Skip to content

policies/geoip: distance + impossible travel #12541

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
BeryJu merged 7 commits into from
Feb 17, 2025
Merged

policies/geoip: distance + impossible travel #12541

BeryJu merged 7 commits into from
Feb 17, 2025

Conversation

@BeryJu
Copy link
Member

@BeryJu BeryJu commented Jan 2, 2025

Details

Add options to the GeoIP policy for distance checks and impossible travel checks

Checklist

  • Local tests pass (ak test authentik/)
  • The code has been formatted (make lint-fix)

If an API change has been made

  • The API schema has been updated (make gen-build)

If changes to the frontend have been made

  • The code has been formatted (make web)

If applicable

  • The documentation has been updated
  • The documentation has been formatted (make website)

@BeryJu BeryJu requested review from a team as code owners January 2, 2025 20:30
@netlify
Copy link

netlify bot commented Jan 2, 2025
edited
Loading

Deploy Preview for authentik-storybook ready!

Name Link
🔨 Latest commit a5c1ca7
🔍 Latest deploy log https://app.netlify.com/sites/authentik-storybook/deploys/67b346bae4bdce00083f353a
😎 Deploy Preview https://deploy-preview-12541--authentik-storybook.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

@netlify
Copy link

netlify bot commented Jan 2, 2025
edited
Loading

Deploy Preview for authentik-docs canceled.

Name Link
🔨 Latest commit a5c1ca7
🔍 Latest deploy log https://app.netlify.com/sites/authentik-docs/deploys/67b346ba8be7000008cc90c7

@codecov
Copy link

codecov bot commented Jan 2, 2025
edited
Loading

❌ 1 Tests Failed:

Tests completed Failed Passed Skipped
1707 1 1706 2
View the full list of 1 ❄️ flaky tests 
authentik.stages.authenticator_email.tests.TestAuthenticatorEmailStage::test_session_management

Flake rate in main: 37.50% (Passed 5 times, Failed 3 times)

Stack Traces | 0.881s run time 
self = <unittest.case._Outcome object at 0x7f56178a8e30>
test_case = <authentik.stages.authenticator_email.tests.TestAuthenticatorEmailStage testMethod=test_session_management>
subTest = False

    @contextlib.contextmanager
    def testPartExecutor(self, test_case, subTest=False):
        old_success = self.success
        self.success = True
        try:
>           yield

.../hostedtoolcache/Python/3.12.9.............../x64/lib/python3.12/unittest/case.py:58: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <authentik.stages.authenticator_email.tests.TestAuthenticatorEmailStage testMethod=test_session_management>
result = <TestCaseFunction test_session_management>

    def run(self, result=None):
        if result is None:
            result = self.defaultTestResult()
            startTestRun = getattr(result, 'startTestRun', None)
            stopTestRun = getattr(result, 'stopTestRun', None)
            if startTestRun is not None:
                startTestRun()
        else:
            stopTestRun = None
    
        result.startTest(self)
        try:
            testMethod = getattr(self, self._testMethodName)
            if (getattr(self.__class__, "__unittest_skip__", False) or
                getattr(testMethod, "__unittest_skip__", False)):
                # If the class or method was skipped.
                skip_why = (getattr(self.__class__, '__unittest_skip_why__', '')
                            or getattr(testMethod, '__unittest_skip_why__', ''))
                _addSkip(result, self, skip_why)
                return result
    
            expecting_failure = (
                getattr(self, "__unittest_expecting_failure__", False) or
                getattr(testMethod, "__unittest_expecting_failure__", False)
            )
            outcome = _Outcome(result)
            start_time = time.perf_counter()
            try:
                self._outcome = outcome
    
                with outcome.testPartExecutor(self):
                    self._callSetUp()
                if outcome.success:
                    outcome.expecting_failure = expecting_failure
                    with outcome.testPartExecutor(self):
>                       self._callTestMethod(testMethod)

