sources/scim: fix duplicate service account users and changing token (g…
…oauthentik#10735)

Signed-off-by: Jens Langhammer <[email protected]>
BeryJu authored Aug 2, 2024
1 parent 81493c6 commit 3541ec4
Showing 2 changed files with 24 additions and 24 deletions.
3 changes: 0 additions & 3 deletions authentik/sources/scim/models.py
Original file line number Diff line number Diff line change
@@ -1,7 +1,6 @@
"""SCIM Source"""

from typing import Any
from uuid import uuid4

from django.db import models
from django.templatetags.static import static
Expand All @@ -20,8 +19,6 @@ class SCIMSource(Source):

@property
def service_account_identifier(self) -> str:
if not self.pk:
self.pk = uuid4()
return f"ak-source-scim-{self.pk}"

@property
Expand Down
45 changes: 24 additions & 21 deletions authentik/sources/scim/signals.py
Original file line number Diff line number Diff line change
@@ -1,41 +1,44 @@
from django.db.models import Model
from django.db.models.signals import pre_delete, pre_save
from django.db.models.signals import post_delete, post_save
from django.dispatch import receiver

from authentik.core.models import USER_PATH_SYSTEM_PREFIX, Token, TokenIntents, User, UserTypes
from authentik.events.middleware import audit_ignore
from authentik.sources.scim.models import SCIMSource

USER_PATH_SOURCE_SCIM = USER_PATH_SYSTEM_PREFIX + "/sources/scim"


@receiver(pre_save, sender=SCIMSource)
def scim_source_pre_save(sender: type[Model], instance: SCIMSource, **_):
@receiver(post_save, sender=SCIMSource)
def scim_source_post_save(sender: type[Model], instance: SCIMSource, created: bool, **_):
"""Create service account before source is saved"""
# .service_account_identifier will auto-assign a primary key uuid to the source
# if none is set yet, just so we can get the identifier before we save
identifier = instance.service_account_identifier
user = User.objects.create(
user, _ = User.objects.update_or_create(
username=identifier,
name=f"SCIM Source {instance.name} Service-Account",
type=UserTypes.INTERNAL_SERVICE_ACCOUNT,
path=USER_PATH_SOURCE_SCIM,
defaults={
"name": f"SCIM Source {instance.name} Service-Account",
"type": UserTypes.INTERNAL_SERVICE_ACCOUNT,
"path": USER_PATH_SOURCE_SCIM,
},
)
token = Token.objects.create(
user=user,
token, token_created = Token.objects.update_or_create(
identifier=identifier,
intent=TokenIntents.INTENT_API,
expiring=False,
managed=f"goauthentik.io/sources/scim/{instance.pk}",
defaults={
"user": user,
"intent": TokenIntents.INTENT_API,
"expiring": False,
"managed": f"goauthentik.io/sources/scim/{instance.pk}",
},
)
instance.token = token
if created or token_created:
with audit_ignore():
instance.token = token
instance.save()


@receiver(pre_delete, sender=SCIMSource)
def scim_source_pre_delete(sender: type[Model], instance: SCIMSource, **_):
"""Delete SCIM Source service account before deleting source"""
Token.objects.filter(
identifier=instance.service_account_identifier, intent=TokenIntents.INTENT_API
).delete()
@receiver(post_delete, sender=SCIMSource)
def scim_source_post_delete(sender: type[Model], instance: SCIMSource, **_):
"""Delete SCIM Source service account after deleting source"""
User.objects.filter(
username=instance.service_account_identifier, type=UserTypes.INTERNAL_SERVICE_ACCOUNT
).delete()
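Review bot: The re-link guarded by `if created or token_created:` is skipped whenever both the source and its token already exist, so a source whose `token` field is null or points at a different token — the state a pre-existing installation can be in after the duplicate-account bug this commit repairs — is never corrected on a later save; comparing the foreign key is more robust: `if instance.token_id != token.pk:` (keeping the `audit_ignore()` block; the nested save still terminates because the second pass sees matching ids). This assumes `token` is a foreign key on `SCIMSource`, which the models.py hunk on this page does not show. The docstring on the renamed handler still says "Create service account before source is saved" although the receiver is now `post_save`; suggest `"""Create or update the service account and its API token after the source is saved"""`, and the two comments about `.service_account_identifier` auto-assigning a primary key describe behaviour that this same commit removes from models.py, so they should go if they survive on the new side. Both `update_or_create` calls match on the deterministic identifier alone and then overwrite `user`, `type` and `path` through `defaults`, so any pre-existing token or user with that exact name is silently re-parented into the service account; that is acceptable given the random UUID in the name, but a one-line comment stating the assumption would help the next reader.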
