Skip to content

enterprise/providers/google: initial account sync to google workspace#9384

Merged
BeryJu merged 51 commits intomainfrom
enterprise/providers/google
May 7, 2024
Merged

enterprise/providers/google: initial account sync to google workspace#9384
BeryJu merged 51 commits intomainfrom
enterprise/providers/google

Conversation

@BeryJu
Copy link
Member

@BeryJu BeryJu commented Apr 23, 2024
edited
Loading

Details

Sync users in authentik to google workspace using their native API

  • Implement basic sync logic
  • Implement user and group property mappings
  • Error handling
  • UI
  • Testing
  • Discovery

Somewhat unrelated things this PR includes

  • Rework the old SCIM sync client into something more abstract that can be re-used for the Google and future Entra provider
  • SkipObjectException which can be raised from property mappings to exclude objects from being synced
  • Making group name unique on the API level
  • Generalize sync stats in admin dashboard
  • Increase wizard height

Checklist

  • Local tests pass (ak test authentik/)
  • The code has been formatted (make lint-fix)

If an API change has been made

  • The API schema has been updated (make gen-build)

If changes to the frontend have been made

  • The code has been formatted (make web)

If applicable

  • The documentation has been updated
  • The documentation has been formatted (make website)

@notion-workspace
Copy link

notion-workspace bot commented Apr 23, 2024

Google Workspace Integration

@netlify
Copy link

netlify bot commented Apr 23, 2024
edited
Loading

Deploy Preview for authentik-storybook canceled.

Name Link
🔨 Latest commit 363d3ba
🔍 Latest deploy log https://app.netlify.com/sites/authentik-storybook/deploys/663a61dbc75dde0008a8b1c7

@netlify
Copy link

netlify bot commented Apr 23, 2024
edited
Loading

Deploy Preview for authentik-docs canceled.

Name Link
🔨 Latest commit 363d3ba
🔍 Latest deploy log https://app.netlify.com/sites/authentik-docs/deploys/663a61db2242c9000878423a

@codecov
Copy link

codecov bot commented Apr 23, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 88.19703% with 127 lines in your changes are missing coverage. Please review.

Project coverage is 92.44%. Comparing base (74d29e2) to head (363d3ba).
Report is 20 commits behind head on main.

Files Patch % Lines
...prise/providers/google_workspace/clients/groups.py 74.19% 32 Missing ⚠️
authentik/lib/sync/outgoing/tasks.py 85.60% 19 Missing ⚠️
...erprise/providers/google_workspace/clients/base.py 63.26% 18 Missing ⚠️
...rprise/providers/google_workspace/clients/users.py 80.00% 15 Missing ⚠️
authentik/providers/scim/clients/groups.py 71.42% 8 Missing ⚠️
authentik/lib/sync/outgoing/base.py 82.50% 7 Missing ⚠️
authentik/providers/scim/clients/users.py 70.00% 6 Missing ⚠️
authentik/lib/sync/outgoing/api.py 82.60% 4 Missing ⚠️
...ik/enterprise/providers/google_workspace/models.py 96.34% 3 Missing ⚠️
authentik/providers/scim/clients/base.py 70.00% 3 Missing ⚠️
... and 9 more
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #9384      +/-   ##
==========================================
- Coverage   92.50%   92.44%   -0.07%     
==========================================
  Files         669      688      +19     
  Lines       32899    33639     +740     
==========================================
+ Hits        30434    31096     +662     
- Misses       2465     2543      +78
Flag Coverage Δ
e2e 50.15% <35.12%> (-0.42%) ⬇️
integration 25.65% <24.85%> (-0.28%) ⬇️
unit 89.79% <88.19%> (-0.01%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@BeryJu BeryJu force-pushed the enterprise/providers/google branch 4 times, most recently from 952564d to b2386e2 Compare April 28, 2024 16:44
@BeryJu BeryJu force-pushed the enterprise/providers/google branch from 4de285b to dfc490a Compare May 5, 2024 14:28
BeryJu added 21 commits May 6, 2024 15:10
@BeryJu
providers/google: initial account sync to google workspace
62da031 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
start separating scim sync client
0b743fa 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
generalize more...ish
d1bfecd 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
set dispatch_uid
24c1fab 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
start generalizing task
7beddb4 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
fully separate tasks
50adc2a 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
fix more
ce0fcd2 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
fix signals...?
85c1143 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
start google dedupe
65b124d 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
drawing the rest of the owl
ee41396 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
more
152a7a9 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
juse use a whole lot less magic
936eb31 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
member sync, better implement conflict/retry-able exceptions
a557df7 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
max wizards taller
5697942 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
gen api, basic UI
3958734 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
fix some bugs
aadf6f7 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
fix a bunch more bugs
5985fe1 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
generalize sync status API
022a678 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
rework sync chart
c1bf6bf 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
add slugify to evaluator
f93649b 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
add test property mappings
99776f3 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
BeryJu added 5 commits May 6, 2024 15:44
@BeryJu
make group name unique in API
98ec1a1 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
fix reference to old wrapper
0291ba5 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
start adding tests
68e92b2 
man this api client is awful

