Compare commits

...
This repository has been archived on 2024-05-31. You can view files and clone it, but cannot push or open issues or pull requests.

10 Commits

Author SHA1 Message Date
Jens Langhammer def0a42bf1
release: 2022.10.4 2022-12-23 14:19:17 +01:00
Jens Langhammer 727e55e44b
web: backport API update
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-12-23 14:19:10 +01:00
Jens L cd88b91686
security: fix CVE 2022 23555 (#4274)
* add flow to invitation

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* show warning on invitation page

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* add security advisory

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* add tests

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-12-23 14:18:13 +01:00
Jens L 8eb73d3a16
security: fix CVE 2022 46172 (#4275)
* fallback to current user in user_write, add flag to disable user creation

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* update api and web ui

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* update default flows

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* add cve post to website

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* add tests

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-12-23 14:18:09 +01:00
Jens Langhammer 83f46f6ff1 release: 2022.10.3 2022-12-02 23:01:17 +02:00
Jens Langhammer 0e7cc6da4c web: bump API version
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-12-02 22:51:09 +02:00
Jens Langhammer a262171671 release: 2022.10.2 2022-12-01 10:40:58 +02:00
Jens Langhammer 87b8ca7be4 *: backport CVE-2022-46145 fix
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-12-01 10:40:51 +02:00
Jens Langhammer cc8dc1403f root: include security policy in website container
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-11-30 13:05:02 +02:00
Jens Langhammer f21a196a3b root: rework and expand security policy
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

# Conflicts:
#	SECURITY.md
2022-11-30 13:04:50 +02:00
60 changed files with 743 additions and 169 deletions

View File

@ -1,5 +1,5 @@
[bumpversion]
current_version = 2022.10.1
current_version = 2022.10.4
tag = True
commit = True
parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)

View File

@ -17,24 +17,24 @@ diverse, inclusive, and healthy community.
Examples of behavior that contributes to a positive environment for our
community include:
* Demonstrating empathy and kindness toward other people
* Being respectful of differing opinions, viewpoints, and experiences
* Giving and gracefully accepting constructive feedback
* Accepting responsibility and apologizing to those affected by our mistakes,
and learning from the experience
* Focusing on what is best not just for us as individuals, but for the
overall community
- Demonstrating empathy and kindness toward other people
- Being respectful of differing opinions, viewpoints, and experiences
- Giving and gracefully accepting constructive feedback
- Accepting responsibility and apologizing to those affected by our mistakes,
and learning from the experience
- Focusing on what is best not just for us as individuals, but for the
overall community
Examples of unacceptable behavior include:
* The use of sexualized language or imagery, and sexual attention or
advances of any kind
* Trolling, insulting or derogatory comments, and personal or political attacks
* Public or private harassment
* Publishing others' private information, such as a physical or email
address, without their explicit permission
* Other conduct which could reasonably be considered inappropriate in a
professional setting
- The use of sexualized language or imagery, and sexual attention or
advances of any kind
- Trolling, insulting or derogatory comments, and personal or political attacks
- Public or private harassment
- Publishing others' private information, such as a physical or email
address, without their explicit permission
- Other conduct which could reasonably be considered inappropriate in a
professional setting
## Enforcement Responsibilities
@ -106,7 +106,7 @@ Violating these terms may lead to a permanent ban.
### 4. Permanent Ban
**Community Impact**: Demonstrating a pattern of violation of community
standards, including sustained inappropriate behavior, harassment of an
standards, including sustained inappropriate behavior, harassment of an
individual, or aggression toward or disparagement of classes of individuals.
**Consequence**: A permanent ban from any sort of public interaction within

View File

@ -11,19 +11,22 @@ The following is a set of guidelines for contributing to authentik and its compo
[I don't want to read this whole thing, I just have a question!!!](#i-dont-want-to-read-this-whole-thing-i-just-have-a-question)
[What should I know before I get started?](#what-should-i-know-before-i-get-started)
* [The components](#the-components)
* [authentik's structure](#authentiks-structure)
- [The components](#the-components)
- [authentik's structure](#authentiks-structure)
[How Can I Contribute?](#how-can-i-contribute)
* [Reporting Bugs](#reporting-bugs)
* [Suggesting Enhancements](#suggesting-enhancements)
* [Your First Code Contribution](#your-first-code-contribution)
* [Pull Requests](#pull-requests)
- [Reporting Bugs](#reporting-bugs)
- [Suggesting Enhancements](#suggesting-enhancements)
- [Your First Code Contribution](#your-first-code-contribution)
- [Pull Requests](#pull-requests)
[Styleguides](#styleguides)
* [Git Commit Messages](#git-commit-messages)
* [Python Styleguide](#python-styleguide)
* [Documentation Styleguide](#documentation-styleguide)
- [Git Commit Messages](#git-commit-messages)
- [Python Styleguide](#python-styleguide)
- [Documentation Styleguide](#documentation-styleguide)
## Code of Conduct
@ -39,11 +42,11 @@ Either [create a question on GitHub](https://github.com/goauthentik/authentik/is
authentik consists of a few larger components:
- *authentik* the actual application server, is described below.
- *outpost-proxy* is a Go application based on a forked version of oauth2_proxy, which does identity-aware reverse proxying.
- *outpost-ldap* is a Go LDAP server that uses the *authentik* application server as its backend
- *web* is the web frontend, both for administrating and using authentik. It is written in TypeScript using lit-html and the PatternFly CSS Library.
- *website* is the Website/documentation, which uses docusaurus.
- _authentik_ the actual application server, is described below.
- _outpost-proxy_ is a Go application based on a forked version of oauth2_proxy, which does identity-aware reverse proxying.
- _outpost-ldap_ is a Go LDAP server that uses the _authentik_ application server as its backend
- _web_ is the web frontend, both for administrating and using authentik. It is written in TypeScript using lit-html and the PatternFly CSS Library.
- _website_ is the Website/documentation, which uses docusaurus.
### authentik's structure
@ -137,10 +140,10 @@ This is documented in the [developer docs](https://goauthentik.io/developer-docs
The process described here has several goals:
- Maintain authentik's quality
- Fix problems that are important to users
- Engage the community in working toward the best possible authentik
- Enable a sustainable system for authentik's maintainers to review contributions
- Maintain authentik's quality
- Fix problems that are important to users
- Engage the community in working toward the best possible authentik
- Enable a sustainable system for authentik's maintainers to review contributions
Please follow these steps to have your contribution considered by the maintainers:
@ -154,10 +157,10 @@ While the prerequisites above must be satisfied prior to having your pull reques
### Git Commit Messages
* Use the format of `<package>: <verb> <description>`
- See [here](#authentik-packages) for `package`
- Example: `providers/saml2: fix parsing of requests`
* Reference issues and pull requests liberally after the first line
- Use the format of `<package>: <verb> <description>`
- See [here](#authentik-packages) for `package`
- Example: `providers/saml2: fix parsing of requests`
- Reference issues and pull requests liberally after the first line
### Python Styleguide
@ -165,11 +168,11 @@ All Python code is linted with [black](https://black.readthedocs.io/en/stable/),
authentik runs on Python 3.9 at the time of writing this.
* Use native type-annotations wherever possible.
* Add meaningful docstrings when possible.
* Ensure any database migrations work properly from the last stable version (this is checked via CI)
* If your code changes central functions, make sure nothing else is broken.
- Use native type-annotations wherever possible.
- Add meaningful docstrings when possible.
- Ensure any database migrations work properly from the last stable version (this is checked via CI)
- If your code changes central functions, make sure nothing else is broken.
### Documentation Styleguide
* Use [MDX](https://mdxjs.com/) whenever appropriate.
- Use [MDX](https://mdxjs.com/) whenever appropriate.

