release: 2024.8.0-rc1

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2024.4.2
+current_version = 2024.8.0-rc1
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
@@ -17,6 +17,8 @@ optional_value = final
 
 [bumpversion:file:pyproject.toml]
 
+[bumpversion:file:package.json]
+
 [bumpversion:file:docker-compose.yml]
 
 [bumpversion:file:schema.yml]

.github/actions/comment-pr-instructions/action.yml

@@ -54,9 +54,10 @@ runs:
             authentik:
                 outposts:
                     container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
-            image:
-                repository: ghcr.io/goauthentik/dev-server
-                tag: ${{ inputs.tag }}
+            global:
+                image:
+                    repository: ghcr.io/goauthentik/dev-server
+                    tag: ${{ inputs.tag }}
             ```
 
             For arm64, use these values:
@@ -65,9 +66,10 @@ runs:
             authentik:
                 outposts:
                     container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
-            image:
-                repository: ghcr.io/goauthentik/dev-server
-                tag: ${{ inputs.tag }}-arm64
+            global:
+                image:
+                    repository: ghcr.io/goauthentik/dev-server
+                    tag: ${{ inputs.tag }}-arm64
             ```
 
             Afterwards, run the upgrade commands from the latest release notes.

.github/actions/docker-push-variables/action.yml

@@ -29,9 +29,15 @@ outputs:
   imageTags:
     description: "Docker image tags"
     value: ${{ steps.ev.outputs.imageTags }}
+  imageNames:
+    description: "Docker image names"
+    value: ${{ steps.ev.outputs.imageNames }}
   imageMainTag:
     description: "Docker image main tag"
     value: ${{ steps.ev.outputs.imageMainTag }}
+  imageMainName:
+    description: "Docker image main name"
+    value: ${{ steps.ev.outputs.imageMainName }}
 
 runs:
   using: "composite"

.github/actions/docker-push-variables/push_vars.py

@@ -7,7 +7,7 @@ from time import time
 parser = configparser.ConfigParser()
 parser.read(".bumpversion.cfg")
 
-should_build = str(os.environ.get("DOCKER_USERNAME", None) is not None).lower()
+should_build = str(len(os.environ.get("DOCKER_USERNAME", "")) > 0).lower()
 
 branch_name = os.environ["GITHUB_REF"]
 if os.environ.get("GITHUB_HEAD_REF", "") != "":
@@ -50,8 +50,9 @@ else:
             f"{name}:gh-{safe_branch_name}-{int(time())}-{sha[:7]}{suffix}",  # Use by FluxCD
         ]
 
-image_main_tag = image_tags[0]
+image_main_tag = image_tags[0].split(":")[-1]
 image_tags_rendered = ",".join(image_tags)
+image_names_rendered = ",".join(set(name.split(":")[0] for name in image_tags))
 
 with open(os.environ["GITHUB_OUTPUT"], "a+", encoding="utf-8") as _output:
     print(f"shouldBuild={should_build}", file=_output)
@@ -59,4 +60,6 @@ with open(os.environ["GITHUB_OUTPUT"], "a+", encoding="utf-8") as _output:
     print(f"version={version}", file=_output)
     print(f"prerelease={prerelease}", file=_output)
     print(f"imageTags={image_tags_rendered}", file=_output)
+    print(f"imageNames={image_names_rendered}", file=_output)
     print(f"imageMainTag={image_main_tag}", file=_output)
+    print(f"imageMainName={image_tags[0]}", file=_output)

.github/dependabot.yml

@@ -21,7 +21,10 @@ updates:
     labels:
       - dependencies
   - package-ecosystem: npm
-    directory: "/web"
+    directories:
+      - "/web"
+      - "/tests/wdio"
+      - "/web/sfe"
     schedule:
       interval: daily
       time: "04:00"
@@ -30,7 +33,6 @@ updates:
     open-pull-requests-limit: 10
     commit-message:
       prefix: "web:"
-    # TODO: deduplicate these groups
     groups:
       sentry:
         patterns:
@@ -56,38 +58,10 @@ updates:
         patterns:
           - "@rollup/*"
           - "rollup-*"
-  - package-ecosystem: npm
-    directory: "/tests/wdio"
-    schedule:
-      interval: daily
-      time: "04:00"
-    labels:
-      - dependencies
-    open-pull-requests-limit: 10
-    commit-message:
-      prefix: "web:"
-    # TODO: deduplicate these groups
-    groups:
-      sentry:
+      swc:
         patterns:
-          - "@sentry/*"
-          - "@spotlightjs/*"
-      babel:
-        patterns:
-          - "@babel/*"
-          - "babel-*"
-      eslint:
-        patterns:
-          - "@typescript-eslint/*"
-          - "eslint"
-          - "eslint-*"
-      storybook:
-        patterns:
-          - "@storybook/*"
-          - "*storybook*"
-      esbuild:
-        patterns:
-          - "@esbuild/*"
+          - "@swc/*"
+          - "swc-*"
       wdio:
         patterns:
           - "@wdio/*"

