Fix nondeterministic blueprint behaviour

This commit is contained in:
Moritz 2023-08-01 02:20:40 +02:00
parent 3df66b1be7
commit 566bffb7af
6 changed files with 107 additions and 25 deletions


@ -89,42 +89,104 @@ Run this command after every deploy/upgrade:
## Blueprints ## Blueprints
Blueprint Dependency Requirements: These blueprints overwrite default blueprint values:
- flow_translation.yaml
- flow_authentication.yaml
The following default blueprints will be overwritten by customizations:
- flow-password-change.yaml
- flow-default-authentication-flow.yaml
- flow-default-user-settings-flow.yaml
- flow-default-source-enrollment.yaml
The `abra.sh` function `apply_blueprints` needs to be executed to deactivate these blueprints to ensure that the customizations won't be overwritten. It will further execute flow_translation.yaml and flow_authentication.yaml again.
### Blueprint Overwrite/Use Dependencies
- Recovery with email verification - Recovery with email verification
- Default - Password change flow - Default - Password change flow
- USE:
- `default-password-change-prompt`
- `default-password-change-write`
- Default - Authentication flow - Default - Authentication flow
- USE:
- `default-authentication-login`
- Custom Authentication Flow - Custom Authentication Flow
- Default - Authentication flow - Default - Authentication flow
- USE:
- `default-authentication-password`
- OVERWRITE:
- `default-authentication-flow`
- APPEND:
- `default-authentication-identification`
- `default-authentication-login`
- REMOVE: `authentik_flows.flowstagebinding order:20`
- Recovery with email verification - Recovery with email verification
- USE:
- `default-recovery-flow`
- Invitation Enrollment Flow - Invitation Enrollment Flow
- Default - User settings flow - Default - User settings flow
- USE:
- `default-user-settings-field-name`
- `default-user-settings-field-email`
- Default - Password change flow
- USE:
- `default-password-change-field-password`
- `default-password-change-field-password-repeat`
- Default - Authentication flow - Default - Authentication flow
- USE:
- `default-authentication-login`
- Default - Source enrollment flow - Default - Source enrollment flow
- USE:
- `default-source-enrollment-field-username`
- `default-source-enrollment-write`
- Custom Invalidation Flow - Custom Invalidation Flow
- Default - Invalidation flow - Default - Invalidation flow
- APPEND_ATTR:
- `authentik_flows.flowstagebinding order: 0`
- Flow Translations - Flow Translations
- Recovery with email verification - Recovery with email verification
- APPEND: `default-recovery-flow`
- Default - Password change flow - Default - Password change flow
- OVERWRITE:
- `default-password-change-field-password`
- `default-password-change-field-password-repeat`
- Default - User settings flow - Default - User settings flow
- OVERWRITE:
- `default-user-settings-field-username`
- `default-user-settings-field-name`
- Default - Source enrollment flow - Default - Source enrollment flow
- OVERWRITE:
- `default-source-enrollment-field-username`
- Custom System Tenant - Custom System Tenant
- Default - Tenant - Default - Tenant
- APPEND: `authentik_tenants.tenant domain: authentik-default`
- Recovery with email verification - Recovery with email verification
- USE:
- `default-recovery-flow`
Blueprint Dependency Graph: ### Blueprint Dependency Execution Order
5. Custom System Tenant 5. Custom System Tenant
- Default - Tenant - Default - Tenant
4. Invitation Enrollment Flow 1. Recovery with email verification
3. Flow Translations - Default - Authentication flow
- Default - User settings flow - Default - Password change flow
- Default - Source enrollment flow 4. Invitation Enrollment Flow
2. Custom Authentication Flow 3. Flow Translations
1. Recovery with email verification - Default - User settings flow
- Default - Authentication flow - Default - Source enrollment flow
- Default - Password change flow 1. Recovery with email verification
- Default - Authentication flow
- Default - Password change flow
2. Custom Authentication Flow
1. Recovery with email verification
- Default - Authentication flow
- Default - Password change flow
6. Custom Invalidation Flow 6. Custom Invalidation Flow
- Default - Invalidation flow - Default - Invalidation flow
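Review bot: the new text says `apply_blueprints` "needs to be executed" but not when, although the hunk's own context line reads "Run this command after every deploy/upgrade:"; state explicitly that each deploy/upgrade re-applies the four listed default blueprints (which is why they are updated and then disabled again) and that flow_translation.yaml and flow_authentication.yaml are re-run afterwards because their overwrites of default values would otherwise be reverted. The "Blueprint Dependency Execution Order" list also mixes numbering (1 to 6) with nested dependencies in a way that is hard to read in the rendered file; say whether the numbers are a required apply order or only the file-name prefixes, since they are not applied in that order by `abra.sh`.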

abra.sh

@ -95,15 +95,24 @@ rotate_db_pass() {
psql -U authentik -c """ALTER USER authentik WITH PASSWORD '$db_password';""" psql -U authentik -c """ALTER USER authentik WITH PASSWORD '$db_password';"""
} }
# This function is for blueprints that are overwriting custom blueprints
# It deactivates the affected custom blueprints to avoid changes to be reverted
apply_blueprints() { apply_blueprints() {
enable_blueprint default/flow-default-authentication-flow.yaml update_and_disable_blueprint default/flow-password-change.yaml
enable_blueprint default/flow-default-user-settings-flow.yaml update_and_disable_blueprint default/flow-default-authentication-flow.yaml
enable_blueprint default/flow-password-change.yaml update_and_disable_blueprint default/flow-default-user-settings-flow.yaml
ak apply_blueprint 6_flow_invalidation.yaml 2>&1 | quieten update_and_disable_blueprint default/flow-default-source-enrollment.yaml
ak apply_blueprint 5_system_tenant.yaml 2>&1 | quieten
disable_blueprint default/flow-default-authentication-flow.yaml apply_blueprint 3_flow_translation.yaml
disable_blueprint default/flow-default-user-settings-flow.yaml apply_blueprint 2_flow_authentication.yaml
disable_blueprint default/flow-password-change.yaml }
update_and_disable_blueprint() {
enable_blueprint $@ 2>&1 | quieten
sleep 1
apply_blueprint $@
sleep 1
disable_blueprint $@ 2>&1 | quieten
} }
disable_blueprint() { disable_blueprint() {
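Review bot: `update_and_disable_blueprint` relies on two fixed `sleep 1` pauses to serialise enable, apply and disable; on a loaded instance the worker can still pick up the enable after `apply_blueprint` has run, or the disable before the apply has finished, so the race is narrowed rather than removed. Suggest having `blueprint_state` re-read the `BlueprintInstance` after saving and loop until `enabled` reports the requested value before returning, instead of sleeping. Two smaller points in the same hunk: `apply_blueprints` now runs `apply_blueprint 3_flow_translation.yaml` before `apply_blueprint 2_flow_authentication.yaml`, the reverse of the README's numbered execution order, and the old `ak apply_blueprint 6_flow_invalidation.yaml` and `ak apply_blueprint 5_system_tenant.yaml` calls are dropped without a comment; add a line saying both are intentional, or reorder/restore them.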
@ -114,12 +123,24 @@ enable_blueprint() {
blueprint_state True $@ blueprint_state True $@
} }
apply_blueprint() {
echo apply blueprint $@
ak apply_blueprint $@ 2>&1 | quieten
}
blueprint_state() { blueprint_state() {
/manage.py shell -c """ /manage.py shell -c """
import time
blueprint_state=$1 blueprint_state=$1
blueprint_path='$2' blueprint_path='$2'
blueprint = BlueprintInstance.objects.filter(path=blueprint_path).first() blueprint = BlueprintInstance.objects.filter(path=blueprint_path).first()
blueprint.enabled = blueprint_state blueprint.enabled = blueprint_state
# Hacky workaround to reduce chance of a race condition
blueprint.save()
time.sleep(1)
blueprint.save()
time.sleep(1)
blueprint.save()
print(f'{blueprint.name} enabled: {blueprint.enabled}') print(f'{blueprint.name} enabled: {blueprint.enabled}')
""" 2>&1 | quieten """ 2>&1 | quieten
@ -146,7 +167,7 @@ for name, url in applications.items():
quieten(){ quieten(){
grep -v '{"event"' grep -v -e '{"event"' -e '{"action"'
} }
set_icons(){ set_icons(){
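Review bot: extending `quieten` to `grep -v -e '{"event"' -e '{"action"'` drops every structured log line containing either key, including lines that report a failed or partially applied blueprint, so an operator running `apply_blueprints` no longer sees those errors; if the JSON lines carry a log level field, filter on that (suppress only informational events) so warnings and errors are still printed.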


@ -22,9 +22,6 @@ entries:
attrs: attrs:
name: !Context welcome_message name: !Context welcome_message
title: !Context welcome_message title: !Context welcome_message
user_fields:
- email
- username
### STAGES ### STAGES
- identifiers: - identifiers:
name: default-authentication-identification name: default-authentication-identification
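Review bot: the removed `user_fields` list (`email`, `username`) sat in the `attrs` of the entry carrying `name`/`title: !Context welcome_message`, i.e. the flow itself, not in the `default-authentication-identification` stage that follows under `### STAGES`, which is where authentik reads `user_fields`; removing it from the flow is right, but check that the identification stage entry still declares the accepted fields, otherwise whatever the default blueprint sets applies silently.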
@ -42,6 +39,7 @@ entries:
attrs: attrs:
session_duration: seconds=0 session_duration: seconds=0
# After the first run this will produce a RelatedObjectDoesNotExist error
- identifiers: - identifiers:
order: 20 order: 20
stage: !Find [authentik_stages_password.passwordstage, [name, default-authentication-password]] stage: !Find [authentik_stages_password.passwordstage, [name, default-authentication-password]]
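Review bot: the new comment `# After the first run this will produce a RelatedObjectDoesNotExist error` records a known failure but not whether it is harmless or how to avoid it; the README entry for this flow lists `REMOVE: authentik_flows.flowstagebinding order:20`, so state that the error is expected on re-runs because the order-20 binding has already been removed, and consider marking the entry so repeated `apply_blueprints` runs do not emit a traceback (authentik blueprint entries accept a `state` attribute for this purpose).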


@ -13,6 +13,7 @@ entries:
### STAGE BINDINGS ### STAGE BINDINGS
# This is specified only for setting an id (this stagebinding does not have an identifier)
- identifiers: - identifiers:
order: 0 order: 0
stage: !Find [authentik_stages_user_logout.userlogoutstage, [name, default-invalidation-logout]] stage: !Find [authentik_stages_user_logout.userlogoutstage, [name, default-invalidation-logout]]
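Review bot: the comment `# This is specified only for setting an id (this stagebinding does not have an identifier)` contradicts the entry below it, whose `identifiers: order: 0` is exactly the identifier used to match the binding; reword it to say the entry exists only so the order-0 binding can be matched and have attributes appended, which is how the README describes it (`APPEND_ATTR: authentik_flows.flowstagebinding order: 0`).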


@ -4,7 +4,7 @@ metadata:
blueprints.goauthentik.io/instantiate: "true" blueprints.goauthentik.io/instantiate: "true"
name: Flow Translations name: Flow Translations
context: context:
transl_recovery: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort Zurücksetzen" {{ else }} "Reset your password" {{ end }} transl_recovery: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort zurücksetzen" {{ else }} "Reset your password" {{ end }}
transl_password: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort" {{ else }} "Password" {{ end }} transl_password: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort" {{ else }} "Password" {{ end }}
transl_password_repeat: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort (wiederholen)" {{ else }} "Password (repeat)" {{ end }} transl_password_repeat: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort (wiederholen)" {{ else }} "Password (repeat)" {{ end }}
transl_username: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Benutzername" {{ else }} "Username" {{ end }} transl_username: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Benutzername" {{ else }} "Username" {{ end }}
@ -15,7 +15,7 @@ entries:
- model: authentik_blueprints.metaapplyblueprint - model: authentik_blueprints.metaapplyblueprint
attrs: attrs:
identifiers: identifiers:
name: Custom Authentication Flow name: Recovery with email verification
required: true required: true
- model: authentik_blueprints.metaapplyblueprint - model: authentik_blueprints.metaapplyblueprint
attrs: attrs:
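Review bot: changing the required `metaapplyblueprint` dependency from `Custom Authentication Flow` to `Recovery with email verification` matches the README, which has Flow Translations append `default-recovery-flow` and no longer touch the authentication flow; since `abra.sh` now applies this blueprint before `2_flow_authentication.yaml`, add a short comment above the entry noting that the two blueprints write to disjoint objects so the order between them does not matter, and confirm the remaining `metaapplyblueprint` entries in this file cover the default flows the README lists as overwritten (password change, user settings, source enrollment).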


@ -13,7 +13,7 @@ entries:
- model: authentik_blueprints.metaapplyblueprint - model: authentik_blueprints.metaapplyblueprint
attrs: attrs:
identifiers: identifiers:
name: Invitation Enrollment Flow name: Recovery with email verification
required: true required: true
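Review bot: the dependency is switched from `Invitation Enrollment Flow` to `Recovery with email verification` with `required: true` but no explanation; the README lists `Recovery with email verification` as a `USE: default-recovery-flow` dependency for this kind of blueprint, so a one-line comment above the entry naming the object that must exist first (`default-recovery-flow`) would make the ordering self-documenting and keep the README and blueprint from drifting apart again.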