web: Clean up error handling. Prep for permission checks.
- Add clearer reporting for API and network errors.
- Tidy error checking.
- Partial type safety for events.
web: Fix issues surrounding markdown rendering.
- Fix issue where Mermaid diagrams do not render.
- Fix link colors in dark mode.
- Fix anchored links triggering router.
- Fix issue where links occasionally link to missing page.
website/docs: Flesh out Apple Business Manager integration.
- Fix missing required attribute.
- Adjust visible headers in table of contents.
- Fix Docusaurus warning for nested paragraphs.
* web: sources: disable "delete" button for built-in source
* poetry doesn't like that I use python 3.13 / implement check on backend too
* fix ruff i think
Signed-off-by: Dominic R <git@sdko.org>
* nvm
Signed-off-by: Dominic R <git@sdko.org>
* reformat
* check by managed attribute
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* like this?
---------
Signed-off-by: Dominic R <git@sdko.org>
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Dominic R <git@sdko.org>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
* providers/scim: override AWS patch support
AWS /ServiceProviderConfig query responds that it supports patch,
but they only support patching a single group property.
resolves#12321
* introduce compatibility mode for scim provider instead of hack
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* add option for slack
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
---------
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
* Change token_expiry type from integer to text in Email Stage to unify with timedelta_string_validator
* Add migration file for token_expiry format, change from number to text field in the UI
* Fix token_expiry new format in stage.py in Email Stage
* fix linting
* Update web/src/admin/stages/email/EmailStageForm.ts
Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Signed-off-by: Marcelo Elizeche Landó <marce@melizeche.com>
* Use db_alias and using() for the queries
* Make valid_delta more readable
* use <ak-utils-time-delta-help> in the UI
* fix missing import
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
---------
Signed-off-by: Marcelo Elizeche Landó <marce@melizeche.com>
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
* wip
* wip
* try to make this work with ken's writeup
Signed-off-by: Dominic R <dominic@sdko.org>
* wip
---------
Signed-off-by: Dominic R <dominic@sdko.org>
* web: Add InvalidationFlow to Radius Provider dialogues
## What
- Bugfix: adds the InvalidationFlow to the Radius Provider dialogues
- Repairs: `{"invalidation_flow":["This field is required."]}` message, which was *not* propagated
to the Notification.
- Nitpick: Pretties `?foo=${true}` expressions: `s/\?([^=]+)=\$\{true\}/\1/`
## Note
Yes, I know I'm going to have to do more magic when we harmonize the forms, and no, I didn't add the
Property Mappings to the wizard, and yes, I know I'm going to have pain with the *new* version of
the wizard. But this is a serious bug; you can't make Radius servers with *either* of the current
dialogues at the moment.
* This (temporary) change is needed to prevent the unit tests from failing.
\# What
\# Why
\# How
\# Designs
\# Test Steps
\# Other Notes
* Revert "This (temporary) change is needed to prevent the unit tests from failing."
This reverts commit dddde09be5.
* web/admin: fix display bug for assigned users in application bindings in the wizard
## What
Modifies the type-of-binding detection algorithm to check if there's a user field and
that it's a number.
## Why
The original type-of-binding detector checked if the field was set and asserted that it was a string
of at least one character. Unfortunately, this doesn't work for `user`, where the primary key is an
integer. Changing the algorithm to "It's really a string with something in it, *or* it's a number,"
works.
## Testing
- Ensure you have at least one user you can use, and that user has a username.
- Navigate through the Application Wizard until you reach the binding page.
- Create a user binding
- See that the user shows up in the table.
* web: Add InvalidationFlow to Radius Provider dialogues
## What
- Bugfix: adds the InvalidationFlow to the Radius Provider dialogues
- Repairs: `{"invalidation_flow":["This field is required."]}` message, which was *not* propagated
to the Notification.
- Nitpick: Pretties `?foo=${true}` expressions: `s/\?([^=]+)=\$\{true\}/\1/`
## Note
Yes, I know I'm going to have to do more magic when we harmonize the forms, and no, I didn't add the
Property Mappings to the wizard, and yes, I know I'm going to have pain with the *new* version of
the wizard. But this is a serious bug; you can't make Radius servers with *either* of the current
dialogues at the moment.
* This (temporary) change is needed to prevent the unit tests from failing.
