Compare commits
157 Commits
trustchain
...
sources/sc
Author | SHA1 | Date |
---|---|---|
Jens Langhammer | 10d76fa4f1 | |
Jens Langhammer | 16bc7408e7 | |
Jens Langhammer | 7f12b14145 | |
Jens Langhammer | 619f356ecc | |
Jens Langhammer | d99a81d32f | |
Jens Langhammer | f1426be34c | |
Jens Langhammer | 4698194a4a | |
Jens Langhammer | 1a57f14f59 | |
Jens Langhammer | 2cab4b7cda | |
Jens L | 51d3511f8b | |
dependabot[bot] | 6a8eae6780 | |
Jens L | 99cecdb3ca | |
Tana M Berry | bac7e034f8 | |
Jens L | 3d66923310 | |
Jens L | 95c71016ae | |
Tana M Berry | 5cfae6e117 | |
Marc 'risson' Schmitt | a2e5de1656 | |
Jens L | 0d59d24989 | |
Jens L | 01ffece9ff | |
dependabot[bot] | 5b5fc42a0c | |
transifex-integration[bot] | 8cd352a600 | |
transifex-integration[bot] | 2a3fd88081 | |
dependabot[bot] | d39d8e6195 | |
dependabot[bot] | b3d86374aa | |
dependabot[bot] | 76db5b69de | |
dependabot[bot] | 1ac3d6ddcb | |
dependabot[bot] | f4c6a0af1f | |
transifex-integration[bot] | d0c392f311 | |
transifex-integration[bot] | af1fed3308 | |
Jens L | deb0cb236e | |
Jens L | 31592712a4 | |
dependabot[bot] | 627b3bc095 | |
dependabot[bot] | ce667c6457 | |
dependabot[bot] | 9b89ba0659 | |
dependabot[bot] | c86d347034 | |
dependabot[bot] | 5b3a15173a | |
dependabot[bot] | 0430c16f8a | |
dependabot[bot] | 554481f81f | |
dependabot[bot] | 2c84e3d955 | |
Jens L | dc7ffba8fa | |
thijs_a | 695719540b | |
authentik-automation[bot] | 0e019e18c9 | |
Jens L | f728bbb14b | |
Jens L | 4080080acd | |
authentik-automation[bot] | 0a0f87b9ca | |
dependabot[bot] | 7699a119a3 | |
dependabot[bot] | 73fbcde924 | |
dependabot[bot] | a1efcc4da9 | |
dependabot[bot] | d594574ffa | |
dependabot[bot] | dbbb5e75cf | |
dependabot[bot] | ddb73db287 | |
dependabot[bot] | 143f092153 | |
dependabot[bot] | d89adef963 | |
dependabot[bot] | 5f3cbf6f7f | |
transifex-integration[bot] | a9fdacc60b | |
Philipp Kolberg | 9db9ad3d66 | |
dependabot[bot] | 11dcda77fa | |
dependabot[bot] | 4ce5f0931b | |
dependabot[bot] | f8e2cd5639 | |
dependabot[bot] | 8b4f66e457 | |
dependabot[bot] | 939631c94e | |
dependabot[bot] | 467a149c06 | |
Tana M Berry | f62f720c55 | |
authentik-automation[bot] | ba8fd9fcb2 | |
dependabot[bot] | fdc323af62 | |
dependabot[bot] | 44bac0d67b | |
dependabot[bot] | 191514864e | |
dependabot[bot] | 258a4d5283 | |
dependabot[bot] | 62a85fb888 | |
dependabot[bot] | 7685320466 | |
Jens Langhammer | c30a2406a9 | |
Jens L | 9232042c55 | |
Marc 'risson' Schmitt | d8b1a59dad | |
Jens L | 1e05d38059 | |
Marc 'risson' Schmitt | d5871fef4e | |
Andrey | 7f4fa70a41 | |
Jens Langhammer | fa0c4d8410 | |
Jens Langhammer | aeb24889fd | |
Jens Langhammer | 8ac9042501 | |
Marc 'risson' Schmitt | 2d821a07c6 | |
Andrey | 9680106b45 | |
dependabot[bot] | 709358615c | |
dependabot[bot] | 0ad1b42706 | |
dependabot[bot] | 2333e1f434 | |
dependabot[bot] | 4444db9e6d | |
dependabot[bot] | c5d483a238 | |
Ken Sternberg | cc1c66aa13 | |
Ken Sternberg | 67d6c0e8af | |
dependabot[bot] | b9afac5008 | |
François-Xavier Payet | aadda1f314 | |
dependabot[bot] | 293fa2e375 | |
dependabot[bot] | ddb1597501 | |
dependabot[bot] | 96f8e961ea | |
dependabot[bot] | f699dba2ae | |
dependabot[bot] | 250e8ee4a1 | |
dependabot[bot] | ce47755049 | |
transifex-integration[bot] | 8125a790a9 | |
transifex-integration[bot] | b7e653db6a | |
transifex-integration[bot] | 74958693a1 | |
dependabot[bot] | cadc311703 | |
dependabot[bot] | 924f3c9075 | |
Jens L | a7933c84c1 | |
Jens L | fe1a06ebf2 | |
dependabot[bot] | 823e7dbe1a | |
macmoritz | 90b8217eb2 | |
dependabot[bot] | c897271756 | |
dependabot[bot] | d1c9d41954 | |
dependabot[bot] | 1906a10b1a | |
dependabot[bot] | a03cc57473 | |
dependabot[bot] | e00799b314 | |
dependabot[bot] | faa5ce3e83 | |
dependabot[bot] | 937d025ef6 | |
dependabot[bot] | a748a61cd6 | |
dependabot[bot] | b24420598c | |
dependabot[bot] | b005ec7684 | |
dependabot[bot] | 6f6ee29738 | |
dependabot[bot] | ff3fef6d09 | |
dependabot[bot] | 515958157c | |
Jens L | dd4e9030b4 | |
Jens L | f94670cad7 | |
dependabot[bot] | b4dd74f2ff | |
dependabot[bot] | 9a2b548bf6 | |
dependabot[bot] | d6e3de4f48 | |
dependabot[bot] | 30ccaaf97c | |
Jens L | 3d9f7ee27e | |
Tana M Berry | 211dcf3272 | |
transifex-integration[bot] | 1d0b8a065b | |
dependabot[bot] | 7f82b555c8 | |
dependabot[bot] | f7aec3cf28 | |
dependabot[bot] | c6c133f67d | |
dependabot[bot] | 73db23f21f | |
dependabot[bot] | 4744f5c6c6 | |
Philipp Kolberg | e92bda2659 | |
gc4g40u6 | a10392efcc | |
dependabot[bot] | e52f13afae | |
dependabot[bot] | 07c50a43ae | |
dependabot[bot] | 0cd2f68bf3 | |
dependabot[bot] | 4ef10f1cec | |
dependabot[bot] | 43151c09e2 | |
dependabot[bot] | 871b5f3246 | |
dependabot[bot] | ed66bdaec4 | |
dependabot[bot] | 345022f1aa | |
dependabot[bot] | f296862d3c | |
dependabot[bot] | 5aca310d10 | |
dependabot[bot] | 7dab5dc03f | |
dependabot[bot] | 2d6e0984d1 | |
Jens L | 028c7af00f | |
Ken Sternberg | 6df83e4259 | |
dependabot[bot] | afdca418e1 | |
senare | d8728c1749 | |
dependabot[bot] | e5afabb221 | |
dependabot[bot] | a0a6ee0769 | |
dependabot[bot] | a65bb0b29f | |
dependabot[bot] | 3df7b5504e | |
authentik-automation[bot] | 99f44ea805 | |
Jens Langhammer | 97ccc84796 | |
Jens Langhammer | a43b2fb17c |
|
@ -1,5 +1,5 @@
|
||||||
[bumpversion]
|
[bumpversion]
|
||||||
current_version = 2023.10.2
|
current_version = 2023.10.3
|
||||||
tag = True
|
tag = True
|
||||||
commit = True
|
commit = True
|
||||||
parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)
|
parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)
|
||||||
|
|
|
@ -11,6 +11,7 @@ on:
|
||||||
pull_request:
|
pull_request:
|
||||||
branches:
|
branches:
|
||||||
- main
|
- main
|
||||||
|
- version-*
|
||||||
|
|
||||||
env:
|
env:
|
||||||
POSTGRES_DB: authentik
|
POSTGRES_DB: authentik
|
||||||
|
@ -185,6 +186,9 @@ jobs:
|
||||||
build:
|
build:
|
||||||
needs: ci-core-mark
|
needs: ci-core-mark
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
permissions:
|
||||||
|
# Needed to upload contianer images to ghcr.io
|
||||||
|
packages: write
|
||||||
timeout-minutes: 120
|
timeout-minutes: 120
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v4
|
||||||
|
@ -235,6 +239,9 @@ jobs:
|
||||||
build-arm64:
|
build-arm64:
|
||||||
needs: ci-core-mark
|
needs: ci-core-mark
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
permissions:
|
||||||
|
# Needed to upload contianer images to ghcr.io
|
||||||
|
packages: write
|
||||||
timeout-minutes: 120
|
timeout-minutes: 120
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v4
|
||||||
|
|
|
@ -9,6 +9,7 @@ on:
|
||||||
pull_request:
|
pull_request:
|
||||||
branches:
|
branches:
|
||||||
- main
|
- main
|
||||||
|
- version-*
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
lint-golint:
|
lint-golint:
|
||||||
|
@ -65,6 +66,9 @@ jobs:
|
||||||
- ldap
|
- ldap
|
||||||
- radius
|
- radius
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
permissions:
|
||||||
|
# Needed to upload contianer images to ghcr.io
|
||||||
|
packages: write
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
|
|
|
@ -9,6 +9,7 @@ on:
|
||||||
pull_request:
|
pull_request:
|
||||||
branches:
|
branches:
|
||||||
- main
|
- main
|
||||||
|
- version-*
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
lint-eslint:
|
lint-eslint:
|
||||||
|
|
|
@ -9,6 +9,7 @@ on:
|
||||||
pull_request:
|
pull_request:
|
||||||
branches:
|
branches:
|
||||||
- main
|
- main
|
||||||
|
- version-*
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
lint-prettier:
|
lint-prettier:
|
||||||
|
|
|
@ -6,6 +6,7 @@ on:
|
||||||
workflow_dispatch:
|
workflow_dispatch:
|
||||||
|
|
||||||
permissions:
|
permissions:
|
||||||
|
# Needed to be able to push to the next branch
|
||||||
contents: write
|
contents: write
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
|
|
|
@ -7,6 +7,9 @@ on:
|
||||||
jobs:
|
jobs:
|
||||||
build-server:
|
build-server:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
permissions:
|
||||||
|
# Needed to upload contianer images to ghcr.io
|
||||||
|
packages: write
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v4
|
||||||
- name: Set up QEMU
|
- name: Set up QEMU
|
||||||
|
@ -52,6 +55,9 @@ jobs:
|
||||||
VERSION_FAMILY=${{ steps.ev.outputs.versionFamily }}
|
VERSION_FAMILY=${{ steps.ev.outputs.versionFamily }}
|
||||||
build-outpost:
|
build-outpost:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
permissions:
|
||||||
|
# Needed to upload contianer images to ghcr.io
|
||||||
|
packages: write
|
||||||
strategy:
|
strategy:
|
||||||
fail-fast: false
|
fail-fast: false
|
||||||
matrix:
|
matrix:
|
||||||
|
@ -106,6 +112,9 @@ jobs:
|
||||||
build-outpost-binary:
|
build-outpost-binary:
|
||||||
timeout-minutes: 120
|
timeout-minutes: 120
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
permissions:
|
||||||
|
# Needed to upload binaries to the release
|
||||||
|
contents: write
|
||||||
strategy:
|
strategy:
|
||||||
fail-fast: false
|
fail-fast: false
|
||||||
matrix:
|
matrix:
|
||||||
|
|
|
@ -30,7 +30,7 @@ jobs:
|
||||||
private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
|
private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
|
||||||
- name: Extract version number
|
- name: Extract version number
|
||||||
id: get_version
|
id: get_version
|
||||||
uses: actions/github-script@v6
|
uses: actions/github-script@v7
|
||||||
with:
|
with:
|
||||||
github-token: ${{ steps.generate_token.outputs.token }}
|
github-token: ${{ steps.generate_token.outputs.token }}
|
||||||
script: |
|
script: |
|
||||||
|
|
|
@ -6,8 +6,8 @@ on:
|
||||||
workflow_dispatch:
|
workflow_dispatch:
|
||||||
|
|
||||||
permissions:
|
permissions:
|
||||||
|
# Needed to update issues and PRs
|
||||||
issues: write
|
issues: write
|
||||||
pull-requests: write
|
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
stale:
|
stale:
|
||||||
|
|
|
@ -7,7 +7,8 @@ on:
|
||||||
paths:
|
paths:
|
||||||
- "!**"
|
- "!**"
|
||||||
- "locale/**"
|
- "locale/**"
|
||||||
- "web/src/locales/**"
|
- "!locale/en/**"
|
||||||
|
- "web/xliff/**"
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
post-comment:
|
post-comment:
|
||||||
|
|
13
Dockerfile
13
Dockerfile
|
@ -35,7 +35,14 @@ COPY ./gen-ts-api /work/web/node_modules/@goauthentik/api
|
||||||
RUN npm run build
|
RUN npm run build
|
||||||
|
|
||||||
# Stage 3: Build go proxy
|
# Stage 3: Build go proxy
|
||||||
FROM docker.io/golang:1.21.3-bookworm AS go-builder
|
FROM --platform=${BUILDPLATFORM} docker.io/golang:1.21.4-bookworm AS go-builder
|
||||||
|
|
||||||
|
ARG TARGETOS
|
||||||
|
ARG TARGETARCH
|
||||||
|
ARG TARGETVARIANT
|
||||||
|
|
||||||
|
ARG GOOS=$TARGETOS
|
||||||
|
ARG GOARCH=$TARGETARCH
|
||||||
|
|
||||||
WORKDIR /go/src/goauthentik.io
|
WORKDIR /go/src/goauthentik.io
|
||||||
|
|
||||||
|
@ -57,10 +64,10 @@ ENV CGO_ENABLED=0
|
||||||
|
|
||||||
RUN --mount=type=cache,target=/go/pkg/mod \
|
RUN --mount=type=cache,target=/go/pkg/mod \
|
||||||
--mount=type=cache,target=/root/.cache/go-build \
|
--mount=type=cache,target=/root/.cache/go-build \
|
||||||
go build -o /go/authentik ./cmd/server
|
GOARM="${TARGETVARIANT#v}" go build -o /go/authentik ./cmd/server
|
||||||
|
|
||||||
# Stage 4: MaxMind GeoIP
|
# Stage 4: MaxMind GeoIP
|
||||||
FROM ghcr.io/maxmind/geoipupdate:v6.0 as geoip
|
FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v6.0 as geoip
|
||||||
|
|
||||||
ENV GEOIPUPDATE_EDITION_IDS="GeoLite2-City"
|
ENV GEOIPUPDATE_EDITION_IDS="GeoLite2-City"
|
||||||
ENV GEOIPUPDATE_VERBOSE="true"
|
ENV GEOIPUPDATE_VERBOSE="true"
|
||||||
|
|
2
Makefile
2
Makefile
|
@ -110,6 +110,8 @@ gen-diff: ## (Release) generate the changelog diff between the current schema a
|
||||||
--markdown /local/diff.md \
|
--markdown /local/diff.md \
|
||||||
/local/old_schema.yml /local/schema.yml
|
/local/old_schema.yml /local/schema.yml
|
||||||
rm old_schema.yml
|
rm old_schema.yml
|
||||||
|
sed -i 's/{/{/g' diff.md
|
||||||
|
sed -i 's/}/}/g' diff.md
|
||||||
npx prettier --write diff.md
|
npx prettier --write diff.md
|
||||||
|
|
||||||
gen-clean:
|
gen-clean:
|
||||||
|
|
|
@ -2,7 +2,7 @@
|
||||||
from os import environ
|
from os import environ
|
||||||
from typing import Optional
|
from typing import Optional
|
||||||
|
|
||||||
__version__ = "2023.10.2"
|
__version__ = "2023.10.3"
|
||||||
ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
|
ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -13,6 +13,8 @@ from rest_framework.settings import api_settings
|
||||||
|
|
||||||
from authentik.api.pagination import PAGINATION_COMPONENT_NAME, PAGINATION_SCHEMA
|
from authentik.api.pagination import PAGINATION_COMPONENT_NAME, PAGINATION_SCHEMA
|
||||||
|
|
||||||
|
from authentik.api.apps import AuthentikAPIConfig
|
||||||
|
|
||||||
|
|
||||||
def build_standard_type(obj, **kwargs):
|
def build_standard_type(obj, **kwargs):
|
||||||
"""Build a basic type with optional add owns."""
|
"""Build a basic type with optional add owns."""
|
||||||
|
@ -100,3 +102,12 @@ def postprocess_schema_responses(result, generator: SchemaGenerator, **kwargs):
|
||||||
comp = result["components"]["schemas"][component]
|
comp = result["components"]["schemas"][component]
|
||||||
comp["additionalProperties"] = {}
|
comp["additionalProperties"] = {}
|
||||||
return result
|
return result
|
||||||
|
|
||||||
|
|
||||||
|
def preprocess_schema_exclude_non_api(endpoints, **kwargs):
|
||||||
|
"""Filter out all API Views which are not mounted under /api"""
|
||||||
|
return [
|
||||||
|
(path, path_regex, method, callback)
|
||||||
|
for path, path_regex, method, callback in endpoints
|
||||||
|
if path.startswith("/" + AuthentikAPIConfig.mountpoint)
|
||||||
|
]
|
||||||
|
|
|
@ -93,10 +93,10 @@ class ConfigView(APIView):
|
||||||
"traces_sample_rate": float(CONFIG.get("error_reporting.sample_rate", 0.4)),
|
"traces_sample_rate": float(CONFIG.get("error_reporting.sample_rate", 0.4)),
|
||||||
},
|
},
|
||||||
"capabilities": self.get_capabilities(),
|
"capabilities": self.get_capabilities(),
|
||||||
"cache_timeout": CONFIG.get_int("redis.cache_timeout"),
|
"cache_timeout": CONFIG.get_int("cache.timeout"),
|
||||||
"cache_timeout_flows": CONFIG.get_int("redis.cache_timeout_flows"),
|
"cache_timeout_flows": CONFIG.get_int("cache.timeout_flows"),
|
||||||
"cache_timeout_policies": CONFIG.get_int("redis.cache_timeout_policies"),
|
"cache_timeout_policies": CONFIG.get_int("cache.timeout_policies"),
|
||||||
"cache_timeout_reputation": CONFIG.get_int("redis.cache_timeout_reputation"),
|
"cache_timeout_reputation": CONFIG.get_int("cache.timeout_reputation"),
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
|
@ -17,9 +17,15 @@ class Command(BaseCommand):
|
||||||
"""Run worker"""
|
"""Run worker"""
|
||||||
|
|
||||||
def add_arguments(self, parser):
|
def add_arguments(self, parser):
|
||||||
parser.add_argument("-b", "--beat", action="store_true")
|
parser.add_argument(
|
||||||
|
"-b",
|
||||||
|
"--beat",
|
||||||
|
action="store_false",
|
||||||
|
help="When set, this worker will _not_ run Beat (scheduled) tasks",
|
||||||
|
)
|
||||||
|
|
||||||
def handle(self, **options):
|
def handle(self, **options):
|
||||||
|
LOGGER.debug("Celery options", **options)
|
||||||
close_old_connections()
|
close_old_connections()
|
||||||
if CONFIG.get_bool("remote_debug"):
|
if CONFIG.get_bool("remote_debug"):
|
||||||
import debugpy
|
import debugpy
|
||||||
|
|
|
@ -13,6 +13,7 @@ from authentik.events.tasks import event_notification_handler, gdpr_cleanup
|
||||||
from authentik.flows.models import Stage
|
from authentik.flows.models import Stage
|
||||||
from authentik.flows.planner import PLAN_CONTEXT_SOURCE, FlowPlan
|
from authentik.flows.planner import PLAN_CONTEXT_SOURCE, FlowPlan
|
||||||
from authentik.flows.views.executor import SESSION_KEY_PLAN
|
from authentik.flows.views.executor import SESSION_KEY_PLAN
|
||||||
|
from authentik.lib.config import CONFIG
|
||||||
from authentik.stages.invitation.models import Invitation
|
from authentik.stages.invitation.models import Invitation
|
||||||
from authentik.stages.invitation.signals import invitation_used
|
from authentik.stages.invitation.signals import invitation_used
|
||||||
from authentik.stages.password.stage import PLAN_CONTEXT_METHOD, PLAN_CONTEXT_METHOD_ARGS
|
from authentik.stages.password.stage import PLAN_CONTEXT_METHOD, PLAN_CONTEXT_METHOD_ARGS
|
||||||
|
@ -92,4 +93,5 @@ def event_post_save_notification(sender, instance: Event, **_):
|
||||||
@receiver(pre_delete, sender=User)
|
@receiver(pre_delete, sender=User)
|
||||||
def event_user_pre_delete_cleanup(sender, instance: User, **_):
|
def event_user_pre_delete_cleanup(sender, instance: User, **_):
|
||||||
"""If gdpr_compliance is enabled, remove all the user's events"""
|
"""If gdpr_compliance is enabled, remove all the user's events"""
|
||||||
|
if CONFIG.get_bool("gdpr_compliance", True):
|
||||||
gdpr_cleanup.delay(instance.pk)
|
gdpr_cleanup.delay(instance.pk)
|
||||||
|
|
|
@ -153,6 +153,12 @@ def sanitize_item(value: Any) -> Any:
|
||||||
return value.isoformat()
|
return value.isoformat()
|
||||||
if isinstance(value, timedelta):
|
if isinstance(value, timedelta):
|
||||||
return str(value.total_seconds())
|
return str(value.total_seconds())
|
||||||
|
if callable(value):
|
||||||
|
return {
|
||||||
|
"type": "callable",
|
||||||
|
"name": value.__name__,
|
||||||
|
"module": value.__module__,
|
||||||
|
}
|
||||||
return value
|
return value
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -33,7 +33,7 @@ PLAN_CONTEXT_SOURCE = "source"
|
||||||
# Is set by the Flow Planner when a FlowToken was used, and the currently active flow plan
|
# Is set by the Flow Planner when a FlowToken was used, and the currently active flow plan
|
||||||
# was restored.
|
# was restored.
|
||||||
PLAN_CONTEXT_IS_RESTORED = "is_restored"
|
PLAN_CONTEXT_IS_RESTORED = "is_restored"
|
||||||
CACHE_TIMEOUT = CONFIG.get_int("redis.cache_timeout_flows")
|
CACHE_TIMEOUT = CONFIG.get_int("cache.timeout_flows")
|
||||||
CACHE_PREFIX = "goauthentik.io/flows/planner/"
|
CACHE_PREFIX = "goauthentik.io/flows/planner/"
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -1,4 +1,6 @@
|
||||||
"""authentik core config loader"""
|
"""authentik core config loader"""
|
||||||
|
import base64
|
||||||
|
import json
|
||||||
import os
|
import os
|
||||||
from collections.abc import Mapping
|
from collections.abc import Mapping
|
||||||
from contextlib import contextmanager
|
from contextlib import contextmanager
|
||||||
|
@ -22,6 +24,25 @@ SEARCH_PATHS = ["authentik/lib/default.yml", "/etc/authentik/config.yml", ""] +
|
||||||
ENV_PREFIX = "AUTHENTIK"
|
ENV_PREFIX = "AUTHENTIK"
|
||||||
ENVIRONMENT = os.getenv(f"{ENV_PREFIX}_ENV", "local")
|
ENVIRONMENT = os.getenv(f"{ENV_PREFIX}_ENV", "local")
|
||||||
|
|
||||||
|
REDIS_ENV_KEYS = [
|
||||||
|
f"{ENV_PREFIX}_REDIS__HOST",
|
||||||
|
f"{ENV_PREFIX}_REDIS__PORT",
|
||||||
|
f"{ENV_PREFIX}_REDIS__DB",
|
||||||
|
f"{ENV_PREFIX}_REDIS__USERNAME",
|
||||||
|
f"{ENV_PREFIX}_REDIS__PASSWORD",
|
||||||
|
f"{ENV_PREFIX}_REDIS__TLS",
|
||||||
|
f"{ENV_PREFIX}_REDIS__TLS_REQS",
|
||||||
|
]
|
||||||
|
|
||||||
|
DEPRECATIONS = {
|
||||||
|
"redis.broker_url": "broker.url",
|
||||||
|
"redis.broker_transport_options": "broker.transport_options",
|
||||||
|
"redis.cache_timeout": "cache.timeout",
|
||||||
|
"redis.cache_timeout_flows": "cache.timeout_flows",
|
||||||
|
"redis.cache_timeout_policies": "cache.timeout_policies",
|
||||||
|
"redis.cache_timeout_reputation": "cache.timeout_reputation",
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
def get_path_from_dict(root: dict, path: str, sep=".", default=None) -> Any:
|
def get_path_from_dict(root: dict, path: str, sep=".", default=None) -> Any:
|
||||||
"""Recursively walk through `root`, checking each part of `path` separated by `sep`.
|
"""Recursively walk through `root`, checking each part of `path` separated by `sep`.
|
||||||
|
@ -81,6 +102,10 @@ class AttrEncoder(JSONEncoder):
|
||||||
return super().default(o)
|
return super().default(o)
|
||||||
|
|
||||||
|
|
||||||
|
class UNSET:
|
||||||
|
"""Used to test whether configuration key has not been set."""
|
||||||
|
|
||||||
|
|
||||||
class ConfigLoader:
|
class ConfigLoader:
|
||||||
"""Search through SEARCH_PATHS and load configuration. Environment variables starting with
|
"""Search through SEARCH_PATHS and load configuration. Environment variables starting with
|
||||||
`ENV_PREFIX` are also applied.
|
`ENV_PREFIX` are also applied.
|
||||||
|
@ -113,6 +138,40 @@ class ConfigLoader:
|
||||||
self.update_from_file(env_file)
|
self.update_from_file(env_file)
|
||||||
self.update_from_env()
|
self.update_from_env()
|
||||||
self.update(self.__config, kwargs)
|
self.update(self.__config, kwargs)
|
||||||
|
self.check_deprecations()
|
||||||
|
|
||||||
|
def check_deprecations(self):
|
||||||
|
"""Warn if any deprecated configuration options are used"""
|
||||||
|
|
||||||
|
def _pop_deprecated_key(current_obj, dot_parts, index):
|
||||||
|
"""Recursive function to remove deprecated keys in configuration"""
|
||||||
|
dot_part = dot_parts[index]
|
||||||
|
if index == len(dot_parts) - 1:
|
||||||
|
return current_obj.pop(dot_part)
|
||||||
|
value = _pop_deprecated_key(current_obj[dot_part], dot_parts, index + 1)
|
||||||
|
if not current_obj[dot_part]:
|
||||||
|
current_obj.pop(dot_part)
|
||||||
|
return value
|
||||||
|
|
||||||
|
for deprecation, replacement in DEPRECATIONS.items():
|
||||||
|
if self.get(deprecation, default=UNSET) is not UNSET:
|
||||||
|
message = (
|
||||||
|
f"'{deprecation}' has been deprecated in favor of '{replacement}'! "
|
||||||
|
+ "Please update your configuration."
|
||||||
|
)
|
||||||
|
self.log(
|
||||||
|
"warning",
|
||||||
|
message,
|
||||||
|
)
|
||||||
|
try:
|
||||||
|
from authentik.events.models import Event, EventAction
|
||||||
|
|
||||||
|
Event.new(EventAction.CONFIGURATION_ERROR, message=message).save()
|
||||||
|
except ImportError:
|
||||||
|
continue
|
||||||
|
|
||||||
|
deprecated_attr = _pop_deprecated_key(self.__config, deprecation.split("."), 0)
|
||||||
|
self.set(replacement, deprecated_attr.value)
|
||||||
|
|
||||||
def log(self, level: str, message: str, **kwargs):
|
def log(self, level: str, message: str, **kwargs):
|
||||||
"""Custom Log method, we want to ensure ConfigLoader always logs JSON even when
|
"""Custom Log method, we want to ensure ConfigLoader always logs JSON even when
|
||||||
|
@ -180,6 +239,10 @@ class ConfigLoader:
|
||||||
error=str(exc),
|
error=str(exc),
|
||||||
)
|
)
|
||||||
|
|
||||||
|
def update_from_dict(self, update: dict):
|
||||||
|
"""Update config from dict"""
|
||||||
|
self.__config.update(update)
|
||||||
|
|
||||||
def update_from_env(self):
|
def update_from_env(self):
|
||||||
"""Check environment variables"""
|
"""Check environment variables"""
|
||||||
outer = {}
|
outer = {}
|
||||||
|
@ -188,19 +251,13 @@ class ConfigLoader:
|
||||||
if not key.startswith(ENV_PREFIX):
|
if not key.startswith(ENV_PREFIX):
|
||||||
continue
|
continue
|
||||||
relative_key = key.replace(f"{ENV_PREFIX}_", "", 1).replace("__", ".").lower()
|
relative_key = key.replace(f"{ENV_PREFIX}_", "", 1).replace("__", ".").lower()
|
||||||
# Recursively convert path from a.b.c into outer[a][b][c]
|
|
||||||
current_obj = outer
|
|
||||||
dot_parts = relative_key.split(".")
