coop-cloud/authentik
coop-cloud
/
authentik
1
0
Fork 0
Code Issues 2 Pull Requests Projects Releases Wiki Activity

Fix nondeterministic blueprint behaviour
continuous-integration/drone/push Build is passing Details

This commit is contained in:
Moritz 2023-08-01 02:20:40 +02:00
parent 3df66b1be7
commit 566bffb7af
6 changed files with 107 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

82
README.md
View File

@ -89,42 +89,104 @@ Run this command after every deploy/upgrade:
## Blueprints
Blueprint Dependency Requirements:
These blueprints overwrite default blueprint values:
- flow_translation.yaml
- flow_authentication.yaml
The following default blueprints will be overwritten by customizations:
- flow-password-change.yaml
- flow-default-authentication-flow.yaml
- flow-default-user-settings-flow.yaml
- flow-default-source-enrollment.yaml
The `abra.sh` function `apply_blueprints` needs to be executed to deactivate these blueprints to ensure that the customizations won't be overwritten. It will further execute flow_translation.yaml and flow_authentication.yaml again.
### Blueprint Overwrite/Use Dependencies
- Recovery with email verification
- Default - Password change flow
- USE:
- `default-password-change-prompt`
- `default-password-change-write`
- Default - Authentication flow
- USE:
- `default-authentication-login`
- Custom Authentication Flow
- Default - Authentication flow
- USE:
- `default-authentication-password`
- OVERWRITE:
- `default-authentication-flow`
- APPEND:
- `default-authentication-identification`
- `default-authentication-login`
- REMOVE: `authentik_flows.flowstagebinding order:20`
- Recovery with email verification
- USE:
- `default-recovery-flow`
- Invitation Enrollment Flow
- Default - User settings flow
- USE:
- `default-user-settings-field-name`
- `default-user-settings-field-email`
- Default - Password change flow
- USE:
- `default-password-change-field-password`
- `default-password-change-field-password-repeat`
- Default - Authentication flow
- USE:
- `default-authentication-login`
- Default - Source enrollment flow
- USE:
- `default-source-enrollment-field-username`
- `default-source-enrollment-write`
- Custom Invalidation Flow
- Default - Invalidation flow
- APPEND_ATTR:
- `authentik_flows.flowstagebinding order: 0`
- Flow Translations
- Recovery with email verification
- APPEND: `default-recovery-flow`
- Default - Password change flow
- OVERWRITE:
- `default-password-change-field-password`
- `default-password-change-field-password-repeat`
- Default - User settings flow
- OVERWRITE:
- `default-user-settings-field-username`
- `default-user-settings-field-name`
- Default - Source enrollment flow
- OVERWRITE:
- `default-source-enrollment-field-username`
- Custom System Tenant
- Default - Tenant
- APPEND: `authentik_tenants.tenant domain: authentik-default`
- Recovery with email verification
- USE:
- `default-recovery-flow`
Blueprint Dependency Graph:
### Blueprint Dependency Execution Order
5. Custom System Tenant
- Default - Tenant
4. Invitation Enrollment Flow
3. Flow Translations
- Default - User settings flow
- Default - Source enrollment flow
2. Custom Authentication Flow
1. Recovery with email verification
- Default - Authentication flow
- Default - Password change flow
1. Recovery with email verification
- Default - Authentication flow
- Default - Password change flow
4. Invitation Enrollment Flow
3. Flow Translations
- Default - User settings flow
- Default - Source enrollment flow
1. Recovery with email verification
- Default - Authentication flow
- Default - Password change flow
2. Custom Authentication Flow
1. Recovery with email verification
- Default - Authentication flow
- Default - Password change flow
6. Custom Invalidation Flow
- Default - Invalidation flow

