WIP delete user policy

2024-07-15 18:55:29 +02:00
5 changed files with 45 additions and 4 deletions
--- a/.env.sample
+++ b/.env.sample
@ -1,7 +1,7 @@
 TYPE=authentik
 TIMEOUT=900
 ENABLE_AUTO_UPDATE=true
-# POST_DEPLOY_CMDS="worker worker apply_blueprints|worker add_applications"
+# POST_DEPLOY_CMDS="worker set_admin_pass|worker apply_blueprints|worker add_applications"
 LETS_ENCRYPT_ENV=production

 DOMAIN=authentik.example.com
--- a/README.md
+++ b/README.md
@ -35,6 +35,7 @@ abra app secret generate -a <app_name>
 abra app undeploy <app_name>
 abra app deploy <app_name>
 abra app cmd <app_name> db rotate_db_pass
+abra app cmd <app_name> app set_admin_pass
 ```

 ## Add SSO for Nextcloud
--- a/abra.sh
+++ b/abra.sh
@ -73,7 +73,30 @@ with open('/tmp/$1', newline='') as file:
 }

 set_admin_pass() {
-echo "The set_admin_pass function is depricated"
+password=$(cat /run/secrets/admin_pass)
+token=$(cat /run/secrets/admin_token)
+/manage.py shell -c """
+akadmin = User.objects.get(username='akadmin')
+akadmin.set_password('$password')
+akadmin.save()
+print('Changed akadmin password')
+
+from authentik.core.models import TokenIntents
+key='$token'
+if (token:= Token.objects.filter(identifier='authentik-bootstrap-token').first()):
+    token.key=key
+    token.save()
+    print('Changed authentik-bootstrap-token')
+else:
+    Token.objects.create(
+        identifier='authentik-bootstrap-token',
+        user=akadmin,
+        intent=TokenIntents.INTENT_API,
+        expiring=False,
+        key=key,
+    )
+    print('Created authentik-bootstrap-token')
+""" 2>&1 | quieten
 }

 rotate_db_pass() {
--- a/compose.yml
+++ b/compose.yml
@ -8,8 +8,6 @@ x-env: &env
    - AUTHENTIK_REDIS__HOST=redis
    - AUTHENTIK_ERROR_REPORTING__ENABLED
    - AUTHENTIK_SECRET_KEY=file:///run/secrets/secret_key
-    - AUTHENTIK_BOOTSTRAP_PASSWORD=file:///run/secrets/admin_pass
-    - AUTHENTIK_BOOTSTRAP_TOKEN=file:///run/secrets/admin_token
    - AUTHENTIK_EMAIL__HOST
    - AUTHENTIK_EMAIL__PORT
    - AUTHENTIK_EMAIL__USERNAME
--- a/delete_user.py
+++ b/delete_user.py
@ -0,0 +1,19 @@
+model_actions = ["model_deleted"]
+model_app = "authentik_core"
+model_name = "user"
+
+event = request.context.get("event", None)
+if not event:
+    ak_logger.info("delete_user: No event")
+    return False
+if event.action not in model_actions:
+    ak_logger.info("delete_user: Non-matching action")
+    return False
+if (
+    event.context["model"]["app"] != model_app
+    or event.context["model"]["model_name"] != model_name
+):
+    ak_logger.info("delete_user: Invalid model")
+    return False
+
+ak_logger.info(f'model: {event.context["model"]}')