stages: authenticator_endpoint_gdtc (#10477)

* rework Signed-off-by: Jens Langhammer <[email protected]> * add loading overlay for chrome Signed-off-by: Jens Langhammer <[email protected]> * start docs Signed-off-by: Jens Langhammer <[email protected]> * Apply suggestions from code review Co-authored-by: Tana M Berry <[email protected]> Signed-off-by: Jens L. <[email protected]> * save data Signed-off-by: Jens Langhammer <[email protected]> * fix web ui, prevent deletion Signed-off-by: Jens Langhammer <[email protected]> * fix Signed-off-by: Jens Langhammer <[email protected]> * text fixes Signed-off-by: Jens Langhammer <[email protected]> --------- Signed-off-by: Jens Langhammer <[email protected]> Signed-off-by: Jens L. <[email protected]> Co-authored-by: Tana M Berry <[email protected]>
goauthentik · Oct 22, 2024 · cec3fdb · cec3fdb
1 parent 0e4e7cc
commit cec3fdb
Show file tree

Hide file tree

Showing 30 changed files with 1,959 additions and 187 deletions.
diff --git a/authentik/blueprints/v1/importer.py b/authentik/blueprints/v1/importer.py
@@ -51,6 +51,10 @@
     MicrosoftEntraProviderUser,
 )
 from authentik.enterprise.providers.rac.models import ConnectionToken
+from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import (
+    EndpointDevice,
+    EndpointDeviceConnection,
+)
 from authentik.events.logs import LogEvent, capture_logs
 from authentik.events.models import SystemTask
 from authentik.events.utils import cleanse_dict
@@ -119,6 +123,8 @@ def excluded_models() -> list[type[Model]]:
         GoogleWorkspaceProviderGroup,
         MicrosoftEntraProviderUser,
         MicrosoftEntraProviderGroup,
+        EndpointDevice,
+        EndpointDeviceConnection,
     )
 
 

diff --git a/authentik/core/api/devices.py b/authentik/core/api/devices.py
@@ -6,7 +6,6 @@
     BooleanField,
     CharField,
     DateTimeField,
-    IntegerField,
     SerializerMethodField,
 )
 from rest_framework.permissions import IsAuthenticated
@@ -15,6 +14,7 @@
 from rest_framework.viewsets import ViewSet
 
 from authentik.core.api.utils import MetaNameSerializer
+from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import EndpointDevice
 from authentik.rbac.decorators import permission_required
 from authentik.stages.authenticator import device_classes, devices_for_user
 from authentik.stages.authenticator.models import Device
@@ -24,7 +24,7 @@
 class DeviceSerializer(MetaNameSerializer):
     """Serializer for Duo authenticator devices"""
 
-    pk = IntegerField()
+    pk = CharField()
     name = CharField()
     type = SerializerMethodField()
     confirmed = BooleanField()
@@ -41,6 +41,8 @@ def get_extra_description(self, instance: Device) -> str:
         """Get extra description"""
         if isinstance(instance, WebAuthnDevice):
             return instance.device_type.description
+        if isinstance(instance, EndpointDevice):
+            return instance.data.get("deviceSignals", {}).get("deviceModel")
         return ""
 
 

diff --git a/authentik/core/management/commands/shell.py b/authentik/core/management/commands/shell.py
@@ -4,6 +4,7 @@
 import platform
 import sys
 import traceback
+from pprint import pprint
 
 from django.apps import apps
 from django.core.management.base import BaseCommand
@@ -34,7 +35,9 @@ def add_arguments(self, parser):
 
     def get_namespace(self):
         """Prepare namespace with all models"""
-        namespace = {}
+        namespace = {
+            "pprint": pprint,
+        }
 
