make sure embedded outpost is disabled when tenants are enabled

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

authentik/lib/default.yml

@@ -111,9 +111,8 @@ cert_discovery_dir: /certs
 default_token_length: 60
 
 tenants:
-  api:
+  enabled: false
-    enabled: false
+  api_key: ""
-    key: ""
 
 blueprints_dir: /blueprints
 

authentik/tenants/api.py

@@ -1,6 +1,7 @@
 """Serializer for tenants models"""
 from hmac import compare_digest
 
+from django.http import Http404
 from django_tenants.utils import get_tenant
 from rest_framework import permissions
 from rest_framework.authentication import get_authorization_header
@@ -23,7 +24,7 @@ class TenantManagementKeyPermission(permissions.BasePermission):
 
     def has_permission(self, request: Request, view: View) -> bool:
         token = validate_auth(get_authorization_header(request))
-        key = CONFIG.get("tenants.api.key")
+        key = CONFIG.get("tenants.api_key")
         if compare_digest("", key):
             return False
         return compare_digest(token, key)
@@ -55,6 +56,11 @@ class TenantViewSet(ModelViewSet):
     permission_classes = [TenantManagementKeyPermission]
     filter_backends = [OrderingFilter, SearchFilter]
 
+    def dispatch(self, request, *args, **kwargs):
+        if not CONFIG.get_bool("tenants.enabled", True):
+            return Http404()
+        return super().dispatch(request, *args, **kwargs)
+
 
 class DomainSerializer(ModelSerializer):
     """Domain Serializer"""

authentik/tenants/checks.py

@@ -0,0 +1,17 @@
+from django.core.checks import Error, register
+
+from authentik.lib.config import CONFIG
+
+
+@register()
+def check_embedded_outpost_disabled(app_configs, **kwargs):
+    if CONFIG.get_bool("tenants.enabled", False) and not CONFIG.get_bool(
+        "outposts.disable_embedded_outpost"
+    ):
+        return [
+            Error(
+                "Embedded outpost must be disabled when tenants API is enabled.",
+                hint="Disable embedded outpost by setting outposts.disable_embedded_outpost to False, or disable the tenants API by setting tenants.enabled to False",
+            )
+        ]
+    return []

authentik/tenants/urls.py

@@ -1,17 +1,12 @@
 """API URLs"""
 from django.urls import path
 
-from authentik.lib.config import CONFIG
 from authentik.tenants.api import SettingsView, TenantViewSet
 
 api_urlpatterns = [
     path("admin/settings/", SettingsView.as_view(), name="tenant_settings"),
+    (
+        "tenants",
+        TenantViewSet,
+    ),
 ]
-
-if CONFIG.get_bool("tenants.api.enabled", False):
-    api_urlpatterns += [
-        (
-            "tenants",
-            TenantViewSet,
-        ),
-    ]

scripts/generate_config.py

@@ -14,15 +14,14 @@ with open("local.env.yml", "w", encoding="utf-8") as _config:
             },
             "outposts": {
                 "container_image_base": "ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s",
+                "disable_embedded_outpost": False,
             },
             "blueprints_dir": "./blueprints",
             "cert_discovery_dir": "./certs",
             "geoip": "tests/GeoLite2-City-Test.mmdb",
             "tenants": {
-                "api": {
+                "enabled": False,
-                    "enabled": True,
+                "api_key": generate_id(),
-                    "key": generate_id(),
-                },
             },
         },
         _config,