View File

@ -3,6 +3,7 @@ FROM --platform=${BUILDPLATFORM} docker.io/node:18 as website-builder
COPY ./website /work/website/
COPY ./blueprints /work/blueprints/
COPY ./SECURITY.md /work/
ENV NODE_ENV=production
WORKDIR /work/website

View File

@ -26,10 +26,10 @@ For bigger setups, there is a Helm Chart [here](https://github.com/goauthentik/h
## Screenshots
Light | Dark
--- | ---
![](https://goauthentik.io/img/screen_apps_light.jpg) | ![](https://goauthentik.io/img/screen_apps_dark.jpg)
![](https://goauthentik.io/img/screen_admin_light.jpg) | ![](https://goauthentik.io/img/screen_admin_dark.jpg)
| Light | Dark |
| ------------------------------------------------------ | ----------------------------------------------------- |
| ![](https://goauthentik.io/img/screen_apps_light.jpg) | ![](https://goauthentik.io/img/screen_apps_dark.jpg) |
| ![](https://goauthentik.io/img/screen_admin_light.jpg) | ![](https://goauthentik.io/img/screen_admin_dark.jpg) |
## Development

View File

@ -1,17 +1,43 @@
# Security Policy
Authentik takes security very seriously. We follow the rules of [responsible disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure), and we urge our community to do so as well, instead of reporting vulnerabilities publicly. This allows us to patch the issue quickly, announce it's existence and release the fixed version.
## Supported Versions
(.x being the latest patch release for each version)
| Version | Supported |
| ---------- | ------------------ |
| 2022.9.x | :white_check_mark: |
| 2022.10.x | :white_check_mark: |
| Version | Supported |
| --------- | ------------------ |
| 2022.10.x | :white_check_mark: |
| 2022.11.x | :white_check_mark: |
## Reporting a Vulnerability
To report a vulnerability, send an email to [security@goauthentik.io](mailto:security@goauthentik.io)
To report a vulnerability, send an email to [security@goauthentik.io](mailto:security@goauthentik.io). Be sure to include relevant information like which version you've found the issue in, instructions on how to reproduce the issue, and anything else that might make it easier for us to find the bug.
## Criticality levels
### High
- Authorization bypass
- Circumvention of policies
### Moderate
- Denial-of-Service attacks
### Low
- Unvalidated redirects
- Issues requiring uncommon setups
## Disclosure process
1. Issue is reported via Email as listed above.
2. The authentik Security team will try to reproduce the issue and ask for more information if required.
3. A criticality level is assigned.
4. A fix is created, and if possible tested by the issue reporter.
5. The fix is backported to other supported versions, and if possible a workaround for other versions is created.
6. An announcement is sent out with a fixed release date and criticality level of the issue. The announcement will be sent at least 24 hours before the release of the fix
7. The fixed version is released for the supported versions.
## Getting security notifications

View File

@ -2,7 +2,7 @@
from os import environ
from typing import Optional
__version__ = "2022.10.1"
__version__ = "2022.10.4"
ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"

View File

@ -72,6 +72,7 @@ class FlowSerializer(ModelSerializer):
"export_url",
"layout",
"denied_action",
"authentication",
]
extra_kwargs = {
"background": {"read_only": True},

View File

@ -1,4 +1,6 @@
"""flow exceptions"""
from typing import Optional
from django.utils.translation import gettext_lazy as _
from authentik.lib.sentry import SentryIgnoredException
@ -6,15 +8,15 @@ from authentik.policies.types import PolicyResult
class FlowNonApplicableException(SentryIgnoredException):
"""Flow does not apply to current user (denied by policy)."""
"""Flow does not apply to current user (denied by policy, or otherwise)."""
policy_result: PolicyResult
policy_result: Optional[PolicyResult] = None
@property
def messages(self) -> str:
"""Get messages from policy result, fallback to generic reason"""
if len(self.policy_result.messages) < 1:
return _("Flow does not apply to current user (denied by policy).")
if not self.policy_result or len(self.policy_result.messages) < 1:
return _("Flow does not apply to current user.")
return "\n".join(self.policy_result.messages)

View File

@ -0,0 +1,27 @@
# Generated by Django 4.1.3 on 2022-11-30 09:04
from django.db import migrations, models
class Migration(migrations.Migration):
dependencies = [
("authentik_flows", "0023_flow_denied_action"),
]
operations = [
migrations.AddField(
model_name="flow",
name="authentication",
field=models.TextField(
choices=[
("none", "None"),
("require_authenticated", "Require Authenticated"),
("require_unauthenticated", "Require Unauthenticated"),
("require_superuser", "Require Superuser"),
],
default="none",
help_text="Required level of authentication and authorization to access a flow.",
),
),
]

View File

@ -23,6 +23,15 @@ if TYPE_CHECKING:
LOGGER = get_logger()
class FlowAuthenticationRequirement(models.TextChoices):
"""Required level of authentication and authorization to access a flow"""
NONE = "none"
REQUIRE_AUTHENTICATED = "require_authenticated"
REQUIRE_UNAUTHENTICATED = "require_unauthenticated"
REQUIRE_SUPERUSER = "require_superuser"
class NotConfiguredAction(models.TextChoices):
"""Decides how the FlowExecutor should proceed when a stage isn't configured"""
@ -152,6 +161,12 @@ class Flow(SerializerModel, PolicyBindingModel):
help_text=_("Configure what should happen when a flow denies access to a user."),
)
authentication = models.TextField(
choices=FlowAuthenticationRequirement.choices,
default=FlowAuthenticationRequirement.NONE,
help_text=_("Required level of authentication and authorization to access a flow."),
)
@property
def background_url(self) -> str:
"""Get the URL to the background image. If the name is /static or starts with http

View File

@ -13,7 +13,14 @@ from authentik.events.models import cleanse_dict
from authentik.flows.apps import HIST_FLOWS_PLAN_TIME
from authentik.flows.exceptions import EmptyFlowException, FlowNonApplicableException
from authentik.flows.markers import ReevaluateMarker, StageMarker
from authentik.flows.models import Flow, FlowDesignation, FlowStageBinding, Stage, in_memory_stage
from authentik.flows.models import (
Flow,
FlowAuthenticationRequirement,
FlowDesignation,
FlowStageBinding,
Stage,
in_memory_stage,
)
from authentik.lib.config import CONFIG
from authentik.policies.engine import PolicyEngine
@ -116,11 +123,30 @@ class FlowPlanner:
self.flow = flow
self._logger = get_logger().bind(flow_slug=flow.slug)
def _check_authentication(self, request: HttpRequest):
"""Check the flow's authentication level is matched by `request`"""
if (
self.flow.authentication == FlowAuthenticationRequirement.REQUIRE_AUTHENTICATED
and not request.user.is_authenticated
):
raise FlowNonApplicableException()
if (
self.flow.authentication == FlowAuthenticationRequirement.REQUIRE_UNAUTHENTICATED
and request.user.is_authenticated
):
raise FlowNonApplicableException()
if (
self.flow.authentication == FlowAuthenticationRequirement.REQUIRE_SUPERUSER
and not request.user.is_superuser
):
raise FlowNonApplicableException()
def plan(
self, request: HttpRequest, default_context: Optional[dict[str, Any]] = None
) -> FlowPlan:
"""Check each of the flows' policies, check policies for each stage with PolicyBinding
and return ordered list"""
self._check_authentication(request)
with Hub.current.start_span(
op="authentik.flow.planner.plan", description=self.flow.slug
) as span:

