mirror of
https://github.com/goauthentik/authentik
synced 2026-04-25 17:15:26 +02:00
e426f88401
* web: Separate global styles from element roots. * web: Flesh out style strategy plugin, fixes for imported styles. * web: Clean up applying of dark theme. web: unminify. * web: Fix alignment, rendering on high contrast. web: Apply footer resize. web: Fix application of global styles in style roots. web: Fix missing layout attribute. web: Normalize background alignment. web: Fix layout issues, color overrides. web: Fix alignment, colors, jank. web: Separate method into function. web: Clean up alignment, reflow. web: Fix colors, compatibility mode. web: Add content left/right support. web: Fix colors, compatibility mode overrides. * Fix issue where missing config throws runtime error. * web: Refactor. * Update tests. * web: Fix Storybook imports. * Fix order of theme application. * web: Fix storybook asset paths. * web: Flesh out tests surrounding source buttons, fix alignment, contrast. * Update tests, clarify errors. * Update test selectors, assertions. * Clarify redirect handling. * Adjust user check. * Update logs. * web: Fix selector timing. * Fix alignment. * Fix selectors, timing. * Log current URL content. * Refine shadow selector, add delay. * Replace IDs with named elements. * Fix overlay color. * Fix footer padding. * Fix contrast. * Add selectable name to button. * Fix alignment, mobile layout. * web: Spread exported parts to stages. * Fix z-index order. * Tidy colors, behaviors, layout. * Fix overflow scroll. * Clean up duplicate color styles. * Clarify selector order. Fix overrides, color contrast. * Attempt to read JSON multiple times. * Clarify error. * web: Fix timeouts, URL changes. * web: Fix disabled styles. * Fix color flip. * Fix selector. * Fix issue where hidden tables will alter test URLs. * Use DOM to look for connection, rather than API. Update selectors. * Immediately navigate to tab. * Upgrade Dex. * Ensure Dex redirects. * Use same host during tests. * web: Update package-lock.json * Add delay.
274 lines
9.8 KiB
Python
274 lines
9.8 KiB
Python
"""Proxy and Outpost e2e tests"""
|
|
|
|
from base64 import b64encode
|
|
from dataclasses import asdict
|
|
from json import dumps
|
|
from sys import platform
|
|
from time import sleep
|
|
from unittest.case import skip, skipUnless
|
|
|
|
from channels.testing import ChannelsLiveServerTestCase
|
|
from jwt import decode
|
|
from selenium.webdriver.common.by import By
|
|
|
|
from authentik.blueprints.tests import apply_blueprint, reconcile_app
|
|
from authentik.core.models import Application
|
|
from authentik.flows.models import Flow
|
|
from authentik.lib.generators import generate_id
|
|
from authentik.outposts.models import DockerServiceConnection, Outpost, OutpostConfig, OutpostType
|
|
from authentik.outposts.tasks import outpost_connection_discovery
|
|
from authentik.providers.proxy.models import ProxyProvider
|
|
from tests.e2e.utils import SeleniumTestCase, retry
|
|
|
|
|
|
class TestProviderProxy(SeleniumTestCase):
|
|
"""Proxy and Outpost e2e tests"""
|
|
|
|
def setUp(self):
|
|
super().setUp()
|
|
self.run_container(
|
|
image="traefik/whoami:latest",
|
|
ports={
|
|
"80": "80",
|
|
},
|
|
)
|
|
|
|
def start_proxy(self, outpost: Outpost):
|
|
"""Start proxy container based on outpost created"""
|
|
self.run_container(
|
|
image=self.get_container_image("ghcr.io/goauthentik/dev-proxy"),
|
|
ports={
|
|
"9000": "9000",
|
|
},
|
|
environment={
|
|
"AUTHENTIK_TOKEN": outpost.token.key,
|
|
},
|
|
)
|
|
|
|
@retry()
|
|
@apply_blueprint(
|
|
"default/flow-default-authentication-flow.yaml",
|
|
"default/flow-default-invalidation-flow.yaml",
|
|
)
|
|
@apply_blueprint(
|
|
"default/flow-default-provider-authorization-implicit-consent.yaml",
