From 566bffb7af2ec54e40a8803ca9b0c0095b359829 Mon Sep 17 00:00:00 2001
From: Moritz <moritz.m@local-it.org>
Date: Tue, 1 Aug 2023 02:20:40 +0200
Subject: [PATCH] Fix nondeterministic blueprint behaviour

---
 README.md                     | 82 ++++++++++++++++++++++++++++++-----
 abra.sh                       | 39 +++++++++++++----
 flow_authentication.yaml.tmpl |  4 +-
 flow_invalidation.yaml.tmpl   |  1 +
 flow_translation.yaml.tmpl    |  4 +-
 system_tenant.yaml.tmpl       |  2 +-
 6 files changed, 107 insertions(+), 25 deletions(-)

diff --git a/README.md b/README.md
index 5da4f35..4738670 100644
--- a/README.md
+++ b/README.md
@@ -89,42 +89,104 @@ Run this command after every deploy/upgrade:
 
 ## Blueprints
 
-Blueprint Dependency Requirements:
+These blueprints overwrite default blueprint values:
+
+- flow_translation.yaml
+- flow_authentication.yaml
+
+The following default blueprints will be overwritten by customizations:
+
+- flow-password-change.yaml
+- flow-default-authentication-flow.yaml
+- flow-default-user-settings-flow.yaml
+- flow-default-source-enrollment.yaml
+
+The `abra.sh` function `apply_blueprints` needs to be executed to deactivate these blueprints to ensure that the customizations won't be overwritten. It will further execute flow_translation.yaml and flow_authentication.yaml again.
+
+
+### Blueprint Overwrite/Use Dependencies
 
 - Recovery with email verification
     - Default - Password change flow
+        - USE:
+            - `default-password-change-prompt`
+            - `default-password-change-write`
     - Default - Authentication flow
+        - USE:
+            - `default-authentication-login`
 - Custom Authentication Flow
     - Default - Authentication flow
+        - USE:
+            - `default-authentication-password`
+        - OVERWRITE:
+            - `default-authentication-flow`
+        - APPEND:
+            - `default-authentication-identification`
+            - `default-authentication-login`
+        - REMOVE: `authentik_flows.flowstagebinding order:20`
     - Recovery with email verification
+        - USE:
+            - `default-recovery-flow`
 - Invitation Enrollment Flow
     - Default - User settings flow
+        - USE:
+            - `default-user-settings-field-name`
+            - `default-user-settings-field-email`
+    - Default - Password change flow
+        - USE:
+            - `default-password-change-field-password`
+            - `default-password-change-field-password-repeat`
     - Default - Authentication flow
+        - USE:
+            - `default-authentication-login`
     - Default - Source enrollment flow
+        - USE:
+            - `default-source-enrollment-field-username`
+            - `default-source-enrollment-write`
 - Custom Invalidation Flow
     - Default - Invalidation flow
+        - APPEND_ATTR:
+            - `authentik_flows.flowstagebinding order: 0`
 - Flow Translations
     - Recovery with email verification
+        - APPEND: `default-recovery-flow`
     - Default - Password change flow
+        - OVERWRITE:
+           - `default-password-change-field-password`
+           - `default-password-change-field-password-repeat`
     - Default - User settings flow
+        - OVERWRITE:
+            - `default-user-settings-field-username`
+            - `default-user-settings-field-name`
     - Default - Source enrollment flow
+        - OVERWRITE:
+            - `default-source-enrollment-field-username`
 - Custom System Tenant
     - Default - Tenant
+        - APPEND: `authentik_tenants.tenant  domain: authentik-default`
     - Recovery with email verification
+        - USE:
+            - `default-recovery-flow`
 
 
-Blueprint Dependency Graph:
+### Blueprint Dependency Execution Order
 
 5. Custom System Tenant
     - Default - Tenant
-    4. Invitation Enrollment Flow
-        3. Flow Translations
-            - Default - User settings flow
-            - Default - Source enrollment flow
-            2. Custom Authentication Flow
-                1. Recovery with email verification
-                    - Default - Authentication flow
-                        - Default - Password change flow
+    1. Recovery with email verification
+        - Default - Authentication flow
+            - Default - Password change flow
+4. Invitation Enrollment Flow
+    3. Flow Translations
+        - Default - User settings flow
+        - Default - Source enrollment flow
+        1. Recovery with email verification
+            - Default - Authentication flow
+                - Default - Password change flow
+2. Custom Authentication Flow
+    1. Recovery with email verification
+        - Default - Authentication flow
+            - Default - Password change flow
 6. Custom Invalidation Flow
     - Default - Invalidation flow
 
diff --git a/abra.sh b/abra.sh
index 9b40219..2774409 100644
--- a/abra.sh
+++ b/abra.sh
@@ -95,15 +95,24 @@ rotate_db_pass() {
     psql -U authentik -c """ALTER USER authentik WITH PASSWORD '$db_password';"""
 }
 
