Skip to content

core: rework recursive group membership#6017

Merged
BeryJu merged 5 commits intomainfrom
core/rework-groups
Aug 18, 2023
Merged

core: rework recursive group membership#6017
BeryJu merged 5 commits intomainfrom
core/rework-groups

Conversation

@BeryJu
Copy link
Member

@BeryJu BeryJu commented Jun 20, 2023
edited
Loading

…l list of groups

Details

Currently we can only check group membership recursively for access control

This PR changes it to get a list all all groups (direct and indirect) a user is member of

Needs a bunch of optimisation

Needs notes in the release notes about being a "breaking" change (not really breaking but a changed behaviour of a well defined API)

closes #5338
closes https://github.com/goauthentik/meta/issues/69
closes #6477

#6016, #3622, #1278, #3284

Checklist

  • Local tests pass (ak test authentik/)
  • The code has been formatted (make lint-fix)

If an API change has been made

  • The API schema has been updated (make gen-build)

If changes to the frontend have been made

  • The code has been formatted (make web)
  • The translation files have been updated (make i18n-extract)

If applicable

  • The documentation has been updated
  • The documentation has been formatted (make website)

@BeryJu BeryJu requested a review from a team as a code owner June 20, 2023 13:39
@netlify
Copy link

netlify bot commented Jun 20, 2023
edited
Loading

Deploy Preview for authentik-storybook canceled.

Name Link
🔨 Latest commit 95e60a0
🔍 Latest deploy log https://app.netlify.com/sites/authentik-storybook/deploys/64df7a64a99d3e0008884b60

@BeryJu BeryJu self-assigned this Jun 20, 2023
@BeryJu BeryJu marked this pull request as draft June 20, 2023 13:41
@codecov
Copy link

codecov bot commented Jun 20, 2023
edited
Loading

Codecov Report

Patch coverage: 100.00% and project coverage change: +0.01% 🎉

Comparison is base (9e17b1b) 92.46% compared to head (95e60a0) 92.46%.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #6017      +/-   ##
==========================================
+ Coverage   92.46%   92.46%   +0.01%     
==========================================
  Files         561      561              
  Lines       27083    27092       +9     
==========================================
+ Hits        25039    25048       +9     
  Misses       2044     2044
Flag Coverage Δ
e2e 51.61% <40.00%> (-<0.01%) ⬇️
integration 26.57% <4.00%> (-<0.01%) ⬇️
unit 89.28% <100.00%> (+0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files Changed Coverage Δ
authentik/core/api/users.py 91.20% <100.00%> (ø)
authentik/core/models.py 92.82% <100.00%> (+0.11%) ⬆️
authentik/core/tests/test_groups.py 100.00% <100.00%> (ø)
authentik/lib/expression/evaluator.py 78.33% <100.00%> (ø)

... and 2 files with indirect coverage changes

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@github-actions
Copy link
Contributor

github-actions bot commented Jun 20, 2023
edited
Loading

authentik PR Installation instructions

Instructions for docker-compose

Add the following block to your .env file:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-core-rework-groups-1692368361-95e60a0
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

For arm64, use these values:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-core-rework-groups-1692368361-95e60a0-arm64
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

Afterwards, run the upgrade commands from the latest release notes.

Instructions for Kubernetes

Add the following block to your values.yml file:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
image:
    repository: ghcr.io/goauthentik/dev-server
    tag: gh-core-rework-groups-1692368361-95e60a0

For arm64, use these values:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
image:
    repository: ghcr.io/goauthentik/dev-server
    tag: gh-core-rework-groups-1692368361-95e60a0-arm64

Afterwards, run the upgrade commands from the latest release notes.

@BeryJu BeryJu added this to the Release 2023.7 milestone Jun 25, 2023
@BeryJu BeryJu marked this pull request as ready for review July 24, 2023 15:41
@BeryJu BeryJu force-pushed the core/rework-groups branch from 1e28c4a to 35cf681 Compare August 1, 2023 17:36
@netlify
Copy link

netlify bot commented Aug 1, 2023
edited
Loading

Deploy Preview for authentik ready!

