Merge branch 'goauthentik:main' into feature/source_ldap_lookup_group…

…s_from_user
goauthentik · Feb 3, 2025 · f62efb2 · f62efb2
2 parents a66dc73 + e4b6df3
commit f62efb2
Show file tree

Hide file tree

Showing 16 changed files with 150 additions and 61 deletions.
diff --git a/.vscode/extensions.json b/.vscode/extensions.json
@@ -2,6 +2,7 @@
     "recommendations": [
         "bashmish.es6-string-css",
         "bpruitt-goddard.mermaid-markdown-syntax-highlighting",
+        "charliermarsh.ruff",
         "dbaeumer.vscode-eslint",
         "EditorConfig.EditorConfig",
         "esbenp.prettier-vscode",
@@ -10,12 +11,12 @@
         "Gruntfuggly.todo-tree",
         "mechatroner.rainbow-csv",
         "ms-python.black-formatter",
-        "charliermarsh.ruff",
+        "ms-python.black-formatter",
+        "ms-python.debugpy",
         "ms-python.python",
         "ms-python.vscode-pylance",
-        "ms-python.black-formatter",
         "redhat.vscode-yaml",
         "Tobermory.es6-string-html",
-        "unifiedjs.vscode-mdx"
+        "unifiedjs.vscode-mdx",
     ]
 }
diff --git a/.vscode/launch.json b/.vscode/launch.json
@@ -2,26 +2,76 @@
     "version": "0.2.0",
     "configurations": [
         {
-            "name": "Python: PDB attach Server",
-            "type": "python",
+            "name": "Debug: Attach Server Core",
+            "type": "debugpy",
             "request": "attach",
             "connect": {
                 "host": "localhost",
-                "port": 6800
+                "port": 9901
             },
-            "justMyCode": true,
+            "pathMappings": [
+                {
+                    "localRoot": "${workspaceFolder}",
+                    "remoteRoot": "/"
+                }
+            ],
             "django": true
         },
         {
-            "name": "Python: PDB attach Worker",
-            "type": "python",
+            "name": "Debug: Attach Worker",
+            "type": "debugpy",
             "request": "attach",
             "connect": {
                 "host": "localhost",
-                "port": 6900
+                "port": 9901
             },
-            "justMyCode": true,
+            "pathMappings": [
+                {
+                    "localRoot": "${workspaceFolder}",
+                    "remoteRoot": "/"
+                }
+            ],
             "django": true
+        },
+        {
+            "name": "Debug: Start Server Router",
+            "type": "go",
+            "request": "launch",
+            "mode": "auto",
+            "program": "${workspaceFolder}/cmd/server",
+            "cwd": "${workspaceFolder}"
+        },
+        {
+            "name": "Debug: Start LDAP Outpost",
+            "type": "go",
+            "request": "launch",
+            "mode": "auto",
+            "program": "${workspaceFolder}/cmd/ldap",
+            "cwd": "${workspaceFolder}"
+        },
+        {
+            "name": "Debug: Start Proxy Outpost",
+            "type": "go",
+            "request": "launch",
+            "mode": "auto",
+            "program": "${workspaceFolder}/cmd/proxy",
+            "cwd": "${workspaceFolder}"
+        },
+        {
+            "name": "Debug: Start RAC Outpost",
+            "type": "go",
+            "request": "launch",
+            "mode": "auto",
+            "program": "${workspaceFolder}/cmd/rac",
+            "cwd": "${workspaceFolder}"
+        },
+        {
+            "name": "Debug: Start Radius Outpost",
+            "type": "go",
+            "request": "launch",
+            "mode": "auto",
+            "program": "${workspaceFolder}/cmd/radius",
+            "cwd": "${workspaceFolder}"
         }
     ]
 }
diff --git a/Makefile b/Makefile
@@ -255,7 +255,7 @@ docker:  ## Build a docker image of the current source tree
 	DOCKER_BUILDKIT=1 docker build . --progress plain --tag ${DOCKER_IMAGE}
 
 test-docker:
-	./scripts/test_docker.sh
+	BUILD=true ./scripts/test_docker.sh
 
 #########################
 ## CI

diff --git a/authentik/core/management/commands/dev_server.py b/authentik/core/management/commands/dev_server.py
@@ -5,6 +5,7 @@
 from daphne.management.commands.runserver import Command as RunServer
 from daphne.server import Server
 
