From 1a239281095981337c639e3a03606b3c09b9b914 Mon Sep 17 00:00:00 2001
From: Yuri Tatishchev
Date: Fri, 20 Dec 2024 19:17:39 -0800
Subject: [PATCH] authentik: refactor oauth2 app blueprints, add group policies
---
 .idea/jsonSchemas.xml | 2 +-
 group_vars/alpina/vars.yml | 2 +
 group_vars/alpina/vault.yml | 191 ++++++++++--------
 .../authentik/blueprints/apps-oauth2.yaml.j2 | 48 +++--
 .../blueprints/services-oauth2.yaml.j2 | 56 -----
 5 files changed, 142 insertions(+), 157 deletions(-)
 delete mode 100644 roles/alpina/templates/services/authentik/blueprints/services-oauth2.yaml.j2
diff --git a/.idea/jsonSchemas.xml b/.idea/jsonSchemas.xml
index 149082e..ed8f142 100644
--- a/.idea/jsonSchemas.xml
+++ b/.idea/jsonSchemas.xml
@@ -31,7 +31,7 @@
diff --git a/group_vars/alpina/vars.yml b/group_vars/alpina/vars.yml
index feab25c..ef77661 100644
--- a/group_vars/alpina/vars.yml
+++ b/group_vars/alpina/vars.yml
@@ -14,6 +14,8 @@ authentik_secret_key: "{{ vault_authentik_secret_key }}" authentik_sendgrid_api_key: "{{ vault_authentik_sendgrid_api_key }}" auth_grafana_client_secret: "{{ vault_auth_grafana_client_secret }}"
+auth_gitea_client_secret: "{{ vault_auth_gitea_client_secret }}"
+auth_nextcloud_client_secret: "{{ vault_auth_nextcloud_client_secret }}" arrstack_password: "{{ vault_arrstack_password }}" # Minio
diff --git a/group_vars/alpina/vault.yml b/group_vars/alpina/vault.yml
index 59af3e3..bbb32aa 100644
--- a/group_vars/alpina/vault.yml
+++ b/group_vars/alpina/vault.yml
@@ -1,88 +1,105 @@ $ANSIBLE_VAULT;1.1;AES256 -36636236366435333738633465323539336231393239656538643863643233346563333836623335 -3136393936656261396434316232356338313838373666660a653464613833306133343232623864 -61666561336462376664363463313533353238623031613664353063396236343663643936303730 -6235646336306636360a653238633038306532613436633132363231613862383636313838623461 -32633366326136346435613232396632396365656138643361643139353430663637353565383664 -36623961663030653639316131376535363138343965636437653139646233613765323439393030 -31666137346339663162393836636638636431326232323461353661613062623032306130393965 -38313931313935666633343835303232333961633232623538383138366262663335323764323939 -32373333663834626633363265373632356439633862316562323565646530383534653338353165 -38396434353332623164346137383238343536303130616666643065306431656137303263323135 -34316662353031653932396239623733313037383935383762623136346636323434363231623161 -30393864353466643637316566663366363231373335663331323932663837626239663633663965 -66333531323861663130353531323339386566303630366236636135393439356634393732623033 -31336231363935633436363962316666666336303338313636386163313666636336343464336133 -33313730303961663632323435323963663530623265663664343735643061323332343265343431 -61363039333730623562363233373537633138663239313132336666313237373137353663326538 -32366130326635366433393434653735616132366264386461363063393265623765666461626366 -38636239376534653230663932393930343162333262643130633835343363613061623932363761 -64643164323335376565646137643763316562343565366462376162333633313737303465373362 -63343734633536353661353165346632666230616138396461336332623365366432313734343837 -30613736313961663334326335333834336634373338326631313739363765303036303132346166 -37313030373264383564383936396339623061616134356663333733653838393537306336313135 -32336261356437653863653839373130323035346538343938646265653239376236373932646433 
-35373932326535643763396563373138626239393661373231393066323335336264373835336635 -38393732643630336364363834303534663334396363623261383339313939663461303236646237 -36393330373534383836373065373239353836653137306338336638396662363434303839363466 -37303332343464663733653632363239366337656364333532313237633935616637333361383763 -62363063323362323565363837333264346161353032643039323839336666656333336433376231 -36363335626137366135373230613436653232663138343862623562306331336330356630316166 -30613264353165343634663461373630653632366333313837373237613339336638396338376465 -64633638373263376330343561303664666139663237326637663964386133623164626339346635 -66636365366562343636653362656133306164353761346661343430356633613063656466316262 -31633932313532663930303837353863333664393563646566396164666236633832633235653362 -63663931353436623034653733313766393465363466363831643130643939356335643166356436 -38386530333264313263636438376134666235646636316233653330613735323234313036356639 -61316164376434616239646235326661323363333835393430646462323234356138653163616530 -65623233636435396462343437626130353735643530376538633762346332653162353563386366 -32656633633935626238323431643631633434633032303435383037353834653964326336616530 -30363765663133313239373664383830393238303439653531316664636532363135636563356666 -34376636373033353665373261363536393562653638306661663832326139383565613862333831 -38616238616332326532656430393331383161376237393365666639363732363164306332343336 -37366638326464373261386431623731306663616262633837313965633530616265326536323136 -62366365666461383535663637633332626464643062653139623333663038316536353930653266 -37343830613062346533613762663738343138383537396435643765323237623130363564396462 -61663063643135303539313062396338353061346336303938626361343238366366393533363638 -31313437623631626437393761366537636664393863306164373431653133316639623630353336 -65313037636533393362363266366231393334613264343331623531393666336336626265366163 
-34663161396633666162326564313735373137303337386538633866653331646635633532336465 -34386166373436386566656135313438363733353139663630613430363332656239356139393532 -35626337666639376664346631323938316538333066353363646562323266353165366632656137 -66366162376165626564363230353062666364646363366637666433636333316536623435623836 -62346566363362363939353038396566653238666138666531396338323262323965383031336362 -34613332363334653531383231363539343133333531666564386133346562323338366139663438 -31613466366438643566333632326239653662636464373337326537313234393038306132343730 -36633136366162643966396362643165313336383862653435343630646431306366656636353230 -64326633346561613662383863356531306563623439363566643733336535303335303164633535 -36356463616162313039386434323637383937613133623131373033373462363365643730666166 -65383166346638313533326366346433656461346439343838306564393336383536633732343965 -39306231386130303433616361366363366163646534316138623362393063663438313165643762 -39393332653564333762663762366633386135353865366338396138666265653662373535666366 -35613937613366323064316561643435353830316239396464393737613835373964626437316464 -39643664656565633966393832643033323130636562383233323636363361353430353062323439 -39396464633336623963633963326461316562333162333766613064336462613235336531623437 -30383063653666633839646533386239366637346230363033306161386537303039376465303535 -34643162323065326264343662303138313063303834353832393663616239383739313133393532 -62393766343037666564326132386139346661383564366366646530346434373366326531356138 -31323531653338653130303733363764636430336563336439666132626434363463306631363334 -39623332376334383338633132653262653735346563626365613336623435396539383630366332 -31316638393562376131363166633163333332633332393062393962613132366538653865663264 -38313237393436353333323431336361653938343034346164353335366535396265633961333138 -65386137356161643732636531613166633464326163303336303439383435376331373935333563 
-64633961623761393131333234656530653737346563643963643833383262383434653266343362 -35623832643032346133346363646136646438663761363330666231316434306232623339656535 -34393337666237656262313439386336336466373466663663616139353463316265396135626366 -62313562306334343831616364633933343463386233323637313832316635346235623830333461 -33663530343966383739643261653736363865323438363430653661653964643339633833386438 -36333331366334366461346636636462343335313234663864613864366134356161396662383632 -36663538373761353937313666363262626435623537646665646364353934373638366261333234 -36353439303663656531666637376364313838386130343966316138356338643135316139363630 -30386635376565363931333331336431303562346431323534643238333337386264616161356163 -35663766306635626235373663643064393233346364666663393236353561653362373361666164 -65653566666234626464356338613834323332383939643935323337376162316163333034643062 -63646237646234636561313038383636373936656164333735323461626233633337623764383830 -66383161346336633962643032376662656566396666343662656337306333313836613335643961 -64323961663032373239636430306430383639306333363938303837386139643230353061623937 -36373733636337616264313432643230303935626666633533666135666538626266626266643864 -376430653461346366626432636336653437 \ No newline at end of file +38653531383530396363323730396534343535303634383664356639663630333762666230313765 +3466643833616230303437363430393635363931393635390a313233626236646362663630636562 +39626662396261653766383139303633653838393461613766643033373436333130383534393935 +3664353531333164300a613265643439653966353130363539353639623662393135393432393931 +35353665643635623235633233323933346436353139633962343631383434666530316561636164 +35356130306461343032643262346435613731383535343135646236383463313331376132353931 +35643634346364653361666365326230353330616565333331353338373862333038333834363565 +32326265316635653465643830353164376265666361383461383730353634383534313263316138 
+35626565346561646135353762376661333136303763616438393435346165656436613630363866 +32616166623062643030616335356133366133653766353262633663353962616265383763326234 +33343565616161643433313934373465633334363965623230333938616631343630313132653132 +62363963356465663232353963343735383361396135346362313837386538343634636239633266 +65376138633032643464656563363234393032646666336662363963323435616532626439653737 +35643661666361386439656663313034636666636363373565633230356638656462393936623835 +61393264326634326631363731323061646631343733346531646337656135613666306531373735 +63636532373965363736366639323763396335316266643932353035343635373733323162363061 +39396564306565313561663138326166343931623539623362666137336536666366383135366364 +35373561663131316630643163663132373064313364646465643930343432336161386634376431 +32613663336637333434303236646334333566646337613661383862363339633833333532613062 +38376165366161373363333563656465363232643633353239336164653736316131326262353635 +32363931663930373166343263333136633439313630333564356262396431316566333166303861 +63346635626433373862646162303230613761623865336366643962653564336532623064383638 +35333939323935336533306666633936323338323734333136623063656366646164326539303165 +62633234376139323664666331396337376536383765386161383163646437383462653731653563 +66353037376165376137313436623562313730366430633930323264363466386530303065373865 +37323965663733396264346530643137626239343432396335353938316231666364373164653737 +33643034656334613635363836653439653966613062393531306235356363366338383365376162 +35373764613665333166303235343666643932303135303534323939356636613062346361323431 +38313238373032626632653161393435393861353532393431313062363638323862346564363265 +63393538626631323735363431313935323132643238643462303833646662633931626262333237 +62666466356162356338633430396363643263363964363466393034653362303338313464646463 +33353139616665646462646236333239326261393663613662666534313730323435646430366439 
+39396631643435626137373630346331656631343361353862313533653739643737643666636163 +39623533316136366466343662316166396563666630633134623839386430303238663431323666 +36646331623334346664633361656335633764386437653035616435393866373538316366643835 +62633934313837393331376637613633623730363438613338313936646563303161303637356136 +38383330663361623333656235383363303263663436643137323732343138646231316633626532 +66653261616165346437383034613732373066333563656133303439303861343237396535333933 +62656632346264613962643230353564643635336264396537303130643230613435346361663865 +63383333636437623736326564633332343866323736353662313165316663346237393965663365 +37393831623231353266646561363337623039333234633233316331363538396133663261343430 +64656464646331616537313635353636636663316230623933363033346262653164363438666164 +33366639383765303464373636633661386337326330326339316263323835363166313233393337 +64663466346530323232643731346635376565643662656630346432383264323065643161336139 +34326661663236383064383732656432356361343961333333663337366261653132326166663639 +39303462653134643166666330393165653831336637383133623036333135666437323464643838 +64353338636161623763323261393563356533343961633338333339303461313036663530636131 +63663565613865633864353635386339633935303331316634303365653139383064353133323232 +62366662613931616664643665343332326333396230666430393637653965343233396265336433 +65643835663230626130643337353733353536396431656239376533303134663131623331666534 +66383061373238323238656366363639363039343937646532323265323131316531633363353937 +66643836613938366439663862343566643265376338323061383637346662316332303039313932 +66663032643063343539323537313932613933643336353538316331356433386634646131646637 +30646430313966663639363938316432333164313932643839656165373961623435356536323063 +32343933343338636465393030633433666562656531306162633033326365393361313032316661 +65373934383437636335623030663134643265333535356439346332616462666337386266386234 
+30653033366565386561323135323465666463346137313239386536616431666266643664653862 +33653062653161306337646338613332363965653039393638656631303938616130373438646430 +64663334363031333264393134396336663835313632636665616233616163623639303266363434 +63633561366230353232313164663861656364356466313534626434373465626136613232336335 +32313834613561323462323637666135356432363430643664616431356163306266396432613738 +39633539323030353534653139386135633136623332363234313163353232313364396631333065 +38373336396566663633353239323264326331346434393065366666613733653562626139333032 +64313139636433616237343261333134373730373839306438343037363933613366623432613036 +39643062653537363031396331666336336530396430333634393936396266326430616632343163 +62653736363136386536303861643630663362336566303536306362386163373734333933636537 +32366135623836333439366131656461373962356666366135623530373534313939323036343834 +66663661343738373033633163316261666466336461383039386562636537356238643561653863 +38353735373833383766626336656432333363663935373631393739383535336661613465643336 +30366265636433373234653031393062353062333538396633326535363531366563623835363633 +62373732393734626666633965313734396635646561393061333632353832656333356466343934 +64303038383339653233353332613062306436313933336665343966653164363236663333313465 +63323037613934326133383763336530323330653966343038646130376564386530376264326232 +34373763386462333466616265653464346230396665333439303939333438383030643035303763 +61396565396536366133383335373736306139383332346537663737626538613031346235313132 +38663437303966373139663761363336366362303561613466356538303962316361653431323439 +61353237393432346235663836333439643630666438643033396333383765626163343966623638 +39316134383533393930323339663431643539356630383961666634323166653832393435623639 +34663231646435386261656266633266643437396561653662303866363365326339643561386563 +34376365376433653961353330363236616666366565376466666635356631623561633637643966 
+32633234303663383061323261363062666535336534633836613861323764356634613961656636 +61643633666338353063363561343639636435393437383062323565306630326131613466316430 +38303963353931393437616233333666336639613163383964616361326365666561343762666136 +65633238623932316234366464383932373166343435633463306437316234646533336634666238 +66313735356137326266353966656631336262373261376139336238656331396366646635343963 +38396333333666306636376139656331626664616437313638353933653930343331643561393638 +33376265323437643937333035333735623563383530353636303261306539666465346138326564 +63326237623366356561396463383431326266623430376239656362623266386662343662626663 +64663437376530343736356331343135633433643339333330383663323230303665653065626337 +64666430613239643635313435633661653434323538653764323834633935376134356264656335 +32613139316533303861373532343335663666356562633133636230613165396463613831363761 +38663964633739626539636532613232353366366231643233323663313566383936383664373564 +61653931333239376363323064663364663638393735333463323661653138396165376238396161 +34346637373038306166646266306634613938646233306662643865386131356537616161643439 +38376363363263626366653136656133373133383662613239313463373139333136306164646437 +38663333376331353265393031306438346162326264333637616462393664633763663265353462 +64623239663139653339376366383961333461636633613837343637393261303338316234363431 +39643939376130656334643339636439313664653463303832623131343637393634623337383538 +39366132663631313261363161333865323536633066313965613437326633303638333763353635 +30336236356239633332633637613865343637326235653662643531653661383332626534346436 +63633563383662616138373565623731383535636463353530383362333733333637333662346632 +31333738363661316635383463663163663066666439306533616331376234353236623532383836 +64633933626130633631373763373133623833643461663830353135333832613831356466653361 +30613163623936313466 \ No newline at end of file 
diff --git a/roles/alpina/templates/services/authentik/blueprints/apps-oauth2.yaml.j2 b/roles/alpina/templates/services/authentik/blueprints/apps-oauth2.yaml.j2
index 9128d3f..59c934e 100644
--- a/roles/alpina/templates/services/authentik/blueprints/apps-oauth2.yaml.j2
+++ b/roles/alpina/templates/services/authentik/blueprints/apps-oauth2.yaml.j2
@@ -5,46 +5,68 @@ metadata: name: Alpina - OAuth2 Apps entries: {% set apps = { + "Grafana": { + "redirect_uri": "https://grafana."~ domain ~"/login/generic_oauth", + "icon": "https://grafana."~ domain ~"/public/img/grafana_icon.svg", + "client_secret": auth_grafana_client_secret, + "ui_group": "Services", + "allowed_for_groups": ["admins"], + }, "Gitea": { - "redirect_uris": "https://gitea."~ domain ~"/user/oauth2/Authentik/callback", + "redirect_uri": "https://gitea."~ domain ~"/user/oauth2/Authentik/callback", "icon": "https://gitea."~ domain ~"/assets/img/logo.svg", + "client_secret": auth_gitea_client_secret, + "ui_group": "Apps", + "allowed_for_groups": ["admins", "users"], }, "Nextcloud": { - "redirect_uris": "https://nc."~ domain ~"/apps/sociallogin/custom_oidc/authentik", + "redirect_uri": "https://nc."~ domain ~"/apps/sociallogin/custom_oidc/authentik", "icon": "https://nc."~ domain ~"/apps/theming/favicon", + "client_secret": auth_nextcloud_client_secret, + "ui_group": "Apps", + "allowed_for_groups": ["admins", "users"], }, } -%} {% for app in apps.keys() -%} - identifiers: name: {{ app }} model: authentik_providers_oauth2.oauth2provider - id: {{ app | lower }} + id: {{ app }} attrs: - access_code_validity: minutes=1 - access_token_validity: minutes=5 authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]] + invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]] client_type: confidential - issuer_mode: per_provider - sub_mode: hashed_user_id + client_id: {{ app | lower }} + client_secret: {{ apps[app]["client_secret"] }} property_mappings: - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]] - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]] - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]] - redirect_uris: {{ apps[app]["redirect_uris"] }} - refresh_token_validity: days=30 + redirect_uris: + - matching_mode: 
strict + url: {{ apps[app]["redirect_uri"] }} signing_key: !Find [authentik_crypto.certificatekeypair, [name, "authentik Self-signed Certificate"]] - identifiers: slug: {{ app | lower }} model: authentik_core.application - id: {{ app | lower }} + id: app-{{ app }} attrs: name: {{ app }} - group: "Apps" + group: "{{ apps[app]["ui_group"] }}" meta_description: "Hello, I'm {{ app }}!" meta_publisher: Alpina icon: "{{ apps[app]["icon"] }}" open_in_new_tab: true - policy_engine_mode: any - provider: !KeyOf {{ app | lower }} + provider: !KeyOf {{ app }} + + {% for group in apps[app]["allowed_for_groups"] -%} + - identifiers: + group: !Find [authentik_core.group, [name, {{ group }}]] + target: !KeyOf app-{{ app }} + model: authentik_policies.policybinding + attrs: + order: 10 + {% endfor %} + {% endfor %}
diff --git a/roles/alpina/templates/services/authentik/blueprints/services-oauth2.yaml.j2 b/roles/alpina/templates/services/authentik/blueprints/services-oauth2.yaml.j2
deleted file mode 100644
index 6f47347..0000000
--- a/roles/alpina/templates/services/authentik/blueprints/services-oauth2.yaml.j2
+++ /dev/null
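Review bot: `client_secret: {{ apps[app]["client_secret"] }}` in the provider entry renders each vault secret as a plain unquoted YAML scalar, so a secret that begins with a YAML indicator, contains `: ` or ` #`, or happens to look like a number or boolean will be mistyped or break the blueprint parse; the sibling `icon` value is quoted and this one should be too, e.g. `client_secret: {{ apps[app]["client_secret"] | to_json }}`, which also escapes any embedded quotes. The new policy bindings look up `admins` and `users` with `!Find [authentik_core.group, [name, {{ group }}]]`, and nothing in this blueprint creates those groups, so if either is missing the lookup presumably resolves to nothing and the binding is applied without a group; a comment stating where the groups are expected to come from, or explicit `authentik_core.group` entries, would make that dependency visible. Removing `sub_mode: hashed_user_id` and `issuer_mode: per_provider` relies on authentik's defaults matching the old explicit values; if they differ, already-linked Gitea and Nextcloud accounts would receive new subject identifiers, so a comment such as `# sub_mode/issuer_mode intentionally left at authentik defaults` is worth adding if that is the intent.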
@@ -1,56 +0,0 @@ -version: 1 -metadata: - labels: - blueprints.goauthentik.io/instantiate: "true" - name: Alpina - OAuth2 Services -entries: - {% set apps = { - "Grafana": { - "redirect_uris": "https://grafana."~ domain ~"/login/generic_oauth", - "icon": "https://grafana."~ domain ~"/public/img/grafana_icon.svg", - "client_secret": auth_grafana_client_secret, - }, - } -%} - # TODO: Add Minio - - {% for app in apps.keys() -%} - - identifiers: - name: {{ app }} - model: authentik_providers_oauth2.oauth2provider - id: {{ app | lower }} - attrs: - authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]] - client_type: confidential - client_id: {{ app | lower }} - client_secret: {{ apps[app]["client_secret"] }} - property_mappings: - - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]] - - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]] - - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]] - redirect_uris: {{ apps[app]["redirect_uris"] }} - - - identifiers: - slug: {{ app | lower }} - model: authentik_core.application - attrs: - name: {{ app }} - group: "Services" - meta_description: "Hello, I'm {{ app }}!" - meta_publisher: Alpina - icon: "{{ apps[app]["icon"] }}" - open_in_new_tab: true - provider: !KeyOf {{ app | lower }} - - - identifiers: - name: "{{ app }} Admins" - model: authentik_core.group - id: "{{ app }} Admins" - - - identifiers: - group: !KeyOf "{{ app }} Admins" - target: !Find [authentik_core.application, [slug, {{ app | lower }}]] - model: authentik_policies.policybinding - attrs: - order: 0 - - {% endfor %}