

switch to blueprints property mappings, improvements to frontend
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
rissson committed Sep 24, 2024
1 parent bc74bb1 commit 4dfc2f5
Showing 10 changed files with 203 additions and 167 deletions.
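--- a/authentik/sources/kerberos/models.py
+++ b/authentik/sources/kerberos/models.py
@@ -18,7 +18,6 @@
 from structlog.stdlib import get_logger
 
 from authentik.core.models import (
-    USER_PATH_SERVICE_ACCOUNT,
     GroupSourceConnection,
     PropertyMapping,
     Source,
@@ -164,33 +163,13 @@ def sync_lock(self) -> pglock.advisory:
         )
 
     def get_base_user_properties(self, principal: str, **kwargs):
-        localpart, realm = principal.rsplit("@", 1)
-        is_service_account = "/" in localpart
-        username = localpart
-
-        # By default, don't sync system principals
-        denied_prefixes = ["kadmin/", "krbtgt/", "K/M", "WELLKNOWN/"]
-        for prefix in denied_prefixes:
-            if username.lower().startswith(prefix.lower()):
-                username = None
-                break
-        # By default, don't sync principals from another realm
-        if realm.upper() != self.realm.upper():
-            username = None
-
-        properties = {
-            "username": username,
+        localpart, _ = principal.rsplit("@", 1)
+
+        return {
+            "username": localpart,
             "type": UserTypes.INTERNAL,
             "path": self.get_user_path(),
         }
-        if is_service_account:
-            properties.update(
-                {
-                    "type": UserTypes.SERVICE_ACCOUNT,
-                    "path": USER_PATH_SERVICE_ACCOUNT,
-                }
-            )
-        return properties
 
     def get_base_group_properties(self, group_id: str, **kwargs):
         return {
@@ -346,7 +325,7 @@ class KerberosSourcePropertyMapping(PropertyMapping):
 
     @property
     def component(self) -> str:
-        return "ak-property-mapping-kerberos-form"
+        return "ak-property-mapping-source-kerberos-form"
 
     @property
     def serializer(self) -> type[Serializer]: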
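Review bot: `get_base_user_properties` no longer rejects cross-realm principals or the KDC-internal ones (`kadmin/`, `krbtgt/`, `K/M`, `WELLKNOWN/`); that filtering now exists only in the `ignore-other-realms` / `ignore-system-principals` property mappings, which a source must attach explicitly (the updated `test_sync.py` setUp does so via `managed__startswith`). As far as this hunk shows, a KerberosSource with an empty `user_property_mappings` would therefore sync every principal the KDC returns, `krbtgt/REALM` and `kadmin/admin` included, as `UserTypes.INTERNAL` users, so if that is the intended contract it should be stated on the method, e.g. `"""Base properties for a synced principal; realm and system-principal filtering is delegated to property mappings."""`, and the realm check is worth keeping as a non-overridable floor. The `principal.rsplit("@", 1)` unpacking also raises `ValueError` for a principal without `@`; kadmin presumably always returns realm-qualified names, but a guard there would keep one odd entry from aborting the whole sync. The enclosing `KerberosSource` class starts outside the hunk.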
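--- a/authentik/sources/kerberos/signals.py
+++ b/authentik/sources/kerberos/signals.py
@@ -33,7 +33,12 @@ def kerberos_sync_password(sender, user: User, password: str, **_):
     """Connect to kerberos and update password."""
     user_source_connections = UserKerberosSourceConnection.objects.select_related(
         "source__kerberossource"
-    ).filter(user=user, source__enabled=True, source__kerberossource__sync_users=True, source__kerberossource__sync_users_password=True)
+    ).filter(
+        user=user,
+        source__enabled=True,
+        source__kerberossource__sync_users=True,
+        source__kerberossource__sync_users_password=True,
+    )
     for user_source_connection in user_source_connections:
         source = user_source_connection.source.kerberossource
         with Krb5ConfContext(source):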
1 change: 1 addition & 0 deletions authentik/sources/kerberos/tests/test_auth.py
@@ -1,6 +1,7 @@
"""Kerberos Source Auth tests"""

from django.contrib.auth.hashers import is_password_usable


from authentik.core.models import User
from authentik.lib.generators import generate_id
from authentik.sources.kerberos.auth import KerberosBackend
20 changes: 18 additions & 2 deletions authentik/sources/kerberos/tests/test_sync.py
@@ -1,8 +1,9 @@
"""Kerberos Source sync tests"""

from authentik.core.models import User
from authentik.blueprints.tests import apply_blueprint
from authentik.lib.generators import generate_id
from authentik.sources.kerberos.models import KerberosSourcePropertyMapping, KerberosSource
from authentik.sources.kerberos.models import KerberosSource, KerberosSourcePropertyMapping
from authentik.sources.kerberos.sync import KerberosSync
from authentik.sources.kerberos.tasks import kerberos_sync_all
from authentik.sources.kerberos.tests.utils import KerberosTestCase

Expand All @@ -11,6 +12,7 @@
class TestKerberosSync(KerberosTestCase):

"""Kerberos Sync tests"""

@apply_blueprint("system/sources-kerberos.yaml")
def setUp(self):
self.source: KerberosSource = KerberosSource.objects.create(

name="kerberos",
Expand All @@ -21,10 +23,24 @@ def setUp(self):
sync_principal=self.realm.admin_princ,
sync_password=self.realm.password("admin"),
)
self.source.user_property_mappings.set(KerberosSourcePropertyMapping.objects.filter(managed__startswith="goauthentik.io/sources/kerberos/user/default/"))


def test_default_mappings(self):

"""Test default mappings"""
KerberosSync(self.source).sync()


self.assertTrue(

User.objects.filter(username=self.realm.user_princ.rsplit("@", 1)[0]).exists()
)
self.assertFalse(

User.objects.filter(username=self.realm.nfs_princ.rsplit("@", 1)[0]).exists()
)

def test_sync_mapping(self):

"""Test property mappings"""
noop = KerberosSourcePropertyMapping.objects.create(name=generate_id(), expression="return {}")
noop = KerberosSourcePropertyMapping.objects.create(

name=generate_id(), expression="return {}"
)
email = KerberosSourcePropertyMapping.objects.create(

name=generate_id(), expression='return {"email": principal.lower()}'
)
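Review bot: `test_default_mappings` only checks the happy path (the user principal exists, `nfs_princ` does not), while the two mappings that replaced the old hard-coded safety checks — `ignore-system-principals` and `ignore-other-realms` — get no assertion at all, so a regression in those blueprint expressions would still pass this suite. Add after the sync e.g. `self.assertFalse(User.objects.filter(username__startswith="krbtgt/").exists())` and `self.assertFalse(User.objects.filter(username__startswith="kadmin/").exists())`, plus a case with no mappings attached to show the difference. The `assertFalse` on `nfs_princ` is also surprising on its face, since `multipart-principals-as-service-accounts` keeps the username and only changes type and path; whatever keeps that user out is outside this diff, and a one-line comment stating the reason would help. `test_sync_mapping` continues past the end of the hunk.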
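--- a/blueprints/schema.json
+++ b/blueprints/schema.json
@@ -6892,11 +6892,6 @@
                     "title": "Spnego ccache",
                     "description": "Credential cache to use for SPNEGO in form type:residual"
                 },
-                "password_login_enabled": {
-                    "type": "boolean",
-                    "title": "Password login enabled",
-                    "description": "Enable the passwword authentication backend"
-                },
                 "password_login_update_internal_password": {
                     "type": "boolean",
                     "title": "Password login update internal password",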
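--- /dev/null
+++ b/blueprints/system/sources-kerberos.yaml
@@ -0,0 +1,58 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/system: "true"
+  name: System - Kerberos Source - Mappings
+entries:
+  - identifiers:
+      managed: goauthentik.io/sources/kerberos/user/default/multipart-principals-as-service-accounts
+    model: authentik_sources_kerberos.kerberossourcepropertymapping
+    attrs:
+      name: "authentik default Kerberos User Mapping: Multipart principals as service accounts"
+      expression: |
+        from authentik.core.models import USER_PATH_SERVICE_ACCOUNT, UserTypes
+        localpart, _ = principal.rsplit("@", 1)
+        is_service_account = "/" in localpart
+        attrs = {}
+        if is_service_account:
+            attrs = {
+                "type": UserTypes.SERVICE_ACCOUNT,
+                "path": USER_PATH_SERVICE_ACCOUNT,
+            }
+        return attrs
+  - identifiers:
+      managed: goauthentik.io/sources/kerberos/user/default/realm-as-group
+    model: authentik_sources_kerberos.kerberossourcepropertymapping
+    attrs:
+      name: "authentik default Kerberos User Mapping: Add realm as group"
+      expression: |
+        localpart, realm = principal.rsplit("@", 1)
+        return {
+            "groups": [realm.upper()]
+        }
+  - identifiers:
+      managed: goauthentik.io/sources/kerberos/user/default/ignore-other-realms
+    model: authentik_sources_kerberos.kerberossourcepropertymapping
+    attrs:
+      name: "authentik default Kerberos User Mapping: Ignore other realms"
+      expression: |
+        localpart, realm = principal.rsplit("@", 1)
+        attrs = {}
+        if realm.upper() != source.realm.upper():
+            attrs["username"] = None
+        return attrs
+  - identifiers:
+      managed: goauthentik.io/sources/kerberos/user/default/ignore-system-principals
+    model: authentik_sources_kerberos.kerberossourcepropertymapping
+    attrs:
+      name: "authentik default Kerberos User Mapping: Ignore system principals"
+      expression: |
+        localpart, realm = principal.rsplit("@", 1)
+        attrs = {}
+        denied_prefixes = ["kadmin/", "krbtgt/", "K/M", "WELLKNOWN/"]
+        for prefix in denied_prefixes:
+            if localpart.lower().startswith(prefix.lower()):
+                attrs["username"] = None
+                break
+        return attrs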
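Review bot: The two mappings that carry the security-relevant defaults (`ignore-other-realms`, `ignore-system-principals`) look no different in this blueprint from the convenience ones (`realm-as-group`, `multipart-principals-as-service-accounts`), and nothing here tells an operator that a source without them accepts foreign-realm and KDC-internal principals. A YAML comment above each of those two entries, e.g. `# Recommended: without this mapping principals from other realms are synced as users`, would make that explicit for anyone composing mappings by hand. The `ignore-system-principals` prefix list could also cover `kiprop/` (MIT krb5's incremental-propagation principal) where that service is deployed. `ignore-other-realms` relies on `source.realm` being exposed to the expression evaluator, which this diff does not show and is worth confirming; `realm-as-group` leaves `localpart` unused, so `_, realm = principal.rsplit("@", 1)` would be clearer.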
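--- a/schema.yml
+++ b/schema.yml
@@ -25440,10 +25440,6 @@ paths:
           description: Number of results to return per page.
           schema:
             type: integer
-      - in: query
-        name: password_login_enabled
-        schema:
-          type: boolean
       - in: query
         name: password_login_update_internal_password
         schema:
@@ -42035,10 +42031,6 @@ components:
           type: string
         icon:
           type: string
-          nullable: true
-          description: |-
-            Get the URL to the Icon. If the name is /static or
-            starts with http it is returned as-is
           readOnly: true
         group_matching_mode:
           allOf:
@@ -42077,9 +42069,6 @@ components:
         spnego_ccache:
           type: string
           description: Credential cache to use for SPNEGO in form type:residual
-        password_login_enabled:
-          type: boolean
-          description: Enable the passwword authentication backend
         password_login_update_internal_password:
           type: boolean
           description: If enabled, the authentik-stored password will be updated upon
@@ -42254,9 +42243,6 @@ components:
         spnego_ccache:
           type: string
           description: Credential cache to use for SPNEGO in form type:residual
-        password_login_enabled:
-          type: boolean
-          description: Enable the passwword authentication backend
         password_login_update_internal_password:
           type: boolean
           description: If enabled, the authentik-stored password will be updated upon
@@ -47459,9 +47445,6 @@ components:
         spnego_ccache:
           type: string
           description: Credential cache to use for SPNEGO in form type:residual
-        password_login_enabled:
-          type: boolean
-          description: Enable the passwword authentication backend
         password_login_update_internal_password:
           type: boolean
           description: If enabled, the authentik-stored password will be updated upon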
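--- a/web/src/admin/sources/kerberos/KerberosSourceConnectivity.ts
+++ b/web/src/admin/sources/kerberos/KerberosSourceConnectivity.ts
@@ -27,13 +27,7 @@ export class KerberosSourceConnectivity extends AKElement {
         }
         return html`<ul class="pf-c-list">
             ${Object.keys(this.connectivity).map((serverKey) => {
-                let serverLabel = html`${serverKey}`;
-                if (serverKey === "__all__") {
-                    serverLabel = html`<b>${msg("Global status")}</b>`;
-                }
-                const server = this.connectivity![serverKey];
-                const content = html`${serverLabel}: ${server.status}`;
-                return html`<li>${content}</li>`;
+                return html`<li>${serverKey}: ${this.connectivity![serverKey]}</li>`;
             })}
         </ul>`;
     }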
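Review bot: The new `<li>` interpolates `this.connectivity![serverKey]` directly where the removed code rendered `server.status`; unless the generated API type for `connectivity` changed from an object with a `status` field to a plain string (that change is not in this diff), lit will print `[object Object]` for every server. If the type did change, a one-line comment such as `// connectivity values are plain status strings since the API change` would spare the next reader the same check. Dropping the `__all__` → "Global status" label also means the aggregate entry now appears under its raw key, which may be intended but is user-visible. The enclosing method starts before the hunk.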