View File

@ -1,6 +1,7 @@
"""flow planner tests"""
from unittest.mock import MagicMock, Mock, PropertyMock, patch
from django.contrib.auth.models import AnonymousUser
from django.contrib.sessions.middleware import SessionMiddleware
from django.core.cache import cache
from django.test import RequestFactory, TestCase
@ -8,10 +9,10 @@ from django.urls import reverse
from guardian.shortcuts import get_anonymous_user
from authentik.core.models import User
from authentik.core.tests.utils import create_test_flow
from authentik.core.tests.utils import create_test_admin_user, create_test_flow
from authentik.flows.exceptions import EmptyFlowException, FlowNonApplicableException
from authentik.flows.markers import ReevaluateMarker, StageMarker
from authentik.flows.models import FlowDesignation, FlowStageBinding
from authentik.flows.models import FlowAuthenticationRequirement, FlowDesignation, FlowStageBinding
from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlanner, cache_key
from authentik.lib.tests.utils import dummy_get_response
from authentik.policies.dummy.models import DummyPolicy
@ -43,6 +44,30 @@ class TestFlowPlanner(TestCase):
planner = FlowPlanner(flow)
planner.plan(request)
def test_authentication(self):
"""Test flow authentication"""
flow = create_test_flow()
flow.authentication = FlowAuthenticationRequirement.NONE
request = self.request_factory.get(
reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
)
request.user = AnonymousUser()
planner = FlowPlanner(flow)
planner.allow_empty_flows = True
planner.plan(request)
with self.assertRaises(FlowNonApplicableException):
flow.authentication = FlowAuthenticationRequirement.REQUIRE_AUTHENTICATED
FlowPlanner(flow).plan(request)
with self.assertRaises(FlowNonApplicableException):
flow.authentication = FlowAuthenticationRequirement.REQUIRE_SUPERUSER
FlowPlanner(flow).plan(request)
request.user = create_test_admin_user()
planner = FlowPlanner(flow)
planner.allow_empty_flows = True
planner.plan(request)
@patch(
"authentik.policies.engine.PolicyEngine.result",
POLICY_RETURN_FALSE,

View File

@ -8,6 +8,7 @@ from rest_framework.viewsets import ModelViewSet
from authentik.core.api.groups import GroupMemberSerializer
from authentik.core.api.used_by import UsedByMixin
from authentik.core.api.utils import is_dict
from authentik.flows.api.flows import FlowSerializer
from authentik.flows.api.stages import StageSerializer
from authentik.stages.invitation.models import Invitation, InvitationStage
@ -49,6 +50,7 @@ class InvitationSerializer(ModelSerializer):
created_by = GroupMemberSerializer(read_only=True)
fixed_data = JSONField(validators=[is_dict], required=False)
flow_obj = FlowSerializer(read_only=True, required=False, source="flow")
class Meta:
@ -60,6 +62,8 @@ class InvitationSerializer(ModelSerializer):
"fixed_data",
"created_by",
"single_use",
"flow",
"flow_obj",
]
@ -69,8 +73,8 @@ class InvitationViewSet(UsedByMixin, ModelViewSet):
queryset = Invitation.objects.all()
serializer_class = InvitationSerializer
ordering = ["-expires"]
search_fields = ["name", "created_by__username", "expires"]
filterset_fields = ["name", "created_by__username", "expires"]
search_fields = ["name", "created_by__username", "expires", "flow__slug"]
filterset_fields = ["name", "created_by__username", "expires", "flow__slug"]
def perform_create(self, serializer: InvitationSerializer):
serializer.save(created_by=self.request.user)

View File

@ -0,0 +1,26 @@
# Generated by Django 4.1.4 on 2022-12-20 13:43
import django.db.models.deletion
from django.db import migrations, models
class Migration(migrations.Migration):
dependencies = [
("authentik_flows", "0024_flow_authentication"),
("authentik_stages_invitation", "0001_squashed_0006_invitation_name"),
]
operations = [
migrations.AddField(
model_name="invitation",
name="flow",
field=models.ForeignKey(
default=None,
help_text="When set, only the configured flow can use this invitation.",
null=True,
on_delete=django.db.models.deletion.SET_DEFAULT,
to="authentik_flows.flow",
),
),
]

View File

@ -55,6 +55,13 @@ class Invitation(SerializerModel, ExpiringModel):
name = models.SlugField()
flow = models.ForeignKey(
"authentik_flows.Flow",
default=None,
null=True,
on_delete=models.SET_DEFAULT,
help_text=_("When set, only the configured flow can use this invitation."),
)
single_use = models.BooleanField(
default=False,
help_text=_("When enabled, the invitation will be deleted after usage."),

View File

@ -37,22 +37,30 @@ class InvitationStageView(StageView):
return self.executor.plan.context[PLAN_CONTEXT_PROMPT][INVITATION_TOKEN_KEY_CONTEXT]
return None
def get_invite(self) -> Optional[Invitation]:
"""Check the token, find the invite and check it's flow"""
token = self.get_token()
if not token:
return None
invite: Invitation = Invitation.objects.filter(pk=token).first()
if not invite:
self.logger.debug("invalid invitation", token=token)
return None
if invite.flow and invite.flow.pk != self.executor.plan.flow_pk:
self.logger.debug("invite for incorrect flow", expected=invite.flow.slug)
return None
return invite
def get(self, request: HttpRequest) -> HttpResponse:
"""Apply data to the current flow based on a URL"""
stage: InvitationStage = self.executor.current_stage
token = self.get_token()
if not token:
# No Invitation was given, raise error or continue
invite = self.get_invite()
if not invite:
if stage.continue_flow_without_invitation:
return self.executor.stage_ok()
return self.executor.stage_invalid()
invite: Invitation = Invitation.objects.filter(pk=token).first()
if not invite:
self.logger.debug("invalid invitation", token=token)
if stage.continue_flow_without_invitation:
return self.executor.stage_ok()
return self.executor.stage_invalid()
self.executor.plan.context[INVITATION_IN_EFFECT] = True
self.executor.plan.context[INVITATION] = invite

View File

@ -23,7 +23,7 @@ from authentik.stages.password import BACKEND_INBUILT
from authentik.stages.password.stage import PLAN_CONTEXT_AUTHENTICATION_BACKEND
class TestUserLoginStage(FlowTestCase):
class TestInvitationStage(FlowTestCase):
"""Login tests"""
def setUp(self):
@ -98,6 +98,33 @@ class TestUserLoginStage(FlowTestCase):
self.assertEqual(response.status_code, 200)
self.assertStageRedirects(response, reverse("authentik_core:root-redirect"))
def test_invalid_flow(self):
"""Test with invitation, invalid flow limit"""
invalid_flow = create_test_flow(FlowDesignation.ENROLLMENT)
plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
session = self.client.session
session[SESSION_KEY_PLAN] = plan
session.save()
data = {"foo": "bar"}
invite = Invitation.objects.create(
created_by=get_anonymous_user(), fixed_data=data, flow=invalid_flow
)
with patch("authentik.flows.views.executor.FlowExecutorView.cancel", MagicMock()):
base_url = reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
args = urlencode({INVITATION_TOKEN_KEY: invite.pk.hex})
response = self.client.get(base_url + f"?query={args}")
session = self.client.session
plan: FlowPlan = session[SESSION_KEY_PLAN]
self.assertStageResponse(
response,
flow=self.flow,
component="ak-stage-access-denied",
)
def test_with_invitation_prompt_data(self):
"""Test with invitation, check data in session"""
data = {"foo": "bar"}