|
|
||||||
for dot_part in dot_parts[:-1]:
|
|
||||||
if dot_part not in current_obj:
|
|
||||||
current_obj[dot_part] = {}
|
|
||||||
current_obj = current_obj[dot_part]
|
|
||||||
# Check if the value is json, and try to load it
|
# Check if the value is json, and try to load it
|
||||||
try:
|
try:
|
||||||
value = loads(value)
|
value = loads(value)
|
||||||
except JSONDecodeError:
|
except JSONDecodeError:
|
||||||
pass
|
pass
|
||||||
current_obj[dot_parts[-1]] = Attr(value, Attr.Source.ENV, key)
|
attr_value = Attr(value, Attr.Source.ENV, relative_key)
|
||||||
|
set_path_in_dict(outer, relative_key, attr_value)
|
||||||
idx += 1
|
idx += 1
|
||||||
if idx > 0:
|
if idx > 0:
|
||||||
self.log("debug", "Loaded environment variables", count=idx)
|
self.log("debug", "Loaded environment variables", count=idx)
|
||||||
|
@ -241,6 +298,23 @@ class ConfigLoader:
|
||||||
"""Wrapper for get that converts value into boolean"""
|
"""Wrapper for get that converts value into boolean"""
|
||||||
return str(self.get(path, default)).lower() == "true"
|
return str(self.get(path, default)).lower() == "true"
|
||||||
|
|
||||||
|
def get_dict_from_b64_json(self, path: str, default=None) -> dict:
|
||||||
|
"""Wrapper for get that converts value from Base64 encoded string into dictionary"""
|
||||||
|
config_value = self.get(path)
|
||||||
|
if config_value is None:
|
||||||
|
return {}
|
||||||
|
try:
|
||||||
|
b64decoded_str = base64.b64decode(config_value).decode("utf-8")
|
||||||
|
b64decoded_str = b64decoded_str.strip().lstrip("{").rstrip("}")
|
||||||
|
b64decoded_str = "{" + b64decoded_str + "}"
|
||||||
|
return json.loads(b64decoded_str)
|
||||||
|
except (JSONDecodeError, TypeError, ValueError) as exc:
|
||||||
|
self.log(
|
||||||
|
"warning",
|
||||||
|
f"Ignored invalid configuration for '{path}' due to exception: {str(exc)}",
|
||||||
|
)
|
||||||
|
return default if isinstance(default, dict) else {}
|
||||||
|
|
||||||
def set(self, path: str, value: Any, sep="."):
|
def set(self, path: str, value: Any, sep="."):
|
||||||
"""Set value using same syntax as get()"""
|
"""Set value using same syntax as get()"""
|
||||||
set_path_in_dict(self.raw, path, Attr(value), sep=sep)
|
set_path_in_dict(self.raw, path, Attr(value), sep=sep)
|
||||||
|
|
|
@ -28,14 +28,28 @@ listen:
|
||||||
redis:
|
redis:
|
||||||
host: localhost
|
host: localhost
|
||||||
port: 6379
|
port: 6379
|
||||||
|
db: 0
|
||||||
|
username: ""
|
||||||
password: ""
|
password: ""
|
||||||
tls: false
|
tls: false
|
||||||
tls_reqs: "none"
|
tls_reqs: "none"
|
||||||
db: 0
|
|
||||||
cache_timeout: 300
|
# broker:
|
||||||
cache_timeout_flows: 300
|
# url: ""
|
||||||
cache_timeout_policies: 300
|
# transport_options: ""
|
||||||
cache_timeout_reputation: 300
|
|
||||||
|
cache:
|
||||||
|
# url: ""
|
||||||
|
timeout: 300
|
||||||
|
timeout_flows: 300
|
||||||
|
timeout_policies: 300
|
||||||
|
timeout_reputation: 300
|
||||||
|
|
||||||
|
# channel:
|
||||||
|
# url: ""
|
||||||
|
|
||||||
|
# result_backend:
|
||||||
|
# url: ""
|
||||||
|
|
||||||
paths:
|
paths:
|
||||||
media: ./media
|
media: ./media
|
||||||
|
|
|
@ -1,20 +1,32 @@
|
||||||
"""Test config loader"""
|
"""Test config loader"""
|
||||||
|
import base64
|
||||||
|
from json import dumps
|
||||||
from os import chmod, environ, unlink, write
|
from os import chmod, environ, unlink, write
|
||||||
from tempfile import mkstemp
|
from tempfile import mkstemp
|
||||||
|
from unittest import mock
|
||||||
|
|
||||||
from django.conf import ImproperlyConfigured
|
from django.conf import ImproperlyConfigured
|
||||||
from django.test import TestCase
|
from django.test import TestCase
|
||||||
|
|
||||||
from authentik.lib.config import ENV_PREFIX, ConfigLoader
|
from authentik.lib.config import ENV_PREFIX, UNSET, Attr, AttrEncoder, ConfigLoader
|
||||||
|
|
||||||
|
|
||||||
class TestConfig(TestCase):
|
class TestConfig(TestCase):
|
||||||
"""Test config loader"""
|
"""Test config loader"""
|
||||||
|
|
||||||
|
check_deprecations_env_vars = {
|
||||||
|
ENV_PREFIX + "_REDIS__BROKER_URL": "redis://myredis:8327/43",
|
||||||
|
ENV_PREFIX + "_REDIS__BROKER_TRANSPORT_OPTIONS": "bWFzdGVybmFtZT1teW1hc3Rlcg==",
|
||||||
|
ENV_PREFIX + "_REDIS__CACHE_TIMEOUT": "124s",
|
||||||
|
ENV_PREFIX + "_REDIS__CACHE_TIMEOUT_FLOWS": "32m",
|
||||||
|
ENV_PREFIX + "_REDIS__CACHE_TIMEOUT_POLICIES": "3920ns",
|
||||||
|
ENV_PREFIX + "_REDIS__CACHE_TIMEOUT_REPUTATION": "298382us",
|
||||||
|
}
|
||||||
|
|
||||||
|
@mock.patch.dict(environ, {ENV_PREFIX + "_test__test": "bar"})
|
||||||
def test_env(self):
|
def test_env(self):
|
||||||
"""Test simple instance"""
|
"""Test simple instance"""
|
||||||
config = ConfigLoader()
|
config = ConfigLoader()
|
||||||
environ[ENV_PREFIX + "_test__test"] = "bar"
|
|
||||||
config.update_from_env()
|
config.update_from_env()
|
||||||
self.assertEqual(config.get("test.test"), "bar")
|
self.assertEqual(config.get("test.test"), "bar")
|
||||||
|
|
||||||
|
@ -27,12 +39,20 @@ class TestConfig(TestCase):
|
||||||
self.assertEqual(config.get("foo.bar"), "baz")
|
self.assertEqual(config.get("foo.bar"), "baz")
|
||||||
self.assertEqual(config.get("foo.bar"), "bar")
|
self.assertEqual(config.get("foo.bar"), "bar")
|
||||||
|
|
||||||
|
@mock.patch.dict(environ, {"foo": "bar"})
|
||||||
def test_uri_env(self):
|
def test_uri_env(self):
|
||||||
"""Test URI parsing (environment)"""
|
"""Test URI parsing (environment)"""
|
||||||
config = ConfigLoader()
|
config = ConfigLoader()
|
||||||
environ["foo"] = "bar"
|
foo_uri = "env://foo"
|
||||||
self.assertEqual(config.parse_uri("env://foo").value, "bar")
|
foo_parsed = config.parse_uri(foo_uri)
|
||||||
self.assertEqual(config.parse_uri("env://foo?bar").value, "bar")
|
self.assertEqual(foo_parsed.value, "bar")
|
||||||
|
self.assertEqual(foo_parsed.source_type, Attr.Source.URI)
|
||||||
|
self.assertEqual(foo_parsed.source, foo_uri)
|
||||||
|
foo_bar_uri = "env://foo?bar"
|
||||||
|
foo_bar_parsed = config.parse_uri(foo_bar_uri)
|
||||||
|
self.assertEqual(foo_bar_parsed.value, "bar")
|
||||||
|
self.assertEqual(foo_bar_parsed.source_type, Attr.Source.URI)
|
||||||
|
self.assertEqual(foo_bar_parsed.source, foo_bar_uri)
|
||||||
|
|
||||||
def test_uri_file(self):
|
def test_uri_file(self):
|
||||||
"""Test URI parsing (file load)"""
|
"""Test URI parsing (file load)"""
|
||||||
|
@ -91,3 +111,60 @@ class TestConfig(TestCase):
|
||||||
config = ConfigLoader()
|
config = ConfigLoader()
|
||||||
config.set("foo", "bar")
|
config.set("foo", "bar")
|
||||||
self.assertEqual(config.get_int("foo", 1234), 1234)
|
self.assertEqual(config.get_int("foo", 1234), 1234)
|
||||||
|
|
||||||
|
def test_get_dict_from_b64_json(self):
|
||||||
|
"""Test get_dict_from_b64_json"""
|
||||||
|
config = ConfigLoader()
|
||||||
|
test_value = ' { "foo": "bar" } '.encode("utf-8")
|
||||||
|
b64_value = base64.b64encode(test_value)
|
||||||
|
config.set("foo", b64_value)
|
||||||
|
self.assertEqual(config.get_dict_from_b64_json("foo"), {"foo": "bar"})
|
||||||
|
|
||||||
|
def test_get_dict_from_b64_json_missing_brackets(self):
|
||||||
|
"""Test get_dict_from_b64_json with missing brackets"""
|
||||||
|
config = ConfigLoader()
|
||||||
|
test_value = ' "foo": "bar" '.encode("utf-8")
|
||||||
|
b64_value = base64.b64encode(test_value)
|
||||||
|
config.set("foo", b64_value)
|
||||||
|
self.assertEqual(config.get_dict_from_b64_json("foo"), {"foo": "bar"})
|
||||||
|
|
||||||
|
def test_get_dict_from_b64_json_invalid(self):
|
||||||
|
"""Test get_dict_from_b64_json with invalid value"""
|
||||||
|
config = ConfigLoader()
|
||||||
|
config.set("foo", "bar")
|
||||||
|
self.assertEqual(config.get_dict_from_b64_json("foo"), {})
|
||||||
|
|
||||||
|
def test_attr_json_encoder(self):
|
||||||
|
"""Test AttrEncoder"""
|
||||||
|
test_attr = Attr("foo", Attr.Source.ENV, "AUTHENTIK_REDIS__USERNAME")
|
||||||
|
json_attr = dumps(test_attr, indent=4, cls=AttrEncoder)
|
||||||
|
self.assertEqual(json_attr, '"foo"')
|
||||||
|
|
||||||
|
def test_attr_json_encoder_no_attr(self):
|
||||||
|
"""Test AttrEncoder if no Attr is passed"""
|
||||||
|
|
||||||
|
class Test:
|
||||||
|
"""Non Attr class"""
|
||||||
|
|
||||||
|
with self.assertRaises(TypeError):
|
||||||
|
test_obj = Test()
|
||||||
|
dumps(test_obj, indent=4, cls=AttrEncoder)
|
||||||
|
|
||||||
|
@mock.patch.dict(environ, check_deprecations_env_vars)
|
||||||
|
def test_check_deprecations(self):
|
||||||
|
"""Test config key re-write for deprecated env vars"""
|
||||||
|
config = ConfigLoader()
|
||||||
|
config.update_from_env()
|
||||||
|
config.check_deprecations()
|
||||||
|
self.assertEqual(config.get("redis.broker_url", UNSET), UNSET)
|
||||||
|
self.assertEqual(config.get("redis.broker_transport_options", UNSET), UNSET)
|
||||||
|
self.assertEqual(config.get("redis.cache_timeout", UNSET), UNSET)
|
||||||
|
self.assertEqual(config.get("redis.cache_timeout_flows", UNSET), UNSET)
|
||||||
|
self.assertEqual(config.get("redis.cache_timeout_policies", UNSET), UNSET)
|
||||||
|
self.assertEqual(config.get("redis.cache_timeout_reputation", UNSET), UNSET)
|
||||||
|
self.assertEqual(config.get("broker.url"), "redis://myredis:8327/43")
|
||||||
|
self.assertEqual(config.get("broker.transport_options"), "bWFzdGVybmFtZT1teW1hc3Rlcg==")
|
||||||
|
self.assertEqual(config.get("cache.timeout"), "124s")
|
||||||
|
self.assertEqual(config.get("cache.timeout_flows"), "32m")
|
||||||
|
self.assertEqual(config.get("cache.timeout_policies"), "3920ns")
|
||||||
|
self.assertEqual(config.get("cache.timeout_reputation"), "298382us")
|
||||||
|
|
|
@ -93,7 +93,7 @@ class OutpostConsumer(AuthJsonConsumer):
|
||||||
expected=self.outpost.config.kubernetes_replicas,
|
expected=self.outpost.config.kubernetes_replicas,
|
||||||
).dec()
|
).dec()
|
||||||
|
|
||||||
def receive_json(self, content: Data):
|
def receive_json(self, content: Data, **kwargs):
|
||||||
msg = from_dict(WebsocketMessage, content)
|
msg = from_dict(WebsocketMessage, content)
|
||||||
uid = msg.args.get("uuid", self.channel_name)
|
uid = msg.args.get("uuid", self.channel_name)
|
||||||
self.last_uid = uid
|
self.last_uid = uid
|
||||||
|
|
|
@ -39,6 +39,7 @@ class Migration(migrations.Migration):
|
||||||
("authentik.sources.oauth", "authentik Sources.OAuth"),
|
("authentik.sources.oauth", "authentik Sources.OAuth"),
|
||||||
("authentik.sources.plex", "authentik Sources.Plex"),
|
("authentik.sources.plex", "authentik Sources.Plex"),
|
||||||
("authentik.sources.saml", "authentik Sources.SAML"),
|
("authentik.sources.saml", "authentik Sources.SAML"),
|
||||||
|
("authentik.sources.scim", "authentik Sources.SCIM"),
|
||||||
("authentik.stages.authenticator_duo", "authentik Stages.Authenticator.Duo"),
|
("authentik.stages.authenticator_duo", "authentik Stages.Authenticator.Duo"),
|
||||||
("authentik.stages.authenticator_sms", "authentik Stages.Authenticator.SMS"),
|
("authentik.stages.authenticator_sms", "authentik Stages.Authenticator.SMS"),
|
||||||
(
|
(
|
||||||
|
|
|
@ -20,7 +20,7 @@ from authentik.policies.types import CACHE_PREFIX, PolicyRequest, PolicyResult
|
||||||
LOGGER = get_logger()
|
LOGGER = get_logger()
|
||||||
|
|
||||||
FORK_CTX = get_context("fork")
|
FORK_CTX = get_context("fork")
|
||||||
CACHE_TIMEOUT = CONFIG.get_int("redis.cache_timeout_policies")
|
CACHE_TIMEOUT = CONFIG.get_int("cache.timeout_policies")
|
||||||
PROCESS_CLASS = FORK_CTX.Process
|
PROCESS_CLASS = FORK_CTX.Process
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -13,7 +13,7 @@ from authentik.policies.reputation.tasks import save_reputation
|
||||||
from authentik.stages.identification.signals import identification_failed
|
from authentik.stages.identification.signals import identification_failed
|
||||||
|
|
||||||
LOGGER = get_logger()
|
LOGGER = get_logger()
|
||||||
CACHE_TIMEOUT = CONFIG.get_int("redis.cache_timeout_reputation")
|
CACHE_TIMEOUT = CONFIG.get_int("cache.timeout_reputation")
|
||||||
|
|
||||||
|
|
||||||
def update_score(request: HttpRequest, identifier: str, amount: int):
|
def update_score(request: HttpRequest, identifier: str, amount: int):
|
||||||
|
|
|
@ -188,6 +188,7 @@ def authenticate_provider(request: HttpRequest) -> Optional[OAuth2Provider]:
|
||||||
if client_id != provider.client_id or client_secret != provider.client_secret:
|
if client_id != provider.client_id or client_secret != provider.client_secret:
|
||||||
LOGGER.debug("(basic) Provider for basic auth does not exist")
|
LOGGER.debug("(basic) Provider for basic auth does not exist")
|
||||||
return None
|
return None
|
||||||
|
CTX_AUTH_VIA.set("oauth_client_secret")
|
||||||
return provider
|
return provider
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -17,6 +17,7 @@ from jwt import PyJWK, PyJWT, PyJWTError, decode
|
||||||
from sentry_sdk.hub import Hub
|
from sentry_sdk.hub import Hub
|
||||||
from structlog.stdlib import get_logger
|
from structlog.stdlib import get_logger
|
||||||
|
|
||||||
|
from authentik.core.middleware import CTX_AUTH_VIA
|
||||||
from authentik.core.models import (
|
from authentik.core.models import (
|
||||||
USER_ATTRIBUTE_EXPIRES,
|
USER_ATTRIBUTE_EXPIRES,
|
||||||
USER_ATTRIBUTE_GENERATED,
|
USER_ATTRIBUTE_GENERATED,
|
||||||
|
@ -448,6 +449,7 @@ class TokenView(View):
|
||||||
if not self.provider:
|
if not self.provider:
|
||||||
LOGGER.warning("OAuth2Provider does not exist", client_id=client_id)
|
LOGGER.warning("OAuth2Provider does not exist", client_id=client_id)
|
||||||
raise TokenError("invalid_client")
|
raise TokenError("invalid_client")
|
||||||
|
CTX_AUTH_VIA.set("oauth_client_secret")
|
||||||
self.params = TokenParams.parse(request, self.provider, client_id, client_secret)
|
self.params = TokenParams.parse(request, self.provider, client_id, client_secret)
|
||||||
|
|
||||||
with Hub.current.start_span(
|
with Hub.current.start_span(
|
||||||
|
|
|
@ -46,7 +46,9 @@ class SCIMGroupClient(SCIMClient[Group, SCIMGroupSchema]):
|
||||||
|
|
||||||
def to_scim(self, obj: Group) -> SCIMGroupSchema:
|
def to_scim(self, obj: Group) -> SCIMGroupSchema:
|
||||||
"""Convert authentik user into SCIM"""
|
"""Convert authentik user into SCIM"""
|
||||||
raw_scim_group = {}
|
raw_scim_group = {
|
||||||
|
"schemas": ("urn:ietf:params:scim:schemas:core:2.0:Group",),
|
||||||
|
}
|
||||||
for mapping in (
|
for mapping in (
|
||||||
self.provider.property_mappings_group.all().order_by("name").select_subclasses()
|
self.provider.property_mappings_group.all().order_by("name").select_subclasses()
|
||||||
):
|
):
|
||||||
|
|
|
@ -15,12 +15,14 @@ from pydanticscim.user import User as BaseUser
|
||||||
class User(BaseUser):
|
class User(BaseUser):
|
||||||
"""Modified User schema with added externalId field"""
|
"""Modified User schema with added externalId field"""
|
||||||
|
|
||||||
|
schemas: tuple[str] = ("urn:ietf:params:scim:schemas:core:2.0:User",)
|
||||||
externalId: Optional[str] = None
|
externalId: Optional[str] = None
|
||||||
|
|
||||||
|
|
||||||
class Group(BaseGroup):
|
class Group(BaseGroup):
|
||||||
"""Modified Group schema with added externalId field"""
|
"""Modified Group schema with added externalId field"""
|
||||||
|
|
||||||
|
schemas: tuple[str] = ("urn:ietf:params:scim:schemas:core:2.0:Group",)
|
||||||
externalId: Optional[str] = None
|
externalId: Optional[str] = None
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -39,7 +39,9 @@ class SCIMUserClient(SCIMClient[User, SCIMUserSchema]):
|
||||||
|
|
||||||
def to_scim(self, obj: User) -> SCIMUserSchema:
|
def to_scim(self, obj: User) -> SCIMUserSchema:
|
||||||
"""Convert authentik user into SCIM"""
|
"""Convert authentik user into SCIM"""
|
||||||
raw_scim_user = {}
|
raw_scim_user = {
|
||||||
|
"schemas": ("urn:ietf:params:scim:schemas:core:2.0:User",),
|
||||||
|
}
|
||||||
for mapping in self.provider.property_mappings.all().order_by("name").select_subclasses():
|
for mapping in self.provider.property_mappings.all().order_by("name").select_subclasses():
|
||||||
if not isinstance(mapping, SCIMMapping):
|
if not isinstance(mapping, SCIMMapping):
|
||||||
continue
|
continue
|
||||||
|
|
|
@ -61,7 +61,11 @@ class SCIMGroupTests(TestCase):
|
||||||
self.assertEqual(mock.request_history[1].method, "POST")
|
self.assertEqual(mock.request_history[1].method, "POST")
|
||||||
self.assertJSONEqual(
|
self.assertJSONEqual(
|
||||||
mock.request_history[1].body,
|
mock.request_history[1].body,
|
||||||
{"externalId": str(group.pk), "displayName": group.name},
|
{
|
||||||
|
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
|
||||||
|
"externalId": str(group.pk),
|
||||||
|
"displayName": group.name,
|
||||||
|
},
|
||||||
)
|
)
|
||||||
|
|
||||||
@Mocker()
|
@Mocker()
|
||||||
|
@ -96,7 +100,11 @@ class SCIMGroupTests(TestCase):
|
||||||
validate(body, loads(schema.read()))
|
validate(body, loads(schema.read()))
|
||||||
self.assertEqual(
|
self.assertEqual(
|
||||||
body,
|
body,
|
||||||
{"externalId": str(group.pk), "displayName": group.name},
|
{
|
||||||
|
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
|
||||||
|
"externalId": str(group.pk),
|
||||||
|
"displayName": group.name,
|
||||||
|
},
|
||||||
)
|
)
|
||||||
group.save()
|
group.save()
|
||||||
self.assertEqual(mock.call_count, 4)
|
self.assertEqual(mock.call_count, 4)
|
||||||
|
@ -129,7 +137,11 @@ class SCIMGroupTests(TestCase):
|
||||||
self.assertEqual(mock.request_history[1].method, "POST")
|
self.assertEqual(mock.request_history[1].method, "POST")
|
||||||
self.assertJSONEqual(
|
self.assertJSONEqual(
|
||||||
mock.request_history[1].body,
|
mock.request_history[1].body,
|
||||||
{"externalId": str(group.pk), "displayName": group.name},
|
{
|
||||||
|
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
|
||||||
|
"externalId": str(group.pk),
|
||||||
|
"displayName": group.name,
|
||||||
|
},
|
||||||
)
|
)
|
||||||
group.delete()
|
group.delete()
|
||||||
self.assertEqual(mock.call_count, 4)
|
self.assertEqual(mock.call_count, 4)
|
||||||
|
|
|
@ -89,6 +89,7 @@ class SCIMMembershipTests(TestCase):
|
||||||
self.assertJSONEqual(
|
self.assertJSONEqual(
|
||||||
mocker.request_history[3].body,
|
mocker.request_history[3].body,
|
||||||
{
|
{
|
||||||
|
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
|
||||||
"emails": [],
|
"emails": [],
|
||||||
"active": True,
|
"active": True,
|
||||||
"externalId": user.uid,
|
"externalId": user.uid,
|
||||||
|
@ -99,7 +100,11 @@ class SCIMMembershipTests(TestCase):
|
||||||
)
|
)
|
||||||
self.assertJSONEqual(
|
self.assertJSONEqual(
|
||||||
mocker.request_history[5].body,
|
mocker.request_history[5].body,
|
||||||
{"externalId": str(group.pk), "displayName": group.name},
|
{
|
||||||
|
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
|
||||||
|
"externalId": str(group.pk),
|
||||||
|
"displayName": group.name,
|
||||||
|
},
|
||||||
)
|
)
|
||||||
|
|
||||||
with Mocker() as mocker:
|
with Mocker() as mocker:
|
||||||
|
@ -118,6 +123,7 @@ class SCIMMembershipTests(TestCase):
|
||||||
self.assertJSONEqual(
|
self.assertJSONEqual(
|
||||||
mocker.request_history[1].body,
|
mocker.request_history[1].body,
|
||||||
{
|
{
|
||||||
|
"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
|
||||||
"Operations": [
|
"Operations": [
|
||||||
{
|
{
|
||||||
"op": "add",
|
"op": "add",
|
||||||
|
@ -125,7 +131,6 @@ class SCIMMembershipTests(TestCase):
|
||||||
"value": [{"value": user_scim_id}],
|
"value": [{"value": user_scim_id}],
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
|
|
||||||
},
|
},
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -174,6 +179,7 @@ class SCIMMembershipTests(TestCase):
|
||||||
self.assertJSONEqual(
|
self.assertJSONEqual(
|
||||||
mocker.request_history[3].body,
|
mocker.request_history[3].body,
|
||||||
{
|
{
|
||||||
|
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
|
||||||
"active": True,
|
"active": True,
|
||||||
"displayName": "",
|
"displayName": "",
|
||||||
"emails": [],
|
"emails": [],
|
||||||
|
@ -184,7 +190,11 @@ class SCIMMembershipTests(TestCase):
|
||||||
)
|
)
|
||||||
self.assertJSONEqual(
|
self.assertJSONEqual(
|
||||||
mocker.request_history[5].body,
|
mocker.request_history[5].body,
|
||||||
{"externalId": str(group.pk), "displayName": group.name},
|
{
|
||||||
|
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
|
||||||
|
"externalId": str(group.pk),
|
||||||
|
"displayName": group.name,
|
||||||
|
},
|
||||||
)
|
)
|
||||||
|
|
||||||
with Mocker() as mocker:
|
with Mocker() as mocker:
|
||||||
|
@ -203,6 +213,7 @@ class SCIMMembershipTests(TestCase):
|
||||||
self.assertJSONEqual(
|
self.assertJSONEqual(
|
||||||
mocker.request_history[1].body,
|
mocker.request_history[1].body,
|
||||||
{
|
{
|
||||||
|
"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
|
||||||
"Operations": [
|
"Operations": [
|
||||||
{
|
{
|
||||||
"op": "add",
|
"op": "add",
|
||||||
|
@ -210,7 +221,6 @@ class SCIMMembershipTests(TestCase):
|
||||||
"value": [{"value": user_scim_id}],
|
"value": [{"value": user_scim_id}],
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
|
|
||||||
},
|
},
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -230,6 +240,7 @@ class SCIMMembershipTests(TestCase):
|
||||||
self.assertJSONEqual(
|
self.assertJSONEqual(
|
||||||
