initial role

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
goauthentik · Sep 20, 2023 · 1d78d8c · 1d78d8c
1 parent 48cc984
commit 1d78d8c
Show file tree

Hide file tree

Showing 8 changed files with 425 additions and 31 deletions.
diff --git a/authentik/core/api/rbac.py b/authentik/core/api/rbac.py
@@ -1,6 +1,6 @@
 """common RBAC serializers"""
 from django.contrib.auth.models import Permission
-from guardian.models import UserObjectPermission
+from guardian.models import UserObjectPermission, GroupObjectPermission
 from rest_framework.fields import ReadOnlyField
 from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ReadOnlyModelViewSet
@@ -24,6 +24,15 @@ class Meta:
         model = UserObjectPermission
         fields = ["id", "codename", "model", "app_label"]
 
+class GroupObjectPermissionSerializer(ModelSerializer):
+    app_label = ReadOnlyField(source="content_type.app_label")
+    model = ReadOnlyField(source="content_type.model")
+    codename = ReadOnlyField(source="permission.codename")
+
+    class Meta:
+        model = GroupObjectPermission
+        fields = ["id", "codename", "model", "app_label"]
+
 
 class RBACPermissionViewSet(ReadOnlyModelViewSet):
     """Read-only list of all permissions, filterable by model and app"""

diff --git a/authentik/core/api/rbac_role.py b/authentik/core/api/rbac_role.py
@@ -0,0 +1,52 @@
+"""common RBAC serializers"""
+from django.db.models import Q, QuerySet
+from django_filters.filters import CharFilter, ChoiceFilter
+from django_filters.filterset import FilterSet
+from rest_framework.mixins import ListModelMixin
+from rest_framework.viewsets import GenericViewSet
+
+from authentik.core.api.rbac import GroupObjectPermissionSerializer
+from django.contrib.auth.models import Group
+from authentik.core.api.users import UserGroupSerializer
+from authentik.policies.event_matcher.models import model_choices
+
+
+class RoleAssignedObjectPermissionSerializer(UserGroupSerializer):
+    permissions = GroupObjectPermissionSerializer(many=True, source="groupobjectpermission_set")
+
+    class Meta:
+        model = UserGroupSerializer.Meta.model
+        fields = UserGroupSerializer.Meta.fields + ["permissions"]
+
+
+class AssignedPermissionFilter(FilterSet):
+    model = ChoiceFilter(choices=model_choices(), method="filter_model", required=True)
+    object_pk = CharFilter(method="filter_object_pk")
+
+    def filter_model(self, queryset: QuerySet, name, value: str) -> QuerySet:
+        app, _, model = value.partition(".")
+        return queryset.filter(
+            Q(
+                permissions__content_type__app_label=app,
+                permissions__content_type__model=model,
+            )
+            | Q(
+                groupobjectpermission__permission__content_type__app_label=app,
+                groupobjectpermission__permission__content_type__model=model,
+            )
+        )
+
+    def filter_object_pk(self, queryset: QuerySet, name, value: str) -> QuerySet:
+        return queryset.filter(
+            Q(groupobjectpermission__object_pk=value)
+        )
+
+
+class RoleAssignedPermissionViewSet(ListModelMixin, GenericViewSet):
+    """Get assigned object permissions for a single object"""
+
+    serializer_class = RoleAssignedObjectPermissionSerializer
+    # The filtering is done in the filterset,
+    # which has a required filter that does the heavy lifting
+    queryset = Group.objects.all()
+    filterset_class = AssignedPermissionFilter
diff --git a/authentik/core/urls.py b/authentik/core/urls.py
@@ -14,6 +14,7 @@
 from authentik.core.api.propertymappings import PropertyMappingViewSet
 from authentik.core.api.providers import ProviderViewSet
 from authentik.core.api.rbac import RBACPermissionViewSet
+from authentik.core.api.rbac_role import RoleAssignedPermissionViewSet
 from authentik.core.api.rbac_user import UserAssignedPermissionViewSet
 from authentik.core.api.roles import RoleViewSet
 from authentik.core.api.sources import SourceViewSet, UserSourceConnectionViewSet
@@ -85,6 +86,7 @@
     ("core/tokens", TokenViewSet),
     ("core/rbac/permissions", RBACPermissionViewSet),
     ("core/rbac/user", UserAssignedPermissionViewSet),
+    ("core/rbac/role", RoleAssignedPermissionViewSet),
     ("sources/all", SourceViewSet),
     ("sources/user_connections/all", UserSourceConnectionViewSet),
     ("providers/all", ProviderViewSet),

