policies: add GeoIP policy

[gergosimonyi]

Closes #4433

Introduces the new GeoIP policy with the functionality to match client ASN or country (for now).

Opening a draft of this for a high-level overview. There are still many details to iron out like

• Back-end tests
• Handle disabled geoip
• Handle IP missing in geoip database
• Handle empty lists of ASNs and countries
• Translations
• Types on web
• Multiselect on web

---

Checklist

• Local tests pass (ak test authentik/)
• The code has been formatted (make lint-fix)

If an API change has been made

• The API schema has been updated (make gen-build)

If changes to the frontend have been made

• The code has been formatted (make web)

If applicable

• The documentation has been updated
• The documentation has been formatted (make website)

[netlify]

✅ Deploy Preview for authentik-docs ready!

Name	Link
🔨 Latest commit	063a55a
🔍 Latest deploy log	https://app.netlify.com/sites/authentik-docs/deploys/66b0ebb1691e850008eaefb3
😎 Deploy Preview	https://deploy-preview-10454--authentik-docs.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[netlify]

✅ Deploy Preview for authentik-storybook ready!

Name	Link
🔨 Latest commit	063a55a
🔍 Latest deploy log	https://app.netlify.com/sites/authentik-storybook/deploys/66b0ebb1c0088900088ddefb
😎 Deploy Preview	https://deploy-preview-10454--authentik-storybook.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[gergosimonyi]

An alternative to this is adding a dependency like iso3166 or django-countries.

Since ISO 3166 changes infrequently, I erred on the side of fewer dependencies.

[BeryJu]

I don't mind adding a dependency for this, especially since we should add gettext calls to all these humanized names, and some dependency might have full translation for all the country names already

[gergosimonyi]

Added django-countries. I'm unfamiliar with drf-spectacular and needed a bit of dark magic to make it work. If there's an easier way, let me know.

[gergosimonyi]

The use of an async function here for a static list of 2 is probably the worst part of this PR. I'll look to improve this.

[kensternberg-authentik]

Yeah, search select is specifically for complex objects that have subtitles and complex interactions. Consider using a Switch for a boolean choice, or if the ergonomics are bad (it's sometimes hard to word), a Radio.

[gergosimonyi]

Defaults should be part of the back-end. Also some botched types here.

[kensternberg-authentik]

Yeah, I'm looking at this and thinking that I'm seeing a lot of mixed messages compared to the types generated from the schema. You shouldn't have to be splitting anything; the API should be giving those to you, and the TypeScript definitions in GeoIPPolicy.ts say getting strings where arrays are expected shouldn't be possible). This function is probably the wrong place to be doing this.

If you're crafting a blob to send, start with a default and overwrite it with what you get from the form instead.

[codecov]

Codecov Report

Attention: Patch coverage is 99.39024% with 1 line in your changes missing coverage. Please review.

Project coverage is 92.56%. Comparing base (3824815) to head (2300a7b).
Report is 21 commits behind head on main.

Files	Patch %	Lines
authentik/policies/geoip/models.py	98.03%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #10454      +/-   ##
==========================================
+ Coverage   92.51%   92.56%   +0.04%     
==========================================
  Files         720      727       +7     
  Lines       35254    35418     +164     
==========================================
+ Hits        32615    32784     +169     
+ Misses       2639     2634       -5     

Flag	Coverage Δ
e2e	49.58% <40.85%> (-0.05%)	⬇️
integration	25.29% <14.02%> (-0.06%)	⬇️
unit	90.07% <99.39%> (+0.06%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[kensternberg-authentik]

Overall, the Typescript is really promising! Good work. There's a bit of rough edges, and it's obviously not done, but it's getting there.

[kensternberg-authentik]

Yeah, I'm looking at this and thinking that I'm seeing a lot of mixed messages compared to the types generated from the schema. You shouldn't have to be splitting anything; the API should be giving those to you, and the TypeScript definitions in GeoIPPolicy.ts say getting strings where arrays are expected shouldn't be possible). This function is probably the wrong place to be doing this.

