Merge branch 'master' into dependabot/go_modules/github.com/PuerkitoB…

…io/goquery-1.10.0

go.mod

@@ -20,11 +20,11 @@ require (
 	github.com/marshallbrekka/go-u2fhost v0.0.0-20210111072507-3ccdec8c8105
 	github.com/mitchellh/go-homedir v1.1.0
 	github.com/pkg/errors v0.9.1
-	github.com/playwright-community/playwright-go v0.4700.0
+	github.com/playwright-community/playwright-go v0.4702.0
 	github.com/sirupsen/logrus v1.9.3
 	github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966
 	github.com/stretchr/testify v1.9.0
-	github.com/tidwall/gjson v1.17.3
+	github.com/tidwall/gjson v1.18.0
 	github.com/trimble-oss/go-webauthn-client v0.3.0
 	golang.org/x/net v0.29.0
 	gopkg.in/ini.v1 v1.67.0

go.sum

@@ -138,8 +138,8 @@ github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/9
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/playwright-community/playwright-go v0.4700.0 h1:Eee2aPPLSgrEbaEZwUVfuczqjCITVf1cEl6EYqh2FI0=
-github.com/playwright-community/playwright-go v0.4700.0/go.mod h1:bpArn5TqNzmP0jroCgw4poSOG9gSeQg490iLqWAaa7w=
+github.com/playwright-community/playwright-go v0.4702.0 h1:3CwNpk4RoA42tyhmlgPDMxYEYtMydaeEqMYiW0RNlSY=
+github.com/playwright-community/playwright-go v0.4702.0/go.mod h1:bpArn5TqNzmP0jroCgw4poSOG9gSeQg490iLqWAaa7w=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
@@ -179,8 +179,8 @@ github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-github.com/tidwall/gjson v1.17.3 h1:bwWLZU7icoKRG+C+0PNwIKC6FCJO/Q3p2pZvuP0jN94=
-github.com/tidwall/gjson v1.17.3/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
+github.com/tidwall/gjson v1.18.0 h1:FIDeeyB800efLX89e5a8Y0BNH+LOngJyGrIWxG2FKQY=
+github.com/tidwall/gjson v1.18.0/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
 github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA=
 github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM=
 github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=

pkg/provider/authentik/authentik.go

@@ -156,11 +156,12 @@ func (kc *Client) queryNext(ctx *authentikContext) (bool, string, error) {
 	if err != nil {
 		return false, "", err
 	}
-	if payload.isTypeRedirect() {
+
+	if payload.isTypeRedirect() || payload.isComponentFlowRedirect() {
 		// login success if there is a redirect
 		logger.Debug("Login success, redirect to saml response")
 		return false, payload.RedirectTo, nil
-	} else if !payload.isTypeNative() {
+	} else if !payload.isTypeNative() && !payload.isTypeEmpty() {
 		return false, "", errors.New("Unknown type: " + payload.Type)
 	}
 