View File

@ -15,6 +15,7 @@ class UserWriteStageSerializer(StageSerializer):
fields = StageSerializer.Meta.fields + [
"create_users_as_inactive",
"create_users_group",
"can_create_users",
"user_path_template",
]

View File

@ -0,0 +1,21 @@
# Generated by Django 4.1.4 on 2022-12-22 14:30
from django.db import migrations, models
class Migration(migrations.Migration):
dependencies = [
("authentik_stages_user_write", "0005_userwritestage_user_path_template"),
]
operations = [
migrations.AddField(
model_name="userwritestage",
name="can_create_users",
field=models.BooleanField(
default=True,
help_text="When set, this stage can create users. If not enabled and no user is available, stage will fail.",
),
),
]

View File

@ -13,6 +13,16 @@ class UserWriteStage(Stage):
"""Writes currently pending data into the pending user, or if no user exists,
creates a new user with the data."""
can_create_users = models.BooleanField(
default=True,
help_text=_(
(
"When set, this stage can create users. "
"If not enabled and no user is available, stage will fail."
)
),
)
create_users_as_inactive = models.BooleanField(
default=False,
help_text=_("When set, newly created users are inactive and cannot login."),

View File

@ -1,10 +1,9 @@
"""Write stage logic"""
from typing import Any
from typing import Any, Optional
from django.contrib import messages
from django.contrib.auth import update_session_auth_hash
from django.db import transaction
from django.db.utils import IntegrityError
from django.db.utils import IntegrityError, InternalError
from django.http import HttpRequest, HttpResponse
from django.utils.translation import gettext as _
@ -47,7 +46,7 @@ class UserWriteStageView(StageView):
"""Wrapper for post requests"""
return self.get(request)
def ensure_user(self) -> tuple[User, bool]:
def ensure_user(self) -> tuple[Optional[User], bool]:
"""Ensure a user exists"""
user_created = False
path = self.executor.plan.context.get(
@ -55,7 +54,11 @@ class UserWriteStageView(StageView):
)
if path == "":
path = User.default_path()
if not self.request.user.is_anonymous:
self.executor.plan.context.setdefault(PLAN_CONTEXT_PENDING_USER, self.request.user)
if PLAN_CONTEXT_PENDING_USER not in self.executor.plan.context:
if not self.executor.current_stage.can_create_users:
return None, False
self.executor.plan.context[PLAN_CONTEXT_PENDING_USER] = User(
is_active=not self.executor.current_stage.create_users_as_inactive,
path=path,
@ -110,11 +113,14 @@ class UserWriteStageView(StageView):
a new user is created."""
if PLAN_CONTEXT_PROMPT not in self.executor.plan.context:
message = _("No Pending data.")
messages.error(request, message)
self.logger.debug(message)
return self.executor.stage_invalid()
return self.executor.stage_invalid(message)
data = self.executor.plan.context[PLAN_CONTEXT_PROMPT]
user, user_created = self.ensure_user()
if not user:
message = _("No user found and can't create new user.")
self.logger.info(message)
return self.executor.stage_invalid(message)
# Before we change anything, check if the user is the same as in the request
# and we're updating a password. In that case we need to update the session hash
# Also check that we're not currently impersonating, so we don't update the session
@ -137,9 +143,9 @@ class UserWriteStageView(StageView):
user.ak_groups.add(self.executor.current_stage.create_users_group)
if PLAN_CONTEXT_GROUPS in self.executor.plan.context:
user.ak_groups.add(*self.executor.plan.context[PLAN_CONTEXT_GROUPS])
except (IntegrityError, ValueError, TypeError) as exc:
except (IntegrityError, ValueError, TypeError, InternalError) as exc:
self.logger.warning("Failed to save user", exc=exc)
return self.executor.stage_invalid()
return self.executor.stage_invalid(_("Failed to save user"))
user_write.send(sender=self, request=request, user=user, data=data, created=user_created)
# Check if the password has been updated, and update the session auth hash
if should_update_session:

View File

@ -1,6 +1,4 @@
"""write tests"""
import string
from random import SystemRandom
from unittest.mock import patch
from django.urls import reverse
@ -14,6 +12,7 @@ from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan
from authentik.flows.tests import FlowTestCase
from authentik.flows.tests.test_executor import TO_STAGE_RESPONSE_MOCK
from authentik.flows.views.executor import SESSION_KEY_PLAN
from authentik.lib.generators import generate_key
from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
from authentik.stages.user_write.models import UserWriteStage
from authentik.stages.user_write.stage import PLAN_CONTEXT_GROUPS, UserWriteStageView
@ -32,12 +31,11 @@ class TestUserWriteStage(FlowTestCase):
)
self.binding = FlowStageBinding.objects.create(target=self.flow, stage=self.stage, order=2)
self.source = Source.objects.create(name="fake_source")
self.user = create_test_admin_user()
def test_user_create(self):
"""Test creation of user"""
password = "".join(
SystemRandom().choice(string.ascii_uppercase + string.digits) for _ in range(8)
)
password = generate_key()
plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
plan.context[PLAN_CONTEXT_PROMPT] = {
@ -66,9 +64,7 @@ class TestUserWriteStage(FlowTestCase):
def test_user_update(self):
"""Test update of existing user"""
new_password = "".join(
SystemRandom().choice(string.ascii_uppercase + string.digits) for _ in range(8)
)
new_password = generate_key()
plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
plan.context[PLAN_CONTEXT_PENDING_USER] = User.objects.create(
username="unittest", email="test@goauthentik.io"
@ -142,6 +138,49 @@ class TestUserWriteStage(FlowTestCase):
component="ak-stage-access-denied",
)
def test_authenticated_no_user(self):
"""Test user in session and none in plan"""
plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
self.client.force_login(self.user)
session = self.client.session
plan.context[PLAN_CONTEXT_PROMPT] = {
"username": "foo",
"attribute_some-custom-attribute": "test",
"some_ignored_attribute": "bar",
}
session[SESSION_KEY_PLAN] = plan
session.save()
response = self.client.get(
reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
)
self.assertStageRedirects(response, reverse("authentik_core:root-redirect"))
self.user.refresh_from_db()
self.assertEqual(self.user.username, "foo")
def test_no_create(self):
"""Test can_create_users set to false"""
self.stage.can_create_users = False
self.stage.save()
plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
session = self.client.session
plan.context[PLAN_CONTEXT_PROMPT] = {
"username": "foo",
"attribute_some-custom-attribute": "test",
"some_ignored_attribute": "bar",
}
session[SESSION_KEY_PLAN] = plan
session.save()
response = self.client.get(
reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
)
self.assertStageResponse(
response,
self.flow,
component="ak-stage-access-denied",
)
@patch(
"authentik.flows.views.executor.to_stage_response",
TO_STAGE_RESPONSE_MOCK,