If you're crafting a blob to send, start with a default and overwrite it with what you get from the form instead.

[kensternberg-authentik]

?required=${true} isn't needed here (and I really need to break @BeryJu of the habit). required is all that's needed. You only need the ? syntax for boolean attributes if the attribute can be changed by client code, for example:
?hidden=${!this.open}

[BeryJu]

Yeah we should probably just rip off the bandaid and change all of those wrong attributes to the correct ones

[kensternberg-authentik]

first is a leftover from earlier iterations of TypeScript. Please use the idiom:
${this.instance?.executionLogging ?? false}

Although in this case I suspect you could just use the boolean forcing expression: ${!!this.instance?.executionLogging}

[kensternberg-authentik]

Yeah, search select is specifically for complex objects that have subtitles and complex interactions. Consider using a Switch for a boolean choice, or if the ergonomics are bad (it's sometimes hard to word), a Radio.

[kensternberg-authentik]

... and given that you've done it twice, break it out into a variable or something so you'll only have to change it once if the rules change. :-)

[kensternberg-authentik]

Since you've provided a not-undefined value for falsity, ifDefined(this.instance?.countryList || "") will always be defined. You can replace that whole expression with this.instance?.countryList ?? ""

[BeryJu]

both of these cases can also happen if ASN/GeoIP is not configured (pretty rare since we include the DB by default, but it is possible to disable)

[gergosimonyi]

(We've had a bit of an offline discussion, but no resolution to this.) I kept the behavior for now, this way we don't leak information on whether a GeoIP database is available.

Let me know if you don't agree.

[BeryJu]

Usually we don't have this as a setting directly on the policy but instead use the negate flag on the policy binding to inverse the effects. For this case I'm a bit on the fence as you can do two different things in the same policy with it

[gergosimonyi]

Oh, I didn't notice that flag! That makes everything so much simpler. I'm not on the fence about it at all 😄

Then there's no need for *_mode and this model will just have 2 fields: asn_list and country_list. Same as Event Matcher Policy for least astonishment:

If any of the configured values match, the policy passes.

[BeryJu]

This is somewhat of a downside of the generated API client, but this value here should never be undefined so this if shouldn't be required

[gergosimonyi]

Combined with the check below (which is still needed because "".split(",") is non-empty)

[BeryJu]

I don't mind adding a dependency for this, especially since we should add gettext calls to all these humanized names, and some dependency might have full translation for all the country names already

[gergosimonyi]

This is an exact copy of authentik/policies/geoip/views:11-14. Weirdly, importing it from there results in gen-build silently failing to generate this part of the schema. I'm out of my depth here, so I just duplicated these 4 lines.

[BeryJu]

That is very odd but also doesn't surprise me

[gergosimonyi]

There may or may not be a better place for this.

@BeryJu?

[BeryJu]

I'd usually prefer to do it as policies/geoip/iso3166/, but obviously that could potentially cause errors due to that path also having the primary key...as a fallback I'd go with policies/geoip_iso3166/ I guess?

[gergosimonyi]

The actual type of data slightly differs from GeoIPPolicy.

I haven't found an easy way to reconcile them (the "proper" way is probably building a component on top of <input> to run a transforming function when its value is read), so I opted for the type assertion.

[kensternberg-authentik]

You could just write:

data.asns = (data.asns?.toString() ?? "") === "" ? [] : (data.asns as unknown as string).split(",").map(Number);

... but it feels like the toString() thing is a crutch you're using, and I'm not sure why.

[gergosimonyi]

This currently hits the API for no reason every time there's a change in search. I'll add an optimization.

