wip add username whitespace check to invitation flow blueprint

.env.sample

@@ -90,7 +90,12 @@ COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
 # SECRET_MONITORING_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS monitoring:~/.abra/recipes/authentik/icons/monitoring.png"
 
-# APPLICATIONS='{"Calendar": "https://nextcloud.example.com/apps/calendar/", "BBB": "https://nextcloud.example.com/apps/bbb/", "Rallly":"https://rallly.example.cloud/"}'
+# COMPOSE_FILE="$COMPOSE_FILE:compose.rallly.yml"
+# RALLLY_DOMAIN=rallly.example.com
+# SECRET_RALLLY_ID_VERSION=v1
+# SECRET_RALLLY_SECRET_VERSION=v1
+# APP_ICONS="$APP_ICONS rallly:~/.abra/recipes/authentik/icons/rallly.png"
+
+# APPLICATIONS='{"Calendar": "https://nextcloud.example.com/apps/calendar/", "BBB": "https://nextcloud.example.com/apps/bbb/"}'
 # APP_ICONS="$APP_ICONS Calendar:~/.abra/recipes/authentik/icons/calendar.svg"
-# APP_ICONS="$APP_ICONS Rallly:~/.abra/recipes/authentik/icons/rallly.png"
 # APP_ICONS="$APP_ICONS BBB:~/.abra/recipes/authentik/icons/bbb.jpg"

abra.sh

@@ -11,6 +11,7 @@ export MATRIX_CONFIG_VERSION=v1
 export WEKAN_CONFIG_VERSION=v3
 export VIKUNJA_CONFIG_VERSION=v1
 export OUTLINE_CONFIG_VERSION=v1
+export RALLLY_CONFIG_VERSION=v1
 export MONITORING_CONFIG_VERSION=v1
 export DB_ENTRYPOINT_VERSION=v1
 

compose.rallly.yml

@@ -0,0 +1,26 @@
+version: "3.8"
+services:
+  worker:
+    secrets:
+      - rallly_id
+      - rallly_secret
+    environment:
+      - RALLLY_DOMAIN
+    configs:
+      - source: rallly
+        target: /blueprints/rallly.yaml
+
+secrets:
+  rallly_id:
+    external: true
+    name: ${STACK_NAME}_rallly_id_${SECRET_RALLLY_ID_VERSION}
+  rallly_secret:
+    external: true
+    name: ${STACK_NAME}_rallly_secret_${SECRET_RALLLY_SECRET_VERSION}
+
+
+configs:
+  rallly:
+    name: ${STACK_NAME}_rallly_${RALLLY_CONFIG_VERSION}
+    file: rallly.yaml.tmpl
+    template_driver: golang

compose.yml

@@ -76,7 +76,7 @@ services:
         - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
         - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.customFrameOptionsValue=SAMEORIGIN"
         - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.contentSecurityPolicy=frame-ancestors ${X_FRAME_OPTIONS_ALLOW_FROM}"
-        - "coop-cloud.${STACK_NAME}.version=4.1.1+2023.10.7"
+        - "coop-cloud.${STACK_NAME}.version=4.2.0+2023.10.7"
         - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
 
   worker:

flow_invitation.yaml.tmpl

@@ -24,6 +24,24 @@ entries:
   id: invitation-enrollment-flow
   model: authentik_flows.flow
 
+### POLICIES
+- attrs:
+    expression: "if not regex_match(request.context.get('prompt_data').get('username'),\
+      \ '\\s'):\n    return True\n\nak_message(\"Username must not contain\
+      \ whitespace!\")\nreturn False"
+    name: username-without-spaces-policy
+  id: username-without-spaces-policy
+  identifiers:
+    name: username-without-spaces-policy
+  model: authentik_policies_expression.expressionpolicy
+
+### POLICY BINDINGS
+- identifiers:
+    policy: !KeyOf username-without-spaces-policy
+    target: !KeyOf prompt-stage-binding
+    order: 10
+  model: authentik_policies.policybinding
+
 ### STAGES
 - identifiers:
     name: invitation-stage
@@ -53,6 +71,7 @@ entries:
     stage: !KeyOf enrollment-prompt-userdata
     target: !KeyOf invitation-enrollment-flow
   model: authentik_flows.flowstagebinding
+  id: prompt-stage-binding
 - identifiers:
     order: 20
     stage: !Find [authentik_stages_user_write.userwritestage, [name,  default-source-enrollment-write]]

flow_translation.yaml.tmpl

@@ -69,3 +69,16 @@ entries:
   attrs:
     label: !Context transl_username
     placeholder: !Context transl_username
+
+### POLICIES
+- model: authentik_policies_expression.expressionpolicy
+  identifiers:
+    name: username-without-spaces-policy
+  attrs:
+    expression: "if not regex_match(request.context.get('prompt_data').get('username'),\
+      \ '\\s'):\n    return True\n\nak_message(\"Benutzername darf kein Leerzeichen\
+      \ enthalten\")\nreturn False"
+      name: username-without-spaces-policy
+  id: username-without-spaces-policy
+
+Benutzername darf kein Leerzeichen enthalten\")\n

rallly.yaml.tmpl

@@ -0,0 +1,43 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: rallly
+
+entries:
+
+- attrs:
+    access_code_validity: minutes=1
+    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+    client_id: {{ secret  "rallly_id" }}
+    client_secret: {{ secret  "rallly_secret" }}
+    client_type: confidential
+    include_claims_in_id_token: true
+    issuer_mode: per_provider
+    name: Rallly
+    property_mappings:
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
+    signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
+    sub_mode: hashed_user_id
+    token_validity: days=30
+  conditions: []
+  id: rallly_provider
+  identifiers:
+    pk: 9995
+  model: authentik_providers_oauth2.oauth2provider
+  state: present
+
+- attrs:
+    meta_launch_url: https://{{ env  "RALLLY_DOMAIN" }}
+    open_in_new_tab: true
+    policy_engine_mode: any
+    provider: !KeyOf rallly_provider
+    slug: rallly
+  conditions: []
+  id: rallly_application
+  identifiers:
+    name: Rallly
+  model: authentik_core.application
+  state: present