mocker.request_history[1].body,
|
mocker.request_history[1].body,
|
||||||
{
|
{
|
||||||
|
"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
|
||||||
"Operations": [
|
"Operations": [
|
||||||
{
|
{
|
||||||
"op": "remove",
|
"op": "remove",
|
||||||
|
@ -237,6 +248,5 @@ class SCIMMembershipTests(TestCase):
|
||||||
"value": [{"value": user_scim_id}],
|
"value": [{"value": user_scim_id}],
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
|
|
||||||
},
|
},
|
||||||
)
|
)
|
||||||
|
|
|
@ -66,6 +66,7 @@ class SCIMUserTests(TestCase):
|
||||||
self.assertJSONEqual(
|
self.assertJSONEqual(
|
||||||
mock.request_history[1].body,
|
mock.request_history[1].body,
|
||||||
{
|
{
|
||||||
|
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
|
||||||
"active": True,
|
"active": True,
|
||||||
"emails": [
|
"emails": [
|
||||||
{
|
{
|
||||||
|
@ -121,6 +122,7 @@ class SCIMUserTests(TestCase):
|
||||||
self.assertEqual(
|
self.assertEqual(
|
||||||
body,
|
body,
|
||||||
{
|
{
|
||||||
|
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
|
||||||
"active": True,
|
"active": True,
|
||||||
"emails": [
|
"emails": [
|
||||||
{
|
{
|
||||||
|
@ -173,6 +175,7 @@ class SCIMUserTests(TestCase):
|
||||||
self.assertJSONEqual(
|
self.assertJSONEqual(
|
||||||
mock.request_history[1].body,
|
mock.request_history[1].body,
|
||||||
{
|
{
|
||||||
|
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
|
||||||
"active": True,
|
"active": True,
|
||||||
"emails": [
|
"emails": [
|
||||||
{
|
{
|
||||||
|
@ -240,6 +243,7 @@ class SCIMUserTests(TestCase):
|
||||||
self.assertJSONEqual(
|
self.assertJSONEqual(
|
||||||
mock.request_history[1].body,
|
mock.request_history[1].body,
|
||||||
{
|
{
|
||||||
|
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
|
||||||
"active": True,
|
"active": True,
|
||||||
"emails": [
|
"emails": [
|
||||||
{
|
{
|
||||||
|
|
|
@ -1,5 +1,4 @@
|
||||||
"""root settings for authentik"""
|
"""root settings for authentik"""
|
||||||
|
|
||||||
import importlib
|
import importlib
|
||||||
import os
|
import os
|
||||||
from hashlib import sha512
|
from hashlib import sha512
|
||||||
|
@ -83,6 +82,7 @@ INSTALLED_APPS = [
|
||||||
"authentik.sources.oauth",
|
"authentik.sources.oauth",
|
||||||
"authentik.sources.plex",
|
"authentik.sources.plex",
|
||||||
"authentik.sources.saml",
|
"authentik.sources.saml",
|
||||||
|
"authentik.sources.scim",
|
||||||
"authentik.stages.authenticator",
|
"authentik.stages.authenticator",
|
||||||
"authentik.stages.authenticator_duo",
|
"authentik.stages.authenticator_duo",
|
||||||
"authentik.stages.authenticator_sms",
|
"authentik.stages.authenticator_sms",
|
||||||
|
@ -147,6 +147,9 @@ SPECTACULAR_SETTINGS = {
|
||||||
"UserTypeEnum": "authentik.core.models.UserTypes",
|
"UserTypeEnum": "authentik.core.models.UserTypes",
|
||||||
},
|
},
|
||||||
"ENUM_ADD_EXPLICIT_BLANK_NULL_CHOICE": False,
|
"ENUM_ADD_EXPLICIT_BLANK_NULL_CHOICE": False,
|
||||||
|
"PREPROCESSING_HOOKS": [
|
||||||
|
"authentik.api.schema.preprocess_schema_exclude_non_api",
|
||||||
|
],
|
||||||
"POSTPROCESSING_HOOKS": [
|
"POSTPROCESSING_HOOKS": [
|
||||||
"authentik.api.schema.postprocess_schema_responses",
|
"authentik.api.schema.postprocess_schema_responses",
|
||||||
"drf_spectacular.hooks.postprocess_schema_enums",
|
"drf_spectacular.hooks.postprocess_schema_enums",
|
||||||
|
@ -195,8 +198,8 @@ _redis_url = (
|
||||||
CACHES = {
|
CACHES = {
|
||||||
"default": {
|
"default": {
|
||||||
"BACKEND": "django_redis.cache.RedisCache",
|
"BACKEND": "django_redis.cache.RedisCache",
|
||||||
"LOCATION": f"{_redis_url}/{CONFIG.get('redis.db')}",
|
"LOCATION": CONFIG.get("cache.url") or f"{_redis_url}/{CONFIG.get('redis.db')}",
|
||||||
"TIMEOUT": CONFIG.get_int("redis.cache_timeout", 300),
|
"TIMEOUT": CONFIG.get_int("cache.timeout", 300),
|
||||||
"OPTIONS": {"CLIENT_CLASS": "django_redis.client.DefaultClient"},
|
"OPTIONS": {"CLIENT_CLASS": "django_redis.client.DefaultClient"},
|
||||||
"KEY_PREFIX": "authentik_cache",
|
"KEY_PREFIX": "authentik_cache",
|
||||||
}
|
}
|
||||||
|
@ -256,7 +259,7 @@ CHANNEL_LAYERS = {
|
||||||
"default": {
|
"default": {
|
||||||
"BACKEND": "channels_redis.pubsub.RedisPubSubChannelLayer",
|
"BACKEND": "channels_redis.pubsub.RedisPubSubChannelLayer",
|
||||||
"CONFIG": {
|
"CONFIG": {
|
||||||
"hosts": [f"{_redis_url}/{CONFIG.get('redis.db')}"],
|
"hosts": [CONFIG.get("channel.url", f"{_redis_url}/{CONFIG.get('redis.db')}")],
|
||||||
"prefix": "authentik_channels_",
|
"prefix": "authentik_channels_",
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
@ -349,8 +352,11 @@ CELERY = {
|
||||||
},
|
},
|
||||||
"task_create_missing_queues": True,
|
"task_create_missing_queues": True,
|
||||||
"task_default_queue": "authentik",
|
"task_default_queue": "authentik",
|
||||||
"broker_url": f"{_redis_url}/{CONFIG.get('redis.db')}{_redis_celery_tls_requirements}",
|
"broker_url": CONFIG.get("broker.url")
|
||||||
"result_backend": f"{_redis_url}/{CONFIG.get('redis.db')}{_redis_celery_tls_requirements}",
|
or f"{_redis_url}/{CONFIG.get('redis.db')}{_redis_celery_tls_requirements}",
|
||||||
|
"broker_transport_options": CONFIG.get_dict_from_b64_json("broker.transport_options"),
|
||||||
|
"result_backend": CONFIG.get("result_backend.url")
|
||||||
|
or f"{_redis_url}/{CONFIG.get('redis.db')}{_redis_celery_tls_requirements}",
|
||||||
}
|
}
|
||||||
|
|
||||||
# Sentry integration
|
# Sentry integration
|
||||||
|
|
|
@ -1,13 +1,14 @@
|
||||||
"""Source API Views"""
|
"""Source API Views"""
|
||||||
from typing import Any
|
from typing import Any, Optional
|
||||||
|
|
||||||
|
from django.core.cache import cache
|
||||||
from django_filters.filters import AllValuesMultipleFilter
|
from django_filters.filters import AllValuesMultipleFilter
|
||||||
from django_filters.filterset import FilterSet
|
from django_filters.filterset import FilterSet
|
||||||
from drf_spectacular.types import OpenApiTypes
|
from drf_spectacular.types import OpenApiTypes
|
||||||
from drf_spectacular.utils import extend_schema, extend_schema_field, inline_serializer
|
from drf_spectacular.utils import extend_schema, extend_schema_field, inline_serializer
|
||||||
from rest_framework.decorators import action
|
from rest_framework.decorators import action
|
||||||
from rest_framework.exceptions import ValidationError
|
from rest_framework.exceptions import ValidationError
|
||||||
from rest_framework.fields import DictField, ListField
|
from rest_framework.fields import BooleanField, DictField, ListField, SerializerMethodField
|
||||||
from rest_framework.relations import PrimaryKeyRelatedField
|
from rest_framework.relations import PrimaryKeyRelatedField
|
||||||
from rest_framework.request import Request
|
from rest_framework.request import Request
|
||||||
from rest_framework.response import Response
|
from rest_framework.response import Response
|
||||||
|
@ -17,15 +18,17 @@ from authentik.admin.api.tasks import TaskSerializer
|
||||||
from authentik.core.api.propertymappings import PropertyMappingSerializer
|
from authentik.core.api.propertymappings import PropertyMappingSerializer
|
||||||
from authentik.core.api.sources import SourceSerializer
|
from authentik.core.api.sources import SourceSerializer
|
||||||
from authentik.core.api.used_by import UsedByMixin
|
from authentik.core.api.used_by import UsedByMixin
|
||||||
|
from authentik.core.api.utils import PassiveSerializer
|
||||||
from authentik.crypto.models import CertificateKeyPair
|
from authentik.crypto.models import CertificateKeyPair
|
||||||
from authentik.events.monitored_tasks import TaskInfo
|
from authentik.events.monitored_tasks import TaskInfo
|
||||||
from authentik.sources.ldap.models import LDAPPropertyMapping, LDAPSource
|
from authentik.sources.ldap.models import LDAPPropertyMapping, LDAPSource
|
||||||
from authentik.sources.ldap.tasks import SYNC_CLASSES
|
from authentik.sources.ldap.tasks import CACHE_KEY_STATUS, SYNC_CLASSES
|
||||||
|
|
||||||
|
|
||||||
class LDAPSourceSerializer(SourceSerializer):
|
class LDAPSourceSerializer(SourceSerializer):
|
||||||
"""LDAP Source Serializer"""
|
"""LDAP Source Serializer"""
|
||||||
|
|
||||||
|
connectivity = SerializerMethodField()
|
||||||
client_certificate = PrimaryKeyRelatedField(
|
client_certificate = PrimaryKeyRelatedField(
|
||||||
allow_null=True,
|
allow_null=True,
|
||||||
help_text="Client certificate to authenticate against the LDAP Server's Certificate.",
|
help_text="Client certificate to authenticate against the LDAP Server's Certificate.",
|
||||||
|
@ -35,6 +38,10 @@ class LDAPSourceSerializer(SourceSerializer):
|
||||||
required=False,
|
required=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
|
def get_connectivity(self, source: LDAPSource) -> Optional[dict[str, dict[str, str]]]:
|
||||||
|
"""Get cached source connectivity"""
|
||||||
|
return cache.get(CACHE_KEY_STATUS + source.slug, None)
|
||||||
|
|
||||||
def validate(self, attrs: dict[str, Any]) -> dict[str, Any]:
|
def validate(self, attrs: dict[str, Any]) -> dict[str, Any]:
|
||||||
"""Check that only a single source has password_sync on"""
|
"""Check that only a single source has password_sync on"""
|
||||||
sync_users_password = attrs.get("sync_users_password", True)
|
sync_users_password = attrs.get("sync_users_password", True)
|
||||||
|
@ -75,10 +82,18 @@ class LDAPSourceSerializer(SourceSerializer):
|
||||||
"sync_parent_group",
|
"sync_parent_group",
|
||||||
"property_mappings",
|
"property_mappings",
|
||||||
"property_mappings_group",
|
"property_mappings_group",
|
||||||
|
"connectivity",
|
||||||
]
|
]
|
||||||
extra_kwargs = {"bind_password": {"write_only": True}}
|
extra_kwargs = {"bind_password": {"write_only": True}}
|
||||||
|
|
||||||
|
|
||||||
|
class LDAPSyncStatusSerializer(PassiveSerializer):
|
||||||
|
"""LDAP Source sync status"""
|
||||||
|
|
||||||
|
is_running = BooleanField(read_only=True)
|
||||||
|
tasks = TaskSerializer(many=True, read_only=True)
|
||||||
|
|
||||||
|
|
||||||
class LDAPSourceViewSet(UsedByMixin, ModelViewSet):
|
class LDAPSourceViewSet(UsedByMixin, ModelViewSet):
|
||||||
"""LDAP Source Viewset"""
|
"""LDAP Source Viewset"""
|
||||||
|
|
||||||
|
@ -114,19 +129,19 @@ class LDAPSourceViewSet(UsedByMixin, ModelViewSet):
|
||||||
|
|
||||||
@extend_schema(
|
@extend_schema(
|
||||||
responses={
|
responses={
|
||||||
200: TaskSerializer(many=True),
|
200: LDAPSyncStatusSerializer(),
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
@action(methods=["GET"], detail=True, pagination_class=None, filter_backends=[])
|
@action(methods=["GET"], detail=True, pagination_class=None, filter_backends=[])
|
||||||
def sync_status(self, request: Request, slug: str) -> Response:
|
def sync_status(self, request: Request, slug: str) -> Response:
|
||||||
"""Get source's sync status"""
|
"""Get source's sync status"""
|
||||||
source = self.get_object()
|
source: LDAPSource = self.get_object()
|
||||||
results = []
|
tasks = TaskInfo.by_name(f"ldap_sync:{source.slug}:*") or []
|
||||||
tasks = TaskInfo.by_name(f"ldap_sync:{source.slug}:*")
|
status = {
|
||||||
if tasks:
|
"tasks": tasks,
|
||||||
for task in tasks:
|
"is_running": source.sync_lock.locked(),
|
||||||
results.append(task)
|
}
|
||||||
return Response(TaskSerializer(results, many=True).data)
|
return Response(LDAPSyncStatusSerializer(status).data)
|
||||||
|
|
||||||
@extend_schema(
|
@extend_schema(
|
||||||
responses={
|
responses={
|
||||||
|
|
|
@ -0,0 +1,24 @@
|
||||||
|
"""LDAP Connection check"""
|
||||||
|
from json import dumps
|
||||||
|
|
||||||
|
from django.core.management.base import BaseCommand
|
||||||
|
from structlog.stdlib import get_logger
|
||||||
|
|
||||||
|
from authentik.sources.ldap.models import LDAPSource
|
||||||
|
|
||||||
|
LOGGER = get_logger()
|
||||||
|
|
||||||
|
|
||||||
|
class Command(BaseCommand):
|
||||||
|
"""Check connectivity to LDAP servers for a source"""
|
||||||
|
|
||||||
|
def add_arguments(self, parser):
|
||||||
|
parser.add_argument("source_slugs", nargs="?", type=str)
|
||||||
|
|
||||||
|
def handle(self, **options):
|
||||||
|
sources = LDAPSource.objects.filter(enabled=True)
|
||||||
|
if options["source_slugs"]:
|
||||||
|
sources = LDAPSource.objects.filter(slug__in=options["source_slugs"])
|
||||||
|
for source in sources.order_by("slug"):
|
||||||
|
status = source.check_connection()
|
||||||
|
self.stdout.write(dumps(status, indent=4))
|
|
@ -4,10 +4,12 @@ from ssl import CERT_REQUIRED
|
||||||
from tempfile import NamedTemporaryFile, mkdtemp
|
from tempfile import NamedTemporaryFile, mkdtemp
|
||||||
from typing import Optional
|
from typing import Optional
|
||||||
|
|
||||||
|
from django.core.cache import cache
|
||||||
from django.db import models
|
from django.db import models
|
||||||
from django.utils.translation import gettext_lazy as _
|
from django.utils.translation import gettext_lazy as _
|
||||||
from ldap3 import ALL, NONE, RANDOM, Connection, Server, ServerPool, Tls
|
from ldap3 import ALL, NONE, RANDOM, Connection, Server, ServerPool, Tls
|
||||||
from ldap3.core.exceptions import LDAPInsufficientAccessRightsResult, LDAPSchemaError
|
from ldap3.core.exceptions import LDAPException, LDAPInsufficientAccessRightsResult, LDAPSchemaError
|
||||||
|
from redis.lock import Lock
|
||||||
from rest_framework.serializers import Serializer
|
from rest_framework.serializers import Serializer
|
||||||
|
|
||||||
from authentik.core.models import Group, PropertyMapping, Source
|
from authentik.core.models import Group, PropertyMapping, Source
|
||||||
|
@ -117,7 +119,7 @@ class LDAPSource(Source):
|
||||||
|
|
||||||
return LDAPSourceSerializer
|
return LDAPSourceSerializer
|
||||||
|
|
||||||
def server(self, **kwargs) -> Server:
|
def server(self, **kwargs) -> ServerPool:
|
||||||
"""Get LDAP Server/ServerPool"""
|
"""Get LDAP Server/ServerPool"""
|
||||||
servers = []
|
servers = []
|
||||||
tls_kwargs = {}
|
tls_kwargs = {}
|
||||||
|
@ -154,7 +156,10 @@ class LDAPSource(Source):
|
||||||
return ServerPool(servers, RANDOM, active=5, exhaust=True)
|
return ServerPool(servers, RANDOM, active=5, exhaust=True)
|
||||||
|
|
||||||
def connection(
|
def connection(
|
||||||
self, server_kwargs: Optional[dict] = None, connection_kwargs: Optional[dict] = None
|
self,
|
||||||
|
server: Optional[Server] = None,
|
||||||
|
server_kwargs: Optional[dict] = None,
|
||||||
|
connection_kwargs: Optional[dict] = None,
|
||||||
) -> Connection:
|
) -> Connection:
|
||||||
"""Get a fully connected and bound LDAP Connection"""
|
"""Get a fully connected and bound LDAP Connection"""
|
||||||
server_kwargs = server_kwargs or {}
|
server_kwargs = server_kwargs or {}
|
||||||
|
@ -164,7 +169,7 @@ class LDAPSource(Source):
|
||||||
if self.bind_password is not None:
|
if self.bind_password is not None:
|
||||||
connection_kwargs.setdefault("password", self.bind_password)
|
connection_kwargs.setdefault("password", self.bind_password)
|
||||||
connection = Connection(
|
connection = Connection(
|
||||||
self.server(**server_kwargs),
|
server or self.server(**server_kwargs),
|
||||||
raise_exceptions=True,
|
raise_exceptions=True,
|
||||||
receive_timeout=LDAP_TIMEOUT,
|
receive_timeout=LDAP_TIMEOUT,
|
||||||
**connection_kwargs,
|
**connection_kwargs,
|
||||||
|
@ -183,9 +188,55 @@ class LDAPSource(Source):
|
||||||
if server_kwargs.get("get_info", ALL) == NONE:
|
if server_kwargs.get("get_info", ALL) == NONE:
|
||||||
raise exc
|
raise exc
|
||||||
server_kwargs["get_info"] = NONE
|
server_kwargs["get_info"] = NONE
|
||||||
return self.connection(server_kwargs, connection_kwargs)
|
return self.connection(server, server_kwargs, connection_kwargs)
|
||||||
return RuntimeError("Failed to bind")
|
return RuntimeError("Failed to bind")
|
||||||
|
|
||||||
|
@property
|
||||||
|
def sync_lock(self) -> Lock:
|
||||||
|
"""Redis lock for syncing LDAP to prevent multiple parallel syncs happening"""
|
||||||
|
return Lock(
|
||||||
|
cache.client.get_client(),
|
||||||
|
name=f"goauthentik.io/sources/ldap/sync-{self.slug}",
|
||||||
|
# Convert task timeout hours to seconds, and multiply times 3
|
||||||
|
# (see authentik/sources/ldap/tasks.py:54)
|
||||||
|
# multiply by 3 to add even more leeway
|
||||||
|
timeout=(60 * 60 * CONFIG.get_int("ldap.task_timeout_hours")) * 3,
|
||||||
|
)
|
||||||
|
|
||||||
|
def check_connection(self) -> dict[str, dict[str, str]]:
|
||||||
|
"""Check LDAP Connection"""
|
||||||
|
from authentik.sources.ldap.sync.base import flatten
|
||||||
|
|
||||||
|
servers = self.server()
|
||||||
|
server_info = {}
|
||||||
|
# Check each individual server
|
||||||
|
for server in servers.servers:
|
||||||
|
server: Server
|
||||||
|
try:
|
||||||
|
connection = self.connection(server=server)
|
||||||
|
server_info[server.host] = {
|
||||||
|
"vendor": str(flatten(connection.server.info.vendor_name)),
|
||||||
|
"version": str(flatten(connection.server.info.vendor_version)),
|
||||||
|
"status": "ok",
|
||||||
|
}
|
||||||
|
except LDAPException as exc:
|
||||||
|
server_info[server.host] = {
|
||||||
|
"status": str(exc),
|
||||||
|
}
|
||||||
|
# Check server pool
|
||||||
|
try:
|
||||||
|
connection = self.connection()
|
||||||
|
server_info["__all__"] = {
|
||||||
|
"vendor": str(flatten(connection.server.info.vendor_name)),
|
||||||
|
"version": str(flatten(connection.server.info.vendor_version)),
|
||||||
|
"status": "ok",
|
||||||
|
}
|
||||||
|
except LDAPException as exc:
|
||||||
|
server_info["__all__"] = {
|
||||||
|
"status": str(exc),
|
||||||
|
}
|
||||||
|
return server_info
|
||||||
|
|
||||||
class Meta:
|
class Meta:
|
||||||
verbose_name = _("LDAP Source")
|
verbose_name = _("LDAP Source")
|
||||||
verbose_name_plural = _("LDAP Sources")
|
verbose_name_plural = _("LDAP Sources")
|
||||||
|
|
|
@ -8,5 +8,10 @@ CELERY_BEAT_SCHEDULE = {
|
||||||
"task": "authentik.sources.ldap.tasks.ldap_sync_all",
|
"task": "authentik.sources.ldap.tasks.ldap_sync_all",
|
||||||
"schedule": crontab(minute=fqdn_rand("sources_ldap_sync"), hour="*/2"),
|
"schedule": crontab(minute=fqdn_rand("sources_ldap_sync"), hour="*/2"),
|
||||||
"options": {"queue": "authentik_scheduled"},
|
"options": {"queue": "authentik_scheduled"},
|
||||||
}
|
},
|
||||||
|
"sources_ldap_connectivity_check": {
|
||||||
|
"task": "authentik.sources.ldap.tasks.ldap_connectivity_check",
|
||||||
|
"schedule": crontab(minute=fqdn_rand("sources_ldap_connectivity_check"), hour="*"),
|
||||||
|
"options": {"queue": "authentik_scheduled"},
|
||||||
|
},
|
||||||
}
|
}
|
||||||
|
|
|
@ -14,7 +14,7 @@ from authentik.events.models import Event, EventAction
|
||||||
from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
|
from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
|
||||||
from authentik.sources.ldap.models import LDAPSource
|
from authentik.sources.ldap.models import LDAPSource
|
||||||
from authentik.sources.ldap.password import LDAPPasswordChanger
|
from authentik.sources.ldap.password import LDAPPasswordChanger
|
||||||
from authentik.sources.ldap.tasks import ldap_sync_single
|
from authentik.sources.ldap.tasks import ldap_connectivity_check, ldap_sync_single
|
||||||
from authentik.stages.prompt.signals import password_validate
|
from authentik.stages.prompt.signals import password_validate
|
||||||
|
|
||||||
LOGGER = get_logger()
|
LOGGER = get_logger()
|
||||||
|
@ -32,6 +32,7 @@ def sync_ldap_source_on_save(sender, instance: LDAPSource, **_):
|
||||||
if not instance.property_mappings.exists() or not instance.property_mappings_group.exists():
|
if not instance.property_mappings.exists() or not instance.property_mappings_group.exists():
|
||||||
return
|
return
|
||||||
ldap_sync_single.delay(instance.pk)
|
ldap_sync_single.delay(instance.pk)
|
||||||
|
ldap_connectivity_check.delay(instance.pk)
|
||||||
|
|
||||||
|
|
||||||
@receiver(password_validate)
|
@receiver(password_validate)
|
||||||
|
|
|
@ -17,6 +17,15 @@ from authentik.sources.ldap.models import LDAPPropertyMapping, LDAPSource
|
||||||
LDAP_UNIQUENESS = "ldap_uniq"
|
LDAP_UNIQUENESS = "ldap_uniq"
|
||||||
|
|
||||||
|
|
||||||
|
def flatten(value: Any) -> Any:
|
||||||
|
"""Flatten `value` if its a list"""
|
||||||
|
if isinstance(value, list):
|
||||||
|
if len(value) < 1:
|
||||||
|
return None
|
||||||
|
return value[0]
|
||||||
|
return value
|
||||||
|
|
||||||
|
|
||||||
class BaseLDAPSynchronizer:
|
class BaseLDAPSynchronizer:
|
||||||
"""Sync LDAP Users and groups into authentik"""
|
"""Sync LDAP Users and groups into authentik"""
|
||||||
|
|
||||||
|
@ -122,14 +131,6 @@ class BaseLDAPSynchronizer:
|
||||||
cookie = None
|
cookie = None
|
||||||
yield self._connection.response
|
yield self._connection.response
|
||||||
|
|
||||||
def _flatten(self, value: Any) -> Any:
|
|
||||||
"""Flatten `value` if its a list"""
|
|
||||||
if isinstance(value, list):
|
|
||||||
if len(value) < 1:
|
|
||||||
return None
|
|
||||||
return value[0]
|
|
||||||
return value
|
|
||||||
|
|
||||||
def build_user_properties(self, user_dn: str, **kwargs) -> dict[str, Any]:
|
def build_user_properties(self, user_dn: str, **kwargs) -> dict[str, Any]:
|
||||||
"""Build attributes for User object based on property mappings."""
|
"""Build attributes for User object based on property mappings."""
