АРХ - NODEDC PLATFORM: bootstrap Authentik applications

2026-05-04 11:07:09 +03:00 · 2026-05-04 11:07:09 +03:00 · 4a10726b2e
parent afa53d59c1
commit 4a10726b2e
7 changed files with 330 additions and 8 deletions
--- a/.gitignore
+++ b/.gitignore
@ -8,6 +8,8 @@

 # dependencies and build output
 node_modules/
+__pycache__/
+*.pyc
 dist/
 build/
 .turbo/
--- a/docs/DEPLOYMENT_LOCAL.md
+++ b/docs/DEPLOYMENT_LOCAL.md
@ -97,6 +97,27 @@ cd /Users/dcconstructions/Downloads/mnt/NODEDC/platform
 docker compose --env-file infra/.env -f infra/docker-compose.dev.yml up -d
 ```

+## Authentik bootstrap
+
+After Authentik is healthy, bootstrap local NODE.DC identity objects:
+
+```bash
+NODEDC_BOOTSTRAP_ADMIN_EMAIL=dcctouch@gmail.com infra/scripts/bootstrap-authentik-dev.sh
+```
+
+This creates:
+
+- `nodedc:superadmin`;
+- `nodedc:launcher:admin`;
+- `nodedc:launcher:user`;
+- `nodedc:taskmanager:admin`;
+- `nodedc:taskmanager:user`;
+- `NODE.DC Launcher` application with OAuth2/OIDC provider;
+- `NODE.DC Task Manager` application with OAuth2/OIDC provider;
+- group bindings for application access.
+
+The script fills missing `LAUNCHER_OIDC_CLIENT_SECRET` and `PLANE_OIDC_CLIENT_SECRET` values in ignored `infra/.env`. Secrets are not committed.
+
 Проверка:

 ```bash
--- a/infra/.env.example
+++ b/infra/.env.example
@ -29,14 +29,14 @@ AUTHENTIK_ERROR_REPORTING__ENABLED=false

 # launcher oidc
 LAUNCHER_OIDC_ISSUER=http://auth.local.nodedc/application/o/launcher/
-LAUNCHER_OIDC_CLIENT_ID=
-LAUNCHER_OIDC_CLIENT_SECRET=
+LAUNCHER_OIDC_CLIENT_ID=nodedc-launcher
+LAUNCHER_OIDC_CLIENT_SECRET=change-me-generate-with-bootstrap-authentik-dev
 LAUNCHER_OIDC_REDIRECT_URI=http://launcher.local.nodedc/auth/callback

 # plane oidc
 PLANE_OIDC_ISSUER=http://auth.local.nodedc/application/o/task-manager/
-PLANE_OIDC_CLIENT_ID=
-PLANE_OIDC_CLIENT_SECRET=
+PLANE_OIDC_CLIENT_ID=nodedc-task-manager
+PLANE_OIDC_CLIENT_SECRET=change-me-generate-with-bootstrap-authentik-dev
 PLANE_OIDC_REDIRECT_URI=http://task.local.nodedc/auth/oidc/callback

 # security
--- a/infra/README.md
+++ b/infra/README.md
@ -59,10 +59,20 @@ docker compose --env-file infra/.env -f infra/docker-compose.dev.yml up -d
 ```bash
 docker compose --env-file infra/.env -f infra/docker-compose.dev.yml ps
 curl -I -H 'Host: auth.local.nodedc' http://127.0.0.1/
+curl -I -H 'Host: launcher.local.nodedc' http://127.0.0.1/
+curl -I -H 'Host: task.local.nodedc' http://127.0.0.1/
 ```

 Generated Authentik bootstrap credentials are stored only in `infra/.env`.

+5. Bootstrap local Authentik groups and OIDC applications:
+
+```bash
+NODEDC_BOOTSTRAP_ADMIN_EMAIL=dcctouch@gmail.com infra/scripts/bootstrap-authentik-dev.sh
+```
+
+The script is idempotent. It creates NODE.DC groups, Launcher and Task Manager OAuth2 providers, application tiles, group access bindings and local OIDC client secrets in `infra/.env`.
+
 ## Current local status

 This stack was verified locally with `PLATFORM_PROXY_IMAGE=nodedc/plane-proxy:ru`:
@ -71,6 +81,7 @@ This stack was verified locally with `PLATFORM_PROXY_IMAGE=nodedc/plane-proxy:ru
 - `launcher.local.nodedc` returns `200` from the current Vite launcher through Caddy;
 - `task.local.nodedc` returns `200` from the current Plane runtime through Caddy;
 - Authentik server, Authentik worker and PostgreSQL report healthy in Docker Compose.
+- Authentik login via `auth.local.nodedc` has been verified manually with the local admin user.

