This repository has been archived on 2024-05-31. You can view files and clone it, but cannot push or open issues or pull requests.
authentik/website/docs/expressions/_functions.md
Tana M Berry 84fdd3c750
website/docs: RBAC docs (#7191)
* draft rbac docs

* tweaks

* add a permissions topic

* tweaks

* more changes

* draft permissions topic

* more content on roles

* links

* typo

* more conceptual info

* Optimised images with calibre/image-actions

* more content on roles

* add more x-ref links

* fix links

* more content

* links

* typos

* polishing

* Update website/docs/user-group-role/access-control/permissions.md

Co-authored-by: Jens L. <jens@goauthentik.io>
Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>

* separwate conceptual vs procedural in permissions

* finished groups procedurals

* new page

* added link

* Update website/docs/user-group-role/access-control/permissions.md

Co-authored-by: Jens L. <jens@goauthentik.io>
Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>

* polish

* edits from PR review

* restructured view section to remove repetition

* rest of edits from PR review

* polished flows and stages

* polish

* typo

---------

Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>
Co-authored-by: Tana Berry <tana@goauthentik.io>
Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
Co-authored-by: Jens L. <jens@goauthentik.io>
2023-10-26 12:31:32 +02:00

4.2 KiB

regex_match(value: Any, regex: str) -> bool

Check if value matches Regular Expression regex.

Example:

return regex_match(request.user.username, '.*admin.*')

regex_replace(value: Any, regex: str, repl: str) -> str

Replace anything matching regex within value with repl and return it.

Example:

user_email_local = regex_replace(request.user.email, '(.+)@.+', '')

list_flatten(value: list[Any] | Any) -> Optional[Any]

Flatten a list by either returning its first element, None if the list is empty, or the passed in object if its not a list.

Example:

user = list_flatten(["foo"])
# user = "foo"

ak_call_policy(name: str, **kwargs) -> PolicyResult

:::info Requires authentik 2021.12 :::

Call another policy with the name name. Current request is passed to policy. Key-word arguments can be used to modify the request's context.

Example:

result = ak_call_policy("test-policy")
# result is a PolicyResult object, so you can access `.passing` and `.messages`.
# Starting with authentik 2023.4 you can also access `.raw_result`, which is the raw value returned from the called policy
# `result.passing` will always be a boolean if the policy is passing or not.
return result.passing

result = ak_call_policy("test-policy-2", foo="bar")
# Inside the `test-policy-2` you can then use `request.context["foo"]`
return result.passing

ak_is_group_member(user: User, **group_filters) -> bool

Check if user is member of a group matching **group_filters.

Example:

return ak_is_group_member(request.user, name="test_group")

ak_user_by(**filters) -> Optional[User]

Fetch a user matching **filters.

Returns "None" if no user was found, otherwise returns the User object.

Example:

other_user = ak_user_by(username="other_user")

ak_user_has_authenticator(user: User, device_type: Optional[str] = None) -> bool (2021.9+)

:::info Only available in property mappings with authentik 2022.9 and newer :::

Check if a user has any authenticator devices. Only fully validated devices are counted.

Optionally, you can filter a specific device type. The following options are valid:

  • totp
  • duo
  • static
  • webauthn

Example:

return ak_user_has_authenticator(request.user)

ak_create_event(action: str, **kwargs) -> None

:::info Requires authentik 2022.9 :::

Create a new event with the action set to action. Any additional key-word parameters will be saved in the event context. Additionally, context will be set to the context in which this function is called.

Before saving, any data-structure which are not representable in JSON are flattened, and credentials are removed.

The event is saved automatically

Example:

ak_create_event("my_custom_event", foo=request.user)

Comparing IP Addresses

To compare IP Addresses or check if an IP Address is within a given subnet, you can use the functions ip_address('192.0.2.1') and ip_network('192.0.2.0/24'). With these objects you can do arithmetic operations.

You can also check if an IP Address is within a subnet by writing the following:

ip_address('192.0.2.1') in ip_network('192.0.2.0/24')
# evaluates to True

DNS resolution and reverse DNS lookups

:::note Requires authentik 2023.3 or higher :::

To resolve a hostname to a list of IP addresses, use the functions resolve_dns(hostname) and resolve_dns(hostname, ip_version).

resolve_dns("google.com")  # return a list of all IPv4 and IPv6 addresses
resolve_dns("google.com", 4)  # return a list of only IP4 addresses
resolve_dns("google.com", 6)  # return a list of only IP6 addresses

You can also do reverse DNS lookups.

:::note Reverse DNS lookups may not return the expected host if the IP address is part of a shared hosting environment. See: https://stackoverflow.com/a/19867936 :::

To perform a reverse DNS lookup use reverse_dns("192.0.2.0"). If no DNS records are found the original IP address is returned.

:::info DNS resolving results are cached in memory. The last 32 unique queries are cached for up to 3 minutes. :::