From fc851a8efffcc20cc0fa6b69f6c290387dc5995d Mon Sep 17 00:00:00 2001 From: Marc 'risson' Schmitt Date: Mon, 4 Dec 2023 07:53:13 +0100 Subject: [PATCH] make sure embedded outpost is disabled when tenants are enabled Signed-off-by: Marc 'risson' Schmitt --- authentik/lib/default.yml | 5 ++--- authentik/tenants/api.py | 8 +++++++- authentik/tenants/checks.py | 17 +++++++++++++++++ authentik/tenants/urls.py | 13 ++++--------- scripts/generate_config.py | 7 +++---- 5 files changed, 33 insertions(+), 17 deletions(-) create mode 100644 authentik/tenants/checks.py diff --git a/authentik/lib/default.yml b/authentik/lib/default.yml index 24d90344c..02b3edf17 100644 --- a/authentik/lib/default.yml +++ b/authentik/lib/default.yml @@ -111,9 +111,8 @@ cert_discovery_dir: /certs default_token_length: 60 tenants: - api: - enabled: false - key: "" + enabled: false + api_key: "" blueprints_dir: /blueprints diff --git a/authentik/tenants/api.py b/authentik/tenants/api.py index f14984ff4..d384d93b5 100644 --- a/authentik/tenants/api.py +++ b/authentik/tenants/api.py @@ -1,6 +1,7 @@ """Serializer for tenants models""" from hmac import compare_digest +from django.http import Http404 from django_tenants.utils import get_tenant from rest_framework import permissions from rest_framework.authentication import get_authorization_header @@ -23,7 +24,7 @@ class TenantManagementKeyPermission(permissions.BasePermission): def has_permission(self, request: Request, view: View) -> bool: token = validate_auth(get_authorization_header(request)) - key = CONFIG.get("tenants.api.key") + key = CONFIG.get("tenants.api_key") if compare_digest("", key): return False return compare_digest(token, key) 
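Review bot: The key rename (`tenants.api.enabled` → `tenants.enabled`, `tenants.api.key` → `tenants.api_key`) silently orphans any existing override of the old paths, and nothing in this hunk points operators at the new names. Because the new defaults are `enabled: false` and `api_key: ""`, a deployment still using the old keys fails closed (the permission class in api.py denies every request when the key is empty), which is the safe direction, but it will look like the tenant API simply vanished. A one-line comment above the block would save a support round-trip, e.g. `# renamed from tenants.api.enabled / tenants.api.key; the API is only routed when enabled and a non-empty api_key is set`. Whether the old env-var spellings are mapped anywhere else is not visible in this patch.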
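Review bot: `key = CONFIG.get("tenants.api_key")` has no default, so if the key is absent from the effective config (an overridden config file that drops it), `key` may be `None` and `compare_digest("", key)` on the next line raises `TypeError`, turning a deny into a 500 for an unauthenticated caller. The patch's default.yml does define `api_key: ""`, so this only bites when that default is not present, but an auth check should not depend on it. Emptiness is not a secret, so it can be tested directly: `key = CONFIG.get("tenants.api_key", "")` followed by `if not key: return False`, keeping `compare_digest(token, key)` for the actual match. It is also worth confirming that `validate_auth` returns `str` and never `bytes`/`None`, since `compare_digest` raises on mixed types; that helper is outside this hunk.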
@@ -55,6 +56,11 @@ class TenantViewSet(ModelViewSet): permission_classes = [TenantManagementKeyPermission] filter_backends = [OrderingFilter, SearchFilter] + def dispatch(self, request, *args, **kwargs): + if not CONFIG.get_bool("tenants.enabled", True): + return Http404() + return super().dispatch(request, *args, **kwargs) + class DomainSerializer(ModelSerializer): """Domain Serializer""" diff --git a/authentik/tenants/checks.py b/authentik/tenants/checks.py new file mode 100644 index 000000000..319a39948 --- /dev/null +++ b/authentik/tenants/checks.py @@ -0,0 +1,17 @@ +from django.core.checks import Error, register + +from authentik.lib.config import CONFIG + + +@register() +def check_embedded_outpost_disabled(app_configs, **kwargs): + if CONFIG.get_bool("tenants.enabled", False) and not CONFIG.get_bool( + "outposts.disable_embedded_outpost" + ): + return [ + Error( + "Embedded outpost must be disabled when tenants API is enabled.", + hint="Disable embedded outpost by setting outposts.disable_embedded_outpost to False, or disable the tenants API by setting tenants.enabled to False", + ) + ] + return [] diff --git a/authentik/tenants/urls.py b/authentik/tenants/urls.py index ea0cd99ba..6d6768d2d 100644 --- a/authentik/tenants/urls.py +++ b/authentik/tenants/urls.py @@ -1,17 +1,12 @@ """API URLs""" from django.urls import path -from authentik.lib.config import CONFIG from authentik.tenants.api import SettingsView, TenantViewSet api_urlpatterns = [ path("admin/settings/", SettingsView.as_view(), name="tenant_settings"), + ( + "tenants", + TenantViewSet, + ), ] - -if CONFIG.get_bool("tenants.api.enabled", False): - api_urlpatterns += [ - ( - "tenants", - TenantViewSet, - ), - ] diff --git a/scripts/generate_config.py b/scripts/generate_config.py index 7fc9245e3..66f437996 100644 --- a/scripts/generate_config.py +++ b/scripts/generate_config.py 
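Review bot: `return Http404()` in the new `dispatch` returns an exception instance instead of raising it; Django expects an `HttpResponse` from `dispatch`, so with tenants disabled the request is likely to end in a server error from the response middleware rather than a clean 404, and the endpoint's behaviour in the disabled state is untested by this commit. The default in `CONFIG.get_bool("tenants.enabled", True)` is also fail-open and disagrees with default.yml (`enabled: false`) and checks.py (`get_bool("tenants.enabled", False)`): if the key were missing, the tenant management API would be live. Both fix in two lines: `if not CONFIG.get_bool("tenants.enabled", False):` / `    raise Http404()`. A docstring such as `"""Hide the tenant management API (404) unless tenants.enabled is set"""` would make the gate's intent explicit, since urls.py no longer carries it.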
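Review bot: The `hint` in checks.py tells the operator to set `outposts.disable_embedded_outpost` to False, but the check fires exactly when that setting is False, so following the hint cannot clear the error; it should read `hint="Disable the embedded outpost by setting outposts.disable_embedded_outpost to true, or disable tenants by setting tenants.enabled to false",`. Django checks are only registered when the module is imported, and this patch does not touch `apps.py` or any `ready()` hook, so unless `authentik.tenants.checks` is imported elsewhere the check never runs; that wiring is not visible here and is worth confirming. Giving the `Error` an `id` (the usual `"<app>.E001"` convention) lets deployments silence or reference it, and the new module lacks the docstring the other files in this diff carry, e.g. `"""Django system checks for the tenants app"""`. The message says "tenants API" while the setting it reads is `tenants.enabled`; aligning the wording avoids suggesting a separate API toggle still exists.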
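Review bot: With the `CONFIG.get_bool("tenants.api.enabled", ...)` guard removed, `TenantViewSet` is registered unconditionally and the only thing keeping the management API off is the `dispatch` override in api.py; nothing in urls.py signals that, so a later reader will see an ungated route. A comment on the registration would preserve the intent: `# always routed; TenantViewSet.dispatch 404s unless tenants.enabled is set`. Whether the viewset now also appears in the generated API schema regardless of the setting depends on the router, which is outside this hunk and worth checking.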
@@ -14,15 +14,14 @@ with open("local.env.yml", "w", encoding="utf-8") as _config: }, "outposts": { "container_image_base": "ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s", + "disable_embedded_outpost": False, }, "blueprints_dir": "./blueprints", "cert_discovery_dir": "./certs", "geoip": "tests/GeoLite2-City-Test.mmdb", "tenants": { - "api": { - "enabled": True, - "key": generate_id(), - }, + "enabled": False, + "api_key": generate_id(), }, }, _config,
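Review bot: The dev config sets `"disable_embedded_outpost": False` and `"enabled": False` side by side with no indication that they are coupled by the new system check, so a developer who flips `tenants.enabled` to `True` to work on the feature will hit a startup `Error` with (per checks.py as written) an inverted hint. A short comment on the tenants entry would prevent that, e.g. `# enabling tenants requires outposts.disable_embedded_outpost = True (authentik/tenants/checks.py)`. The `with open(...)` block this hunk sits in starts before the hunk.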