|
||||||
props = self._build_object_properties(user_dn, self._source.property_mappings, **kwargs)
|
props = self._build_object_properties(user_dn, self._source.property_mappings, **kwargs)
|
||||||
|
@ -163,10 +164,10 @@ class BaseLDAPSynchronizer:
|
||||||
object_field = mapping.object_field
|
object_field = mapping.object_field
|
||||||
if object_field.startswith("attributes."):
|
if object_field.startswith("attributes."):
|
||||||
# Because returning a list might desired, we can't
|
# Because returning a list might desired, we can't
|
||||||
# rely on self._flatten here. Instead, just save the result as-is
|
# rely on flatten here. Instead, just save the result as-is
|
||||||
set_path_in_dict(properties, object_field, value)
|
set_path_in_dict(properties, object_field, value)
|
||||||
else:
|
else:
|
||||||
properties[object_field] = self._flatten(value)
|
properties[object_field] = flatten(value)
|
||||||
except PropertyMappingExpressionException as exc:
|
except PropertyMappingExpressionException as exc:
|
||||||
Event.new(
|
Event.new(
|
||||||
EventAction.CONFIGURATION_ERROR,
|
EventAction.CONFIGURATION_ERROR,
|
||||||
|
@ -177,7 +178,7 @@ class BaseLDAPSynchronizer:
|
||||||
self._logger.warning("Mapping failed to evaluate", exc=exc, mapping=mapping)
|
self._logger.warning("Mapping failed to evaluate", exc=exc, mapping=mapping)
|
||||||
continue
|
continue
|
||||||
if self._source.object_uniqueness_field in kwargs:
|
if self._source.object_uniqueness_field in kwargs:
|
||||||
properties["attributes"][LDAP_UNIQUENESS] = self._flatten(
|
properties["attributes"][LDAP_UNIQUENESS] = flatten(
|
||||||
kwargs.get(self._source.object_uniqueness_field)
|
kwargs.get(self._source.object_uniqueness_field)
|
||||||
)
|
)
|
||||||
properties["attributes"][LDAP_DISTINGUISHED_NAME] = object_dn
|
properties["attributes"][LDAP_DISTINGUISHED_NAME] = object_dn
|
||||||
|
|
|
@ -7,7 +7,7 @@ from ldap3 import ALL_ATTRIBUTES, ALL_OPERATIONAL_ATTRIBUTES, SUBTREE
|
||||||
|
|
||||||
from authentik.core.models import Group
|
from authentik.core.models import Group
|
||||||
from authentik.events.models import Event, EventAction
|
from authentik.events.models import Event, EventAction
|
||||||
from authentik.sources.ldap.sync.base import LDAP_UNIQUENESS, BaseLDAPSynchronizer
|
from authentik.sources.ldap.sync.base import LDAP_UNIQUENESS, BaseLDAPSynchronizer, flatten
|
||||||
|
|
||||||
|
|
||||||
class GroupLDAPSynchronizer(BaseLDAPSynchronizer):
|
class GroupLDAPSynchronizer(BaseLDAPSynchronizer):
|
||||||
|
@ -39,7 +39,7 @@ class GroupLDAPSynchronizer(BaseLDAPSynchronizer):
|
||||||
if "attributes" not in group:
|
if "attributes" not in group:
|
||||||
continue
|
continue
|
||||||
attributes = group.get("attributes", {})
|
attributes = group.get("attributes", {})
|
||||||
group_dn = self._flatten(self._flatten(group.get("entryDN", group.get("dn"))))
|
group_dn = flatten(flatten(group.get("entryDN", group.get("dn"))))
|
||||||
if self._source.object_uniqueness_field not in attributes:
|
if self._source.object_uniqueness_field not in attributes:
|
||||||
self.message(
|
self.message(
|
||||||
f"Cannot find uniqueness field in attributes: '{group_dn}'",
|
f"Cannot find uniqueness field in attributes: '{group_dn}'",
|
||||||
|
@ -47,7 +47,7 @@ class GroupLDAPSynchronizer(BaseLDAPSynchronizer):
|
||||||
dn=group_dn,
|
dn=group_dn,
|
||||||
)
|
)
|
||||||
continue
|
continue
|
||||||
uniq = self._flatten(attributes[self._source.object_uniqueness_field])
|
uniq = flatten(attributes[self._source.object_uniqueness_field])
|
||||||
try:
|
try:
|
||||||
defaults = self.build_group_properties(group_dn, **attributes)
|
defaults = self.build_group_properties(group_dn, **attributes)
|
||||||
defaults["parent"] = self._source.sync_parent_group
|
defaults["parent"] = self._source.sync_parent_group
|
||||||
|
|
|
@ -7,7 +7,7 @@ from ldap3 import ALL_ATTRIBUTES, ALL_OPERATIONAL_ATTRIBUTES, SUBTREE
|
||||||
|
|
||||||
from authentik.core.models import User
|
from authentik.core.models import User
|
||||||
from authentik.events.models import Event, EventAction
|
from authentik.events.models import Event, EventAction
|
||||||
from authentik.sources.ldap.sync.base import LDAP_UNIQUENESS, BaseLDAPSynchronizer
|
from authentik.sources.ldap.sync.base import LDAP_UNIQUENESS, BaseLDAPSynchronizer, flatten
|
||||||
from authentik.sources.ldap.sync.vendor.freeipa import FreeIPA
|
from authentik.sources.ldap.sync.vendor.freeipa import FreeIPA
|
||||||
from authentik.sources.ldap.sync.vendor.ms_ad import MicrosoftActiveDirectory
|
from authentik.sources.ldap.sync.vendor.ms_ad import MicrosoftActiveDirectory
|
||||||
|
|
||||||
|
@ -41,7 +41,7 @@ class UserLDAPSynchronizer(BaseLDAPSynchronizer):
|
||||||
if "attributes" not in user:
|
if "attributes" not in user:
|
||||||
continue
|
continue
|
||||||
attributes = user.get("attributes", {})
|
attributes = user.get("attributes", {})
|
||||||
user_dn = self._flatten(user.get("entryDN", user.get("dn")))
|
user_dn = flatten(user.get("entryDN", user.get("dn")))
|
||||||
if self._source.object_uniqueness_field not in attributes:
|
if self._source.object_uniqueness_field not in attributes:
|
||||||
self.message(
|
self.message(
|
||||||
f"Cannot find uniqueness field in attributes: '{user_dn}'",
|
f"Cannot find uniqueness field in attributes: '{user_dn}'",
|
||||||
|
@ -49,7 +49,7 @@ class UserLDAPSynchronizer(BaseLDAPSynchronizer):
|
||||||
dn=user_dn,
|
dn=user_dn,
|
||||||
)
|
)
|
||||||
continue
|
continue
|
||||||
uniq = self._flatten(attributes[self._source.object_uniqueness_field])
|
uniq = flatten(attributes[self._source.object_uniqueness_field])
|
||||||
try:
|
try:
|
||||||
defaults = self.build_user_properties(user_dn, **attributes)
|
defaults = self.build_user_properties(user_dn, **attributes)
|
||||||
self._logger.debug("Writing user with attributes", **defaults)
|
self._logger.debug("Writing user with attributes", **defaults)
|
||||||
|
|
|
@ -5,7 +5,7 @@ from typing import Any, Generator
|
||||||
from pytz import UTC
|
from pytz import UTC
|
||||||
|
|
||||||
from authentik.core.models import User
|
from authentik.core.models import User
|
||||||
from authentik.sources.ldap.sync.base import BaseLDAPSynchronizer
|
from authentik.sources.ldap.sync.base import BaseLDAPSynchronizer, flatten
|
||||||
|
|
||||||
|
|
||||||
class FreeIPA(BaseLDAPSynchronizer):
|
class FreeIPA(BaseLDAPSynchronizer):
|
||||||
|
@ -47,7 +47,7 @@ class FreeIPA(BaseLDAPSynchronizer):
|
||||||
return
|
return
|
||||||
# For some reason, nsaccountlock is not defined properly in the schema as bool
|
# For some reason, nsaccountlock is not defined properly in the schema as bool
|
||||||
# hence we get it as a list of strings
|
# hence we get it as a list of strings
|
||||||
_is_locked = str(self._flatten(attributes.get("nsaccountlock", ["FALSE"])))
|
_is_locked = str(flatten(attributes.get("nsaccountlock", ["FALSE"])))
|
||||||
# So we have to attempt to convert it to a bool
|
# So we have to attempt to convert it to a bool
|
||||||
is_locked = _is_locked.lower() == "true"
|
is_locked = _is_locked.lower() == "true"
|
||||||
# And then invert it since freeipa saves locked and we save active
|
# And then invert it since freeipa saves locked and we save active
|
||||||
|
|
|
@ -1,13 +1,14 @@
|
||||||
"""LDAP Sync tasks"""
|
"""LDAP Sync tasks"""
|
||||||
|
from typing import Optional
|
||||||
from uuid import uuid4
|
from uuid import uuid4
|
||||||
|
|
||||||
from celery import chain, group
|
from celery import chain, group
|
||||||
from django.core.cache import cache
|
from django.core.cache import cache
|
||||||
from ldap3.core.exceptions import LDAPException
|
from ldap3.core.exceptions import LDAPException
|
||||||
from redis.exceptions import LockError
|
from redis.exceptions import LockError
|
||||||
from redis.lock import Lock
|
|
||||||
from structlog.stdlib import get_logger
|
from structlog.stdlib import get_logger
|
||||||
|
|
||||||
|
from authentik.events.monitored_tasks import CACHE_KEY_PREFIX as CACHE_KEY_PREFIX_TASKS
|
||||||
from authentik.events.monitored_tasks import MonitoredTask, TaskResult, TaskResultStatus
|
from authentik.events.monitored_tasks import MonitoredTask, TaskResult, TaskResultStatus
|
||||||
from authentik.lib.config import CONFIG
|
from authentik.lib.config import CONFIG
|
||||||
from authentik.lib.utils.errors import exception_to_string
|
from authentik.lib.utils.errors import exception_to_string
|
||||||
|
@ -26,6 +27,7 @@ SYNC_CLASSES = [
|
||||||
MembershipLDAPSynchronizer,
|
MembershipLDAPSynchronizer,
|
||||||
]
|
]
|
||||||
CACHE_KEY_PREFIX = "goauthentik.io/sources/ldap/page/"
|
CACHE_KEY_PREFIX = "goauthentik.io/sources/ldap/page/"
|
||||||
|
CACHE_KEY_STATUS = "goauthentik.io/sources/ldap/status/"
|
||||||
|
|
||||||
|
|
||||||
@CELERY_APP.task()
|
@CELERY_APP.task()
|
||||||
|
@ -35,6 +37,19 @@ def ldap_sync_all():
|
||||||
ldap_sync_single.apply_async(args=[source.pk])
|
ldap_sync_single.apply_async(args=[source.pk])
|
||||||
|
|
||||||
|
|
||||||
|
@CELERY_APP.task()
|
||||||
|
def ldap_connectivity_check(pk: Optional[str] = None):
|
||||||
|
"""Check connectivity for LDAP Sources"""
|
||||||
|
# 2 hour timeout, this task should run every hour
|
||||||
|
timeout = 60 * 60 * 2
|
||||||
|
sources = LDAPSource.objects.filter(enabled=True)
|
||||||
|
if pk:
|
||||||
|
sources = sources.filter(pk=pk)
|
||||||
|
for source in sources:
|
||||||
|
status = source.check_connection()
|
||||||
|
cache.set(CACHE_KEY_STATUS + source.slug, status, timeout=timeout)
|
||||||
|
|
||||||
|
|
||||||
@CELERY_APP.task(
|
@CELERY_APP.task(
|
||||||
# We take the configured hours timeout time by 2.5 as we run user and
|
# We take the configured hours timeout time by 2.5 as we run user and
|
||||||
# group in parallel and then membership, so 2x is to cover the serial tasks,
|
# group in parallel and then membership, so 2x is to cover the serial tasks,
|
||||||
|
@ -47,12 +62,15 @@ def ldap_sync_single(source_pk: str):
|
||||||
source: LDAPSource = LDAPSource.objects.filter(pk=source_pk).first()
|
source: LDAPSource = LDAPSource.objects.filter(pk=source_pk).first()
|
||||||
if not source:
|
if not source:
|
||||||
return
|
return
|
||||||
lock = Lock(cache.client.get_client(), name=f"goauthentik.io/sources/ldap/sync-{source.slug}")
|
lock = source.sync_lock
|
||||||
if lock.locked():
|
if lock.locked():
|
||||||
LOGGER.debug("LDAP sync locked, skipping task", source=source.slug)
|
LOGGER.debug("LDAP sync locked, skipping task", source=source.slug)
|
||||||
return
|
return
|
||||||
try:
|
try:
|
||||||
with lock:
|
with lock:
|
||||||
|
# Delete all sync tasks from the cache
|
||||||
|
keys = cache.keys(f"{CACHE_KEY_PREFIX_TASKS}ldap_sync:{source.slug}*")
|
||||||
|
cache.delete_many(keys)
|
||||||
task = chain(
|
task = chain(
|
||||||
# User and group sync can happen at once, they have no dependencies on each other
|
# User and group sync can happen at once, they have no dependencies on each other
|
||||||
group(
|
group(
|
||||||
|
|
|
@ -12,8 +12,9 @@ class PatreonOAuthRedirect(OAuthRedirect):
|
||||||
"""Patreon OAuth2 Redirect"""
|
"""Patreon OAuth2 Redirect"""
|
||||||
|
|
||||||
def get_additional_parameters(self, source: OAuthSource): # pragma: no cover
|
def get_additional_parameters(self, source: OAuthSource): # pragma: no cover
|
||||||
|
# https://docs.patreon.com/#scopes
|
||||||
return {
|
return {
|
||||||
"scope": ["openid", "email", "profile"],
|
"scope": ["identity", "identity[email]"],
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,62 @@
|
||||||
|
"""SCIMSource API Views"""
|
||||||
|
from django.urls import reverse_lazy
|
||||||
|
from rest_framework.fields import SerializerMethodField
|
||||||
|
from rest_framework.viewsets import ModelViewSet
|
||||||
|
|
||||||
|
from authentik.core.api.sources import SourceSerializer
|
||||||
|
from authentik.core.api.tokens import TokenSerializer
|
||||||
|
from authentik.core.api.used_by import UsedByMixin
|
||||||
|
from authentik.core.models import Token, TokenIntents, User, UserTypes
|
||||||
|
from authentik.sources.scim.models import SCIMSource
|
||||||
|
|
||||||
|
|
||||||
|
class SCIMSourceSerializer(SourceSerializer):
|
||||||
|
"""SCIMSource Serializer"""
|
||||||
|
|
||||||
|
root_url = SerializerMethodField()
|
||||||
|
token_obj = TokenSerializer(source="token", required=False, read_only=True)
|
||||||
|
|
||||||
|
def get_root_url(self, instance: SCIMSource) -> str:
|
||||||
|
"""Get Root URL"""
|
||||||
|
relative_url = reverse_lazy(
|
||||||
|
"authentik_sources_scim:v2-root",
|
||||||
|
kwargs={"source_slug": instance.slug},
|
||||||
|
)
|
||||||
|
if "request" not in self.context:
|
||||||
|
return relative_url
|
||||||
|
return self.context["request"].build_absolute_uri(relative_url)
|
||||||
|
|
||||||
|
def create(self, validated_data):
|
||||||
|
instance: SCIMSource = super().create(validated_data)
|
||||||
|
identifier = f"ak-source-scim-{instance.pk}"
|
||||||
|
user = User.objects.create(
|
||||||
|
username=identifier,
|
||||||
|
name=f"SCIM Source {instance.name} Service-Account",
|
||||||
|
type=UserTypes.SERVICE_ACCOUNT,
|
||||||
|
)
|
||||||
|
token = Token.objects.create(
|
||||||
|
user=user,
|
||||||
|
identifier=identifier,
|
||||||
|
intent=TokenIntents.INTENT_API,
|
||||||
|
expiring=False,
|
||||||
|
managed=f"goauthentik.io/sources/scim/{instance.pk}",
|
||||||
|
)
|
||||||
|
instance.token = token
|
||||||
|
instance.save()
|
||||||
|
return instance
|
||||||
|
|
||||||
|
class Meta:
|
||||||
|
|
||||||
|
model = SCIMSource
|
||||||
|
fields = SourceSerializer.Meta.fields + ["token", "root_url", "token_obj"]
|
||||||
|
|
||||||
|
|
||||||
|
class SCIMSourceViewSet(UsedByMixin, ModelViewSet):
|
||||||
|
"""SCIMSource Viewset"""
|
||||||
|
|
||||||
|
queryset = SCIMSource.objects.all()
|
||||||
|
serializer_class = SCIMSourceSerializer
|
||||||
|
lookup_field = "slug"
|
||||||
|
filterset_fields = ["name", "slug"]
|
||||||
|
search_fields = ["name", "slug", "token__identifier", "token__user__username"]
|
||||||
|
ordering = ["name"]
|
|
@ -0,0 +1,11 @@
|
||||||
|
"""Authentik SCIM app config"""
|
||||||
|
|
||||||
|
from django.apps import AppConfig
|
||||||
|
|
||||||
|
|
||||||
|
class AuthentikSourceSCIMConfig(AppConfig):
|
||||||
|
"""authentik SCIM Source app config"""
|
||||||
|
|
||||||
|
name = "authentik.sources.scim"
|
||||||
|
label = "authentik_sources_scim"
|
||||||
|
verbose_name = "authentik Sources.SCIM"
|
|
@ -0,0 +1,8 @@
|
||||||
|
"""SCIM Errors"""
|
||||||
|
|
||||||
|
from authentik.lib.sentry import SentryIgnoredException
|
||||||
|
|
||||||
|
|
||||||
|
class PatchError(SentryIgnoredException):
|
||||||
|
"""Error raised within an atomic block when an error happened
|
||||||
|
so nothing is saved"""
|
|
@ -0,0 +1,61 @@
|
||||||
|
grammar ScimFilter;
|
||||||
|
|
||||||
|
parse
|
||||||
|
: filter
|
||||||
|
;
|
||||||
|
|
||||||
|
filter
|
||||||
|
: attrPath SP PR #presentExp
|
||||||
|
| attrPath SP COMPAREOPERATOR SP VALUE #operatorExp
|
||||||
|
| NOT? SP* '(' filter ')' #braceExp
|
||||||
|
| attrPath '[' valPathFilter ']' #valPathExp
|
||||||
|
| filter SP AND SP filter #andExp
|
||||||
|
| filter SP OR SP filter #orExp
|
||||||
|
;
|
||||||
|
|
||||||
|
valPathFilter
|
||||||
|
: attrPath SP PR #valPathPresentExp
|
||||||
|
| attrPath SP COMPAREOPERATOR SP VALUE #valPathOperatorExp
|
||||||
|
| NOT? SP* '(' valPathFilter ')' #valPathBraceExp
|
||||||
|
| valPathFilter SP AND SP valPathFilter #valPathAndExp
|
||||||
|
| valPathFilter SP OR SP valPathFilter #valPathOrExp
|
||||||
|
;
|
||||||
|
|
||||||
|
attrPath
|
||||||
|
: (SCHEMA)? ATTRNAME ('.' ATTRNAME)?
|
||||||
|
;
|
||||||
|
|
||||||
|
COMPAREOPERATOR : EQ | NE | CO | SW | EW | GT | GE | LT | LE;
|
||||||
|
|
||||||
|
EQ : [eE][qQ];
|
||||||
|
NE : [nN][eE];
|
||||||
|
CO : [cC][oO];
|
||||||
|
SW : [sS][wW];
|
||||||
|
EW : [eE][wW];
|
||||||
|
PR : [pP][rR];
|
||||||
|
GT : [gG][tT];
|
||||||
|
GE : [gG][eE];
|
||||||
|
LT : [lL][tT];
|
||||||
|
LE : [lL][eE];
|
||||||
|
|
||||||
|
NOT : [nN][oO][tT];
|
||||||
|
AND : [aA][nN][dD];
|
||||||
|
OR : [oO][rR];
|
||||||
|
|
||||||
|
SP : ' ';
|
||||||
|
|
||||||
|
SCHEMA : 'urn:' (SEGMENT ':')+;
|
||||||
|
|
||||||
|
ATTRNAME : ALPHA (ALPHA | DIGIT | '_' | '-')+;
|
||||||
|
|
||||||
|
fragment SEGMENT : (ALPHA | DIGIT | '_' | '-' | '.')+;
|
||||||
|
|
||||||
|
fragment DIGIT : [0-9];
|
||||||
|
|
||||||
|
fragment ALPHA : [a-z] | [A-Z];
|
||||||
|
|
||||||
|
ESCAPED_QUOTE : '\\"';
|
||||||
|
|
||||||
|
VALUE : '"'(ESCAPED_QUOTE | ~'"')*'"' | 'true' | 'false' | 'null' | DIGIT+('.'DIGIT+)?;
|
||||||
|
|
||||||
|
EXCLUDE : [\b | \t | \r | \n]+ -> skip;
|
|
@ -0,0 +1,65 @@
|
||||||
|
token literal names:
|
||||||
|
null
|
||||||
|
'('
|
||||||
|
')'
|
||||||
|
'['
|
||||||
|
']'
|
||||||
|
'.'
|
||||||
|
null
|
||||||
|
null
|
||||||
|
null
|
||||||
|
null
|
||||||
|
null
|
||||||
|
null
|
||||||
|
null
|
||||||
|
null
|
||||||
|
null
|
||||||
|
null
|
||||||
|
null
|
||||||
|
null
|
||||||
|
null
|
||||||
|
null
|
||||||
|
' '
|
||||||
|
null
|
||||||
|
null
|
||||||
|
'\\"'
|
||||||
|
null
|
||||||
|
null
|
||||||
|
|
||||||
|
token symbolic names:
|
||||||
|
null
|
||||||
|
null
|
||||||
|
null
|
||||||
|
null
|
||||||
|
null
|
||||||
|
null
|
||||||
|
COMPAREOPERATOR
|
||||||
|
EQ
|
||||||
|
NE
|
||||||
|
CO
|
||||||
|
SW
|
||||||
|
EW
|
||||||
|
PR
|
||||||
|
GT
|
||||||
|
GE
|
||||||
|
LT
|
||||||
|
LE
|
||||||
|
NOT
|
||||||
|
AND
|
||||||
|
OR
|
||||||
|
SP
|
||||||
|
SCHEMA
|
||||||
|
ATTRNAME
|
||||||
|
ESCAPED_QUOTE
|
||||||
|
VALUE
|
||||||
|
EXCLUDE
|
||||||
|
|
||||||
|
rule names:
|
||||||
|
parse
|
||||||
|
filter
|
||||||
|
valPathFilter
|
||||||
|
attrPath
|
||||||
|
|
||||||
|
|
||||||
|
atn:
|
||||||
|
[4, 1, 25, 106, 2, 0, 7, 0, 2, 1, 7, 1, 2, 2, 7, 2, 2, 3, 7, 3, 1, 0, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 3, 1, 23, 8, 1, 1, 1, 5, 1, 26, 8, 1, 10, 1, 12, 1, 29, 9, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 3, 1, 40, 8, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 5, 1, 52, 8, 1, 10, 1, 12, 1, 55, 9, 1, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 3, 2, 69, 8, 2, 1, 2, 5, 2, 72, 8, 2, 10, 2, 12, 2, 75, 9, 2, 1, 2, 1, 2, 1, 2, 1, 2, 3, 2, 81, 8, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 5, 2, 93, 8, 2, 10, 2, 12, 2, 96, 9, 2, 1, 3, 3, 3, 99, 8, 3, 1, 3, 1, 3, 1, 3, 3, 3, 104, 8, 3, 1, 3, 0, 2, 2, 4, 4, 0, 2, 4, 6, 0, 0, 116, 0, 8, 1, 0, 0, 0, 2, 39, 1, 0, 0, 0, 4, 80, 1, 0, 0, 0, 6, 98, 1, 0, 0, 0, 8, 9, 3, 2, 1, 0, 9, 1, 1, 0, 0, 0, 10, 11, 6, 1, -1, 0, 11, 12, 3, 6, 3, 0, 12, 13, 5, 20, 0, 0, 13, 14, 5, 12, 0, 0, 14, 40, 1, 0, 0, 0, 15, 16, 3, 6, 3, 0, 16, 17, 5, 20, 0, 0, 17, 18, 5, 6, 0, 0, 18, 19, 5, 20, 0, 0, 19, 20, 5, 24, 0, 0, 20, 40, 1, 0, 0, 0, 21, 23, 5, 17, 0, 0, 22, 21, 1, 0, 0, 0, 22, 23, 1, 0, 0, 0, 23, 27, 1, 0, 0, 0, 24, 26, 5, 20, 0, 0, 25, 24, 1, 0, 0, 0, 26, 29, 1, 0, 0, 0, 27, 25, 1, 0, 0, 0, 27, 28, 1, 0, 0, 0, 28, 30, 1, 0, 0, 0, 29, 27, 1, 0, 0, 0, 30, 31, 5, 1, 0, 0, 31, 32, 3, 2, 1, 0, 32, 33, 5, 2, 0, 0, 33, 40, 1, 0, 0, 0, 34, 35, 3, 6, 3, 0, 35, 36, 5, 3, 0, 0, 36, 37, 3, 4, 2, 0, 37, 38, 5, 4, 0, 0, 38, 40, 1, 0, 0, 0, 39, 10, 1, 0, 0, 0, 39, 15, 1, 0, 0, 0, 39, 22, 1, 0, 0, 0, 39, 34, 1, 0, 0, 0, 40, 53, 1, 0, 0, 0, 41, 42, 10, 2, 0, 0, 42, 43, 5, 20, 0, 0, 43, 44, 5, 18, 0, 0, 44, 45, 5, 20, 0, 0, 45, 52, 3, 2, 1, 3, 46, 47, 10, 1, 0, 0, 47, 48, 5, 20, 0, 0, 48, 49, 5, 19, 0, 0, 49, 50, 5, 20, 0, 0, 50, 52, 3, 2, 1, 2, 51, 41, 1, 0, 0, 0, 51, 46, 1, 0, 0, 0, 52, 55, 1, 0, 0, 0, 53, 51, 1, 0, 0, 0, 53, 54, 1, 0, 0, 0, 54, 3, 1, 0, 0, 0, 55, 53, 1, 0, 0, 0, 56, 57, 6, 2, -1, 0, 57, 58, 3, 6, 3, 0, 58, 59, 5, 20, 0, 0, 59, 60, 5, 12, 0, 0, 60, 81, 1, 0, 0, 0, 61, 62, 3, 6, 3, 0, 62, 63, 5, 20, 0, 0, 63, 64, 5, 6, 0, 0, 64, 65, 5, 20, 0, 0, 65, 66, 5, 24, 0, 0, 66, 81, 1, 0, 0, 0, 67, 69, 5, 17, 0, 0, 68, 67, 1, 0, 0, 0, 68, 69, 1, 0, 0, 0, 69, 73, 1, 0, 0, 0, 70, 72, 5, 20, 0, 0, 71, 70, 1, 0, 0, 0, 72, 75, 1, 0, 0, 0, 73, 71, 1, 0, 0, 0, 73, 74, 1, 0, 0, 0, 74, 76, 1, 0, 0, 0, 75, 73, 1, 0, 0, 0, 76, 77, 5, 1, 0, 0, 77, 78, 3, 4, 2, 0, 78, 79, 5, 2, 0, 0, 79, 81, 1, 0, 0, 0, 80, 56, 1, 0, 0, 0, 80, 61, 1, 0, 0, 0, 80, 68, 1, 0, 0, 0, 81, 94, 1, 0, 0, 0, 82, 83, 10, 2, 0, 0, 83, 84, 5, 20, 0, 0, 84, 85, 5, 18, 0, 0, 85, 86, 5, 20, 0, 0, 86, 93, 3, 4, 2, 3, 87, 88, 10, 1, 0, 0, 88, 89, 5, 20, 0, 0, 89, 90, 5, 19, 0, 0, 90, 91, 5, 20, 0, 0, 91, 93, 3, 4, 2, 2, 92, 82, 1, 0, 0, 0, 92, 87, 1, 0, 0, 0, 93, 96, 1, 0, 0, 0, 94, 92, 1, 0, 0, 0, 94, 95, 1, 0, 0, 0, 95, 5, 1, 0, 0, 0, 96, 94, 1, 0, 0, 0, 97, 99, 5, 21, 0, 0, 98, 97, 1, 0, 0, 0, 98, 99, 1, 0, 0, 0, 99, 100, 1, 0, 0, 0, 100, 103, 5, 22, 0, 0, 101, 102, 5, 5, 0, 0, 102, 104, 5, 22, 0, 0, 103, 101, 1, 0, 0, 0, 103, 104, 1, 0, 0, 0, 104, 7, 1, 0, 0, 0, 12, 22, 27, 39, 51, 53, 68, 73, 80, 92, 94, 98, 103]
|
|
@ -0,0 +1,32 @@
|
||||||
|
T__0=1
|
||||||
|
T__1=2
|
||||||
|
T__2=3
|
||||||
|
T__3=4
|
||||||
|
T__4=5
|
||||||
|
COMPAREOPERATOR=6
|
||||||
|
EQ=7
|
||||||
|
NE=8
|
||||||
|
CO=9
|
||||||
|
SW=10
|
||||||
|
EW=11
|
||||||
|
PR=12
|
||||||
|
GT=13
|
||||||
|
GE=14
|
||||||
|
LT=15
|
||||||
|
LE=16
|
||||||
|
NOT=17
|
||||||
|
AND=18
|
||||||
|
OR=19
|
||||||
|
SP=20
|
||||||
|
SCHEMA=21
|
||||||
|
ATTRNAME=22
|
||||||
|
ESCAPED_QUOTE=23
|
||||||
|
VALUE=24
|
||||||
|
EXCLUDE=25
|
||||||
|
'('=1
|
||||||
|
')'=2
|
||||||
|
'['=3
|
||||||
|
']'=4
|
||||||
|
'.'=5
|
||||||
|
' '=20
|
||||||
|
'\\"'=23
|
File diff suppressed because one or more lines are too long
File diff suppressed because it is too large
Load Diff
|
@ -0,0 +1,32 @@
|
||||||
|
T__0=1
|
||||||
|
T__1=2
|
||||||
|
T__2=3
|
||||||
|
T__3=4
|
||||||
|
T__4=5
|
||||||
|
COMPAREOPERATOR=6
|
||||||
|
EQ=7
|
||||||
|
NE=8
|
||||||
|
CO=9
|
||||||
|
SW=10
|
||||||
|
EW=11
|
||||||
|
PR=12
|
||||||
|
GT=13
|
||||||
|
GE=14
|
||||||
|
LT=15
|
||||||
|
LE=16
|
||||||
|
NOT=17
|
||||||
|
AND=18
|
||||||
|
OR=19
|
||||||
|
SP=20
|
||||||
|
SCHEMA=21
|
||||||
|
ATTRNAME=22
|
||||||
|
ESCAPED_QUOTE=23
|
||||||
|
VALUE=24
|
||||||
|
EXCLUDE=25
|
||||||
|
'('=1
|
||||||
|
')'=2
|
||||||
|
'['=3
|
||||||
|
']'=4
|
||||||
|
'.'=5
|
||||||
|
' '=20
|
||||||
|
'\\"'=23
|
|
@ -0,0 +1,118 @@
|
||||||
|
# pylint: skip-file
|
||||||
|
# Generated from ScimFilter.g4 by ANTLR 4.10.1
|
||||||
|
from antlr4 import *
|
||||||
|
|
||||||
|
if __name__ is not None and "." in __name__:
|
||||||
|
from .ScimFilterParser import ScimFilterParser
|
||||||
|
else:
|
||||||
|
from ScimFilterParser import ScimFilterParser
|
||||||
|
|
||||||
|
# This class defines a complete listener for a parse tree produced by ScimFilterParser.
|
||||||
|
class ScimFilterListener(ParseTreeListener):
|
||||||
|
|
||||||
|
# Enter a parse tree produced by ScimFilterParser#parse.
|
||||||
|
def enterParse(self, ctx: ScimFilterParser.ParseContext):
|
||||||
|
pass
|
||||||
|
|
||||||
|
# Exit a parse tree produced by ScimFilterParser#parse.
|
||||||
|
def exitParse(self, ctx: ScimFilterParser.ParseContext):
|
||||||
|
pass
|
||||||
|
|
||||||
|
# Enter a parse tree produced by ScimFilterParser#andExp.
|
||||||
|
def enterAndExp(self, ctx: ScimFilterParser.AndExpContext):
|
||||||
|
pass
|
||||||
|
|
||||||
|
# Exit a parse tree produced by ScimFilterParser#andExp.
|
||||||
|
def exitAndExp(self, ctx: ScimFilterParser.AndExpContext):
|
||||||
|
pass
|
||||||
|
|
||||||
|
# Enter a parse tree produced by ScimFilterParser#valPathExp.
|
||||||
|
def enterValPathExp(self, ctx: ScimFilterParser.ValPathExpContext):
|
||||||
|
pass
|
||||||
|
|
||||||
|
# Exit a parse tree produced by ScimFilterParser#valPathExp.
|
||||||
|
def exitValPathExp(self, ctx: ScimFilterParser.ValPathExpContext):
|
||||||
|
pass
|
||||||
|
|
||||||
|
# Enter a parse tree produced by ScimFilterParser#presentExp.
|
||||||
|
def enterPresentExp(self, ctx: ScimFilterParser.PresentExpContext):
|
||||||
|
pass
|
||||||
|
|
||||||
|
# Exit a parse tree produced by ScimFilterParser#presentExp.
|
||||||
|
def exitPresentExp(self, ctx: ScimFilterParser.PresentExpContext):
|
||||||
|
pass
|
||||||
|
|
||||||
|
# Enter a parse tree produced by ScimFilterParser#operatorExp.
|
||||||
|
def enterOperatorExp(self, ctx: ScimFilterParser.OperatorExpContext):
|
||||||
|
pass
|
||||||
|
|
||||||
|
# Exit a parse tree produced by ScimFilterParser#operatorExp.
|
||||||
|
def exitOperatorExp(self, ctx: ScimFilterParser.OperatorExpContext):
|
||||||
|
pass
|
||||||
|
|
||||||
|
# Enter a parse tree produced by ScimFilterParser#braceExp.
|
||||||
|
def enterBraceExp(self, ctx: ScimFilterParser.BraceExpContext):
|
||||||
|
pass
|
||||||
|
|
||||||
|
# Exit a parse tree produced by ScimFilterParser#braceExp.
|
||||||
|
def exitBraceExp(self, ctx: ScimFilterParser.BraceExpContext):
|
||||||
|
pass
|
||||||
|
|
||||||
|
# Enter a parse tree produced by ScimFilterParser#orExp.
|
||||||
|
def enterOrExp(self, ctx: ScimFilterParser.OrExpContext):
|
||||||
|
pass
|
||||||
|
|
||||||
|
# Exit a parse tree produced by ScimFilterParser#orExp.
|
||||||
|
def exitOrExp(self, ctx: ScimFilterParser.OrExpContext):
|
||||||
|
pass
|
||||||
|
|
||||||
|
# Enter a parse tree produced by ScimFilterParser#valPathOperatorExp.
|
||||||
|
def enterValPathOperatorExp(self, ctx: ScimFilterParser.ValPathOperatorExpContext):
|
||||||
|
pass
|
||||||
|
|
||||||
|
# Exit a parse tree produced by ScimFilterParser#valPathOperatorExp.
|
||||||
|
def exitValPathOperatorExp(self, ctx: ScimFilterParser.ValPathOperatorExpContext):
|
||||||
|
pass
|
||||||
|
|
||||||
|
# Enter a parse tree produced by ScimFilterParser#valPathPresentExp.
|
||||||
|
def enterValPathPresentExp(self, ctx: ScimFilterParser.ValPathPresentExpContext):
|
||||||
|
pass
|
||||||
|
|
||||||
|
# Exit a parse tree produced by ScimFilterParser#valPathPresentExp.
|
||||||
|
def exitValPathPresentExp(self, ctx: ScimFilterParser.ValPathPresentExpContext):
|
||||||
|
pass
|
||||||
|
|
||||||
|
# Enter a parse tree produced by ScimFilterParser#valPathAndExp.
|
||||||
|
def enterValPathAndExp(self, ctx: ScimFilterParser.ValPathAndExpContext):
|
||||||
|
pass
|
||||||
|
|
||||||
|
# Exit a parse tree produced by ScimFilterParser#valPathAndExp.
|
||||||
|
def exitValPathAndExp(self, ctx: ScimFilterParser.ValPathAndExpContext):
|
||||||
|
pass
|
||||||
|
|
||||||
|
# Enter a parse tree produced by ScimFilterParser#valPathOrExp.
|
||||||
|
def enterValPathOrExp(self, ctx: ScimFilterParser.ValPathOrExpContext):
|
||||||
|
pass
|
||||||
|
|
||||||
|
# Exit a parse tree produced by ScimFilterParser#valPathOrExp.
|
||||||
|
def exitValPathOrExp(self, ctx: ScimFilterParser.ValPathOrExpContext):
|
||||||
|
pass
|
||||||
|
|
||||||
|
# Enter a parse tree produced by ScimFilterParser#valPathBraceExp.
|
||||||
|
def enterValPathBraceExp(self, ctx: ScimFilterParser.ValPathBraceExpContext):
|
||||||
|
pass
|
||||||
|
|
||||||
|
# Exit a parse tree produced by ScimFilterParser#valPathBraceExp.
|
||||||
|
def exitValPathBraceExp(self, ctx: ScimFilterParser.ValPathBraceExpContext):
|
||||||
|
pass
|
||||||
|
|
||||||
|
# Enter a parse tree produced by ScimFilterParser#attrPath.
|
||||||
|
def enterAttrPath(self, ctx: ScimFilterParser.AttrPathContext):