pkg/provider/authentik/authentik_test.go

@@ -318,3 +318,215 @@ func Test_authWithCombinedUsernamePassword(t *testing.T) {
 	assert.Nil(err)
 	assert.Equal(result, samlResponse)
 }
+
+// Test_simplifiedFlowAuthWithSeperatedUsernamePassword Password only if username/email verified
+func Test_simplifiedFlowAuthWithSeperatedUsernamePassword(t *testing.T) {
+	defer gock.Off()
+	samlResponse := "PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm46b2FzaX"
+	gock.New("http://127.0.0.1").
+		Get("/application/saml/aws/sso/binding/init").
+		Reply(302).
+		SetHeader("Set-Cookie", "[authentik_session=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzaWQiOiJ6cHI3NGdzMjNnOGNqbmF1bXNheGQ1dXVrc2VtZGZpNyIsImlzcyI6ImF1dGhlbnRpayIsInN1YiI6ImFub255bW91cyIsImF1dGhlbnRpY2F0ZWQiOmZhbHNlLCJhY3IiOiJnb2F1dGhlbnRpay5pby9jb3JlL2RlZmF1bHQifQ.zNiX4pk6G9ABeDip0PLs8-0irm2aQ_Arr_RgTxTGCQM; HttpOnly; Path=/; SameSite=None; Secure]").
+		SetHeader("Location", "/flows/-/default/authentication/?next=/application/saml/aws/sso/binding/init/")
+
+	gock.New("http://127.0.0.1").
+		Get("/flows/-/default/authentication").
+		Reply(302).
+		SetHeader("Location", "/if/flow/default-authentication-flow/?next=%2Fapplication%2Fsaml%2Faws%2Fsso%2Fbinding%2Finit%2F")
+
+	gock.New("http://127.0.0.1").
+		Get("/if/flow/default-authentication-flow").
+		Reply(200).
+		BodyString("")
+
+	gock.New("http://127.0.0.1").
+		Get("/api/v3/flows/executor/default-authentication-flow").
+		Reply(200).
+		JSON(map[string]interface{}{
+			"flow_info":          map[string]interface{}{"title": "Welcome to authentik!", "background": "/static/dist/assets/images/flow_background.jpg", "cancel_url": "/flows/-/cancel/", "layout": "stacked"},
+			"component":          "ak-stage-identification",
+			"user_fields":        []string{"username", "email"},
+			"password_fields":    false,
+			"application_pre":    "aws",
+			"primary_action":     "Log in",
+			"sources":            []string{},
+			"show_source_labels": false,
+		})
+
+	gock.New("http://127.0.0.1").
+		Post("/api/v3/flows/executor/default-authentication-flow").
+		Reply(302).
+		SetHeader("Location", "/api/v3/flows/executor/default-authentication-flow/?query=next%3D%252F")
+
+	gock.New("http://127.0.0.1").
+		Get("api/v3/flows/executor/default-authentication-flow").
+		Reply(200).
+		JSON(map[string]interface{}{
+			"flow_info":           map[string]interface{}{"title": "Welcome to authentik!", "background": "/static/dist/assets/images/flow_background.jpg", "cancel_url": "/flows/-/cancel/", "layout": "stacked"},
+			"component":           "ak-stage-password",
+			"pending_user":        "user",
+			"pending_user_avatar": "https://secure.gravatar.com/avatar/0932141298741243?s=158&r=g",
+		})
+	gock.New("http://127.0.0.1").
+		Post("/api/v3/flows/executor/default-authentication-flow").
+		Reply(302).
+		SetHeader("Location", "/api/v3/flows/executor/default-authentication-flow/?query=next%3D%252F")
+
+	gock.New("http://127.0.0.1").
+		Get("/api/v3/flows/executor/default-authentication-flow").
+		Reply(302).
+		SetHeader("Location", "/api/v3/flows/executor/default-authentication-flow/?query=next%3D%252F")
+
+	gock.New("http://127.0.0.1").
+		Get("/api/v3/flows/executor/default-authentication-flow").
+		Reply(200).
+		JSON(map[string]interface{}{
+			"component": "xak-flow-redirect",
+			"to":        "http://127.0.0.1/application/saml/aws/sso/binding/init",
+		})
+
+	gock.New("http://127.0.0.1").
+		Get("/application/saml/aws/sso/binding/init").
+		Reply(302).
+		SetHeader("Location", "/if/flow/default-provider-authorization-implicit-consent/")
+
+	gock.New("http://127.0.0.1").
+		Get("/if/flow/default-provider-authorization-implicit-consent/").
+		Reply(200)
+
+	gock.New("http://127.0.0.1").
+		Get("/api/v3/flows").
+		Reply(200).
+		JSON(map[string]interface{}{
+			"flow_info": map[string]interface{}{
+				"title":      "Redirecting to aws",
+				"background": "/static/dist/assets/images/flow_background.jpg",
+				"cancel_url": "/flows/-/cancel/",
+				"layout":     "stacked",
+			},
+			"component": "ak-stage-autosubmit",
+			"url":       "https://signin.amazonaws.com/saml",
+			"attrs": map[string]interface{}{
+				"ACSUrl":       "https://signin.amazonaws.com/saml",
+				"SAMLResponse": samlResponse,
+			},
+		})
+	client, _ := New(&cfg.IDPAccount{})
+	loginDetails := &creds.LoginDetails{
+		Username: "user",
+		Password: "pwd",
+		URL:      "http://127.0.0.1/application/saml/aws/sso/binding/init",
+	}
+	gock.InterceptClient(&client.client.Client)
+	result, err := client.Authenticate(loginDetails)
+
+	assert := assert.New(t)
+	assert.Nil(err)
+	assert.Equal(result, samlResponse)
+}
+
+// Test_simplifiedFlowAuthWithCombinedUsernamePassword Username/email and password in one page
+func Test_simplifiedFlowAuthWithCombinedUsernamePassword(t *testing.T) {