\# What
\# Why
\# How
\# Designs
\# Test Steps
\# Other Notes
* Revert "This (temporary) change is needed to prevent the unit tests from failing."
This reverts commit dddde09be5.
* web/admin: allow admins to show only active users in Group assignments
## What
Adds a flag and a visible control to the "Add users to groups" dialog to limit the users
shown to only those marked as "active."
## Why
Requested, it was small, it made sense, and it was fairly trivial to implement. All the
infrastructure already existed.
## Testing
- Ensure you have both "active" and "inactive" users in your sample group.
- Visit Groups -> (One Group) -> Users ->. Click "Add existing user." Click the `+` symbol.
- A new toggle control, "Show inactive users," should now be visible.
- Click it and note whether or not the visible display corresponds to the stote of the control.
## Note
This commit does not address the second half of the request, "... the ability to add more than one
user to an entitlement." We recommend that if you have a group of people who correspond to a given
entitlement that you create a named group for them.
## Related Issue:
- [Hide disabled users when adding users to a group or entitlement
#12653](https://github.com/goauthentik/authentik/issues/12653)
* Provided an explanation for the odd expression around `CoreApi.coreUsersList:isActive`
* Use logical CSS; give room to expand
* Disambiguate variable names
* web: Add InvalidationFlow to Radius Provider dialogues
## What
- Bugfix: adds the InvalidationFlow to the Radius Provider dialogues
- Repairs: `{"invalidation_flow":["This field is required."]}` message, which was *not* propagated
to the Notification.
- Nitpick: Pretties `?foo=${true}` expressions: `s/\?([^=]+)=\$\{true\}/\1/`
## Note
Yes, I know I'm going to have to do more magic when we harmonize the forms, and no, I didn't add the
Property Mappings to the wizard, and yes, I know I'm going to have pain with the *new* version of
the wizard. But this is a serious bug; you can't make Radius servers with *either* of the current
dialogues at the moment.
* This (temporary) change is needed to prevent the unit tests from failing.
\# What
\# Why
\# How
\# Designs
\# Test Steps
\# Other Notes
* Revert "This (temporary) change is needed to prevent the unit tests from failing."
This reverts commit dddde09be5.
* web/admin: fix markdown being completely whited out in dark mode on proxy provider pages
## What
Removed the `pf-m-light` hard-code specification from the wrapper for Markdown.
## Why
Color themes backed with CSS custom properties are vulnerable to overspecification, and that's what
this class did; overspecified the background color to always be in "light mode," which the Markdown
component then inherited.
## Testing
Create a proxy provider page for Forward Auth Proxy (Domain-Level). Using the browser's inspector,
choose the "Styles" tab and click on the paintbrush. Alternate between dark mode and light, and
observe that the styled markdown is changing color along with the rest of the application.
## Related Issue:
- [Proxy Provider setup section completely whited out.
#13335](https://github.com/goauthentik/authentik/issues/13335)
* web/admin: use card background color directly when not in dark mode
* web: Add InvalidationFlow to Radius Provider dialogues
## What
- Bugfix: adds the InvalidationFlow to the Radius Provider dialogues
- Repairs: `{"invalidation_flow":["This field is required."]}` message, which was *not* propagated
to the Notification.
- Nitpick: Pretties `?foo=${true}` expressions: `s/\?([^=]+)=\$\{true\}/\1/`
## Note
Yes, I know I'm going to have to do more magic when we harmonize the forms, and no, I didn't add the
Property Mappings to the wizard, and yes, I know I'm going to have pain with the *new* version of
the wizard. But this is a serious bug; you can't make Radius servers with *either* of the current
dialogues at the moment.
* This (temporary) change is needed to prevent the unit tests from failing.
\# What
\# Why
\# How
\# Designs
\# Test Steps
\# Other Notes
* Revert "This (temporary) change is needed to prevent the unit tests from failing."
This reverts commit dddde09be5.
* web/admin: decorative display in user's page breaks in other locales
## What
Move the decorations out of the display string and make them part of the presentation instead:
```
- <small>${item.name === "" ? msg("<No name set>") : item.name}</small>
+ <small>${item.name ? item.name : html`<${msg("No name set")}>`}</small>
```
Also a bit of logic re-arrangement; whenever possible, try to put the fallback condition in the
secondary position. A ternary is appropriate here; the nullish coalescing operator (`??`) is not
triggered by an empty string.
