Merge branch 'goauthentik:main' into sdko/integration-batch-updates/a

goauthentik · Feb 6, 2025 · c18eda8 · c18eda8
2 parents 2dd7a8e + fb7d637
commit c18eda8
Show file tree

Hide file tree

Showing 48 changed files with 2,680 additions and 58 deletions.
diff --git a/Makefile b/Makefile
@@ -6,6 +6,8 @@ UID = $(shell id -u)
 GID = $(shell id -g)
 NPM_VERSION = $(shell python -m scripts.npm_version)
 PY_SOURCES = authentik tests scripts lifecycle .github
+GO_SOURCES = cmd internal
+WEB_SOURCES = web/src web/packages
 DOCKER_IMAGE ?= "authentik:test"
 
 GEN_API_TS = "gen-ts-api"
@@ -19,11 +21,12 @@ pg_name := $(shell python -m authentik.lib.config postgresql.name 2>/dev/null)
 CODESPELL_ARGS = -D - -D .github/codespell-dictionary.txt \
 		-I .github/codespell-words.txt \
 		-S 'web/src/locales/**' \
-		-S 'website/docs/developer-docs/api/reference/**' \
-		authentik \
-		internal \
-		cmd \
-		web/src \
+		-S 'website/developer-docs/api/reference/**' \
+		-S '**/node_modules/**' \
+		-S '**/dist/**' \
+		$(PY_SOURCES) \
+		$(GO_SOURCES) \
+		$(WEB_SOURCES) \
 		website/src \
 		website/blog \
 		website/docs \

diff --git a/authentik/blueprints/v1/importer.py b/authentik/blueprints/v1/importer.py
@@ -51,6 +51,7 @@
     MicrosoftEntraProviderUser,
 )
 from authentik.enterprise.providers.rac.models import ConnectionToken
+from authentik.enterprise.providers.ssf.models import StreamEvent
 from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import (
     EndpointDevice,
     EndpointDeviceConnection,
@@ -131,6 +132,7 @@ def excluded_models() -> list[type[Model]]:
         EndpointDevice,
         EndpointDeviceConnection,
         DeviceToken,
+        StreamEvent,
     )
 
 

diff --git a/authentik/core/models.py b/authentik/core/models.py
@@ -599,6 +599,14 @@ def get_provider(self) -> Provider | None:
             return None
         return candidates[-1]
 
+    def backchannel_provider_for[T: Provider](self, provider_type: type[T], **kwargs) -> T | None:
+        """Get Backchannel provider for a specific type"""
+        providers = self.backchannel_providers.filter(
+            **{f"{provider_type._meta.model_name}__isnull": False},
+            **kwargs,
+        )
+        return getattr(providers.first(), provider_type._meta.model_name)
+
     def __str__(self):
         return str(self.name)
 

