policies/reputation: save to database directly #10059
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Some things
"ip_geo_data": GEOIP_CONTEXT_PROCESSOR.city_dict(remote_ip) or {}, | ||
"ip_asn_data": ASN_CONTEXT_PROCESSOR.asn_dict(remote_ip) or {}, | ||
} | ||
) |
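Review bot: the `defaults` of this upsert set `score`, `ip_geo_data` and `ip_asn_data` but nothing refreshes the row's expiry, so a row that already exists keeps its original expiry no matter how many further events land on it; add the expiry (computed from the reputation expiry setting) to `defaults` so every update extends it. Because this runs inside a synchronous signal, a database error here surfaces in the login flow; the thread agrees that failing closed is intended, so state that in a comment next to the call rather than leaving the behaviour implicit.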
We'll also need to update the expiry timestamp here based on the setting above...and maybe wrap this call in a transaction/catch errors as any saving here would prevent logins from happening due to this being in a sync signal
Weird that the expiry wasn't updated previously.
As for the catching exception, the previous code didn't and I think it's a good thing, as if we can't save the reputation score anywhere, you shouldn't be able to log in as that data can be used for security purposes.
def save_reputation(self: SystemTask): | ||
"""Save currently cached reputation to database""" | ||
objects_to_update = [] | ||
for _, score in cache.get_many(cache.keys(CACHE_KEY_PREFIX + "*")).items(): |
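Review bot: `save_reputation` is the only consumer of the keys under `CACHE_KEY_PREFIX` (read here with a wildcard `cache.keys()` call), so removing the task means any reputation entries still sitting in the cache at upgrade time are never flushed to the database and simply age out, and whatever schedules this `SystemTask` needs to be removed with it. Consider a one-off flush during the migration, or a release-note entry, so scores accumulated just before the upgrade are not silently lost.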
We might still want to keep this task around/update the other task to attempt to run a vacuum on this table occasionally since there could be quite a bit of writing/deleting to/from it.
There's already the expiring model cleanup which will remove the expired data.
For vacuuming, I think we should let postgres' autovacuum do its thing for now, and if we have reports that things are slow, we can implement that.
True, although I don't know what the default settings for autovacuum are both for compose and k8s installs.
Should be pretty sensible, I think they're the same as a default postgres installation
identifier=identifier, | ||
defaults={ | ||
"score": amount, | ||
"ip_geo_data": GEOIP_CONTEXT_PROCESSOR.city_dict(remote_ip) or {}, |
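Review bot: `"score": amount` in `defaults` means an existing row for this identifier has its score overwritten with the latest `amount` rather than adjusted by it. If the score is meant to accumulate across events, use an `F("score") + amount` expression so the increment is applied atomically in the database and two signal handlers racing on the same row cannot lose each other's update.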
I think both this and ip_asn_data we should maybe fetch dynamically instead of storing them in the database, as the lookup can take quite a bit of time? And then we can cache results of GEOIP_CONTEXT_PROCESSOR based on the IP within the process? (or in redis..?) (maybe this is premature optimization)
Everything should be in memory so it should be quite fast, maybe even faster than storing things in Redis.
indexes = [ | ||
models.Index(fields=["identifier"]), | ||
models.Index(fields=["ip"]), | ||
models.Index(fields=["ip", "identifier"]), | ||
] |
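Review bot: if rows are looked up by the `(ip, identifier)` pair, as the composite index suggests, that pair should be a `UniqueConstraint` rather than a plain `models.Index`; without it, two synchronous signal handlers racing on the same pair can each insert a row, and later lookups on that pair fail with `MultipleObjectsReturned`. With the composite index (or constraint) in place, the single-column `models.Index(fields=["ip"])` is redundant on PostgreSQL, since the leading column of the composite index serves `ip`-only lookups; keep `["identifier"]` only if some query filters by identifier alone.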
Not fully sure about those either, but it should help a bit
authentik PR Installation instructions

Instructions for docker-compose

Add the following block to your

    AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
    AUTHENTIK_TAG=gh-ghcr.io/goauthentik/dev-server:gh-b5dd60b62b6d8a890d9b470561c7dfa5c6983362
    AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

For arm64, use these values:

    AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
    AUTHENTIK_TAG=gh-ghcr.io/goauthentik/dev-server:gh-b5dd60b62b6d8a890d9b470561c7dfa5c6983362-arm64
    AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

Afterwards, run the upgrade commands from the latest release notes.

Instructions for Kubernetes

Add the following block to your

    authentik:
      outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
      image:
        repository: ghcr.io/goauthentik/dev-server
        tag: gh-ghcr.io/goauthentik/dev-server:gh-b5dd60b62b6d8a890d9b470561c7dfa5c6983362

For arm64, use these values:

    authentik:
      outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
      image:
        repository: ghcr.io/goauthentik/dev-server
        tag: gh-ghcr.io/goauthentik/dev-server:gh-b5dd60b62b6d8a890d9b470561c7dfa5c6983362-arm64

Afterwards, run the upgrade commands from the latest release notes.
* main: website/docs: release notes for 2024.6 (#9812) policies/reputation: save to database directly (#10059) providers/enterprise: import user/group data when manually linking objects (#10089) core, web: update translations (#10108) web: Add enterprise / FIPS notification to the AdminOverviewPage (#10090) core: bump github.com/getsentry/sentry-go from 0.28.0 to 0.28.1 (#10095) web: bump API Client version (#10107) admin: system api: do not show FIPS status if no valid license (#10091) root: add configuration option to enable fips (#10088) web: bump the sentry group across 1 directory with 2 updates (#10101) web: bump ts-pattern from 5.1.2 to 5.2.0 in /web (#10098) web: bump the storybook group across 1 directory with 7 updates (#10102) core: bump github.com/gorilla/websocket from 1.5.2 to 1.5.3 (#10103) core: bump pydantic from 2.7.3 to 2.7.4 (#10093) core: bump bandit from 1.7.8 to 1.7.9 (#10094)
* dev: (335 commits) website/docs: release notes for 2024.6 (#9812) policies/reputation: save to database directly (#10059) providers/enterprise: import user/group data when manually linking objects (#10089) core, web: update translations (#10108) web: Add enterprise / FIPS notification to the AdminOverviewPage (#10090) core: bump github.com/getsentry/sentry-go from 0.28.0 to 0.28.1 (#10095) web: bump API Client version (#10107) admin: system api: do not show FIPS status if no valid license (#10091) root: add configuration option to enable fips (#10088) web: bump the sentry group across 1 directory with 2 updates (#10101) web: bump ts-pattern from 5.1.2 to 5.2.0 in /web (#10098) web: bump the storybook group across 1 directory with 7 updates (#10102) core: bump github.com/gorilla/websocket from 1.5.2 to 1.5.3 (#10103) core: bump pydantic from 2.7.3 to 2.7.4 (#10093) core: bump bandit from 1.7.8 to 1.7.9 (#10094) website/developer-docs: add a baby Style Guide (#9900) website/integrations: gitlab: update certificate key pair location and specify sha (#9925) root: handle asgi exception (#10085) website: bump prettier from 3.3.1 to 3.3.2 in /website (#10082) web: bump prettier from 3.3.1 to 3.3.2 in /web (#10081) ...
Checklist

- Tests: ak test authentik/
- Formatting: make lint-fix
- If an API change has been made: make gen-build
- If changes to the frontend have been made: make web
- If applicable: make website