add outpost blueprint tests; update forward-auth docs

d-buckner · d-buckner · commit 9bd72d027d41 · 2026-01-12T17:42:02.000-08:00
- Add tests for GenerateOutpostBlueprint (provider refs, config values)
- Add test for blueprint removal when no providers
- Update authentik-integration.md to document blueprint-based approach
diff --git a/docs/design/authentik-integration.md b/docs/design/authentik-integration.md
@@ -232,11 +232,21 @@ entries:
 
 2. **external_host must be root URL**: Set to `http://localhost:8080` (not `http://localhost:8080/embed/qbittorrent/`). The OAuth callback path `/outpost.goauthentik.io/callback` is appended to this, and Traefik only routes this at the root level.
 
-3. **Embedded outpost association**: After creating the proxy provider via blueprint, the host-agent must add it to the "authentik Embedded Outpost" via API. Blueprints create providers but don't automatically associate them with outposts.
+3. **Embedded outpost association**: The host-agent generates a `bloud-outpost.yaml` blueprint that adds all forward-auth proxy providers to the embedded outpost and configures `authentik_host`/`authentik_host_browser` for correct OAuth redirects. This blueprint uses `!Find` to reference providers by name, so they can be created by separate app blueprints.
 
-```go
-// Host-agent adds provider to embedded outpost after blueprint applies
-client.AddProviderToEmbeddedOutpost("qBittorrent Proxy Provider")
+```yaml
+# bloud-outpost.yaml (auto-generated)
+entries:
+  - model: authentik_outposts.outpost
+    state: present
+    identifiers:
+      name: authentik Embedded Outpost
+    attrs:
+      providers:
+        - !Find [authentik_providers_proxy.proxyprovider, [name, "App Proxy Provider"]]
+      config:
+        authentik_host: "http://localhost:8080"
+        authentik_host_browser: "http://localhost:8080"
 ```
 
 ---
diff --git a/services/host-agent/internal/sso/blueprint_test.go b/services/host-agent/internal/sso/blueprint_test.go
@@ -175,3 +175,87 @@ func TestDeleteBlueprint_NonExistent(t *testing.T) {
 		t.Errorf("DeleteBlueprint should not error for non-existent file: %v", err)
 	}
 }
+
+func TestGenerateOutpostBlueprint(t *testing.T) {
+	dir := t.TempDir()
+
+	gen := NewBlueprintGenerator(
+		"test-secret",
+		"http://localhost:8080",
+		"http://localhost:8080",
+		dir,
+	)
+
+	providers := []ForwardAuthProvider{
+		{DisplayName: "App One"},
+		{DisplayName: "App Two"},
+	}
+
+	err := gen.GenerateOutpostBlueprint(providers)
+	if err != nil {
+		t.Fatalf("GenerateOutpostBlueprint failed: %v", err)
+	}
+
+	// Read the generated file
+	content, err := os.ReadFile(filepath.Join(dir, "bloud-outpost.yaml"))
+	if err != nil {
+		t.Fatalf("ReadFile failed: %v", err)
+	}
+
+	contentStr := string(content)
+	t.Logf("Generated blueprint:\n%s", contentStr)
+
+	// Verify it references the embedded outpost
+	if !strings.Contains(contentStr, "authentik Embedded Outpost") {
+		t.Error("Expected 'authentik Embedded Outpost' identifier not found")
+	}
+
+	// Verify provider references using !Find syntax
+	if !strings.Contains(contentStr, `"App One Proxy Provider"`) {
+		t.Error("Expected App One provider reference not found")
+	}
+	if !strings.Contains(contentStr, `"App Two Proxy Provider"`) {
+		t.Error("Expected App Two provider reference not found")
+	}
+
+	// Verify config includes authentik_host and authentik_host_browser
+	if !strings.Contains(contentStr, `authentik_host: "http://localhost:8080"`) {
+		t.Error("Expected authentik_host config not found")
+	}
+	if !strings.Contains(contentStr, `authentik_host_browser: "http://localhost:8080"`) {
+		t.Error("Expected authentik_host_browser config not found")
+	}
+}
+
+func TestGenerateOutpostBlueprint_NoProviders(t *testing.T) {
+	dir := t.TempDir()
+
+	gen := NewBlueprintGenerator(
+		"test-secret",
+		"http://localhost:8080",
+		"http://localhost:8080",
+		dir,
+	)
+
+	// Create a blueprint file first
+	err := gen.GenerateOutpostBlueprint([]ForwardAuthProvider{{DisplayName: "Test"}})
+	if err != nil {
+		t.Fatalf("GenerateOutpostBlueprint failed: %v", err)
+	}
+
+	blueprintPath := filepath.Join(dir, "bloud-outpost.yaml")
+	if _, err := os.Stat(blueprintPath); os.IsNotExist(err) {
+		t.Fatal("Blueprint file was not created")
+	}
+
+	// Call with empty providers - should remove the file
+	err = gen.GenerateOutpostBlueprint([]ForwardAuthProvider{})
+	if err != nil {
+		t.Fatalf("GenerateOutpostBlueprint with empty providers failed: %v", err)
+	}
+
+	// Verify file is removed
+	if _, err := os.Stat(blueprintPath); !os.IsNotExist(err) {
+		t.Error("Blueprint file should be removed when no providers")
+	}
+}