.../hostedtoolcache/Python/3.12.9.............../x64/lib/python3.12/unittest/case.py:634: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <authentik.stages.authenticator_email.tests.TestAuthenticatorEmailStage testMethod=test_session_management>
method = <bound method TestAuthenticatorEmailStage.test_session_management of <authentik.stages.authenticator_email.tests.TestAuthenticatorEmailStage testMethod=test_session_management>>

    def _callTestMethod(self, method):
>       if method() is not None:

.../hostedtoolcache/Python/3.12.9.............../x64/lib/python3.12/unittest/case.py:589: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <authentik.stages.authenticator_email.tests.TestAuthenticatorEmailStage testMethod=test_session_management>

    def test_session_management(self):
        """Test session device management"""
        # Test device creation in session
        with patch(
            "authentik.stages.authenticator_email.models.AuthenticatorEmailStage.backend_class",
            PropertyMock(return_value=EmailBackend),
        ):
            # Delete any existing devices for this test
            EmailDevice.objects.filter(user=self.user).delete()
    
            response = self.client.get(
                reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
            )
            self.assertIn(SESSION_KEY_EMAIL_DEVICE, self.client.session)
            device = self.client.session[SESSION_KEY_EMAIL_DEVICE]
            self.assertIsInstance(device, EmailDevice)
            self.assertFalse(device.confirmed)
            self.assertEqual(device.user, self.user)
    
            # Test device confirmation and cleanup
            device.confirmed = True
            device.email = "[email protected]"  # Use a different email
            self.client.session[SESSION_KEY_EMAIL_DEVICE] = device
            self.client.session.save()
            response = self.client.post(
                reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
                data={"component": "ak-stage-authenticator-email", "code": device.token},
            )
            self.assertEqual(response.status_code, 200)
            self.assertTrue(device.confirmed)
            # Session key should be removed after device is saved
            device.save()
>           self.assertNotIn(SESSION_KEY_EMAIL_DEVICE, self.client.session)

.../stages/authenticator_email/tests.py:305: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <authentik.stages.authenticator_email.tests.TestAuthenticatorEmailStage testMethod=test_session_management>
member = '.../stages/authenticator_email/email_device'
container = <django.contrib.sessions.backends.cache.SessionStore object at 0x7f5618894bf0>
msg = None

    def assertNotIn(self, member, container, msg=None):
        """Just like self.assertTrue(a not in b), but with a nicer default message."""
        if member in container:
            standardMsg = '%s unexpectedly found in %s' % (safe_repr(member),
                                                        safe_repr(container))
>           self.fail(self._formatMessage(msg, standardMsg))

.../hostedtoolcache/Python/3.12.9.............../x64/lib/python3.12/unittest/case.py:1159: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <authentik.stages.authenticator_email.tests.TestAuthenticatorEmailStage testMethod=test_session_management>
msg = "'.../stages/authenticator_email/email_device' unexpectedly found in <django.contrib.sessions.backends.cache.SessionStore object at 0x7f5618894bf0>"

    def fail(self, msg=None):
        """Fail immediately, with the given message."""
>       raise self.failureException(msg)
E       AssertionError: '.../stages/authenticator_email/email_device' unexpectedly found in <django.contrib.sessions.backends.cache.SessionStore object at 0x7f5618894bf0>

.../hostedtoolcache/Python/3.12.9.............../x64/lib/python3.12/unittest/case.py:715: AssertionError

To view more test analytics, go to the Test Analytics Dashboard
📋 Got 3 mins? Take this short survey to help us improve Test Analytics.

@BeryJu BeryJu force-pushed the policies/geoip/distance branch from a2cc87e to bec9606 Compare January 2, 2025 21:07
@github-actions
Copy link
Contributor

github-actions bot commented Jan 2, 2025
edited
Loading

authentik PR Installation instructions

Instructions for docker-compose

Add the following block to your .env file:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-a5c1ca793dc7f5c5338c36ac1fa4f4b2a2438f11
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

Afterwards, run the upgrade commands from the latest release notes.

