider. + +- Changed property `private_key` (string) + > Private key, acquired your captcha Provider. 
+ +###### Return Type: + +Changed response : **200 OK** + +- Changed content type : `application/json` + + - Added property `js_url` (string) + + - Added property `api_url` (string) + + - Changed property `public_key` (string) + > Public key, acquired your captcha Provider. + +##### `PATCH` /stages/captcha/{stage_uuid}/ + +###### Request: + +Changed content type : `application/json` + +- Added property `js_url` (string) + +- Added property `api_url` (string) + +- Changed property `public_key` (string) + + > Public key, acquired your captcha Provider. + +- Changed property `private_key` (string) + > Private key, acquired your captcha Provider. + +###### Return Type: + +Changed response : **200 OK** + +- Changed content type : `application/json` + + - Added property `js_url` (string) + + - Added property `api_url` (string) + + - Changed property `public_key` (string) + > Public key, acquired your captcha Provider. + +##### `GET` /flows/executor/{flow_slug}/ + +###### Return Type: + +Changed response : **200 OK** + +- Changed content type : `application/json` + + Updated `ak-stage-captcha` component: + New required properties: + + - `js_url` + + * Added property `js_url` (string) + +##### `POST` /flows/executor/{flow_slug}/ + +###### Return Type: + +Changed response : **200 OK** + +- Changed content type : `application/json` + + Updated `ak-stage-captcha` component: + New required properties: + + - `js_url` + + * Added property `js_url` (string) + +##### `POST` /stages/captcha/ + +###### Request: + +Changed content type : `application/json` + +- Added property `js_url` (string) + +- Added property `api_url` (string) + +- Changed property `public_key` (string) + + > Public key, acquired your captcha Provider. + +- Changed property `private_key` (string) + > Private key, acquired your captcha Provider. 
+ +###### Return Type: + +Changed response : **201 Created** + +- Changed content type : `application/json` + + - Added property `js_url` (string) + + - Added property `api_url` (string) + + - Changed property `public_key` (string) + > Public key, acquired your captcha Provider. + +##### `GET` /stages/captcha/ + +###### Return Type: + +Changed response : **200 OK** + +- Changed content type : `application/json` + + - Changed property `results` (array) + + Changed items (object): > CaptchaStage Serializer + + - Added property `js_url` (string) + + - Added property `api_url` (string) + + - Changed property `public_key` (string) + > Public key, acquired your captcha Provider. diff --git a/website/sidebars.js b/website/sidebars.js index dffe9505d..9ab48af07 100644 --- a/website/sidebars.js +++ b/website/sidebars.js @@ -34,6 +34,7 @@ module.exports = { "core/applications", "core/tenants", "core/certificates", + "core/geoip", ], }, { @@ -217,13 +218,14 @@ module.exports = { description: "Release notes for recent authentik versions", }, items: [ + "releases/v2022.12", "releases/v2022.11", "releases/v2022.10", - "releases/v2022.9", { type: "category", label: "Previous versions", items: [ + "releases/v2022.9", "releases/v2022.8", "releases/v2022.7", "releases/v2022.6",