+# This function is for blueprints that are overwriting custom blueprints
+# It deactivates the affected custom blueprints to avoid changes to be reverted
 apply_blueprints() {
-    enable_blueprint default/flow-default-authentication-flow.yaml
-    enable_blueprint default/flow-default-user-settings-flow.yaml
-    enable_blueprint default/flow-password-change.yaml
-    ak apply_blueprint 6_flow_invalidation.yaml 2>&1 | quieten
-    ak apply_blueprint 5_system_tenant.yaml 2>&1 | quieten
-    disable_blueprint default/flow-default-authentication-flow.yaml
-    disable_blueprint default/flow-default-user-settings-flow.yaml
-    disable_blueprint default/flow-password-change.yaml
+    update_and_disable_blueprint default/flow-password-change.yaml
+    update_and_disable_blueprint default/flow-default-authentication-flow.yaml
+    update_and_disable_blueprint default/flow-default-user-settings-flow.yaml
+    update_and_disable_blueprint default/flow-default-source-enrollment.yaml
+    
+    apply_blueprint 3_flow_translation.yaml
+    apply_blueprint 2_flow_authentication.yaml
+}
+
+update_and_disable_blueprint() {
+    enable_blueprint $@ 2>&1 | quieten
+    sleep 1
+    apply_blueprint $@
+    sleep 1
+    disable_blueprint $@ 2>&1 | quieten
 }
 
 disable_blueprint() {
@@ -114,12 +123,24 @@ enable_blueprint() {
     blueprint_state True $@
 }
 
+apply_blueprint() {
+    echo apply blueprint $@
+    ak apply_blueprint $@ 2>&1 | quieten
+}
+
 blueprint_state() {
 /manage.py shell -c """
+import time
 blueprint_state=$1
 blueprint_path='$2'
 blueprint = BlueprintInstance.objects.filter(path=blueprint_path).first()
 blueprint.enabled = blueprint_state
+# Hacky workaround to reduce chance of a race condition
+blueprint.save()
+time.sleep(1)
+blueprint.save()
+time.sleep(1)
+blueprint.save()
 print(f'{blueprint.name} enabled: {blueprint.enabled}')
 """ 2>&1 | quieten
 
@@ -146,7 +167,7 @@ for name, url in applications.items():
 
 
 quieten(){
-    grep -v '{"event"'
+    grep -v -e '{"event"' -e '{"action"'
 }
 
 set_icons(){
diff --git a/flow_authentication.yaml.tmpl b/flow_authentication.yaml.tmpl
index 8eefce4..7484f04 100644
--- a/flow_authentication.yaml.tmpl
+++ b/flow_authentication.yaml.tmpl
@@ -22,9 +22,6 @@ entries:
   attrs:
     name: !Context welcome_message
     title: !Context welcome_message
-    user_fields:
-    - email
-    - username
 ### STAGES
 - identifiers:
     name: default-authentication-identification
@@ -42,6 +39,7 @@ entries:
   attrs:
     session_duration: seconds=0
 
+# After the first run this will produce a RelatedObjectDoesNotExist error
 - identifiers:
     order: 20
     stage: !Find [authentik_stages_password.passwordstage, [name, default-authentication-password]]
diff --git a/flow_invalidation.yaml.tmpl b/flow_invalidation.yaml.tmpl
index 8a13332..c639cca 100644
--- a/flow_invalidation.yaml.tmpl
+++ b/flow_invalidation.yaml.tmpl
@@ -13,6 +13,7 @@ entries:
 
 ### STAGE BINDINGS
 
+# This is specified only for setting an id (this stagebinding does not have an identifier)
 - identifiers:
     order: 0
     stage: !Find [authentik_stages_user_logout.userlogoutstage, [name, default-invalidation-logout]]
diff --git a/flow_translation.yaml.tmpl b/flow_translation.yaml.tmpl
index 1627263..2baaa3f 100644
--- a/flow_translation.yaml.tmpl
+++ b/flow_translation.yaml.tmpl
@@ -4,7 +4,7 @@ metadata:
     blueprints.goauthentik.io/instantiate: "true"
   name: Flow Translations
 context:
-  transl_recovery: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort Zurücksetzen" {{ else }} "Reset your password" {{ end }}
+  transl_recovery: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort zurücksetzen" {{ else }} "Reset your password" {{ end }}
   transl_password: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort" {{ else }} "Password" {{ end }}
   transl_password_repeat: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort (wiederholen)" {{ else }} "Password (repeat)" {{ end }}
   transl_username: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Benutzername" {{ else }} "Username" {{ end }}
@@ -15,7 +15,7 @@ entries:
 - model: authentik_blueprints.metaapplyblueprint
   attrs:
     identifiers:
-      name: Custom Authentication Flow
+      name: Recovery with email verification
     required: true
 - model: authentik_blueprints.metaapplyblueprint
   attrs:
diff --git a/system_tenant.yaml.tmpl b/system_tenant.yaml.tmpl
index f941788..448d4dd 100644
--- a/system_tenant.yaml.tmpl
+++ b/system_tenant.yaml.tmpl
@@ -13,7 +13,7 @@ entries:
 - model: authentik_blueprints.metaapplyblueprint
   attrs:
     identifiers:
-      name: Invitation Enrollment Flow
+      name: Recovery with email verification
     required: true