policies/geoip: distance + impossible travel #12541
Conversation
✅ Deploy Preview for authentik-storybook ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
✅ Deploy Preview for authentik-docs ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
Codecov ReportAll modified and coverable lines are covered by tests ✅
✅ All tests successful. No failed tests found. Additional details and impacted files@@ Coverage Diff @@
## main #12541 +/- ##
==========================================
+ Coverage 92.76% 92.77% +0.01%
==========================================
Files 769 769
Lines 38879 38934 +55
==========================================
+ Hits 36067 36122 +55
Misses 2812 2812
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
BeryJu
force-pushed
the
policies/geoip/distance
branch
from
a2cc87e to
bec9606
Compare
|
authentik PR Installation instructions Instructions for docker-composeAdd the following block to your AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-bec96066e44fabf7f7a68a72487a655241197a2c
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)sFor arm64, use these values: AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-bec96066e44fabf7f7a68a72487a655241197a2c-arm64
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)sAfterwards, run the upgrade commands from the latest release notes. Instructions for KubernetesAdd the following block to your authentik:
outposts:
container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
global:
image:
repository: ghcr.io/goauthentik/dev-server
tag: gh-bec96066e44fabf7f7a68a72487a655241197a2cFor arm64, use these values: authentik:
outposts:
container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
global:
image:
repository: ghcr.io/goauthentik/dev-server
tag: gh-bec96066e44fabf7f7a68a72487a655241197a2c-arm64Afterwards, run the upgrade commands from the latest release notes. |
Signed-off-by: Jens Langhammer <[email protected]>
Signed-off-by: Jens Langhammer <[email protected]>
Signed-off-by: Jens Langhammer <[email protected]>
Signed-off-by: Jens Langhammer <[email protected]>
Signed-off-by: Jens Langhammer <[email protected]>
Signed-off-by: Jens Langhammer <[email protected]>
BeryJu
force-pushed
the
policies/geoip/distance
branch
from
bec9606 to
7ac0d30
Compare
| <ak-form-group> | ||
| <span slot="header"> ${msg("Distance settings")} </span> | ||
| <div slot="body" class="pf-c-form"> | ||
| <ak-form-element-horizontal name="checkHistoryDistance"> |
There was a problem hiding this comment.
ak-switch-input could be used here
| )} | ||
| </p> | ||
| </ak-form-element-horizontal> | ||
| <ak-form-element-horizontal |
There was a problem hiding this comment.
No ak-number-input though, it doesn't support min yet. cc. @kensternberg-authentik for awareness
| @@ -37,21 +52,27 @@ def passes(self, request: PolicyRequest) -> PolicyResult: | |||
| - the client IP is advertised by an autonomous system with ASN in the `asns` | |||
| - the client IP is geolocated in a country of `countries` | |||
| """ | |||
| results: list[PolicyResult] = [] | |||
| static_results: list[PolicyResult] = [] | |||
| dynamic_results: list[PolicyResult] = [] | |||
There was a problem hiding this comment.
Any advantage in having two separate lists here?
| if not geoip_data: | ||
| return PolicyResult(False) | ||
| for previous_login in previous_logins: | ||
| previous_login_geoip: GeoIPDict = previous_login.context.get("geo") |
There was a problem hiding this comment.
| previous_login_geoip: GeoIPDict = previous_login.context.get("geo") | |
| previous_login_geoip: GeoIPDict = previous_login.context["geo"] |
We've checked previously. I'd rather it fails on that line if something went wrong, than a None error later on
| # than max distance per hour times the amount of hours since the previous login | ||
| # (round down to the lowest closest time of hours) | ||
| # clamped to be at least 1 hour | ||
| rel_time_hours = max(int((_now - previous_login.created).total_seconds() / 86400), 1) |
There was a problem hiding this comment.
| rel_time_hours = max(int((_now - previous_login.created).total_seconds() / 86400), 1) | |
| rel_time_hours = max(int((_now - previous_login.created).total_seconds() / 3600), 1) |
an hour is 60 secs * 60 mins = 3600 seconds, right?
Details
Add options to the GeoIP policy for distance checks and impossible travel checks
Checklist
ak test authentik/)make lint-fix)If an API change has been made
make gen-build)If changes to the frontend have been made
make web)If applicable
make website)