Instructions for Kubernetes

Add the following block to your values.yml file:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
global:
    image:
        repository: ghcr.io/goauthentik/dev-server
        tag: gh-a5c1ca793dc7f5c5338c36ac1fa4f4b2a2438f11

Afterwards, run the upgrade commands from the latest release notes.

@BeryJu BeryJu force-pushed the policies/geoip/distance branch from bec9606 to 7ac0d30 Compare January 14, 2025 01:49
@notion-workspace
Copy link

notion-workspace bot commented Jan 15, 2025

GeoIP Policy: Distance & Impossible travel

rissson
rissson requested changes Jan 16, 2025
View reviewed changes
web/src/admin/policies/geoip/GeoIPPolicyForm.ts
<ak-form-group>
<span slot="header"> ${msg("Distance settings")} </span>
<div slot="body" class="pf-c-form">
<ak-form-element-horizontal name="checkHistoryDistance">
Copy link
Member

@rissson rissson Jan 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ak-switch-input could be used here

web/src/admin/policies/geoip/GeoIPPolicyForm.ts
)}
</p>
</ak-form-element-horizontal>
<ak-form-element-horizontal
Copy link
Member

@rissson rissson Jan 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No ak-number-input though, it doesn't support min yet. cc. @kensternberg-authentik for awareness

Copy link
Member

@rissson rissson Jan 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

#12703

authentik/policies/geoip/models.py
"""
results: list[PolicyResult] = []
static_results: list[PolicyResult] = []
dynamic_results: list[PolicyResult] = []
Copy link
Member

@rissson rissson Jan 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Any advantage in having two separate lists here?

@BeryJu
add history distance checks
1863f86 
Signed-off-by: Jens Langhammer <[email protected]>
@BeryJu
start impossible travel
4e5bc14 
Signed-off-by: Jens Langhammer <[email protected]>
@BeryJu
optimise
eacbca8 
Signed-off-by: Jens Langhammer <[email protected]>
@BeryJu
ui start
4fdc355 
Signed-off-by: Jens Langhammer <[email protected]>
@BeryJu
fix and add tests
458e364 
Signed-off-by: Jens Langhammer <[email protected]>
@BeryJu
fix ui, fix missing api
4222e0a 
Signed-off-by: Jens Langhammer <[email protected]>
@BeryJu BeryJu force-pushed the policies/geoip/distance branch from 7ac0d30 to 4222e0a Compare February 17, 2025 14:20
@BeryJu
fix
a5c1ca7 
Signed-off-by: Jens Langhammer <[email protected]>
@BeryJu BeryJu merged commit ab8f5a2 into main Feb 17, 2025
85 of 86 checks passed
@BeryJu BeryJu deleted the policies/geoip/distance branch February 17, 2025 17:47
kensternberg-authentik added a commit that referenced this pull request Feb 20, 2025
@kensternberg-authentik
Merge branch 'main' into dev
19f25d5 
* main:
  web/user: fix opening application with Enter not respecting new tab setting (#13115)
  web: bump API Client version (#13113)
  providers/rac: move to open source (#13015)
  website/docs: add 2025.2 release notes (#13002)
  core: clear expired database sessions (#13105)
  core: bump sentry-sdk from 2.21.0 to 2.22.0 (#13098)
  core: bump bandit from 1.8.2 to 1.8.3 (#13097)
  core: bump aws-cdk-lib from 2.178.2 to 2.179.0 (#13099)
  core: bump goauthentik.io/api/v3 from 3.2024123.4 to 3.2024123.6 (#13100)
  lifecycle/aws: bump aws-cdk from 2.178.2 to 2.179.0 in /lifecycle/aws (#13101)
  website/docs: Add AdventureLog Community Integration Documentation (#12928)
  website/docs: minor fixes (#13095)
  website/integrations: Update to Wizard and Styling Guide (#12919)
  web: bump API Client version (#13093)
  policies/geoip: distance + impossible travel (#12541)
  root: fix generated API docs not being excluded from codespell (#13091)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rissson rissson rissson requested changes

@gergosimonyi gergosimonyi Awaiting requested review from gergosimonyi

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@BeryJu @rissson