View File

@ -6,6 +6,7 @@ entries:
designation: stage_configuration
name: Change Password
title: Change password
authentication: require_authenticated
identifiers:
slug: default-password-change
model: authentik_flows.flow
@ -44,6 +45,8 @@ entries:
name: default-password-change-write
id: default-password-change-write
model: authentik_stages_user_write.userwritestage
attrs:
can_create_users: false
- identifiers:
order: 0
stage: !KeyOf default-password-change-prompt

View File

@ -11,6 +11,7 @@ entries:
designation: authentication
name: Welcome to authentik!
title: Welcome to authentik!
authentication: require_unauthenticated
identifiers:
slug: default-authentication-flow
model: authentik_flows.flow

View File

@ -6,6 +6,7 @@ entries:
designation: invalidation
name: Logout
title: Default Invalidation Flow
authentication: require_authenticated
identifiers:
slug: default-invalidation-flow
model: authentik_flows.flow

View File

@ -6,6 +6,7 @@ entries:
designation: stage_configuration
name: default-authenticator-static-setup
title: Setup Static OTP Tokens
authentication: require_authenticated
identifiers:
slug: default-authenticator-static-setup
model: authentik_flows.flow

View File

@ -6,6 +6,7 @@ entries:
designation: stage_configuration
name: default-authenticator-totp-setup
title: Setup Two-Factor authentication
authentication: require_authenticated
identifiers:
slug: default-authenticator-totp-setup
model: authentik_flows.flow

View File

@ -6,6 +6,7 @@ entries:
designation: stage_configuration
name: default-authenticator-webauthn-setup
title: Setup WebAuthn
authentication: require_authenticated
identifiers:
slug: default-authenticator-webauthn-setup
model: authentik_flows.flow

View File

@ -6,6 +6,7 @@ entries:
designation: authorization
name: Authorize Application
title: Redirecting to %(app)s
authentication: require_authenticated
identifiers:
slug: default-provider-authorization-explicit-consent
model: authentik_flows.flow

View File

@ -6,6 +6,7 @@ entries:
designation: authorization
name: Authorize Application
title: Redirecting to %(app)s
authentication: require_authenticated
identifiers:
slug: default-provider-authorization-implicit-consent
model: authentik_flows.flow

View File

@ -6,6 +6,7 @@ entries:
designation: authentication
name: Welcome to authentik!
title: Welcome to authentik!
authentication: require_unauthenticated
identifiers:
slug: default-source-authentication
model: authentik_flows.flow

View File

@ -6,6 +6,7 @@ entries:
designation: enrollment
name: Welcome to authentik! Please select a username.
title: Welcome to authentik! Please select a username.
authentication: none
identifiers:
slug: default-source-enrollment
model: authentik_flows.flow
@ -56,6 +57,8 @@ entries:
name: default-source-enrollment-write
id: default-source-enrollment-write
model: authentik_stages_user_write.userwritestage
attrs:
can_create_users: true
- attrs:
re_evaluate_policies: true
identifiers:

View File

@ -6,6 +6,7 @@ entries:
designation: stage_configuration
name: Pre-Authentication
title: Pre-authentication
authentication: none
identifiers:
slug: default-source-pre-authentication
model: authentik_flows.flow

View File

@ -6,6 +6,7 @@ entries:
designation: stage_configuration
name: User settings
title: Update your info
authentication: require_authenticated
identifiers:
slug: default-user-settings-flow
model: authentik_flows.flow
@ -108,6 +109,8 @@ entries:
model: authentik_policies_expression.expressionpolicy
- identifiers:
name: default-user-settings-write
attrs:
can_create_users: false
id: default-user-settings-write
model: authentik_stages_user_write.userwritestage
- attrs:

View File

@ -102,6 +102,8 @@ entries:
identifiers:
name: default-password-change-write
model: authentik_stages_user_write.userwritestage
attrs:
can_create_users: false
- attrs:
evaluate_on_plan: true
invalid_response_action: retry

View File

@ -12,6 +12,7 @@ entries:
name: Default enrollment Flow
title: Welcome to authentik!
designation: enrollment
authentication: require_unauthenticated
- identifiers:
field_key: username
label: Username
@ -94,7 +95,8 @@ entries:
name: default-enrollment-user-write
id: default-enrollment-user-write
model: authentik_stages_user_write.userwritestage
attrs: {}
attrs:
can_create_users: true
- identifiers:
target: !KeyOf flow
stage: !KeyOf default-enrollment-prompt-first

View File

@ -12,6 +12,7 @@ entries:
name: Default enrollment Flow
title: Welcome to authentik!
designation: enrollment
authentication: require_unauthenticated
- identifiers:
field_key: username
label: Username
@ -113,6 +114,7 @@ entries:
model: authentik_stages_user_write.userwritestage
attrs:
create_users_as_inactive: true
can_create_users: true
- identifiers:
target: !KeyOf flow
stage: !KeyOf default-enrollment-prompt-first

View File

@ -12,6 +12,7 @@ entries:
name: Default Authentication Flow
title: Welcome to authentik!
designation: authentication
authentication: require_unauthenticated
- identifiers:
name: test-not-app-password
id: test-not-app-password

View File

@ -12,6 +12,7 @@ entries:
name: Default Authentication Flow
title: Welcome to authentik!
designation: authentication
authentication: require_unauthenticated
- identifiers:
name: default-authentication-login
id: default-authentication-login

View File

@ -12,6 +12,7 @@ entries:
name: Default recovery flow
title: Reset your password
designation: recovery
authentication: require_unauthenticated
- identifiers:
field_key: password
label: Password
@ -62,6 +63,8 @@ entries:
name: default-recovery-user-write
id: default-recovery-user-write
model: authentik_stages_user_write.userwritestage
attrs:
can_create_users: false
- identifiers:
name: default-recovery-identification
id: default-recovery-identification

View File

@ -12,6 +12,7 @@ entries:
name: Default unenrollment flow
title: Delete your account
designation: unenrollment
authentication: require_authenticated
- identifiers:
name: default-unenrollment-user-delete
id: default-unenrollment-user-delete

View File

@ -32,7 +32,7 @@ services:
volumes:
- redis:/data
server:
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.10.1}
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.10.4}
restart: unless-stopped
command: server
environment:
@ -52,7 +52,7 @@ services:
- "0.0.0.0:${AUTHENTIK_PORT_HTTP:-9000}:9000"
- "0.0.0.0:${AUTHENTIK_PORT_HTTPS:-9443}:9443"
worker:
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.10.1}
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.10.4}
restart: unless-stopped
command: worker
environment:

View File

@ -29,4 +29,4 @@ func UserAgent() string {
return fmt.Sprintf("authentik@%s", FullVersion())
}
const VERSION = "2022.10.1"
const VERSION = "2022.10.4"

View File

@ -100,7 +100,7 @@ addopts = "-p no:celery --junitxml=unittest.xml"
[tool.poetry]
name = "authentik"
version = "2022.10.1"
version = "2022.10.4"
description = ""
authors = ["authentik Team <hello@goauthentik.io>"]