|
|
"default/flow-default-provider-invalidation.yaml",
|
|
)
|
|
@apply_blueprint(
|
|
"system/providers-oauth2.yaml",
|
|
"system/providers-proxy.yaml",
|
|
)
|
|
@reconcile_app("authentik_crypto")
|
|
def test_proxy_simple(self):
|
|
"""Test simple outpost setup with single provider"""
|
|
# set additionalHeaders to test later
|
|
self.user.attributes["additionalHeaders"] = {"X-Foo": "bar"}
|
|
self.user.save()
|
|
|
|
proxy: ProxyProvider = ProxyProvider.objects.create(
|
|
name=generate_id(),
|
|
authorization_flow=Flow.objects.get(
|
|
slug="default-provider-authorization-implicit-consent"
|
|
),
|
|
invalidation_flow=Flow.objects.get(slug="default-provider-invalidation-flow"),
|
|
internal_host=f"http://{self.host}",
|
|
external_host="http://localhost:9000",
|
|
)
|
|
# Ensure OAuth2 Params are set
|
|
proxy.set_oauth_defaults()
|
|
proxy.save()
|
|
# we need to create an application to actually access the proxy
|
|
Application.objects.create(name=generate_id(), slug=generate_id(), provider=proxy)
|
|
outpost: Outpost = Outpost.objects.create(
|
|
name=generate_id(),
|
|
type=OutpostType.PROXY,
|
|
)
|
|
outpost.providers.add(proxy)
|
|
outpost.build_user_permissions(outpost.user)
|
|
|
|
self.start_proxy(outpost)
|
|
|
|
sleep(5)
|
|
|
|
self.driver.get("http://localhost:9000/api")
|
|
self.login()
|
|
sleep(1)
|
|
|
|
body = self.parse_json_content()
|
|
headers = body.get("headers", {})
|
|
snippet = dumps(body, indent=2)[:500].replace("\n", " ")
|
|
|
|
self.assertEqual(
|
|
headers.get("X-Authentik-Username"),
|
|
[self.user.username],
|
|
f"X-Authentik-Username header mismatch at {self.driver.current_url}: {snippet}",
|
|
)
|
|
self.assertEqual(
|
|
headers.get("X-Foo"),
|
|
["bar"],
|
|
f"X-Foo header mismatch at {self.driver.current_url}: {snippet}",
|
|
)
|
|
raw_jwt: str = headers.get("X-Authentik-Jwt", [None])[0]
|
|
jwt = decode(raw_jwt, options={"verify_signature": False})
|
|
|
|
self.assertIsNotNone(jwt["sid"], "Missing 'sid' in JWT")
|
|
self.assertIsNotNone(jwt["ak_proxy"], "Missing 'ak_proxy' in JWT")
|
|
|
|
self.driver.get("http://localhost:9000/outpost.goauthentik.io/sign_out")
|
|
sleep(2)
|
|
|
|
flow_executor = self.get_shadow_root("ak-flow-executor")
|
|
session_end_stage = self.get_shadow_root("ak-stage-session-end", flow_executor)
|
|
flow_card = self.get_shadow_root("ak-flow-card", session_end_stage)
|
|
title = flow_card.find_element(By.CSS_SELECTOR, ".pf-c-title.pf-m-3xl").text
|
|
|
|
self.assertIn(
|
|
"You've logged out of",
|
|
title,
|
|
f"Logout title mismatch at {self.driver.current_url}: {title}",
|
|
)
|
|
|
|
@retry()
|
|
@apply_blueprint(
|
|
"default/flow-default-authentication-flow.yaml",
|
|
"default/flow-default-invalidation-flow.yaml",
|
|
)
|
|
@apply_blueprint(
|
|
"default/flow-default-provider-authorization-implicit-consent.yaml",
|
|
"default/flow-default-provider-invalidation.yaml",
|
|
)
|
|
@apply_blueprint(
|
|
"system/providers-oauth2.yaml",
|
|
"system/providers-proxy.yaml",
|
|
)
|
|
@reconcile_app("authentik_crypto")
|
|
def test_proxy_basic_auth(self):
|
|
"""Test simple outpost setup with single provider"""
|
|
cred = generate_id()
|
|
attr = "basic-password" # nosec
|
|
self.user.attributes["basic-username"] = cred
|
|
self.user.attributes[attr] = cred
|
|
self.user.save()
|
|
|
|
proxy: ProxyProvider = ProxyProvider.objects.create(
|
|
name=generate_id(),
|
|
authorization_flow=Flow.objects.get(
|
|
slug="default-provider-authorization-implicit-consent"
|
|
),
|
|
invalidation_flow=Flow.objects.get(slug="default-provider-invalidation-flow"),
|
|
internal_host=f"http://{self.host}",
|
|
external_host="http://localhost:9000",
|
|
basic_auth_enabled=True,
|
|
basic_auth_user_attribute="basic-username",