         # Gather Django models and constants from each app
         for app in apps.get_app_configs():

diff --git a/authentik/core/tests/test_devices_api.py b/authentik/core/tests/test_devices_api.py
@@ -29,7 +29,7 @@ def test_user_api(self):
         self.assertEqual(response.status_code, 200)
         body = loads(response.content.decode())
         self.assertEqual(len(body), 1)
-        self.assertEqual(body[0]["pk"], self.device1.pk)
+        self.assertEqual(body[0]["pk"], str(self.device1.pk))
 
     def test_user_api_as_admin(self):
         """Test user API"""
@@ -54,4 +54,6 @@ def test_admin_api(self):
         self.assertEqual(response.status_code, 200)
         body = loads(response.content.decode())
         self.assertEqual(len(body), 2)
-        self.assertEqual({body[0]["pk"], body[1]["pk"]}, {self.device1.pk, self.device2.pk})
+        self.assertEqual(
+            {body[0]["pk"], body[1]["pk"]}, {str(self.device1.pk), str(self.device2.pk)}
+        )
diff --git a/authentik/enterprise/settings.py b/authentik/enterprise/settings.py
@@ -17,6 +17,7 @@
     "authentik.enterprise.providers.google_workspace",
     "authentik.enterprise.providers.microsoft_entra",
     "authentik.enterprise.providers.rac",
+    "authentik.enterprise.stages.authenticator_endpoint_gdtc",
     "authentik.enterprise.stages.source",
 ]
 