View File

@ -1,7 +1,7 @@
openapi: 3.0.3
info:
title: authentik
version: 2022.10.1
version: 2022.10.4
description: Making authentication simple.
contact:
email: hello@goauthentik.io
@ -22277,6 +22277,10 @@ paths:
schema:
type: string
format: date-time
- in: query
name: flow__slug
schema:
type: string
- in: query
name: name
schema:
@ -24520,6 +24524,10 @@ paths:
operationId: stages_user_write_list
description: UserWriteStage Viewset
parameters:
- in: query
name: can_create_users
schema:
type: boolean
- in: query
name: create_users_as_inactive
schema:
@ -25215,6 +25223,13 @@ components:
- last_used
- user
- user_agent
AuthenticationEnum:
enum:
- none
- require_authenticated
- require_unauthenticated
- require_superuser
type: string
AuthenticatorAttachmentEnum:
enum:
- platform
@ -27512,6 +27527,11 @@ components:
- $ref: '#/components/schemas/DeniedActionEnum'
description: Configure what should happen when a flow denies access to a
user.
authentication:
allOf:
- $ref: '#/components/schemas/AuthenticationEnum'
description: Required level of authentication and authorization to access
a flow.
required:
- background
- cache_count
@ -27804,6 +27824,11 @@ components:
- $ref: '#/components/schemas/DeniedActionEnum'
description: Configure what should happen when a flow denies access to a
user.
authentication:
allOf:
- $ref: '#/components/schemas/AuthenticationEnum'
description: Required level of authentication and authorization to access
a flow.
required:
- designation
- name
@ -28370,8 +28395,18 @@ components:
single_use:
type: boolean
description: When enabled, the invitation will be deleted after usage.
flow:
type: string
format: uuid
nullable: true
description: When set, only the configured flow can use this invitation.
flow_obj:
allOf:
- $ref: '#/components/schemas/Flow'
readOnly: true
required:
- created_by
- flow_obj
- name
- pk
InvitationRequest:
@ -28392,6 +28427,11 @@ components:
single_use:
type: boolean
description: When enabled, the invitation will be deleted after usage.
flow:
type: string
format: uuid
nullable: true
description: When set, only the configured flow can use this invitation.
required:
- name
InvitationStage:
@ -33535,6 +33575,11 @@ components:
- $ref: '#/components/schemas/DeniedActionEnum'
description: Configure what should happen when a flow denies access to a
user.
authentication:
allOf:
- $ref: '#/components/schemas/AuthenticationEnum'
description: Required level of authentication and authorization to access
a flow.
PatchedFlowStageBindingRequest:
type: object
description: FlowStageBinding Serializer
@ -33682,6 +33727,11 @@ components:
single_use:
type: boolean
description: When enabled, the invitation will be deleted after usage.
flow:
type: string
format: uuid
nullable: true
description: When set, only the configured flow can use this invitation.
PatchedInvitationStageRequest:
type: object
description: InvitationStage Serializer
@ -34885,6 +34935,10 @@ components:
format: uuid
nullable: true
description: Optionally add newly created users to this group.
can_create_users:
type: boolean
description: When set, this stage can create users. If not enabled and no
user is available, stage will fail.
user_path_template:
type: string
PatchedWebAuthnDeviceRequest:
@ -38023,6 +38077,10 @@ components:
format: uuid
nullable: true
description: Optionally add newly created users to this group.
can_create_users:
type: boolean
description: When set, this stage can create users. If not enabled and no
user is available, stage will fail.
user_path_template:
type: string
required:
@ -38051,6 +38109,10 @@ components:
format: uuid
nullable: true
description: Optionally add newly created users to this group.
can_create_users:
type: boolean
description: When set, this stage can create users. If not enabled and no
user is available, stage will fail.
user_path_template:
type: string
required:

14
web/package-lock.json generated
View File

@ -21,7 +21,7 @@
"@codemirror/legacy-modes": "^6.2.0",
"@formatjs/intl-listformat": "^7.1.3",
"@fortawesome/fontawesome-free": "^6.2.0",
"@goauthentik/api": "^2022.10.0-1666383274",
"@goauthentik/api": "^2022.11.3-1671801250",
"@jackfranklin/rollup-plugin-markdown": "^0.4.0",
"@lingui/cli": "^3.14.0",
"@lingui/core": "^3.14.0",
@ -1941,9 +1941,9 @@
}
},
"node_modules/@goauthentik/api": {
"version": "2022.10.0-1666383274",
"resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2022.10.0-1666383274.tgz",
"integrity": "sha512-mwBT/bTpX4cSDxy6tQgaoHIzzWqpwIXSuv16knNqjk5emquckFOI1QhurB1D2MxbvrMETX8jfJWaE+LrE/cACA=="
"version": "2022.11.3-1671801250",
"resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2022.11.3-1671801250.tgz",
"integrity": "sha512-8N6C0IPCuZQ9y5crIDJ/AeC0VlxAa3lW9mFRZ4f8g2T9FIoZUqLuxF4Uy5WW1k+IK0M0JOkuVaj2iHipaGb5Zw=="
},
"node_modules/@humanwhocodes/config-array": {
"version": "0.11.6",
@ -11620,9 +11620,9 @@
"integrity": "sha512-CNR7qRIfCwWHNN7FnKUniva94edPdyQzil/zCwk3v6k4R6rR2Fr8i4s3PM7n/lyfPA6Zfko9z5WDzFxG9SW1uQ=="
},
"@goauthentik/api": {
"version": "2022.10.0-1666383274",
"resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2022.10.0-1666383274.tgz",
"integrity": "sha512-mwBT/bTpX4cSDxy6tQgaoHIzzWqpwIXSuv16knNqjk5emquckFOI1QhurB1D2MxbvrMETX8jfJWaE+LrE/cACA=="
"version": "2022.11.3-1671801250",
"resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2022.11.3-1671801250.tgz",
"integrity": "sha512-8N6C0IPCuZQ9y5crIDJ/AeC0VlxAa3lW9mFRZ4f8g2T9FIoZUqLuxF4Uy5WW1k+IK0M0JOkuVaj2iHipaGb5Zw=="
},
"@humanwhocodes/config-array": {
"version": "0.11.6",

View File

@ -64,7 +64,7 @@
"@codemirror/legacy-modes": "^6.2.0",
"@formatjs/intl-listformat": "^7.1.3",
"@fortawesome/fontawesome-free": "^6.2.0",
"@goauthentik/api": "^2022.10.0-1666383274",
"@goauthentik/api": "^2022.11.3-1671801250",
"@jackfranklin/rollup-plugin-markdown": "^0.4.0",
"@lingui/cli": "^3.14.0",
"@lingui/core": "^3.14.0",

View File

@ -1,4 +1,5 @@
import { DesignationToLabel, LayoutToLabel } from "@goauthentik/admin/flows/utils";
import { AuthenticationEnum } from "@goauthentik/api/dist/models/AuthenticationEnum";
import { DEFAULT_CONFIG, config } from "@goauthentik/common/api/config";
import { first } from "@goauthentik/common/utils";
import "@goauthentik/elements/forms/HorizontalFormElement";
@ -141,6 +142,37 @@ export class FlowForm extends ModelForm<Flow, string> {
</option>`;
}
renderAuthentication(): TemplateResult {
return html`
<option
value=${AuthenticationEnum.None}
?selected=${this.instance?.authentication === AuthenticationEnum.None}
>
${t`No requirement`}
</option>
<option
value=${AuthenticationEnum.RequireAuthenticated}
?selected=${this.instance?.authentication ===
AuthenticationEnum.RequireAuthenticated}
>
${t`Require authentication`}
</option>
<option
value=${AuthenticationEnum.RequireUnauthenticated}
?selected=${this.instance?.authentication ===
AuthenticationEnum.RequireUnauthenticated}
>
${t`Require no authentication.`}
</option>
<option
value=${AuthenticationEnum.RequireSuperuser}
?selected=${this.instance?.authentication === AuthenticationEnum.RequireSuperuser}
>
${t`Require superuser.`}
</option>
`;
}
renderLayout(): TemplateResult {
return html`
<option
@ -224,6 +256,18 @@ export class FlowForm extends ModelForm<Flow, string> {
</option>
</select>
</ak-form-element-horizontal>
<ak-form-element-horizontal
label=${t`Authentication`}
?required=${true}
name="authentication"
>
<select class="pf-c-form-control">
${this.renderAuthentication()}
</select>
<p class="pf-c-form__helper-text">
${t`Required authentication level for this flow.`}
</p>
</ak-form-element-horizontal>
<ak-form-element-horizontal
label=${t`Designation`}
?required=${true}