|
||||||
|
pass
|
||||||
|
|
||||||
|
# Exit a parse tree produced by ScimFilterParser#attrPath.
|
||||||
|
def exitAttrPath(self, ctx: ScimFilterParser.AttrPathContext):
|
||||||
|
pass
|
||||||
|
|
||||||
|
|
||||||
|
del ScimFilterParser
|
File diff suppressed because it is too large
Load Diff
|
@ -0,0 +1,101 @@
|
||||||
|
"""Django listener"""
|
||||||
|
from django.db.models import Q
|
||||||
|
from django.utils.tree import Node
|
||||||
|
|
||||||
|
from authentik.sources.scim.filters.ScimFilterListener import ScimFilterListener
|
||||||
|
from authentik.sources.scim.filters.ScimFilterParser import ScimFilterParser
|
||||||
|
|
||||||
|
|
||||||
|
class DjangoQueryListener(ScimFilterListener):
|
||||||
|
"""SCIM filter listener that converts it to a query"""
|
||||||
|
|
||||||
|
_query: Node
|
||||||
|
_last_node: Node
|
||||||
|
|
||||||
|
def __init__(self) -> None:
|
||||||
|
super().__init__()
|
||||||
|
self._query = Q()
|
||||||
|
self._last_node = Q()
|
||||||
|
|
||||||
|
@property
|
||||||
|
def query(self) -> Node:
|
||||||
|
return self._query
|
||||||
|
|
||||||
|
def enterParse(self, ctx: ScimFilterParser.ParseContext):
|
||||||
|
print("enterParse", ctx)
|
||||||
|
|
||||||
|
def exitParse(self, ctx: ScimFilterParser.ParseContext):
|
||||||
|
print("exitParse", ctx)
|
||||||
|
|
||||||
|
def enterAndExp(self, ctx: ScimFilterParser.AndExpContext):
|
||||||
|
print("enterAndExp", ctx)
|
||||||
|
|
||||||
|
def exitAndExp(self, ctx: ScimFilterParser.AndExpContext):
|
||||||
|
print("exitAndExp", ctx)
|
||||||
|
|
||||||
|
def enterValPathExp(self, ctx: ScimFilterParser.ValPathExpContext):
|
||||||
|
print("enterValPathExp", ctx.getText())
|
||||||
|
|
||||||
|
def exitValPathExp(self, ctx: ScimFilterParser.ValPathExpContext):
|
||||||
|
print("exitValPathExp", ctx)
|
||||||
|
|
||||||
|
def enterPresentExp(self, ctx: ScimFilterParser.PresentExpContext):
|
||||||
|
print("enterPresentExp", ctx)
|
||||||
|
|
||||||
|
def exitPresentExp(self, ctx: ScimFilterParser.PresentExpContext):
|
||||||
|
print("exitPresentExp", ctx)
|
||||||
|
|
||||||
|
def enterOperatorExp(self, ctx: ScimFilterParser.OperatorExpContext):
|
||||||
|
print("enterOperatorExp", ctx)
|
||||||
|
|
||||||
|
def exitOperatorExp(self, ctx: ScimFilterParser.OperatorExpContext):
|
||||||
|
print("exitOperatorExp", ctx)
|
||||||
|
|
||||||
|
def enterBraceExp(self, ctx: ScimFilterParser.BraceExpContext):
|
||||||
|
print("enterBraceExp", ctx)
|
||||||
|
|
||||||
|
def exitBraceExp(self, ctx: ScimFilterParser.BraceExpContext):
|
||||||
|
print("exitBraceExp", ctx)
|
||||||
|
|
||||||
|
def enterOrExp(self, ctx: ScimFilterParser.OrExpContext):
|
||||||
|
print("enterOrExp", ctx)
|
||||||
|
|
||||||
|
def exitOrExp(self, ctx: ScimFilterParser.OrExpContext):
|
||||||
|
print("exitOrExp", ctx)
|
||||||
|
|
||||||
|
def enterValPathOperatorExp(self, ctx: ScimFilterParser.ValPathOperatorExpContext):
|
||||||
|
print("enterValPathOperatorExp", ctx)
|
||||||
|
|
||||||
|
def exitValPathOperatorExp(self, ctx: ScimFilterParser.ValPathOperatorExpContext):
|
||||||
|
print("exitValPathOperatorExp", ctx)
|
||||||
|
|
||||||
|
def enterValPathPresentExp(self, ctx: ScimFilterParser.ValPathPresentExpContext):
|
||||||
|
print("enterValPathPresentExp", ctx)
|
||||||
|
|
||||||
|
def exitValPathPresentExp(self, ctx: ScimFilterParser.ValPathPresentExpContext):
|
||||||
|
print("exitValPathPresentExp", ctx)
|
||||||
|
|
||||||
|
def enterValPathAndExp(self, ctx: ScimFilterParser.ValPathAndExpContext):
|
||||||
|
print("enterValPathAndExp", ctx.getText())
|
||||||
|
|
||||||
|
def exitValPathAndExp(self, ctx: ScimFilterParser.ValPathAndExpContext):
|
||||||
|
print("exitValPathAndExp", ctx)
|
||||||
|
|
||||||
|
def enterValPathOrExp(self, ctx: ScimFilterParser.ValPathOrExpContext):
|
||||||
|
print("enterValPathOrExp", ctx)
|
||||||
|
|
||||||
|
def exitValPathOrExp(self, ctx: ScimFilterParser.ValPathOrExpContext):
|
||||||
|
print("exitValPathOrExp", ctx)
|
||||||
|
|
||||||
|
def enterValPathBraceExp(self, ctx: ScimFilterParser.ValPathBraceExpContext):
|
||||||
|
print("enterValPathBraceExp", ctx)
|
||||||
|
|
||||||
|
def exitValPathBraceExp(self, ctx: ScimFilterParser.ValPathBraceExpContext):
|
||||||
|
print("exitValPathBraceExp", ctx)
|
||||||
|
|
||||||
|
def enterAttrPath(self, ctx: ScimFilterParser.AttrPathContext):
|
||||||
|
self._last_node = Q(ctx.getText())
|
||||||
|
|
||||||
|
def exitAttrPath(self, ctx: ScimFilterParser.AttrPathContext):
|
||||||
|
self._query = self._last_node
|
||||||
|
self._last_node = Q()
|
|
@ -0,0 +1,46 @@
|
||||||
|
# Generated by Django 4.0.5 on 2022-06-06 21:37
|
||||||
|
|
||||||
|
import django.db.models.deletion
|
||||||
|
from django.db import migrations, models
|
||||||
|
|
||||||
|
|
||||||
|
class Migration(migrations.Migration):
|
||||||
|
|
||||||
|
initial = True
|
||||||
|
|
||||||
|
dependencies = [
|
||||||
|
("authentik_core", "0020_application_open_in_new_tab"),
|
||||||
|
]
|
||||||
|
|
||||||
|
operations = [
|
||||||
|
migrations.CreateModel(
|
||||||
|
name="SCIMSource",
|
||||||
|
fields=[
|
||||||
|
(
|
||||||
|
"source_ptr",
|
||||||
|
models.OneToOneField(
|
||||||
|
auto_created=True,
|
||||||
|
on_delete=django.db.models.deletion.CASCADE,
|
||||||
|
parent_link=True,
|
||||||
|
primary_key=True,
|
||||||
|
serialize=False,
|
||||||
|
to="authentik_core.source",
|
||||||
|
),
|
||||||
|
),
|
||||||
|
(
|
||||||
|
"token",
|
||||||
|
models.ForeignKey(
|
||||||
|
default=None,
|
||||||
|
null=True,
|
||||||
|
on_delete=django.db.models.deletion.CASCADE,
|
||||||
|
to="authentik_core.token",
|
||||||
|
),
|
||||||
|
),
|
||||||
|
],
|
||||||
|
options={
|
||||||
|
"verbose_name": "SCIM Source",
|
||||||
|
"verbose_name_plural": "SCIM Sources",
|
||||||
|
},
|
||||||
|
bases=("authentik_core.source",),
|
||||||
|
),
|
||||||
|
]
|
|
@ -0,0 +1,36 @@
|
||||||
|
"""SCIM Source"""
|
||||||
|
from django.db import models
|
||||||
|
from django.utils.translation import gettext_lazy as _
|
||||||
|
from rest_framework.serializers import BaseSerializer
|
||||||
|
|
||||||
|
from authentik.core.models import Source, Token
|
||||||
|
|
||||||
|
USER_ATTRIBUTE_SCIM_ID = "goauthentik.io/sources/scim/id"
|
||||||
|
USER_ATTRIBUTE_SCIM_ADDRESS = "goauthentik.io/sources/scim/address"
|
||||||
|
USER_ATTRIBUTE_SCIM_ENTERPRISE = "goauthentik.io/sources/scim/enterprise"
|
||||||
|
|
||||||
|
|
||||||
|
class SCIMSource(Source):
|
||||||
|
"""System for Cross-domain Identity Management Source, allows for
|
||||||
|
cross-system user provisioning"""
|
||||||
|
|
||||||
|
token = models.ForeignKey(Token, on_delete=models.CASCADE, null=True, default=None)
|
||||||
|
|
||||||
|
@property
|
||||||
|
def component(self) -> str:
|
||||||
|
"""Return component used to edit this object"""
|
||||||
|
return "ak-source-scim-form"
|
||||||
|
|
||||||
|
@property
|
||||||
|
def serializer(self) -> BaseSerializer:
|
||||||
|
from authentik.sources.scim.api import SCIMSourceSerializer
|
||||||
|
|
||||||
|
return SCIMSourceSerializer
|
||||||
|
|
||||||
|
def __str__(self) -> str:
|
||||||
|
return f"SCIM Source {self.name}"
|
||||||
|
|
||||||
|
class Meta:
|
||||||
|
|
||||||
|
verbose_name = _("SCIM Source")
|
||||||
|
verbose_name_plural = _("SCIM Sources")
|
File diff suppressed because it is too large
Load Diff
|
@ -0,0 +1,86 @@
|
||||||
|
"""Test SCIM Auth"""
|
||||||
|
from django.urls import reverse
|
||||||
|
from rest_framework.test import APITestCase
|
||||||
|
|
||||||
|
from authentik.core.models import Token, TokenIntents
|
||||||
|
from authentik.core.tests.utils import create_test_admin_user
|
||||||
|
from authentik.lib.generators import generate_id
|
||||||
|
from authentik.sources.scim.models import SCIMSource
|
||||||
|
|
||||||
|
|
||||||
|
class TestSCIMAuth(APITestCase):
|
||||||
|
"""Test SCIM Auth view"""
|
||||||
|
|
||||||
|
def setUp(self) -> None:
|
||||||
|
self.user = create_test_admin_user()
|
||||||
|
self.token = Token.objects.create(
|
||||||
|
user=self.user,
|
||||||
|
identifier=generate_id(),
|
||||||
|
intent=TokenIntents.INTENT_API,
|
||||||
|
)
|
||||||
|
self.token2 = Token.objects.create(
|
||||||
|
user=self.user,
|
||||||
|
identifier=generate_id(),
|
||||||
|
intent=TokenIntents.INTENT_API,
|
||||||
|
)
|
||||||
|
self.token3 = Token.objects.create(
|
||||||
|
user=self.user,
|
||||||
|
identifier=generate_id(),
|
||||||
|
intent=TokenIntents.INTENT_API,
|
||||||
|
)
|
||||||
|
self.source = SCIMSource.objects.create(
|
||||||
|
name=generate_id(), slug=generate_id(), token=self.token
|
||||||
|
)
|
||||||
|
self.source2 = SCIMSource.objects.create(
|
||||||
|
name=generate_id(), slug=generate_id(), token=self.token2
|
||||||
|
)
|
||||||
|
|
||||||
|
def test_auth_ok(self):
|
||||||
|
"""Test successful auth"""
|
||||||
|
response = self.client.get(
|
||||||
|
reverse(
|
||||||
|
"authentik_sources_scim:v2-schema",
|
||||||
|
kwargs={
|
||||||
|
"source_slug": self.source.slug,
|
||||||
|
},
|
||||||
|
),
|
||||||
|
HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
|
||||||
|
)
|
||||||
|
self.assertEqual(response.status_code, 200)
|
||||||
|
|
||||||
|
def test_auth_missing(self):
|
||||||
|
"""Test without header"""
|
||||||
|
response = self.client.get(
|
||||||
|
reverse(
|
||||||
|
"authentik_sources_scim:v2-schema",
|
||||||
|
kwargs={
|
||||||
|
"source_slug": self.source.slug,
|
||||||
|
},
|
||||||
|
),
|
||||||
|
)
|
||||||
|
self.assertEqual(response.status_code, 403)
|
||||||
|
|
||||||
|
def test_auth_wrong_token(self):
|
||||||
|
"""Test with wrong token"""
|
||||||
|
# Token for wrong source
|
||||||
|
response = self.client.get(
|
||||||
|
reverse(
|
||||||
|
"authentik_sources_scim:v2-schema",
|
||||||
|
kwargs={
|
||||||
|
"source_slug": self.source.slug,
|
||||||
|
},
|
||||||
|
),
|
||||||
|
HTTP_AUTHORIZATION=f"Bearer {self.token2.key}",
|
||||||
|
)
|
||||||
|
self.assertEqual(response.status_code, 403)
|
||||||
|
# Token for no source
|
||||||
|
response = self.client.get(
|
||||||
|
reverse(
|
||||||
|
"authentik_sources_scim:v2-schema",
|
||||||
|
kwargs={
|
||||||
|
"source_slug": self.source.slug,
|
||||||
|
},
|
||||||
|
),
|
||||||
|
HTTP_AUTHORIZATION=f"Bearer {self.token3.key}",
|
||||||
|
)
|
||||||
|
self.assertEqual(response.status_code, 403)
|
|
@ -0,0 +1,64 @@
|
||||||
|
"""Test SCIM ResourceTypes"""
|
||||||
|
from django.urls import reverse
|
||||||
|
from rest_framework.test import APITestCase
|
||||||
|
|
||||||
|
from authentik.core.models import Token, TokenIntents
|
||||||
|
from authentik.core.tests.utils import create_test_admin_user
|
||||||
|
from authentik.lib.generators import generate_id
|
||||||
|
from authentik.sources.scim.models import SCIMSource
|
||||||
|
|
||||||
|
|
||||||
|
class TestSCIMResourceTypes(APITestCase):
|
||||||
|
"""Test SCIM ResourceTypes view"""
|
||||||
|
|
||||||
|
def setUp(self) -> None:
|
||||||
|
self.user = create_test_admin_user()
|
||||||
|
self.token = Token.objects.create(
|
||||||
|
user=self.user,
|
||||||
|
identifier=generate_id(),
|
||||||
|
intent=TokenIntents.INTENT_API,
|
||||||
|
)
|
||||||
|
self.source = SCIMSource.objects.create(
|
||||||
|
name=generate_id(), slug=generate_id(), token=self.token
|
||||||
|
)
|
||||||
|
|
||||||
|
def test_resource_type(self):
|
||||||
|
"""Test full resource type view"""
|
||||||
|
response = self.client.get(
|
||||||
|
reverse(
|
||||||
|
"authentik_sources_scim:v2-resource-types",
|
||||||
|
kwargs={
|
||||||
|
"source_slug": self.source.slug,
|
||||||
|
},
|
||||||
|
),
|
||||||
|
HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
|
||||||
|
)
|
||||||
|
self.assertEqual(response.status_code, 200)
|
||||||
|
|
||||||
|
def test_resource_type_single(self):
|
||||||
|
"""Test single resource type"""
|
||||||
|
response = self.client.get(
|
||||||
|
reverse(
|
||||||
|
"authentik_sources_scim:v2-resource-types",
|
||||||
|
kwargs={
|
||||||
|
"source_slug": self.source.slug,
|
||||||
|
"resource_type": "ServiceProviderConfig",
|
||||||
|
},
|
||||||
|
),
|
||||||
|
HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
|
||||||
|
)
|
||||||
|
self.assertEqual(response.status_code, 200)
|
||||||
|
|
||||||
|
def test_resource_type_single_404(self):
|
||||||
|
"""Test single resource type (404"""
|
||||||
|
response = self.client.get(
|
||||||
|
reverse(
|
||||||
|
"authentik_sources_scim:v2-resource-types",
|
||||||
|
kwargs={
|
||||||
|
"source_slug": self.source.slug,
|
||||||
|
"resource_type": "foo",
|
||||||
|
},
|
||||||
|
),
|
||||||
|
HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
|
||||||
|
)
|
||||||
|
self.assertEqual(response.status_code, 404)
|
|
@ -0,0 +1,64 @@
|
||||||
|
"""Test SCIM Schema"""
|
||||||
|
from django.urls import reverse
|
||||||
|
from rest_framework.test import APITestCase
|
||||||
|
|
||||||
|
from authentik.core.models import Token, TokenIntents
|
||||||
|
from authentik.core.tests.utils import create_test_admin_user
|
||||||
|
from authentik.lib.generators import generate_id
|
||||||
|
from authentik.sources.scim.models import SCIMSource
|
||||||
|
|
||||||
|
|
||||||
|
class TestSCIMSchemas(APITestCase):
|
||||||
|
"""Test SCIM Schema view"""
|
||||||
|
|
||||||
|
def setUp(self) -> None:
|
||||||
|
self.user = create_test_admin_user()
|
||||||
|
self.token = Token.objects.create(
|
||||||
|
user=self.user,
|
||||||
|
identifier=generate_id(),
|
||||||
|
intent=TokenIntents.INTENT_API,
|
||||||
|
)
|
||||||
|
self.source = SCIMSource.objects.create(
|
||||||
|
name=generate_id(), slug=generate_id(), token=self.token
|
||||||
|
)
|
||||||
|
|
||||||
|
def test_schema(self):
|
||||||
|
"""Test full schema view"""
|
||||||
|
response = self.client.get(
|
||||||
|
reverse(
|
||||||
|
"authentik_sources_scim:v2-schema",
|
||||||
|
kwargs={
|
||||||
|
"source_slug": self.source.slug,
|
||||||
|
},
|
||||||
|
),
|
||||||
|
HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
|
||||||
|
)
|
||||||
|
self.assertEqual(response.status_code, 200)
|
||||||
|
|
||||||
|
def test_schema_single(self):
|
||||||
|
"""Test single schema"""
|
||||||
|
response = self.client.get(
|
||||||
|
reverse(
|
||||||
|
"authentik_sources_scim:v2-schema",
|
||||||
|
kwargs={
|
||||||
|
"source_slug": self.source.slug,
|
||||||
|
"schema_uri": "urn:ietf:params:scim:schemas:core:2.0:Meta",
|
||||||
|
},
|
||||||
|
),
|
||||||
|
HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
|
||||||
|
)
|
||||||
|
self.assertEqual(response.status_code, 200)
|
||||||
|
|
||||||
|
def test_schema_single_404(self):
|
||||||
|
"""Test single schema (404"""
|
||||||
|
response = self.client.get(
|
||||||
|
reverse(
|
||||||
|
"authentik_sources_scim:v2-schema",
|
||||||
|
kwargs={
|
||||||
|
"source_slug": self.source.slug,
|
||||||
|
"schema_uri": "foo",
|
||||||
|
},
|
||||||
|
),
|
||||||
|
HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
|
||||||
|
)
|
||||||
|
self.assertEqual(response.status_code, 404)
|
|
@ -0,0 +1,36 @@
|
||||||
|
"""Test SCIM ServiceProviderConfig"""
|
||||||
|
from django.urls import reverse
|
||||||
|
from rest_framework.test import APITestCase
|
||||||
|
|
||||||
|
from authentik.core.models import Token, TokenIntents
|
||||||
|
from authentik.core.tests.utils import create_test_admin_user
|
||||||
|
from authentik.lib.generators import generate_id
|
||||||
|
from authentik.sources.scim.models import SCIMSource
|
||||||
|
|
||||||
|
|
||||||
|
class TestSCIMServiceProviderConfig(APITestCase):
|
||||||
|
"""Test SCIM ServiceProviderConfig view"""
|
||||||
|
|
||||||
|
def setUp(self) -> None:
|
||||||
|
self.user = create_test_admin_user()
|
||||||
|
self.token = Token.objects.create(
|
||||||
|
user=self.user,
|
||||||
|
identifier=generate_id(),
|
||||||
|
intent=TokenIntents.INTENT_API,
|
||||||
|
)
|
||||||
|
self.source = SCIMSource.objects.create(
|
||||||
|
name=generate_id(), slug=generate_id(), token=self.token
|
||||||
|
)
|
||||||
|
|
||||||
|
def test_config(self):
|
||||||
|
"""Test full config view"""
|
||||||
|
response = self.client.get(
|
||||||
|
reverse(
|
||||||
|
"authentik_sources_scim:v2-service-provider-config",
|
||||||
|
kwargs={
|
||||||
|
"source_slug": self.source.slug,
|
||||||
|
},
|
||||||
|
),
|
||||||
|
HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
|
||||||
|
)
|
||||||
|
self.assertEqual(response.status_code, 200)
|
|
@ -0,0 +1,83 @@
|
||||||
|
"""Test SCIM User"""
|
||||||
|
from json import dumps
|
||||||
|
|
||||||
|
from django.urls import reverse
|
||||||
|
from rest_framework.test import APITestCase
|
||||||
|
|
||||||
|
from authentik.core.models import Token, TokenIntents, User
|
||||||
|
from authentik.core.tests.utils import create_test_admin_user
|
||||||
|
from authentik.lib.generators import generate_id
|
||||||
|
from authentik.sources.scim.models import USER_ATTRIBUTE_SCIM_ID, SCIMSource
|
||||||
|
from authentik.sources.scim.views.v2.base import SCIM_CONTENT_TYPE
|
||||||
|
|
||||||
|
|
||||||
|
class TestSCIMUsers(APITestCase):
|
||||||
|
"""Test SCIM User view"""
|
||||||
|
|
||||||
|
def setUp(self) -> None:
|
||||||
|
self.user = create_test_admin_user()
|
||||||
|
self.token = Token.objects.create(
|
||||||
|
user=self.user,
|
||||||
|
identifier=generate_id(),
|
||||||
|
intent=TokenIntents.INTENT_API,
|
||||||
|
)
|
||||||
|
self.source = SCIMSource.objects.create(
|
||||||
|
name=generate_id(), slug=generate_id(), token=self.token
|
||||||
|
)
|
||||||
|
|
||||||
|
def test_user_list(self):
|
||||||
|
"""Test full user list"""
|
||||||
|
response = self.client.get(
|
||||||
|
reverse(
|
||||||
|
"authentik_sources_scim:v2-users",
|
||||||
|
kwargs={
|
||||||
|
"source_slug": self.source.slug,
|
||||||
|
},
|
||||||
|
),
|
||||||
|
HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
|
||||||
|
)
|
||||||
|
self.assertEqual(response.status_code, 200)
|
||||||
|
|
||||||
|
def test_user_list_single(self):
|
||||||
|
"""Test full user list (single user)"""
|
||||||
|
response = self.client.get(
|
||||||
|
reverse(
|
||||||
|
"authentik_sources_scim:v2-users",
|
||||||
|
kwargs={
|
||||||
|
"source_slug": self.source.slug,
|
||||||
|
"user_id": str(self.user.pk),
|
||||||
|
},
|
||||||
|
),
|
||||||
|
HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
|
||||||
|
)
|
||||||
|
self.assertEqual(response.status_code, 200)
|
||||||
|
|
||||||
|
def test_user_create(self):
|
||||||
|
"""Test user create"""
|
||||||
|
ext_id = generate_id()
|
||||||
|
response = self.client.post(
|
||||||
|
reverse(
|
||||||
|
"authentik_sources_scim:v2-users",
|
||||||
|
kwargs={
|
||||||
|
"source_slug": self.source.slug,
|
||||||
|
},
|
||||||
|
),
|
||||||
|
data=dumps(
|
||||||
|
{
|
||||||
|
"userName": generate_id(),
|
||||||
|
"externalId": ext_id,
|
||||||
|
"emails": [
|
||||||
|
{
|
||||||
|
"primary": True,
|
||||||
|
"value": self.user.email,
|
||||||
|
}
|
||||||
|
],
|
||||||
|
}
|
||||||
|
),
|
||||||
|
content_type=SCIM_CONTENT_TYPE,
|
||||||
|
HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
|
||||||
|
)
|
||||||
|
self.assertEqual(response.status_code, 201)
|
||||||
|
self.assertTrue(
|
||||||
|
User.objects.filter(**{f"attributes__{USER_ATTRIBUTE_SCIM_ID}": ext_id}).exists()
|
||||||
|
)
|
|
@ -0,0 +1,64 @@
|
||||||
|
"""SCIM URLs"""
|
||||||
|
from django.urls import path
|
||||||
|
|
||||||
|
from authentik.sources.scim.views.v2 import (
|
||||||
|
base,
|
||||||
|
groups,
|
||||||
|
resource_types,
|
||||||
|
schemas,
|
||||||
|
service_provider_config,
|
||||||
|
users,
|
||||||
|
)
|
||||||
|
|
||||||
|
urlpatterns = [
|
||||||
|
path(
|
||||||
|
"<slug:source_slug>/v2",
|
||||||
|
base.SCIMRootView.as_view(),
|
||||||
|
name="v2-root",
|
||||||
|
),
|
||||||
|
path(
|
||||||
|
"<slug:source_slug>/v2/Users",
|
||||||
|
users.UsersView.as_view(),
|
||||||
|
name="v2-users",
|
||||||
|
),
|
||||||
|
path(
|
||||||
|
"<slug:source_slug>/v2/Users/<str:user_id>",
|
||||||
|
users.UsersView.as_view(),
|
||||||
|
name="v2-users",
|
||||||
|
),
|
||||||
|
path(
|
||||||
|
"<slug:source_slug>/v2/Groups",
|
||||||
|
groups.GroupsView.as_view(),
|
||||||
|
name="v2-groups",
|
||||||
|
),
|
||||||
|
path(
|
||||||
|
"<slug:source_slug>/v2/Groups/<str:group_id>",
|
||||||
|
groups.GroupsView.as_view(),
|
||||||
|
name="v2-groups",
|
||||||
|
),
|
||||||
|
path(
|
||||||
|
"<slug:source_slug>/v2/Schemas",
|
||||||
|
schemas.SchemaView.as_view(),
|
||||||
|
name="v2-schema",
|
||||||
|
),
|
||||||
|
path(
|
||||||
|
"<slug:source_slug>/v2/Schemas/<str:schema_uri>",
|
||||||
|
schemas.SchemaView.as_view(),
|
||||||
|
name="v2-schema",
|
||||||
|
),
|
||||||
|
path(
|
||||||
|
"<slug:source_slug>/v2/ServiceProviderConfig",
|
||||||
|
service_provider_config.ServiceProviderConfigView.as_view(),
|
||||||
|
name="v2-service-provider-config",
|
||||||
|
),
|
||||||
|
path(
|
||||||
|
"<slug:source_slug>/v2/ResourceTypes",
|
||||||
|
resource_types.ResourceTypesView.as_view(),
|
||||||
|
name="v2-resource-types",
|
||||||
|
),
|
||||||
|
path(
|
||||||
|
"<slug:source_slug>/v2/ResourceTypes/<str:resource_type>",
|
||||||
|
resource_types.ResourceTypesView.as_view(),
|
||||||
|
name="v2-resource-types",
|
||||||
|
),
|
||||||
|
]
|
|
@ -0,0 +1,46 @@
|
||||||
|
"""SCIM Token auth"""
|
||||||
|
from base64 import b64decode
|
||||||
|
from typing import Any, Optional, Union
|
||||||
|
|
||||||
|
from django.conf import settings
|
||||||
|
from rest_framework.authentication import BaseAuthentication, get_authorization_header
|
||||||
|
from rest_framework.request import Request
|
||||||
|
|
||||||
|
from authentik.core.models import Token, TokenIntents, User
|
||||||
|
|
||||||
|
|
||||||
|
class SCIMTokenAuth(BaseAuthentication):
|
||||||
|
"""SCIM Token auth"""
|
||||||
|
|
||||||
|
def legacy(self, key: str, source_slug: str) -> Optional[Token]: # pragma: no cover
|
||||||
|
"""Legacy HTTP-Basic auth for testing"""
|
||||||
|
if not settings.TEST and not settings.DEBUG:
|
||||||
|
return None
|
||||||
|
_username, _, password = b64decode(key.encode()).decode().partition(":")
|
||||||
|
token = self.check_token(password, source_slug)
|
||||||
|
if token:
|
||||||
|
return (token.user, token)
|
||||||
|
return None
|
||||||
|
|
||||||
|
def check_token(self, key: str, source_slug: str) -> Optional[Token]:
|
||||||
|
"""Check that a token exists, is not expired, and is assigned to the correct source"""
|
||||||
|
token = Token.filter_not_expired(key=key, intent=TokenIntents.INTENT_API).first()
|
||||||
|
if not token:
|
||||||
|
return None
|
||||||
|
if not token.scimsource_set.exists():
|
||||||
|
return None
|
||||||
|
if token.scimsource_set.first().slug != source_slug:
|
||||||
|
return None
|
||||||
|
return token
|
||||||
|
|
||||||
|
def authenticate(self, request: Request) -> Union[tuple[User, Any], None]:
|
||||||
|
kwargs = request._request.resolver_match.kwargs
|
||||||
|
source_slug = kwargs.get("source_slug", None)
|
||||||
|
auth = get_authorization_header(request).decode()
|
||||||
|
auth_type, _, key = auth.partition(" ")
|
||||||
|
if auth_type != "Bearer":
|
||||||
|
return self.legacy(key, source_slug)
|
||||||
|
token = self.check_token(key, source_slug)
|
||||||
|
if not token:
|
||||||
|
return None
|
||||||
|
return (token.user, token)
|
|
@ -0,0 +1,81 @@
|
||||||
|
"""SCIM Utils"""
|
||||||
|
from typing import Optional
|
||||||
|
from urllib.parse import urlparse
|
||||||
|
|
||||||
|
from antlr4 import CommonTokenStream, InputStream, ParseTreeWalker
|
||||||
|
from django.urls import resolve
|
||||||
|
from rest_framework.parsers import JSONParser
|
||||||
|
from rest_framework.permissions import IsAuthenticated
|
||||||
|
from rest_framework.renderers import JSONRenderer
|
||||||
|
from rest_framework.request import Request
|
||||||
|
from rest_framework.response import Response
|
||||||
|
from rest_framework.views import APIView
|
||||||
|
|
||||||
|
from authentik.core.models import Group, User
|
||||||
|
from authentik.sources.scim.filters.django import DjangoQueryListener
|
||||||
|
from authentik.sources.scim.filters.ScimFilterLexer import ScimFilterLexer
|
||||||
|
from authentik.sources.scim.filters.ScimFilterParser import ScimFilterParser
|
||||||
|
from authentik.sources.scim.views.v2.auth import SCIMTokenAuth
|
||||||
|
|
||||||
|
SCIM_CONTENT_TYPE = "application/scim+json"
|
||||||
|
|
||||||
|
|
||||||
|
class SCIMParser(JSONParser):
|
||||||
|
"""SCIM clients use a custom content type"""
|
||||||
|
|
||||||
|
media_type = SCIM_CONTENT_TYPE
|
||||||
|
|
||||||
|
|
||||||
|
class SCIMRenderer(JSONRenderer):
|
||||||
|
"""SCIM clients also expect a custom content type"""
|
||||||
|
|
||||||
|
media_type = SCIM_CONTENT_TYPE
|
||||||
|
|
||||||
|
|
||||||
|
class SCIMView(APIView):
|
||||||
|
"""Base class for SCIM Views"""
|
||||||
|
|
||||||
|
authentication_classes = [SCIMTokenAuth]
|
||||||
|
permission_classes = [IsAuthenticated]
|
||||||
|
parser_classes = [SCIMParser]
|
||||||
|
renderer_classes = [SCIMRenderer]
|
||||||
|
|
||||||
|
def patch_resolve_value(self, raw_value: dict) -> Optional[User | Group]:
|
||||||
|
"""Attempt to resolve a raw `value` attribute of a patch operation into
|
||||||
|
a database model"""
|
||||||
|
model = User
|
||||||
|
query = {}
|
||||||
|
if "$ref" in raw_value:
|
||||||
|
url = urlparse(raw_value["$ref"])
|
||||||
|
if match := resolve(url.path):
|
||||||
|
if match.url_name == "v2-users":
|
||||||
|
model = User
|
||||||
|
query = {"pk": int(match.kwargs["user_id"])}
|
||||||
|
elif "type" in raw_value:
|
||||||
|
match raw_value["tyoe"]:
|
||||||
|
case "User":
|
||||||
|
model = User
|
||||||
|
query = {"pk": int(raw_value["value"])}
|
||||||
|
case "Group":
|
||||||
|
model = Group
|
||||||
|
else:
|
||||||
|
return None
|
||||||
|
return model.objects.filter(**query).first()
|
||||||
|
|
||||||
|
def patch_parse_path(self, path: str):
|
||||||
|
"""Parse the path of a Patch Operation"""
|
||||||
|
lexer = ScimFilterLexer(InputStream(path))
|
||||||
|
stream = CommonTokenStream(lexer)
|
||||||
|
parser = ScimFilterParser(stream)
|
||||||
|
tree = parser.filter_()
|
||||||
|
listener = DjangoQueryListener()
|
||||||
|
walker = ParseTreeWalker()
|
||||||
|
walker.walk(listener, tree)
|
||||||
|
return listener.query
|
||||||
|
|
||||||
|
|
||||||
|
class SCIMRootView(SCIMView):
|
||||||
|
"""Root SCIM View"""
|
||||||
|
|
||||||
|
def dispatch(self, request: Request, *args, **kwargs) -> Response:
|
||||||
|
return Response({"message": "Use this base-URL with an SCIM-compatible system."})
|
|
@ -0,0 +1,126 @@
|
||||||
|
"""SCIM Group Views"""
|
||||||
|
from typing import Optional
|
||||||
|
|
||||||
|
from django.core.paginator import Paginator
|
||||||
|
from django.db.transaction import atomic
|
||||||
|
from django.http import Http404, QueryDict
|
||||||
|
from django.urls import reverse
|
||||||
|
from rest_framework.request import Request
|
||||||
|
from rest_framework.response import Response
