stages/user_write: add option to add newly created users to a group

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

Makefile

@@ -62,7 +62,7 @@ gen-outpost:
 		--additional-properties=packageName=api,enumClassPrefix=true,useOneOfDiscriminatorLookup=true,disallowAdditionalPropertiesIfNotPresent=false
 	rm -f api/go.mod api/go.sum
 
-gen: gen-build gen-clean gen-web gen-outpost
+gen: gen-build gen-clean gen-web
 
 migrate:
 	python -m lifecycle.migrate

authentik/stages/user_write/api.py

@@ -12,7 +12,7 @@ class UserWriteStageSerializer(StageSerializer):
     class Meta:
 
         model = UserWriteStage
-        fields = StageSerializer.Meta.fields + ["create_users_as_inactive"]
+        fields = StageSerializer.Meta.fields + ["create_users_as_inactive", "create_users_group"]
 
 
 class UserWriteStageViewSet(UsedByMixin, ModelViewSet):

authentik/stages/user_write/migrations/0004_userwritestage_create_users_group.py

@@ -0,0 +1,26 @@
+# Generated by Django 3.2.7 on 2021-09-14 19:27
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0028_alter_token_intent"),
+        ("authentik_stages_user_write", "0003_userwritestage_create_users_as_inactive"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="userwritestage",
+            name="create_users_group",
+            field=models.ForeignKey(
+                default=None,
+                help_text="Optionally add newly created users to this group.",
+                null=True,
+                on_delete=django.db.models.deletion.SET_DEFAULT,
+                to="authentik_core.group",
+            ),
+        ),
+    ]

authentik/stages/user_write/models.py

@@ -6,6 +6,7 @@ from django.utils.translation import gettext_lazy as _
 from django.views import View
 from rest_framework.serializers import BaseSerializer
 
+from authentik.core.models import Group
 from authentik.flows.models import Stage
 
 
@@ -18,6 +19,14 @@ class UserWriteStage(Stage):
         help_text=_("When set, newly created users are inactive and cannot login."),
     )
 
+    create_users_group = models.ForeignKey(
+        Group,
+        null=True,
+        default=None,
+        on_delete=models.SET_DEFAULT,
+        help_text=_("Optionally add newly created users to this group."),
+    )
+
     @property
     def serializer(self) -> BaseSerializer:
         from authentik.stages.user_write.api import UserWriteStageSerializer

authentik/stages/user_write/stage.py

@@ -92,6 +92,8 @@ class UserWriteStageView(StageView):
         try:
             with transaction.atomic():
                 user.save()
+                if self.executor.current_stage.create_users_group:
+                    user.ak_groups.add(self.executor.current_stage.create_users_group)
         except IntegrityError as exc:
             LOGGER.warning("Failed to save user", exc=exc)
             return self.executor.stage_invalid()

authentik/stages/user_write/tests.py

@@ -7,7 +7,7 @@ from django.urls import reverse
 from django.utils.encoding import force_str
 from rest_framework.test import APITestCase
 
-from authentik.core.models import USER_ATTRIBUTE_SOURCES, Source, User, UserSourceConnection
+from authentik.core.models import USER_ATTRIBUTE_SOURCES, Group, Source, User, UserSourceConnection
 from authentik.core.sources.stage import PLAN_CONTEXT_SOURCES_CONNECTION
 from authentik.flows.challenge import ChallengeTypes
 from authentik.flows.markers import StageMarker
@@ -29,7 +29,10 @@ class TestUserWriteStage(APITestCase):
             slug="test-write",
             designation=FlowDesignation.AUTHENTICATION,
         )
-        self.stage = UserWriteStage.objects.create(name="write")
+        self.group = Group.objects.create(name="test-group")
+        self.stage = UserWriteStage.objects.create(
+            name="write", create_users_as_inactive=True, create_users_group=self.group
+        )
         self.binding = FlowStageBinding.objects.create(target=self.flow, stage=self.stage, order=2)
         self.source = Source.objects.create(name="fake_source")
 
@@ -67,6 +70,7 @@ class TestUserWriteStage(APITestCase):
         user_qs = User.objects.filter(username=plan.context[PLAN_CONTEXT_PROMPT]["username"])
         self.assertTrue(user_qs.exists())
         self.assertTrue(user_qs.first().check_password(password))
+        self.assertEqual(list(user_qs.first().ak_groups.all()), [self.group])
         self.assertEqual(user_qs.first().attributes, {USER_ATTRIBUTE_SOURCES: [self.source.name]})
 
     def test_user_update(self):

schema.yml

@@ -17949,6 +17949,11 @@ paths:
         name: create_users_as_inactive
         schema:
           type: boolean
+      - in: query
+        name: create_users_group
+        schema:
+          type: string
+          format: uuid
       - in: query
         name: name
         schema:
@@ -26628,6 +26633,11 @@ components:
         create_users_as_inactive:
           type: boolean
           description: When set, newly created users are inactive and cannot login.
+        create_users_group:
+          type: string
+          format: uuid
+          nullable: true
+          description: Optionally add newly created users to this group.
     PatchedWebAuthnDeviceRequest:
       type: object
       description: Serializer for WebAuthn authenticator devices
@@ -29283,6 +29293,11 @@ components:
         create_users_as_inactive:
           type: boolean
           description: When set, newly created users are inactive and cannot login.
+        create_users_group:
+          type: string
+          format: uuid
+          nullable: true
+          description: Optionally add newly created users to this group.
       required:
       - component
       - name
@@ -29302,6 +29317,11 @@ components:
         create_users_as_inactive:
           type: boolean
           description: When set, newly created users are inactive and cannot login.
+        create_users_group:
+          type: string
+          format: uuid
+          nullable: true
+          description: Optionally add newly created users to this group.
       required:
       - name
     ValidationError:

