* web: Add InvalidationFlow to Radius Provider dialogues
## What
- Bugfix: adds the InvalidationFlow to the Radius Provider dialogues
- Repairs: `{"invalidation_flow":["This field is required."]}` message, which was *not* propagated
to the Notification.
- Nitpick: Pretties `?foo=${true}` expressions: `s/\?([^=]+)=\$\{true\}/\1/`
## Note
Yes, I know I'm going to have to do more magic when we harmonize the forms, and no, I didn't add the
Property Mappings to the wizard, and yes, I know I'm going to have pain with the *new* version of
the wizard. But this is a serious bug; you can't make Radius servers with *either* of the current
dialogues at the moment.
* web/bugfix/fix-reporting-in-wizard-submit
# What
- Preserves the errors locally for the Wizard, providing explanation and links to fix the issues
# Why
Just a silly mistake on my part. There shouldn't be two copies of errors (and there isn't in the BIG
PRs), but this is how it's designed right now and making the errors show up is an easy fix. In doing
so, the "hack" to move the "bad provider name" to the provider page is included.
* Updated package.json to use Chromedriver 130
* web: Add InvalidationFlow to Radius Provider dialogues
## What
- Bugfix: adds the InvalidationFlow to the Radius Provider dialogues
- Repairs: `{"invalidation_flow":["This field is required."]}` message, which was *not* propagated
to the Notification.
- Nitpick: Pretties `?foo=${true}` expressions: `s/\?([^=]+)=\$\{true\}/\1/`
## Note
Yes, I know I'm going to have to do more magic when we harmonize the forms, and no, I didn't add the
Property Mappings to the wizard, and yes, I know I'm going to have pain with the *new* version of
the wizard. But this is a serious bug; you can't make Radius servers with *either* of the current
dialogues at the moment.
* First things first: save the blueprint that initializes the test runner.
* Committing to having the PKs be a string, and streamlining an event handler. Type solidity needed for the footer control.
* web/admin/better-footer-links
# What
- A data control that takes two string fields and returns the JSON object for a FooterLink
- A data control that takes a control like the one above and assists the user in entering a
collection of such objects.
# Why
We're trying to move away from CodeMirror for the simple things, like tables of what is essentially
data entry. Jens proposed this ArrayInput thing, and I've simplified it so you define what "a row"
is as a small, lightweight custom Component that returns and validates the datatype for that row,
and ArrayInput creates a table of rows, and that's that.
We're still working out the details, but the demo is to replace the "Name & URL" table in
AdminSettingsForm with this, since it was silly to ask the customer to hand-write JSON or YAML,
getting the keys right every time, for an `Array<Record<{ name: string, href: string }>>`. And some
client-side validation can't hurt.
Storybook included. Tests to come.
* Not ready for prime time.
* One lint. Other lints are still in progress.
* web: lots of 'as unknown as Foo'
I know this is considered bad practice, but we use Lit and Lit.spread
to send initialization arguments to functions that create DOM
objects, and Lit's prefix convention of '.' for object, '?' for
boolean, and '@' for event handler doesn't map at all to the Interface
declarations of Typescript. So we have to cast these types when
sending them via functions to constructors.
* web/admin/better-footer-links
# What
- Remove the "JSON or YAML" language from the AdminSettings page for describing FooterLinks inputs.
- Add unit tests for ArrayInput and AdminSettingsFooterLinks.
- Provide a property for accessing a component's value
# Why
Providing a property by which the JSONified version of the value can be accessed enhances the
ability of tests to independently check that the value is in a state we desire, since properties can
easily be accessed across the wire protocol used by browser-based testing environments.
* Ensure the UI is built from _current_ before running tests.
* core: add ability to provide reason for impersonation
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* tenants api things
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* add missing implem
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* A tooltip needs a DOM object to determine the coordinates where it should render. A solitary string is not enough; a is needed here.
* web: user impersonation reason
To determine where to render the Tooltip content, the object associated with the Tooltip must be a DOM object with an HTML tag. A naked string is not enough; a `<span>` will do nicely here.
Also, fixed a build failure: PFSize was not defined in RelatedUserList.
