Fix nondeterministic blueprint behaviour
This commit is contained in:
parent
3df66b1be7
commit
566bffb7af
82
README.md
82
README.md
|
@ -89,42 +89,104 @@ Run this command after every deploy/upgrade:
|
||||||
|
|
||||||
## Blueprints
|
## Blueprints
|
||||||
|
|
||||||
Blueprint Dependency Requirements:
|
These blueprints overwrite default blueprint values:
|
||||||
|
|
||||||
|
- flow_translation.yaml
|
||||||
|
- flow_authentication.yaml
|
||||||
|
|
||||||
|
The following default blueprints will be overwritten by customizations:
|
||||||
|
|
||||||
|
- flow-password-change.yaml
|
||||||
|
- flow-default-authentication-flow.yaml
|
||||||
|
- flow-default-user-settings-flow.yaml
|
||||||
|
- flow-default-source-enrollment.yaml
|
||||||
|
|
||||||
|
The `abra.sh` function `apply_blueprints` needs to be executed to deactivate these blueprints to ensure that the customizations won't be overwritten. It will further execute flow_translation.yaml and flow_authentication.yaml again.
|
||||||
|
|
||||||
|
|
||||||
|
### Blueprint Overwrite/Use Dependencies
|
||||||
|
|
||||||
- Recovery with email verification
|
- Recovery with email verification
|
||||||
- Default - Password change flow
|
- Default - Password change flow
|
||||||
|
- USE:
|
||||||
|
- `default-password-change-prompt`
|
||||||
|
- `default-password-change-write`
|
||||||
- Default - Authentication flow
|
- Default - Authentication flow
|
||||||
|
- USE:
|
||||||
|
- `default-authentication-login`
|
||||||
- Custom Authentication Flow
|
- Custom Authentication Flow
|
||||||
- Default - Authentication flow
|
- Default - Authentication flow
|
||||||
|
- USE:
|
||||||
|
- `default-authentication-password`
|
||||||
|
- OVERWRITE:
|
||||||
|
- `default-authentication-flow`
|
||||||
|
- APPEND:
|
||||||
|
- `default-authentication-identification`
|
||||||
|
- `default-authentication-login`
|
||||||
|
- REMOVE: `authentik_flows.flowstagebinding order:20`
|
||||||
- Recovery with email verification
|
- Recovery with email verification
|
||||||
|
- USE:
|
||||||
|
- `default-recovery-flow`
|
||||||
- Invitation Enrollment Flow
|
- Invitation Enrollment Flow
|
||||||
- Default - User settings flow
|
- Default - User settings flow
|
||||||
|
- USE:
|
||||||
|
- `default-user-settings-field-name`
|
||||||
|
- `default-user-settings-field-email`
|
||||||
|
- Default - Password change flow
|
||||||
|
- USE:
|
||||||
|
- `default-password-change-field-password`
|
||||||
|
- `default-password-change-field-password-repeat`
|
||||||
- Default - Authentication flow
|
- Default - Authentication flow
|
||||||
|
- USE:
|
||||||
|
- `default-authentication-login`
|
||||||
- Default - Source enrollment flow
|
- Default - Source enrollment flow
|
||||||
|
- USE:
|
||||||
|
- `default-source-enrollment-field-username`
|
||||||
|
- `default-source-enrollment-write`
|
||||||
- Custom Invalidation Flow
|
- Custom Invalidation Flow
|
||||||
- Default - Invalidation flow
|
- Default - Invalidation flow
|
||||||
|
- APPEND_ATTR:
|
||||||
|
- `authentik_flows.flowstagebinding order: 0`
|
||||||
- Flow Translations
|
- Flow Translations
|
||||||
- Recovery with email verification
|
- Recovery with email verification
|
||||||
|
- APPEND: `default-recovery-flow`
|
||||||
- Default - Password change flow
|
- Default - Password change flow
|
||||||
|
- OVERWRITE:
|
||||||
|
- `default-password-change-field-password`
|
||||||
|
- `default-password-change-field-password-repeat`
|
||||||
- Default - User settings flow
|
- Default - User settings flow
|
||||||
|
- OVERWRITE:
|
||||||
|
- `default-user-settings-field-username`
|
||||||
|
- `default-user-settings-field-name`
|
||||||
- Default - Source enrollment flow
|
- Default - Source enrollment flow
|
||||||
|
- OVERWRITE:
|
||||||
|
- `default-source-enrollment-field-username`
|
||||||
- Custom System Tenant
|
- Custom System Tenant
|
||||||
- Default - Tenant
|
- Default - Tenant
|
||||||
|
- APPEND: `authentik_tenants.tenant domain: authentik-default`
|
||||||
- Recovery with email verification
|
- Recovery with email verification
|
||||||
|
- USE:
|
||||||
|
- `default-recovery-flow`
|
||||||
|
|
||||||
|
|
||||||
Blueprint Dependency Graph:
|
### Blueprint Dependency Execution Order
|
||||||
|
|
||||||
5. Custom System Tenant
|
5. Custom System Tenant
|
||||||
- Default - Tenant
|
- Default - Tenant
|
||||||
4. Invitation Enrollment Flow
|
1. Recovery with email verification
|
||||||
3. Flow Translations
|
- Default - Authentication flow
|
||||||
- Default - User settings flow
|
- Default - Password change flow
|
||||||
- Default - Source enrollment flow
|
4. Invitation Enrollment Flow
|
||||||
2. Custom Authentication Flow
|
3. Flow Translations
|
||||||
1. Recovery with email verification
|
- Default - User settings flow
|
||||||
- Default - Authentication flow
|
- Default - Source enrollment flow
|
||||||
- Default - Password change flow
|
1. Recovery with email verification
|
||||||
|
- Default - Authentication flow
|
||||||
|
- Default - Password change flow
|
||||||
|
2. Custom Authentication Flow
|
||||||
|
1. Recovery with email verification
|
||||||
|
- Default - Authentication flow
|
||||||
|
- Default - Password change flow
|
||||||
6. Custom Invalidation Flow
|
6. Custom Invalidation Flow
|
||||||
- Default - Invalidation flow
|
- Default - Invalidation flow
|
||||||
|
|
||||||
|
|
39
abra.sh
39
abra.sh
|
@ -95,15 +95,24 @@ rotate_db_pass() {
|
||||||
psql -U authentik -c """ALTER USER authentik WITH PASSWORD '$db_password';"""
|
psql -U authentik -c """ALTER USER authentik WITH PASSWORD '$db_password';"""
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# This function is for blueprints that are overwriting custom blueprints
|
||||||
|
# It deactivates the affected custom blueprints to avoid changes to be reverted
|
||||||
apply_blueprints() {
|
apply_blueprints() {
|
||||||
enable_blueprint default/flow-default-authentication-flow.yaml
|
update_and_disable_blueprint default/flow-password-change.yaml
|
||||||
enable_blueprint default/flow-default-user-settings-flow.yaml
|
update_and_disable_blueprint default/flow-default-authentication-flow.yaml
|
||||||
enable_blueprint default/flow-password-change.yaml
|
update_and_disable_blueprint default/flow-default-user-settings-flow.yaml
|
||||||
ak apply_blueprint 6_flow_invalidation.yaml 2>&1 | quieten
|
update_and_disable_blueprint default/flow-default-source-enrollment.yaml
|
||||||
ak apply_blueprint 5_system_tenant.yaml 2>&1 | quieten
|
|
||||||
disable_blueprint default/flow-default-authentication-flow.yaml
|
apply_blueprint 3_flow_translation.yaml
|
||||||
disable_blueprint default/flow-default-user-settings-flow.yaml
|
apply_blueprint 2_flow_authentication.yaml
|
||||||
disable_blueprint default/flow-password-change.yaml
|
}
|
||||||
|
|
||||||
|
update_and_disable_blueprint() {
|
||||||
|
enable_blueprint $@ 2>&1 | quieten
|
||||||
|
sleep 1
|
||||||
|
apply_blueprint $@
|
||||||
|
sleep 1
|
||||||
|
disable_blueprint $@ 2>&1 | quieten
|
||||||
}
|
}
|
||||||
|
|
||||||
disable_blueprint() {
|
disable_blueprint() {
|
||||||
|
@ -114,12 +123,24 @@ enable_blueprint() {
|
||||||
blueprint_state True $@
|
blueprint_state True $@
|
||||||
}
|
}
|
||||||
|
|
||||||
|
apply_blueprint() {
|
||||||
|
echo apply blueprint $@
|
||||||
|
ak apply_blueprint $@ 2>&1 | quieten
|
||||||
|
}
|
||||||
|
|
||||||
blueprint_state() {
|
blueprint_state() {
|
||||||
/manage.py shell -c """
|
/manage.py shell -c """
|
||||||
|
import time
|
||||||
blueprint_state=$1
|
blueprint_state=$1
|
||||||
blueprint_path='$2'
|
blueprint_path='$2'
|
||||||
blueprint = BlueprintInstance.objects.filter(path=blueprint_path).first()
|
blueprint = BlueprintInstance.objects.filter(path=blueprint_path).first()
|
||||||
blueprint.enabled = blueprint_state
|
blueprint.enabled = blueprint_state
|
||||||
|
# Hacky workaround to reduce chance of a race condition
|
||||||
|
blueprint.save()
|
||||||
|
time.sleep(1)
|
||||||
|
blueprint.save()
|
||||||
|
time.sleep(1)
|
||||||
|
blueprint.save()
|
||||||
print(f'{blueprint.name} enabled: {blueprint.enabled}')
|
print(f'{blueprint.name} enabled: {blueprint.enabled}')
|
||||||
""" 2>&1 | quieten
|
""" 2>&1 | quieten
|
||||||
|
|
||||||
|
@ -146,7 +167,7 @@ for name, url in applications.items():
|
||||||
|
|
||||||
|
|
||||||
quieten(){
|
quieten(){
|
||||||
grep -v '{"event"'
|
grep -v -e '{"event"' -e '{"action"'
|
||||||
}
|
}
|
||||||
|
|
||||||
set_icons(){
|
set_icons(){
|
||||||
|
|
|
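Review bot: In `update_and_disable_blueprint`, `apply_blueprint` and `blueprint_state` every `ak`/`manage.py` invocation is piped through `quieten`, so each function returns grep's exit status and a failed apply or an exception from the shell snippet is dropped unless `set -o pipefail` is in effect elsewhere in the script, which this hunk does not show. `blueprint_state` also interpolates `$1` and `$2` unquoted into Python source, so a value other than `True`/`False` or an unexpected path surfaces as a Python error inside the filtered output rather than as a shell failure, and `.first()` returning `None` turns into an AttributeError on `blueprint.enabled`. The triple `blueprint.save()` with `time.sleep(1)` under the `# Hacky workaround` comment narrows the window of whatever reconciles blueprint state rather than closing it, so the fix the title claims is not observable from the code; asserting the final state would make it so. I would quote the arguments (`"$@"`), guard the lookup with `if blueprint is None: raise SystemExit(f'blueprint not found: {blueprint_path}')`, and have the comment on `apply_blueprints` name the race being worked around instead of only its effect. `blueprint_state`'s closing brace and the body of `disable_blueprint` lie outside the hunks.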
@ -22,9 +22,6 @@ entries:
|
||||||
attrs:
|
attrs:
|
||||||
name: !Context welcome_message
|
name: !Context welcome_message
|
||||||
title: !Context welcome_message
|
title: !Context welcome_message
|
||||||
user_fields:
|
|
||||||
- email
|
|
||||||
- username
|
|
||||||
### STAGES
|
### STAGES
|
||||||
- identifiers:
|
- identifiers:
|
||||||
name: default-authentication-identification
|
name: default-authentication-identification
|
||||||
|
@ -42,6 +39,7 @@ entries:
|
||||||
attrs:
|
attrs:
|
||||||
session_duration: seconds=0
|
session_duration: seconds=0
|
||||||
|
|
||||||
|
# After the first run this will produce a RelatedObjectDoesNotExist error
|
||||||
- identifiers:
|
- identifiers:
|
||||||
order: 20
|
order: 20
|
||||||
stage: !Find [authentik_stages_password.passwordstage, [name, default-authentication-password]]
|
stage: !Find [authentik_stages_password.passwordstage, [name, default-authentication-password]]
|
||||||
|
|
|
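Review bot: The new comment `# After the first run this will produce a RelatedObjectDoesNotExist error` above the `order: 20` binding records a symptom without saying whether the error is expected and harmless or indicates a failed apply, so someone reading a failing log cannot tell whether to act on it. The README in this commit lists `REMOVE: authentik_flows.flowstagebinding order:20` for the custom authentication flow, which is presumably the cause, but the comment should state that and the intended handling explicitly, e.g. `# Expected on re-runs: this binding is removed by the custom flow, so the lookup fails with RelatedObjectDoesNotExist; the error is benign.` The entry this comment annotates continues past the end of the hunk.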
@ -13,6 +13,7 @@ entries:
|
||||||
|
|
||||||
### STAGE BINDINGS
|
### STAGE BINDINGS
|
||||||
|
|
||||||
|
# This is specified only for setting an id (this stagebinding does not have an identifier)
|
||||||
- identifiers:
|
- identifiers:
|
||||||
order: 0
|
order: 0
|
||||||
stage: !Find [authentik_stages_user_logout.userlogoutstage, [name, default-invalidation-logout]]
|
stage: !Find [authentik_stages_user_logout.userlogoutstage, [name, default-invalidation-logout]]
|
||||||
|
|
|
@ -4,7 +4,7 @@ metadata:
|
||||||
blueprints.goauthentik.io/instantiate: "true"
|
blueprints.goauthentik.io/instantiate: "true"
|
||||||
name: Flow Translations
|
name: Flow Translations
|
||||||
context:
|
context:
|
||||||
transl_recovery: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort Zurücksetzen" {{ else }} "Reset your password" {{ end }}
|
transl_recovery: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort zurücksetzen" {{ else }} "Reset your password" {{ end }}
|
||||||
transl_password: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort" {{ else }} "Password" {{ end }}
|
transl_password: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort" {{ else }} "Password" {{ end }}
|
||||||
transl_password_repeat: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort (wiederholen)" {{ else }} "Password (repeat)" {{ end }}
|
transl_password_repeat: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort (wiederholen)" {{ else }} "Password (repeat)" {{ end }}
|
||||||
transl_username: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Benutzername" {{ else }} "Username" {{ end }}
|
transl_username: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Benutzername" {{ else }} "Username" {{ end }}
|
||||||
|
@ -15,7 +15,7 @@ entries:
|
||||||
- model: authentik_blueprints.metaapplyblueprint
|
- model: authentik_blueprints.metaapplyblueprint
|
||||||
attrs:
|
attrs:
|
||||||
identifiers:
|
identifiers:
|
||||||
name: Custom Authentication Flow
|
name: Recovery with email verification
|
||||||
required: true
|
required: true
|
||||||
- model: authentik_blueprints.metaapplyblueprint
|
- model: authentik_blueprints.metaapplyblueprint
|
||||||
attrs:
|
attrs:
|
||||||
|
|
|
@ -13,7 +13,7 @@ entries:
|
||||||
- model: authentik_blueprints.metaapplyblueprint
|
- model: authentik_blueprints.metaapplyblueprint
|
||||||
attrs:
|
attrs:
|
||||||
identifiers:
|
identifiers:
|
||||||
name: Invitation Enrollment Flow
|
name: Recovery with email verification
|
||||||
required: true
|
required: true
|
||||||
|
|
||||||
|
|
||||||
|
|