Merge branch 'main' into web/policy-wizard-3
* main:
  providers/oauth2: add indexes on tokens (#11524)
  website/scripts/docsmg: final version (#11501)
  web: bump ts-pattern from 5.3.1 to 5.4.0 in /web (#11512)
  web: bump @sentry/browser from 8.31.0 to 8.32.0 in /web in the sentry group across 1 directory (#11510)
  web: bump @types/node from 22.7.0 to 22.7.2 in /web (#11511)
  translate: Updates for file locale/en/LC_MESSAGES/django.po in zh_CN (#11516)
  web: bump @types/jquery from 3.5.30 to 3.5.31 in /web (#11513)
  web: bump @types/jquery from 3.5.30 to 3.5.31 in /web/sfe (#11514)
  translate: Updates for file web/xliff/en.xlf in zh_CN (#11517)
  core: bump twilio from 9.3.1 to 9.3.2 (#11515)
  translate: Updates for file web/xliff/en.xlf in zh-Hans (#11518)
  translate: Updates for file locale/en/LC_MESSAGES/django.po in zh-Hans (#11519)
  website: bump @types/react from 18.3.8 to 18.3.9 in /website (#11502)
  core: bump debugpy from 1.8.5 to 1.8.6 (#11503)
  core: bump google-api-python-client from 2.146.0 to 2.147.0 (#11504)
  web: bump @types/node from 22.6.1 to 22.7.0 in /web (#11505)
  core, web: update translations (#11500)
  sources/ldap: fix mapping check, fix debug endpoint (#11442)
kensternberg-authentik committed Sep 26, 2024
2 parents 13e1c3f + 035648f commit 63b50bd
Showing 41 changed files with 3,907 additions and 5,870 deletions.
@@ -0,0 +1,23 @@
# Generated by Django 5.0.9 on 2024-09-26 16:25

from django.conf import settings
from django.db import migrations, models


class Migration(migrations.Migration):

dependencies = [
("authentik_providers_oauth2", "0018_alter_accesstoken_expires_and_more"),
migrations.swappable_dependency(settings.AUTH_USER_MODEL),
]

operations = [
migrations.AddIndex(
model_name="accesstoken",
index=models.Index(fields=["token"], name="authentik_p_token_4bc870_idx"),
),
migrations.AddIndex(
model_name="refreshtoken",
index=models.Index(fields=["token"], name="authentik_p_token_1a841f_idx"),
),
]
6 changes: 6 additions & 0 deletions authentik/providers/oauth2/models.py
Expand Up @@ -376,6 +376,9 @@ class AccessToken(SerializerModel, ExpiringModel, BaseGrantModel):
_id_token = models.TextField()

class Meta:
indexes = [
models.Index(fields=["token"]),
]
verbose_name = _("OAuth2 Access Token")
verbose_name_plural = _("OAuth2 Access Tokens")

Expand Down Expand Up @@ -419,6 +422,9 @@ class RefreshToken(SerializerModel, ExpiringModel, BaseGrantModel):
_id_token = models.TextField(verbose_name=_("ID Token"))

class Meta:
indexes = [
models.Index(fields=["token"]),
]
verbose_name = _("OAuth2 Refresh Token")
verbose_name_plural = _("OAuth2 Refresh Tokens")

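Review bot: The new `indexes` entries on `AccessToken.Meta` and on `RefreshToken.Meta` in the second hunk index the full `token` value; the field's declaration is outside the hunk, but if it is a TextField that can hold a signed JWT, a PostgreSQL btree entry is capped at roughly a third of a page (about 2.7 KB), so an oversized token would be rejected at the index rather than at the column. If tokens can grow that large, indexing a fixed-length digest of the token instead keeps the lookup fast without the cap. Either way a one-line why-comment on each `models.Index(fields=["token"])` would help the next reader, e.g. `# btree on the raw token value; the AddIndex migration carries the generated index name.`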
37 changes: 29 additions & 8 deletions authentik/sources/ldap/api.py
Expand Up @@ -3,6 +3,7 @@
from typing import Any

from django.core.cache import cache
from django.utils.translation import gettext_lazy as _
from drf_spectacular.utils import extend_schema, inline_serializer
from guardian.shortcuts import get_objects_for_user
from rest_framework.decorators import action
Expand Down Expand Up @@ -39,21 +40,40 @@ def get_connectivity(self, source: LDAPSource) -> dict[str, dict[str, str]] | No
"""Get cached source connectivity"""
return cache.get(CACHE_KEY_STATUS + source.slug, None)

def validate(self, attrs: dict[str, Any]) -> dict[str, Any]:
def validate_sync_users_password(self, sync_users_password: bool) -> bool:
"""Check that only a single source has password_sync on"""
sync_users_password = attrs.get("sync_users_password", True)
if sync_users_password:
sources = LDAPSource.objects.filter(sync_users_password=True)
if self.instance:
sources = sources.exclude(pk=self.instance.pk)
if sources.exists():
raise ValidationError(
{
"sync_users_password": (
"sync_users_password": _(
"Only a single LDAP Source with password synchronization is allowed"
)
}
)
return sync_users_password

def validate(self, attrs: dict[str, Any]) -> dict[str, Any]:
"""Validate property mappings with sync_ flags"""
types = ["user", "group"]
for type in types:
toggle_value = attrs.get(f"sync_{type}s", False)
mappings_field = f"{type}_property_mappings"
mappings_value = attrs.get(mappings_field, [])
if toggle_value and len(mappings_value) == 0:
raise ValidationError(
{
mappings_field: _(
(
"When 'Sync {type}s' is enabled, '{type}s property "
"mappings' cannot be empty."
).format(type=type)
)
}
)
return super().validate(attrs)

class Meta:
Expand Down Expand Up @@ -166,11 +186,12 @@ def debug(self, request: Request, slug: str) -> Response:
for sync_class in SYNC_CLASSES:
class_name = sync_class.name()
all_objects.setdefault(class_name, [])
for obj in sync_class(source).get_objects(size_limit=10):
obj: dict
obj.pop("raw_attributes", None)
obj.pop("raw_dn", None)
all_objects[class_name].append(obj)
for page in sync_class(source).get_objects(size_limit=10):
for obj in page:
obj: dict
obj.pop("raw_attributes", None)
obj.pop("raw_dn", None)
all_objects[class_name].append(obj)
return Response(data=all_objects)


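Review bot: In `validate` (second hunk) the mappings error message is built with `.format(type=type)` before it is passed to `_()`, so the msgid only exists at runtime and `makemessages` cannot extract it — the locale hunks in this commit pick up the new "password synchronization" string but not this one, so it will never be translated; two literal messages, one per type, keep the strings extractable. Separately, the check reads only `attrs`: if this serializer is also used for partial updates, `attrs.get("sync_users", False)` and `attrs.get(..., [])` ignore the stored instance, so a PATCH that only flips `sync_users` on would be rejected even when mappings already exist, while a PATCH that only empties the mappings would pass; `validate_sync_users_password` in the same hunk already consults `self.instance`, and the same fallback fits here. The loop variable `type` also shadows the builtin.
```python
    def validate(self, attrs: dict[str, Any]) -> dict[str, Any]:
        """Validate property mappings with sync_ flags"""
        # Literal messages so makemessages can extract them; never format before _()
        checks = (
            ("user", _("When 'Sync users' is enabled, 'users property mappings' cannot be empty.")),
            ("group", _("When 'Sync groups' is enabled, 'groups property mappings' cannot be empty.")),
        )
        for kind, message in checks:
            toggle_field = f"sync_{kind}s"
            mappings_field = f"{kind}_property_mappings"
            # Fall back to the stored instance for fields absent from a partial update
            toggle_value = attrs.get(toggle_field, getattr(self.instance, toggle_field, False))
            if mappings_field in attrs:
                has_mappings = len(attrs[mappings_field]) > 0
            else:
                has_mappings = bool(self.instance) and getattr(self.instance, mappings_field).exists()
            if toggle_value and not has_mappings:
                raise ValidationError({mappings_field: message})
        return super().validate(attrs)
```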
9 changes: 4 additions & 5 deletions authentik/sources/ldap/signals.py
Expand Up @@ -26,17 +26,16 @@ def sync_ldap_source_on_save(sender, instance: LDAPSource, **_):
"""Ensure that source is synced on save (if enabled)"""
if not instance.enabled:
return
ldap_connectivity_check.delay(instance.pk)
# Don't sync sources when they don't have any property mappings. This will only happen if:
# - the user forgets to set them or
# - the source is newly created, this is the first save event
# and the mappings are created with an m2m event
if (
not instance.user_property_mappings.exists()
or not instance.group_property_mappings.exists()
):
if instance.sync_users and not instance.user_property_mappings.exists():
return
if instance.sync_groups and not instance.group_property_mappings.exists():
return
ldap_sync_single.delay(instance.pk)
ldap_connectivity_check.delay(instance.pk)


@receiver(password_validate)
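Review bot: The comment block above the new per-flag checks in `sync_ldap_source_on_save` still describes the old all-or-nothing condition ("when they don't have any property mappings"), while the code now skips the sync only when a sync flag is enabled for a type whose mappings are missing; the bullet about the first save event and the m2m event is still accurate. Suggest rewording the first line to `# Don't sync a source when a sync flag is enabled but its property mappings are empty. This will only happen if:` so the comment matches the two `return` branches. The connectivity check also appears to be queued before those early returns now, so the docstring `"""Ensure that source is synced on save (if enabled)"""` could note that the connectivity check is dispatched for every enabled source, synced or not.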
32 changes: 32 additions & 0 deletions authentik/sources/ldap/tests/test_api.py
Expand Up @@ -50,3 +50,35 @@ def test_sync_users_password_invalid(self):
}
)
self.assertFalse(serializer.is_valid())

def test_sync_users_mapping_empty(self):
"""Check that when sync_users is enabled, property mappings must be set"""
serializer = LDAPSourceSerializer(
data={
"name": "foo",
"slug": " foo",
"server_uri": "ldaps://1.2.3.4",
"bind_cn": "",
"bind_password": LDAP_PASSWORD,
"base_dn": "dc=foo",
"sync_users": True,
"user_property_mappings": [],
}
)
self.assertFalse(serializer.is_valid())

def test_sync_groups_mapping_empty(self):
"""Check that when sync_groups is enabled, property mappings must be set"""
serializer = LDAPSourceSerializer(
data={
"name": "foo",
"slug": " foo",
"server_uri": "ldaps://1.2.3.4",
"bind_cn": "",
"bind_password": LDAP_PASSWORD,
"base_dn": "dc=foo",
"sync_groups": True,
"group_property_mappings": [],
}
)
self.assertFalse(serializer.is_valid())
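Review bot: Both new tests build the serializer with `"slug": " foo"` (leading space); if `slug` is validated as a slug, that field alone makes `is_valid()` return False, so `assertFalse(serializer.is_valid())` passes whether or not the new mapping check fires. Using a valid slug and asserting on the specific error key pins the behaviour under test, e.g. `"slug": "foo",` together with `self.assertIn("user_property_mappings", serializer.errors)` in `test_sync_users_mapping_empty` and the `group_property_mappings` key in `test_sync_groups_mapping_empty`. The enclosing test class begins outside the hunk, and the preceding `test_sync_users_password_invalid` may carry the same slug value.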
6 changes: 5 additions & 1 deletion locale/en/LC_MESSAGES/django.po
Expand Up @@ -8,7 +8,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2024-09-08 00:09+0000\n"
"POT-Creation-Date: 2024-09-25 00:08+0000\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
Expand Down Expand Up @@ -1849,6 +1849,10 @@ msgstr ""
msgid "Used recovery-link to authenticate."
msgstr ""

#: authentik/sources/ldap/api.py
msgid "Only a single LDAP Source with password synchronization is allowed"
msgstr ""

#: authentik/sources/ldap/models.py
msgid "Server URI"
msgstr ""
6 changes: 5 additions & 1 deletion locale/zh-Hans/LC_MESSAGES/django.po
Expand Up @@ -15,7 +15,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2024-09-08 00:09+0000\n"
"POT-Creation-Date: 2024-09-25 00:08+0000\n"
"PO-Revision-Date: 2022-09-26 16:47+0000\n"
"Last-Translator: deluxghost, 2024\n"
"Language-Team: Chinese Simplified (https://app.transifex.com/authentik/teams/119923/zh-Hans/)\n"
Expand Down Expand Up @@ -1882,6 +1882,10 @@ msgstr "创建一个密钥,可用于恢复对 authentik 的访问权限。"
msgid "Used recovery-link to authenticate."
msgstr "已使用恢复链接进行身份验证。"

#: authentik/sources/ldap/api.py
msgid "Only a single LDAP Source with password synchronization is allowed"
msgstr "仅允许使用密码同步的单个 LDAP 源"

#: authentik/sources/ldap/models.py
msgid "Server URI"
msgstr "服务器 URI"
6 changes: 5 additions & 1 deletion locale/zh_CN/LC_MESSAGES/django.po
Expand Up @@ -14,7 +14,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2024-09-08 00:09+0000\n"
"POT-Creation-Date: 2024-09-25 00:08+0000\n"
"PO-Revision-Date: 2022-09-26 16:47+0000\n"
"Last-Translator: deluxghost, 2024\n"
"Language-Team: Chinese (China) (https://app.transifex.com/authentik/teams/119923/zh_CN/)\n"
Expand Down Expand Up @@ -1881,6 +1881,10 @@ msgstr "创建一个密钥,可用于恢复对 authentik 的访问权限。"
msgid "Used recovery-link to authenticate."
msgstr "已使用恢复链接进行身份验证。"

#: authentik/sources/ldap/api.py
msgid "Only a single LDAP Source with password synchronization is allowed"
msgstr "仅允许使用密码同步的单个 LDAP 源"

#: authentik/sources/ldap/models.py
msgid "Server URI"
msgstr "服务器 URI"
58 changes: 29 additions & 29 deletions poetry.lock