diff --git a/schema.yml b/schema.yml
@@ -3726,6 +3726,213 @@ paths:
               schema:
                 $ref: '#/components/schemas/GenericError'
           description: ''
+  /core/rbac/role/:
+    get:
+      operationId: core_rbac_role_list
+      description: Get assigned object permissions for a single object
+      parameters:
+      - in: query
+        name: model
+        schema:
+          type: string
+          enum:
+          - authentik_blueprints.blueprintinstance
+          - authentik_core.application
+          - authentik_core.group
+          - authentik_core.token
+          - authentik_core.user
+          - authentik_crypto.certificatekeypair
+          - authentik_events.event
+          - authentik_events.notification
+          - authentik_events.notificationrule
+          - authentik_events.notificationtransport
+          - authentik_events.notificationwebhookmapping
+          - authentik_flows.flow
+          - authentik_flows.flowstagebinding
+          - authentik_outposts.dockerserviceconnection
+          - authentik_outposts.kubernetesserviceconnection
+          - authentik_outposts.outpost
+          - authentik_policies.policybinding
+          - authentik_policies_dummy.dummypolicy
+          - authentik_policies_event_matcher.eventmatcherpolicy
+          - authentik_policies_expiry.passwordexpirypolicy
+          - authentik_policies_expression.expressionpolicy
+          - authentik_policies_password.passwordpolicy
+          - authentik_policies_reputation.reputation
+          - authentik_policies_reputation.reputationpolicy
+          - authentik_providers_ldap.ldapprovider
+          - authentik_providers_oauth2.accesstoken
+          - authentik_providers_oauth2.authorizationcode
+          - authentik_providers_oauth2.oauth2provider
+          - authentik_providers_oauth2.refreshtoken
+          - authentik_providers_oauth2.scopemapping
+          - authentik_providers_proxy.proxyprovider
+          - authentik_providers_radius.radiusprovider
+          - authentik_providers_saml.samlpropertymapping
+          - authentik_providers_saml.samlprovider
+          - authentik_providers_scim.scimmapping
+          - authentik_providers_scim.scimprovider
+          - authentik_sources_ldap.ldappropertymapping
+          - authentik_sources_ldap.ldapsource
+          - authentik_sources_oauth.oauthsource
+          - authentik_sources_oauth.useroauthsourceconnection
+          - authentik_sources_plex.plexsource
+          - authentik_sources_plex.plexsourceconnection
+          - authentik_sources_saml.samlsource
+          - authentik_sources_saml.usersamlsourceconnection
+          - authentik_stages_authenticator_duo.authenticatorduostage
+          - authentik_stages_authenticator_duo.duodevice
+          - authentik_stages_authenticator_sms.authenticatorsmsstage
+          - authentik_stages_authenticator_sms.smsdevice
+          - authentik_stages_authenticator_static.authenticatorstaticstage
+          - authentik_stages_authenticator_static.staticdevice
+          - authentik_stages_authenticator_totp.authenticatortotpstage
+          - authentik_stages_authenticator_totp.totpdevice
+          - authentik_stages_authenticator_validate.authenticatorvalidatestage
+          - authentik_stages_authenticator_webauthn.authenticatewebauthnstage
+          - authentik_stages_authenticator_webauthn.webauthndevice
+          - authentik_stages_captcha.captchastage
+          - authentik_stages_consent.consentstage
+          - authentik_stages_consent.userconsent
+          - authentik_stages_deny.denystage
+          - authentik_stages_dummy.dummystage
+          - authentik_stages_email.emailstage
+          - authentik_stages_identification.identificationstage
+          - authentik_stages_invitation.invitation
+          - authentik_stages_invitation.invitationstage
+          - authentik_stages_password.passwordstage
+          - authentik_stages_prompt.prompt
+          - authentik_stages_prompt.promptstage
+          - authentik_stages_user_delete.userdeletestage
+          - authentik_stages_user_login.userloginstage
+          - authentik_stages_user_logout.userlogoutstage
+          - authentik_stages_user_write.userwritestage
+          - authentik_tenants.tenant
+        description: |-
+          * `authentik_crypto.certificatekeypair` - Certificate-Key Pair
+          * `authentik_events.event` - Event
