Fix nondeterministic blueprint behaviour
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/push Build is passing
Details
This commit is contained in:
parent
3df66b1be7
commit
566bffb7af
66
README.md
66
README.md
|
@ -89,38 +89,100 @@ Run this command after every deploy/upgrade:
|
|||
|
||||
## Blueprints
|
||||
|
||||
Blueprint Dependency Requirements:
|
||||
These blueprints overwrite default blueprint values:
|
||||
|
||||
- flow_translation.yaml
|
||||
- flow_authentication.yaml
|
||||
|
||||
The following default blueprints will be overwritten by customizations:
|
||||
|
||||
- flow-password-change.yaml
|
||||
- flow-default-authentication-flow.yaml
|
||||
- flow-default-user-settings-flow.yaml
|
||||
- flow-default-source-enrollment.yaml
|
||||
|
||||
The `abra.sh` function `apply_blueprints` needs to be executed to deactivate these blueprints to ensure that the customizations won't be overwritten. It will further execute flow_translation.yaml and flow_authentication.yaml again.
|
||||
|
||||
|
||||
### Blueprint Overwrite/Use Dependencies
|
||||
|
||||
- Recovery with email verification
|
||||
- Default - Password change flow
|
||||
- USE:
|
||||
- `default-password-change-prompt`
|
||||
- `default-password-change-write`
|
||||
- Default - Authentication flow
|
||||
- USE:
|
||||
- `default-authentication-login`
|
||||
- Custom Authentication Flow
|
||||
- Default - Authentication flow
|
||||
- USE:
|
||||
- `default-authentication-password`
|
||||
- OVERWRITE:
|
||||
- `default-authentication-flow`
|
||||
- APPEND:
|
||||
- `default-authentication-identification`
|
||||
- `default-authentication-login`
|
||||
- REMOVE: `authentik_flows.flowstagebinding order:20`
|
||||
- Recovery with email verification
|
||||
- USE:
|
||||
- `default-recovery-flow`
|
||||
- Invitation Enrollment Flow
|
||||
- Default - User settings flow
|
||||
- USE:
|
||||
- `default-user-settings-field-name`
|
||||
- `default-user-settings-field-email`
|
||||
- Default - Password change flow
|
||||
- USE:
|
||||
- `default-password-change-field-password`
|
||||
- `default-password-change-field-password-repeat`
|
||||
- Default - Authentication flow
|
||||
- USE:
|
||||
- `default-authentication-login`
|
||||
- Default - Source enrollment flow
|
||||
- USE:
|
||||
- `default-source-enrollment-field-username`
|
||||
- `default-source-enrollment-write`
|
||||
- Custom Invalidation Flow
|
||||
- Default - Invalidation flow
|
||||
- APPEND_ATTR:
|
||||
- `authentik_flows.flowstagebinding order: 0`
|
||||
- Flow Translations
|
||||
- Recovery with email verification
|
||||
- APPEND: `default-recovery-flow`
|
||||
- Default - Password change flow
|
||||
- OVERWRITE:
|
||||
- `default-password-change-field-password`
|
||||
- `default-password-change-field-password-repeat`
|
||||
- Default - User settings flow
|
||||
- OVERWRITE:
|
||||
- `default-user-settings-field-username`
|
||||
- `default-user-settings-field-name`
|
||||
- Default - Source enrollment flow
|
||||
- OVERWRITE:
|
||||
- `default-source-enrollment-field-username`
|
||||
- Custom System Tenant
|
||||
- Default - Tenant
|
||||
- APPEND: `authentik_tenants.tenant domain: authentik-default`
|
||||
- Recovery with email verification
|
||||
- USE:
|
||||
- `default-recovery-flow`
|
||||
|
||||
|
||||
Blueprint Dependency Graph:
|
||||
### Blueprint Dependency Execution Order
|
||||
|
||||
5. Custom System Tenant
|
||||
- Default - Tenant
|
||||
1. Recovery with email verification
|
||||
- Default - Authentication flow
|
||||
- Default - Password change flow
|
||||
4. Invitation Enrollment Flow
|
||||
3. Flow Translations
|
||||
- Default - User settings flow
|
||||
- Default - Source enrollment flow
|
||||
1. Recovery with email verification
|
||||
- Default - Authentication flow
|
||||
- Default - Password change flow
|
||||
2. Custom Authentication Flow
|
||||
1. Recovery with email verification
|
||||
- Default - Authentication flow
|
||||
|
|
39
abra.sh
39
abra.sh
|
@ -95,15 +95,24 @@ rotate_db_pass() {
|
|||
psql -U authentik -c """ALTER USER authentik WITH PASSWORD '$db_password';"""
|
||||
}
|
||||
|
||||
# This function is for blueprints that are overwriting custom blueprints
|
||||
# It deactivates the affected custom blueprints to avoid changes to be reverted
|
||||
apply_blueprints() {
|
||||
enable_blueprint default/flow-default-authentication-flow.yaml