diff --git a/authentik/enterprise/providers/ssf/__init__.py b/authentik/enterprise/providers/ssf/__init__.py
diff --git a/authentik/enterprise/providers/ssf/api/__init__.py b/authentik/enterprise/providers/ssf/api/__init__.py
diff --git a/authentik/enterprise/providers/ssf/api/providers.py b/authentik/enterprise/providers/ssf/api/providers.py
@@ -0,0 +1,64 @@
+"""SSF Provider API Views"""
+
+from django.urls import reverse
+from rest_framework.fields import SerializerMethodField
+from rest_framework.request import Request
+from rest_framework.viewsets import ModelViewSet
+
+from authentik.core.api.providers import ProviderSerializer
+from authentik.core.api.tokens import TokenSerializer
+from authentik.core.api.used_by import UsedByMixin
+from authentik.enterprise.api import EnterpriseRequiredMixin
+from authentik.enterprise.providers.ssf.models import SSFProvider
+
+
+class SSFProviderSerializer(EnterpriseRequiredMixin, ProviderSerializer):
+    """SSFProvider Serializer"""
+
+    ssf_url = SerializerMethodField()
+    token_obj = TokenSerializer(source="token", required=False, read_only=True)
+
+    def get_ssf_url(self, instance: SSFProvider) -> str | None:
+        request: Request = self._context.get("request")
+        if not request:
+            return None
+        if not instance.backchannel_application:
+            return None
+        return request.build_absolute_uri(
+            reverse(
+                "authentik_providers_ssf:configuration",
+                kwargs={
+                    "application_slug": instance.backchannel_application.slug,
+                },
+            )
+        )
+
+    class Meta:
+        model = SSFProvider
+        fields = [
+            "pk",
+            "name",
+            "component",
+            "verbose_name",
+            "verbose_name_plural",
+            "meta_model_name",
+            "signing_key",
+            "token_obj",
+            "oidc_auth_providers",
+            "ssf_url",
+            "event_retention",
+        ]
+        extra_kwargs = {}
+
+
+class SSFProviderViewSet(UsedByMixin, ModelViewSet):
+    """SSFProvider Viewset"""
+
+    queryset = SSFProvider.objects.all()
+    serializer_class = SSFProviderSerializer
+    filterset_fields = {
+        "application": ["isnull"],
+        "name": ["iexact"],
+    }
+    search_fields = ["name"]
+    ordering = ["name"]
diff --git a/authentik/enterprise/providers/ssf/api/streams.py b/authentik/enterprise/providers/ssf/api/streams.py
@@ -0,0 +1,37 @@
+"""SSF Stream API Views"""
+
+from rest_framework.viewsets import ReadOnlyModelViewSet
+
+from authentik.core.api.utils import ModelSerializer
+from authentik.enterprise.providers.ssf.api.providers import SSFProviderSerializer
+from authentik.enterprise.providers.ssf.models import Stream
+
+
+class SSFStreamSerializer(ModelSerializer):
+    """SSFStream Serializer"""
+
+    provider_obj = SSFProviderSerializer(source="provider", read_only=True)
+
+    class Meta:
+        model = Stream
+        fields = [
+            "pk",
+            "provider",
+            "provider_obj",
+            "delivery_method",
+            "endpoint_url",
+            "events_requested",
+            "format",
+            "aud",
+            "iss",
+        ]
+
+
+class SSFStreamViewSet(ReadOnlyModelViewSet):
+    """SSFStream Viewset"""
+
+    queryset = Stream.objects.all()
+    serializer_class = SSFStreamSerializer
+    filterset_fields = ["provider", "endpoint_url", "delivery_method"]
+    search_fields = ["provider__name", "endpoint_url"]
+    ordering = ["provider", "uuid"]
diff --git a/authentik/enterprise/providers/ssf/apps.py b/authentik/enterprise/providers/ssf/apps.py
@@ -0,0 +1,13 @@
+"""SSF app config"""
+
+from authentik.enterprise.apps import EnterpriseConfig
+
+
+class AuthentikEnterpriseProviderSSF(EnterpriseConfig):
+    """authentik enterprise ssf app config"""
+
+    name = "authentik.enterprise.providers.ssf"
+    label = "authentik_providers_ssf"
+    verbose_name = "authentik Enterprise.Providers.SSF"
+    default = True
+    mountpoint = ""
diff --git a/authentik/enterprise/providers/ssf/migrations/0001_initial.py b/authentik/enterprise/providers/ssf/migrations/0001_initial.py
@@ -0,0 +1,201 @@
+# Generated by Django 5.0.11 on 2025-02-05 16:20
+
+import authentik.lib.utils.time
+import django.contrib.postgres.fields
+import django.db.models.deletion
+import uuid
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+        ("authentik_core", "0042_authenticatedsession_authentik_c_expires_08251d_idx_and_more"),
+        ("authentik_crypto", "0004_alter_certificatekeypair_name"),
+        ("authentik_providers_oauth2", "0027_accesstoken_authentik_p_expires_9f24a5_idx_and_more"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="SSFProvider",
+            fields=[
+                (
+                    "provider_ptr",
+                    models.OneToOneField(
+                        auto_created=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        parent_link=True,
+                        primary_key=True,
+                        serialize=False,
+                        to="authentik_core.provider",
+                    ),
+                ),
+                (
+                    "event_retention",
+                    models.TextField(
+                        default="days=30",
+                        validators=[authentik.lib.utils.time.timedelta_string_validator],
+                    ),
+                ),
+                (
+                    "oidc_auth_providers",
+                    models.ManyToManyField(
+                        blank=True, default=None, to="authentik_providers_oauth2.oauth2provider"
+                    ),
+                ),
+                (
+                    "signing_key",
+                    models.ForeignKey(
+                        help_text="Key used to sign the SSF Events.",