## Why
The decorations are being misinterpreted as HTML markers. The localization function re-interprets
the ampersand a second time, creating the string `&lt;No name set&gt;.
## Testing
- Visit the user administration page in English mode:
http://localhost:9000/if/admin/#/identity/users
- Create a user but do NOT fill in the Name field (the second field, which lacks an asterisk
indicating "required.")
- Note that the user shows up, and `<No name set>` is displayed for the user's display name.
- Visit the user administration page in French mode:
http://localhost:9000/if/admin/?locale=fr#/identity/users
- Note that the user shows up, and `<No name set>` (or, if the field is translated, "Aucun nom
spécifié") is displayed for the user's display name.
## Related Issue:
- [Users list wrong display when Locale is not "EN - English"
#12951](https://github.com/goauthentik/authentik/issues/12951)
* web: Add InvalidationFlow to Radius Provider dialogues
## What
- Bugfix: adds the InvalidationFlow to the Radius Provider dialogues
- Repairs: `{"invalidation_flow":["This field is required."]}` message, which was *not* propagated
to the Notification.
- Nitpick: Pretties `?foo=${true}` expressions: `s/\?([^=]+)=\$\{true\}/\1/`
## Note
Yes, I know I'm going to have to do more magic when we harmonize the forms, and no, I didn't add the
Property Mappings to the wizard, and yes, I know I'm going to have pain with the *new* version of
the wizard. But this is a serious bug; you can't make Radius servers with *either* of the current
dialogues at the moment.
* This (temporary) change is needed to prevent the unit tests from failing.
\# What
\# Why
\# How
\# Designs
\# Test Steps
\# Other Notes
* Revert "This (temporary) change is needed to prevent the unit tests from failing."
This reverts commit dddde09be5.
* web: Make using the wizard the default for new applications
# What
1. I removed the "Wizard Hint" bar and migrated the "Create With Wizard" button down to the default
position as "Create With Provider," moving the "Create" button to a secondary position.
Primary coloring has been kept for both.
2. Added an alert to the "Create" legacy dialog:
> Using this form will only create an Application. In order to authenticate with the application,
> you will have to manually pair it with a Provider.
3. Updated the subtitle on the Wizard dialog:
``` diff
- wizardDescription = msg("Create a new application");
+ wizardDescription = msg("Create a new application and configure a provider for it.");
```
4. Updated the User page so that, if the User is-a Administrator and the number of Applications in
the system is zero, the user will be invited to create a new Application using the Wizard rather
than the legacy Form:
```diff
renderNewAppButton() {
const href = paramURL("/core/applications", {
- createForm: true,
+ createWizard: true,
});
```
5. Fixed a bug where, on initial render, if the `this.brand` field was not available, an error would
appear in the console. The effects were usually harmless, as brand information came quickly and
filled in before the user could notice, but it looked bad in the debugger.
6. Fixed a bug in testing where the wizard page "Configure Policy Bindings" had been changed to
"Configure Policy/User/Group Binding".
# Testing
Since the wizard OUID didn't change (`data-ouia-component-id="start-application-wizard"`), the E2E
tests for "Application Wizard" completed without any substantial changes to the routine or to the
tests.
``` sh
npm run test:e2e:watch -- --spec ./tests/specs/new-application-by-wizard.ts
```
# User documentation changes required.
These changes were made at the request of docs, as an initial draft to show how the page looks with
the Application Wizard as he default tool for creating new Applications.
# Developer documentation changes required.
None.