View File

@ -9,8 +9,15 @@ import { t } from "@lingui/macro";
import { TemplateResult, html } from "lit";
import { customElement } from "lit/decorators.js";
import { ifDefined } from "lit/directives/if-defined.js";
import { until } from "lit/directives/until.js";
import { Invitation, StagesApi } from "@goauthentik/api";
import {
FlowsApi,
FlowsInstancesListDesignationEnum,
Invitation,
StagesApi,
} from "@goauthentik/api";
@customElement("ak-invitation-form")
export class InvitationForm extends ModelForm<Invitation, string> {
@ -66,6 +73,34 @@ export class InvitationForm extends ModelForm<Invitation, string> {
value="${dateTimeLocal(first(this.instance?.expires, new Date()))}"
/>
</ak-form-element-horizontal>
<ak-form-element-horizontal label=${t`Flow`} ?required=${true} name="flow">
<select class="pf-c-form-control">
<option value="" ?selected=${this.instance?.flow === undefined}>
---------
</option>
${until(
new FlowsApi(DEFAULT_CONFIG)
.flowsInstancesList({
ordering: "slug",
designation: FlowsInstancesListDesignationEnum.Enrollment,
})
.then((flows) => {
return flows.results.map((flow) => {
return html`<option
value=${ifDefined(flow.pk)}
?selected=${this.instance?.flow === flow.pk}
>
${flow.name} (${flow.slug})
</option>`;
});
}),
html`<option>${t`Loading...`}</option>`,
)}
</select>
<p class="pf-c-form__helper-text">
${t`When selected, the invite will only be usable with the flow. By default the invite is accepted on all flows with invitation stages.`}
</p>
</ak-form-element-horizontal>
<ak-form-element-horizontal label=${t`Attributes`} name="fixedData">
<ak-codemirror
mode="yaml"

View File

@ -14,12 +14,12 @@ import PFFormControl from "@patternfly/patternfly/components/FormControl/form-co
import PFFlex from "@patternfly/patternfly/layouts/Flex/flex.css";
import PFBase from "@patternfly/patternfly/patternfly-base.css";
import { StagesApi } from "@goauthentik/api";
import { Invitation, StagesApi } from "@goauthentik/api";
@customElement("ak-stage-invitation-list-link")
export class InvitationListLink extends AKElement {
@property()
invitation?: string;
@property({ attribute: false })
invitation?: Invitation;
@property()
selectedFlow?: string;
@ -29,60 +29,67 @@ export class InvitationListLink extends AKElement {
}
renderLink(): string {
return `${window.location.protocol}//${window.location.host}/if/flow/${this.selectedFlow}/?itoken=${this.invitation}`;
if (this.invitation?.flowObj) {
this.selectedFlow = this.invitation.flowObj?.slug;
}
return `${window.location.protocol}//${window.location.host}/if/flow/${this.selectedFlow}/?itoken=${this.invitation?.pk}`;
}
renderFlowSelector(): TemplateResult {
return html`<div class="pf-c-description-list__group">
<dt class="pf-c-description-list__term">
<span class="pf-c-description-list__text">${t`Select an enrollment flow`}</span>
</dt>
<dd class="pf-c-description-list__description">
<div class="pf-c-description-list__text">
<select
class="pf-c-form-control"
@change=${(ev: Event) => {
const current = (ev.target as HTMLInputElement).value;
this.selectedFlow = current;
}}
>
${until(
new StagesApi(DEFAULT_CONFIG)
.stagesInvitationStagesList({
ordering: "name",
noFlows: false,
})
.then((stages) => {
if (
!this.selectedFlow &&
stages.results.length > 0 &&
stages.results[0].flowSet
) {
this.selectedFlow = stages.results[0].flowSet[0].slug;
}
const seenFlowSlugs: string[] = [];
return stages.results.map((stage) => {
return stage.flowSet?.map((flow) => {
if (seenFlowSlugs.includes(flow.slug)) {
return html``;
}
seenFlowSlugs.push(flow.slug);
return html`<option
value=${flow.slug}
?selected=${flow.slug === this.selectedFlow}
>
${flow.slug}
</option>`;
});
});
}),
html`<option>${t`Loading...`}</option>`,
)}
</select>
</div>
</dd>
</div>`;
}
render(): TemplateResult {
return html`<dl class="pf-c-description-list pf-m-horizontal">
<div class="pf-c-description-list__group">
<dt class="pf-c-description-list__term">
<span class="pf-c-description-list__text">${t`Select an enrollment flow`}</span>
</dt>
<dd class="pf-c-description-list__description">
<div class="pf-c-description-list__text">
<select
class="pf-c-form-control"
@change=${(ev: Event) => {
const current = (ev.target as HTMLInputElement).value;
this.selectedFlow = current;
}}
>
${until(
new StagesApi(DEFAULT_CONFIG)
.stagesInvitationStagesList({
ordering: "name",
noFlows: false,
})
.then((stages) => {
if (
!this.selectedFlow &&
stages.results.length > 0 &&
stages.results[0].flowSet
) {
this.selectedFlow = stages.results[0].flowSet[0].slug;
}
const seenFlowSlugs: string[] = [];
return stages.results.map((stage) => {
return stage.flowSet?.map((flow) => {
if (seenFlowSlugs.includes(flow.slug)) {
return html``;
}
seenFlowSlugs.push(flow.slug);
return html`<option
value=${flow.slug}
?selected=${flow.slug === this.selectedFlow}
>
${flow.slug}
</option>`;
});
});
}),
html`<option>${t`Loading...`}</option>`,
)}
</select>
</div>
</dd>
</div>
${this.invitation?.flow === undefined ? this.renderFlowSelector() : html``}
<div class="pf-c-description-list__group">
<dt class="pf-c-description-list__term">
<span class="pf-c-description-list__text"