* add and fix tests
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* avoid migration change
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* small fixes
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
---------
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Co-authored-by: Ken Sternberg <ken@goauthentik.io>
* main:
website: bump elliptic from 6.5.7 to 6.6.0 in /website (#11869)
core: bump selenium from 4.25.0 to 4.26.0 (#11875)
core: bump goauthentik.io/api/v3 from 3.2024083.14 to 3.2024100.1 (#11876)
website/docs: add info about invalidation flow, default flows in general (#11800)
website: fix docs redirect (#11873)
website: remove RC disclaimer for version 2024.10 (#11871)
website: update supported versions (#11841)
web: bump API Client version (#11870)
root: backport version bump 2024.10.0 (#11868)
website/docs: 2024.8.4 release notes (#11862)
web/admin: provide default invalidation flows for LDAP and Radius (#11861)
core, web: update translations (#11858)
* web: Add InvalidationFlow to Radius Provider dialogues
## What
- Bugfix: adds the InvalidationFlow to the Radius Provider dialogues
- Repairs: `{"invalidation_flow":["This field is required."]}` message, which was *not* propagated
to the Notification.
- Nitpick: Pretties `?foo=${true}` expressions: `s/\?([^=]+)=\$\{true\}/\1/`
## Note
Yes, I know I'm going to have to do more magic when we harmonize the forms, and no, I didn't add the
Property Mappings to the wizard, and yes, I know I'm going to have pain with the *new* version of
the wizard. But this is a serious bug; you can't make Radius servers with *either* of the current
dialogues at the moment.
* web/admin: provide default invalidation flows for LDAP provider.
* admin/web: the default invalidation flows for LDAP and Radius are different from the others.
* main:
web/admin: fix code-based MFA toggle not working in wizard (#11854)
sources/kerberos: add kiprop to ignored system principals (#11852)
translate: Updates for file locale/en/LC_MESSAGES/django.po in zh_CN (#11846)
translate: Updates for file locale/en/LC_MESSAGES/django.po in it (#11845)
translate: Updates for file web/xliff/en.xlf in zh_CN (#11847)
translate: Updates for file web/xliff/en.xlf in zh-Hans (#11848)
translate: Updates for file locale/en/LC_MESSAGES/django.po in zh-Hans (#11849)
translate: Updates for file web/xliff/en.xlf in it (#11850)
website: 2024.10 Release Notes (#11839)
translate: Updates for file web/xliff/en.xlf in zh-Hans (#11814)
core, web: update translations (#11821)
core: bump goauthentik.io/api/v3 from 3.2024083.13 to 3.2024083.14 (#11830)
core: bump service-identity from 24.1.0 to 24.2.0 (#11831)
core: bump twilio from 9.3.5 to 9.3.6 (#11832)
core: bump pytest-randomly from 3.15.0 to 3.16.0 (#11833)
website/docs: Update social-logins github (#11822)
website/docs: remove � (#11823)
lifecycle: fix kdc5-config missing (#11826)
website/docs: update preview status of different features (#11817)
## What
- For LDAP, OAuth2, Radius, SAML, SCIM, and Proxy providers, extract the literal form rendering
component of each provider into a function. After all, that's what they are: they take input (the
render state) and produce output (HTML with event handlers).
- Rip out all of the forms in the wizard and replace them with ☝️
- Write E2E tests that exercise *all* of the components in *all* of the forms mentioned. See test
results. These tests come in two flavors, "simple" (minimum amount needed to make the provider
"pass" the backend's parsers) and "complete" (touches every legal field in the form according to
the authentik `./schema.yml` file). As a result, every field is validated against the schema
(although the schema is currently ported into the test by hand.
- Fixed some serious bugginess in the way the wizard `commit` phase handles errors.
## Details
### Providers
In some cases, I broke up the forms into smaller units:
- Proxy, especially, with standalone units now for `renderHttpBasic`, `renderModeSelector`,
`renderSettings`, and the differing modes)
- SAML now has a `renderHasSigningKp` object, which makes that part of the code much more readable.
I also extracted a few of static `options` collections into static const objects, so that the form
object itself would be a bit more readable.
### Wizard
Just ripped out all of the Provider forms. All of them. They weren't going to be needed in our
glorious new future.