|
||||
enable_blueprint default/flow-default-user-settings-flow.yaml
|
||||
enable_blueprint default/flow-password-change.yaml
|
||||
ak apply_blueprint 6_flow_invalidation.yaml 2>&1 | quieten
|
||||
ak apply_blueprint 5_system_tenant.yaml 2>&1 | quieten
|
||||
disable_blueprint default/flow-default-authentication-flow.yaml
|
||||
disable_blueprint default/flow-default-user-settings-flow.yaml
|
||||
disable_blueprint default/flow-password-change.yaml
|
||||
update_and_disable_blueprint default/flow-password-change.yaml
|
||||
update_and_disable_blueprint default/flow-default-authentication-flow.yaml
|
||||
update_and_disable_blueprint default/flow-default-user-settings-flow.yaml
|
||||
update_and_disable_blueprint default/flow-default-source-enrollment.yaml
|
||||
|
||||
apply_blueprint 3_flow_translation.yaml
|
||||
apply_blueprint 2_flow_authentication.yaml
|
||||
}
|
||||
|
||||
update_and_disable_blueprint() {
|
||||
enable_blueprint $@ 2>&1 | quieten
|
||||
sleep 1
|
||||
apply_blueprint $@
|
||||
sleep 1
|
||||
disable_blueprint $@ 2>&1 | quieten
|
||||
}
|
||||
|
||||
disable_blueprint() {
|
||||
|
@ -114,12 +123,24 @@ enable_blueprint() {
|
|||
blueprint_state True $@
|
||||
}
|
||||
|
||||
apply_blueprint() {
|
||||
echo apply blueprint $@
|
||||
ak apply_blueprint $@ 2>&1 | quieten
|
||||
}
|
||||
|
||||
blueprint_state() {
|
||||
/manage.py shell -c """
|
||||
import time
|
||||
blueprint_state=$1
|
||||
blueprint_path='$2'
|
||||
blueprint = BlueprintInstance.objects.filter(path=blueprint_path).first()
|
||||
blueprint.enabled = blueprint_state
|
||||
# Hacky workaround to reduce chance of a race condition
|
||||
blueprint.save()
|
||||
time.sleep(1)
|
||||
blueprint.save()
|
||||
time.sleep(1)
|
||||
blueprint.save()
|
||||
print(f'{blueprint.name} enabled: {blueprint.enabled}')
|
||||
""" 2>&1 | quieten
|
||||
|
||||
|
@ -146,7 +167,7 @@ for name, url in applications.items():
|
|||
|
||||
|
||||
quieten(){
|
||||
grep -v '{"event"'
|
||||
grep -v -e '{"event"' -e '{"action"'
|
||||
}
|
||||
|
||||
set_icons(){
|
||||
|
|
|
@ -22,9 +22,6 @@ entries:
|
|||
attrs:
|
||||
name: !Context welcome_message
|
||||
title: !Context welcome_message
|
||||
user_fields:
|
||||
- email
|
||||
- username
|
||||
### STAGES
|
||||
- identifiers:
|
||||
name: default-authentication-identification
|
||||
|
@ -42,6 +39,7 @@ entries:
|
|||
attrs:
|
||||
session_duration: seconds=0
|
||||
|
||||
# After the first run this will produce a RelatedObjectDoesNotExist error
|
||||
- identifiers:
|
||||
order: 20
|
||||
stage: !Find [authentik_stages_password.passwordstage, [name, default-authentication-password]]
|
||||
|
|
|
@ -13,6 +13,7 @@ entries:
|
|||
|
||||
### STAGE BINDINGS
|
||||
|
||||
# This is specified only for setting an id (this stagebinding does not have an identifier)
|
||||
- identifiers:
|
||||
order: 0
|
||||
stage: !Find [authentik_stages_user_logout.userlogoutstage, [name, default-invalidation-logout]]
|
||||
|
|
|
@ -4,7 +4,7 @@ metadata:
|
|||
blueprints.goauthentik.io/instantiate: "true"
|
||||
name: Flow Translations
|
||||
context:
|
||||
transl_recovery: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort Zurücksetzen" {{ else }} "Reset your password" {{ end }}
|
||||
transl_recovery: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort zurücksetzen" {{ else }} "Reset your password" {{ end }}
|
||||
transl_password: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort" {{ else }} "Password" {{ end }}
|
||||
transl_password_repeat: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort (wiederholen)" {{ else }} "Password (repeat)" {{ end }}
|
||||
transl_username: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Benutzername" {{ else }} "Username" {{ end }}
|
||||
|
@ -15,7 +15,7 @@ entries:
|
|||
- model: authentik_blueprints.metaapplyblueprint
|
||||
attrs:
|
||||
identifiers:
|
||||
name: Custom Authentication Flow
|
||||
name: Recovery with email verification
|
||||
required: true
|
||||
- model: authentik_blueprints.metaapplyblueprint
|
||||
attrs:
|
||||
|
|
|
@ -13,7 +13,7 @@ entries:
|
|||
- model: authentik_blueprints.metaapplyblueprint
|
||||
attrs:
|
||||
identifiers:
|
||||
name: Invitation Enrollment Flow
|
||||
name: Recovery with email verification
|
||||
required: true
|
||||
|
||||
|
||||
|
|
Loading…
Reference in New Issue