trustchain-oc1-orchestral/authentik
Archived
10
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity
This repository has been archived on 2024-05-31. You can view files and clone it, but cannot push or open issues or pull requests.
authentik/website/docs/policies/expression.md
Jens L 1cfe1aff13
wip: rename to authentik (#361) 
* root: initial rename

* web: rename custom element prefix

* root: rename external functions with pb_ prefix

* root: fix formatting

* root: replace domain with goauthentik.io

* proxy: update path

* root: rename remaining prefixes

* flows: rename file extension

* root: pbadmin -> akadmin

* docs: fix image filenames

* lifecycle: ignore migration files

* ci: copy default config from current source before loading last tagged

* *: new sentry dsn

* tests: fix missing python3.9-dev package

* root: add additional migrations for service accounts created by outposts

* core: mark system-created service accounts with attribute

* policies/expression: fix pb_ replacement not working

* web: fix last linting errors, add lit-analyse

* policies/expressions: fix lint errors

* web: fix sidebar display on screens where not all items fit

* proxy: attempt to fix proxy pipeline

* proxy: use go env GOPATH to get gopath

* lib: fix user_default naming inconsistency

* docs: add upgrade docs

* docs: update screenshots to use authentik

* admin: fix create button on empty-state of outpost

* web: fix modal submit not refreshing SiteShell and Table

* web: fix height of app-card and height of generic icon

* web: fix rendering of subtext

* admin: fix version check error not being caught

* web: fix worker count not being shown

* docs: update screenshots

* root: new icon

* web: fix lint error

* admin: fix linting error

* root: migrate coverage config to pyproject
2020-12-05 22:08:42 +01:00

1.8 KiB
Raw Blame History

title
Expression Policies

:::note These variables are available in addition to the common variables/functions defined in Expressions :::

The passing of the policy is determined by the return value of the code. Use return True to pass a policy and return False to fail it.

Available Functions

ak_message(message: str)

Add a message, visible by the end user. This can be used to show the reason why they were denied.

Example:

ak_message("Access denied")
return False

Context variables

  • request: A PolicyRequest object, which has the following properties:

    • request.user: The current user, against which the policy is applied. (ref)
    • request.http_request: The Django HTTP Request. (ref)
    • request.obj: A Django Model instance. This is only set if the policy is ran against an object.
    • request.context: A dictionary with dynamic data. This depends on the origin of the execution.

  • ak_is_sso_flow: Boolean which is true if request was initiated by authenticating through an external provider.

  • ak_client_ip: Client's IP Address or 255.255.255.255 if no IP Address could be extracted. Can be compared, for example

    return ak_client_ip in ip_network('10.0.0.0/24')

Additionally, when the policy is executed from a flow, every variable from the flow's current context is accessible under the context object.

This includes the following:

  • prompt_data: Data which has been saved from a prompt stage or an external source.
  • application: The application the user is in the process of authorizing.
  • pending_user: The currently pending user