+from authentik.lib.debug import start_debug_server
 from authentik.root.signals import post_startup, pre_startup, startup
 
 
@@ -13,6 +14,7 @@ class SignalServer(Server):
 
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
+        start_debug_server()
 
         def ready_callable():
             pre_startup.send(sender=self)

diff --git a/authentik/core/management/commands/worker.py b/authentik/core/management/commands/worker.py
@@ -9,6 +9,7 @@
 from structlog.stdlib import get_logger
 
 from authentik.lib.config import CONFIG
+from authentik.lib.debug import start_debug_server
 from authentik.root.celery import CELERY_APP
 
 LOGGER = get_logger()
@@ -28,10 +29,7 @@ def add_arguments(self, parser):
     def handle(self, **options):
         LOGGER.debug("Celery options", **options)
         close_old_connections()
-        if CONFIG.get_bool("remote_debug"):
-            import debugpy
-
-            debugpy.listen(("0.0.0.0", 6900))  # nosec
+        start_debug_server()
         worker: Worker = CELERY_APP.Worker(
             no_color=False,
             quiet=True,

diff --git a/authentik/lib/config.py b/authentik/lib/config.py
@@ -422,4 +422,4 @@ def django_db_config(config: ConfigLoader | None = None) -> dict:
     if len(argv) < 2:  # noqa: PLR2004
         print(dumps(CONFIG.raw, indent=4, cls=AttrEncoder))
     else:
-        print(CONFIG.get(argv[1]))
+        print(CONFIG.get(argv[-1]))
diff --git a/authentik/lib/debug.py b/authentik/lib/debug.py
@@ -0,0 +1,26 @@
+from structlog.stdlib import get_logger
+
+from authentik.lib.config import CONFIG
+
+LOGGER = get_logger()
+
+
+def start_debug_server(**kwargs) -> bool:
+    """Attempt to start a debugpy server in the current process.
+    Returns true if the server was started successfully, otherwise false"""
+    if not CONFIG.get_bool("debug") and not CONFIG.get_bool("debugger"):
+        return
+    try:
+        import debugpy
+    except ImportError:
+        LOGGER.warning(
+            "Failed to import debugpy. debugpy is not included "
+            "in the default release dependencies and must be installed manually"
+        )
+        return False
+
+    listen: str = CONFIG.get("listen.listen_debug_py", "127.0.0.1:9901")
+    host, _, port = listen.rpartition(":")
+    debugpy.listen((host, int(port)), **kwargs)  # nosec
+    LOGGER.debug("Starting debug server", host=host, port=port)
+    return True
diff --git a/authentik/lib/default.yml b/authentik/lib/default.yml
@@ -21,6 +21,7 @@ listen:
   listen_radius: 0.0.0.0:1812
   listen_metrics: 0.0.0.0:9300
   listen_debug: 0.0.0.0:9900
+  listen_debug_py: 0.0.0.0:9901
   trusted_proxy_cidrs:
     - 127.0.0.0/8
     - 10.0.0.0/8
@@ -57,7 +58,7 @@ cache:
 #   transport_options: ""
 
 debug: false
-remote_debug: false
+debugger: false
 
 log_level: info
 

diff --git a/authentik/providers/oauth2/tests/test_token.py b/authentik/providers/oauth2/tests/test_token.py
@@ -150,6 +150,7 @@ def test_auth_code_view(self):
                 "id_token": provider.encode(
                     access.id_token.to_dict(),
                 ),
+                "scope": "",
             },
         )
         self.validate_jwt(access, provider)
@@ -242,6 +243,7 @@ def test_refresh_token_view(self):
                 "id_token": provider.encode(
                     access.id_token.to_dict(),
                 ),
+                "scope": "offline_access",
             },
         )
         self.validate_jwt(access, provider)
@@ -301,6 +303,7 @@ def test_refresh_token_view_invalid_origin(self):
                 "id_token": provider.encode(
                     access.id_token.to_dict(),
                 ),
+                "scope": "offline_access",
             },
         )
 

