providers/sync: improve v3 (goauthentik#9966)

* make external id field externally visible Signed-off-by: Jens Langhammer <[email protected]> * catch up scim provider Signed-off-by: Jens Langhammer <[email protected]> * add missing views to scim provider Signed-off-by: Jens Langhammer <[email protected]> * make neither user nor group required for mapping testing Signed-off-by: Jens Langhammer <[email protected]> * improve SkipObject handling Signed-off-by: Jens Langhammer <[email protected]> * allow deletion of connection objects Signed-off-by: Jens Langhammer <[email protected]> * make entra logs less noisy Signed-off-by: Jens Langhammer <[email protected]> * make event_matcher less noisy Signed-off-by: Jens Langhammer <[email protected]> --------- Signed-off-by: Jens Langhammer <[email protected]>
yonasBSD · Jun 6, 2024 · 88e9c9b · 88e9c9b
1 parent 0c652a2
commit 88e9c9b
Show file tree

Hide file tree

Showing 28 changed files with 963 additions and 51 deletions.
diff --git a/authentik/blueprints/v1/importer.py b/authentik/blueprints/v1/importer.py
@@ -58,7 +58,7 @@
 from authentik.policies.models import Policy, PolicyBindingModel
 from authentik.policies.reputation.models import Reputation
 from authentik.providers.oauth2.models import AccessToken, AuthorizationCode, RefreshToken
-from authentik.providers.scim.models import SCIMGroup, SCIMUser
+from authentik.providers.scim.models import SCIMProviderGroup, SCIMProviderUser
 from authentik.sources.scim.models import SCIMSourceGroup, SCIMSourceUser
 from authentik.stages.authenticator_webauthn.models import WebAuthnDeviceType
 from authentik.tenants.models import Tenant
@@ -97,8 +97,8 @@ def excluded_models() -> list[type[Model]]:
         # FIXME: these shouldn't need to be explicitly listed, but rather based off of a mixin
         FlowToken,
         LicenseUsage,
-        SCIMGroup,
-        SCIMUser,
+        SCIMProviderGroup,
+        SCIMProviderUser,
         Tenant,
         SystemTask,
         ConnectionToken,

diff --git a/authentik/core/api/property_mappings.py b/authentik/core/api/property_mappings.py
@@ -80,8 +80,10 @@ class PropertyMappingViewSet(
     class PropertyMappingTestSerializer(PolicyTestSerializer):
         """Test property mapping execution for a user/group with context"""
 
-        user = PrimaryKeyRelatedField(queryset=User.objects.all(), required=False)
-        group = PrimaryKeyRelatedField(queryset=Group.objects.all(), required=False)
+        user = PrimaryKeyRelatedField(queryset=User.objects.all(), required=False, allow_null=True)
+        group = PrimaryKeyRelatedField(
+            queryset=Group.objects.all(), required=False, allow_null=True
+        )
 
     queryset = PropertyMapping.objects.select_subclasses()
     serializer_class = PropertyMappingSerializer

diff --git a/authentik/enterprise/providers/google_workspace/api/groups.py b/authentik/enterprise/providers/google_workspace/api/groups.py
@@ -19,6 +19,7 @@ class Meta:
         model = GoogleWorkspaceProviderGroup
         fields = [
             "id",
+            "google_id",
             "group",
             "group_obj",
             "provider",

diff --git a/authentik/enterprise/providers/google_workspace/api/users.py b/authentik/enterprise/providers/google_workspace/api/users.py
@@ -19,6 +19,7 @@ class Meta:
         model = GoogleWorkspaceProviderUser
         fields = [
             "id",
+            "google_id",
             "user",
             "user_obj",
             "provider",

diff --git a/authentik/enterprise/providers/microsoft_entra/api/groups.py b/authentik/enterprise/providers/microsoft_entra/api/groups.py
@@ -19,6 +19,7 @@ class Meta:
         model = MicrosoftEntraProviderGroup
         fields = [
             "id",
+            "microsoft_id",
             "group",
             "group_obj",
             "provider",

diff --git a/authentik/enterprise/providers/microsoft_entra/api/users.py b/authentik/enterprise/providers/microsoft_entra/api/users.py
@@ -19,6 +19,7 @@ class Meta:
         model = MicrosoftEntraProviderUser
         fields = [
             "id",
+            "microsoft_id",
             "user",
             "user_obj",
             "provider",

diff --git a/authentik/lib/logging.py b/authentik/lib/logging.py
@@ -102,6 +102,8 @@ def get_logger_config():
         "gunicorn": "INFO",
         "requests_mock": "WARNING",
         "hpack": "WARNING",
+        "httpx": "WARNING",
+        "azure": "WARNING",
     }
     for handler_name, level in handler_level_map.items():
         base_config["loggers"][handler_name] = {

