From e90c24927415b84db50e8881e6300f158857a3c0 Mon Sep 17 00:00:00 2001 From: "Jens L." Date: Fri, 30 Jan 2026 16:27:41 +0100 Subject: [PATCH] common: introduce common (#19852) 
Signed-off-by: Jens Langhammer --- Makefile | 2 +- authentik/api/authentication.py | 2 +- authentik/api/tests/test_auth.py | 2 +- authentik/common/__init__.py | 0 authentik/common/oauth/__init__.py | 0 .../oauth2 => common/oauth}/constants.py | 0 authentik/common/saml/__init__.py | 0 .../processors => common/saml}/constants.py | 0 .../connectors/agent/views/apple_token.py | 2 +- .../ws_federation/processors/constants.py | 2 +- .../ws_federation/processors/metadata.py | 2 +- authentik/providers/iframe_logout.py | 2 +- authentik/providers/oauth2/id_token.py | 8 +++--- authentik/providers/oauth2/models.py | 2 +- authentik/providers/oauth2/signals.py | 2 +- .../providers/oauth2/tests/test_authorize.py | 2 +- .../providers/oauth2/tests/test_introspect.py | 2 +- .../providers/oauth2/tests/test_token.py | 10 +++---- .../tests/test_token_cc_jwt_provider.py | 10 +++---- .../oauth2/tests/test_token_cc_jwt_source.py | 10 +++---- .../oauth2/tests/test_token_cc_standard.py | 8 +++--- .../tests/test_token_cc_standard_compat.py | 8 +++--- .../oauth2/tests/test_token_cc_user_pw.py | 16 +++++------ .../oauth2/tests/test_token_device.py | 8 +++--- .../providers/oauth2/tests/test_token_pkce.py | 2 +- authentik/providers/oauth2/views/authorize.py | 26 ++++++++--------- authentik/providers/oauth2/views/github.py | 2 +- authentik/providers/oauth2/views/provider.py | 6 ++-- authentik/providers/oauth2/views/token.py | 26 ++++++++--------- authentik/providers/oauth2/views/userinfo.py | 8 +++--- authentik/providers/saml/api/providers.py | 2 +- .../migrations/0009_auto_20201112_2016.py | 2 +- authentik/providers/saml/models.py | 26 ++++++++--------- .../providers/saml/processors/assertion.py | 26 ++++++++--------- .../saml/processors/authn_request_parser.py | 12 ++++---- .../saml/processors/logout_request.py | 14 +++++----- .../saml/processors/logout_request_parser.py | 2 +- .../providers/saml/processors/metadata.py | 8 +++--- .../saml/processors/metadata_parser.py | 10 +++---- 
.../saml/tests/test_auth_n_request.py | 12 ++++---- .../providers/saml/tests/test_idp_logout.py | 10 +++---- .../tests/test_logout_processor_and_parser.py | 8 +++--- .../saml/tests/test_logout_request_parser.py | 2 +- .../tests/test_logout_request_processor.py | 8 +++--- .../providers/saml/tests/test_metadata.py | 2 +- .../saml/tests/test_models_session.py | 6 ++-- .../providers/saml/tests/test_views_sp_slo.py | 2 +- .../0001_squashed_0009_auto_20210301_0949.py | 2 +- authentik/sources/saml/models.py | 28 +++++++++---------- authentik/sources/saml/processors/metadata.py | 6 ++-- authentik/sources/saml/processors/request.py | 12 ++++---- authentik/sources/saml/processors/response.py | 20 ++++++------- .../saml/tests/test_property_mappings.py | 2 +- tests/e2e/test_provider_oauth2_grafana.py | 12 ++++---- tests/e2e/test_provider_oidc.py | 12 ++++---- tests/e2e/test_provider_oidc_implicit.py | 12 ++++---- tests/e2e/test_provider_saml.py | 2 +- 57 files changed, 215 insertions(+), 215 deletions(-) create mode 100644 authentik/common/__init__.py create mode 100644 authentik/common/oauth/__init__.py rename authentik/{providers/oauth2 => common/oauth}/constants.py (100%) create mode 100644 authentik/common/saml/__init__.py rename authentik/{sources/saml/processors => common/saml}/constants.py (100%) diff --git a/Makefile b/Makefile index 0850d7cd23..b2566b2453 100644 --- a/Makefile +++ b/Makefile @@ -77,7 +77,7 @@ lint-fix: lint-codespell ## Lint and automatically fix errors in the python sou lint-codespell: ## Reports spelling errors. $(UV) run codespell -w -lint: ci-bandit ## Lint the python and golang sources +lint: ci-bandit ci-mypy ## Lint the python and golang sources golangci-lint run -v core-install: diff --git a/authentik/api/authentication.py b/authentik/api/authentication.py index bb59897218..cc0b1323f6 100644 --- a/authentik/api/authentication.py +++ b/authentik/api/authentication.py 
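Review bot: The `lint` target now also depends on `ci-mypy`, which is unrelated to the module move the commit title describes and is not mentioned in the description; the `ci-mypy` target itself lies outside this hunk, so whether it exists and what it checks cannot be confirmed here. Consider splitting it into its own commit, or at least adding a line to the description such as `Also runs mypy as part of make lint.` so the new gate on the lint step is discoverable from the history.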
@@ -13,10 +13,10 @@ from rest_framework.exceptions import AuthenticationFailed from rest_framework.request import Request from structlog.stdlib import get_logger +from authentik.common.oauth.constants import SCOPE_AUTHENTIK_API from authentik.core.middleware import CTX_AUTH_VIA from authentik.core.models import Token, TokenIntents, User, UserTypes from authentik.outposts.models import Outpost -from authentik.providers.oauth2.constants import SCOPE_AUTHENTIK_API LOGGER = get_logger() _tmp = Path(gettempdir()) diff --git a/authentik/api/tests/test_auth.py b/authentik/api/tests/test_auth.py index 56f6d36bf6..ae6f60fea8 100644 --- a/authentik/api/tests/test_auth.py +++ b/authentik/api/tests/test_auth.py @@ -11,12 +11,12 @@ from rest_framework.exceptions import AuthenticationFailed from authentik.api.authentication import IPCUser, TokenAuthentication from authentik.blueprints.tests import reconcile_app +from authentik.common.oauth.constants import SCOPE_AUTHENTIK_API from authentik.core.models import Token, TokenIntents, UserTypes from authentik.core.tests.utils import create_test_admin_user, create_test_flow from authentik.lib.generators import generate_id from authentik.outposts.apps import MANAGED_OUTPOST from authentik.outposts.models import Outpost -from authentik.providers.oauth2.constants import SCOPE_AUTHENTIK_API from authentik.providers.oauth2.models import AccessToken, OAuth2Provider diff --git a/authentik/common/__init__.py b/authentik/common/__init__.py new file mode 100644 index 0000000000..e69de29bb2 diff --git a/authentik/common/oauth/__init__.py b/authentik/common/oauth/__init__.py new file mode 100644 index 0000000000..e69de29bb2 diff --git a/authentik/providers/oauth2/constants.py b/authentik/common/oauth/constants.py similarity index 100% rename from authentik/providers/oauth2/constants.py rename to authentik/common/oauth/constants.py 
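Review bot: This import switches to `authentik.common.oauth.constants` while the diffstat shows `authentik/providers/oauth2/constants.py` is renamed with nothing left at the old path (likewise `authentik/sources/saml/processors/constants.py`), so any out-of-tree code that still imports from the old locations fails at import time rather than at use. If external consumers of those module paths are possible, a thin compatibility module at each old path that re-exports the moved names, with a deprecation comment and a removal date, would carry them through one release; if there are none, the plain rename is fine. The same point applies to every import-only hunk in this patch, so it is raised once here.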
diff --git a/authentik/common/saml/__init__.py b/authentik/common/saml/__init__.py new file mode 100644 index 0000000000..e69de29bb2 diff --git a/authentik/sources/saml/processors/constants.py b/authentik/common/saml/constants.py similarity index 100% rename from authentik/sources/saml/processors/constants.py rename to authentik/common/saml/constants.py diff --git a/authentik/enterprise/endpoints/connectors/agent/views/apple_token.py b/authentik/enterprise/endpoints/connectors/agent/views/apple_token.py index eb6e696fea..77bb03005d 100644 --- a/authentik/enterprise/endpoints/connectors/agent/views/apple_token.py +++ b/authentik/enterprise/endpoints/connectors/agent/views/apple_token.py @@ -10,6 +10,7 @@ from jwt import PyJWTError, decode, encode, get_unverified_header from rest_framework.exceptions import ValidationError from structlog.stdlib import get_logger +from authentik.common.oauth.constants import TOKEN_TYPE from authentik.core.models import AuthenticatedSession, Session, User from authentik.core.sessions import SessionStore from authentik.crypto.apps import MANAGED_KEY @@ -26,7 +27,6 @@ from authentik.events.models import Event, EventAction from authentik.events.signals import SESSION_LOGIN_EVENT from authentik.flows.planner import PLAN_CONTEXT_DEVICE from authentik.lib.utils.time import timedelta_from_string -from authentik.providers.oauth2.constants import TOKEN_TYPE from authentik.providers.oauth2.id_token import IDToken from authentik.providers.oauth2.models import JWTAlgorithms from authentik.root.middleware import SessionMiddleware diff --git a/authentik/enterprise/providers/ws_federation/processors/constants.py b/authentik/enterprise/providers/ws_federation/processors/constants.py index 4abb701023..4bcdaa48af 100644 --- a/authentik/enterprise/providers/ws_federation/processors/constants.py +++ b/authentik/enterprise/providers/ws_federation/processors/constants.py 
@@ -1,4 +1,4 @@
-from authentik.sources.saml.processors.constants import NS_MAP as _map
+from authentik.common.saml.constants import NS_MAP as _map
 
 WS_FED_ACTION_SIGN_IN = "wsignin1.0"
 WS_FED_ACTION_SIGN_OUT = "wsignout1.0"
diff --git a/authentik/enterprise/providers/ws_federation/processors/metadata.py b/authentik/enterprise/providers/ws_federation/processors/metadata.py
index a33fe9ec9d..2acaf27f27 100644
--- a/authentik/enterprise/providers/ws_federation/processors/metadata.py
+++ b/authentik/enterprise/providers/ws_federation/processors/metadata.py
@@ -1,6 +1,7 @@
 from django.urls import reverse
 from lxml.etree import SubElement, _Element # nosec
 
+from authentik.common.saml.constants import NS_SAML_METADATA
 from authentik.enterprise.providers.ws_federation.processors.constants import (
     NS_ADDRESSING,
     NS_MAP,
@@ -8,7 +9,6 @@ from authentik.enterprise.providers.ws_federation.processors.constants import (
     NS_WSI,
 )
 from authentik.providers.saml.processors.metadata import MetadataProcessor as BaseMetadataProcessor
-from authentik.sources.saml.processors.constants import NS_SAML_METADATA
 
 
 class MetadataProcessor(BaseMetadataProcessor):
diff --git a/authentik/providers/iframe_logout.py b/authentik/providers/iframe_logout.py
index a01ccb034a..617e038310 100644
--- a/authentik/providers/iframe_logout.py
+++ b/authentik/providers/iframe_logout.py
@@ -3,9 +3,9 @@
 from django.http import HttpResponse
 from rest_framework.fields import CharField, DictField, ListField
 
+from authentik.common.oauth.constants import PLAN_CONTEXT_OIDC_LOGOUT_IFRAME_SESSIONS
 from authentik.flows.challenge import Challenge, ChallengeResponse
 from authentik.flows.stage import ChallengeStageView
-from authentik.providers.oauth2.constants import PLAN_CONTEXT_OIDC_LOGOUT_IFRAME_SESSIONS
 from authentik.providers.saml.views.flows import PLAN_CONTEXT_SAML_LOGOUT_IFRAME_SESSIONS
 
 
diff --git a/authentik/providers/oauth2/id_token.py b/authentik/providers/oauth2/id_token.py
index 1e27660f14..23922b6348 100644
--- a/authentik/providers/oauth2/id_token.py +++ b/authentik/providers/oauth2/id_token.py @@ -7,10 +7,7 @@ from typing import TYPE_CHECKING, Any from django.http import HttpRequest from django.utils import timezone -from authentik.core.models import default_token_duration -from authentik.events.signals import get_login_event -from authentik.lib.generators import generate_id -from authentik.providers.oauth2.constants import ( +from authentik.common.oauth.constants import ( ACR_AUTHENTIK_DEFAULT, AMR_MFA, AMR_PASSWORD, @@ -18,6 +15,9 @@ from authentik.providers.oauth2.constants import ( AMR_WEBAUTHN, SubModes, ) +from authentik.core.models import default_token_duration +from authentik.events.signals import get_login_event +from authentik.lib.generators import generate_id from authentik.stages.password.stage import PLAN_CONTEXT_METHOD, PLAN_CONTEXT_METHOD_ARGS if TYPE_CHECKING: diff --git a/authentik/providers/oauth2/models.py b/authentik/providers/oauth2/models.py index e6d6a20965..07aaf284f2 100644 --- a/authentik/providers/oauth2/models.py +++ b/authentik/providers/oauth2/models.py @@ -33,6 +33,7 @@ from rest_framework.serializers import Serializer from structlog.stdlib import get_logger from authentik.brands.models import WebfingerProvider +from authentik.common.oauth.constants import SubModes from authentik.core.models import ( AuthenticatedSession, ExpiringModel, @@ -44,7 +45,6 @@ from authentik.crypto.models import CertificateKeyPair from authentik.lib.generators import generate_code_fixed_length, generate_id, generate_key from authentik.lib.models import DomainlessURLValidator, InternallyManagedMixin, SerializerModel from authentik.lib.utils.time import timedelta_string_validator -from authentik.providers.oauth2.constants import SubModes from authentik.sources.oauth.models import OAuthSource if TYPE_CHECKING: diff --git a/authentik/providers/oauth2/signals.py b/authentik/providers/oauth2/signals.py index d675c8288a..dfd0606ea7 100644 
--- a/authentik/providers/oauth2/signals.py +++ b/authentik/providers/oauth2/signals.py @@ -4,11 +4,11 @@ from django.db.models.signals import post_save, pre_delete from django.dispatch import receiver from structlog.stdlib import get_logger +from authentik.common.oauth.constants import PLAN_CONTEXT_OIDC_LOGOUT_IFRAME_SESSIONS from authentik.core.models import AuthenticatedSession, User from authentik.flows.models import in_memory_stage from authentik.outposts.tasks import hash_session_key from authentik.providers.iframe_logout import IframeLogoutStageView -from authentik.providers.oauth2.constants import PLAN_CONTEXT_OIDC_LOGOUT_IFRAME_SESSIONS from authentik.providers.oauth2.models import ( AccessToken, DeviceToken, diff --git a/authentik/providers/oauth2/tests/test_authorize.py b/authentik/providers/oauth2/tests/test_authorize.py index 85ba3bf4aa..f69744fa9b 100644 --- a/authentik/providers/oauth2/tests/test_authorize.py +++ b/authentik/providers/oauth2/tests/test_authorize.py @@ -8,6 +8,7 @@ from django.urls import reverse from django.utils.timezone import now from authentik.blueprints.tests import apply_blueprint +from authentik.common.oauth.constants import SCOPE_OFFLINE_ACCESS, SCOPE_OPENID, TOKEN_TYPE from authentik.core.models import Application from authentik.core.tests.utils import create_test_admin_user, create_test_brand, create_test_flow from authentik.events.models import Event, EventAction @@ -16,7 +17,6 @@ from authentik.flows.stage import PLAN_CONTEXT_PENDING_USER_IDENTIFIER from authentik.flows.views.executor import SESSION_KEY_PLAN from authentik.lib.generators import generate_id from authentik.lib.utils.time import timedelta_from_string -from authentik.providers.oauth2.constants import SCOPE_OFFLINE_ACCESS, SCOPE_OPENID, TOKEN_TYPE from authentik.providers.oauth2.errors import AuthorizeError, ClientIdError, RedirectUriError from authentik.providers.oauth2.models import ( AccessToken, 
diff --git a/authentik/providers/oauth2/tests/test_introspect.py b/authentik/providers/oauth2/tests/test_introspect.py index b753801792..5758fac6c1 100644 --- a/authentik/providers/oauth2/tests/test_introspect.py +++ b/authentik/providers/oauth2/tests/test_introspect.py @@ -7,10 +7,10 @@ from dataclasses import asdict from django.urls import reverse from django.utils import timezone +from authentik.common.oauth.constants import ACR_AUTHENTIK_DEFAULT from authentik.core.models import Application from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow from authentik.lib.generators import generate_id -from authentik.providers.oauth2.constants import ACR_AUTHENTIK_DEFAULT from authentik.providers.oauth2.id_token import IDToken from authentik.providers.oauth2.models import ( AccessToken, diff --git a/authentik/providers/oauth2/tests/test_token.py b/authentik/providers/oauth2/tests/test_token.py index 90d2a99e94..10a86f523d 100644 --- a/authentik/providers/oauth2/tests/test_token.py +++ b/authentik/providers/oauth2/tests/test_token.py 
@@ -8,15 +8,15 @@ from django.urls import reverse from django.utils import timezone from authentik.blueprints.tests import apply_blueprint -from authentik.core.models import Application -from authentik.core.tests.utils import create_test_admin_user, create_test_flow -from authentik.events.models import Event, EventAction -from authentik.lib.generators import generate_id, generate_key -from authentik.providers.oauth2.constants import ( +from authentik.common.oauth.constants import ( GRANT_TYPE_AUTHORIZATION_CODE, GRANT_TYPE_REFRESH_TOKEN, TOKEN_TYPE, ) +from authentik.core.models import Application +from authentik.core.tests.utils import create_test_admin_user, create_test_flow +from authentik.events.models import Event, EventAction +from authentik.lib.generators import generate_id, generate_key from authentik.providers.oauth2.errors import TokenError from authentik.providers.oauth2.models import ( AccessToken, diff --git a/authentik/providers/oauth2/tests/test_token_cc_jwt_provider.py b/authentik/providers/oauth2/tests/test_token_cc_jwt_provider.py index abe1b5c757..9f37e0a419 100644 --- a/authentik/providers/oauth2/tests/test_token_cc_jwt_provider.py +++ b/authentik/providers/oauth2/tests/test_token_cc_jwt_provider.py 
@@ -9,17 +9,17 @@ from django.utils.timezone import now from jwt import decode from authentik.blueprints.tests import apply_blueprint -from authentik.core.models import Application, Group -from authentik.core.tests.utils import create_test_cert, create_test_flow, create_test_user -from authentik.lib.generators import generate_id -from authentik.policies.models import PolicyBinding -from authentik.providers.oauth2.constants import ( +from authentik.common.oauth.constants import ( GRANT_TYPE_CLIENT_CREDENTIALS, SCOPE_OPENID, SCOPE_OPENID_EMAIL, SCOPE_OPENID_PROFILE, TOKEN_TYPE, ) +from authentik.core.models import Application, Group +from authentik.core.tests.utils import create_test_cert, create_test_flow, create_test_user +from authentik.lib.generators import generate_id +from authentik.policies.models import PolicyBinding from authentik.providers.oauth2.models import ( AccessToken, OAuth2Provider, diff --git a/authentik/providers/oauth2/tests/test_token_cc_jwt_source.py b/authentik/providers/oauth2/tests/test_token_cc_jwt_source.py index 5de0bd7ebc..f43b5de12c 100644 --- a/authentik/providers/oauth2/tests/test_token_cc_jwt_source.py +++ b/authentik/providers/oauth2/tests/test_token_cc_jwt_source.py 
@@ -8,17 +8,17 @@ from django.urls import reverse from jwt import decode from authentik.blueprints.tests import apply_blueprint -from authentik.core.models import Application, Group -from authentik.core.tests.utils import create_test_cert, create_test_flow -from authentik.lib.generators import generate_id -from authentik.policies.models import PolicyBinding -from authentik.providers.oauth2.constants import ( +from authentik.common.oauth.constants import ( GRANT_TYPE_CLIENT_CREDENTIALS, SCOPE_OPENID, SCOPE_OPENID_EMAIL, SCOPE_OPENID_PROFILE, TOKEN_TYPE, ) +from authentik.core.models import Application, Group +from authentik.core.tests.utils import create_test_cert, create_test_flow +from authentik.lib.generators import generate_id +from authentik.policies.models import PolicyBinding from authentik.providers.oauth2.models import ( OAuth2Provider, RedirectURI, diff --git a/authentik/providers/oauth2/tests/test_token_cc_standard.py b/authentik/providers/oauth2/tests/test_token_cc_standard.py index b534621731..79c7a46eb6 100644 --- a/authentik/providers/oauth2/tests/test_token_cc_standard.py +++ b/authentik/providers/oauth2/tests/test_token_cc_standard.py @@ -7,10 +7,7 @@ from django.urls import reverse from jwt import decode from authentik.blueprints.tests import apply_blueprint -from authentik.core.models import Application, Group, Token, TokenIntents, UserTypes -from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow -from authentik.policies.models import PolicyBinding -from authentik.providers.oauth2.constants import ( +from authentik.common.oauth.constants import ( GRANT_TYPE_CLIENT_CREDENTIALS, GRANT_TYPE_PASSWORD, SCOPE_OPENID, 
@@ -18,6 +15,9 @@ from authentik.providers.oauth2.constants import ( SCOPE_OPENID_PROFILE, TOKEN_TYPE, ) +from authentik.core.models import Application, Group, Token, TokenIntents, UserTypes +from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow +from authentik.policies.models import PolicyBinding from authentik.providers.oauth2.errors import TokenError from authentik.providers.oauth2.models import ( AccessToken, diff --git a/authentik/providers/oauth2/tests/test_token_cc_standard_compat.py b/authentik/providers/oauth2/tests/test_token_cc_standard_compat.py index 01e38b5cc8..5fa547ce4d 100644 --- a/authentik/providers/oauth2/tests/test_token_cc_standard_compat.py +++ b/authentik/providers/oauth2/tests/test_token_cc_standard_compat.py @@ -8,10 +8,7 @@ from django.urls import reverse from jwt import decode from authentik.blueprints.tests import apply_blueprint -from authentik.core.models import Application, Group, Token, TokenIntents, UserTypes -from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow -from authentik.policies.models import PolicyBinding -from authentik.providers.oauth2.constants import ( +from authentik.common.oauth.constants import ( GRANT_TYPE_CLIENT_CREDENTIALS, GRANT_TYPE_PASSWORD, SCOPE_OPENID, @@ -19,6 +16,9 @@ from authentik.providers.oauth2.constants import ( SCOPE_OPENID_PROFILE, TOKEN_TYPE, ) +from authentik.core.models import Application, Group, Token, TokenIntents, UserTypes +from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow +from authentik.policies.models import PolicyBinding from authentik.providers.oauth2.errors import TokenError from authentik.providers.oauth2.models import ( OAuth2Provider, diff --git a/authentik/providers/oauth2/tests/test_token_cc_user_pw.py b/authentik/providers/oauth2/tests/test_token_cc_user_pw.py index eb236ecfd3..6540865b7a 100644 
--- a/authentik/providers/oauth2/tests/test_token_cc_user_pw.py +++ b/authentik/providers/oauth2/tests/test_token_cc_user_pw.py @@ -7,6 +7,14 @@ from django.urls import reverse from jwt import decode from authentik.blueprints.tests import apply_blueprint +from authentik.common.oauth.constants import ( + GRANT_TYPE_CLIENT_CREDENTIALS, + GRANT_TYPE_PASSWORD, + SCOPE_OPENID, + SCOPE_OPENID_EMAIL, + SCOPE_OPENID_PROFILE, + TOKEN_TYPE, +) from authentik.core.models import Application, Group, Token, TokenIntents, UserTypes from authentik.core.tests.utils import ( create_test_admin_user, @@ -15,14 +23,6 @@ from authentik.core.tests.utils import ( create_test_user, ) from authentik.policies.models import PolicyBinding -from authentik.providers.oauth2.constants import ( - GRANT_TYPE_CLIENT_CREDENTIALS, - GRANT_TYPE_PASSWORD, - SCOPE_OPENID, - SCOPE_OPENID_EMAIL, - SCOPE_OPENID_PROFILE, - TOKEN_TYPE, -) from authentik.providers.oauth2.errors import TokenError from authentik.providers.oauth2.models import ( OAuth2Provider, diff --git a/authentik/providers/oauth2/tests/test_token_device.py b/authentik/providers/oauth2/tests/test_token_device.py index 212828897e..0a02ffdf7e 100644 --- a/authentik/providers/oauth2/tests/test_token_device.py +++ b/authentik/providers/oauth2/tests/test_token_device.py 
@@ -6,14 +6,14 @@ from django.test import RequestFactory from django.urls import reverse from authentik.blueprints.tests import apply_blueprint -from authentik.core.models import Application -from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow -from authentik.lib.generators import generate_code_fixed_length, generate_id -from authentik.providers.oauth2.constants import ( +from authentik.common.oauth.constants import ( GRANT_TYPE_DEVICE_CODE, SCOPE_OPENID, SCOPE_OPENID_EMAIL, ) +from authentik.core.models import Application +from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow +from authentik.lib.generators import generate_code_fixed_length, generate_id from authentik.providers.oauth2.models import ( AccessToken, DeviceToken, diff --git a/authentik/providers/oauth2/tests/test_token_pkce.py b/authentik/providers/oauth2/tests/test_token_pkce.py index 348dce5ea2..7ffc1d6607 100644 --- a/authentik/providers/oauth2/tests/test_token_pkce.py +++ b/authentik/providers/oauth2/tests/test_token_pkce.py @@ -5,10 +5,10 @@ from base64 import b64encode from django.test import RequestFactory from django.urls import reverse +from authentik.common.oauth.constants import GRANT_TYPE_AUTHORIZATION_CODE from authentik.core.models import Application from authentik.core.tests.utils import create_test_admin_user, create_test_flow from authentik.lib.generators import generate_id -from authentik.providers.oauth2.constants import GRANT_TYPE_AUTHORIZATION_CODE from authentik.providers.oauth2.models import ( AuthorizationCode, OAuth2Provider, diff --git a/authentik/providers/oauth2/views/authorize.py b/authentik/providers/oauth2/views/authorize.py index 516979d52d..bc2744c3be 100644 --- a/authentik/providers/oauth2/views/authorize.py +++ b/authentik/providers/oauth2/views/authorize.py 
@@ -17,6 +17,19 @@ from django.utils import timezone, translation from django.utils.translation import gettext as _ from structlog.stdlib import get_logger +from authentik.common.oauth.constants import ( + PKCE_METHOD_PLAIN, + PKCE_METHOD_S256, + PROMPT_CONSENT, + PROMPT_LOGIN, + PROMPT_NONE, + QS_LOGIN_HINT, + SCOPE_GITHUB, + SCOPE_OFFLINE_ACCESS, + SCOPE_OPENID, + TOKEN_TYPE, + UI_LOCALES, +) from authentik.core.models import Application from authentik.events.models import Event, EventAction from authentik.events.signals import get_login_event @@ -33,19 +46,6 @@ from authentik.lib.utils.time import timedelta_from_string from authentik.lib.views import bad_request_message from authentik.policies.types import PolicyRequest from authentik.policies.views import BufferedPolicyAccessView, RequestValidationError -from authentik.providers.oauth2.constants import ( - PKCE_METHOD_PLAIN, - PKCE_METHOD_S256, - PROMPT_CONSENT, - PROMPT_LOGIN, - PROMPT_NONE, - QS_LOGIN_HINT, - SCOPE_GITHUB, - SCOPE_OFFLINE_ACCESS, - SCOPE_OPENID, - TOKEN_TYPE, - UI_LOCALES, -) from authentik.providers.oauth2.errors import ( AuthorizeError, ClientIdError, diff --git a/authentik/providers/oauth2/views/github.py b/authentik/providers/oauth2/views/github.py index 2ffcd228b1..de72b46b75 100644 --- a/authentik/providers/oauth2/views/github.py +++ b/authentik/providers/oauth2/views/github.py @@ -6,7 +6,7 @@ from django.utils.text import slugify from django.views import View from django.views.decorators.csrf import csrf_exempt -from authentik.providers.oauth2.constants import SCOPE_GITHUB_ORG_READ, SCOPE_GITHUB_USER_EMAIL +from authentik.common.oauth.constants import SCOPE_GITHUB_ORG_READ, SCOPE_GITHUB_USER_EMAIL from authentik.providers.oauth2.models import RefreshToken from authentik.providers.oauth2.utils import protected_resource_view diff --git a/authentik/providers/oauth2/views/provider.py b/authentik/providers/oauth2/views/provider.py index 50620cd3d5..b16113a60b 100644 
--- a/authentik/providers/oauth2/views/provider.py +++ b/authentik/providers/oauth2/views/provider.py @@ -8,9 +8,7 @@ from django.views import View from guardian.shortcuts import get_anonymous_user from structlog.stdlib import get_logger -from authentik.core.expression.exceptions import PropertyMappingExpressionException -from authentik.core.models import Application -from authentik.providers.oauth2.constants import ( +from authentik.common.oauth.constants import ( ACR_AUTHENTIK_DEFAULT, GRANT_TYPE_AUTHORIZATION_CODE, GRANT_TYPE_CLIENT_CREDENTIALS, @@ -22,6 +20,8 @@ from authentik.providers.oauth2.constants import ( PKCE_METHOD_S256, SCOPE_OPENID, ) +from authentik.core.expression.exceptions import PropertyMappingExpressionException +from authentik.core.models import Application from authentik.providers.oauth2.models import ( OAuth2Provider, ResponseMode, diff --git a/authentik/providers/oauth2/views/token.py b/authentik/providers/oauth2/views/token.py index 84fd07cb81..46f35140a2 100644 --- a/authentik/providers/oauth2/views/token.py +++ b/authentik/providers/oauth2/views/token.py @@ -19,6 +19,19 @@ from jwt import PyJWK, PyJWT, PyJWTError, decode from sentry_sdk import start_span from structlog.stdlib import get_logger +from authentik.common.oauth.constants import ( + CLIENT_ASSERTION, + CLIENT_ASSERTION_TYPE, + CLIENT_ASSERTION_TYPE_JWT, + GRANT_TYPE_AUTHORIZATION_CODE, + GRANT_TYPE_CLIENT_CREDENTIALS, + GRANT_TYPE_DEVICE_CODE, + GRANT_TYPE_PASSWORD, + GRANT_TYPE_REFRESH_TOKEN, + PKCE_METHOD_S256, + SCOPE_OFFLINE_ACCESS, + TOKEN_TYPE, +) from authentik.core.middleware import CTX_AUTH_VIA from authentik.core.models import ( USER_ATTRIBUTE_EXPIRES, 
@@ -36,19 +49,6 @@ from authentik.events.signals import get_login_event from authentik.flows.planner import PLAN_CONTEXT_APPLICATION from authentik.lib.utils.time import timedelta_from_string from authentik.policies.engine import PolicyEngine -from authentik.providers.oauth2.constants import ( - CLIENT_ASSERTION, - CLIENT_ASSERTION_TYPE, - CLIENT_ASSERTION_TYPE_JWT, - GRANT_TYPE_AUTHORIZATION_CODE, - GRANT_TYPE_CLIENT_CREDENTIALS, - GRANT_TYPE_DEVICE_CODE, - GRANT_TYPE_PASSWORD, - GRANT_TYPE_REFRESH_TOKEN, - PKCE_METHOD_S256, - SCOPE_OFFLINE_ACCESS, - TOKEN_TYPE, -) from authentik.providers.oauth2.errors import DeviceCodeError, TokenError, UserAuthError from authentik.providers.oauth2.id_token import IDToken from authentik.providers.oauth2.models import ( diff --git a/authentik/providers/oauth2/views/userinfo.py b/authentik/providers/oauth2/views/userinfo.py index 53b66580fa..41b9cbe3fd 100644 --- a/authentik/providers/oauth2/views/userinfo.py +++ b/authentik/providers/oauth2/views/userinfo.py @@ -11,16 +11,16 @@ from django.views import View from django.views.decorators.csrf import csrf_exempt from structlog.stdlib import get_logger -from authentik.core.expression.exceptions import PropertyMappingExpressionException -from authentik.events.models import Event, EventAction -from authentik.flows.challenge import PermissionDict -from authentik.providers.oauth2.constants import ( +from authentik.common.oauth.constants import ( SCOPE_GITHUB_ORG_READ, SCOPE_GITHUB_USER, SCOPE_GITHUB_USER_EMAIL, SCOPE_GITHUB_USER_READ, SCOPE_OPENID, ) +from authentik.core.expression.exceptions import PropertyMappingExpressionException +from authentik.events.models import Event, EventAction +from authentik.flows.challenge import PermissionDict from authentik.providers.oauth2.models import ( BaseGrantModel, OAuth2Provider, diff --git a/authentik/providers/saml/api/providers.py b/authentik/providers/saml/api/providers.py index 61b7d64c18..125c90d532 100644 
--- a/authentik/providers/saml/api/providers.py
+++ b/authentik/providers/saml/api/providers.py
@@ -24,6 +24,7 @@ from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger
 
 from authentik.api.validation import validate
+from authentik.common.saml.constants import SAML_BINDING_POST, SAML_BINDING_REDIRECT
 from authentik.core.api.providers import ProviderSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import PassiveSerializer, PropertyMappingPreviewSerializer
@@ -35,7 +36,6 @@ from authentik.providers.saml.processors.authn_request_parser import AuthNReques
 from authentik.providers.saml.processors.metadata import MetadataProcessor
 from authentik.providers.saml.processors.metadata_parser import ServiceProviderMetadataParser
 from authentik.rbac.decorators import permission_required
-from authentik.sources.saml.processors.constants import SAML_BINDING_POST, SAML_BINDING_REDIRECT
 
 LOGGER = get_logger()
 
diff --git a/authentik/providers/saml/migrations/0009_auto_20201112_2016.py b/authentik/providers/saml/migrations/0009_auto_20201112_2016.py
index cd794b4fee..93eed5e046 100644
--- a/authentik/providers/saml/migrations/0009_auto_20201112_2016.py
+++ b/authentik/providers/saml/migrations/0009_auto_20201112_2016.py
@@ -4,7 +4,7 @@ from django.apps.registry import Apps
 from django.db import migrations, models
 from django.db.backends.base.schema import BaseDatabaseSchemaEditor
 
-from authentik.sources.saml.processors import constants
+from authentik.common.saml import constants
 
 
 def update_algorithms(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
diff --git a/authentik/providers/saml/models.py b/authentik/providers/saml/models.py
index 2448a6d4dd..20f9532bd5 100644
--- a/authentik/providers/saml/models.py
+++ b/authentik/providers/saml/models.py
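Review bot: The migration `0009_auto_20201112_2016.py` keeps importing the live `constants` module (now `authentik.common.saml`) instead of freezing the values it needs, so a future edit to those constants silently changes what this historical migration does on fresh databases, and any later move of the module breaks the migration again, exactly as this commit had to fix. `update_algorithms` continues below the hunk, so which names it reads is not visible here; copying those algorithm URIs into the migration as module-level literals would decouple it from the package layout. This is pre-existing rather than introduced by the change.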
@@ -9,19 +9,7 @@ from django.utils.translation import gettext_lazy as _ from rest_framework.serializers import Serializer from structlog.stdlib import get_logger -from authentik.core.api.object_types import CreatableType -from authentik.core.models import ( - AuthenticatedSession, - ExpiringModel, - PropertyMapping, - Provider, - User, -) -from authentik.crypto.models import CertificateKeyPair -from authentik.lib.models import DomainlessURLValidator, InternallyManagedMixin, SerializerModel -from authentik.lib.utils.time import timedelta_string_validator -from authentik.sources.saml.models import SAMLNameIDPolicy -from authentik.sources.saml.processors.constants import ( +from authentik.common.saml.constants import ( DSA_SHA1, ECDSA_SHA1, ECDSA_SHA256, @@ -36,6 +24,18 @@ from authentik.sources.saml.processors.constants import ( SHA384, SHA512, ) +from authentik.core.api.object_types import CreatableType +from authentik.core.models import ( + AuthenticatedSession, + ExpiringModel, + PropertyMapping, + Provider, + User, +) +from authentik.crypto.models import CertificateKeyPair +from authentik.lib.models import DomainlessURLValidator, InternallyManagedMixin, SerializerModel +from authentik.lib.utils.time import timedelta_string_validator +from authentik.sources.saml.models import SAMLNameIDPolicy LOGGER = get_logger() diff --git a/authentik/providers/saml/processors/assertion.py b/authentik/providers/saml/processors/assertion.py index b3e0733388..ac0248b93b 100644 --- a/authentik/providers/saml/processors/assertion.py +++ b/authentik/providers/saml/processors/assertion.py 
@@ -11,6 +11,19 @@ from lxml import etree # nosec from lxml.etree import Element, SubElement, _Element # nosec from structlog.stdlib import get_logger +from authentik.common.saml.constants import ( + DIGEST_ALGORITHM_TRANSLATION_MAP, + NS_MAP, + NS_SAML_ASSERTION, + NS_SAML_PROTOCOL, + SAML_NAME_ID_FORMAT_EMAIL, + SAML_NAME_ID_FORMAT_PERSISTENT, + SAML_NAME_ID_FORMAT_TRANSIENT, + SAML_NAME_ID_FORMAT_UNSPECIFIED, + SAML_NAME_ID_FORMAT_WINDOWS, + SAML_NAME_ID_FORMAT_X509, + SIGN_ALGORITHM_TRANSFORM_MAP, +) from authentik.core.expression.exceptions import PropertyMappingExpressionException from authentik.events.models import Event, EventAction from authentik.events.signals import get_login_event @@ -26,19 +39,6 @@ from authentik.sources.saml.exceptions import ( InvalidSignature, UnsupportedNameIDFormat, ) -from authentik.sources.saml.processors.constants import ( - DIGEST_ALGORITHM_TRANSLATION_MAP, - NS_MAP, - NS_SAML_ASSERTION, - NS_SAML_PROTOCOL, - SAML_NAME_ID_FORMAT_EMAIL, - SAML_NAME_ID_FORMAT_PERSISTENT, - SAML_NAME_ID_FORMAT_TRANSIENT, - SAML_NAME_ID_FORMAT_UNSPECIFIED, - SAML_NAME_ID_FORMAT_WINDOWS, - SAML_NAME_ID_FORMAT_X509, - SIGN_ALGORITHM_TRANSFORM_MAP, -) from authentik.stages.password.stage import PLAN_CONTEXT_METHOD, PLAN_CONTEXT_METHOD_ARGS LOGGER = get_logger() diff --git a/authentik/providers/saml/processors/authn_request_parser.py b/authentik/providers/saml/processors/authn_request_parser.py index 30d3492b0d..13dbcade6a 100644 --- a/authentik/providers/saml/processors/authn_request_parser.py +++ b/authentik/providers/saml/processors/authn_request_parser.py 
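Review bot: The provider-side `assertion.py` still imports `InvalidSignature` and `UnsupportedNameIDFormat` from `authentik.sources.saml.exceptions` (the `from authentik.sources.saml.exceptions import (` context at the top of the second hunk), so the providers→sources coupling this commit removes for the constants remains for the exception types. If `authentik.common.saml` is meant to hold what both halves share, these exceptions look like the natural next candidates, with a re-export left in `authentik.sources.saml.exceptions` for any caller that catches them by the old path. The import list they belong to starts above the hunk, so there may be more names in the same situation.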
@@ -9,12 +9,7 @@ import xmlsec from defusedxml import ElementTree from structlog.stdlib import get_logger -from authentik.lib.xml import lxml_from_string -from authentik.providers.saml.exceptions import CannotHandleAssertion -from authentik.providers.saml.models import SAMLProvider -from authentik.providers.saml.utils.encoding import decode_base64_and_inflate -from authentik.sources.saml.models import SAMLNameIDPolicy -from authentik.sources.saml.processors.constants import ( +from authentik.common.saml.constants import ( DSA_SHA1, NS_MAP, NS_SAML_PROTOCOL, @@ -24,6 +19,11 @@ from authentik.sources.saml.processors.constants import ( RSA_SHA512, SAML_NAME_ID_FORMAT_UNSPECIFIED, ) +from authentik.lib.xml import lxml_from_string +from authentik.providers.saml.exceptions import CannotHandleAssertion +from authentik.providers.saml.models import SAMLProvider +from authentik.providers.saml.utils.encoding import decode_base64_and_inflate +from authentik.sources.saml.models import SAMLNameIDPolicy ERROR_CANNOT_DECODE_REQUEST = "Cannot decode SAML request." ERROR_SIGNATURE_REQUIRED_BUT_ABSENT = ( diff --git a/authentik/providers/saml/processors/logout_request.py b/authentik/providers/saml/processors/logout_request.py index 9c7506b57b..1f7114db1f 100644 --- a/authentik/providers/saml/processors/logout_request.py +++ b/authentik/providers/saml/processors/logout_request.py 
@@ -7,13 +7,7 @@ import xmlsec from lxml import etree # nosec from lxml.etree import Element, _Element -from authentik.core.models import User -from authentik.lib.xml import remove_xml_newlines -from authentik.providers.saml.models import SAMLProvider -from authentik.providers.saml.utils import get_random_id -from authentik.providers.saml.utils.encoding import deflate_and_base64_encode -from authentik.providers.saml.utils.time import get_time_string -from authentik.sources.saml.processors.constants import ( +from authentik.common.saml.constants import ( DIGEST_ALGORITHM_TRANSLATION_MAP, NS_MAP, NS_SAML_ASSERTION, @@ -21,6 +15,12 @@ from authentik.sources.saml.processors.constants import ( SAML_NAME_ID_FORMAT_EMAIL, SIGN_ALGORITHM_TRANSFORM_MAP, ) +from authentik.core.models import User +from authentik.lib.xml import remove_xml_newlines +from authentik.providers.saml.models import SAMLProvider +from authentik.providers.saml.utils import get_random_id +from authentik.providers.saml.utils.encoding import deflate_and_base64_encode +from authentik.providers.saml.utils.time import get_time_string class LogoutRequestProcessor: diff --git a/authentik/providers/saml/processors/logout_request_parser.py b/authentik/providers/saml/processors/logout_request_parser.py index 23d40fd984..401804825c 100644 --- a/authentik/providers/saml/processors/logout_request_parser.py +++ b/authentik/providers/saml/processors/logout_request_parser.py 
@@ -5,11 +5,11 @@ from dataclasses import dataclass
 
 from defusedxml import ElementTree
 
+from authentik.common.saml.constants import NS_SAML_ASSERTION, NS_SAML_PROTOCOL
 from authentik.providers.saml.exceptions import CannotHandleAssertion
 from authentik.providers.saml.models import SAMLProvider
 from authentik.providers.saml.processors.authn_request_parser import ERROR_CANNOT_DECODE_REQUEST
 from authentik.providers.saml.utils.encoding import decode_base64_and_inflate
-from authentik.sources.saml.processors.constants import NS_SAML_ASSERTION, NS_SAML_PROTOCOL
 
 
 @dataclass(slots=True)
diff --git a/authentik/providers/saml/processors/metadata.py b/authentik/providers/saml/processors/metadata.py
index e68041c152..f7e694045d 100644
--- a/authentik/providers/saml/processors/metadata.py
+++ b/authentik/providers/saml/processors/metadata.py
@@ -8,10 +8,7 @@ from django.http import HttpRequest
 from django.urls import reverse
 from lxml.etree import Element, SubElement, _Element, tostring # nosec
 
-from authentik.lib.xml import remove_xml_newlines
-from authentik.providers.saml.models import SAMLProvider
-from authentik.providers.saml.utils.encoding import strip_pem_header
-from authentik.sources.saml.processors.constants import (
+from authentik.common.saml.constants import (
 DIGEST_ALGORITHM_TRANSLATION_MAP,
 NS_MAP,
 NS_SAML_METADATA,
@@ -25,6 +22,9 @@ from authentik.sources.saml.processors.constants import (
 SAML_NAME_ID_FORMAT_X509,
 SIGN_ALGORITHM_TRANSFORM_MAP,
 )
+from authentik.lib.xml import remove_xml_newlines
+from authentik.providers.saml.models import SAMLProvider
+from authentik.providers.saml.utils.encoding import strip_pem_header
 
 
 class MetadataProcessor:
@@ -9,16 +9,16 @@ from defusedxml.lxml import fromstring from lxml import etree # nosec from structlog.stdlib import get_logger -from authentik.crypto.models import CertificateKeyPair, format_cert -from authentik.flows.models import Flow -from authentik.providers.saml.models import SAMLBindings, SAMLPropertyMapping, SAMLProvider -from authentik.sources.saml.models import SAMLNameIDPolicy -from authentik.sources.saml.processors.constants import ( +from authentik.common.saml.constants import ( NS_MAP, NS_SAML_METADATA, SAML_BINDING_POST, SAML_BINDING_REDIRECT, ) +from authentik.crypto.models import CertificateKeyPair, format_cert +from authentik.flows.models import Flow +from authentik.providers.saml.models import SAMLBindings, SAMLPropertyMapping, SAMLProvider +from authentik.sources.saml.models import SAMLNameIDPolicy LOGGER = get_logger() diff --git a/authentik/providers/saml/tests/test_auth_n_request.py b/authentik/providers/saml/tests/test_auth_n_request.py index 36e329c8ef..d874801b2e 100644 --- a/authentik/providers/saml/tests/test_auth_n_request.py +++ b/authentik/providers/saml/tests/test_auth_n_request.py @@ -9,6 +9,12 @@ from guardian.utils import get_anonymous_user from lxml import etree # nosec from authentik.blueprints.tests import apply_blueprint +from authentik.common.saml.constants import ( + NS_MAP, + SAML_BINDING_POST, + SAML_NAME_ID_FORMAT_EMAIL, + SAML_NAME_ID_FORMAT_UNSPECIFIED, +) from authentik.core.tests.utils import ( RequestFactory, create_test_admin_user, 
@@ -24,12 +30,6 @@ from authentik.providers.saml.processors.assertion import AssertionProcessor
 from authentik.providers.saml.processors.authn_request_parser import AuthNRequestParser
 from authentik.sources.saml.exceptions import MismatchedRequestID
 from authentik.sources.saml.models import SAMLSource
-from authentik.sources.saml.processors.constants import (
- NS_MAP,
- SAML_BINDING_POST,
- SAML_NAME_ID_FORMAT_EMAIL,
- SAML_NAME_ID_FORMAT_UNSPECIFIED,
-)
 from authentik.sources.saml.processors.request import SESSION_KEY_REQUEST_ID, RequestProcessor
 from authentik.sources.saml.processors.response import ResponseProcessor
 
diff --git a/authentik/providers/saml/tests/test_idp_logout.py b/authentik/providers/saml/tests/test_idp_logout.py
index e77c1cb5b8..3ccb6d2761 100644
--- a/authentik/providers/saml/tests/test_idp_logout.py
+++ b/authentik/providers/saml/tests/test_idp_logout.py
@@ -5,6 +5,10 @@ from unittest.mock import Mock
 
 from django.test import RequestFactory, TestCase
 
+from authentik.common.saml.constants import (
+ RSA_SHA256,
+ SAML_NAME_ID_FORMAT_EMAIL,
+)
 from authentik.core.tests.utils import create_test_flow
 from authentik.flows.planner import FlowPlan
 from authentik.flows.tests import FlowTestCase
@@ -22,10 +26,6 @@ from authentik.providers.saml.views.flows import (
 PLAN_CONTEXT_SAML_LOGOUT_IFRAME_SESSIONS,
 PLAN_CONTEXT_SAML_LOGOUT_NATIVE_SESSIONS,
 )
-from authentik.sources.saml.processors.constants import (
- RSA_SHA256,
- SAML_NAME_ID_FORMAT_EMAIL,
-)
 
 
 class TestNativeLogoutStageView(TestCase):
@@ -295,7 +295,7 @@ class TestIframeLogoutStageView(TestCase):
 },
 ]
 # OIDC sessions (pre-processed)
-from authentik.providers.oauth2.constants import PLAN_CONTEXT_OIDC_LOGOUT_IFRAME_SESSIONS
+from authentik.common.oauth.constants import PLAN_CONTEXT_OIDC_LOGOUT_IFRAME_SESSIONS
 
 plan.context[PLAN_CONTEXT_OIDC_LOGOUT_IFRAME_SESSIONS] = [
 {
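Review bot: The rewritten import on the `+from authentik.common.oauth.constants import PLAN_CONTEXT_OIDC_LOGOUT_IFRAME_SESSIONS` line is still placed inside the test method; the function-scope placement presumably existed to keep `authentik.providers.oauth2` out of this module's import time, and now that the name lives in the leaf constants module it can move up to the module-level block next to the `from authentik.common.saml.constants import (` import this file's first hunk adds. Leaving it local also hides the dependency from the import sorter and from anyone scanning the header. The enclosing test method starts outside the hunk.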
diff --git a/authentik/providers/saml/tests/test_logout_processor_and_parser.py b/authentik/providers/saml/tests/test_logout_processor_and_parser.py index cdc0dfc680..954bb55179 100644 --- a/authentik/providers/saml/tests/test_logout_processor_and_parser.py +++ b/authentik/providers/saml/tests/test_logout_processor_and_parser.py @@ -4,14 +4,14 @@ from urllib.parse import parse_qs, urlparse from django.test import TestCase +from authentik.common.saml.constants import ( + RSA_SHA256, + SAML_NAME_ID_FORMAT_EMAIL, +) from authentik.core.tests.utils import create_test_cert, create_test_flow from authentik.providers.saml.models import SAMLProvider from authentik.providers.saml.processors.logout_request import LogoutRequestProcessor from authentik.providers.saml.processors.logout_request_parser import LogoutRequestParser -from authentik.sources.saml.processors.constants import ( - RSA_SHA256, - SAML_NAME_ID_FORMAT_EMAIL, -) class TestLogoutIntegration(TestCase): diff --git a/authentik/providers/saml/tests/test_logout_request_parser.py b/authentik/providers/saml/tests/test_logout_request_parser.py index 524fdf93b0..20626cd0d6 100644 --- a/authentik/providers/saml/tests/test_logout_request_parser.py +++ b/authentik/providers/saml/tests/test_logout_request_parser.py @@ -3,11 +3,11 @@ from django.test import TestCase from authentik.blueprints.tests import apply_blueprint +from authentik.common.saml.constants import SAML_NAME_ID_FORMAT_TRANSIENT from authentik.core.tests.utils import create_test_cert, create_test_flow from authentik.providers.saml.models import SAMLPropertyMapping, SAMLProvider from authentik.providers.saml.processors.logout_request_parser import LogoutRequestParser from authentik.sources.saml.models import SAMLSource -from authentik.sources.saml.processors.constants import SAML_NAME_ID_FORMAT_TRANSIENT GET_LOGOUT_REQUEST = ( "lJLNauMwEMdfRejuSJbtEIvYsBAWDNlltyk99DaxJ41AllzNGNq3L3Z7CD0EehJo5vf/ENoTjH6yx/gSZ37A1xmJxdvo" 
diff --git a/authentik/providers/saml/tests/test_logout_request_processor.py b/authentik/providers/saml/tests/test_logout_request_processor.py index 3af7fd3b8f..c73e53402b 100644 --- a/authentik/providers/saml/tests/test_logout_request_processor.py +++ b/authentik/providers/saml/tests/test_logout_request_processor.py @@ -7,16 +7,16 @@ from urllib.parse import parse_qs, urlparse from django.test import TestCase from lxml import etree -from authentik.core.tests.utils import create_test_cert, create_test_flow -from authentik.providers.saml.models import SAMLProvider -from authentik.providers.saml.processors.logout_request import LogoutRequestProcessor -from authentik.sources.saml.processors.constants import ( +from authentik.common.saml.constants import ( NS_MAP, NS_SAML_ASSERTION, NS_SAML_PROTOCOL, RSA_SHA256, SAML_NAME_ID_FORMAT_EMAIL, ) +from authentik.core.tests.utils import create_test_cert, create_test_flow +from authentik.providers.saml.models import SAMLProvider +from authentik.providers.saml.processors.logout_request import LogoutRequestProcessor class TestLogoutRequestProcessor(TestCase): diff --git a/authentik/providers/saml/tests/test_metadata.py b/authentik/providers/saml/tests/test_metadata.py index 8cf3f59e03..ab70f7f09a 100644 --- a/authentik/providers/saml/tests/test_metadata.py +++ b/authentik/providers/saml/tests/test_metadata.py @@ -5,6 +5,7 @@ from defusedxml.lxml import fromstring from django.test import RequestFactory, TestCase from lxml import etree # nosec +from authentik.common.saml.constants import ECDSA_SHA256, NS_MAP, NS_SAML_METADATA from authentik.core.models import Application from authentik.core.tests.utils import create_test_cert, create_test_flow from authentik.crypto.builder import PrivateKeyAlg 
@@ -15,7 +16,6 @@ from authentik.providers.saml.models import SAMLBindings, SAMLPropertyMapping, S from authentik.providers.saml.processors.metadata import MetadataProcessor from authentik.providers.saml.processors.metadata_parser import ServiceProviderMetadataParser from authentik.sources.saml.models import SAMLNameIDPolicy -from authentik.sources.saml.processors.constants import ECDSA_SHA256, NS_MAP, NS_SAML_METADATA class TestServiceProviderMetadataParser(TestCase): diff --git a/authentik/providers/saml/tests/test_models_session.py b/authentik/providers/saml/tests/test_models_session.py index 8496fa6df3..be53d87575 100644 --- a/authentik/providers/saml/tests/test_models_session.py +++ b/authentik/providers/saml/tests/test_models_session.py @@ -6,14 +6,14 @@ from django.db import IntegrityError from django.test import TestCase from django.utils import timezone +from authentik.common.saml.constants import ( + SAML_NAME_ID_FORMAT_EMAIL, +) from authentik.core.models import AuthenticatedSession, Session, User from authentik.core.tests.utils import create_test_flow from authentik.lib.generators import generate_id from authentik.providers.saml.api.sessions import SAMLSessionSerializer from authentik.providers.saml.models import SAMLProvider, SAMLSession -from authentik.sources.saml.processors.constants import ( - SAML_NAME_ID_FORMAT_EMAIL, -) class TestSAMLSessionModel(TestCase): diff --git a/authentik/providers/saml/tests/test_views_sp_slo.py b/authentik/providers/saml/tests/test_views_sp_slo.py index 0dc1472d06..59f450de1c 100644 --- a/authentik/providers/saml/tests/test_views_sp_slo.py +++ b/authentik/providers/saml/tests/test_views_sp_slo.py 
@@ -6,6 +6,7 @@ from django.http import Http404 from django.test import RequestFactory, TestCase from django.urls import reverse +from authentik.common.saml.constants import SAML_NAME_ID_FORMAT_EMAIL from authentik.core.models import Application from authentik.core.tests.utils import create_test_brand, create_test_flow from authentik.flows.planner import FlowPlan @@ -18,7 +19,6 @@ from authentik.providers.saml.views.sp_slo import ( SPInitiatedSLOBindingPOSTView, SPInitiatedSLOBindingRedirectView, ) -from authentik.sources.saml.processors.constants import SAML_NAME_ID_FORMAT_EMAIL class TestSPInitiatedSLOViews(TestCase): diff --git a/authentik/sources/saml/migrations/0001_squashed_0009_auto_20210301_0949.py b/authentik/sources/saml/migrations/0001_squashed_0009_auto_20210301_0949.py index 730e64fcd8..9178bc33aa 100644 --- a/authentik/sources/saml/migrations/0001_squashed_0009_auto_20210301_0949.py +++ b/authentik/sources/saml/migrations/0001_squashed_0009_auto_20210301_0949.py @@ -6,7 +6,7 @@ from django.db import migrations, models from django.db.backends.base.schema import BaseDatabaseSchemaEditor import authentik.lib.utils.time -from authentik.sources.saml.processors import constants +from authentik.common.saml import constants def update_algorithms(apps: Apps, schema_editor: BaseDatabaseSchemaEditor): diff --git a/authentik/sources/saml/models.py b/authentik/sources/saml/models.py index 50fbc7f4ec..47f992273e 100644 --- a/authentik/sources/saml/models.py +++ b/authentik/sources/saml/models.py 
@@ -9,20 +9,7 @@ from django.urls import reverse from django.utils.translation import gettext_lazy as _ from rest_framework.serializers import Serializer -from authentik.core.models import ( - GroupSourceConnection, - PropertyMapping, - Source, - UserSourceConnection, -) -from authentik.core.types import UILoginButton, UserSettingSerializer -from authentik.crypto.models import CertificateKeyPair -from authentik.flows.challenge import RedirectChallenge -from authentik.flows.models import Flow -from authentik.lib.expression.evaluator import BaseEvaluator -from authentik.lib.models import DomainlessURLValidator -from authentik.lib.utils.time import timedelta_string_validator -from authentik.sources.saml.processors.constants import ( +from authentik.common.saml.constants import ( DSA_SHA1, ECDSA_SHA1, ECDSA_SHA256, @@ -47,6 +34,19 @@ from authentik.sources.saml.processors.constants import ( SHA384, SHA512, ) +from authentik.core.models import ( + GroupSourceConnection, + PropertyMapping, + Source, + UserSourceConnection, +) +from authentik.core.types import UILoginButton, UserSettingSerializer +from authentik.crypto.models import CertificateKeyPair +from authentik.flows.challenge import RedirectChallenge +from authentik.flows.models import Flow +from authentik.lib.expression.evaluator import BaseEvaluator +from authentik.lib.models import DomainlessURLValidator +from authentik.lib.utils.time import timedelta_string_validator class SAMLBindingTypes(models.TextChoices): diff --git a/authentik/sources/saml/processors/metadata.py b/authentik/sources/saml/processors/metadata.py index 134b4ea7bc..de3ab26235 100644 --- a/authentik/sources/saml/processors/metadata.py +++ b/authentik/sources/saml/processors/metadata.py 
@@ -3,14 +3,14 @@ from django.http import HttpRequest from lxml.etree import Element, SubElement, tostring # nosec -from authentik.providers.saml.utils.encoding import strip_pem_header -from authentik.sources.saml.models import SAMLSource -from authentik.sources.saml.processors.constants import ( +from authentik.common.saml.constants import ( NS_MAP, NS_SAML_METADATA, NS_SIGNATURE, SAML_BINDING_POST, ) +from authentik.providers.saml.utils.encoding import strip_pem_header +from authentik.sources.saml.models import SAMLSource class MetadataProcessor: diff --git a/authentik/sources/saml/processors/request.py b/authentik/sources/saml/processors/request.py index 9e290f9afb..265ac242e3 100644 --- a/authentik/sources/saml/processors/request.py +++ b/authentik/sources/saml/processors/request.py @@ -8,12 +8,7 @@ from django.http import HttpRequest from lxml import etree # nosec from lxml.etree import Element # nosec -from authentik.lib.xml import remove_xml_newlines -from authentik.providers.saml.utils import get_random_id -from authentik.providers.saml.utils.encoding import deflate_and_base64_encode -from authentik.providers.saml.utils.time import get_time_string -from authentik.sources.saml.models import SAMLSource -from authentik.sources.saml.processors.constants import ( +from authentik.common.saml.constants import ( DIGEST_ALGORITHM_TRANSLATION_MAP, NS_MAP, NS_SAML_ASSERTION, @@ -21,6 +16,11 @@ from authentik.sources.saml.processors.constants import ( SAML_BINDING_POST, SIGN_ALGORITHM_TRANSFORM_MAP, ) +from authentik.lib.xml import remove_xml_newlines +from authentik.providers.saml.utils import get_random_id +from authentik.providers.saml.utils.encoding import deflate_and_base64_encode +from authentik.providers.saml.utils.time import get_time_string +from authentik.sources.saml.models import SAMLSource SESSION_KEY_REQUEST_ID = "authentik/sources/saml/request_id" 
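Review bot: `sources/saml/processors/request.py` still imports `get_random_id`, `deflate_and_base64_encode` and `get_time_string` from `authentik.providers.saml.utils...` (the three `+from authentik.providers.saml.utils` lines), so the source package keeps a hard dependency on the provider package after the constants have been split out; `strip_pem_header` in the `metadata.py` hunk above is in the same position. If the purpose of `authentik.common` is to remove that coupling, these helpers belong next to the constants, for example under `authentik.common.saml.utils`, with the provider modules re-exporting them for compatibility. This is a follow-up rather than a defect in the hunk itself.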
diff --git a/authentik/sources/saml/processors/response.py b/authentik/sources/saml/processors/response.py index 83a49c9c68..a476c3b3b7 100644 --- a/authentik/sources/saml/processors/response.py +++ b/authentik/sources/saml/processors/response.py @@ -14,6 +14,16 @@ from lxml import etree # nosec from lxml.etree import _Element # nosec from structlog.stdlib import get_logger +from authentik.common.saml.constants import ( + NS_MAP, + NS_SAML_ASSERTION, + NS_SAML_PROTOCOL, + SAML_NAME_ID_FORMAT_EMAIL, + SAML_NAME_ID_FORMAT_PERSISTENT, + SAML_NAME_ID_FORMAT_TRANSIENT, + SAML_NAME_ID_FORMAT_WINDOWS, + SAML_NAME_ID_FORMAT_X509, +) from authentik.core.models import ( USER_ATTRIBUTE_DELETE_ON_LOGOUT, USER_ATTRIBUTE_EXPIRES, @@ -35,16 +45,6 @@ from authentik.sources.saml.models import ( SAMLSource, UserSAMLSourceConnection, ) -from authentik.sources.saml.processors.constants import ( - NS_MAP, - NS_SAML_ASSERTION, - NS_SAML_PROTOCOL, - SAML_NAME_ID_FORMAT_EMAIL, - SAML_NAME_ID_FORMAT_PERSISTENT, - SAML_NAME_ID_FORMAT_TRANSIENT, - SAML_NAME_ID_FORMAT_WINDOWS, - SAML_NAME_ID_FORMAT_X509, -) from authentik.sources.saml.processors.request import SESSION_KEY_REQUEST_ID LOGGER = get_logger() diff --git a/authentik/sources/saml/tests/test_property_mappings.py b/authentik/sources/saml/tests/test_property_mappings.py index 2d8f769f5a..9bb530619b 100644 --- a/authentik/sources/saml/tests/test_property_mappings.py +++ b/authentik/sources/saml/tests/test_property_mappings.py 
@@ -5,11 +5,11 @@ from base64 import b64encode from defusedxml.lxml import fromstring from django.test import TestCase +from authentik.common.saml.constants import NS_SAML_ASSERTION from authentik.core.tests.utils import RequestFactory, create_test_flow from authentik.lib.generators import generate_id from authentik.lib.tests.utils import load_fixture from authentik.sources.saml.models import SAMLSource, SAMLSourcePropertyMapping -from authentik.sources.saml.processors.constants import NS_SAML_ASSERTION from authentik.sources.saml.processors.response import ResponseProcessor ROOT = fromstring(load_fixture("fixtures/response_success.xml").encode()) diff --git a/tests/e2e/test_provider_oauth2_grafana.py b/tests/e2e/test_provider_oauth2_grafana.py index bd540b7350..b8a4b07d23 100644 --- a/tests/e2e/test_provider_oauth2_grafana.py +++ b/tests/e2e/test_provider_oauth2_grafana.py @@ -8,6 +8,12 @@ from selenium.webdriver.common.by import By from selenium.webdriver.support import expected_conditions as ec from authentik.blueprints.tests import apply_blueprint, reconcile_app +from authentik.common.oauth.constants import ( + SCOPE_OFFLINE_ACCESS, + SCOPE_OPENID, + SCOPE_OPENID_EMAIL, + SCOPE_OPENID_PROFILE, +) from authentik.core.models import Application from authentik.core.tests.utils import create_test_cert from authentik.flows.models import Flow @@ -15,12 +21,6 @@ from authentik.lib.generators import generate_id, generate_key from authentik.policies.apps import BufferedPolicyAccessViewFlag from authentik.policies.expression.models import ExpressionPolicy from authentik.policies.models import PolicyBinding -from authentik.providers.oauth2.constants import ( - SCOPE_OFFLINE_ACCESS, - SCOPE_OPENID, - SCOPE_OPENID_EMAIL, - SCOPE_OPENID_PROFILE, -) from authentik.providers.oauth2.models import ( ClientTypes, OAuth2Provider, diff --git a/tests/e2e/test_provider_oidc.py b/tests/e2e/test_provider_oidc.py index 05a0023201..dc54048da3 100644 --- a/tests/e2e/test_provider_oidc.py 
+++ b/tests/e2e/test_provider_oidc.py @@ -7,18 +7,18 @@ from selenium.webdriver.common.by import By from selenium.webdriver.support import expected_conditions as ec from authentik.blueprints.tests import apply_blueprint, reconcile_app +from authentik.common.oauth.constants import ( + SCOPE_OFFLINE_ACCESS, + SCOPE_OPENID, + SCOPE_OPENID_EMAIL, + SCOPE_OPENID_PROFILE, +) from authentik.core.models import Application from authentik.core.tests.utils import create_test_cert from authentik.flows.models import Flow from authentik.lib.generators import generate_id, generate_key from authentik.policies.expression.models import ExpressionPolicy from authentik.policies.models import PolicyBinding -from authentik.providers.oauth2.constants import ( - SCOPE_OFFLINE_ACCESS, - SCOPE_OPENID, - SCOPE_OPENID_EMAIL, - SCOPE_OPENID_PROFILE, -) from authentik.providers.oauth2.models import ( ClientTypes, OAuth2Provider, diff --git a/tests/e2e/test_provider_oidc_implicit.py b/tests/e2e/test_provider_oidc_implicit.py index 9394c9aad2..7301868710 100644 --- a/tests/e2e/test_provider_oidc_implicit.py +++ b/tests/e2e/test_provider_oidc_implicit.py 
@@ -7,18 +7,18 @@ from selenium.webdriver.common.by import By from selenium.webdriver.support import expected_conditions as ec from authentik.blueprints.tests import apply_blueprint, reconcile_app +from authentik.common.oauth.constants import ( + SCOPE_OFFLINE_ACCESS, + SCOPE_OPENID, + SCOPE_OPENID_EMAIL, + SCOPE_OPENID_PROFILE, +) from authentik.core.models import Application from authentik.core.tests.utils import create_test_cert from authentik.flows.models import Flow from authentik.lib.generators import generate_id, generate_key from authentik.policies.expression.models import ExpressionPolicy from authentik.policies.models import PolicyBinding -from authentik.providers.oauth2.constants import ( - SCOPE_OFFLINE_ACCESS, - SCOPE_OPENID, - SCOPE_OPENID_EMAIL, - SCOPE_OPENID_PROFILE, -) from authentik.providers.oauth2.models import ( ClientTypes, OAuth2Provider, diff --git a/tests/e2e/test_provider_saml.py b/tests/e2e/test_provider_saml.py index f4d6bacb25..60c3472086 100644 --- a/tests/e2e/test_provider_saml.py +++ b/tests/e2e/test_provider_saml.py @@ -8,6 +8,7 @@ from selenium.webdriver.common.by import By from selenium.webdriver.support import expected_conditions as ec from authentik.blueprints.tests import apply_blueprint, reconcile_app +from authentik.common.saml.constants import SAML_BINDING_POST from authentik.core.models import Application from authentik.core.tests.utils import create_test_cert from authentik.flows.models import Flow @@ -16,7 +17,6 @@ from authentik.policies.apps import BufferedPolicyAccessViewFlag from authentik.policies.expression.models import ExpressionPolicy from authentik.policies.models import PolicyBinding from authentik.providers.saml.models import SAMLBindings, SAMLPropertyMapping, SAMLProvider -from authentik.sources.saml.processors.constants import SAML_BINDING_POST from authentik.tenants.flags import patch_flag from tests.e2e.utils import SeleniumTestCase, retry