diff --git a/authentik/providers/oauth2/views/token.py b/authentik/providers/oauth2/views/token.py
@@ -627,6 +627,7 @@ def create_code_response(self) -> dict[str, Any]:
         response = {
             "access_token": access_token.token,
             "token_type": TOKEN_TYPE,
+            "scope": " ".join(access_token.scope),
             "expires_in": int(
                 timedelta_from_string(self.provider.access_token_validity).total_seconds()
             ),
@@ -710,6 +711,7 @@ def create_refresh_response(self) -> dict[str, Any]:
             "access_token": access_token.token,
             "refresh_token": refresh_token.token,
             "token_type": TOKEN_TYPE,
+            "scope": " ".join(access_token.scope),
             "expires_in": int(
                 timedelta_from_string(self.provider.access_token_validity).total_seconds()
             ),
@@ -736,6 +738,7 @@ def create_client_credentials_response(self) -> dict[str, Any]:
         return {
             "access_token": access_token.token,
             "token_type": TOKEN_TYPE,
+            "scope": " ".join(access_token.scope),
             "expires_in": int(
                 timedelta_from_string(self.provider.access_token_validity).total_seconds()
             ),
@@ -767,6 +770,7 @@ def create_device_code_response(self) -> dict[str, Any]:
         response = {
             "access_token": access_token.token,
             "token_type": TOKEN_TYPE,
+            "scope": " ".join(access_token.scope),
             "expires_in": int(
                 timedelta_from_string(self.provider.access_token_validity).total_seconds()
             ),

diff --git a/authentik/stages/authenticator_webauthn/mds/blob.jwt b/authentik/stages/authenticator_webauthn/mds/blob.jwt
diff --git a/internal/debug/debug.go b/internal/debug/debug.go
@@ -15,7 +15,6 @@ import (
 func EnableDebugServer() {
 	l := log.WithField("logger", "authentik.go_debugger")
 	if !config.Get().Debug {
-		l.Info("not enabling debug server, set `AUTHENTIK_DEBUG` to `true` to enable it.")
 		return
 	}
 	h := mux.NewRouter()

diff --git a/lifecycle/ak b/lifecycle/ak
@@ -55,6 +55,10 @@ function cleanup {
 }
 
 function prepare_debug {
+    # Only attempt to install debug dependencies if we're running in a container
+    if [ ! -d /ak-root ]; then
+        return
+    fi
     export DEBIAN_FRONTEND=noninteractive
     apt-get update
     apt-get install -y --no-install-recommends krb5-kdc krb5-user krb5-admin-server libkrb5-dev gcc
@@ -63,7 +67,7 @@ function prepare_debug {
     chown authentik:authentik /unittest.xml
 }
 
-if [[ "${AUTHENTIK_REMOTE_DEBUG}" == "true" ]]; then
+if [[ "$(python -m authentik.lib.config debugger 2> /dev/null)" == "True" ]]; then
     prepare_debug
 fi
 
@@ -92,7 +96,7 @@ elif [[ "$1" == "test-all" ]]; then
 elif [[ "$1" == "healthcheck" ]]; then
     run_authentik healthcheck $(cat $MODE_FILE)
 elif [[ "$1" == "dump_config" ]]; then
-    exec python -m authentik.lib.config
+    exec python -m authentik.lib.config $@
 elif [[ "$1" == "debug" ]]; then
     exec sleep infinity
 else

diff --git a/lifecycle/gunicorn.conf.py b/lifecycle/gunicorn.conf.py
@@ -13,6 +13,7 @@
 
 from authentik import get_full_version
 from authentik.lib.config import CONFIG
+from authentik.lib.debug import start_debug_server
 from authentik.lib.logging import get_logger_config
 from authentik.lib.utils.http import get_http_session
 from authentik.lib.utils.reflection import get_env
@@ -146,9 +147,5 @@ def post_worker_init(worker: DjangoUvicornWorker):
         except Exception:  # nosec
             pass
 
-if CONFIG.get_bool("remote_debug"):
-    import debugpy
-
-    debugpy.listen(("0.0.0.0", 6800))  # nosec
-
+start_debug_server()
 run_migrations()
diff --git a/poetry.lock b/poetry.lock