[#1377] added Authentik OAuth2 provider

Co-authored-by: Marc Singer <ms@pr0.tech>
Gani Georgiev
2023-01-16 11:47:08 +02:00
parent fd97732d4d
commit 6d08a5f36f
41 changed files with 261 additions and 116 deletions
+7
@@ -47,6 +47,7 @@ type Settings struct {
StravaAuth AuthProviderConfig `form:"stravaAuth" json:"stravaAuth"`
GiteeAuth AuthProviderConfig `form:"giteeAuth" json:"giteeAuth"`
LivechatAuth AuthProviderConfig `form:"livechatAuth" json:"livechatAuth"`
AuthentikAuth AuthProviderConfig `form:"authentikAuth" json:"authentikAuth"`
}
// New creates and returns a new default Settings instance.
@@ -136,6 +137,9 @@ func New() *Settings {
LivechatAuth: AuthProviderConfig{
Enabled: false,
},
AuthentikAuth: AuthProviderConfig{
Enabled: false,
},
}
}
@@ -168,6 +172,7 @@ func (s *Settings) Validate() error {
validation.Field(&s.StravaAuth),
validation.Field(&s.GiteeAuth),
validation.Field(&s.LivechatAuth),
validation.Field(&s.AuthentikAuth),
)
}
@@ -225,6 +230,7 @@ func (s *Settings) RedactClone() (*Settings, error) {
&clone.StravaAuth.ClientSecret,
&clone.GiteeAuth.ClientSecret,
&clone.LivechatAuth.ClientSecret,
&clone.AuthentikAuth.ClientSecret,
}
// mask all sensitive fields
@@ -257,6 +263,7 @@ func (s *Settings) NamedAuthProviderConfigs() map[string]AuthProviderConfig {
auth.NameStrava: s.StravaAuth,
auth.NameGitee: s.GiteeAuth,
auth.NameLivechat: s.LivechatAuth,
auth.NameAuthentik: s.AuthentikAuth,
}
}
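Review bot: The secret list in RedactClone is a hand-maintained slice of pointers, so the new `&clone.AuthentikAuth.ClientSecret` entry is the only thing that masks the Authentik client secret in the redacted clone, and nothing visible here ties that list to the fields declared on Settings. This commit does update all five places (struct field, New, Validate, RedactClone, NamedAuthProviderConfigs), but a later provider that misses the RedactClone entry would still compile and would serialize its secret unmasked. I would add a comment above the provider fields, e.g. `// NOTE: each AuthProviderConfig field must also be added to New(), Validate(), RedactClone() and NamedAuthProviderConfigs().`, and consider a reflection-based test that walks every AuthProviderConfig field of Settings and checks that its ClientSecret comes back masked. The function bodies involved start or end outside the hunks shown.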
+9 -1
@@ -54,6 +54,8 @@ func TestSettingsValidate(t *testing.T) {
s.GiteeAuth.ClientId = ""
s.LivechatAuth.Enabled = true
s.LivechatAuth.ClientId = ""
s.AuthentikAuth.Enabled = true
s.AuthentikAuth.ClientId = ""
// check if Validate() is triggering the members validate methods.
err := s.Validate()
@@ -85,6 +87,7 @@ func TestSettingsValidate(t *testing.T) {
`"stravaAuth":{`,
`"giteeAuth":{`,
`"livechatAuth":{`,
`"authentikAuth":{`,
}
errBytes, _ := json.Marshal(err)
@@ -139,6 +142,8 @@ func TestSettingsMerge(t *testing.T) {
s2.GiteeAuth.ClientId = "gitee_test"
s2.LivechatAuth.Enabled = true
s2.LivechatAuth.ClientId = "livechat_test"
s2.AuthentikAuth.Enabled = true
s2.AuthentikAuth.ClientId = "authentik_test"
if err := s1.Merge(s2); err != nil {
t.Fatal(err)
@@ -213,6 +218,7 @@ func TestSettingsRedactClone(t *testing.T) {
s1.StravaAuth.ClientSecret = "test123"
s1.GiteeAuth.ClientSecret = "test123"
s1.LivechatAuth.ClientSecret = "test123"
s1.AuthentikAuth.ClientSecret = "test123"
s2, err := s1.RedactClone()
if err != nil {
@@ -224,7 +230,7 @@ func TestSettingsRedactClone(t *testing.T) {
t.Fatal(err)
}
expected := `{"meta":{"appName":"test123","appUrl":"http://localhost:8090","hideControls":false,"senderName":"Support","senderAddress":"support@example.com","verificationTemplate":{"body":"\u003cp\u003eHello,\u003c/p\u003e\n\u003cp\u003eThank you for joining us at {APP_NAME}.\u003c/p\u003e\n\u003cp\u003eClick on the button below to verify your email address.\u003c/p\u003e\n\u003cp\u003e\n \u003ca class=\"btn\" href=\"{ACTION_URL}\" target=\"_blank\" rel=\"noopener\"\u003eVerify\u003c/a\u003e\n\u003c/p\u003e\n\u003cp\u003e\n Thanks,\u003cbr/\u003e\n {APP_NAME} team\n\u003c/p\u003e","subject":"Verify your {APP_NAME} email","actionUrl":"{APP_URL}/_/#/auth/confirm-verification/{TOKEN}"},"resetPasswordTemplate":{"body":"\u003cp\u003eHello,\u003c/p\u003e\n\u003cp\u003eClick on the button below to reset your password.\u003c/p\u003e\n\u003cp\u003e\n \u003ca class=\"btn\" href=\"{ACTION_URL}\" target=\"_blank\" rel=\"noopener\"\u003eReset password\u003c/a\u003e\n\u003c/p\u003e\n\u003cp\u003e\u003ci\u003eIf you didn't ask to reset your password, you can ignore this email.\u003c/i\u003e\u003c/p\u003e\n\u003cp\u003e\n Thanks,\u003cbr/\u003e\n {APP_NAME} team\n\u003c/p\u003e","subject":"Reset your {APP_NAME} password","actionUrl":"{APP_URL}/_/#/auth/confirm-password-reset/{TOKEN}"},"confirmEmailChangeTemplate":{"body":"\u003cp\u003eHello,\u003c/p\u003e\n\u003cp\u003eClick on the button below to confirm your new email address.\u003c/p\u003e\n\u003cp\u003e\n \u003ca class=\"btn\" href=\"{ACTION_URL}\" target=\"_blank\" rel=\"noopener\"\u003eConfirm new email\u003c/a\u003e\n\u003c/p\u003e\n\u003cp\u003e\u003ci\u003eIf you didn't ask to change your email address, you can ignore this email.\u003c/i\u003e\u003c/p\u003e\n\u003cp\u003e\n Thanks,\u003cbr/\u003e\n {APP_NAME} team\n\u003c/p\u003e","subject":"Confirm your {APP_NAME} new email 
address","actionUrl":"{APP_URL}/_/#/auth/confirm-email-change/{TOKEN}"}},"logs":{"maxDays":5},"smtp":{"enabled":false,"host":"smtp.example.com","port":587,"username":"","password":"******","authMethod":"","tls":true},"s3":{"enabled":false,"bucket":"","region":"","endpoint":"","accessKey":"","secret":"******","forcePathStyle":false},"adminAuthToken":{"secret":"******","duration":1209600},"adminPasswordResetToken":{"secret":"******","duration":1800},"recordAuthToken":{"secret":"******","duration":1209600},"recordPasswordResetToken":{"secret":"******","duration":1800},"recordEmailChangeToken":{"secret":"******","duration":1800},"recordVerificationToken":{"secret":"******","duration":604800},"emailAuth":{"enabled":false,"exceptDomains":null,"onlyDomains":null,"minPasswordLength":0},"googleAuth":{"enabled":false,"clientSecret":"******"},"facebookAuth":{"enabled":false,"clientSecret":"******"},"githubAuth":{"enabled":false,"clientSecret":"******"},"gitlabAuth":{"enabled":false,"clientSecret":"******"},"discordAuth":{"enabled":false,"clientSecret":"******"},"twitterAuth":{"enabled":false,"clientSecret":"******"},"microsoftAuth":{"enabled":false,"clientSecret":"******"},"spotifyAuth":{"enabled":false,"clientSecret":"******"},"kakaoAuth":{"enabled":false,"clientSecret":"******"},"twitchAuth":{"enabled":false,"clientSecret":"******"},"stravaAuth":{"enabled":false,"clientSecret":"******"},"giteeAuth":{"enabled":false,"clientSecret":"******"},"livechatAuth":{"enabled":false,"clientSecret":"******"}}`
expected := `{"meta":{"appName":"test123","appUrl":"http://localhost:8090","hideControls":false,"senderName":"Support","senderAddress":"support@example.com","verificationTemplate":{"body":"\u003cp\u003eHello,\u003c/p\u003e\n\u003cp\u003eThank you for joining us at {APP_NAME}.\u003c/p\u003e\n\u003cp\u003eClick on the button below to verify your email address.\u003c/p\u003e\n\u003cp\u003e\n \u003ca class=\"btn\" href=\"{ACTION_URL}\" target=\"_blank\" rel=\"noopener\"\u003eVerify\u003c/a\u003e\n\u003c/p\u003e\n\u003cp\u003e\n Thanks,\u003cbr/\u003e\n {APP_NAME} team\n\u003c/p\u003e","subject":"Verify your {APP_NAME} email","actionUrl":"{APP_URL}/_/#/auth/confirm-verification/{TOKEN}"},"resetPasswordTemplate":{"body":"\u003cp\u003eHello,\u003c/p\u003e\n\u003cp\u003eClick on the button below to reset your password.\u003c/p\u003e\n\u003cp\u003e\n \u003ca class=\"btn\" href=\"{ACTION_URL}\" target=\"_blank\" rel=\"noopener\"\u003eReset password\u003c/a\u003e\n\u003c/p\u003e\n\u003cp\u003e\u003ci\u003eIf you didn't ask to reset your password, you can ignore this email.\u003c/i\u003e\u003c/p\u003e\n\u003cp\u003e\n Thanks,\u003cbr/\u003e\n {APP_NAME} team\n\u003c/p\u003e","subject":"Reset your {APP_NAME} password","actionUrl":"{APP_URL}/_/#/auth/confirm-password-reset/{TOKEN}"},"confirmEmailChangeTemplate":{"body":"\u003cp\u003eHello,\u003c/p\u003e\n\u003cp\u003eClick on the button below to confirm your new email address.\u003c/p\u003e\n\u003cp\u003e\n \u003ca class=\"btn\" href=\"{ACTION_URL}\" target=\"_blank\" rel=\"noopener\"\u003eConfirm new email\u003c/a\u003e\n\u003c/p\u003e\n\u003cp\u003e\u003ci\u003eIf you didn't ask to change your email address, you can ignore this email.\u003c/i\u003e\u003c/p\u003e\n\u003cp\u003e\n Thanks,\u003cbr/\u003e\n {APP_NAME} team\n\u003c/p\u003e","subject":"Confirm your {APP_NAME} new email 
address","actionUrl":"{APP_URL}/_/#/auth/confirm-email-change/{TOKEN}"}},"logs":{"maxDays":5},"smtp":{"enabled":false,"host":"smtp.example.com","port":587,"username":"","password":"******","authMethod":"","tls":true},"s3":{"enabled":false,"bucket":"","region":"","endpoint":"","accessKey":"","secret":"******","forcePathStyle":false},"adminAuthToken":{"secret":"******","duration":1209600},"adminPasswordResetToken":{"secret":"******","duration":1800},"recordAuthToken":{"secret":"******","duration":1209600},"recordPasswordResetToken":{"secret":"******","duration":1800},"recordEmailChangeToken":{"secret":"******","duration":1800},"recordVerificationToken":{"secret":"******","duration":604800},"emailAuth":{"enabled":false,"exceptDomains":null,"onlyDomains":null,"minPasswordLength":0},"googleAuth":{"enabled":false,"clientSecret":"******"},"facebookAuth":{"enabled":false,"clientSecret":"******"},"githubAuth":{"enabled":false,"clientSecret":"******"},"gitlabAuth":{"enabled":false,"clientSecret":"******"},"discordAuth":{"enabled":false,"clientSecret":"******"},"twitterAuth":{"enabled":false,"clientSecret":"******"},"microsoftAuth":{"enabled":false,"clientSecret":"******"},"spotifyAuth":{"enabled":false,"clientSecret":"******"},"kakaoAuth":{"enabled":false,"clientSecret":"******"},"twitchAuth":{"enabled":false,"clientSecret":"******"},"stravaAuth":{"enabled":false,"clientSecret":"******"},"giteeAuth":{"enabled":false,"clientSecret":"******"},"livechatAuth":{"enabled":false,"clientSecret":"******"},"authentikAuth":{"enabled":false,"clientSecret":"******"}}`
if encodedStr := string(encoded); encodedStr != expected {
t.Fatalf("Expected\n%v\ngot\n%v", expected, encodedStr)
@@ -248,6 +254,7 @@ func TestNamedAuthProviderConfigs(t *testing.T) {
s.StravaAuth.ClientId = "strava_test"
s.GiteeAuth.ClientId = "gitee_test"
s.LivechatAuth.ClientId = "livechat_test"
s.AuthentikAuth.ClientId = "authentik_test"
result := s.NamedAuthProviderConfigs()
@@ -271,6 +278,7 @@ func TestNamedAuthProviderConfigs(t *testing.T) {
`"strava":{"enabled":false,"clientId":"strava_test"}`,
`"gitee":{"enabled":false,"clientId":"gitee_test"}`,
`"livechat":{"enabled":false,"clientId":"livechat_test"}`,
`"authentik":{"enabled":false,"clientId":"authentik_test"}`,
}
for _, p := range expectedParts {
if !strings.Contains(encodedStr, p) {
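Review bot: The TestSettingsRedactClone expectation is one literal holding the whole serialized settings, so adding `"authentikAuth":{"enabled":false,"clientSecret":"******"}` means rewriting a multi-kilobyte line, and the comparison does not show which field the test is protecting. A per-provider substring assertion, as TestNamedAuthProviderConfigs already does with `expectedParts`, would make the redaction intent reviewable. The secret fixture `"test123"` is also the `appName` value in the expected JSON, so the test cannot assert that the raw secret is absent from the output. Using a distinct sentinel for the ClientSecret fields and failing when `strings.Contains(encodedStr, sentinel)` is true would catch an unmasked secret directly. The test functions start and end outside the hunks shown.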