 Browser testing still requires `/etc/hosts` entries on the host machine.

--- a/infra/authentik/bootstrap-dev.py
+++ b/infra/authentik/bootstrap-dev.py
@ -0,0 +1,210 @@
+from os import environ
+
+from django.db import transaction
+
+from authentik.common.oauth.constants import SubModes
+from authentik.core.models import Application, Group, User
+from authentik.flows.models import Flow
+from authentik.policies.models import PolicyBinding
+from authentik.providers.oauth2.models import (
+    ClientTypes,
+    IssuerMode,
+    OAuth2LogoutMethod,
+    OAuth2Provider,
+    RedirectURI,
+    RedirectURIMatchingMode,
+    ScopeMapping,
+)
+
+GROUP_SPECS = [
+    ("nodedc:superadmin", False),
+    ("nodedc:launcher:admin", False),
+    ("nodedc:launcher:user", False),
+    ("nodedc:taskmanager:admin", False),
+    ("nodedc:taskmanager:user", False),
+]
+
+APP_SPECS = [
+    {
+        "slug": "launcher",
+        "name": "NODE.DC Launcher",
+        "provider_name": "NODE.DC Launcher OIDC",
+        "client_id_env": "LAUNCHER_OIDC_CLIENT_ID",
+        "client_secret_env": "LAUNCHER_OIDC_CLIENT_SECRET",
+        "redirect_uri_env": "LAUNCHER_OIDC_REDIRECT_URI",
+        "launch_url": "http://launcher.local.nodedc",
+        "logout_uri": "http://launcher.local.nodedc/logout",
+        "groups": ["nodedc:superadmin", "nodedc:launcher:admin", "nodedc:launcher:user"],
+        "description": "NODE.DC control plane launcher.",
+    },
+    {
+        "slug": "task-manager",
+        "name": "NODE.DC Task Manager",
+        "provider_name": "NODE.DC Task Manager OIDC",
+        "client_id_env": "PLANE_OIDC_CLIENT_ID",
+        "client_secret_env": "PLANE_OIDC_CLIENT_SECRET",
+        "redirect_uri_env": "PLANE_OIDC_REDIRECT_URI",
+        "launch_url": "http://task.local.nodedc",
+        "logout_uri": "http://task.local.nodedc/logout",
+        "groups": ["nodedc:superadmin", "nodedc:taskmanager:admin", "nodedc:taskmanager:user"],
+        "description": "NODE.DC Plane-based task manager.",
+    },
+]
+
+
+def required_env(name):
+    value = environ.get(name, "").strip()
+    if not value:
+        raise RuntimeError(f"{name} is required")
+    return value
+
+
+def ensure_group(name, is_superuser=False):
+    group, _ = Group.objects.get_or_create(name=name)
+    group.is_superuser = is_superuser
+    group.save()
+    return group
+
+
+def ensure_groups():
+    groups = {}
+    for name, is_superuser in GROUP_SPECS:
+        groups[name] = ensure_group(name, is_superuser)
+    return groups
+
+
+def ensure_user_groups(groups):
+    admin_email = environ.get("NODEDC_BOOTSTRAP_ADMIN_EMAIL", "").strip()
+    if not admin_email:
+        return None
+
+    user = User.objects.filter(email__iexact=admin_email).first() or User.objects.filter(
+        username=admin_email
+    ).first()
+    if user is None:
+        user = User(username=admin_email, email=admin_email, name=admin_email, type="internal")
+
+    user.username = admin_email
+    user.email = admin_email
+    user.is_active = True
+    user.type = "internal"
+    if environ.get("NODEDC_BOOTSTRAP_ADMIN_PASSWORD"):
+        user.set_password(environ["NODEDC_BOOTSTRAP_ADMIN_PASSWORD"])
+    user.save()
+
+    authentik_admins = Group.objects.filter(name="authentik Admins").first()
+    if authentik_admins:
+        user.groups.add(authentik_admins)
+
+    for name in groups:
+        user.groups.add(groups[name])
+    return user
+
+
+def ensure_groups_scope_mapping():
+    mapping, _ = ScopeMapping.objects.get_or_create(
+        name="NODE.DC OAuth Mapping: groups",