+          * `authentik_events.notificationtransport` - Notification Transport
+          * `authentik_events.notification` - Notification
+          * `authentik_events.notificationrule` - Notification Rule
+          * `authentik_events.notificationwebhookmapping` - Webhook Mapping
+          * `authentik_flows.flow` - Flow
+          * `authentik_flows.flowstagebinding` - Flow Stage Binding
+          * `authentik_outposts.dockerserviceconnection` - Docker Service-Connection
+          * `authentik_outposts.kubernetesserviceconnection` - Kubernetes Service-Connection
+          * `authentik_outposts.outpost` - outpost
+          * `authentik_policies_dummy.dummypolicy` - Dummy Policy
+          * `authentik_policies_event_matcher.eventmatcherpolicy` - Event Matcher Policy
+          * `authentik_policies_expiry.passwordexpirypolicy` - Password Expiry Policy
+          * `authentik_policies_expression.expressionpolicy` - Expression Policy
+          * `authentik_policies_password.passwordpolicy` - Password Policy
+          * `authentik_policies_reputation.reputationpolicy` - Reputation Policy
+          * `authentik_policies_reputation.reputation` - Reputation Score
+          * `authentik_policies.policybinding` - Policy Binding
+          * `authentik_providers_ldap.ldapprovider` - LDAP Provider
+          * `authentik_providers_oauth2.scopemapping` - Scope Mapping
+          * `authentik_providers_oauth2.oauth2provider` - OAuth2/OpenID Provider
+          * `authentik_providers_oauth2.authorizationcode` - Authorization Code
+          * `authentik_providers_oauth2.accesstoken` - OAuth2 Access Token
+          * `authentik_providers_oauth2.refreshtoken` - OAuth2 Refresh Token
+          * `authentik_providers_proxy.proxyprovider` - Proxy Provider
+          * `authentik_providers_radius.radiusprovider` - Radius Provider
+          * `authentik_providers_saml.samlprovider` - SAML Provider
+          * `authentik_providers_saml.samlpropertymapping` - SAML Property Mapping
+          * `authentik_providers_scim.scimprovider` - SCIM Provider
+          * `authentik_providers_scim.scimmapping` - SCIM Mapping
+          * `authentik_sources_ldap.ldapsource` - LDAP Source
+          * `authentik_sources_ldap.ldappropertymapping` - LDAP Property Mapping
+          * `authentik_sources_oauth.oauthsource` - OAuth Source
+          * `authentik_sources_oauth.useroauthsourceconnection` - User OAuth Source Connection
+          * `authentik_sources_plex.plexsource` - Plex Source
+          * `authentik_sources_plex.plexsourceconnection` - User Plex Source Connection
+          * `authentik_sources_saml.samlsource` - SAML Source
+          * `authentik_sources_saml.usersamlsourceconnection` - User SAML Source Connection
+          * `authentik_stages_authenticator_duo.authenticatorduostage` - Duo Authenticator Setup Stage
+          * `authentik_stages_authenticator_duo.duodevice` - Duo Device
+          * `authentik_stages_authenticator_sms.authenticatorsmsstage` - SMS Authenticator Setup Stage
+          * `authentik_stages_authenticator_sms.smsdevice` - SMS Device
+          * `authentik_stages_authenticator_static.authenticatorstaticstage` - Static Authenticator Stage
+          * `authentik_stages_authenticator_static.staticdevice` - Static device
+          * `authentik_stages_authenticator_totp.authenticatortotpstage` - TOTP Authenticator Setup Stage
+          * `authentik_stages_authenticator_totp.totpdevice` - TOTP device
+          * `authentik_stages_authenticator_validate.authenticatorvalidatestage` - Authenticator Validation Stage
+          * `authentik_stages_authenticator_webauthn.authenticatewebauthnstage` - WebAuthn Authenticator Setup Stage
+          * `authentik_stages_authenticator_webauthn.webauthndevice` - WebAuthn Device
+          * `authentik_stages_captcha.captchastage` - Captcha Stage
+          * `authentik_stages_consent.consentstage` - Consent Stage
+          * `authentik_stages_consent.userconsent` - User Consent
+          * `authentik_stages_deny.denystage` - Deny Stage
+          * `authentik_stages_dummy.dummystage` - Dummy Stage
+          * `authentik_stages_email.emailstage` - Email Stage
+          * `authentik_stages_identification.identificationstage` - Identification Stage
+          * `authentik_stages_invitation.invitationstage` - Invitation Stage
+          * `authentik_stages_invitation.invitation` - Invitation
+          * `authentik_stages_password.passwordstage` - Password Stage