+	defer gock.Off()
+	samlResponse := "PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm46b2FzaX"
+	gock.New("http://127.0.0.1").
+		Get("/application/saml/aws/sso/binding/init").
+		Reply(302).
+		SetHeader("Set-Cookie", "[authentik_session=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzaWQiOiJ6cHI3NGdzMjNnOGNqbmF1bXNheGQ1dXVrc2VtZGZpNyIsImlzcyI6ImF1dGhlbnRpayIsInN1YiI6ImFub255bW91cyIsImF1dGhlbnRpY2F0ZWQiOmZhbHNlLCJhY3IiOiJnb2F1dGhlbnRpay5pby9jb3JlL2RlZmF1bHQifQ.zNiX4pk6G9ABeDip0PLs8-0irm2aQ_Arr_RgTxTGCQM; HttpOnly; Path=/; SameSite=None; Secure]").
+		SetHeader("Location", "/flows/-/default/authentication/?next=/application/saml/aws/sso/binding/init/")
+
+	gock.New("http://127.0.0.1").
+		Get("/flows/-/default/authentication").
+		Reply(302).
+		SetHeader("Location", "/if/flow/default-authentication-flow/?next=%2Fapplication%2Fsaml%2Faws%2Fsso%2Fbinding%2Finit%2F")
+
+	gock.New("http://127.0.0.1").
+		Get("/if/flow/default-authentication-flow").
+		Reply(200).
+		BodyString("")
+
+	gock.New("http://127.0.0.1").
+		Get("/api/v3/flows/executor/default-authentication-flow").
+		Reply(200).
+		JSON(map[string]interface{}{
+			"flow_info":          map[string]interface{}{"title": "Welcome to authentik!", "background": "/static/dist/assets/images/flow_background.jpg", "cancel_url": "/flows/-/cancel/", "layout": "stacked"},
+			"component":          "ak-stage-identification",
+			"user_fields":        []string{"username", "email"},
+			"password_fields":    true,
+			"application_pre":    "aws",
+			"primary_action":     "Log in",
+			"sources":            []string{},
+			"show_source_labels": false,
+		})
+
+	gock.New("http://127.0.0.1").
+		Post("/api/v3/flows/executor/default-authentication-flow").
+		Reply(302).
+		SetHeader("Location", "/api/v3/flows/executor/default-authentication-flow/?query=next%3D%252F")
+
+	gock.New("http://127.0.0.1").
+		Get("api/v3/flows/executor/default-authentication-flow").
+		Reply(200).
+		JSON(map[string]interface{}{
+			"flow_info":           map[string]interface{}{"title": "Welcome to authentik!", "background": "/static/dist/assets/images/flow_background.jpg", "cancel_url": "/flows/-/cancel/", "layout": "stacked"},
+			"component":           "ak-stage-password",
+			"pending_user":        "user",
+			"pending_user_avatar": "https://secure.gravatar.com/avatar/0932141298741243?s=158&r=g",
+		})
+	gock.New("http://127.0.0.1").
+		Post("/api/v3/flows/executor/default-authentication-flow").
+		Reply(302).
+		SetHeader("Location", "/api/v3/flows/executor/default-authentication-flow/?query=next%3D%252F")
+
+	gock.New("http://127.0.0.1").
+		Get("/api/v3/flows/executor/default-authentication-flow").
+		Reply(302).
+		SetHeader("Location", "/api/v3/flows/executor/default-authentication-flow/?query=next%3D%252F")
+
+	gock.New("http://127.0.0.1").
+		Get("/api/v3/flows/executor/default-authentication-flow").
+		Reply(200).
+		JSON(map[string]interface{}{
+			"component": "xak-flow-redirect",
+			"to":        "http://127.0.0.1/application/saml/aws/sso/binding/init",
+		})
+
+	gock.New("http://127.0.0.1").
+		Get("/application/saml/aws/sso/binding/init").
+		Reply(302).
+		SetHeader("Location", "/if/flow/default-provider-authorization-implicit-consent/")
+
+	gock.New("http://127.0.0.1").
+		Get("/if/flow/default-provider-authorization-implicit-consent/").
+		Reply(200)
+
+	gock.New("http://127.0.0.1").
+		Get("/api/v3/flows").
+		Reply(200).
+		JSON(map[string]interface{}{
+			"flow_info": map[string]interface{}{
+				"title":      "Redirecting to aws",
+				"background": "/static/dist/assets/images/flow_background.jpg",
+				"cancel_url": "/flows/-/cancel/",
+				"layout":     "stacked",
+			},
+			"component": "ak-stage-autosubmit",
+			"url":       "https://signin.amazonaws.com/saml",
+			"attrs": map[string]interface{}{
+				"ACSUrl":       "https://signin.amazonaws.com/saml",
+				"SAMLResponse": samlResponse,
+			},
+		})
+	client, _ := New(&cfg.IDPAccount{})
+	loginDetails := &creds.LoginDetails{
+		Username: "user",
+		Password: "pwd",
+		URL:      "http://127.0.0.1/application/saml/aws/sso/binding/init",
+	}
+	gock.InterceptClient(&client.client.Client)
+	result, err := client.Authenticate(loginDetails)
+
+	assert := assert.New(t)
+	assert.Nil(err)
+	assert.Equal(result, samlResponse)
+}

pkg/provider/authentik/model.go

@@ -49,6 +49,14 @@ func (payload *authentikPayload) isTypeRedirect() bool {
 	return payload.Type == "redirect"
 }
 
+func (payload *authentikPayload) isTypeEmpty() bool {
+	return payload.Type == ""
+}
+
 func (payload *authentikPayload) isComponentStageAutosubmit() bool {
 	return payload.Component == "ak-stage-autosubmit"
 }
+
+func (payload *authentikPayload) isComponentFlowRedirect() bool {
+	return payload.Component == "xak-flow-redirect"
+}