Name Link
🔨 Latest commit 1a2ddd6
🔍 Latest deploy log https://app.netlify.com/sites/authentik/deploys/64df58d6b2f1c80007e3d98b
😎 Deploy Preview https://deploy-preview-6017--authentik.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

@BeryJu BeryJu mentioned this pull request Aug 5, 2023
Closed
BeryJu added 4 commits August 18, 2023 13:40
@BeryJu
rework checking group membership and add user.all_groups to get ful…
1e0dd78 
…l list of groups

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
refactor some more for better performance
590dc5e 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
migrate things to use all_groups
f874588 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
update release notes
1a2ddd6 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu BeryJu force-pushed the core/rework-groups branch from 67cf590 to 1a2ddd6 Compare August 18, 2023 11:41
@BeryJu
fix for django 4.2
95e60a0 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu BeryJu merged commit 8bba3c0 into main Aug 18, 2023
@BeryJu BeryJu deleted the core/rework-groups branch August 18, 2023 15:31
@BeryJu BeryJu mentioned this pull request Aug 20, 2023
Merged
7 tasks
kensternberg-authentik added a commit that referenced this pull request Aug 21, 2023
@kensternberg-authentik
Merge branch 'main' into application-wizard-2
570516c 
* main: (70 commits)
  core: hotfix group membership check (#6584)
  web: bump core-js from 3.32.0 to 3.32.1 in /web (#6581)
  web: bump tslib from 2.6.1 to 2.6.2 in /web (#6583)
  web: bump the storybook group in /web with 5 updates (#6580)
  web/flows: update flow background (#6579)
  translate: Updates for file web/xliff/en.xlf in zh_CN on branch main (#6575)
  core: rework recursive group membership (#6017)
  core: bump goauthentik.io/api/v3 from 3.2023061.11 to 3.2023061.12 (#6572)
  core: bump ruff from 0.0.284 to 0.0.285 (#6570)
  ci: bump actions/setup-node from 3.8.0 to 3.8.1
  blueprints: fix blueprint importer logging potentially sensitive data (#6567)
  web: bump API Client version (#6568)
  stages/authenticator_static: make static token size adjustable (#6565)
  root: always use persistent database connections (#6560)
  website/blog: identity fun (#6564)
  web: bump the storybook group in /web with 1 update (#6561)
  web: bump @rollup/plugin-node-resolve from 15.1.0 to 15.2.0 in /web (#6562)
  web: bump @lit-labs/task from 3.0.0 to 3.0.1 in /web (#6544)
  web: bump prettier from 3.0.1 to 3.0.2 in /web (#6549)
  web: bump the storybook group in /web with 5 updates (#6559)
  ...
pklaschka added a commit to pklaschka/authentik that referenced this pull request Nov 24, 2024
@pklaschka
website/docs: Fix documentation about attribute merging for indirect …
5f28c55 
…membership

While for role memberships, it is true that they are only applied for _direct_ memberships, this does not appear to be the case for attributes (which is good as this also follows the "Hierarchy" system documented in the same file).

In terms of the implementation, this is the case due to the call to `all_groups()` in https://github.com/goauthentik/authentik/blob/3d5a189fa732ef462dbbd73b88c128ebaf1833f9/authentik/core/models.py#L312-L313, introduced in goauthentik#6017. Looking through the files in there, it is clear that this line in the documentation is from before that point: https://github.com/goauthentik/authentik/blob/95e60a035df11d6f89db18cba3ae978d13d212b8/website/docs/user-group/group.md?plain=1#L15.

tl;dr: the documentation was correct before goauthentik#6017, but is now out of date. This change fixes that.

Signed-off-by: Zuri Klaschka <pklaschka@users.noreply.github.com>
@pklaschka pklaschka mentioned this pull request Nov 24, 2024
Merged
6 tasks
tanberry pushed a commit that referenced this pull request Nov 26, 2024
@pklaschka
website/docs: Fix documentation about attribute merging for indirect …
709e413 
…membership (#12168)

While for role memberships, it is true that they are only applied for _direct_ memberships, this does not appear to be the case for attributes (which is good as this also follows the "Hierarchy" system documented in the same file).

In terms of the implementation, this is the case due to the call to `all_groups()` in https://github.com/goauthentik/authentik/blob/3d5a189fa732ef462dbbd73b88c128ebaf1833f9/authentik/core/models.py#L312-L313, introduced in #6017. Looking through the files in there, it is clear that this line in the documentation is from before that point: https://github.com/goauthentik/authentik/blob/95e60a035df11d6f89db18cba3ae978d13d212b8/website/docs/user-group/group.md?plain=1#L15.

tl;dr: the documentation was correct before #6017, but is now out of date. This change fixes that.

Signed-off-by: Zuri Klaschka <pklaschka@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@BeryJu BeryJu

Labels

None yet

Projects

None yet

Milestone

Release 2023.7

Development

Successfully merging this pull request may close these issues.

Proxy header X-Authentik-Groups does not include parent groups Problems with groups and group hierarchies.

1 participant

@BeryJu