+          * `authentik_stages_prompt.prompt` - Prompt
+          * `authentik_stages_prompt.promptstage` - Prompt Stage
+          * `authentik_stages_user_delete.userdeletestage` - User Delete Stage
+          * `authentik_stages_user_login.userloginstage` - User Login Stage
+          * `authentik_stages_user_logout.userlogoutstage` - User Logout Stage
+          * `authentik_stages_user_write.userwritestage` - User Write Stage
+          * `authentik_tenants.tenant` - Tenant
+          * `authentik_blueprints.blueprintinstance` - Blueprint Instance
+          * `authentik_core.group` - group
+          * `authentik_core.user` - User
+          * `authentik_core.application` - Application
+          * `authentik_core.token` - Token
+        required: true
+      - in: query
+        name: object_pk
+        schema:
+          type: string
+      - name: ordering
+        required: false
+        in: query
+        description: Which field to use when ordering the results.
+        schema:
+          type: string
+      - name: page
+        required: false
+        in: query
+        description: A page number within the paginated result set.
+        schema:
+          type: integer
+      - name: page_size
+        required: false
+        in: query
+        description: Number of results to return per page.
+        schema:
+          type: integer
+      - name: search
+        required: false
+        in: query
+        description: A search term.
+        schema:
+          type: string
+      tags:
+      - core
+      security:
+      - authentik: []
+      responses:
+        '200':
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/PaginatedRoleAssignedObjectPermissionList'
+          description: ''
+        '400':
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/ValidationError'
+          description: ''
+        '403':
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/GenericError'
+          description: ''
   /core/rbac/user/:
     get:
       operationId: core_rbac_user_list
@@ -31111,6 +31318,27 @@ components:
       required:
       - name
       - username
+    GroupObjectPermission:
+      type: object
+      properties:
+        id:
+          type: integer
+          readOnly: true
+        codename:
+          type: string
+          readOnly: true
+        model:
+          type: string
+          title: Python model class name
+          readOnly: true
+        app_label:
+          type: string
+          readOnly: true
+      required:
+      - app_label
+      - codename
+      - id
+      - model
     GroupRequest:
       type: object
       description: Group Serializer
@@ -34208,6 +34436,18 @@ components:
       required:
       - pagination
       - results
+    PaginatedRoleAssignedObjectPermissionList:
+      type: object
+      properties:
+        pagination:
+          $ref: '#/components/schemas/Pagination'
+        results:
+          type: array
+          items:
+            $ref: '#/components/schemas/RoleAssignedObjectPermission'
+      required:
+      - pagination
+      - results
     PaginatedSAMLPropertyMappingList:
       type: object
       properties:
@@ -38787,6 +39027,45 @@ components:
         * `discouraged` - Discouraged
         * `preferred` - Preferred
         * `required` - Required
+    RoleAssignedObjectPermission:
+      type: object
+      description: Simplified Group Serializer for user's groups
+      properties:
+        pk:
+          type: string
+          format: uuid
+          readOnly: true
+          title: Group uuid
+        num_pk:
+          type: integer
+          description: Get a numerical, int32 ID for the group
+          readOnly: true
+        name:
+          type: string
+          maxLength: 80
+        is_superuser:
+          type: boolean
+          description: Users added to this group will be superusers.
+        parent:
+          type: string
+          format: uuid
+          nullable: true
+        parent_name:
+          type: string
+          readOnly: true
+        attributes:
+          type: object
+          additionalProperties: {}
+        permissions:
+          type: array
+          items:
+            $ref: '#/components/schemas/GroupObjectPermission'
+      required:
+      - name
+      - num_pk
+      - parent_name
+      - permissions
+      - pk
     SAMLMetadata:
       type: object
       description: SAML Provider Metadata serializer