+        defaults={
+            "scope_name": "groups",
+            "description": "Adds Authentik group names to NODE.DC OIDC tokens.",
+            "expression": 'return {"groups": [group.name for group in request.user.groups.all()]}',
+        },
+    )
+    mapping.scope_name = "groups"
+    mapping.description = "Adds Authentik group names to NODE.DC OIDC tokens."
+    mapping.expression = 'return {"groups": [group.name for group in request.user.groups.all()]}'
+    mapping.save()
+    return mapping
+
+
+def default_scope_mappings():
+    scope_names = ["openid", "email", "profile", "offline_access"]
+    mappings = list(ScopeMapping.objects.filter(scope_name__in=scope_names))
+    mappings.append(ensure_groups_scope_mapping())
+    return mappings
+
+
+def ensure_provider(spec, mappings):
+    authorization_flow = Flow.objects.get(slug="default-provider-authorization-implicit-consent")
+    invalidation_flow = Flow.objects.get(slug="default-provider-invalidation-flow")
+
+    provider = OAuth2Provider.objects.filter(name=spec["provider_name"]).first()
+    if provider is None:
+        provider = OAuth2Provider(name=spec["provider_name"])
+
+    provider.name = spec["provider_name"]
+    provider.client_type = ClientTypes.CONFIDENTIAL
+    provider.client_id = required_env(spec["client_id_env"])
+    provider.client_secret = required_env(spec["client_secret_env"])
+    provider.redirect_uris = [
+        RedirectURI(RedirectURIMatchingMode.STRICT, required_env(spec["redirect_uri_env"]))
+    ]
+    provider.logout_uri = spec["logout_uri"]
+    provider.logout_method = OAuth2LogoutMethod.FRONTCHANNEL
+    provider.include_claims_in_id_token = True
+    provider.sub_mode = SubModes.USER_UUID
+    provider.issuer_mode = IssuerMode.PER_PROVIDER
+    provider.authorization_flow = authorization_flow
+    provider.invalidation_flow = invalidation_flow
+    provider.save()
+    provider.property_mappings.set(mappings)
+    return provider
+
+
+def ensure_application(spec, provider, groups):
+    application = Application.objects.filter(slug=spec["slug"]).first()
+    if application is None:
+        application = Application(slug=spec["slug"], name=spec["name"])
+
+    application.name = spec["name"]
+    application.slug = spec["slug"]
+    application.group = "NODE.DC"
+    application.provider = provider
+    application.meta_launch_url = spec["launch_url"]
+    application.meta_description = spec["description"]
+    application.meta_publisher = "NODE.DC"
+    application.open_in_new_tab = False
+    application.policy_engine_mode = "any"
+    application.save()
+
+    PolicyBinding.objects.filter(target=application).exclude(
+        group__name__in=spec["groups"]
+    ).delete()
+    for order, group_name in enumerate(spec["groups"]):
+        binding = PolicyBinding.objects.filter(target=application, group=groups[group_name]).first()
+        if binding is None:
+            binding = PolicyBinding(target=application, group=groups[group_name])
+        binding.enabled = True
+        binding.negate = False
+        binding.timeout = 30
+        binding.failure_result = False
+        binding.order = order
+        binding.save()
+
+    return application
+
+
+@transaction.atomic
+def main():
+    groups = ensure_groups()
+    user = ensure_user_groups(groups)
+    mappings = default_scope_mappings()
+    applications = []
+    providers = []
+
+    for spec in APP_SPECS:
+        provider = ensure_provider(spec, mappings)
+        application = ensure_application(spec, provider, groups)
+        providers.append(provider)
