
expressions: add restricted evaluator #8002

Draft
rissson wants to merge 11 commits into main from restricted-python

Conversation

@rissson rissson (Member) commented Dec 27, 2023

Very much a WIP, I've only tested it a bit, and it seems to work with our existing blueprints. It also throws errors when trying to import something. Haven't tested stuff like open.

We also probably need to come up with a list of stuff to import "by default". For now I have the following, feel free to edit this description to add more:

  • json
  • yaml
  • re

Checklist

  • Local tests pass (ak test authentik/)
  • The code has been formatted (make lint-fix)

If an API change has been made

  • The API schema has been updated (make gen-build)

If changes to the frontend have been made

  • The code has been formatted (make web)
  • The translation files have been updated (make i18n-extract)

If applicable

  • The documentation has been updated
  • The documentation has been formatted (make website)

netlify bot commented Dec 27, 2023

Deploy Preview for authentik-storybook ready!
Latest commit: efdecf9
Latest deploy log: https://app.netlify.com/sites/authentik-storybook/deploys/662fdd40c2ab1500071ed4d4
Deploy Preview: https://deploy-preview-8002--authentik-storybook.netlify.app

self._filename,
"exec",
)
self.compile(expression)
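Review bot: compile() in "exec" mode is a syntax check only, so this validation accepts an expression containing `import module` and the failure surfaces only at exec time, once `__import__` has been removed from the namespace. To reject such expressions up front, run the source through ast.parse first and refuse ast.Import / ast.ImportFrom nodes before compiling the tree.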
@rissson rissson (Member Author) commented:

It's a bit of a shame that this won't validate whether the expression will run. For instance, it won't check that import module will work, because that relies on the builtin __import__ being there, and we purposefully remove it when we call exec.
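As an added example (not authentik's code and not this PR's evaluator), the following shows both points raised above: an exec namespace built without __import__ and open, pre-seeded with json and re (yaml is left out only because it is not in the standard library), and a static AST check that rejects the import statements compile() alone accepts. It goes beyond the PR discussion by also refusing dunder attribute and name access, the usual route from a stripped namespace back to unrestricted objects. RestrictedEvaluator, ExpressionError, DEFAULT_MODULES, BLOCKED_BUILTINS and compiles are names assumed for this example.

```python
"""Added example, not authentik's code: a minimal restricted evaluator."""
import ast
import builtins
import json
import re

# Modules exposed to expressions without an import statement. The PR also
# lists yaml; it is omitted here because it is not in the standard library.
DEFAULT_MODULES = {"json": json, "re": re}

# Builtins dropped from the namespace (blocklist assumed for this example).
# __import__ and __build_class__ go via the dunder filter below; the rest
# give code execution, filesystem or interpreter access.
BLOCKED_BUILTINS = {"open", "exec", "eval", "compile", "breakpoint",
                    "input", "exit", "quit", "help"}


class ExpressionError(Exception):
    """Expression rejected before it was executed."""


def compiles(expression: str, filename: str = "<expression>") -> bool:
    """True if compile() accepts the source. This is a syntax check only:
    'import os' compiles even though it cannot run without __import__."""
    try:
        compile(expression, filename, "exec")
        return True
    except SyntaxError:
        return False


class RestrictedEvaluator:
    def __init__(self, filename: str = "<expression>"):
        self._filename = filename
        # Copy the real builtins minus the blocklist and every dunder name.
        self._safe_builtins = {
            name: value
            for name, value in vars(builtins).items()
            if name not in BLOCKED_BUILTINS and not name.startswith("__")
        }

    def validate(self, expression: str):
        """Parse and statically reject what compile() would let through:
        import statements, and dunder names/attributes such as ().__class__."""
        try:
            tree = ast.parse(expression, self._filename, "exec")
        except SyntaxError as exc:
            raise ExpressionError(f"syntax error: {exc}") from exc
        for node in ast.walk(tree):
            if isinstance(node, (ast.Import, ast.ImportFrom)):
                raise ExpressionError(f"line {node.lineno}: import is not allowed")
            if isinstance(node, ast.Attribute) and node.attr.startswith("__"):
                raise ExpressionError(f"line {node.lineno}: dunder attribute {node.attr!r}")
            if isinstance(node, ast.Name) and node.id.startswith("__"):
                raise ExpressionError(f"line {node.lineno}: dunder name {node.id!r}")
        return compile(tree, self._filename, "exec")

    def evaluate(self, expression: str, static_check: bool = True, **context):
        """Run the expression in the restricted namespace and return whatever
        it assigned to `result`. static_check=False skips validate() to show
        what happens when only the runtime namespace stands in the way."""
        if static_check:
            code = self.validate(expression)
        else:
            code = compile(expression, self._filename, "exec")
        # Fresh builtins dict per run so one expression cannot alter the next.
        namespace = {"__builtins__": dict(self._safe_builtins),
                     **DEFAULT_MODULES, **context}
        exec(code, namespace)
        return namespace.get("result")

    def rejection(self, expression: str, static_check: bool = True):
        """Name of the exception that stopped the expression, or None if it ran."""
        try:
            self.evaluate(expression, static_check=static_check)
        except Exception as exc:  # noqa: BLE001 - we want to report any failure
            return type(exc).__name__
        return None


if __name__ == "__main__":
    ev = RestrictedEvaluator()
    # Constructed sample input: a JSON payload handed in as context.
    print(ev.evaluate('result = json.loads(payload)["user"]', payload='{"user": "alice"}'))
    print("compile() accepts 'import os':", compiles("import os"))
    for bad in ("import os",
                "result = open('/etc/hostname').read()",
                "result = ().__class__.__base__.__subclasses__()"):
        for check in (True, False):
            print(f"{bad!r} static_check={check}: {ev.rejection(bad, check)}")
```

Run as a script it prints the alice lookup, then what stops each bad expression with and without the static check: `import os` is an ExpressionError statically and an ImportError ("__import__ not found") at runtime, `open` is a NameError either way. The last case is the caveat: with static_check=False, `().__class__.__base__.__subclasses__()` runs to completion, because removing builtins restricts names, not objects. The AST check closes that literal spelling but not `getattr(x, "__class__")`, which is why a stripped-builtins exec is a guardrail rather than a sandbox.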

codecov bot commented Dec 27, 2023
Codecov Report

Attention: Patch coverage is 77.04918%, with 28 lines in your changes missing coverage. Please review.

Project coverage is 52.18%. Comparing base (c5b0998) to head (efdecf9).
Report is 1 commit behind head on main.

Files Patch % Lines
authentik/lib/expression/evaluator.py 83.90% 14 Missing ⚠️
authentik/api/authentication.py 14.28% 6 Missing ⚠️
authentik/policies/expression/tests.py 0.00% 6 Missing ⚠️
authentik/lib/tests/test_evaluator.py 0.00% 2 Missing ⚠️
Additional details and impacted files
@@             Coverage Diff             @@
##             main    #8002       +/-   ##
===========================================
- Coverage   92.45%   52.18%   -40.28%     
===========================================
  Files         669      670        +1     
  Lines       32712    32813      +101     
===========================================
- Hits        30245    17124    -13121     
- Misses       2467    15689    +13222     
Flag Coverage Δ
e2e 50.74% <77.04%> (+0.09%) ⬆️
integration 26.07% <48.36%> (+0.08%) ⬆️
unit ?


netlify bot commented Dec 27, 2023

Deploy Preview for authentik ready!
Latest commit: 365809f
Latest deploy log: https://app.netlify.com/sites/authentik/deploys/658c2ea8f9d1630008c3cf03
Deploy Preview: https://deploy-preview-8002--authentik.netlify.app

@rissson rissson mentioned this pull request Dec 27, 2023 (23 tasks)
@rissson rissson (Member Author) commented Dec 28, 2023

TODO: look into making a Runtime abstraction
TODO: use python client instead of importing models

@rissson rissson (Member Author) commented Jan 3, 2024

Note to self: pre-importing django models won't prevent access to other tenants' data, as you can do Model.objects.raw() and type whatever sql you'd like.

@BeryJu BeryJu force-pushed the restricted-python branch from 365809f to d2b4a1c Compare March 13, 2024 22:20
netlify bot commented Mar 13, 2024

Deploy Preview for authentik-docs ready!
Latest commit: efdecf9
Latest deploy log: https://app.netlify.com/sites/authentik-docs/deploys/662fdd401830cb0008dd1d61
Deploy Preview: https://deploy-preview-8002--authentik-docs.netlify.app

@BeryJu BeryJu force-pushed the restricted-python branch 2 times, most recently from ed79466 to 95f1a6b Compare March 19, 2024 10:49

@BeryJu BeryJu force-pushed the restricted-python branch from 284821a to 9a31fa7 Compare March 20, 2024 17:34
@BeryJu BeryJu mentioned this pull request Apr 2, 2024 (6 tasks)
@BeryJu BeryJu force-pushed the restricted-python branch from df1815c to 2ebd1b7 Compare April 29, 2024 17:33
rissson and others added 11 commits April 29, 2024 19:36
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> (3 commits)
Signed-off-by: Jens Langhammer <jens@goauthentik.io> (8 commits)
@BeryJu BeryJu force-pushed the restricted-python branch from 2ebd1b7 to efdecf9 Compare April 29, 2024 17:47