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to="authentik_crypto.certificatekeypair",
+                        verbose_name="Signing Key",
+                    ),
+                ),
+                (
+                    "token",
+                    models.ForeignKey(
+                        default=None,
+                        null=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to="authentik_core.token",
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "Shared Signals Framework Provider",
+                "verbose_name_plural": "Shared Signals Framework Providers",
+                "permissions": [("add_stream", "Add stream to SSF provider")],
+            },
+            bases=("authentik_core.provider",),
+        ),
+        migrations.CreateModel(
+            name="Stream",
+            fields=[
+                (
+                    "uuid",
+                    models.UUIDField(
+                        default=uuid.uuid4, editable=False, primary_key=True, serialize=False
+                    ),
+                ),
+                (
+                    "delivery_method",
+                    models.TextField(
+                        choices=[
+                            (
+                                "https://schemas.openid.net/secevent/risc/delivery-method/push",
+                                "Risc Push",
+                            ),
+                            (
+                                "https://schemas.openid.net/secevent/risc/delivery-method/poll",
+                                "Risc Poll",
+                            ),
+                        ]
+                    ),
+                ),
+                ("endpoint_url", models.TextField(null=True)),
+                (
+                    "events_requested",
+                    django.contrib.postgres.fields.ArrayField(
+                        base_field=models.TextField(
+                            choices=[
+                                (
+                                    "https://schemas.openid.net/secevent/caep/event-type/session-revoked",
+                                    "Caep Session Revoked",
+                                ),
+                                (
+                                    "https://schemas.openid.net/secevent/caep/event-type/credential-change",
+                                    "Caep Credential Change",
+                                ),
+                                (
+                                    "https://schemas.openid.net/secevent/ssf/event-type/verification",
+                                    "Set Verification",
+                                ),
+                            ]
+                        ),
+                        default=list,
+                        size=None,
+                    ),
+                ),
+                ("format", models.TextField()),
+                (
+                    "aud",
+                    django.contrib.postgres.fields.ArrayField(
+                        base_field=models.TextField(), default=list, size=None
+                    ),
+                ),
+                ("iss", models.TextField()),
+                (
+                    "provider",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to="authentik_providers_ssf.ssfprovider",
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "SSF Stream",
+                "verbose_name_plural": "SSF Streams",
+                "default_permissions": ["change", "delete", "view"],
+            },
+        ),
+        migrations.CreateModel(
+            name="StreamEvent",
+            fields=[
+                ("created", models.DateTimeField(auto_now_add=True)),
+                ("last_updated", models.DateTimeField(auto_now=True)),
+                ("expires", models.DateTimeField(default=None, null=True)),
+                ("expiring", models.BooleanField(default=True)),
+                (
+                    "uuid",
+                    models.UUIDField(
+                        default=uuid.uuid4, editable=False, primary_key=True, serialize=False
+                    ),
+                ),
+                (
+                    "status",
+                    models.TextField(
+                        choices=[
+                            ("pending_new", "Pending New"),
+                            ("pending_failed", "Pending Failed"),
+                            ("sent", "Sent"),
+                        ]
+                    ),
+                ),
+                (
+                    "type",
+                    models.TextField(
+                        choices=[
+                            (
+                                "https://schemas.openid.net/secevent/caep/event-type/session-revoked",
+                                "Caep Session Revoked",
+                            ),
+                            (
+                                "https://schemas.openid.net/secevent/caep/event-type/credential-change",
+                                "Caep Credential Change",
+                            ),
+                            (
+                                "https://schemas.openid.net/secevent/ssf/event-type/verification",
+                                "Set Verification",
+                            ),
+                        ]
+                    ),
+                ),
+                ("payload", models.JSONField(default=dict)),
+                (
+                    "stream",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to="authentik_providers_ssf.stream",
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "SSF Stream Event",
+                "verbose_name_plural": "SSF Stream Events",
+                "ordering": ("-created",),
+            },
+        ),
+    ]
diff --git a/authentik/enterprise/providers/ssf/migrations/__init__.py b/authentik/enterprise/providers/ssf/migrations/__init__.py