Using the information provided by the `providerTypes` object, it was easy to extract all of the
information that had once been in `ak-application-wizard-authentication-method-choice.choices`. The
only thing left now is the renderers, one for each of the forms ripped out. Everything else is just
gone.
As a result, though, that's no longer a static list. It has to be derived from information sent via
the API. So now it's in a context that's built when the wizard is initialized, and accessed by the
`createTypes` pass as well as the specific provider.
The error handling in the `commit` pass was just broken. I have improved it quite a bit, and now it
actually displays helpful messages when things go wrong.
### Tests
Wrote a simple test runner that iterates through a collection of fields, setting their values via
field-type instructions contained in each line. For example, the "simple" OAuth2 Provider test looks
like this:
```
export const simpleOAuth2ProviderForm: TestProvider = () => [
[setTypeCreate, "selectProviderType", "OAuth2/OpenID Provider"],
[clickButton, "Next"],
[setTextInput, "name", newObjectName("New Oauth2 Provider")],
[setSearchSelect, "authorizationFlow", /default-provider-authorization-explicit-consent/],
];
```
Each control checks for the existence of the object, and in most cases its current `display`.
(SearchSelect only checks existence, due to the oddness of the portaled popup.) Where a field can't
reasonably be modified and still pass, we at least verify that the name provided in `schema.yml`
corresponds to an existing, available control on the form or wizard panel.
Combined with a routine for logging in and navigating to the Provider page, and another one to
validate that a new and uniqute "Successfully Created Provider" notification appeared, this makes
testing each provider a simple message of filling out the table of fields you want populated.
Equally simple: these *exact same tests* can be incorporated into a wrapper for logging in,
navigating to the Application page, and filling out an Application, and then a new and unique
Provider for that Application, by Provider Type.
As a special case, the Wizard variant checks the `TestSequence` object returned by the
`TestProvider` function and removes the `name` field, since the Wizard pre-populates that
automatically.
As a result of this, the contents of `./web/src` has lost 1,504 lines of code. And results like
these, where the behavior has been cross-checked three ways (the forms, the tests (and so the
back-end), *and the schema* all agree on field names and behaviors, gives me much more confidence
that the refactor works as expected:
```
[chrome 130.0.6723.70 mac #0-1] Running: chrome (v130.0.6723.70) on mac
[chrome 130.0.6723.70 mac #0-1] Session ID: 039c70690eebc83ffbc2eef97043c774
[chrome 130.0.6723.70 mac #0-1]
[chrome 130.0.6723.70 mac #0-1] » /tests/specs/providers.ts
[chrome 130.0.6723.70 mac #0-1] Configuring Providers
[chrome 130.0.6723.70 mac #0-1] ✓ Should successfully configure a Simple LDAP provider
[chrome 130.0.6723.70 mac #0-1] ✓ Should successfully configure a Simple OAuth2 provider
[chrome 130.0.6723.70 mac #0-1] ✓ Should successfully configure a Simple Radius provider
[chrome 130.0.6723.70 mac #0-1] ✓ Should successfully configure a Simple SAML provider
[chrome 130.0.6723.70 mac #0-1] ✓ Should successfully configure a Simple SCIM provider
[chrome 130.0.6723.70 mac #0-1] ✓ Should successfully configure a Simple Proxy provider
[chrome 130.0.6723.70 mac #0-1] ✓ Should successfully configure a Simple Forward Auth (single application) provider
[chrome 130.0.6723.70 mac #0-1] ✓ Should successfully configure a Simple Forward Auth (domain level) provider
[chrome 130.0.6723.70 mac #0-1] ✓ Should successfully configure a Complete OAuth2 provider
[chrome 130.0.6723.70 mac #0-1] ✓ Should successfully configure a Complete LDAP provider
[chrome 130.0.6723.70 mac #0-1] ✓ Should successfully configure a Complete Radius provider
[chrome 130.0.6723.70 mac #0-1] ✓ Should successfully configure a Complete SAML provider