diff --git a/authentik/lib/sync/mapper.py b/authentik/lib/sync/mapper.py
@@ -57,6 +57,8 @@ def iter_eval(
             mapping.set_context(user, request, **kwargs)
             try:
                 value = mapping.evaluate(mapping.model.expression)
+            except PropertyMappingExpressionException as exc:
+                raise exc from exc
             except Exception as exc:
                 raise PropertyMappingExpressionException(exc, mapping.model) from exc
             if value is None:

diff --git a/authentik/lib/sync/outgoing/base.py b/authentik/lib/sync/outgoing/base.py
@@ -91,10 +91,9 @@ def to_schema(self, obj: TModel, connection: TConnection | None, **defaults) ->
             }
             eval_kwargs.setdefault("user", None)
             for value in self.mapper.iter_eval(**eval_kwargs):
-                try:
-                    always_merger.merge(raw_final_object, value)
-                except SkipObjectException as exc:
-                    raise exc from exc
+                always_merger.merge(raw_final_object, value)
+        except SkipObjectException as exc:
+            raise exc from exc
         except PropertyMappingExpressionException as exc:
             # Value error can be raised when assigning invalid data to an attribute
             Event.new(
@@ -104,7 +103,7 @@ def to_schema(self, obj: TModel, connection: TConnection | None, **defaults) ->
             ).save()
             raise StopSync(exc, obj, exc.mapping) from exc
         if not raw_final_object:
-            raise StopSync(ValueError("No user mappings configured"), obj)
+            raise StopSync(ValueError("No mappings configured"), obj)
         for key, value in defaults.items():
             raw_final_object.setdefault(key, value)
         return raw_final_object

diff --git a/authentik/lib/sync/outgoing/tasks.py b/authentik/lib/sync/outgoing/tasks.py
@@ -125,6 +125,7 @@ def sync_objects(self, object_type: str, page: int, provider_pk: int):
             try:
                 client.write(obj)
             except SkipObjectException:
+                self.logger.debug("skipping object due to SkipObject", obj=obj)
                 continue
             except BadRequestSyncException as exc:
                 self.logger.warning("failed to sync object", exc=exc, obj=obj)

diff --git a/authentik/policies/event_matcher/models.py b/authentik/policies/event_matcher/models.py
@@ -102,7 +102,7 @@ def passes(self, request: PolicyRequest) -> PolicyResult:
             result = checker(request, event)
             if result is None:
                 continue
-            LOGGER.info(
+            LOGGER.debug(
                 "Event matcher check result",
                 checker=checker.__name__,
                 result=result,

diff --git a/authentik/providers/scim/api/groups.py b/authentik/providers/scim/api/groups.py
@@ -0,0 +1,43 @@
+"""SCIMProviderGroup API Views"""
+
+from rest_framework import mixins
+from rest_framework.serializers import ModelSerializer
+from rest_framework.viewsets import GenericViewSet
+
+from authentik.core.api.used_by import UsedByMixin
+from authentik.core.api.users import UserGroupSerializer
+from authentik.providers.scim.models import SCIMProviderGroup
+
+
+class SCIMProviderGroupSerializer(ModelSerializer):
+    """SCIMProviderGroup Serializer"""
+
+    group_obj = UserGroupSerializer(source="group", read_only=True)
+
+    class Meta:
+
+        model = SCIMProviderGroup
+        fields = [
+            "id",
+            "scim_id",
+            "group",
+            "group_obj",
+            "provider",
+        ]
+
+
+class SCIMProviderGroupViewSet(
+    mixins.CreateModelMixin,
+    mixins.RetrieveModelMixin,
+    mixins.DestroyModelMixin,
+    UsedByMixin,
+    mixins.ListModelMixin,
+    GenericViewSet,
+):
+    """SCIMProviderGroup Viewset"""
+
+    queryset = SCIMProviderGroup.objects.all().select_related("group")
+    serializer_class = SCIMProviderGroupSerializer
+    filterset_fields = ["provider__id", "group__name", "group__group_uuid"]
+    search_fields = ["provider__name", "group__name"]
+    ordering = ["group__name"]
diff --git a/authentik/providers/scim/api/users.py b/authentik/providers/scim/api/users.py
@@ -0,0 +1,43 @@
+"""SCIMProviderUser API Views"""
+
+from rest_framework import mixins
+from rest_framework.serializers import ModelSerializer
+from rest_framework.viewsets import GenericViewSet
+
+from authentik.core.api.groups import GroupMemberSerializer
+from authentik.core.api.used_by import UsedByMixin
+from authentik.providers.scim.models import SCIMProviderUser
+
+
+class SCIMProviderUserSerializer(ModelSerializer):
+    """SCIMProviderUser Serializer"""
+
+    user_obj = GroupMemberSerializer(source="user", read_only=True)
+
+    class Meta:
+
+        model = SCIMProviderUser
+        fields = [
+            "id",
+            "scim_id",
+            "user",
+            "user_obj",
+            "provider",
+        ]
+
+
+class SCIMProviderUserViewSet(
+    mixins.CreateModelMixin,
+    mixins.RetrieveModelMixin,
+    mixins.DestroyModelMixin,
+    UsedByMixin,
+    mixins.ListModelMixin,
+    GenericViewSet,
+):
+    """SCIMProviderUser Viewset"""
+
+    queryset = SCIMProviderUser.objects.all().select_related("user")
+    serializer_class = SCIMProviderUserSerializer
+    filterset_fields = ["provider__id", "user__username", "user__id"]
+    search_fields = ["provider__name", "user__username"]
+    ordering = ["user__username"]
diff --git a/authentik/providers/scim/clients/groups.py b/authentik/providers/scim/clients/groups.py
@@ -19,13 +19,18 @@
 )
 from authentik.providers.scim.clients.schema import SCIM_GROUP_SCHEMA, PatchRequest
 from authentik.providers.scim.clients.schema import Group as SCIMGroupSchema
-from authentik.providers.scim.models import SCIMGroup, SCIMMapping, SCIMProvider, SCIMUser
+from authentik.providers.scim.models import (
+    SCIMMapping,
+    SCIMProvider,
+    SCIMProviderGroup,
+    SCIMProviderUser,
+)
 