web/src/locales/en.po

@@ -1888,6 +1888,7 @@ msgstr "Go to previous page"
 #: src/pages/policies/PolicyBindingForm.ts
 #: src/pages/policies/PolicyBindingForm.ts
 #: src/pages/providers/ldap/LDAPProviderForm.ts
+#: src/pages/stages/user_write/UserWriteStageForm.ts
 msgid "Group"
 msgstr "Group"
 
@@ -2371,6 +2372,7 @@ msgstr "Loading"
 #: src/pages/stages/password/PasswordStageForm.ts
 #: src/pages/stages/prompt/PromptStageForm.ts
 #: src/pages/stages/prompt/PromptStageForm.ts
+#: src/pages/stages/user_write/UserWriteStageForm.ts
 #: src/pages/tenants/TenantForm.ts
 #: src/pages/tenants/TenantForm.ts
 #: src/pages/tenants/TenantForm.ts
@@ -2644,6 +2646,10 @@ msgstr "Negates the outcome of the binding. Messages are unaffected."
 msgid "New version available!"
 msgstr "New version available!"
 
+#: src/pages/stages/user_write/UserWriteStageForm.ts
+msgid "Newly created users are added to this group, if a group is selected."
+msgstr "Newly created users are added to this group, if a group is selected."
+
 #: src/elements/oauth/UserRefreshList.ts
 #: src/pages/applications/ApplicationCheckAccessForm.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts

web/src/locales/pseudo-LOCALE.po

@@ -1880,6 +1880,7 @@ msgstr ""
 #: src/pages/policies/PolicyBindingForm.ts
 #: src/pages/policies/PolicyBindingForm.ts
 #: src/pages/providers/ldap/LDAPProviderForm.ts
+#: src/pages/stages/user_write/UserWriteStageForm.ts
 msgid "Group"
 msgstr ""
 
@@ -2363,6 +2364,7 @@ msgstr ""
 #: src/pages/stages/password/PasswordStageForm.ts
 #: src/pages/stages/prompt/PromptStageForm.ts
 #: src/pages/stages/prompt/PromptStageForm.ts
+#: src/pages/stages/user_write/UserWriteStageForm.ts
 #: src/pages/tenants/TenantForm.ts
 #: src/pages/tenants/TenantForm.ts
 #: src/pages/tenants/TenantForm.ts
@@ -2636,6 +2638,10 @@ msgstr ""
 msgid "New version available!"
 msgstr ""
 
+#: src/pages/stages/user_write/UserWriteStageForm.ts
+msgid "Newly created users are added to this group, if a group is selected."
+msgstr ""
+
 #: src/elements/oauth/UserRefreshList.ts
 #: src/pages/applications/ApplicationCheckAccessForm.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts

web/src/pages/stages/user_write/UserWriteStageForm.ts

@@ -1,4 +1,4 @@
-import { UserWriteStage, StagesApi } from "@goauthentik/api";
+import { UserWriteStage, StagesApi, CoreApi } from "@goauthentik/api";
 import { t } from "@lingui/macro";
 import { customElement } from "lit-element";
 import { html, TemplateResult } from "lit-html";
@@ -8,6 +8,7 @@ import "../../../elements/forms/HorizontalFormElement";
 import "../../../elements/forms/FormGroup";
 import { ModelForm } from "../../../elements/forms/ModelForm";
 import { first } from "../../../utils";
+import { until } from "lit-html/directives/until";
 
 @customElement("ak-stage-user-write-form")
 export class UserWriteStageForm extends ModelForm<UserWriteStage, string> {
@@ -70,6 +71,33 @@ export class UserWriteStageForm extends ModelForm<UserWriteStage, string> {
                             ${t`Mark newly created users as inactive.`}
                         </p>
                     </ak-form-element-horizontal>
+                    <ak-form-element-horizontal label=${t`Group`} name="searchGroup">
+                        <select class="pf-c-form-control">
+                            <option
+                                value=""
+                                ?selected=${this.instance?.createUsersGroup === undefined}
+                            >
+                                ---------
+                            </option>
+                            ${until(
+                                new CoreApi(DEFAULT_CONFIG).coreGroupsList({}).then((groups) => {
+                                    return groups.results.map((group) => {
+                                        return html`<option
+                                            value=${ifDefined(group.pk)}
+                                            ?selected=${this.instance?.createUsersGroup ===
+                                            group.pk}
+                                        >
+                                            ${group.name}
+                                        </option>`;
+                                    });
+                                }),
+                                html`<option>${t`Loading...`}</option>`,
+                            )}
+                        </select>
+                        <p class="pf-c-form__helper-text">
+                            ${t`Newly created users are added to this group, if a group is selected.`}
+                        </p>
+                    </ak-form-element-horizontal>
                 </div>
             </ak-form-group>
         </form>`;