Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Expression policy error builtins.KeyError: 'flow_plan' #9486

Closed
ToshY opened this issue Apr 27, 2024 · 3 comments
Closed

Expression policy error builtins.KeyError: 'flow_plan' #9486

ToshY opened this issue Apr 27, 2024 · 3 comments

Comments

@ToshY
Copy link

ToshY commented Apr 27, 2024
edited
Loading

Problem

Originally posted by @ToshY in #9477 (comment)

Using an expression policy in default-enrollment-flow fails with error Expression policy error builtins.KeyError: 'flow_plan'.

Reproduction

Following-up from #9477, I've continued testing with with ghcr.io/goauthentik/dev-server:gh-bfc340df160328e1aa0f7dfa4f1592729923ae9c, and if I add another expression policy (e.g. custom-enrollment-group; example taken from docs) with execution logging disabled, and bind the policy to the default-source-enrollment as well, I get both the policy message that user is not allowed to login (from the previous google-email-expression policy), but also an additonal message containing flow_plan.

default-source-enrollment

image

default-source-enrollment policies:

image

custom-enrollment-group

image

Response

Response for user1@gmail.com (allowed)

image

Response for user3@gmail.com (not allowed)

image

So it shows flow_plan in the message as well. Looking in the UI notification the following message is shown:

Traceback (most recent call last):\n  File \"custom-enrollment-group\", line 6, in <module>\n  File \"custom-enrollment-group\", line 4, in handler\nbuiltins.KeyError: 'flow_plan'"

So apparently now my second expression policy is broken due to the usage of request.context["flow_plan"]. The example was taken from the docs, so what am I doing wrong here?
@BeryJu
Copy link
Member

BeryJu commented Apr 27, 2024

The docs should be clearer on this, but the error happens due to the fact that the policies bound directly to a flow are evaluated before the flow planner starts - and as such there's no flow_plan available yet and it can't be accessed in policies

@ToshY
Copy link
Author

ToshY commented Apr 28, 2024

Hey @BeryJu ,

the policies bound directly to a flow are evaluated before the flow planner starts

Does this correspond with the "pre-flow policies" as denoted by the flow diagram?

and as such there's no flow_plan available yet and it can't be accessed in policies

Would you then have any suggestions or alternatives on how should I proceed? My objective is to add the users to one (or mulitple) groups automatically.

@ToshY
Copy link
Author

ToshY commented Apr 29, 2024

Hey @BeryJu

I'll close this as I figured out what I was doing wrong, which was that I added the policy to the "Policy / Group / User Bindings" tab (which are apparently "pre-flow policies"), but what I needed was to add the policy inside the "Stage bindings" tab under the default-source-enrollment-write.

image

I totally not notice or just overlooked the dropdown arrow icon there, so I had no idea I could open it to add policies to it🤦‍♂️ Makes a lot more sense now, as I see the policy in my flow diagram before the user write stage (which the docs do point out correctly).

image

@ToshY ToshY closed this as completed Apr 29, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@BeryJu @ToshY