|
|
basic_auth_password_attribute=attr,
|
|
)
|
|
# Ensure OAuth2 Params are set
|
|
proxy.set_oauth_defaults()
|
|
proxy.save()
|
|
# we need to create an application to actually access the proxy
|
|
Application.objects.create(name=generate_id(), slug=generate_id(), provider=proxy)
|
|
outpost: Outpost = Outpost.objects.create(
|
|
name=generate_id(),
|
|
type=OutpostType.PROXY,
|
|
)
|
|
outpost.providers.add(proxy)
|
|
outpost.build_user_permissions(outpost.user)
|
|
|
|
self.start_proxy(outpost)
|
|
|
|
sleep(5)
|
|
|
|
self.driver.get("http://localhost:9000/api")
|
|
self.login()
|
|
sleep(1)
|
|
|
|
body = self.parse_json_content()
|
|
headers = body.get("headers", {})
|
|
snippet = dumps(body, indent=2)[:500].replace("\n", " ")
|
|
|
|
self.assertEqual(
|
|
headers.get("X-Authentik-Username"),
|
|
[self.user.username],
|
|
f"X-Authentik-Username header mismatch at {self.driver.current_url}: {snippet}",
|
|
)
|
|
|
|
auth_header = b64encode(f"{cred}:{cred}".encode()).decode()
|
|
|
|
self.assertEqual(
|
|
headers.get("Authorization"),
|
|
[f"Basic {auth_header}"],
|
|
f"Authorization header mismatch at {self.driver.current_url}: {snippet}",
|
|
)
|
|
|
|
self.driver.get("http://localhost:9000/outpost.goauthentik.io/sign_out")
|
|
sleep(2)
|
|
|
|
flow_executor = self.get_shadow_root("ak-flow-executor")
|
|
session_end_stage = self.get_shadow_root("ak-stage-session-end", flow_executor)
|
|
flow_card = self.get_shadow_root("ak-flow-card", session_end_stage)
|
|
title = flow_card.find_element(By.CSS_SELECTOR, ".pf-c-title.pf-m-3xl").text
|
|
|
|
self.assertIn(
|
|
"You've logged out of",
|
|
title,
|
|
f"Logout title mismatch at {self.driver.current_url}: {title}",
|
|
)
|
|
|
|
|
|
# TODO: Fix flaky test
|
|
@skip("Flaky test")
|
|
@skipUnless(platform.startswith("linux"), "requires local docker")
|
|
class TestProviderProxyConnect(ChannelsLiveServerTestCase):
|
|
"""Test Proxy connectivity over websockets"""
|
|
|
|
@retry(exceptions=[AssertionError])
|
|
@apply_blueprint(
|
|
"default/flow-default-authentication-flow.yaml",
|
|
"default/flow-default-invalidation-flow.yaml",
|
|
)
|
|
@apply_blueprint(
|
|
"default/flow-default-provider-authorization-implicit-consent.yaml",
|
|
)
|
|
@reconcile_app("authentik_crypto")
|
|
def test_proxy_connectivity(self):
|
|
"""Test proxy connectivity over websocket"""
|
|
outpost_connection_discovery()
|
|
proxy: ProxyProvider = ProxyProvider.objects.create(
|
|
name=generate_id(),
|
|
authorization_flow=Flow.objects.get(
|
|
slug="default-provider-authorization-implicit-consent"
|
|
),
|
|
internal_host="http://localhost",
|
|
external_host="http://localhost:9000",
|
|
)
|
|
# Ensure OAuth2 Params are set
|
|
proxy.set_oauth_defaults()
|
|
proxy.save()
|
|
# we need to create an application to actually access the proxy
|
|
Application.objects.create(name=generate_id(), slug=generate_id(), provider=proxy)
|
|
service_connection = DockerServiceConnection.objects.get(local=True)
|
|
outpost: Outpost = Outpost.objects.create(
|
|
name=generate_id(),
|
|
type=OutpostType.PROXY,
|
|
service_connection=service_connection,
|
|
_config=asdict(OutpostConfig(authentik_host=self.live_server_url, log_level="debug")),
|
|
)
|
|
outpost.providers.add(proxy)
|
|
outpost.build_user_permissions(outpost.user)
|
|
|
|
# Wait until outpost healthcheck succeeds
|
|
healthcheck_retries = 0
|
|
while healthcheck_retries < 50: # noqa: PLR2004
|
|
if len(outpost.state) > 0:
|
|
state = outpost.state[0]
|
|
if state.last_seen and state.version:
|
|
break
|
|
healthcheck_retries += 1
|
|
sleep(0.5)
|
|
|
|
state = outpost.state
|
|
self.assertGreaterEqual(len(state), 1)
|
|
|
|
# Make sure to delete the outpost to remove the container
|
|
outpost.delete()
|