.github/workflows/api-ts-publish.yml

@@ -31,7 +31,12 @@ jobs:
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
       - name: Upgrade /web
-        working-directory: web/
+        working-directory: web
+        run: |
+          export VERSION=`node -e 'console.log(require("../gen-ts-api/package.json").version)'`
+          npm i @goauthentik/api@$VERSION
+      - name: Upgrade /web/packages/sfe
+        working-directory: web/packages/sfe
         run: |
           export VERSION=`node -e 'console.log(require("../gen-ts-api/package.json").version)'`
           npm i @goauthentik/api@$VERSION

.github/workflows/ci-main.yml

@@ -213,13 +213,16 @@ jobs:
     permissions:
       # Needed to upload contianer images to ghcr.io
       packages: write
+      # Needed for attestation
+      id-token: write
+      attestations: write
     timeout-minutes: 120
     steps:
       - uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.0.0
+        uses: docker/setup-qemu-action@v3.2.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: prepare variables
@@ -240,7 +243,8 @@ jobs:
       - name: generate ts client
         run: make gen-client-ts
       - name: Build Docker Image
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
+        id: push
         with:
           context: .
           secrets: |
@@ -251,8 +255,15 @@ jobs:
           build-args: |
             GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
           cache-from: type=registry,ref=ghcr.io/goauthentik/dev-server:buildcache
-          cache-to: type=registry,ref=ghcr.io/goauthentik/dev-server:buildcache,mode=max
+          cache-to: ${{ steps.ev.outputs.shouldBuild == 'true' && 'type=registry,ref=ghcr.io/goauthentik/dev-server:buildcache,mode=max' || '' }}
           platforms: linux/${{ matrix.arch }}
+      - uses: actions/attest-build-provenance@v1
+        id: attest
+        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
+        with:
+          subject-name: ${{ steps.ev.outputs.imageNames }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
   pr-comment:
     needs:
       - build
@@ -274,6 +285,7 @@ jobs:
         with:
           image-name: ghcr.io/goauthentik/dev-server
       - name: Comment on PR
+        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
         uses: ./.github/actions/comment-pr-instructions
         with:
-          tag: gh-${{ steps.ev.outputs.imageMainTag }}
+          tag: ${{ steps.ev.outputs.imageMainTag }}

.github/workflows/ci-outpost.yml

@@ -31,7 +31,7 @@ jobs:
       - name: golangci-lint
         uses: golangci/golangci-lint-action@v6
         with:
-          version: v1.54.2
+          version: latest
           args: --timeout 5000s --verbose
           skip-cache: true
   test-unittest:
@@ -71,12 +71,15 @@ jobs:
     permissions:
       # Needed to upload contianer images to ghcr.io
       packages: write
+      # Needed for attestation
+      id-token: write
+      attestations: write
     steps:
       - uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.0.0
+        uses: docker/setup-qemu-action@v3.2.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: prepare variables
@@ -96,7 +99,8 @@ jobs:
       - name: Generate API
         run: make gen-client-go
       - name: Build Docker Image
-        uses: docker/build-push-action@v5
+        id: push
+        uses: docker/build-push-action@v6
         with:
           tags: ${{ steps.ev.outputs.imageTags }}
           file: ${{ matrix.type }}.Dockerfile
@@ -106,7 +110,14 @@ jobs:
           platforms: linux/amd64,linux/arm64
           context: .
           cache-from: type=registry,ref=ghcr.io/goauthentik/dev-${{ matrix.type }}:buildcache
-          cache-to: type=registry,ref=ghcr.io/goauthentik/dev-${{ matrix.type }}:buildcache,mode=max
+          cache-to: ${{ steps.ev.outputs.shouldBuild == 'true' && format('type=registry,ref=ghcr.io/goauthentik/dev-{0}:buildcache,mode=max', matrix.type) || '' }}
+      - uses: actions/attest-build-provenance@v1
+        id: attest
+        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
+        with:
+          subject-name: ${{ steps.ev.outputs.imageNames }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
   build-binary:
     timeout-minutes: 120
     needs:

.github/workflows/ci-web.yml

@@ -12,14 +12,29 @@ on:
       - version-*
 
 jobs:
-  lint-eslint:
+  lint:
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
       matrix:
+        command:
+          - lint
+          - lint:lockfile
+          - tsc
+          - prettier-check
         project:
           - web
           - tests/wdio
+        include:
+          - command: tsc
+            project: web
+          - command: lit-analyse
+            project: web
+        exclude:
+          - command: lint:lockfile
+            project: tests/wdio
+          - command: tsc
+            project: tests/wdio
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
@@ -28,85 +43,17 @@ jobs:
           cache: "npm"
           cache-dependency-path: ${{ matrix.project }}/package-lock.json
       - working-directory: ${{ matrix.project }}/
-        run: npm ci
-      - name: Generate API
-        run: make gen-client-ts
-      - name: Eslint
-        working-directory: ${{ matrix.project }}/
-        run: npm run lint
-  lint-lockfile:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - working-directory: web/
-        run: |
-          [ -z "$(jq -r '.packages | to_entries[] | select((.key | startswith("node_modules")) and (.value | has("resolved") | not)) | .key' < package-lock.json)" ]
-  lint-build:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version-file: web/package.json
-          cache: "npm"
-          cache-dependency-path: web/package-lock.json
-      - working-directory: web/
-        run: npm ci
-      - name: Generate API
-        run: make gen-client-ts
-      - name: TSC
-        working-directory: web/
-        run: npm run tsc
-  lint-prettier:
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        project:
-          - web
-          - tests/wdio
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version-file: ${{ matrix.project }}/package.json
-          cache: "npm"
-          cache-dependency-path: ${{ matrix.project }}/package-lock.json
-      - working-directory: ${{ matrix.project }}/
-        run: npm ci
-      - name: Generate API
-        run: make gen-client-ts
-      - name: prettier
-        working-directory: ${{ matrix.project }}/
-        run: npm run prettier-check
-  lint-lit-analyse:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version-file: web/package.json
-          cache: "npm"
-          cache-dependency-path: web/package-lock.json
-      - working-directory: web/
         run: |
           npm ci
-          # lit-analyse doesn't understand path rewrites, so make it
-          # belive it's an actual module
-          cd node_modules/@goauthentik
-          ln -s ../../src/ web
+          ${{ matrix.extra_setup }}
       - name: Generate API
         run: make gen-client-ts
-      - name: lit-analyse
-        working-directory: web/
-        run: npm run lit-analyse
+      - name: Lint
+        working-directory: ${{ matrix.project }}/
+        run: npm run ${{ matrix.command }}
   ci-web-mark:
     needs:
-      - lint-lockfile
-      - lint-eslint
-      - lint-prettier
-      - lint-lit-analyse
-      - lint-build
+      - lint
     runs-on: ubuntu-latest
     steps:
       - run: echo mark
@@ -128,3 +75,21 @@ jobs:
       - name: build
         working-directory: web/
         run: npm run build
+  test:
+    needs:
+      - ci-web-mark
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: web/package.json
+          cache: "npm"
+          cache-dependency-path: web/package-lock.json
+      - working-directory: web/
+        run: npm ci
+      - name: Generate API
+        run: make gen-client-ts
+      - name: test
+        working-directory: web/
+        run: npm run test || exit 0

.github/workflows/ci-website.yml

@@ -12,27 +12,21 @@ on:
       - version-*
 
 jobs:
-  lint-lockfile:
+  lint:
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        command:
+          - lint:lockfile
+          - prettier-check
     steps:
       - uses: actions/checkout@v4
-      - working-directory: website/
-        run: |
-          [ -z "$(jq -r '.packages | to_entries[] | select((.key | startswith("node_modules")) and (.value | has("resolved") | not)) | .key' < package-lock.json)" ]
-  lint-prettier:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version-file: website/package.json
-          cache: "npm"
-          cache-dependency-path: website/package-lock.json
       - working-directory: website/
         run: npm ci
-      - name: prettier
+      - name: Lint
         working-directory: website/
-        run: npm run prettier-check
+        run: npm run ${{ matrix.command }}
   test:
     runs-on: ubuntu-latest
     steps:
@@ -69,8 +63,7 @@ jobs:
         run: npm run ${{ matrix.job }}
   ci-website-mark:
     needs:
-      - lint-lockfile
-      - lint-prettier
+      - lint
       - test
       - build
     runs-on: ubuntu-latest

.github/workflows/release-publish.yml

@@ -11,10 +11,13 @@ jobs:
     permissions:
       # Needed to upload contianer images to ghcr.io
       packages: write
+      # Needed for attestation
+      id-token: write
+      attestations: write
     steps:
       - uses: actions/checkout@v4
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.0.0
+        uses: docker/setup-qemu-action@v3.2.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: prepare variables
@@ -40,20 +43,32 @@ jobs:
           mkdir -p ./gen-ts-api
           mkdir -p ./gen-go-api
       - name: Build Docker Image
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
+        id: push
         with:
           context: .
           push: true
           secrets: |
             GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
             GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
+          build-args: |
+            VERSION=${{ github.ref }}
           tags: ${{ steps.ev.outputs.imageTags }}
           platforms: linux/amd64,linux/arm64
+      - uses: actions/attest-build-provenance@v1
+        id: attest
+        with:
+          subject-name: ${{ steps.ev.outputs.imageNames }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
   build-outpost:
     runs-on: ubuntu-latest
     permissions:
       # Needed to upload contianer images to ghcr.io
       packages: write
+      # Needed for attestation
+      id-token: write
+      attestations: write
     strategy:
       fail-fast: false
       matrix:
@@ -68,7 +83,7 @@ jobs:
         with:
           go-version-file: "go.mod"
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.0.0
+        uses: docker/setup-qemu-action@v3.2.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: prepare variables
@@ -94,13 +109,22 @@ jobs:
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build Docker Image
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
+        id: push
         with:
           push: true
+          build-args: |
+            VERSION=${{ github.ref }}
           tags: ${{ steps.ev.outputs.imageTags }}
           file: ${{ matrix.type }}.Dockerfile
           platforms: linux/amd64,linux/arm64
           context: .
+      - uses: actions/attest-build-provenance@v1
+        id: attest
+        with:
+          subject-name: ${{ steps.ev.outputs.imageNames }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
   build-outpost-binary:
     timeout-minutes: 120
     runs-on: ubuntu-latest
@@ -155,8 +179,8 @@ jobs:
       - uses: actions/checkout@v4
       - name: Run test suite in final docker images
         run: |
-          echo "PG_PASS=$(openssl rand 32 | base64)" >> .env
-          echo "AUTHENTIK_SECRET_KEY=$(openssl rand 32 | base64)" >> .env
+          echo "PG_PASS=$(openssl rand 32 | base64 -w 0)" >> .env
+          echo "AUTHENTIK_SECRET_KEY=$(openssl rand 32 | base64 -w 0)" >> .env
           docker compose pull -q
           docker compose up --no-start
           docker compose start postgresql redis
@@ -178,8 +202,8 @@ jobs:
           image-name: ghcr.io/goauthentik/server
       - name: Get static files from docker image
         run: |
-          docker pull ${{ steps.ev.outputs.imageMainTag }}
-          container=$(docker container create ${{ steps.ev.outputs.imageMainTag }})
+          docker pull ${{ steps.ev.outputs.imageMainName }}
+          container=$(docker container create ${{ steps.ev.outputs.imageMainName }})
           docker cp ${container}:web/ .
       - name: Create a Sentry.io release
         uses: getsentry/action-release@v1

.github/workflows/release-tag.yml

@@ -14,8 +14,8 @@ jobs:
       - uses: actions/checkout@v4
       - name: Pre-release test
         run: |
-          echo "PG_PASS=$(openssl rand 32 | base64)" >> .env
-          echo "AUTHENTIK_SECRET_KEY=$(openssl rand 32 | base64)" >> .env
+          echo "PG_PASS=$(openssl rand 32 | base64 -w 0)" >> .env
+          echo "AUTHENTIK_SECRET_KEY=$(openssl rand 32 | base64 -w 0)" >> .env
           docker buildx install
           mkdir -p ./gen-ts-api
           docker build -t testing:latest .