[chrome 130.0.6723.70 mac #0-1] ✓ Should successfully configure a Complete SCIM provider
[chrome 130.0.6723.70 mac #0-1] ✓ Should successfully configure a Complete Proxy provider
[chrome 130.0.6723.70 mac #0-1] ✓ Should successfully configure a Complete Forward Auth (single application) provider
[chrome 130.0.6723.70 mac #0-1] ✓ Should successfully configure a Complete Forward Auth (domain level) provider
[chrome 130.0.6723.70 mac #0-1]
[chrome 130.0.6723.70 mac #0-1] 16 passing (1m 48.5s)
------------------------------------------------------------------
[chrome 130.0.6723.70 mac #0-2] Running: chrome (v130.0.6723.70) on mac
[chrome 130.0.6723.70 mac #0-2] Session ID: 5a3ae12c851eff8fffd2686096759146
[chrome 130.0.6723.70 mac #0-2]
[chrome 130.0.6723.70 mac #0-2] » /tests/specs/new-application-by-wizard.ts
[chrome 130.0.6723.70 mac #0-2] Configuring Applications Via the Wizard
[chrome 130.0.6723.70 mac #0-2] ✓ Should successfully configure an application with a Simple LDAP provider
[chrome 130.0.6723.70 mac #0-2] ✓ Should successfully configure an application with a Simple OAuth2 provider
[chrome 130.0.6723.70 mac #0-2] ✓ Should successfully configure an application with a Simple Radius provider
[chrome 130.0.6723.70 mac #0-2] ✓ Should successfully configure an application with a Simple SAML provider
[chrome 130.0.6723.70 mac #0-2] ✓ Should successfully configure an application with a Simple SCIM provider
[chrome 130.0.6723.70 mac #0-2] ✓ Should successfully configure an application with a Simple Proxy provider
[chrome 130.0.6723.70 mac #0-2] ✓ Should successfully configure an application with a Simple Forward Auth (single) provider
[chrome 130.0.6723.70 mac #0-2] ✓ Should successfully configure an application with a Simple Forward Auth (domain) provider
[chrome 130.0.6723.70 mac #0-2] ✓ Should successfully configure an application with a Complete OAuth2 provider
[chrome 130.0.6723.70 mac #0-2] ✓ Should successfully configure an application with a Complete LDAP provider
[chrome 130.0.6723.70 mac #0-2] ✓ Should successfully configure an application with a Complete Radius provider
[chrome 130.0.6723.70 mac #0-2] ✓ Should successfully configure an application with a Complete SAML provider
[chrome 130.0.6723.70 mac #0-2] ✓ Should successfully configure an application with a Complete SCIM provider
[chrome 130.0.6723.70 mac #0-2] ✓ Should successfully configure an application with a Complete Proxy provider
[chrome 130.0.6723.70 mac #0-2] ✓ Should successfully configure an application with a Complete Forward Auth (single) provider
[chrome 130.0.6723.70 mac #0-2] ✓ Should successfully configure an application with a Complete Forward Auth (domain) provider
[chrome 130.0.6723.70 mac #0-2]
[chrome 130.0.6723.70 mac #0-2] 16 passing (2m 3s)
```
🎉
* main: (22 commits)
lifecycle: fix missing krb5 deps for full testing in image (#11815)
translate: Updates for file web/xliff/en.xlf in zh-Hans (#11810)
translate: Updates for file locale/en/LC_MESSAGES/django.po in zh-Hans (#11809)
translate: Updates for file locale/en/LC_MESSAGES/django.po in zh_CN (#11808)
web: bump API Client version (#11807)
core: bump goauthentik.io/api/v3 from 3.2024083.12 to 3.2024083.13 (#11806)
core: bump ruff from 0.7.0 to 0.7.1 (#11805)
core: bump twilio from 9.3.4 to 9.3.5 (#11804)
core, web: update translations (#11803)
providers/scim: handle no members in group in consistency check (#11801)
stages/identification: add captcha to identification stage (#11711)
website/docs: improve root page and redirect (#11798)
providers/scim: clamp batch size for patch requests (#11797)
web/admin: fix missing div in wizard forms (#11794)
providers/proxy: fix handling of AUTHENTIK_HOST_BROWSER (#11722)
core, web: update translations (#11789)
core: bump goauthentik.io/api/v3 from 3.2024083.11 to 3.2024083.12 (#11790)
core: bump gssapi from 1.8.3 to 1.9.0 (#11791)
web: bump API Client version (#11792)
stages/authenticator_validate: autoselect last used 2fa device (#11087)
...