|
||||||
|
from structlog.stdlib import get_logger
|
||||||
|
|
||||||
|
from authentik.core.models import Group
|
||||||
|
from authentik.sources.scim.errors import PatchError
|
||||||
|
from authentik.sources.scim.views.v2.base import SCIM_CONTENT_TYPE, SCIMView
|
||||||
|
|
||||||
|
LOGGER = get_logger()
|
||||||
|
|
||||||
|
|
||||||
|
class GroupsView(SCIMView):
|
||||||
|
"""SCIM Group View"""
|
||||||
|
|
||||||
|
def group_to_scim(self, group: Group) -> dict:
|
||||||
|
"""Convert group to SCIM"""
|
||||||
|
return {
|
||||||
|
"id": str(group.pk),
|
||||||
|
"meta": {
|
||||||
|
"resourceType": "Group",
|
||||||
|
"location": self.request.build_absolute_uri(
|
||||||
|
reverse(
|
||||||
|
"authentik_sources_scim:v2-groups",
|
||||||
|
kwargs={
|
||||||
|
"source_slug": self.kwargs["source_slug"],
|
||||||
|
"group_id": str(group.pk),
|
||||||
|
},
|
||||||
|
)
|
||||||
|
),
|
||||||
|
},
|
||||||
|
"displayName": group.name,
|
||||||
|
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
|
||||||
|
}
|
||||||
|
|
||||||
|
def get(self, request: Request, group_id: Optional[str] = None, **kwargs) -> Response:
|
||||||
|
"""List Group handler"""
|
||||||
|
if group_id:
|
||||||
|
group = Group.objects.filter(pk=group_id).first()
|
||||||
|
if not group:
|
||||||
|
raise Http404
|
||||||
|
return Response(self.group_to_scim(group))
|
||||||
|
groups = Group.objects.all().order_by("pk")
|
||||||
|
per_page = 50
|
||||||
|
paginator = Paginator(groups, per_page=per_page)
|
||||||
|
start_index = int(request.query_params.get("startIndex", 1))
|
||||||
|
page = paginator.page(int(max(start_index / per_page, 1)))
|
||||||
|
return Response(
|
||||||
|
{
|
||||||
|
"totalResults": paginator.count,
|
||||||
|
"itemsPerPage": per_page,
|
||||||
|
"startIndex": page.start_index(),
|
||||||
|
"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
|
||||||
|
"Resources": [self.group_to_scim(group) for group in page],
|
||||||
|
}
|
||||||
|
)
|
||||||
|
|
||||||
|
def update_group(self, group: Group, data: QueryDict) -> Group:
|
||||||
|
"""Partial update a group"""
|
||||||
|
if "displayName" in data:
|
||||||
|
group.name = data.get("displayName")
|
||||||
|
return group
|
||||||
|
|
||||||
|
def post(self, request: Request, **kwargs) -> Response:
|
||||||
|
"""Create group handler"""
|
||||||
|
group = Group.objects.filter(name=request.data.get("displayName")).first()
|
||||||
|
if group:
|
||||||
|
LOGGER.debug("Found existing group")
|
||||||
|
return Response(status=409)
|
||||||
|
group = self.update_group(Group(), request.data)
|
||||||
|
group.save()
|
||||||
|
return Response(self.group_to_scim(group), status=201)
|
||||||
|
|
||||||
|
def patch(self, request: Request, group_id: str, **kwargs) -> Response:
|
||||||
|
"""Update group handler"""
|
||||||
|
group: Optional[Group] = Group.objects.filter(pk=group_id).first()
|
||||||
|
if not group:
|
||||||
|
raise Http404
|
||||||
|
if request.data.get("schemas", []) != ["urn:ietf:params:scim:api:messages:2.0:PatchOp"]:
|
||||||
|
return Response(status=400)
|
||||||
|
try:
|
||||||
|
with atomic():
|
||||||
|
for op in request.data.get("Operations", []):
|
||||||
|
path = self.patch_parse_path(op["path"])
|
||||||
|
operation = op["op"]
|
||||||
|
raw_value = op.get("value", None)
|
||||||
|
values = []
|
||||||
|
for value in raw_value:
|
||||||
|
values.append(self.patch_resolve_value(value))
|
||||||
|
match operation:
|
||||||
|
case "add":
|
||||||
|
group.users.add(*[x.pk for x in values])
|
||||||
|
case "remove":
|
||||||
|
pass
|
||||||
|
return Response(self.group_to_scim(group), status=200)
|
||||||
|
except (KeyError, PatchError):
|
||||||
|
return Response(status=400)
|
||||||
|
|
||||||
|
def put(self, request: Request, group_id: str, **kwargs) -> Response:
|
||||||
|
"""Update group handler"""
|
||||||
|
group: Optional[Group] = Group.objects.filter(pk=group_id).first()
|
||||||
|
if not group:
|
||||||
|
raise Http404
|
||||||
|
self.update_group(group, request.data)
|
||||||
|
group.save()
|
||||||
|
return Response(self.group_to_scim(group), status=200)
|
||||||
|
|
||||||
|
def delete(self, request: Request, group_id: str, **kwargs) -> Response:
|
||||||
|
"""Delete group handler"""
|
||||||
|
group: Optional[Group] = Group.objects.filter(pk=group_id).first()
|
||||||
|
if not group:
|
||||||
|
raise Http404
|
||||||
|
group.delete()
|
||||||
|
return Response(
|
||||||
|
{},
|
||||||
|
status=204,
|
||||||
|
headers={
|
||||||
|
"Content-Type": SCIM_CONTENT_TYPE,
|
||||||
|
},
|
||||||
|
)
|
|
@ -0,0 +1,153 @@
|
||||||
|
"""SCIM Meta views"""
|
||||||
|
from typing import Optional
|
||||||
|
|
||||||
|
from django.http import Http404
|
||||||
|
from django.urls import reverse
|
||||||
|
from rest_framework.request import Request
|
||||||
|
from rest_framework.response import Response
|
||||||
|
|
||||||
|
from authentik.sources.scim.views.v2.base import SCIMView
|
||||||
|
|
||||||
|
|
||||||
|
class ResourceTypesView(SCIMView):
|
||||||
|
"""https://ldapwiki.com/wiki/SCIM%20ResourceTypes%20endpoint"""
|
||||||
|
|
||||||
|
def get_resource_types(self):
|
||||||
|
"""List all resource types"""
|
||||||
|
return [
|
||||||
|
{
|
||||||
|
"id": "ServiceProviderConfig",
|
||||||
|
"name": "ServiceProviderConfig",
|
||||||
|
"description": "the service providers configuration",
|
||||||
|
"endpoint": "/ServiceProviderConfig",
|
||||||
|
"schema": "urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig",
|
||||||
|
"schemas": [
|
||||||
|
"urn:ietf:params:scim:schemas:core:2.0:ResourceType",
|
||||||
|
],
|
||||||
|
"meta": {
|
||||||
|
"resourceType": "ResourceType",
|
||||||
|
"location": self.request.build_absolute_uri(
|
||||||
|
reverse(
|
||||||
|
"authentik_sources_scim:v2-resource-types",
|
||||||
|
kwargs={
|
||||||
|
"source_slug": self.kwargs["source_slug"],
|
||||||
|
"resource_type": "ServiceProviderConfig",
|
||||||
|
},
|
||||||
|
)
|
||||||
|
),
|
||||||
|
},
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"id": "ResourceType",
|
||||||
|
"name": "ResourceType",
|
||||||
|
"description": "ResourceType",
|
||||||
|
"endpoint": "/ResourceTypes",
|
||||||
|
"schema": "urn:ietf:params:scim:schemas:core:2.0:ResourceType",
|
||||||
|
"schemas": [
|
||||||
|
"urn:ietf:params:scim:schemas:core:2.0:ResourceType",
|
||||||
|
],
|
||||||
|
"meta": {
|
||||||
|
"resourceType": "ResourceType",
|
||||||
|
"location": self.request.build_absolute_uri(
|
||||||
|
reverse(
|
||||||
|
"authentik_sources_scim:v2-resource-types",
|
||||||
|
kwargs={
|
||||||
|
"source_slug": self.kwargs["source_slug"],
|
||||||
|
"resource_type": "ResourceType",
|
||||||
|
},
|
||||||
|
)
|
||||||
|
),
|
||||||
|
},
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"id": "Schema",
|
||||||
|
"name": "Schema",
|
||||||
|
"description": "Schema endpoint description",
|
||||||
|
"endpoint": "/Schemas",
|
||||||
|
"schema": "urn:ietf:params:scim:schemas:core:2.0:Schema",
|
||||||
|
"schemas": [
|
||||||
|
"urn:ietf:params:scim:schemas:core:2.0:ResourceType",
|
||||||
|
],
|
||||||
|
"meta": {
|
||||||
|
"resourceType": "ResourceType",
|
||||||
|
"location": self.request.build_absolute_uri(
|
||||||
|
reverse(
|
||||||
|
"authentik_sources_scim:v2-resource-types",
|
||||||
|
kwargs={
|
||||||
|
"source_slug": self.kwargs["source_slug"],
|
||||||
|
"resource_type": "Schema",
|
||||||
|
},
|
||||||
|
)
|
||||||
|
),
|
||||||
|
},
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"id": "User",
|
||||||
|
"name": "User",
|
||||||
|
"endpoint": "/Users",
|
||||||
|
"description": "https://tools.ietf.org/html/rfc7643#section-8.7.1",
|
||||||
|
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:ResourceType"],
|
||||||
|
"schema": "urn:ietf:params:scim:schemas:core:2.0:User",
|
||||||
|
"schemaExtensions": [
|
||||||
|
{
|
||||||
|
"schema": "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
|
||||||
|
"required": True,
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"meta": {
|
||||||
|
"location": self.request.build_absolute_uri(
|
||||||
|
reverse(
|
||||||
|
"authentik_sources_scim:v2-resource-types",
|
||||||
|
kwargs={
|
||||||
|
"source_slug": self.kwargs["source_slug"],
|
||||||
|
"resource_type": "User",
|
||||||
|
},
|
||||||
|
)
|
||||||
|
),
|
||||||
|
"resourceType": "ResourceType",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"id": "Group",
|
||||||
|
"name": "Group",
|
||||||
|
"description": "Group",
|
||||||
|
"endpoint": "/Groups",
|
||||||
|
"schema": "urn:ietf:params:scim:schemas:core:2.0:Group",
|
||||||
|
"schemas": [
|
||||||
|
"urn:ietf:params:scim:schemas:core:2.0:ResourceType",
|
||||||
|
],
|
||||||
|
"meta": {
|
||||||
|
"resourceType": "ResourceType",
|
||||||
|
"location": self.request.build_absolute_uri(
|
||||||
|
reverse(
|
||||||
|
"authentik_sources_scim:v2-resource-types",
|
||||||
|
kwargs={
|
||||||
|
"source_slug": self.kwargs["source_slug"],
|
||||||
|
"resource_type": "Group",
|
||||||
|
},
|
||||||
|
)
|
||||||
|
),
|
||||||
|
},
|
||||||
|
},
|
||||||
|
]
|
||||||
|
|
||||||
|
# pylint: disable=unused-argument
|
||||||
|
def get(
|
||||||
|
self, request: Request, source_slug: str, resource_type: Optional[str] = None
|
||||||
|
) -> Response:
|
||||||
|
"""Get resource types as SCIM response"""
|
||||||
|
resource_types = self.get_resource_types()
|
||||||
|
if resource_type:
|
||||||
|
resource = [x for x in resource_types if x.get("id") == resource_type]
|
||||||
|
if resource:
|
||||||
|
return Response(resource[0])
|
||||||
|
raise Http404
|
||||||
|
return Response(
|
||||||
|
{
|
||||||
|
"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
|
||||||
|
"totalResults": len(resource_types),
|
||||||
|
"itemsPerPage": len(resource_types),
|
||||||
|
"startIndex": 1,
|
||||||
|
"Resources": resource_types,
|
||||||
|
}
|
||||||
|
)
|
|
@ -0,0 +1,52 @@
|
||||||
|
"""Schema Views"""
|
||||||
|
from json import loads
|
||||||
|
from typing import Optional
|
||||||
|
|
||||||
|
from django.http import Http404
|
||||||
|
from django.urls import reverse
|
||||||
|
from rest_framework.request import Request
|
||||||
|
from rest_framework.response import Response
|
||||||
|
|
||||||
|
from authentik.sources.scim.views.v2.base import SCIMView
|
||||||
|
|
||||||
|
with open("authentik/sources/scim/schemas/schema.json", "r", encoding="utf-8") as SCHEMA_FILE:
|
||||||
|
_raw_schemas = loads(SCHEMA_FILE.read())
|
||||||
|
|
||||||
|
|
||||||
|
class SchemaView(SCIMView):
|
||||||
|
"""https://ldapwiki.com/wiki/SCIM%20Schemas%20Attribute"""
|
||||||
|
|
||||||
|
def get_schemas(self):
|
||||||
|
"""List of all schemas"""
|
||||||
|
schemas = []
|
||||||
|
for raw_schema in _raw_schemas:
|
||||||
|
raw_schema["meta"]["location"] = self.request.build_absolute_uri(
|
||||||
|
reverse(
|
||||||
|
"authentik_sources_scim:v2-schema",
|
||||||
|
kwargs={
|
||||||
|
"source_slug": self.kwargs["source_slug"],
|
||||||
|
"schema_uri": raw_schema["id"],
|
||||||
|
},
|
||||||
|
)
|
||||||
|
)
|
||||||
|
schemas.append(raw_schema)
|
||||||
|
return schemas
|
||||||
|
|
||||||
|
# pylint: disable=unused-argument
|
||||||
|
def get(self, request: Request, source_slug: str, schema_uri: Optional[str] = None) -> Response:
|
||||||
|
"""Get schemas as SCIM response"""
|
||||||
|
schemas = self.get_schemas()
|
||||||
|
if schema_uri:
|
||||||
|
schema = [x for x in schemas if x.get("id") == schema_uri]
|
||||||
|
if schema:
|
||||||
|
return Response(schema[0])
|
||||||
|
raise Http404
|
||||||
|
return Response(
|
||||||
|
{
|
||||||
|
"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
|
||||||
|
"totalResults": len(schemas),
|
||||||
|
"itemsPerPage": len(schemas),
|
||||||
|
"startIndex": 1,
|
||||||
|
"Resources": schemas,
|
||||||
|
}
|
||||||
|
)
|
|
@ -0,0 +1,35 @@
|
||||||
|
"""SCIM Meta views"""
|
||||||
|
from rest_framework.request import Request
|
||||||
|
from rest_framework.response import Response
|
||||||
|
|
||||||
|
from authentik.sources.scim.views.v2.base import SCIMView
|
||||||
|
|
||||||
|
|
||||||
|
class ServiceProviderConfigView(SCIMView):
|
||||||
|
"""ServiceProviderConfig, https://ldapwiki.com/wiki/SCIM%20ServiceProviderConfig%20endpoint"""
|
||||||
|
|
||||||
|
# pylint: disable=unused-argument
|
||||||
|
def get(self, request: Request, source_slug: str) -> Response:
|
||||||
|
"""Get ServiceProviderConfig"""
|
||||||
|
return Response(
|
||||||
|
{
|
||||||
|
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"],
|
||||||
|
"authenticationSchemes": [
|
||||||
|
{
|
||||||
|
"type": "oauthbearertoken",
|
||||||
|
"name": "OAuth Bearer Token",
|
||||||
|
"description": (
|
||||||
|
"Authentication scheme using the OAuth Bearer Token Standard"
|
||||||
|
),
|
||||||
|
"specUri": "https://www.rfc-editor.org/info/rfc6750",
|
||||||
|
"primary": True,
|
||||||
|
},
|
||||||
|
],
|
||||||
|
"patch": {"supported": True},
|
||||||
|
"bulk": {"supported": False, "maxOperations": 0, "maxPayloadSize": 0},
|
||||||
|
"filter": {"supported": False, "maxResults": 200},
|
||||||
|
"changePassword": {"supported": False},
|
||||||
|
"sort": {"supported": False},
|
||||||
|
"etag": {"supported": False},
|
||||||
|
}
|
||||||
|
)
|
|
@ -0,0 +1,154 @@
|
||||||
|
"""SCIM User Views"""
|
||||||
|
from typing import Optional
|
||||||
|
|
||||||
|
from django.core.paginator import Paginator
|
||||||
|
from django.http import Http404, QueryDict
|
||||||
|
from django.urls import reverse
|
||||||
|
from guardian.shortcuts import get_anonymous_user
|
||||||
|
from rest_framework.exceptions import ValidationError
|
||||||
|
from rest_framework.request import Request
|
||||||
|
from rest_framework.response import Response
|
||||||
|
from structlog.stdlib import get_logger
|
||||||
|
|
||||||
|
from authentik.core.models import User
|
||||||
|
from authentik.sources.scim.models import (
|
||||||
|
USER_ATTRIBUTE_SCIM_ADDRESS,
|
||||||
|
USER_ATTRIBUTE_SCIM_ENTERPRISE,
|
||||||
|
USER_ATTRIBUTE_SCIM_ID,
|
||||||
|
)
|
||||||
|
from authentik.sources.scim.views.v2.base import SCIM_CONTENT_TYPE, SCIMView
|
||||||
|
|
||||||
|
LOGGER = get_logger()
|
||||||
|
|
||||||
|
|
||||||
|
class UsersView(SCIMView):
|
||||||
|
"""SCIM User view"""
|
||||||
|
|
||||||
|
def get_email(self, data: list[dict]) -> str:
|
||||||
|
"""Wrapper to get primary email or first email"""
|
||||||
|
for email in data:
|
||||||
|
if email.get("primary", False):
|
||||||
|
return email.get("value")
|
||||||
|
return data[0].get("value")
|
||||||
|
|
||||||
|
def user_to_scim(self, user: User) -> dict:
|
||||||
|
"""Convert User to SCIM data"""
|
||||||
|
payload = {
|
||||||
|
"id": str(user.pk),
|
||||||
|
"meta": {
|
||||||
|
"resourceType": "User",
|
||||||
|
"created": user.date_joined,
|
||||||
|
# TODO: use events to find last edit?
|
||||||
|
"lastModified": user.date_joined,
|
||||||
|
"location": self.request.build_absolute_uri(
|
||||||
|
reverse(
|
||||||
|
"authentik_sources_scim:v2-users",
|
||||||
|
kwargs={
|
||||||
|
"source_slug": self.kwargs["source_slug"],
|
||||||
|
"user_id": str(user.pk),
|
||||||
|
},
|
||||||
|
)
|
||||||
|
),
|
||||||
|
},
|
||||||
|
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": user.attributes.get(
|
||||||
|
USER_ATTRIBUTE_SCIM_ENTERPRISE, {}
|
||||||
|
),
|
||||||
|
"schemas": [
|
||||||
|
"urn:ietf:params:scim:schemas:core:2.0:User",
|
||||||
|
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
|
||||||
|
],
|
||||||
|
"userName": user.username,
|
||||||
|
"name": {},
|
||||||
|
"displayName": user.name,
|
||||||
|
"active": user.is_active,
|
||||||
|
"emails": [{"value": user.email, "type": "work", "primary": True}],
|
||||||
|
}
|
||||||
|
if USER_ATTRIBUTE_SCIM_ID in user.attributes:
|
||||||
|
payload["externalId"] = user.attributes[USER_ATTRIBUTE_SCIM_ID]
|
||||||
|
return payload
|
||||||
|
|
||||||
|
def get(self, request: Request, user_id: Optional[str] = None, **kwargs) -> Response:
|
||||||
|
"""List User handler"""
|
||||||
|
if user_id:
|
||||||
|
user = User.objects.filter(pk=user_id).first()
|
||||||
|
if not user:
|
||||||
|
raise Http404
|
||||||
|
return Response(self.user_to_scim(user))
|
||||||
|
users = User.objects.all().exclude(pk=get_anonymous_user().pk).order_by("pk")
|
||||||
|
per_page = 50
|
||||||
|
paginator = Paginator(users, per_page=per_page)
|
||||||
|
start_index = int(request.query_params.get("startIndex", 1))
|
||||||
|
page = paginator.page(int(max(start_index / per_page, 1)))
|
||||||
|
return Response(
|
||||||
|
{
|
||||||
|
"totalResults": paginator.count,
|
||||||
|
"itemsPerPage": per_page,
|
||||||
|
"startIndex": page.start_index(),
|
||||||
|
"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
|
||||||
|
"Resources": [self.user_to_scim(user) for user in page],
|
||||||
|
}
|
||||||
|
)
|
||||||
|
|
||||||
|
def update_user(self, user: User, data: QueryDict) -> User:
|
||||||
|
"""Partial update a user"""
|
||||||
|
if "userName" in data:
|
||||||
|
user.username = data.get("userName")
|
||||||
|
if "name" in data:
|
||||||
|
user.name = data.get("name", {}).get("formatted", data.get("displayName"))
|
||||||
|
if "emails" in data:
|
||||||
|
user.email = self.get_email(data.get("emails"))
|
||||||
|
if "active" in data:
|
||||||
|
user.is_active = data.get("active")
|
||||||
|
if "externalId" in data:
|
||||||
|
user.attributes[USER_ATTRIBUTE_SCIM_ID] = data.get("externalId")
|
||||||
|
if "addresses" in data:
|
||||||
|
user.attributes[USER_ATTRIBUTE_SCIM_ADDRESS] = data.get("addresses")
|
||||||
|
if "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User" in data:
|
||||||
|
user.attributes[USER_ATTRIBUTE_SCIM_ENTERPRISE] = data.get(
|
||||||
|
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
|
||||||
|
)
|
||||||
|
if user.username == "":
|
||||||
|
raise ValidationError("Invalid user")
|
||||||
|
return user
|
||||||
|
|
||||||
|
def post(self, request: Request, **kwargs) -> Response:
|
||||||
|
"""Create user handler"""
|
||||||
|
user = User.objects.filter(
|
||||||
|
**{
|
||||||
|
f"attributes__{USER_ATTRIBUTE_SCIM_ID}": request.data.get("externalId"),
|
||||||
|
"username": request.data.get("userName"),
|
||||||
|
}
|
||||||
|
).first()
|
||||||
|
if user:
|
||||||
|
LOGGER.debug("Found existing user")
|
||||||
|
return Response(status=409)
|
||||||
|
user = self.update_user(User(), request.data)
|
||||||
|
user.save()
|
||||||
|
return Response(self.user_to_scim(user), status=201)
|
||||||
|
|
||||||
|
def patch(self, request: Request, user_id: str, **kwargs) -> Response:
|
||||||
|
"""Update user handler"""
|
||||||
|
return self.put(request, user_id, **kwargs)
|
||||||
|
|
||||||
|
def put(self, request: Request, user_id: str, **kwargs) -> Response:
|
||||||
|
"""Update user handler"""
|
||||||
|
user: Optional[User] = User.objects.filter(pk=user_id).first()
|
||||||
|
if not user:
|
||||||
|
raise Http404
|
||||||
|
self.update_user(user, request.data)
|
||||||
|
user.save()
|
||||||
|
return Response(self.user_to_scim(user), status=200)
|
||||||
|
|
||||||
|
def delete(self, request: Request, user_id: str, **kwargs) -> Response:
|
||||||
|
"""Delete user handler"""
|
||||||
|
user: Optional[User] = User.objects.filter(pk=user_id).first()
|
||||||
|
if not user:
|
||||||
|
raise Http404
|
||||||
|
user.delete()
|
||||||
|
return Response(
|
||||||
|
{},
|
||||||
|
status=204,
|
||||||
|
headers={
|
||||||
|
"Content-Type": SCIM_CONTENT_TYPE,
|
||||||
|
},
|
||||||
|
)
|
|
@ -1,5 +1,6 @@
|
||||||
"""authentik multi-stage authentication engine"""
|
"""authentik multi-stage authentication engine"""
|
||||||
from datetime import timedelta
|
from datetime import timedelta
|
||||||
|
from uuid import uuid4
|
||||||
|
|
||||||
from django.contrib import messages
|
from django.contrib import messages
|
||||||
from django.http import HttpRequest, HttpResponse
|
from django.http import HttpRequest, HttpResponse
|
||||||
|
@ -52,17 +53,13 @@ class EmailStageView(ChallengeStageView):
|
||||||
kwargs={"flow_slug": self.executor.flow.slug},
|
kwargs={"flow_slug": self.executor.flow.slug},
|
||||||
)
|
)
|
||||||
# Parse query string from current URL (full query string)
|
# Parse query string from current URL (full query string)
|
||||||
query_params = QueryDict(self.request.META.get("QUERY_STRING", ""), mutable=True)
|
# this view is only run within a flow executor, where we need to get the query string
|
||||||
|
# from the query= parameter (double encoded); but for the redirect
|
||||||
|
# we need to expand it since it'll go through the flow interface
|
||||||
|
query_params = QueryDict(self.request.GET.get(QS_QUERY), mutable=True)
|
||||||
query_params.pop(QS_KEY_TOKEN, None)
|
query_params.pop(QS_KEY_TOKEN, None)
|
||||||
|
|
||||||
# Check for nested query string used by flow executor, and remove any
|
|
||||||
# kind of flow token from that
|
|
||||||
if QS_QUERY in query_params:
|
|
||||||
inner_query_params = QueryDict(query_params.get(QS_QUERY), mutable=True)
|
|
||||||
inner_query_params.pop(QS_KEY_TOKEN, None)
|
|
||||||
query_params[QS_QUERY] = inner_query_params.urlencode()
|
|
||||||
|
|
||||||
query_params.update(kwargs)
|
query_params.update(kwargs)
|
||||||
|
print(query_params)
|
||||||
full_url = base_url
|
full_url = base_url
|
||||||
if len(query_params) > 0:
|
if len(query_params) > 0:
|
||||||
full_url = f"{full_url}?{query_params.urlencode()}"
|
full_url = f"{full_url}?{query_params.urlencode()}"
|
||||||
|
@ -75,7 +72,7 @@ class EmailStageView(ChallengeStageView):
|
||||||
valid_delta = timedelta(
|
valid_delta = timedelta(
|
||||||
minutes=current_stage.token_expiry + 1
|
minutes=current_stage.token_expiry + 1
|
||||||
) # + 1 because django timesince always rounds down
|
) # + 1 because django timesince always rounds down
|
||||||
identifier = slugify(f"ak-email-stage-{current_stage.name}-{pending_user}")
|
identifier = slugify(f"ak-email-stage-{current_stage.name}-{str(uuid4())}")
|
||||||
# Don't check for validity here, we only care if the token exists
|
# Don't check for validity here, we only care if the token exists
|
||||||
tokens = FlowToken.objects.filter(identifier=identifier)
|
tokens = FlowToken.objects.filter(identifier=identifier)
|
||||||
if not tokens.exists():
|
if not tokens.exists():
|
||||||
|
|
|
@ -259,7 +259,7 @@ class TestEmailStage(FlowTestCase):
|
||||||
session.save()
|
session.save()
|
||||||
|
|
||||||
url = reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
|
url = reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
|
||||||
url += "?foo=bar"
|
url += "?query=" + urlencode({"foo": "bar"})
|
||||||
request = self.factory.get(url)
|
request = self.factory.get(url)
|
||||||
stage_view = EmailStageView(
|
stage_view = EmailStageView(
|
||||||
FlowExecutorView(
|
FlowExecutorView(
|
||||||
|
@ -273,31 +273,3 @@ class TestEmailStage(FlowTestCase):
|
||||||
stage_view.get_full_url(**{QS_KEY_TOKEN: token}),
|
stage_view.get_full_url(**{QS_KEY_TOKEN: token}),
|
||||||
f"http://testserver/if/flow/{self.flow.slug}/?foo=bar&flow_token={token}",
|
f"http://testserver/if/flow/{self.flow.slug}/?foo=bar&flow_token={token}",
|
||||||
)
|
)
|
||||||
|
|
||||||
def test_url_existing_params_nested(self):
|
|
||||||
"""Test to ensure that URL params are preserved in the URL being sent (including nested)"""
|
|
||||||
plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
|
|
||||||
plan.context[PLAN_CONTEXT_PENDING_USER] = self.user
|
|
||||||
session = self.client.session
|
|
||||||
session[SESSION_KEY_PLAN] = plan
|
|
||||||
session.save()
|
|
||||||
|
|
||||||
url = reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
|
|
||||||
url += "?foo=bar&"
|
|
||||||
url += "query=" + urlencode({"nested": "value"})
|
|
||||||
request = self.factory.get(url)
|
|
||||||
stage_view = EmailStageView(
|
|
||||||
FlowExecutorView(
|
|
||||||
request=request,
|
|
||||||
flow=self.flow,
|
|
||||||
),
|
|
||||||
request=request,
|
|
||||||
)
|
|
||||||
token = generate_id()
|
|
||||||
self.assertEqual(
|
|
||||||
stage_view.get_full_url(**{QS_KEY_TOKEN: token}),
|
|
||||||
(
|
|
||||||
f"http://testserver/if/flow/{self.flow.slug}"
|
|
||||||
f"/?foo=bar&query=nested%3Dvalue&flow_token={token}"
|
|
||||||
),
|
|
||||||
)
|
|
||||||
|
|
|
@ -1521,6 +1521,43 @@
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
"type": "object",
|
||||||
|
"required": [
|
||||||
|
"model",
|
||||||
|
"identifiers"
|
||||||
|
],
|
||||||
|
"properties": {
|
||||||
|
"model": {
|
||||||
|
"const": "authentik_sources_scim.scimsource"
|
||||||
|
},
|
||||||
|
"id": {
|
||||||
|
"type": "string"
|
||||||
|
},
|
||||||
|
"state": {
|
||||||
|
"type": "string",
|
||||||
|
"enum": [
|
||||||
|
"absent",
|
||||||
|
"present",
|
||||||
|
"created",
|
||||||
|
"must_created"
|
||||||
|
],
|
||||||
|
"default": "present"
|
||||||
|
},
|
||||||
|
"conditions": {
|
||||||
|
"type": "array",
|
||||||
|
"items": {
|
||||||
|
"type": "boolean"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"attrs": {
|
||||||
|
"$ref": "#/$defs/model_authentik_sources_scim.scimsource"
|
||||||
|
},
|
||||||
|
"identifiers": {
|
||||||
|
"$ref": "#/$defs/model_authentik_sources_scim.scimsource"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
},
|
||||||
{
|
{
|
||||||
"type": "object",
|
"type": "object",
|
||||||
"required": [
|
"required": [
|
||||||
|
@ -3452,6 +3489,7 @@
|
||||||
"authentik.sources.oauth",
|
"authentik.sources.oauth",
|
||||||
"authentik.sources.plex",
|
"authentik.sources.plex",
|
||||||
"authentik.sources.saml",
|
"authentik.sources.saml",
|
||||||
|
"authentik.sources.scim",
|
||||||
"authentik.stages.authenticator",
|
"authentik.stages.authenticator",
|
||||||
"authentik.stages.authenticator_duo",
|
"authentik.stages.authenticator_duo",
|
||||||
"authentik.stages.authenticator_sms",
|
"authentik.stages.authenticator_sms",
|
||||||
|
@ -3527,6 +3565,7 @@
|
||||||
"authentik_sources_plex.plexsourceconnection",
|
"authentik_sources_plex.plexsourceconnection",
|
||||||
"authentik_sources_saml.samlsource",
|
"authentik_sources_saml.samlsource",
|
||||||
"authentik_sources_saml.usersamlsourceconnection",
|
"authentik_sources_saml.usersamlsourceconnection",
|
||||||
|
"authentik_sources_scim.scimsource",
|
||||||
"authentik_stages_authenticator_duo.authenticatorduostage",
|
"authentik_stages_authenticator_duo.authenticatorduostage",
|
||||||
"authentik_stages_authenticator_duo.duodevice",
|
"authentik_stages_authenticator_duo.duodevice",
|
||||||
"authentik_stages_authenticator_sms.authenticatorsmsstage",
|
"authentik_stages_authenticator_sms.authenticatorsmsstage",
|
||||||
|
@ -5700,6 +5739,74 @@
|
||||||
},
|
},
|
||||||
"required": []
|
"required": []
|
||||||
},
|
},
|
||||||
|
"model_authentik_sources_scim.scimsource": {
|
||||||
|
"type": "object",
|
||||||
|
"properties": {
|
||||||
|
"name": {
|
||||||
|
"type": "string",
|
||||||
|
"minLength": 1,
|
||||||
|
"title": "Name",
|
||||||
|
"description": "Source's display Name."