View File

@ -2,6 +2,7 @@ import "@goauthentik/admin/stages/invitation/InvitationForm";
import "@goauthentik/admin/stages/invitation/InvitationListLink";
import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
import { uiConfig } from "@goauthentik/common/ui/config";
import { PFColor } from "@goauthentik/elements/Label";
import "@goauthentik/elements/buttons/ModalButton";
import "@goauthentik/elements/buttons/SpinnerButton";
import "@goauthentik/elements/forms/DeleteBulkForm";
@ -18,7 +19,7 @@ import { ifDefined } from "lit/directives/if-defined.js";
import PFBanner from "@patternfly/patternfly/components/Banner/banner.css";
import { Invitation, StagesApi } from "@goauthentik/api";
import { FlowDesignationEnum, Invitation, StagesApi } from "@goauthentik/api";
@customElement("ak-stage-invitation-list")
export class InvitationListPage extends TablePage<Invitation> {
@ -49,12 +50,24 @@ export class InvitationListPage extends TablePage<Invitation> {
@state()
invitationStageExists = false;
@state()
multipleEnrollmentFlows = false;
async apiEndpoint(page: number): Promise<PaginatedResponse<Invitation>> {
// Check if any invitation stages exist
const stages = await new StagesApi(DEFAULT_CONFIG).stagesInvitationStagesList({
noFlows: false,
});
this.invitationStageExists = stages.pagination.count > 0;
this.expandable = this.invitationStageExists;
stages.results.forEach((stage) => {
const enrollmentFlows = (stage.flowSet || []).filter(
(flow) => flow.designation === FlowDesignationEnum.Enrollment,
);
if (enrollmentFlows.length > 1) {
this.multipleEnrollmentFlows = true;
}
});
return new StagesApi(DEFAULT_CONFIG).stagesInvitationInvitationsList({
ordering: this.order,
page: page,
@ -96,7 +109,14 @@ export class InvitationListPage extends TablePage<Invitation> {
row(item: Invitation): TemplateResult[] {
return [
html`${item.name}`,
html`<div>${item.name}</div>
${!item.flowObj && this.multipleEnrollmentFlows
? html`
<ak-label color=${PFColor.Orange}>
${t`Invitation not limited to any flow, and can be used with any enrollment flow.`}
</ak-label>
`
: html``}`,
html`${item.createdBy?.username}`,
html`${item.expires?.toLocaleString() || t`-`}`,
html` <ak-forms-modal>
@ -114,7 +134,7 @@ export class InvitationListPage extends TablePage<Invitation> {
return html` <td role="cell" colspan="3">
<div class="pf-c-table__expandable-row-content">
<ak-stage-invitation-list-link
invitation=${item.pk}
.invitation=${item}
></ak-stage-invitation-list-link>
</div>
</td>

View File

@ -59,6 +59,21 @@ export class UserWriteStageForm extends ModelForm<UserWriteStage, string> {
<ak-form-group .expanded=${true}>
<span slot="header"> ${t`Stage-specific settings`} </span>
<div slot="body" class="pf-c-form">
<ak-form-element-horizontal name="canCreateUsers">
<div class="pf-c-check">
<input
type="checkbox"
class="pf-c-check__input"
?checked=${first(this.instance?.canCreateUsers, false)}
/>
<label class="pf-c-check__label">
${t`Can create users`}
</label>
</div>
<p class="pf-c-form__helper-text">
${t`When enabled, this stage has the ability to create new users. If no user is available in the flow with this disabled, the stage will fail.`}
</p>
</ak-form-element-horizontal>
<ak-form-element-horizontal name="createUsersAsInactive">
<div class="pf-c-check">
<input

View File

@ -3,7 +3,7 @@ export const SUCCESS_CLASS = "pf-m-success";
export const ERROR_CLASS = "pf-m-danger";
export const PROGRESS_CLASS = "pf-m-in-progress";
export const CURRENT_CLASS = "pf-m-current";
export const VERSION = "2022.10.1";
export const VERSION = "2022.10.4";
export const TITLE_DEFAULT = "authentik";
export const ROUTE_SEPARATOR = ";";

View File

@ -98,13 +98,6 @@ export class UserSettingsFlowExecutor extends AKElement implements StageHost {
if (!this.flowSlug) {
return;
}
new FlowsApi(DEFAULT_CONFIG)
.flowsInstancesExecuteRetrieve({
slug: this.flowSlug || "",
})
.then(() => {
this.nextChallenge();
});
});
}

View File

@ -0,0 +1,29 @@
# CVE-2022-23555
## Token reuse in invitation URLs leads to access control bypass via the use of a different enrollment flow
### Summary
Token reuse in invitation URLs leads to access control bypass via the use of a different enrollment flow than in the one provided.
### Patches
authentik 2022.11.4, 2022.10.4 and 2022.12.0 fix this issue, for other versions the workaround can be used.
### Impact
Only configurations using both invitations and have multiple enrollment flows with invitation stages that grant different permissions are affected. The default configuration is not vulnerable, and neither are configurations with a single enrollment flow.
### Details
The vulnerability allows an attacker that knows different invitation flows names (e.g. `enrollment-invitation-test` and `enrollment-invitation-admin`) via either different invite links or via brute forcing to signup via a single invitation url for any valid invite link received (it can even be a url for a third flow as long as it's a valid invite) as the token used in the `Invitations` section of the Admin interface does NOT change when a different `enrollment flow` is selected via the interface and it is NOT bound to the selected flow, so it will be valid for any flow when used.
### Workarounds
As a workaround, fixed data can be added to invitations which can be checked in the flow to deny requests. Alternatively, an identifier with high entropy (like a UUID) can be used as flow slug, mitigating the attack vector by exponentially decreasing the possibility of discovering other flows.
### For more information
If you have any questions or comments about this advisory:
- Email us at [security@goauthentik.io](mailto:security@goauthentik.io)

View File

@ -0,0 +1,19 @@
# CVE-2022-46145
## Unauthorized user creation and potential account takeover
### Impact
With the default flows, unauthenticated users can create new accounts in authentik. If a flow exists that allows for email-verified password recovery, this can be used to overwrite the email address of admin accounts and take over their accounts
### Patches
authentik 2022.11.2 and 2022.10.2 fix this issue, for other versions the workaround can be used.
### Workarounds
A policy can be created and bound to the `default-user-settings-flow` flow with the following contents
```python
return request.user.is_authenticated
```

View File

@ -0,0 +1,25 @@
# CVE-2022-46172
## Existing Authenticated Users can Create Arbitrary Accounts
### Summary
Any authenticated user can create an arbitrary number of accounts through the default flows. This would circumvent any policy in a situation where it is undesirable for users to create new accounts by themselves. This may also have carry over consequences to other applications being how these new basic accounts would exist throughout the SSO infrastructure. By default the newly created accounts cannot be logged into as no password reset exists by default. However password resets are likely to be enabled by most installations.
### Patches
authentik 2022.11.4, 2022.10.4 and 2022.12.0 fix this issue.
### Impact
This vulnerability could make it much easier for name and email collisions to occur, making it harder for user to log in. This also makes it more difficult for admins to properly administer users since more and more confusing users will exist. This paired with password reset flows if enabled would mean a circumvention of on-boarding policies. Say for instance a company wanted to invite a limited number of beta testers, those beta testers would be able to create an arbitrary number of accounts themselves.
### Details
This vulnerability has already been submitted over email, this security advisory serves as formalization towards broader information dissemination. This vulnerability pertains to the user context used in the default-user-settings-flow. /api/v3/flows/instances/default-user-settings-flow/execute/
### For more information
If you have any questions or comments about this advisory:
- Email us at [security@goauthentik.io](mailto:security@goauthentik.io)

View File

@ -0,0 +1,5 @@
# Security Policy
import SecurityPolicy from "../../../SECURITY.md";
<SecurityPolicy />

View File

@ -281,5 +281,20 @@ module.exports = {
"troubleshooting/missing_admin_group",
],
},
{
type: "category",
label: "Security",
link: {
type: "generated-index",
title: "Security",
slug: "security",
},
items: [
"security/policy",
"security/CVE-2022-46145",
"security/CVE-2022-46172",
"security/CVE-2022-23555",
],
},
],
};