* add captcha to identification stage
* simplify component invocations
* fail fast on `onTokenChange` default behavior
* reword docs
* rename `token` to `captcha_token` in Identification stage contexts
(In Captcha stage contexts the name `token` seems well-scoped.)
* use `nothing` instead of ``` html`` ```
* remove rendered Captcha component from document flow on Identification stages
Note: this doesn't remove the captcha itself, if interactive, only the loading
indicator.
* add invisible requirement to captcha on Identification stage
* stylize docs
* add friendlier error messages to Captcha stage
* fix tests
* make captcha error messages even friendlier
* add test case to retriable captcha
* use default
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
* authenticator_validate: autoselect last used device class
* improve usability of `AuthenticatorValidationStage`
* don't automatically offer the recovery key authenticator validation
I believe this could confuse users more than help them
* web: move mutator block into the `willUpdate` override
Removed the section of code from the renderer that updates the state of the component;
Mutating in the middle of a render is strongly discouraged. This block contains an
algorithm for determining if the selectedDeviceChallenge should be set and how; since
`selectedDeviceChallenge` is a state, we don't want to be changing it outside of those
lifecycle methods that do not trigger a rerender.
* web: move styles() to top of class, extract custom CSS to a named block.
* lint: collapse multiple early returns, missing curly brace.
* autoselect device only once even if the user only has 1 device
* make `DeviceChallenge.last_used` nullable instead of optional
* clarify button text
* fix typo
* add docs for automatic device selection
* update docs
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Signed-off-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com>
* fix punctuation
---------
Signed-off-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com>
Co-authored-by: Ken Sternberg <ken@goauthentik.io>
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
* main:
web/admin: Add InvalidationFlow to Radius Provider dialogues (#11786)
core, web: update translations (#11782)
providers/oauth2: fix amr claim not set due to login event not associated (#11780)
web: Add InvalidationFlow to Radius Provider dialogues
## What
- Bugfix: adds the InvalidationFlow to the Radius Provider dialogues
- Repairs: `{"invalidation_flow":["This field is required."]}` message, which was *not* propagated
to the Notification.
- Nitpick: Pretties `?foo=${true}` expressions: `s/\?([^=]+)=\$\{true\}/\1/`
## Note
Yes, I know I'm going to have to do more magic when we harmonize the forms, and no, I didn't add the
Property Mappings to the wizard, and yes, I know I'm going to have pain with the *new* version of
the wizard. But this is a serious bug; you can't make Radius servers with *either* of the current
dialogues at the moment.
* main: (44 commits)
web/admin: add strict dompurify config for diagram (#11783)
core: bump cryptography from 43.0.1 to 43.0.3 (#11750)
web: bump API Client version (#11781)
sources: add Kerberos (#10815)
root: rework CSRF middleware to set secure flag (#11753)
web/admin: improve invalidation flow default & field grouping (#11769)
providers/scim: add comparison with existing group on update and delta update users (#11414)
website: bump mermaid from 10.6.0 to 10.9.3 in /website (#11766)
web/flows: use dompurify for footer links (#11773)
core, web: update translations (#11775)
core: bump goauthentik.io/api/v3 from 3.2024083.10 to 3.2024083.11 (#11776)
website: bump @types/react from 18.3.11 to 18.3.12 in /website (#11777)
website: bump http-proxy-middleware from 2.0.6 to 2.0.7 in /website (#11771)
web: bump API Client version (#11770)
stages: authenticator_endpoint_gdtc (#10477)
core: add prompt_data to auth flow (#11702)
tests/e2e: fix dex tests failing (#11761)
web/rac: disable DPI scaling (#11757)
web/admin: update flow background (#11758)
website/docs: fix some broken links (#11742)
...
- Pull the OAuth2 Provider Form `render()` method out into a standalone function.
- Why: So it can be shared by both the Wizard and the Provider function. The renderer is (or at
least, can be) a pure function: you give it input and it produces HTML, *and then it stops*.
- Provide a test harness that can test the OAuth2 provider form.