|
||||||
|
},
|
||||||
|
"slug": {
|
||||||
|
"type": "string",
|
||||||
|
"maxLength": 50,
|
||||||
|
"minLength": 1,
|
||||||
|
"pattern": "^[-a-zA-Z0-9_]+$",
|
||||||
|
"title": "Slug",
|
||||||
|
"description": "Internal source name, used in URLs."
|
||||||
|
},
|
||||||
|
"enabled": {
|
||||||
|
"type": "boolean",
|
||||||
|
"title": "Enabled"
|
||||||
|
},
|
||||||
|
"authentication_flow": {
|
||||||
|
"type": "integer",
|
||||||
|
"title": "Authentication flow",
|
||||||
|
"description": "Flow to use when authenticating existing users."
|
||||||
|
},
|
||||||
|
"enrollment_flow": {
|
||||||
|
"type": "integer",
|
||||||
|
"title": "Enrollment flow",
|
||||||
|
"description": "Flow to use when enrolling new users."
|
||||||
|
},
|
||||||
|
"policy_engine_mode": {
|
||||||
|
"type": "string",
|
||||||
|
"enum": [
|
||||||
|
"all",
|
||||||
|
"any"
|
||||||
|
],
|
||||||
|
"title": "Policy engine mode"
|
||||||
|
},
|
||||||
|
"user_matching_mode": {
|
||||||
|
"type": "string",
|
||||||
|
"enum": [
|
||||||
|
"identifier",
|
||||||
|
"email_link",
|
||||||
|
"email_deny",
|
||||||
|
"username_link",
|
||||||
|
"username_deny"
|
||||||
|
],
|
||||||
|
"title": "User matching mode",
|
||||||
|
"description": "How the source determines if an existing user should be authenticated or a new user enrolled."
|
||||||
|
},
|
||||||
|
"user_path_template": {
|
||||||
|
"type": "string",
|
||||||
|
"minLength": 1,
|
||||||
|
"title": "User path template"
|
||||||
|
},
|
||||||
|
"icon": {
|
||||||
|
"type": "string",
|
||||||
|
"minLength": 1,
|
||||||
|
"title": "Icon"
|
||||||
|
},
|
||||||
|
"token": {
|
||||||
|
"type": "integer",
|
||||||
|
"title": "Token"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"required": []
|
||||||
|
},
|
||||||
"model_authentik_stages_authenticator_duo.authenticatorduostage": {
|
"model_authentik_stages_authenticator_duo.authenticatorduostage": {
|
||||||
"type": "object",
|
"type": "object",
|
||||||
"properties": {
|
"properties": {
|
||||||
|
|
|
@ -32,7 +32,7 @@ services:
|
||||||
volumes:
|
volumes:
|
||||||
- redis:/data
|
- redis:/data
|
||||||
server:
|
server:
|
||||||
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.2}
|
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.3}
|
||||||
restart: unless-stopped
|
restart: unless-stopped
|
||||||
command: server
|
command: server
|
||||||
environment:
|
environment:
|
||||||
|
@ -53,7 +53,7 @@ services:
|
||||||
- postgresql
|
- postgresql
|
||||||
- redis
|
- redis
|
||||||
worker:
|
worker:
|
||||||
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.2}
|
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.3}
|
||||||
restart: unless-stopped
|
restart: unless-stopped
|
||||||
command: worker
|
command: worker
|
||||||
environment:
|
environment:
|
||||||
|
|
30
go.mod
30
go.mod
|
@ -13,24 +13,24 @@ require (
|
||||||
github.com/go-openapi/strfmt v0.21.7
|
github.com/go-openapi/strfmt v0.21.7
|
||||||
github.com/golang-jwt/jwt v3.2.2+incompatible
|
github.com/golang-jwt/jwt v3.2.2+incompatible
|
||||||
github.com/google/uuid v1.4.0
|
github.com/google/uuid v1.4.0
|
||||||
github.com/gorilla/handlers v1.5.1
|
github.com/gorilla/handlers v1.5.2
|
||||||
github.com/gorilla/mux v1.8.0
|
github.com/gorilla/mux v1.8.1
|
||||||
github.com/gorilla/securecookie v1.1.1
|
github.com/gorilla/securecookie v1.1.2
|
||||||
github.com/gorilla/sessions v1.2.1
|
github.com/gorilla/sessions v1.2.2
|
||||||
github.com/gorilla/websocket v1.5.0
|
github.com/gorilla/websocket v1.5.1
|
||||||
github.com/jellydator/ttlcache/v3 v3.1.0
|
github.com/jellydator/ttlcache/v3 v3.1.0
|
||||||
github.com/mitchellh/mapstructure v1.5.0
|
github.com/mitchellh/mapstructure v1.5.0
|
||||||
github.com/nmcclain/asn1-ber v0.0.0-20170104154839-2661553a0484
|
github.com/nmcclain/asn1-ber v0.0.0-20170104154839-2661553a0484
|
||||||
github.com/pires/go-proxyproto v0.7.0
|
github.com/pires/go-proxyproto v0.7.0
|
||||||
github.com/prometheus/client_golang v1.17.0
|
github.com/prometheus/client_golang v1.17.0
|
||||||
github.com/redis/go-redis/v9 v9.2.1
|
github.com/redis/go-redis/v9 v9.3.0
|
||||||
github.com/sirupsen/logrus v1.9.3
|
github.com/sirupsen/logrus v1.9.3
|
||||||
github.com/spf13/cobra v1.7.0
|
github.com/spf13/cobra v1.8.0
|
||||||
github.com/stretchr/testify v1.8.4
|
github.com/stretchr/testify v1.8.4
|
||||||
goauthentik.io/api/v3 v3.2023101.1
|
goauthentik.io/api/v3 v3.2023103.2
|
||||||
golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab
|
golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab
|
||||||
golang.org/x/oauth2 v0.13.0
|
golang.org/x/oauth2 v0.14.0
|
||||||
golang.org/x/sync v0.4.0
|
golang.org/x/sync v0.5.0
|
||||||
gopkg.in/yaml.v2 v2.4.0
|
gopkg.in/yaml.v2 v2.4.0
|
||||||
layeh.com/radius v0.0.0-20210819152912-ad72663a72ab
|
layeh.com/radius v0.0.0-20210819152912-ad72663a72ab
|
||||||
)
|
)
|
||||||
|
@ -42,7 +42,7 @@ require (
|
||||||
github.com/cespare/xxhash/v2 v2.2.0 // indirect
|
github.com/cespare/xxhash/v2 v2.2.0 // indirect
|
||||||
github.com/davecgh/go-spew v1.1.1 // indirect
|
github.com/davecgh/go-spew v1.1.1 // indirect
|
||||||
github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
|
github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
|
||||||
github.com/felixge/httpsnoop v1.0.1 // indirect
|
github.com/felixge/httpsnoop v1.0.3 // indirect
|
||||||
github.com/go-asn1-ber/asn1-ber v1.5.5 // indirect
|
github.com/go-asn1-ber/asn1-ber v1.5.5 // indirect
|
||||||
github.com/go-http-utils/fresh v0.0.0-20161124030543-7231e26a4b27 // indirect
|
github.com/go-http-utils/fresh v0.0.0-20161124030543-7231e26a4b27 // indirect
|
||||||
github.com/go-http-utils/headers v0.0.0-20181008091004-fed159eddc2a // indirect
|
github.com/go-http-utils/headers v0.0.0-20181008091004-fed159eddc2a // indirect
|
||||||
|
@ -72,10 +72,10 @@ require (
|
||||||
go.mongodb.org/mongo-driver v1.11.3 // indirect
|
go.mongodb.org/mongo-driver v1.11.3 // indirect
|
||||||
go.opentelemetry.io/otel v1.14.0 // indirect
|
go.opentelemetry.io/otel v1.14.0 // indirect
|
||||||
go.opentelemetry.io/otel/trace v1.14.0 // indirect
|
go.opentelemetry.io/otel/trace v1.14.0 // indirect
|
||||||
golang.org/x/crypto v0.14.0 // indirect
|
golang.org/x/crypto v0.15.0 // indirect
|
||||||
golang.org/x/net v0.17.0 // indirect
|
golang.org/x/net v0.18.0 // indirect
|
||||||
golang.org/x/sys v0.13.0 // indirect
|
golang.org/x/sys v0.14.0 // indirect
|
||||||
golang.org/x/text v0.13.0 // indirect
|
golang.org/x/text v0.14.0 // indirect
|
||||||
google.golang.org/appengine v1.6.7 // indirect
|
google.golang.org/appengine v1.6.7 // indirect
|
||||||
google.golang.org/protobuf v1.31.0 // indirect
|
google.golang.org/protobuf v1.31.0 // indirect
|
||||||
gopkg.in/square/go-jose.v2 v2.5.1 // indirect
|
gopkg.in/square/go-jose.v2 v2.5.1 // indirect
|
||||||
|
|
63
go.sum
63
go.sum
|
@ -62,7 +62,7 @@ github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDk
|
||||||
github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
|
github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
|
||||||
github.com/coreos/go-oidc v2.2.1+incompatible h1:mh48q/BqXqgjVHpy2ZY7WnWAbenxRjsz9N1i1YxjHAk=
|
github.com/coreos/go-oidc v2.2.1+incompatible h1:mh48q/BqXqgjVHpy2ZY7WnWAbenxRjsz9N1i1YxjHAk=
|
||||||
github.com/coreos/go-oidc v2.2.1+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc=
|
github.com/coreos/go-oidc v2.2.1+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc=
|
||||||
github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
|
github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
|
||||||
github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
|
github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
|
||||||
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
|
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
|
||||||
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
|
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
|
||||||
|
@ -73,8 +73,8 @@ github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymF
|
||||||
github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
|
github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
|
||||||
github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
|
github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
|
||||||
github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
|
github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
|
||||||
github.com/felixge/httpsnoop v1.0.1 h1:lvB5Jl89CsZtGIWuTcDM1E/vkVs49/Ml7JJe07l8SPQ=
|
github.com/felixge/httpsnoop v1.0.3 h1:s/nj+GCswXYzN5v2DpNMuMQYe+0DDwt5WVCU6CWBdXk=
|
||||||
github.com/felixge/httpsnoop v1.0.1/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
|
github.com/felixge/httpsnoop v1.0.3/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
|
||||||
github.com/getsentry/sentry-go v0.25.0 h1:q6Eo+hS+yoJlTO3uu/azhQadsD8V+jQn2D8VvX1eOyI=
|
github.com/getsentry/sentry-go v0.25.0 h1:q6Eo+hS+yoJlTO3uu/azhQadsD8V+jQn2D8VvX1eOyI=
|
||||||
github.com/getsentry/sentry-go v0.25.0/go.mod h1:lc76E2QywIyW8WuBnwl8Lc4bkmQH4+w1gwTf25trprY=
|
github.com/getsentry/sentry-go v0.25.0/go.mod h1:lc76E2QywIyW8WuBnwl8Lc4bkmQH4+w1gwTf25trprY=
|
||||||
github.com/go-asn1-ber/asn1-ber v1.5.5 h1:MNHlNMBDgEKD4TcKr36vQN68BA00aDfjIt3/bD50WnA=
|
github.com/go-asn1-ber/asn1-ber v1.5.5 h1:MNHlNMBDgEKD4TcKr36vQN68BA00aDfjIt3/bD50WnA=
|
||||||
|
@ -200,6 +200,8 @@ github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
|
||||||
github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
|
github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
|
||||||
github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
|
github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
|
||||||
github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
|
github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
|
||||||
|
github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
|
||||||
|
github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
|
||||||
github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
|
github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
|
||||||
github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
|
github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
|
||||||
github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
|
github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
|
||||||
|
@ -216,16 +218,16 @@ github.com/google/uuid v1.4.0 h1:MtMxsa51/r9yyhkyLsVeVt0B+BGQZzpQiTQ4eHZ8bc4=
|
||||||
github.com/google/uuid v1.4.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
|
github.com/google/uuid v1.4.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
|
||||||
github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
|
github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
|
||||||
github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
|
github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
|
||||||
github.com/gorilla/handlers v1.5.1 h1:9lRY6j8DEeeBT10CvO9hGW0gmky0BprnvDI5vfhUHH4=
|
github.com/gorilla/handlers v1.5.2 h1:cLTUSsNkgcwhgRqvCNmdbRWG0A3N4F+M2nWKdScwyEE=
|
||||||
github.com/gorilla/handlers v1.5.1/go.mod h1:t8XrUpc4KVXb7HGyJ4/cEnwQiaxrX/hz1Zv/4g96P1Q=
|
github.com/gorilla/handlers v1.5.2/go.mod h1:dX+xVpaxdSw+q0Qek8SSsl3dfMk3jNddUkMzo0GtH0w=
|
||||||
github.com/gorilla/mux v1.8.0 h1:i40aqfkR1h2SlN9hojwV5ZA91wcXFOvkdNIeFDP5koI=
|
github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
|
||||||
github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So=
|
github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
|
||||||
github.com/gorilla/securecookie v1.1.1 h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyCS8BvQ=
|
github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kXD8ePA=
|
||||||
github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
|
github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pwzwo4h3eOamfo=
|
||||||
github.com/gorilla/sessions v1.2.1 h1:DHd3rPN5lE3Ts3D8rKkQ8x/0kqfeNmBAaiSi+o7FsgI=
|
github.com/gorilla/sessions v1.2.2 h1:lqzMYz6bOfvn2WriPUjNByzeXIlVzURcPmgMczkmTjY=
|
||||||
github.com/gorilla/sessions v1.2.1/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM=
|
github.com/gorilla/sessions v1.2.2/go.mod h1:ePLdVu+jbEgHH+KWw8I1z2wqd0BAdAQh/8LRvBeoNcQ=
|
||||||
github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWmnc=
|
github.com/gorilla/websocket v1.5.1 h1:gmztn0JnHVt9JZquRuzLw3g4wouNVzKL15iLr/zn/QY=
|
||||||
github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
|
github.com/gorilla/websocket v1.5.1/go.mod h1:x3kM2JMyaluk02fnUJpQuwD2dCS5NDG2ZHL0uE0tcaY=
|
||||||
github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
|
github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
|
||||||
github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
|
github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
|
||||||
github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
|
github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
|
||||||
|
@ -295,8 +297,8 @@ github.com/prometheus/common v0.44.0 h1:+5BrQJwiBB9xsMygAB3TNvpQKOwlkc25LbISbrdO
|
||||||
github.com/prometheus/common v0.44.0/go.mod h1:ofAIvZbQ1e/nugmZGz4/qCb9Ap1VoSTIO7x0VV9VvuY=
|
github.com/prometheus/common v0.44.0/go.mod h1:ofAIvZbQ1e/nugmZGz4/qCb9Ap1VoSTIO7x0VV9VvuY=
|
||||||
github.com/prometheus/procfs v0.11.1 h1:xRC8Iq1yyca5ypa9n1EZnWZkt7dwcoRPQwX/5gwaUuI=
|
github.com/prometheus/procfs v0.11.1 h1:xRC8Iq1yyca5ypa9n1EZnWZkt7dwcoRPQwX/5gwaUuI=
|
||||||
github.com/prometheus/procfs v0.11.1/go.mod h1:eesXgaPo1q7lBpVMoMy0ZOFTth9hBn4W/y0/p/ScXhY=
|
github.com/prometheus/procfs v0.11.1/go.mod h1:eesXgaPo1q7lBpVMoMy0ZOFTth9hBn4W/y0/p/ScXhY=
|
||||||
github.com/redis/go-redis/v9 v9.2.1 h1:WlYJg71ODF0dVspZZCpYmoF1+U1Jjk9Rwd7pq6QmlCg=
|
github.com/redis/go-redis/v9 v9.3.0 h1:RiVDjmig62jIWp7Kk4XVLs0hzV6pI3PyTnnL0cnn0u0=
|
||||||
github.com/redis/go-redis/v9 v9.2.1/go.mod h1:hdY0cQFCN4fnSYT6TkisLufl/4W5UIXyv0b/CLO2V2M=
|
github.com/redis/go-redis/v9 v9.3.0/go.mod h1:hdY0cQFCN4fnSYT6TkisLufl/4W5UIXyv0b/CLO2V2M=
|
||||||
github.com/rogpeppe/go-internal v1.1.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
|
github.com/rogpeppe/go-internal v1.1.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
|
||||||
github.com/rogpeppe/go-internal v1.2.2/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
|
github.com/rogpeppe/go-internal v1.2.2/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
|
||||||
github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
|
github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
|
||||||
|
@ -309,8 +311,8 @@ github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6Mwd
|
||||||
github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
|
github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
|
||||||
github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
|
github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
|
||||||
github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ=
|
github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ=
|
||||||
github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I=
|
github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0=
|
||||||
github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0=
|
github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho=
|
||||||
github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
|
github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
|
||||||
github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
|
github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
|
||||||
github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
|
github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
|
||||||
|
@ -356,8 +358,8 @@ go.opentelemetry.io/otel/trace v1.14.0 h1:wp2Mmvj41tDsyAJXiWDWpfNsOiIyd38fy85pyK
|
||||||
go.opentelemetry.io/otel/trace v1.14.0/go.mod h1:8avnQLK+CG77yNLUae4ea2JDQ6iT+gozhnZjy/rw9G8=
|
go.opentelemetry.io/otel/trace v1.14.0/go.mod h1:8avnQLK+CG77yNLUae4ea2JDQ6iT+gozhnZjy/rw9G8=
|
||||||
go.uber.org/goleak v1.2.1 h1:NBol2c7O1ZokfZ0LEU9K6Whx/KnwvepVetCUhtKja4A=
|
go.uber.org/goleak v1.2.1 h1:NBol2c7O1ZokfZ0LEU9K6Whx/KnwvepVetCUhtKja4A=
|
||||||
go.uber.org/goleak v1.2.1/go.mod h1:qlT2yGI9QafXHhZZLxlSuNsMw3FFLxBr+tBRlmO1xH4=
|
go.uber.org/goleak v1.2.1/go.mod h1:qlT2yGI9QafXHhZZLxlSuNsMw3FFLxBr+tBRlmO1xH4=
|
||||||
goauthentik.io/api/v3 v3.2023101.1 h1:KIQ4wmxjE+geAVB0wBfmxW9Uzo/tA0dbd2hSUJ7YJ3M=
|
goauthentik.io/api/v3 v3.2023103.2 h1:k3GOGc5vVfxkS8+a8KjQaqAOPfpCqDYLEIjKEewrxwo=
|
||||||
goauthentik.io/api/v3 v3.2023101.1/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
|
goauthentik.io/api/v3 v3.2023103.2/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
|
||||||
golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
|
golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
|
||||||
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
|
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
|
||||||
golang.org/x/crypto v0.0.0-20190422162423-af44ce270edf/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=
|
golang.org/x/crypto v0.0.0-20190422162423-af44ce270edf/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=
|
||||||
|
@ -370,8 +372,8 @@ golang.org/x/crypto v0.0.0-20200709230013-948cd5f35899/go.mod h1:LzIPMQfyMNhhGPh
|
||||||
golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
|
golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
|
||||||
golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
|
golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
|
||||||
golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
|
golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
|
||||||
golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc=
|
golang.org/x/crypto v0.15.0 h1:frVn1TEaCEaZcn3Tmd7Y2b5KKPaZ+I32Q2OA3kYp5TA=
|
||||||
golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
|
golang.org/x/crypto v0.15.0/go.mod h1:4ChreQoLWfG3xLDer1WdlH5NdlQ3+mwnQq1YTKY+72g=
|
||||||
golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
|
golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
|
||||||
golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
|
golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
|
||||||
golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
|
golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
|
||||||
|
@ -438,16 +440,16 @@ golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qx
|
||||||
golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
|
golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
|
||||||
golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
|
golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
|
||||||
golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
|
golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
|
||||||
golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
|
golang.org/x/net v0.18.0 h1:mIYleuAkSbHh0tCv7RvjL3F6ZVbLjq4+R7zbOn3Kokg=
|
||||||
golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
|
golang.org/x/net v0.18.0/go.mod h1:/czyP5RqHAH4odGYxBJ1qz0+CE5WZ+2j1YgoEo8F2jQ=
|
||||||
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
|
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
|
||||||
golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
|
golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
|
||||||
golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
|
golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
|
||||||
golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
|
golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
|
||||||
golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
|
golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
|
||||||
golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
|
golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
|
||||||
golang.org/x/oauth2 v0.13.0 h1:jDDenyj+WgFtmV3zYVoi8aE2BwtXFLWOA67ZfNWftiY=
|
golang.org/x/oauth2 v0.14.0 h1:P0Vrf/2538nmC0H+pEQ3MNFRRnVR7RlqyVw+bvm26z0=
|
||||||
golang.org/x/oauth2 v0.13.0/go.mod h1:/JMhi4ZRXAf4HG9LiNmxvk+45+96RUlVThiH8FzNBn0=
|
golang.org/x/oauth2 v0.14.0/go.mod h1:lAtNWgaWfL4cm7j2OV8TxGi9Qb7ECORx8DktCY74OwM=
|
||||||
golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
||||||
golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
||||||
golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
||||||
|
@ -460,8 +462,8 @@ golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJ
|
||||||
golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
||||||
golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
||||||
golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
||||||
golang.org/x/sync v0.4.0 h1:zxkM55ReGkDlKSM+Fu41A+zmbZuaPVbGMzvvdUPznYQ=
|
golang.org/x/sync v0.5.0 h1:60k92dhOjHxJkrqnwsfl8KuaHbn/5dl0lUPUklKo3qE=
|
||||||
golang.org/x/sync v0.4.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
|
golang.org/x/sync v0.5.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
|
||||||
golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
|
golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
|
||||||
golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
|
golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
|
||||||
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
|
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
|
||||||
|
@ -502,8 +504,8 @@ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBc
|
||||||
golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||||
golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||||
golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||||
golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
|
golang.org/x/sys v0.14.0 h1:Vz7Qs629MkJkGyHxUlRHizWJRG2j8fbQKjELVSNhy7Q=
|
||||||
golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
|
||||||
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
|
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
|
||||||
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
|
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
|
||||||
golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
|
golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
|
||||||
|
@ -519,8 +521,9 @@ golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
|
||||||
golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
|
golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
|
||||||
golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
|
golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
|
||||||
golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
|
golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
|
||||||
golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
|
|
||||||
golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
|
golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
|
||||||
|
golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
|
||||||
|
golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
|
||||||
golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
|
golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
|
||||||
golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
|
golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
|
||||||
golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
|
golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
|
||||||
|
|
|
@ -27,14 +27,11 @@ type Config struct {
|
||||||
type RedisConfig struct {
|
type RedisConfig struct {
|
||||||
