# Noble — authentication flow for the **lab** hostname Brand: only members of operator groups may continue.
# Reuses default identification / password / MFA / login stages; adds a policy on the password stage binding.
#
# This file is a Jinja template (the `{{ ... | to_json }}` scalars and the `{% for %}` loop below) that is
# rendered into an authentik blueprint before it is applied. `to_json` emits a quoted JSON string, so each
# rendered value is a valid single-line YAML scalar even if the input contains spaces or quotes.
#
# NOTE(review): the "operators only" rule is enforced by a policy bound to a *stage binding*
# (noble-lab-operators-only, attached to noble-lab-password-binding at order 5). In authentik a policy on a
# stage binding decides whether that stage is shown or skipped; as far as I can tell it does not deny the flow.
# A non-operator who fails the policy would therefore either still see the password stage (binding engine mode
# "any": the sibling noble-lab-password-optional binding carries failure_result: true and so always counts as
# passing) or have the password stage skipped and continue to the MFA/login bindings (engine mode "all").
# Confirm the intended outcome against authentik's stage-binding semantics; the usual pattern for a hard deny
# mid-flow is a deny stage whose own binding is shown only for non-operators. — TODO confirm
#
# NOTE(review): the `!Find` lookups below assume the stock "default-authentication-*" stages already exist;
# this blueprint only applies "Default - Password change flow" via metaapplyblueprint. — confirm ordering
version: 1
metadata:
  name: noble-lab-operator-authentication
  labels:
    # Apply the blueprint as soon as it is discovered rather than leaving it pending.
    blueprints.goauthentik.io/instantiate: "true"
entries:
  # Optional dependency: the password-change flow the default password stage refers to (presumably) — not
  # fatal if missing.
  - model: authentik_blueprints.metaapplyblueprint
    attrs:
      identifiers:
        name: Default - Password change flow
      required: false
  # The login flow itself. Slug comes from the deployment variable; this blueprint does not attach the flow
  # to the lab Brand — that is presumably done elsewhere.
  - model: authentik_flows.flow
    id: flow
    identifiers:
      slug: {{ noble_authentik_blueprint_lab_flow_slug | trim | to_json }}
    attrs:
      name: Noble lab (operators)
      title: Noble lab — operators only
      designation: authentication
      # "none": no authentication is required to *start* the flow (it is the login flow).
      authentication: none
  # Stage 10: identification (username lookup) — sets pending_user for the later stages.
  - id: noble-lab-identification-binding
    model: authentik_flows.flowstagebinding
    identifiers:
      order: 10
      stage: !Find [authentik_stages_identification.identificationstage, [name, default-authentication-identification]]
      target: !KeyOf flow
  # Stage 20: password. Policies on this binding are re-evaluated when the stage is reached instead of only
  # when the plan is built, so that values set by the identification stage (pending_user) are visible to them
  # — NOTE(review): that is the assumed reason for re_evaluate_policies; confirm.
  - id: noble-lab-password-binding
    model: authentik_flows.flowstagebinding
    identifiers:
      order: 20
      stage: !Find [authentik_stages_password.passwordstage, [name, default-authentication-password]]
      target: !KeyOf flow
    attrs:
      re_evaluate_policies: true
  # Stage 30: MFA validation.
  - id: noble-lab-authenticator-binding
    model: authentik_flows.flowstagebinding
    identifiers:
      order: 30
      stage: !Find [authentik_stages_authenticator_validate.authenticatorvalidatestage, [name, default-authentication-mfa-validation]]
      target: !KeyOf flow
  # Stage 100: log the user in.
  - model: authentik_flows.flowstagebinding
    identifiers:
      order: 100
      stage: !Find [authentik_stages_user_login.userloginstage, [name, default-authentication-login]]
      target: !KeyOf flow
  # Mirrors the stock "password optional" policy: passes (stage shown) unless the pending user already carries
  # a `backend` attribute, i.e. was presumably already authenticated by another backend (source/passwordless).
  # Returns True when no flow plan is present in the request context.
  - model: authentik_policies_expression.expressionpolicy
    id: noble-lab-password-optional
    identifiers:
      name: noble-lab-password-optional
    attrs:
      expression: |
        flow_plan = request.context.get("flow_plan")
        if not flow_plan:
            return True
        return not hasattr(flow_plan.context.get("pending_user"), "backend")
  # Mirrors the stock "MFA optional" policy: skips MFA validation when the auth_method recorded in the plan is
  # passwordless WebAuthn (which already counts as a strong factor). True when no flow plan is present.
  - model: authentik_policies_expression.expressionpolicy
    id: noble-lab-authenticator-validate-optional
    identifiers:
      name: noble-lab-authenticator-validate-optional
    attrs:
      expression: |
        flow_plan = request.context.get("flow_plan")
        if not flow_plan:
            return True
        return not (flow_plan.context.get("auth_method") == "auth_webauthn_pwl")
  # Group gate. Fails closed: with no pending_user, or when the rendered operator-group list is empty (the Jinja
  # loop then emits no `if` lines), the expression returns False for everyone. One `if` line is rendered per
  # configured group; the `{% for %}`/`{% endfor %}` tag lines themselves render as blank lines inside the
  # expression, which is harmless Python. NOTE(review): `context.get("pending_user")` presumes the policy request
  # context carries the flow plan's pending_user at stage-binding evaluation — confirm. The ak_message text
  # says "administrators" while the rule checks operator groups; wording only, left unchanged here.
  - model: authentik_policies_expression.expressionpolicy
    id: noble-lab-operators-only
    identifiers:
      name: {{ noble_authentik_blueprint_operator_policy_name | trim | to_json }}
    attrs:
      expression: |
        u = context.get("pending_user")
        if u is None:
            return False
        {% for g in noble_authentik_blueprint_lab_operator_groups | default([]) %}
        if ak_is_group_member(u, name={{ g | trim | to_json }}):
            return True
        {% endfor %}
        ak_message("This login URL is for administrators only. Use the public Authentik hostname instead.")
        return False
  # Operators-only gate on the password stage binding (evaluated first, order 5). See the NOTE(review) at the
  # top of the file about what a failing result does here.
  - model: authentik_policies.policybinding
    identifiers:
      order: 5
      target: !KeyOf noble-lab-password-binding
      policy: !KeyOf noble-lab-operators-only
  # Skip the password stage for already-authenticated users. failure_result: true means a policy *failure* is
  # still reported as a pass for this binding, so it can never by itself hide the stage.
  - model: authentik_policies.policybinding
    identifiers:
      order: 10
      target: !KeyOf noble-lab-password-binding
      policy: !KeyOf noble-lab-password-optional
    attrs:
      failure_result: true
  # Skip MFA validation for passwordless-WebAuthn logins; same failure_result semantics as above.
  - model: authentik_policies.policybinding
    identifiers:
      order: 10
      target: !KeyOf noble-lab-authenticator-binding
      policy: !KeyOf noble-lab-authenticator-validate-optional
    attrs:
      failure_result: true