diff --git a/authentik/enterprise/stages/authenticator_endpoint_gdtc/api.py b/authentik/enterprise/stages/authenticator_endpoint_gdtc/api.py
@@ -0,0 +1,82 @@
+"""AuthenticatorEndpointGDTCStage API Views"""
+
+from django_filters.rest_framework.backends import DjangoFilterBackend
+from rest_framework import mixins
+from rest_framework.filters import OrderingFilter, SearchFilter
+from rest_framework.permissions import IsAdminUser
+from rest_framework.serializers import ModelSerializer
+from rest_framework.viewsets import GenericViewSet, ModelViewSet
+from structlog.stdlib import get_logger
+
+from authentik.api.authorization import OwnerFilter, OwnerPermissions
+from authentik.core.api.used_by import UsedByMixin
+from authentik.enterprise.api import EnterpriseRequiredMixin
+from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import (
+    AuthenticatorEndpointGDTCStage,
+    EndpointDevice,
+)
+from authentik.flows.api.stages import StageSerializer
+
+LOGGER = get_logger()
+
+
+class AuthenticatorEndpointGDTCStageSerializer(EnterpriseRequiredMixin, StageSerializer):
+    """AuthenticatorEndpointGDTCStage Serializer"""
+
+    class Meta:
+        model = AuthenticatorEndpointGDTCStage
+        fields = StageSerializer.Meta.fields + [
+            "configure_flow",
+            "friendly_name",
+            "credentials",
+        ]
+
+
+class AuthenticatorEndpointGDTCStageViewSet(UsedByMixin, ModelViewSet):
+    """AuthenticatorEndpointGDTCStage Viewset"""
+
+    queryset = AuthenticatorEndpointGDTCStage.objects.all()
+    serializer_class = AuthenticatorEndpointGDTCStageSerializer
+    filterset_fields = [
+        "name",
+        "configure_flow",
+    ]
+    search_fields = ["name"]
+    ordering = ["name"]
+
+
+class EndpointDeviceSerializer(ModelSerializer):
+    """Serializer for Endpoint authenticator devices"""
+
+    class Meta:
+        model = EndpointDevice
+        fields = ["pk", "name"]
+        depth = 2
+
+
+class EndpointDeviceViewSet(
+    mixins.RetrieveModelMixin,
+    mixins.ListModelMixin,
+    UsedByMixin,
+    GenericViewSet,
+):
+    """Viewset for Endpoint authenticator devices"""
+
+    queryset = EndpointDevice.objects.all()
+    serializer_class = EndpointDeviceSerializer
+    search_fields = ["name"]
+    filterset_fields = ["name"]
+    ordering = ["name"]
+    permission_classes = [OwnerPermissions]
+    filter_backends = [OwnerFilter, DjangoFilterBackend, OrderingFilter, SearchFilter]
+
+
+class EndpointAdminDeviceViewSet(ModelViewSet):
+    """Viewset for Endpoint authenticator devices (for admins)"""
+
+    permission_classes = [IsAdminUser]
+    queryset = EndpointDevice.objects.all()
+    serializer_class = EndpointDeviceSerializer
+    search_fields = ["name"]
+    filterset_fields = ["name"]
+    ordering = ["name"]
diff --git a/authentik/enterprise/stages/authenticator_endpoint_gdtc/apps.py b/authentik/enterprise/stages/authenticator_endpoint_gdtc/apps.py
@@ -0,0 +1,13 @@
+"""authentik Endpoint app config"""
+
+from authentik.enterprise.apps import EnterpriseConfig
+
+
+class AuthentikStageAuthenticatorEndpointConfig(EnterpriseConfig):
+    """authentik endpoint config"""
+
+    name = "authentik.enterprise.stages.authenticator_endpoint_gdtc"
+    label = "authentik_stages_authenticator_endpoint_gdtc"
+    verbose_name = "authentik Enterprise.Stages.Authenticator.Endpoint GDTC"
+    default = True
+    mountpoint = "endpoint/gdtc/"
diff --git a/authentik/enterprise/stages/authenticator_endpoint_gdtc/migrations/0001_initial.py b/authentik/enterprise/stages/authenticator_endpoint_gdtc/migrations/0001_initial.py
@@ -0,0 +1,115 @@
+# Generated by Django 5.0.9 on 2024-10-22 11:40
+
+import django.db.models.deletion
+import uuid
+from django.conf import settings
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+        ("authentik_flows", "0027_auto_20231028_1424"),
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="AuthenticatorEndpointGDTCStage",
+            fields=[
+                (
+                    "stage_ptr",
+                    models.OneToOneField(
+                        auto_created=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        parent_link=True,
+                        primary_key=True,
+                        serialize=False,
+                        to="authentik_flows.stage",
+                    ),
+                ),
+                ("friendly_name", models.TextField(null=True)),
+                ("credentials", models.JSONField()),
+                (
+                    "configure_flow",
+                    models.ForeignKey(
+                        blank=True,
+                        help_text="Flow used by an authenticated user to configure this Stage. If empty, user will not be able to configure this stage.",
+                        null=True,
+                        on_delete=django.db.models.deletion.SET_NULL,
+                        to="authentik_flows.flow",
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "Endpoint Authenticator Google Device Trust Connector Stage",
+                "verbose_name_plural": "Endpoint Authenticator Google Device Trust Connector Stages",
+            },
+            bases=("authentik_flows.stage", models.Model),
+        ),
+        migrations.CreateModel(
+            name="EndpointDevice",
+            fields=[
+                ("created", models.DateTimeField(auto_now_add=True)),
+                ("last_updated", models.DateTimeField(auto_now=True)),
+                (
+                    "name",
+                    models.CharField(
+                        help_text="The human-readable name of this device.", max_length=64
+                    ),
+                ),
+                (
+                    "confirmed",
+                    models.BooleanField(default=True, help_text="Is this device ready for use?"),
+                ),
+                ("last_used", models.DateTimeField(null=True)),
+                ("uuid", models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
+                (
+                    "host_identifier",
+                    models.TextField(
+                        help_text="A unique identifier for the endpoint device, usually the device serial number",
+                        unique=True,
+                    ),
+                ),
+                ("data", models.JSONField()),
+                (
+                    "user",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE, to=settings.AUTH_USER_MODEL
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "Endpoint Device",
+                "verbose_name_plural": "Endpoint Devices",
+            },
+        ),
+        migrations.CreateModel(
+            name="EndpointDeviceConnection",
+            fields=[
+                (
+                    "id",
+                    models.AutoField(
+                        auto_created=True, primary_key=True, serialize=False, verbose_name="ID"
+                    ),
+                ),
+                ("attributes", models.JSONField()),
+                (
+                    "device",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to="authentik_stages_authenticator_endpoint_gdtc.endpointdevice",
+                    ),
+                ),
+                (
+                    "stage",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to="authentik_stages_authenticator_endpoint_gdtc.authenticatorendpointgdtcstage",
+                    ),
+                ),
+            ],
+        ),
+    ]
diff --git a/authentik/enterprise/stages/authenticator_endpoint_gdtc/migrations/__init__.py b/authentik/enterprise/stages/authenticator_endpoint_gdtc/migrations/__init__.py