make sure embedded outpost is disabled when tenants are enabled

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
This commit is contained in:
Marc 'risson' Schmitt 2023-12-04 07:53:13 +01:00
parent e14f1e2cfb
commit fc851a8eff
No known key found for this signature in database
GPG Key ID: 9C3FA22FABF1AA8D
5 changed files with 33 additions and 17 deletions

View File

@ -111,9 +111,8 @@ cert_discovery_dir: /certs
default_token_length: 60 default_token_length: 60
tenants: tenants:
api:
enabled: false enabled: false
key: "" api_key: ""
blueprints_dir: /blueprints blueprints_dir: /blueprints

View File

@ -1,6 +1,7 @@
"""Serializer for tenants models""" """Serializer for tenants models"""
from hmac import compare_digest from hmac import compare_digest
from django.http import Http404
from django_tenants.utils import get_tenant from django_tenants.utils import get_tenant
from rest_framework import permissions from rest_framework import permissions
from rest_framework.authentication import get_authorization_header from rest_framework.authentication import get_authorization_header
@ -23,7 +24,7 @@ class TenantManagementKeyPermission(permissions.BasePermission):
def has_permission(self, request: Request, view: View) -> bool: def has_permission(self, request: Request, view: View) -> bool:
token = validate_auth(get_authorization_header(request)) token = validate_auth(get_authorization_header(request))
key = CONFIG.get("tenants.api.key") key = CONFIG.get("tenants.api_key")
if compare_digest("", key): if compare_digest("", key):
return False return False
return compare_digest(token, key) return compare_digest(token, key)
@ -55,6 +56,11 @@ class TenantViewSet(ModelViewSet):
permission_classes = [TenantManagementKeyPermission] permission_classes = [TenantManagementKeyPermission]
filter_backends = [OrderingFilter, SearchFilter] filter_backends = [OrderingFilter, SearchFilter]
def dispatch(self, request, *args, **kwargs):
if not CONFIG.get_bool("tenants.enabled", True):
return Http404()
return super().dispatch(request, *args, **kwargs)
class DomainSerializer(ModelSerializer): class DomainSerializer(ModelSerializer):
"""Domain Serializer""" """Domain Serializer"""

View File

@ -0,0 +1,17 @@
from django.core.checks import Error, register
from authentik.lib.config import CONFIG
@register()
def check_embedded_outpost_disabled(app_configs, **kwargs):
if CONFIG.get_bool("tenants.enabled", False) and not CONFIG.get_bool(
"outposts.disable_embedded_outpost"
):
return [
Error(
"Embedded outpost must be disabled when tenants API is enabled.",
hint="Disable embedded outpost by setting outposts.disable_embedded_outpost to False, or disable the tenants API by setting tenants.enabled to False",
)
]
return []

View File

@ -1,17 +1,12 @@
"""API URLs""" """API URLs"""
from django.urls import path from django.urls import path
from authentik.lib.config import CONFIG
from authentik.tenants.api import SettingsView, TenantViewSet from authentik.tenants.api import SettingsView, TenantViewSet
api_urlpatterns = [ api_urlpatterns = [
path("admin/settings/", SettingsView.as_view(), name="tenant_settings"), path("admin/settings/", SettingsView.as_view(), name="tenant_settings"),
]
if CONFIG.get_bool("tenants.api.enabled", False):
api_urlpatterns += [
( (
"tenants", "tenants",
TenantViewSet, TenantViewSet,
), ),
] ]

View File

@ -14,15 +14,14 @@ with open("local.env.yml", "w", encoding="utf-8") as _config:
}, },
"outposts": { "outposts": {
"container_image_base": "ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s", "container_image_base": "ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s",
"disable_embedded_outpost": False,
}, },
"blueprints_dir": "./blueprints", "blueprints_dir": "./blueprints",
"cert_discovery_dir": "./certs", "cert_discovery_dir": "./certs",
"geoip": "tests/GeoLite2-City-Test.mmdb", "geoip": "tests/GeoLite2-City-Test.mmdb",
"tenants": { "tenants": {
"api": { "enabled": False,
"enabled": True, "api_key": generate_id(),
"key": generate_id(),
},
}, },
}, },
_config, _config,