 
-class SCIMGroupClient(SCIMClient[Group, SCIMGroup, SCIMGroupSchema]):
+class SCIMGroupClient(SCIMClient[Group, SCIMProviderGroup, SCIMGroupSchema]):
     """SCIM client for groups"""
 
-    connection_type = SCIMGroup
+    connection_type = SCIMProviderGroup
     connection_type_query = "group"
     mapper: PropertyMappingManager
 
@@ -37,7 +42,7 @@ def __init__(self, provider: SCIMProvider):
             ["group", "provider", "connection"],
         )
 
-    def to_schema(self, obj: Group, connection: SCIMGroup) -> SCIMGroupSchema:
+    def to_schema(self, obj: Group, connection: SCIMProviderGroup) -> SCIMGroupSchema:
         """Convert authentik user into SCIM"""
         raw_scim_group = super().to_schema(
             obj,
@@ -52,7 +57,7 @@ def to_schema(self, obj: Group, connection: SCIMGroup) -> SCIMGroupSchema:
             scim_group.externalId = str(obj.pk)
 
         users = list(obj.users.order_by("id").values_list("id", flat=True))
-        connections = SCIMUser.objects.filter(provider=self.provider, user__pk__in=users)
+        connections = SCIMProviderUser.objects.filter(provider=self.provider, user__pk__in=users)
         members = []
         for user in connections:
             members.append(
@@ -66,7 +71,7 @@ def to_schema(self, obj: Group, connection: SCIMGroup) -> SCIMGroupSchema:
 
     def delete(self, obj: Group):
         """Delete group"""
-        scim_group = SCIMGroup.objects.filter(provider=self.provider, group=obj).first()
+        scim_group = SCIMProviderGroup.objects.filter(provider=self.provider, group=obj).first()
         if not scim_group:
             self.logger.debug("Group does not exist in SCIM, skipping")
             return None
@@ -88,9 +93,11 @@ def create(self, group: Group):
         scim_id = response.get("id")
         if not scim_id or scim_id == "":
             raise StopSync("SCIM Response with missing or invalid `id`")
-        return SCIMGroup.objects.create(provider=self.provider, group=group, scim_id=scim_id)
+        return SCIMProviderGroup.objects.create(
+            provider=self.provider, group=group, scim_id=scim_id
+        )
 