Host string `yaml:"host" env:"AUTHENTIK_REDIS__HOST"`
|
Host string `yaml:"host" env:"AUTHENTIK_REDIS__HOST"`
|
||||||
Port int `yaml:"port" env:"AUTHENTIK_REDIS__PORT"`
|
Port int `yaml:"port" env:"AUTHENTIK_REDIS__PORT"`
|
||||||
|
DB int `yaml:"db" env:"AUTHENTIK_REDIS__DB"`
|
||||||
|
Username string `yaml:"username" env:"AUTHENTIK_REDIS__USERNAME"`
|
||||||
Password string `yaml:"password" env:"AUTHENTIK_REDIS__PASSWORD"`
|
Password string `yaml:"password" env:"AUTHENTIK_REDIS__PASSWORD"`
|
||||||
TLS bool `yaml:"tls" env:"AUTHENTIK_REDIS__TLS"`
|
TLS bool `yaml:"tls" env:"AUTHENTIK_REDIS__TLS"`
|
||||||
TLSReqs string `yaml:"tls_reqs" env:"AUTHENTIK_REDIS__TLS_REQS"`
|
TLSReqs string `yaml:"tls_reqs" env:"AUTHENTIK_REDIS__TLS_REQS"`
|
||||||
DB int `yaml:"cache_db" env:"AUTHENTIK_REDIS__DB"`
|
|
||||||
CacheTimeout int `yaml:"cache_timeout" env:"AUTHENTIK_REDIS__CACHE_TIMEOUT"`
|
|
||||||
CacheTimeoutFlows int `yaml:"cache_timeout_flows" env:"AUTHENTIK_REDIS__CACHE_TIMEOUT_FLOWS"`
|
|
||||||
CacheTimeoutPolicies int `yaml:"cache_timeout_policies" env:"AUTHENTIK_REDIS__CACHE_TIMEOUT_POLICIES"`
|
|
||||||
CacheTimeoutReputation int `yaml:"cache_timeout_reputation" env:"AUTHENTIK_REDIS__CACHE_TIMEOUT_REPUTATION"`
|
|
||||||
}
|
}
|
||||||
|
|
||||||
type ListenConfig struct {
|
type ListenConfig struct {
|
||||||
|
|
|
@ -29,4 +29,4 @@ func UserAgent() string {
|
||||||
return fmt.Sprintf("authentik@%s", FullVersion())
|
return fmt.Sprintf("authentik@%s", FullVersion())
|
||||||
}
|
}
|
||||||
|
|
||||||
const VERSION = "2023.10.2"
|
const VERSION = "2023.10.3"
|
||||||
|
|
|
@ -29,16 +29,6 @@ var (
|
||||||
Name: "authentik_outpost_flow_timing_post_seconds",
|
Name: "authentik_outpost_flow_timing_post_seconds",
|
||||||
Help: "Duration it took to send a challenge in seconds",
|
Help: "Duration it took to send a challenge in seconds",
|
||||||
}, []string{"stage", "flow"})
|
}, []string{"stage", "flow"})
|
||||||
|
|
||||||
// NOTE: the following metrics are kept for compatibility purpose
|
|
||||||
FlowTimingGetLegacy = promauto.NewHistogramVec(prometheus.HistogramOpts{
|
|
||||||
Name: "authentik_outpost_flow_timing_get",
|
|
||||||
Help: "Duration it took to get a challenge",
|
|
||||||
}, []string{"stage", "flow"})
|
|
||||||
FlowTimingPostLegacy = promauto.NewHistogramVec(prometheus.HistogramOpts{
|
|
||||||
Name: "authentik_outpost_flow_timing_post",
|
|
||||||
Help: "Duration it took to send a challenge",
|
|
||||||
}, []string{"stage", "flow"})
|
|
||||||
)
|
)
|
||||||
|
|
||||||
type SolverFunction func(*api.ChallengeTypes, api.ApiFlowsExecutorSolveRequest) (api.FlowChallengeResponseRequest, error)
|
type SolverFunction func(*api.ChallengeTypes, api.ApiFlowsExecutorSolveRequest) (api.FlowChallengeResponseRequest, error)
|
||||||
|
@ -198,10 +188,6 @@ func (fe *FlowExecutor) getInitialChallenge() (*api.ChallengeTypes, error) {
|
||||||
"stage": ch.GetComponent(),
|
"stage": ch.GetComponent(),
|
||||||
"flow": fe.flowSlug,
|
"flow": fe.flowSlug,
|
||||||
}).Observe(float64(gcsp.EndTime.Sub(gcsp.StartTime)) / float64(time.Second))
|
}).Observe(float64(gcsp.EndTime.Sub(gcsp.StartTime)) / float64(time.Second))
|
||||||
FlowTimingGetLegacy.With(prometheus.Labels{
|
|
||||||
"stage": ch.GetComponent(),
|
|
||||||
"flow": fe.flowSlug,
|
|
||||||
}).Observe(float64(gcsp.EndTime.Sub(gcsp.StartTime)))
|
|
||||||
return challenge, nil
|
return challenge, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -259,10 +245,6 @@ func (fe *FlowExecutor) solveFlowChallenge(challenge *api.ChallengeTypes, depth
|
||||||
"stage": ch.GetComponent(),
|
"stage": ch.GetComponent(),
|
||||||
"flow": fe.flowSlug,
|
"flow": fe.flowSlug,
|
||||||
}).Observe(float64(scsp.EndTime.Sub(scsp.StartTime)) / float64(time.Second))
|
}).Observe(float64(scsp.EndTime.Sub(scsp.StartTime)) / float64(time.Second))
|
||||||
FlowTimingPostLegacy.With(prometheus.Labels{
|
|
||||||
"stage": ch.GetComponent(),
|
|
||||||
"flow": fe.flowSlug,
|
|
||||||
}).Observe(float64(scsp.EndTime.Sub(scsp.StartTime)))
|
|
||||||
|
|
||||||
if depth >= 10 {
|
if depth >= 10 {
|
||||||
return false, errors.New("exceeded stage recursion depth")
|
return false, errors.New("exceeded stage recursion depth")
|
||||||
|
|
|
@ -22,11 +22,6 @@ func (ls *LDAPServer) Bind(bindDN string, bindPW string, conn net.Conn) (ldap.LD
|
||||||
"type": "bind",
|
"type": "bind",
|
||||||
"app": selectedApp,
|
"app": selectedApp,
|
||||||
}).Observe(float64(span.EndTime.Sub(span.StartTime)) / float64(time.Second))
|
}).Observe(float64(span.EndTime.Sub(span.StartTime)) / float64(time.Second))
|
||||||
metrics.RequestsLegacy.With(prometheus.Labels{
|
|
||||||
"outpost_name": ls.ac.Outpost.Name,
|
|
||||||
"type": "bind",
|
|
||||||
"app": selectedApp,
|
|
||||||
}).Observe(float64(span.EndTime.Sub(span.StartTime)))
|
|
||||||
req.Log().WithField("took-ms", span.EndTime.Sub(span.StartTime).Milliseconds()).Info("Bind request")
|
req.Log().WithField("took-ms", span.EndTime.Sub(span.StartTime).Milliseconds()).Info("Bind request")
|
||||||
}()
|
}()
|
||||||
|
|
||||||
|
@ -55,12 +50,6 @@ func (ls *LDAPServer) Bind(bindDN string, bindPW string, conn net.Conn) (ldap.LD
|
||||||
"reason": "no_provider",
|
"reason": "no_provider",
|
||||||
"app": "",
|
"app": "",
|
||||||
}).Inc()
|
}).Inc()
|
||||||
metrics.RequestsRejectedLegacy.With(prometheus.Labels{
|
|
||||||
"outpost_name": ls.ac.Outpost.Name,
|
|
||||||
"type": "bind",
|
|
||||||
"reason": "no_provider",
|
|
||||||
"app": "",
|
|
||||||
}).Inc()
|
|
||||||
|
|
||||||
return ldap.LDAPResultInsufficientAccessRights, nil
|
return ldap.LDAPResultInsufficientAccessRights, nil
|
||||||
}
|
}
|
||||||
|
|
|
@ -47,12 +47,6 @@ func (db *DirectBinder) Bind(username string, req *bind.Request) (ldap.LDAPResul
|
||||||
"reason": "flow_error",
|
"reason": "flow_error",
|
||||||
"app": db.si.GetAppSlug(),
|
"app": db.si.GetAppSlug(),
|
||||||
}).Inc()
|
}).Inc()
|
||||||
metrics.RequestsRejectedLegacy.With(prometheus.Labels{
|
|
||||||
"outpost_name": db.si.GetOutpostName(),
|
|
||||||
"type": "bind",
|
|
||||||
"reason": "flow_error",
|
|
||||||
"app": db.si.GetAppSlug(),
|
|
||||||
}).Inc()
|
|
||||||
req.Log().WithError(err).Warning("failed to execute flow")
|
req.Log().WithError(err).Warning("failed to execute flow")
|
||||||
return ldap.LDAPResultInvalidCredentials, nil
|
return ldap.LDAPResultInvalidCredentials, nil
|
||||||
}
|
}
|
||||||
|
@ -63,12 +57,6 @@ func (db *DirectBinder) Bind(username string, req *bind.Request) (ldap.LDAPResul
|
||||||
"reason": "invalid_credentials",
|
"reason": "invalid_credentials",
|
||||||
"app": db.si.GetAppSlug(),
|
"app": db.si.GetAppSlug(),
|
||||||
}).Inc()
|
}).Inc()
|
||||||
metrics.RequestsRejectedLegacy.With(prometheus.Labels{
|
|
||||||
"outpost_name": db.si.GetOutpostName(),
|
|
||||||
"type": "bind",
|
|
||||||
"reason": "invalid_credentials",
|
|
||||||
"app": db.si.GetAppSlug(),
|
|
||||||
}).Inc()
|
|
||||||
req.Log().Info("Invalid credentials")
|
req.Log().Info("Invalid credentials")
|
||||||
return ldap.LDAPResultInvalidCredentials, nil
|
return ldap.LDAPResultInvalidCredentials, nil
|
||||||
}
|
}
|
||||||
|
@ -82,12 +70,6 @@ func (db *DirectBinder) Bind(username string, req *bind.Request) (ldap.LDAPResul
|
||||||
"reason": "access_denied",
|
"reason": "access_denied",
|
||||||
"app": db.si.GetAppSlug(),
|
"app": db.si.GetAppSlug(),
|
||||||
}).Inc()
|
}).Inc()
|
||||||
metrics.RequestsRejectedLegacy.With(prometheus.Labels{
|
|
||||||
"outpost_name": db.si.GetOutpostName(),
|
|
||||||
"type": "bind",
|
|
||||||
"reason": "access_denied",
|
|
||||||
"app": db.si.GetAppSlug(),
|
|
||||||
}).Inc()
|
|
||||||
return ldap.LDAPResultInsufficientAccessRights, nil
|
return ldap.LDAPResultInsufficientAccessRights, nil
|
||||||
}
|
}
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -97,12 +79,6 @@ func (db *DirectBinder) Bind(username string, req *bind.Request) (ldap.LDAPResul
|
||||||
"reason": "access_check_fail",
|
"reason": "access_check_fail",
|
||||||
"app": db.si.GetAppSlug(),
|
"app": db.si.GetAppSlug(),
|
||||||
}).Inc()
|
}).Inc()
|
||||||
metrics.RequestsRejectedLegacy.With(prometheus.Labels{
|
|
||||||
"outpost_name": db.si.GetOutpostName(),
|
|
||||||
"type": "bind",
|
|
||||||
"reason": "access_check_fail",
|
|
||||||
"app": db.si.GetAppSlug(),
|
|
||||||
}).Inc()
|
|
||||||
req.Log().WithError(err).Warning("failed to check access")
|
req.Log().WithError(err).Warning("failed to check access")
|
||||||
return ldap.LDAPResultOperationsError, nil
|
return ldap.LDAPResultOperationsError, nil
|
||||||
}
|
}
|
||||||
|
@ -117,12 +93,6 @@ func (db *DirectBinder) Bind(username string, req *bind.Request) (ldap.LDAPResul
|
||||||
"reason": "user_info_fail",
|
"reason": "user_info_fail",
|
||||||
"app": db.si.GetAppSlug(),
|
"app": db.si.GetAppSlug(),
|
||||||
}).Inc()
|
}).Inc()
|
||||||
metrics.RequestsRejectedLegacy.With(prometheus.Labels{
|
|
||||||
"outpost_name": db.si.GetOutpostName(),
|
|
||||||
"type": "bind",
|
|
||||||
"reason": "user_info_fail",
|
|
||||||
"app": db.si.GetAppSlug(),
|
|
||||||
}).Inc()
|
|
||||||
req.Log().WithError(err).Warning("failed to get user info")
|
req.Log().WithError(err).Warning("failed to get user info")
|
||||||
return ldap.LDAPResultOperationsError, nil
|
return ldap.LDAPResultOperationsError, nil
|
||||||
}
|
}
|
||||||
|
|
|
@ -22,16 +22,6 @@ var (
|
||||||
Name: "authentik_outpost_ldap_requests_rejected_total",
|
Name: "authentik_outpost_ldap_requests_rejected_total",
|
||||||
Help: "Total number of rejected requests",
|
Help: "Total number of rejected requests",
|
||||||
}, []string{"outpost_name", "type", "reason", "app"})
|
}, []string{"outpost_name", "type", "reason", "app"})
|
||||||
|
|
||||||
// NOTE: the following metrics are kept for compatibility purpose
|
|
||||||
RequestsLegacy = promauto.NewHistogramVec(prometheus.HistogramOpts{
|
|
||||||
Name: "authentik_outpost_ldap_requests",
|
|
||||||
Help: "The total number of configured providers",
|
|
||||||
}, []string{"outpost_name", "type", "app"})
|
|
||||||
RequestsRejectedLegacy = promauto.NewCounterVec(prometheus.CounterOpts{
|
|
||||||
Name: "authentik_outpost_ldap_requests_rejected",
|
|
||||||
Help: "Total number of rejected requests",
|
|
||||||
}, []string{"outpost_name", "type", "reason", "app"})
|
|
||||||
)
|
)
|
||||||
|
|
||||||
func RunServer() {
|
func RunServer() {
|
||||||
|
|
|
@ -23,11 +23,6 @@ func (ls *LDAPServer) Search(bindDN string, searchReq ldap.SearchRequest, conn n
|
||||||
"type": "search",
|
"type": "search",
|
||||||
"app": selectedApp,
|
"app": selectedApp,
|
||||||
}).Observe(float64(span.EndTime.Sub(span.StartTime)) / float64(time.Second))
|
}).Observe(float64(span.EndTime.Sub(span.StartTime)) / float64(time.Second))
|
||||||
metrics.RequestsLegacy.With(prometheus.Labels{
|
|
||||||
"outpost_name": ls.ac.Outpost.Name,
|
|
||||||
"type": "search",
|
|
||||||
"app": selectedApp,
|
|
||||||
}).Observe(float64(span.EndTime.Sub(span.StartTime)))
|
|
||||||
req.Log().WithField("attributes", searchReq.Attributes).WithField("took-ms", span.EndTime.Sub(span.StartTime).Milliseconds()).Info("Search request")
|
req.Log().WithField("attributes", searchReq.Attributes).WithField("took-ms", span.EndTime.Sub(span.StartTime).Milliseconds()).Info("Search request")
|
||||||
}()
|
}()
|
||||||
|
|
||||||
|
|
|
@ -45,12 +45,6 @@ func (ds *DirectSearcher) Search(req *search.Request) (ldap.ServerSearchResult,
|
||||||
"reason": "empty_bind_dn",
|
"reason": "empty_bind_dn",
|
||||||
"app": ds.si.GetAppSlug(),
|
"app": ds.si.GetAppSlug(),
|
||||||
}).Inc()
|
}).Inc()
|
||||||
metrics.RequestsRejectedLegacy.With(prometheus.Labels{
|
|
||||||
"outpost_name": ds.si.GetOutpostName(),
|
|
||||||
"type": "search",
|
|
||||||
"reason": "empty_bind_dn",
|
|
||||||
"app": ds.si.GetAppSlug(),
|
|
||||||
}).Inc()
|
|
||||||
return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, fmt.Errorf("Search Error: Anonymous BindDN not allowed %s", req.BindDN)
|
return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, fmt.Errorf("Search Error: Anonymous BindDN not allowed %s", req.BindDN)
|
||||||
}
|
}
|
||||||
if !utils.HasSuffixNoCase(req.BindDN, ","+baseDN) {
|
if !utils.HasSuffixNoCase(req.BindDN, ","+baseDN) {
|
||||||
|
@ -60,12 +54,6 @@ func (ds *DirectSearcher) Search(req *search.Request) (ldap.ServerSearchResult,
|
||||||
"reason": "invalid_bind_dn",
|
"reason": "invalid_bind_dn",
|
||||||
"app": ds.si.GetAppSlug(),
|
"app": ds.si.GetAppSlug(),
|
||||||
}).Inc()
|
}).Inc()
|
||||||
metrics.RequestsRejectedLegacy.With(prometheus.Labels{
|
|
||||||
"outpost_name": ds.si.GetOutpostName(),
|
|
||||||
"type": "search",
|
|
||||||
"reason": "invalid_bind_dn",
|
|
||||||
"app": ds.si.GetAppSlug(),
|
|
||||||
}).Inc()
|
|
||||||
return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, fmt.Errorf("Search Error: BindDN %s not in our BaseDN %s", req.BindDN, ds.si.GetBaseDN())
|
return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, fmt.Errorf("Search Error: BindDN %s not in our BaseDN %s", req.BindDN, ds.si.GetBaseDN())
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -78,12 +66,6 @@ func (ds *DirectSearcher) Search(req *search.Request) (ldap.ServerSearchResult,
|
||||||
"reason": "user_info_not_cached",
|
"reason": "user_info_not_cached",
|
||||||
"app": ds.si.GetAppSlug(),
|
"app": ds.si.GetAppSlug(),
|
||||||
}).Inc()
|
}).Inc()
|
||||||
metrics.RequestsRejectedLegacy.With(prometheus.Labels{
|
|
||||||
"outpost_name": ds.si.GetOutpostName(),
|
|
||||||
"type": "search",
|
|
||||||
"reason": "user_info_not_cached",
|
|
||||||
"app": ds.si.GetAppSlug(),
|
|
||||||
}).Inc()
|
|
||||||
return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, errors.New("access denied")
|
return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, errors.New("access denied")
|
||||||
}
|
}
|
||||||
accsp.Finish()
|
accsp.Finish()
|
||||||
|
@ -96,12 +78,6 @@ func (ds *DirectSearcher) Search(req *search.Request) (ldap.ServerSearchResult,
|
||||||
"reason": "filter_parse_fail",
|
"reason": "filter_parse_fail",
|
||||||
"app": ds.si.GetAppSlug(),
|
"app": ds.si.GetAppSlug(),
|
||||||
}).Inc()
|
}).Inc()
|
||||||
metrics.RequestsRejectedLegacy.With(prometheus.Labels{
|
|
||||||
"outpost_name": ds.si.GetOutpostName(),
|
|
||||||
"type": "search",
|
|
||||||
"reason": "filter_parse_fail",
|
|
||||||
"app": ds.si.GetAppSlug(),
|
|
||||||
}).Inc()
|
|
||||||
return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultOperationsError}, fmt.Errorf("Search Error: error parsing filter: %s", req.Filter)
|
return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultOperationsError}, fmt.Errorf("Search Error: error parsing filter: %s", req.Filter)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -62,12 +62,6 @@ func (ms *MemorySearcher) Search(req *search.Request) (ldap.ServerSearchResult,
|
||||||
"reason": "empty_bind_dn",
|
"reason": "empty_bind_dn",
|
||||||
"app": ms.si.GetAppSlug(),
|
"app": ms.si.GetAppSlug(),
|
||||||
}).Inc()
|
}).Inc()
|
||||||
metrics.RequestsRejectedLegacy.With(prometheus.Labels{
|
|
||||||
"outpost_name": ms.si.GetOutpostName(),
|
|
||||||
"type": "search",
|
|
||||||
"reason": "empty_bind_dn",
|
|
||||||
"app": ms.si.GetAppSlug(),
|
|
||||||
}).Inc()
|
|
||||||
return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, fmt.Errorf("Search Error: Anonymous BindDN not allowed %s", req.BindDN)
|
return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, fmt.Errorf("Search Error: Anonymous BindDN not allowed %s", req.BindDN)
|
||||||
}
|
}
|
||||||
if !utils.HasSuffixNoCase(req.BindDN, ","+baseDN) {
|
if !utils.HasSuffixNoCase(req.BindDN, ","+baseDN) {
|
||||||
|
@ -77,12 +71,6 @@ func (ms *MemorySearcher) Search(req *search.Request) (ldap.ServerSearchResult,
|
||||||
"reason": "invalid_bind_dn",
|
"reason": "invalid_bind_dn",
|
||||||
"app": ms.si.GetAppSlug(),
|
"app": ms.si.GetAppSlug(),
|
||||||
}).Inc()
|
}).Inc()
|
||||||
metrics.RequestsRejectedLegacy.With(prometheus.Labels{
|
|
||||||
"outpost_name": ms.si.GetOutpostName(),
|
|
||||||
"type": "search",
|
|
||||||
"reason": "invalid_bind_dn",
|
|
||||||
"app": ms.si.GetAppSlug(),
|
|
||||||
}).Inc()
|
|
||||||
return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, fmt.Errorf("Search Error: BindDN %s not in our BaseDN %s", req.BindDN, ms.si.GetBaseDN())
|
return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, fmt.Errorf("Search Error: BindDN %s not in our BaseDN %s", req.BindDN, ms.si.GetBaseDN())
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -95,12 +83,6 @@ func (ms *MemorySearcher) Search(req *search.Request) (ldap.ServerSearchResult,
|
||||||
"reason": "user_info_not_cached",
|
"reason": "user_info_not_cached",
|
||||||
"app": ms.si.GetAppSlug(),
|
"app": ms.si.GetAppSlug(),
|
||||||
}).Inc()
|
}).Inc()
|
||||||
metrics.RequestsRejectedLegacy.With(prometheus.Labels{
|
|
||||||
"outpost_name": ms.si.GetOutpostName(),
|
|
||||||
"type": "search",
|
|
||||||
"reason": "user_info_not_cached",
|
|
||||||
"app": ms.si.GetAppSlug(),
|
|
||||||
}).Inc()
|
|
||||||
return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, errors.New("access denied")
|
return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, errors.New("access denied")
|
||||||
}
|
}
|
||||||
accsp.Finish()
|
accsp.Finish()
|
||||||
|
|
|
@ -22,11 +22,6 @@ func (ls *LDAPServer) Unbind(boundDN string, conn net.Conn) (ldap.LDAPResultCode
|
||||||
"type": "unbind",
|
"type": "unbind",
|
||||||
"app": selectedApp,
|
"app": selectedApp,
|
||||||
}).Observe(float64(span.EndTime.Sub(span.StartTime)) / float64(time.Second))
|
}).Observe(float64(span.EndTime.Sub(span.StartTime)) / float64(time.Second))
|
||||||
metrics.RequestsLegacy.With(prometheus.Labels{
|
|
||||||
"outpost_name": ls.ac.Outpost.Name,
|
|
||||||
"type": "unbind",
|
|
||||||
"app": selectedApp,
|
|
||||||
}).Observe(float64(span.EndTime.Sub(span.StartTime)))
|
|
||||||
req.Log().WithField("took-ms", span.EndTime.Sub(span.StartTime).Milliseconds()).Info("Unbind request")
|
req.Log().WithField("took-ms", span.EndTime.Sub(span.StartTime).Milliseconds()).Info("Unbind request")
|
||||||
}()
|
}()
|
||||||
|
|
||||||
|
@ -55,11 +50,5 @@ func (ls *LDAPServer) Unbind(boundDN string, conn net.Conn) (ldap.LDAPResultCode
|
||||||
"reason": "no_provider",
|
"reason": "no_provider",
|
||||||
"app": "",
|
"app": "",
|
||||||
}).Inc()
|
}).Inc()
|
||||||
metrics.RequestsRejectedLegacy.With(prometheus.Labels{
|
|
||||||
"outpost_name": ls.ac.Outpost.Name,
|
|
||||||
"type": "unbind",
|
|
||||||
"reason": "no_provider",
|
|
||||||
"app": "",
|
|
||||||
}).Inc()
|
|
||||||
return ldap.LDAPResultOperationsError, nil
|
return ldap.LDAPResultOperationsError, nil
|
||||||
}
|
}
|
||||||
|
|
|
@ -173,12 +173,6 @@ func NewApplication(p api.ProxyOutpostConfig, c *http.Client, server Server) (*A
|
||||||
"method": r.Method,
|
"method": r.Method,
|
||||||
"host": web.GetHost(r),
|
"host": web.GetHost(r),
|
||||||
}).Observe(float64(elapsed) / float64(time.Second))
|
}).Observe(float64(elapsed) / float64(time.Second))
|
||||||
metrics.RequestsLegacy.With(prometheus.Labels{
|
|
||||||
"outpost_name": a.outpostName,
|
|
||||||
"type": "app",
|
|
||||||
"method": r.Method,
|
|
||||||
"host": web.GetHost(r),
|
|
||||||
}).Observe(float64(elapsed))
|
|
||||||
})
|
})
|
||||||
})
|
})
|
||||||
if server.API().GlobalConfig.ErrorReporting.Enabled {
|
if server.API().GlobalConfig.ErrorReporting.Enabled {
|
||||||
|
@ -241,7 +235,10 @@ func (a *Application) Mode() api.ProxyMode {
|
||||||
return *a.proxyConfig.Mode
|
return *a.proxyConfig.Mode
|
||||||
}
|
}
|
||||||
|
|
||||||
func (a *Application) HasQuerySignature(r *http.Request) bool {
|
func (a *Application) ShouldHandleURL(r *http.Request) bool {
|
||||||
|
if strings.HasPrefix(r.URL.Path, "/outpost.goauthentik.io") {
|
||||||
|
return true
|
||||||
|
}
|
||||||
if strings.EqualFold(r.URL.Query().Get(CallbackSignature), "true") {
|
if strings.EqualFold(r.URL.Query().Get(CallbackSignature), "true") {
|
||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
|
|
|
@ -64,13 +64,6 @@ func (a *Application) configureProxy() error {
|
||||||
"scheme": r.URL.Scheme,
|
"scheme": r.URL.Scheme,
|
||||||
"host": web.GetHost(r),
|
"host": web.GetHost(r),
|
||||||
}).Observe(float64(elapsed) / float64(time.Second))
|
}).Observe(float64(elapsed) / float64(time.Second))
|
||||||
metrics.UpstreamTimingLegacy.With(prometheus.Labels{
|
|
||||||
"outpost_name": a.outpostName,
|
|
||||||
"upstream_host": r.URL.Host,
|
|
||||||
"method": r.Method,
|
|
||||||
"scheme": r.URL.Scheme,
|
|
||||||
"host": web.GetHost(r),
|
|
||||||
}).Observe(float64(elapsed))
|
|
||||||
})
|
})
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
|
@ -71,7 +71,7 @@ func (a *Application) getStore(p api.ProxyOutpostConfig, externalHost *url.URL)
|
||||||
cs.Options.Domain = *p.CookieDomain
|
cs.Options.Domain = *p.CookieDomain
|
||||||
cs.Options.SameSite = http.SameSiteLaxMode
|
cs.Options.SameSite = http.SameSiteLaxMode
|
||||||
cs.Options.MaxAge = maxAge
|
cs.Options.MaxAge = maxAge
|
||||||
cs.Options.Path = externalHost.Path
|
cs.Options.Path = "/"
|
||||||
a.log.WithField("dir", dir).Trace("using filesystem session backend")
|
a.log.WithField("dir", dir).Trace("using filesystem session backend")
|
||||||
return cs
|
return cs
|
||||||
}
|
}
|
||||||
|
@ -131,7 +131,6 @@ func (a *Application) Logout(ctx context.Context, filter func(c Claims) bool) er
|
||||||
}
|
}
|
||||||
if rs, ok := a.sessions.(*redisstore.RedisStore); ok {
|
if rs, ok := a.sessions.(*redisstore.RedisStore); ok {
|
||||||
client := rs.Client()
|
client := rs.Client()
|
||||||
defer client.Close()
|
|
||||||
keys, err := client.Keys(ctx, fmt.Sprintf("%s*", RedisKeyPrefix)).Result()
|
keys, err := client.Keys(ctx, fmt.Sprintf("%s*", RedisKeyPrefix)).Result()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
|
|
|
@ -26,12 +26,6 @@ func (ps *ProxyServer) HandlePing(rw http.ResponseWriter, r *http.Request) {
|
||||||
"host": web.GetHost(r),
|
"host": web.GetHost(r),
|
||||||
"type": "ping",
|
"type": "ping",
|
||||||
}).Observe(float64(elapsed) / float64(time.Second))
|
}).Observe(float64(elapsed) / float64(time.Second))
|
||||||
metrics.RequestsLegacy.With(prometheus.Labels{
|
|
||||||
"outpost_name": ps.akAPI.Outpost.Name,
|
|
||||||
"method": r.Method,
|
|
||||||
"host": web.GetHost(r),
|
|
||||||
"type": "ping",
|
|
||||||
}).Observe(float64(elapsed))
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func (ps *ProxyServer) HandleStatic(rw http.ResponseWriter, r *http.Request) {
|
func (ps *ProxyServer) HandleStatic(rw http.ResponseWriter, r *http.Request) {
|
||||||
|
@ -44,12 +38,6 @@ func (ps *ProxyServer) HandleStatic(rw http.ResponseWriter, r *http.Request) {
|
||||||
"host": web.GetHost(r),
|
"host": web.GetHost(r),
|
||||||
"type": "static",
|
"type": "static",
|
||||||
}).Observe(float64(elapsed) / float64(time.Second))
|
}).Observe(float64(elapsed) / float64(time.Second))
|
||||||
metrics.RequestsLegacy.With(prometheus.Labels{
|
|
||||||
"outpost_name": ps.akAPI.Outpost.Name,
|
|
||||||
"method": r.Method,
|
|
||||||
"host": web.GetHost(r),
|
|
||||||
"type": "static",
|
|
||||||
}).Observe(float64(elapsed))
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func (ps *ProxyServer) lookupApp(r *http.Request) (*application.Application, string) {
|
func (ps *ProxyServer) lookupApp(r *http.Request) (*application.Application, string) {
|
||||||
|
|
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue