make sure embedded outpost is disabled when tenants are enabled
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
This commit is contained in:
parent
e14f1e2cfb
commit
fc851a8eff
|
@ -111,9 +111,8 @@ cert_discovery_dir: /certs
|
|||
default_token_length: 60
|
||||
|
||||
tenants:
|
||||
api:
|
||||
enabled: false
|
||||
key: ""
|
||||
api_key: ""
|
||||
|
||||
blueprints_dir: /blueprints
|
||||
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
"""Serializer for tenants models"""
|
||||
from hmac import compare_digest
|
||||
|
||||
from django.http import Http404
|
||||
from django_tenants.utils import get_tenant
|
||||
from rest_framework import permissions
|
||||
from rest_framework.authentication import get_authorization_header
|
||||
|
@ -23,7 +24,7 @@ class TenantManagementKeyPermission(permissions.BasePermission):
|
|||
|
||||
def has_permission(self, request: Request, view: View) -> bool:
|
||||
token = validate_auth(get_authorization_header(request))
|
||||
key = CONFIG.get("tenants.api.key")
|
||||
key = CONFIG.get("tenants.api_key")
|
||||
if compare_digest("", key):
|
||||
return False
|
||||
return compare_digest(token, key)
|
||||
|
@ -55,6 +56,11 @@ class TenantViewSet(ModelViewSet):
|
|||
permission_classes = [TenantManagementKeyPermission]
|
||||
filter_backends = [OrderingFilter, SearchFilter]
|
||||
|
||||
def dispatch(self, request, *args, **kwargs):
|
||||
if not CONFIG.get_bool("tenants.enabled", True):
|
||||
return Http404()
|
||||
return super().dispatch(request, *args, **kwargs)
|
||||
|
||||
|
||||
class DomainSerializer(ModelSerializer):
|
||||
"""Domain Serializer"""
|
||||
|
|
|
@ -0,0 +1,17 @@
|
|||
from django.core.checks import Error, register
|
||||
|
||||
from authentik.lib.config import CONFIG
|
||||
|
||||
|
||||
@register()
|
||||
def check_embedded_outpost_disabled(app_configs, **kwargs):
|
||||
if CONFIG.get_bool("tenants.enabled", False) and not CONFIG.get_bool(
|
||||
"outposts.disable_embedded_outpost"
|
||||
):
|
||||
return [
|
||||
Error(
|
||||
"Embedded outpost must be disabled when tenants API is enabled.",
|
||||
hint="Disable embedded outpost by setting outposts.disable_embedded_outpost to False, or disable the tenants API by setting tenants.enabled to False",
|
||||
)
|
||||
]
|
||||
return []
|
|
@ -1,15 +1,10 @@
|
|||
"""API URLs"""
|
||||
from django.urls import path
|
||||
|
||||
from authentik.lib.config import CONFIG
|
||||
from authentik.tenants.api import SettingsView, TenantViewSet
|
||||
|
||||
api_urlpatterns = [
|
||||
path("admin/settings/", SettingsView.as_view(), name="tenant_settings"),
|
||||
]
|
||||
|
||||
if CONFIG.get_bool("tenants.api.enabled", False):
|
||||
api_urlpatterns += [
|
||||
(
|
||||
"tenants",
|
||||
TenantViewSet,
|
||||
|
|
|
@ -14,15 +14,14 @@ with open("local.env.yml", "w", encoding="utf-8") as _config:
|
|||
},
|
||||
"outposts": {
|
||||
"container_image_base": "ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s",
|
||||
"disable_embedded_outpost": False,
|
||||
},
|
||||
"blueprints_dir": "./blueprints",
|
||||
"cert_discovery_dir": "./certs",
|
||||
"geoip": "tests/GeoLite2-City-Test.mmdb",
|
||||
"tenants": {
|
||||
"api": {
|
||||
"enabled": True,
|
||||
"key": generate_id(),
|
||||
},
|
||||
"enabled": False,
|
||||
"api_key": generate_id(),
|
||||
},
|
||||
},
|
||||
_config,
|
||||
|
|
Reference in New Issue