-    def update(self, group: Group, connection: SCIMGroup):
+    def update(self, group: Group, connection: SCIMProviderGroup):
         """Update existing group"""
         scim_group = self.to_schema(group, connection)
         scim_group.id = connection.scim_id
@@ -158,16 +165,16 @@ def _patch_add_users(self, group: Group, users_set: set[int]):
         """Add users in users_set to group"""
         if len(users_set) < 1:
             return
-        scim_group = SCIMGroup.objects.filter(provider=self.provider, group=group).first()
+        scim_group = SCIMProviderGroup.objects.filter(provider=self.provider, group=group).first()
         if not scim_group:
             self.logger.warning(
                 "could not sync group membership, group does not exist", group=group
             )
             return
         user_ids = list(
-            SCIMUser.objects.filter(user__pk__in=users_set, provider=self.provider).values_list(
-                "scim_id", flat=True
-            )
+            SCIMProviderUser.objects.filter(
+                user__pk__in=users_set, provider=self.provider
+            ).values_list("scim_id", flat=True)
         )
         if len(user_ids) < 1:
             return
@@ -184,16 +191,16 @@ def _patch_remove_users(self, group: Group, users_set: set[int]):
         """Remove users in users_set from group"""
         if len(users_set) < 1:
             return
-        scim_group = SCIMGroup.objects.filter(provider=self.provider, group=group).first()
+        scim_group = SCIMProviderGroup.objects.filter(provider=self.provider, group=group).first()
         if not scim_group:
             self.logger.warning(
                 "could not sync group membership, group does not exist", group=group
             )
             return
         user_ids = list(
-            SCIMUser.objects.filter(user__pk__in=users_set, provider=self.provider).values_list(
-                "scim_id", flat=True
-            )
+            SCIMProviderUser.objects.filter(
+                user__pk__in=users_set, provider=self.provider
+            ).values_list("scim_id", flat=True)
         )
         if len(user_ids) < 1:
             return

diff --git a/authentik/providers/scim/clients/users.py b/authentik/providers/scim/clients/users.py
@@ -9,13 +9,13 @@
 from authentik.providers.scim.clients.base import SCIMClient
 from authentik.providers.scim.clients.schema import SCIM_USER_SCHEMA
 from authentik.providers.scim.clients.schema import User as SCIMUserSchema
-from authentik.providers.scim.models import SCIMMapping, SCIMProvider, SCIMUser
+from authentik.providers.scim.models import SCIMMapping, SCIMProvider, SCIMProviderUser
 
 
-class SCIMUserClient(SCIMClient[User, SCIMUser, SCIMUserSchema]):
+class SCIMUserClient(SCIMClient[User, SCIMProviderUser, SCIMUserSchema]):
     """SCIM client for users"""
 
-    connection_type = SCIMUser
+    connection_type = SCIMProviderUser
     connection_type_query = "user"
     mapper: PropertyMappingManager
 
@@ -27,7 +27,7 @@ def __init__(self, provider: SCIMProvider):
             ["provider", "connection"],
         )
 
-    def to_schema(self, obj: User, connection: SCIMUser) -> SCIMUserSchema:
+    def to_schema(self, obj: User, connection: SCIMProviderUser) -> SCIMUserSchema:
         """Convert authentik user into SCIM"""
         raw_scim_user = super().to_schema(
             obj,
@@ -44,7 +44,7 @@ def to_schema(self, obj: User, connection: SCIMUser) -> SCIMUserSchema:
 
     def delete(self, obj: User):
         """Delete user"""
-        scim_user = SCIMUser.objects.filter(provider=self.provider, user=obj).first()
+        scim_user = SCIMProviderUser.objects.filter(provider=self.provider, user=obj).first()
         if not scim_user:
             self.logger.debug("User does not exist in SCIM, skipping")
             return None
@@ -66,9 +66,9 @@ def create(self, user: User):
         scim_id = response.get("id")
         if not scim_id or scim_id == "":
             raise StopSync("SCIM Response with missing or invalid `id`")
-        return SCIMUser.objects.create(provider=self.provider, user=user, scim_id=scim_id)
+        return SCIMProviderUser.objects.create(provider=self.provider, user=user, scim_id=scim_id)
 
-    def update(self, user: User, connection: SCIMUser):
+    def update(self, user: User, connection: SCIMProviderUser):
         """Update existing user"""
         scim_user = self.to_schema(user, connection)
         scim_user.id = connection.scim_id

diff --git a/authentik/providers/scim/migrations/0008_rename_scimgroup_scimprovidergroup_and_more.py b/authentik/providers/scim/migrations/0008_rename_scimgroup_scimprovidergroup_and_more.py
@@ -0,0 +1,24 @@
+# Generated by Django 5.0.6 on 2024-06-04 07:45
+
+from django.conf import settings
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0035_alter_group_options_and_more"),
+        ("authentik_providers_scim", "0007_scimgroup_scim_id_scimuser_scim_id_and_more"),
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+    ]
+
+    operations = [
+        migrations.RenameModel(
+            old_name="SCIMGroup",
+            new_name="SCIMProviderGroup",
+        ),
+        migrations.RenameModel(
+            old_name="SCIMUser",
+            new_name="SCIMProviderUser",
+        ),
+    ]