wip add username whitespace check to invitation flow blueprint

2024-02-15 15:02:38 +01:00
8 changed files with 33 additions and 16 deletions
--- a/README.md
+++ b/README.md
@ -169,7 +169,7 @@ The `abra.sh` function `apply_blueprints` needs to be executed to deactivate the
            - `default-source-enrollment-field-username`
 - Custom System Tenant
    - Default - Tenant
-        - APPEND: `authentik_brands.brand  domain: authentik-default`
+        - APPEND: `authentik_tenants.tenant  domain: authentik-default`
    - Recovery with email verification
        - USE:
            - `default-recovery-flow`
--- a/abra.sh
+++ b/abra.sh
@ -1,6 +1,6 @@
 export CUSTOM_CSS_VERSION=v2
 export FLOW_AUTHENTICATION_VERSION=v3
-export FLOW_INVITATION_VERSION=v2
+export FLOW_INVITATION_VERSION=v1
 export FLOW_INVALIDATION_VERSION=v2
 export FLOW_RECOVERY_VERSION=v1
 export FLOW_TRANSLATION_VERSION=v2
--- a/compose.yml
+++ b/compose.yml
@ -32,7 +32,7 @@ x-env: &env
 version: '3.8'
 services:
  app:
-    image: ghcr.io/goauthentik/server:2024.2.2
+    image: ghcr.io/goauthentik/server:2023.10.7
    command: server
    depends_on:
      - db
@ -76,11 +76,11 @@ services:
        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
        - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.customFrameOptionsValue=SAMEORIGIN"
        - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.contentSecurityPolicy=frame-ancestors ${X_FRAME_OPTIONS_ALLOW_FROM}"
-        - "coop-cloud.${STACK_NAME}.version=5.0.1+2024.2.2"
+        - "coop-cloud.${STACK_NAME}.version=4.2.0+2023.10.7"
        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"

  worker:
-    image: ghcr.io/goauthentik/server:2024.2.2
+    image: ghcr.io/goauthentik/server:2023.10.7
    command: worker
    depends_on:
      - db
--- a/custom_flows.yaml.tmpl
+++ b/custom_flows.yaml.tmpl
@ -402,4 +402,4 @@ entries:
  identifiers:
    pk: 047cce25-aae2-4b02-9f96-078e155f803d
  id: system_tenant
-  model: authentik_brands.brand
+  model: authentik_tenants.tenant
--- a/flow_invitation.yaml.tmpl
+++ b/flow_invitation.yaml.tmpl
@ -26,16 +26,22 @@ entries:

 ### POLICIES
 - attrs:
-    expression: |
-      if not regex_match(request.context.get('prompt_data').get('username'), '\s'):
-          return True
-      ak_message("Username must not contain any whitespace!")
-      return False
+    expression: "if not regex_match(request.context.get('prompt_data').get('username'),\
+      \ '\\s'):\n    return True\n\nak_message(\"Username must not contain\
+      \ whitespace!\")\nreturn False"
+    name: username-without-spaces-policy
  id: username-without-spaces-policy
  identifiers:
    name: username-without-spaces-policy
  model: authentik_policies_expression.expressionpolicy

+### POLICY BINDINGS
+- identifiers:
+    policy: !KeyOf username-without-spaces-policy
+    target: !KeyOf prompt-stage-binding
+    order: 10
+  model: authentik_policies.policybinding
+
 ### STAGES
 - identifiers:
    name: invitation-stage
@ -53,8 +59,6 @@ entries:
      - !Find [authentik_stages_prompt.prompt, [name, default-user-settings-field-email]]
      - !Find [authentik_stages_prompt.prompt, [name, default-password-change-field-password]]
      - !Find [authentik_stages_prompt.prompt, [name, default-password-change-field-password-repeat]]
-    validation_policies:
-      - !Find [ authentik_policies_expression.expressionpolicy, [name, username-without-spaces-policy]]

 ### STAGE BINDINGS
 - identifiers:
@ -67,6 +71,7 @@ entries:
    stage: !KeyOf enrollment-prompt-userdata
    target: !KeyOf invitation-enrollment-flow
  model: authentik_flows.flowstagebinding
+  id: prompt-stage-binding
 - identifiers:
    order: 20
    stage: !Find [authentik_stages_user_write.userwritestage, [name,  default-source-enrollment-write]]
--- a/flow_translation.yaml.tmpl
+++ b/flow_translation.yaml.tmpl
@ -69,3 +69,16 @@ entries:
  attrs:
    label: !Context transl_username
    placeholder: !Context transl_username
+
+### POLICIES
+- model: authentik_policies_expression.expressionpolicy
+  identifiers:
+    name: username-without-spaces-policy
+  attrs:
+    expression: "if not regex_match(request.context.get('prompt_data').get('username'),\
+      \ '\\s'):\n    return True\n\nak_message(\"Benutzername darf kein Leerzeichen\
+      \ enthalten\")\nreturn False"
+      name: username-without-spaces-policy
+  id: username-without-spaces-policy
+
+Benutzername darf kein Leerzeichen enthalten\")\n
--- a/release/5.0.0+2024.2.2
+++ b/release/5.0.0+2024.2.2
@ -1 +0,0 @@
-Blueprint changes are applied and automatic migrations should work, however, manual action may be required: https://docs.goauthentik.io/docs/releases/2024.2
--- a/system_tenant.yaml.tmpl
+++ b/system_tenant.yaml.tmpl
@ -21,7 +21,7 @@ entries:
 # remove custom tenant from old recipe
 - identifiers:
    domain: {{ env "DOMAIN" }}
-  model: authentik_brands.brand
+  model: authentik_tenants.tenant
  state: absent

 - attrs:
@ -32,4 +32,4 @@ entries:
  identifiers:
    default: true
    domain: authentik-default
-  model: authentik_brands.brand
+  model: authentik_tenants.tenant
				`@ -1 +0,0 @@`
				`Blueprint changes are applied and automatic migrations should work, however, manual action may be required: https://docs.goauthentik.io/docs/releases/2024.2`