* stages/authenticator_email: Add basic structure for stages/authenticator_email
* stages/authenticator_email: Add stages/authenticator_email django app to settings.py
* stages/authenticator_email: Fix imports due changes introduced in #12598
* stages/authenticator_email: fix linting
* stages/authenticator_email: Add tests for token verification
* Add UI structure for authenticator_email
* Add autheticator_email to AuthenticatorValidateStageForm.ts and create AuthenticatorEmailStageForm.ts
* Add serializer property to emaildevice
* Add DeviceClasses.EMAIL to DeviceClasses
* Add migration file for DeviceClasses change (added email)
* Add new schema.yml and blueprints/schema.json to refelct email authenticator
* Fix UI to show the Email Authenticator
* Add support for email templates for the email authenticator
* Add templates
* Add DeviceClasses.EMAIL option to authenticator_validate/stage.py
* Fix logic for sending emails in stage.py and use the proper class AuthenticatorEmailStage in tasks.py
* Fix token expiration display in the email templates
* Fix authenticator email stage set up
* Add template and email to api response for Authenticator Email stage
* Fix Authenticator Email stage set up form
* Use different flow if the user has an email configured or not for Authenticator Email stage UI
* Use the correct field for the token in AuthenticatorEmailStage.ts
* Fix linting and code style
* Use the correct assertions in tests
* Fix mask email helper
* Add missing cases for Email Authenticator in the UI
* Fix email sending, add _compose_email() method to EmailDevice
* Fix cosmetic changes
* Add support for email device challenge validation in validate_selected_challenge
* Fix tests
* Add from_address to email template
* Refactor tests
* Update API Schema
* Refactor AuthenticatorEmailStage UI for cleaner code
* Fix saving token_expiry in the stage configuration
* Remove debug statements
* Add email connection settings to the Email authenticator stage configuration UI
* Remove unused field activate_on_success from AuthenticatorEmailStage
* Add tests for duplicate email, token expiration and template error
* cosmetic/styling changes
* Use authentik's GroupMemberSerializer and ManagedAppConfig in api and apps for email authenticathor
* stages/authenticator_email: Fix typos, styling and unused fields
* stages/authenticator_email: remove unused field responseStatus
* stages/authenticator_email: regen migrations
* Fix linting issues
* Fix app label issue, typos, missing user field
* Add a trailing space in email_otp.txt RFC 3676 sec. 4.3
Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Signed-off-by: Marcelo Elizeche Landó <marce@melizeche.com>
* Move mask_email method to a helper function in authentik.lib.utils.email
* Remove unused function
* Use authentik.stages.email.tasks instead of authentik.stages.authenticator_email.tasks, delete authentik.stages.authenticator_email.tasks
* Fix use global settings not using the global setting if there's a default
* Revert "Fix use global settings not using the global setting if there's a default"
This reverts commit 3825248bb4.
* Use user email from user attributes if exists
* Show masked email in AuthenticatorValidateStageCode
* Remove unused base.html template
* Fix linting issues
* Change token_expiry from integer to TextField, use timedelta_string_validator where necessary to process the change
* Move 'use global connection settings' up in the Email Authenticator Stage Configuration
* Show expanded connections settings when 'use global settings' is not activated for better UX
* Fix migration file, add missing validator
* Fix test for no prefilled email address
* Add tests to check session management, challenge generation and challenge response validation
* fix linting
* Add default value EmailStage for stage_class in stage.email.tasks.send_mail
* Change string representation for EmailDevice to handle authentik/events/tests/test_models.py::TestModels, add tests for the new __str__ method
* Add #nosec to skip false positive in linting validation
Signed-off-by: Marcelo Elizeche Landó <marce@melizeche.com>
* Change Email Authenticator Setup Stage name for consistency with other authenticators
* Add tests to test properties and methods of EmailDevice and AuthenticatorEmailStage, add test for email tasks
* Add tests for email challenge in authenticator_validate
* Update migration to reflect new verbose name for AuthenticatorEmailStage
* Update schema.yml to reflect new verbose name for AuthenticatorEmailStage
* Add default email subject in Email Authenticator Setup Stage configuration
* Remove from_address from email template to ensure global settings use if use global settings is on
* Add flow-default-authenticator-email-setup.yaml blueprint
* Move email authenticator blueprint to the examples folder
* Update authentik/stages/authenticator_email/models.py
Signed-off-by: Jens L. <jens@beryju.org>
* Change self.user_pk to self.user_id because user_pk doesn't exists here
* Remove unused logger import
* Remove more unused logger import
* Add error handling to authentik.lib.utils.email.mask_email
* fix linting
* don't catch Exception
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* update icons
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
---------
Signed-off-by: Marcelo Elizeche Landó <marce@melizeche.com>
Signed-off-by: Jens L. <jens@beryju.org>
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Co-authored-by: Jens L. <jens@beryju.org>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
* enterprise/providers/ssf: check providers's application's policies to determine if an ssf event should be sent
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* add preview banner to ssf provider
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* fix and test
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* providers/ssf: fix txn being inside the event not the SET itself
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* fix incorrect ssf format
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* fix web form
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* web: Add InvalidationFlow to Radius Provider dialogues
## What
- Bugfix: adds the InvalidationFlow to the Radius Provider dialogues
- Repairs: `{"invalidation_flow":["This field is required."]}` message, which was *not* propagated
to the Notification.