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
add SkipObject
1263ef0 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
dont use weak ref
6a98bf3 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@github-actions
Copy link
Contributor

github-actions bot commented May 6, 2024
edited
Loading

authentik PR Installation instructions

Instructions for docker-compose

Add the following block to your .env file:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-ghcr.io/goauthentik/dev-server:gh-363d3bac01f7ce33d5baa5e69caac49407950bff
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

For arm64, use these values:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-ghcr.io/goauthentik/dev-server:gh-363d3bac01f7ce33d5baa5e69caac49407950bff-arm64
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

Afterwards, run the upgrade commands from the latest release notes.

Instructions for Kubernetes

Add the following block to your values.yml file:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
image:
    repository: ghcr.io/goauthentik/dev-server
    tag: gh-ghcr.io/goauthentik/dev-server:gh-363d3bac01f7ce33d5baa5e69caac49407950bff

For arm64, use these values:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
image:
    repository: ghcr.io/goauthentik/dev-server
    tag: gh-ghcr.io/goauthentik/dev-server:gh-363d3bac01f7ce33d5baa5e69caac49407950bff-arm64

Afterwards, run the upgrade commands from the latest release notes.

BeryJu added 3 commits May 6, 2024 22:09
@BeryJu
add group tests
4c56a05 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
add user and group delete options
c4fbdf5 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
set user agent
97e4015 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu BeryJu force-pushed the enterprise/providers/google branch from 473150b to 156a25c Compare May 6, 2024 21:07
@BeryJu
if the api's testing tools are awful, let's just make our own
2828320 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu BeryJu force-pushed the enterprise/providers/google branch from 156a25c to 2828320 Compare May 6, 2024 21:10
@BeryJu
add more tests and already fix some more bugs
4e787b8 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu BeryJu marked this pull request as ready for review May 7, 2024 00:27
@BeryJu BeryJu requested review from a team as code owners May 7, 2024 00:27
BeryJu added 3 commits May 7, 2024 13:07
@BeryJu
add discover
89b7f46 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
add preview banner
477d1bf 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
add group import test
2d669e4 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
rissson
rissson reviewed May 7, 2024
View reviewed changes
blueprints/system/providers-google-workspace.yaml
# and the remainder as family name
# if the user's name has no space the givenName is the entire name
if " " in request.user.name:
givenName, _, familyName = request.user.name.partition(" ")
Copy link
Member

@rissson rissson May 7, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
givenName, _, familyName = request.user.name.partition(" ")
givenName, _, familyName = request.user.name.rpartition(" ")

Maybe?

Copy link
Member Author

@BeryJu BeryJu May 7, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For now I'd keep it as-is to be consistent with the SCIM provider that also uses partition

BeryJu added 5 commits May 7, 2024 17:35
@BeryJu
only import users/groups in the correct parent group
4220127 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
fix conflicting args
d2e32fe 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
fix missing schedule
34698cb 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
fix web ui
2c6871a 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
add default_group_email_domain
363d3ba 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu BeryJu force-pushed the enterprise/providers/google branch from e11fd87 to 363d3ba Compare May 7, 2024 17:16
@BeryJu BeryJu merged commit aeb1b45 into main May 7, 2024
@BeryJu BeryJu deleted the enterprise/providers/google branch May 7, 2024 17:52
@notion-workspace
Copy link

notion-workspace bot commented May 8, 2024

Google Workspace Integration

kensternberg-authentik added a commit that referenced this pull request May 8, 2024
@kensternberg-authentik
Merge branch 'main' into dev
e1d565d 
* main:
  core, web: update translations (#9633)
  core: bump google-api-python-client from 2.127.0 to 2.128.0 (#9641)
  core: bump goauthentik.io/api/v3 from 3.2024041.3 to 3.2024042.2 (#9635)
  core: bump golang from 1.22.2-bookworm to 1.22.3-bookworm (#9636)
  web: bump the esbuild group in /web with 2 updates (#9637)
  web: bump esbuild from 0.21.0 to 0.21.1 in /web (#9639)
  core: bump django from 5.0.5 to 5.0.6 (#9640)
  web: bump API Client version (#9630)
  enterprise/providers/google: initial account sync to google workspace (#9384)
  web/flows: fix error when using consecutive webauthn validator stages (#9629)
  web: bump API Client version (#9626)
  website/docs: refine intro page for sources (#9625)
  release: 2024.4.2
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rissson rissson rissson left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@BeryJu @rissson