39
abra.sh
View File

@ -95,15 +95,24 @@ rotate_db_pass() {
psql -U authentik -c """ALTER USER authentik WITH PASSWORD '$db_password';"""
}
# This function is for blueprints that are overwriting custom blueprints
# It deactivates the affected custom blueprints to avoid changes to be reverted
apply_blueprints() {
enable_blueprint default/flow-default-authentication-flow.yaml
enable_blueprint default/flow-default-user-settings-flow.yaml
enable_blueprint default/flow-password-change.yaml
ak apply_blueprint 6_flow_invalidation.yaml 2>&1 | quieten
ak apply_blueprint 5_system_tenant.yaml 2>&1 | quieten
disable_blueprint default/flow-default-authentication-flow.yaml
disable_blueprint default/flow-default-user-settings-flow.yaml
disable_blueprint default/flow-password-change.yaml
update_and_disable_blueprint default/flow-password-change.yaml
update_and_disable_blueprint default/flow-default-authentication-flow.yaml
update_and_disable_blueprint default/flow-default-user-settings-flow.yaml
update_and_disable_blueprint default/flow-default-source-enrollment.yaml
apply_blueprint 3_flow_translation.yaml
apply_blueprint 2_flow_authentication.yaml
}
update_and_disable_blueprint() {
enable_blueprint $@ 2>&1 | quieten
sleep 1
apply_blueprint $@
sleep 1
disable_blueprint $@ 2>&1 | quieten
}
disable_blueprint() {
@ -114,12 +123,24 @@ enable_blueprint() {
blueprint_state True $@
}
apply_blueprint() {
echo apply blueprint $@
ak apply_blueprint $@ 2>&1 | quieten
}
blueprint_state() {
/manage.py shell -c """
import time
blueprint_state=$1
blueprint_path='$2'
blueprint = BlueprintInstance.objects.filter(path=blueprint_path).first()
blueprint.enabled = blueprint_state
# Hacky workaround to reduce chance of a race condition
blueprint.save()
time.sleep(1)
blueprint.save()
time.sleep(1)
blueprint.save()
print(f'{blueprint.name} enabled: {blueprint.enabled}')
""" 2>&1 | quieten
@ -146,7 +167,7 @@ for name, url in applications.items():
quieten(){
grep -v '{"event"'
grep -v -e '{"event"' -e '{"action"'
}
set_icons(){

4
flow_authentication.yaml.tmpl
View File

@ -22,9 +22,6 @@ entries:
attrs:
name: !Context welcome_message
title: !Context welcome_message
user_fields:
- email
- username
### STAGES
- identifiers:
name: default-authentication-identification
@ -42,6 +39,7 @@ entries:
attrs:
session_duration: seconds=0
# After the first run this will produce a RelatedObjectDoesNotExist error
- identifiers:
order: 20
stage: !Find [authentik_stages_password.passwordstage, [name, default-authentication-password]]

1
flow_invalidation.yaml.tmpl
View File

@ -13,6 +13,7 @@ entries:
### STAGE BINDINGS
# This is specified only for setting an id (this stagebinding does not have an identifier)
- identifiers:
order: 0
stage: !Find [authentik_stages_user_logout.userlogoutstage, [name, default-invalidation-logout]]

4
flow_translation.yaml.tmpl
View File

@ -4,7 +4,7 @@ metadata:
blueprints.goauthentik.io/instantiate: "true"
name: Flow Translations
context:
transl_recovery: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort Zurücksetzen" {{ else }} "Reset your password" {{ end }}
transl_recovery: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort zurücksetzen" {{ else }} "Reset your password" {{ end }}
transl_password: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort" {{ else }} "Password" {{ end }}
transl_password_repeat: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort (wiederholen)" {{ else }} "Password (repeat)" {{ end }}
transl_username: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Benutzername" {{ else }} "Username" {{ end }}
@ -15,7 +15,7 @@ entries:
- model: authentik_blueprints.metaapplyblueprint
attrs:
identifiers:
name: Custom Authentication Flow
name: Recovery with email verification
required: true
- model: authentik_blueprints.metaapplyblueprint
attrs:

2
system_tenant.yaml.tmpl
View File

@ -13,7 +13,7 @@ entries:
- model: authentik_blueprints.metaapplyblueprint
attrs:
identifiers:
name: Invitation Enrollment Flow
name: Recovery with email verification
required: true