- Nitpick: Pretties `?foo=${true}` expressions: `s/\?([^=]+)=\$\{true\}/\1/`
## Note
Yes, I know I'm going to have to do more magic when we harmonize the forms, and no, I didn't add the
Property Mappings to the wizard, and yes, I know I'm going to have pain with the *new* version of
the wizard. But this is a serious bug; you can't make Radius servers with *either* of the current
dialogues at the moment.
* This (temporary) change is needed to prevent the unit tests from failing.
\# What
\# Why
\# How
\# Designs
\# Test Steps
\# Other Notes
* Revert "This (temporary) change is needed to prevent the unit tests from failing."
This reverts commit dddde09be5.
* web: Update to OpenAPI 7.11.
This commit updates our Makefile to generate the Typescript api using OpenAPI 7.11, and updates
names (mostly of enum targets) in our product to correspond to the changes in how OpenAPI generates
enum source names.
1. Replaced `ProviderModelEnum.` (note terminal period) with `ProviderModelEnum.AuthentikProvider`.
For example:
```
- ProviderModelEnum.SamlSamlprovider
+ ProviderModelEnum.AuthentikProvidersSamlSamlprovider
```
2. Replaced `RbacPermissionsAssignedByUsersListModelEnum.` (note terminal period) with
`RbacPermissionsAssignedByUsersListModelEnum.Authentik`. For example:
```
- RbacPermissionsAssignedByUsersListModelEnum.ProvidersLdapLdapprovider.toString(),
+ RbacPermissionsAssignedByUsersListModelEnum.AuthentikProvidersLdapLdapprovider.toString(),
```
3. Replaced `SyncObjectModelEnum.` (note terminal period) with
`SyncObjectModelEnum.AuthentikCoreModels`. For example:
```
- model=${SyncObjectModelEnum.Group}
+ model=${SyncObjectModelEnum.AuthentikCoreModelsGroup}
```
4. Replaced `SignatureAlgorithmEnum._` (note terminal symbols) with
`SignatureAlgorithmEnum.HttpWwwW3Org`. For example:
```
- ["ECDSA-SHA256", SignatureAlgorithmEnum._200104XmldsigMoreecdsaSha256],
+ ["ECDSA-SHA256", SignatureAlgorithmEnum.HttpWwwW3Org200104XmldsigMoreecdsaSha256],
```
5. Replaced `DigestAlgorithmEnum._` (note terminal symbols) with `DigestAlgorithmEnum.HttpWwwW3Org`.
For example:
```
- ["SHA256", DigestAlgorithmEnum._200104Xmlencsha256, true],
+ ["SHA256", DigestAlgorithmEnum.HttpWwwW3Org200104Xmlencsha256, true],
```
6. Replaced `NameIdPolicyEnum._` (note terminal symbols) with
`NameIdPolicyEnum.UrnOasisNamesTcSaml`. This one is trickier than the others: If you look
closely, you'll see that how OpenAPI generates the names has changed, with `nameid` now being
`Nameid`, and `FormatemailAddress` now being `FormatEmailAddress`.
```
- value=${NameIdPolicyEnum._11nameidFormatemailAddress}
+ value=${NameIdPolicyEnum.UrnOasisNamesTcSaml11NameidFormatEmailAddress}
```
# How
After determining how the enum prefixes had changed, I just ran six of these, testing after each
step to ensure that `npm run lint:types` had fewer errors than the previous run, until the product
built without type errors.
``` sh
$ perl -pi.bak -e 's/DigestAlgorithmEnum\._/DigestAlgorithmEnum.HttpWwwW3Org/' $(rg -l 'DigestAlgorithmEnum\.' src/)
```
# Testing
You can validate that these items have changed by finding the prefixes in the source code and
assuring yourself that every option, checkbox, or radio associated with them is populated correctly.
# User documentation changes required.
None.
# Developer documentation changes required.
None.
