core: improve messaging on flow_manager, authenticate user when they linked their account after not having been authenticateed

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

Makefile

@@ -1,4 +1,4 @@
-all: lint-fix lint coverage gen
+all: lint-fix lint test gen
 
 test-integration:
 	k3d cluster create || exit 0
@@ -8,7 +8,7 @@ test-integration:
 test-e2e:
 	coverage run manage.py test --failfast -v 3 tests/e2e
 
-coverage:
+test:
 	coverage run manage.py test -v 3 authentik
 	coverage html
 	coverage report

authentik/core/sources/flow_manager.py

@@ -134,7 +134,9 @@ class SourceFlowManager:
             SourceUserMatchingModes.EMAIL_DENY,
             SourceUserMatchingModes.USERNAME_DENY,
         ]:
+            self._logger.info("denying source because user exists", user=user)
             return Action.DENY, None
+        # Should never get here as default enroll case is returned above.
         return Action.DENY, None
 
     def update_connection(
@@ -146,17 +148,25 @@ class SourceFlowManager:
     def get_flow(self, **kwargs) -> HttpResponse:
         """Get the flow response based on user_matching_mode"""
         action, connection = self.get_action()
-        if action == Action.LINK:
-            self._logger.debug("Linking existing user")
-            return self.handle_existing_user_link()
         if not connection:
             return redirect("/")
+        if action == Action.LINK:
+            self._logger.debug("Linking existing user")
+            return self.handle_existing_user_link(connection)
         if action == Action.AUTH:
             self._logger.debug("Handling auth user")
             return self.handle_auth_user(connection)
         if action == Action.ENROLL:
             self._logger.debug("Handling enrollment of new user")
             return self.handle_enroll(connection)
+        # Default case, assume deny
+        messages.error(
+            self.request,
+            _(
+                "Request to authenticate with %(source)s has been denied!"
+                % {"source": self.source.name}
+            ),
+        )
         return redirect("/")
 
     # pylint: disable=unused-argument
@@ -216,9 +226,11 @@ class SourceFlowManager:
 
     def handle_existing_user_link(
         self,
+        connection: UserSourceConnection,
     ) -> HttpResponse:
         """Handler when the user was already authenticated and linked an external source
         to their account."""
+        # Connection has already been saved
         Event.new(
             EventAction.SOURCE_LINKED,
             message="Linked Source",
@@ -228,6 +240,9 @@ class SourceFlowManager:
             self.request,
             _("Successfully linked %(source)s!" % {"source": self.source.name}),
         )
+        # When request isn't authenticated we jump straight to auth
+        if not self.request.user.is_authenticated:
+            return self.handle_auth_user(connection)
         return redirect(
             reverse(
                 "authentik_core:if-admin",

azure-pipelines.yml

@@ -201,7 +201,7 @@ stages:
             displayName: Run full test suite
             inputs:
               script: |
-                pipenv run make coverage
+                pipenv run make test
           - task: CmdLine@2
             inputs:
               script: |

internal/web/web_proxy.go

@@ -11,6 +11,7 @@ func (ws *WebServer) configureProxy() {
 	u, _ := url.Parse("http://localhost:8000")
 	rp := httputil.NewSingleHostReverseProxy(u)
 	rp.ErrorHandler = ws.proxyErrorHandler
+	rp.ModifyResponse = ws.proxyModifyResponse
 	ws.m.PathPrefix("/").Handler(rp)
 }
 
@@ -18,3 +19,8 @@ func (ws *WebServer) proxyErrorHandler(rw http.ResponseWriter, req *http.Request
 	ws.log.WithError(err).Warning("proxy error")
 	rw.WriteHeader(http.StatusBadGateway)
 }
+
+func (ws *WebServer) proxyModifyResponse(r *http.Response) error {
+	r.Header.Set("X-authentik-from", "authentik")
+	return nil
+}

website/docs/releases/v2021.4.md

@@ -40,7 +40,6 @@ slug: "2021.4"
 
 - You can now specify the amount of processes started in docker-compose using the `WORKERS` environment variable.
 
-
 ## Fixed in 2021.4.2
 
 - core: fix propertymapping API returning invalid value for components (https://github.com/goauthentik/authentik/issues/746)
@@ -134,8 +133,8 @@ This release does not introduce any new requirements.
 
 ### docker-compose
 
-Download the latest docker-compose file from [here](https://raw.githubusercontent.com/goauthentik/authentik/version-2021.4/docker-compose.yml). Afterwards, simply run `docker-compose up -d` and then the standard upgrade command of `docker-compose run --rm server migrate`.
+Download the latest docker-compose file from [here](https://raw.githubusercontent.com/goauthentik/authentik/version-2021.4/docker-compose.yml). Afterwards, simply run `docker-compose up -d`.
 
 ### Kubernetes
 
-Run `helm repo update` and then upgrade your release with `helm upgrade authentik authentik/authentik --devel -f values.yaml`.
+Run `helm repo update` and then upgrade your release with `helm upgrade authentik authentik/authentik -f values.yaml`.