+        applications.append(application)
+
+    summary = {
+        "groups": list(groups),
+        "admin_user": user.email if user else None,
+        "applications": [application.slug for application in applications],
+        "providers": [provider.name for provider in providers],
+    }
+    print(summary)
+
+
+main()
--- a/infra/scripts/bootstrap-authentik-dev.sh
+++ b/infra/scripts/bootstrap-authentik-dev.sh
@ -0,0 +1,78 @@
+#!/usr/bin/env sh
+set -eu
+
+SCRIPT_DIR=$(CDPATH= cd -- "$(dirname -- "$0")" && pwd)
+INFRA_DIR=$(CDPATH= cd -- "$SCRIPT_DIR/.." && pwd)
+ROOT_DIR=$(CDPATH= cd -- "$INFRA_DIR/.." && pwd)
+ENV_FILE="$INFRA_DIR/.env"
+COMPOSE_FILE="$INFRA_DIR/docker-compose.dev.yml"
+BOOTSTRAP_SCRIPT="$INFRA_DIR/authentik/bootstrap-dev.py"
+
+if [ ! -f "$ENV_FILE" ]; then
+  echo "Missing $ENV_FILE. Run infra/scripts/init-dev-env.sh first." >&2
+  exit 1
+fi
+
+rand_hex() {
+  openssl rand -hex "$1" | tr -d '\n'
+}
+
+upsert_env() {
+  key="$1"
+  value="$2"
+  python3 - "$ENV_FILE" "$key" "$value" <<'PY'
+from pathlib import Path
+from sys import argv
+
+path = Path(argv[1])
+key = argv[2]
+value = argv[3]
+lines = path.read_text().splitlines()
+prefix = f"{key}="
+for index, line in enumerate(lines):
+    if line.startswith(prefix):
+        lines[index] = f"{key}={value}"
+        break
+else:
+    lines.append(f"{key}={value}")
+path.write_text("\n".join(lines) + "\n")
+PY
+}
+
+get_env() {
+  key="$1"
+  awk -F= -v key="$key" '$1 == key {print substr($0, length(key) + 2)}' "$ENV_FILE" | tail -n 1
+}
+
+ensure_env_value() {
+  key="$1"
+  fallback="$2"
+  value=$(get_env "$key")
+  if [ -z "$value" ]; then
+    value="$fallback"
+    upsert_env "$key" "$value"
+  fi
+}
+
+ensure_env_value LAUNCHER_OIDC_CLIENT_ID nodedc-launcher
+ensure_env_value PLANE_OIDC_CLIENT_ID nodedc-task-manager
+ensure_env_value LAUNCHER_OIDC_CLIENT_SECRET "$(rand_hex 48)"
+ensure_env_value PLANE_OIDC_CLIENT_SECRET "$(rand_hex 48)"
+ensure_env_value LAUNCHER_OIDC_REDIRECT_URI http://launcher.local.nodedc/auth/callback
+ensure_env_value PLANE_OIDC_REDIRECT_URI http://task.local.nodedc/auth/oidc/callback
+
+set -a
+. "$ENV_FILE"
+set +a
+
+cd "$ROOT_DIR"
+docker compose --env-file "$ENV_FILE" -f "$COMPOSE_FILE" exec -T \
+  -e NODEDC_BOOTSTRAP_ADMIN_EMAIL="${NODEDC_BOOTSTRAP_ADMIN_EMAIL:-}" \
+  -e NODEDC_BOOTSTRAP_ADMIN_PASSWORD="${NODEDC_BOOTSTRAP_ADMIN_PASSWORD:-}" \
+  -e LAUNCHER_OIDC_CLIENT_ID="$LAUNCHER_OIDC_CLIENT_ID" \
+  -e LAUNCHER_OIDC_CLIENT_SECRET="$LAUNCHER_OIDC_CLIENT_SECRET" \
+  -e LAUNCHER_OIDC_REDIRECT_URI="$LAUNCHER_OIDC_REDIRECT_URI" \
+  -e PLANE_OIDC_CLIENT_ID="$PLANE_OIDC_CLIENT_ID" \
+  -e PLANE_OIDC_CLIENT_SECRET="$PLANE_OIDC_CLIENT_SECRET" \
+  -e PLANE_OIDC_REDIRECT_URI="$PLANE_OIDC_REDIRECT_URI" \
+  authentik-server ak shell < "$BOOTSTRAP_SCRIPT"
--- a/infra/scripts/init-dev-env.sh
+++ b/infra/scripts/init-dev-env.sh
@ -44,14 +44,14 @@ AUTHENTIK_BOOTSTRAP_TOKEN=$(rand 36)

 # launcher oidc
 LAUNCHER_OIDC_ISSUER=http://auth.local.nodedc/application/o/launcher/
-LAUNCHER_OIDC_CLIENT_ID=
-LAUNCHER_OIDC_CLIENT_SECRET=
+LAUNCHER_OIDC_CLIENT_ID=nodedc-launcher
+LAUNCHER_OIDC_CLIENT_SECRET=$(openssl rand -hex 48 | tr -d '\n')
 LAUNCHER_OIDC_REDIRECT_URI=http://launcher.local.nodedc/auth/callback

 # plane oidc
 PLANE_OIDC_ISSUER=http://auth.local.nodedc/application/o/task-manager/
-PLANE_OIDC_CLIENT_ID=
-PLANE_OIDC_CLIENT_SECRET=
+PLANE_OIDC_CLIENT_ID=nodedc-task-manager
+PLANE_OIDC_CLIENT_SECRET=$(openssl rand -hex 48 | tr -d '\n')
 PLANE_OIDC_REDIRECT_URI=http://task.local.nodedc/auth/oidc/callback

 # security