[BeryJu]

Yeah this is due to the assumption that the search filtering is done in the backend and not that the endpoint will return everything

[kensternberg-authentik]

You can write a provider that caches the result, and then provides the (locally reduces) results locally. Or you could look at ak-dual-select, which doesn't use the API; you could fetch the results once and then use the Web Component directly without having to go through the Element's API layer.

[BeryJu]

mostly LGTM

[BeryJu]

Yeah this is due to the assumption that the search filtering is done in the backend and not that the endpoint will return everything

[BeryJu]

Yeah we should probably just rip off the bandaid and change all of those wrong attributes to the correct ones

[BeryJu]

That is very odd but also doesn't surprise me

[BeryJu]

I'd usually prefer to do it as policies/geoip/iso3166/, but obviously that could potentially cause errors due to that path also having the primary key...as a fallback I'd go with policies/geoip_iso3166/ I guess?

[tanberry]

Yay we have a GeoIP policy! Thanks so much for updating the docs. A few nits, mostly about capitalization... I see that this whole page does not follow our Style Guide about using sentence-case capitalization for headers/titles. ("GeoIP policy" not "GeoIP Policy".)

[tanberry]

Suggested change

	authentik supports GeoIP to add additional information to login/authorization/enrollment requests. Additionally, a [GeoIP Policy](../policies/#geoip-policy) may be used to make policy decisions based on the lookup result.
	authentik supports GeoIP to add additional information to login/authorization/enrollment requests. Additionally, a [GeoIP policy](../policies/#geoip-policy) can be used to make policy decisions based on the lookup result.

[tanberry]

Is there an example where we can use both "country" and "continent"? Will most people know the parms? (I wouldn't have know that continent was an option.)

[gergosimonyi]

It's possible, e.g. countries in Eurovision famously include Australia 🙂

    return context["geoip"]["continent"] == "EU" or context["geoip"]["country"] == "AU"

but I believe this might be more confusing than just keeping it simple. The params are listed right above, so I don't think "new confusion" arises from changing this.

(I changed this just to suggest something other that what could be done with a GeoIP policy.)

[tanberry]

Suggested change

	For basic ASN matching, consider using a [GeoIP Policy](index.md#geoip-policy).
	For basic ASN matching, consider using a [GeoIP policy](index.md#geoip-policy).

[tanberry]

Suggested change

	For basic country matching, consider using a [GeoIP Policy](index.md#geoip-policy).
	For basic country matching, consider using a [GeoIP policy](index.md#geoip-policy).

[tanberry]

Suggested change

	## GeoIP Policy
	## GeoIP policy

[tanberry]

Hmmm I see that all of the other headers/titles for policies also capitalize "Policy". Our style is to use sentence style capitalization for headings... do you mind also changing all of the other headings to on this age to use a lower-case "p" on "policies"? :-)

[tanberry]

Suggested change

	Use this policy for simple GeoIP lookups, such as country or ASN matching. (For a more advanced GeoIP lookup, use an [Expression Policy](expression.mdx).)
	Use this policy for simple GeoIP lookups, such as country or ASN matching. (For a more advanced GeoIP lookup, use an [Expression policy](expression.mdx).)

[tanberry]

Thanks so much for updating the Docs!

[kensternberg-authentik]

Overall, this looks quite good. I have a few quibbles about syntax and idioms, but they're more of a "I wouldn't do it this way, but it works and it's not wrong, so let's go with it." If you want to tighten up a few of the wordier expressions, feel free, but otherwise I'm happy.

[kensternberg-authentik]

You could just write:

data.asns = (data.asns?.toString() ?? "") === "" ? [] : (data.asns as unknown as string).split(",").map(Number);

... but it feels like the toString() thing is a crutch you're using, and I'm not sure why.

[kensternberg-authentik]

You can write a provider that caches the result, and then provides the (locally reduces) results locally. Or you could look at ak-dual-select, which doesn't use the API; you could fetch the results once and then use the Web Component directly without having to go through the Element's API layer.

[rissson]

Some nitpicking, but otherwise looks quite good!