.vscode/extensions.json

@@ -16,6 +16,6 @@
         "ms-python.black-formatter",
         "redhat.vscode-yaml",
         "Tobermory.es6-string-html",
-        "unifiedjs.vscode-mdx",
+        "unifiedjs.vscode-mdx"
     ]
 }

.vscode/launch.json

@@ -22,6 +22,6 @@
             },
             "justMyCode": true,
             "django": true
-        },
+        }
     ]
 }

.vscode/settings.json

@@ -18,20 +18,21 @@
         "sso",
         "totp",
         "traefik",
-        "webauthn",
+        "webauthn"
     ],
     "todo-tree.tree.showCountsInTree": true,
     "todo-tree.tree.showBadges": true,
     "yaml.customTags": [
-        "!Find sequence",
-        "!KeyOf scalar",
-        "!Context scalar",
-        "!Context sequence",
-        "!Format sequence",
         "!Condition sequence",
-        "!Env sequence",
+        "!Context scalar",
+        "!Enumerate sequence",
         "!Env scalar",
-        "!If sequence"
+        "!Find sequence",
+        "!Format sequence",
+        "!If sequence",
+        "!Index scalar",
+        "!KeyOf scalar",
+        "!Value scalar"
     ],
     "typescript.preferences.importModuleSpecifier": "non-relative",
     "typescript.preferences.importModuleSpecifierEnding": "index",
@@ -48,9 +49,7 @@
             "ignoreCase": false
         }
     ],
-    "go.testFlags": [
-        "-count=1"
-    ],
+    "go.testFlags": ["-count=1"],
     "github-actions.workflows.pinned.workflows": [
         ".github/workflows/ci-main.yml"
     ]

.vscode/tasks.json

@@ -2,85 +2,67 @@
     "version": "2.0.0",
     "tasks": [
         {
-            "label": "authentik[core]: format & test",
+            "label": "authentik/core: make",
             "command": "poetry",
-            "args": [
-                "run",
-                "make"
-            ],
-            "group": "build",
+            "args": ["run", "make", "lint-fix", "lint"],
+            "presentation": {
+                "panel": "new"
+            },
+            "group": "test"
         },
         {
-            "label": "authentik[core]: run",
+            "label": "authentik/core: run",
             "command": "poetry",
-            "args": [
-                "run",
-                "make",
-                "run",
-            ],
+            "args": ["run", "ak", "server"],
             "group": "build",
             "presentation": {
                 "panel": "dedicated",
                 "group": "running"
-            },
+            }
         },
         {
-            "label": "authentik[web]: format",
+            "label": "authentik/web: make",
             "command": "make",
             "args": ["web"],
-            "group": "build",
+            "group": "build"
         },
         {
-            "label": "authentik[web]: watch",
+            "label": "authentik/web: watch",
             "command": "make",
             "args": ["web-watch"],
             "group": "build",
             "presentation": {
                 "panel": "dedicated",
                 "group": "running"
-            },
+            }
         },
         {
             "label": "authentik: install",
             "command": "make",
-            "args": ["install"],
-            "group": "build",
+            "args": ["install", "-j4"],
+            "group": "build"
         },
         {
-            "label": "authentik: i18n-extract",
-            "command": "poetry",
-            "args": [
-                "run",
-                "make",
-                "i18n-extract"
-            ],
-            "group": "build",
-        },
-        {
-            "label": "authentik[website]: format",
+            "label": "authentik/website: make",
             "command": "make",
             "args": ["website"],
-            "group": "build",
+            "group": "build"
         },
         {
-            "label": "authentik[website]: watch",
+            "label": "authentik/website: watch",
             "command": "make",
             "args": ["website-watch"],
             "group": "build",
             "presentation": {
                 "panel": "dedicated",
                 "group": "running"
-            },
+            }
         },
         {
-            "label": "authentik[api]: generate",
+            "label": "authentik/api: generate",
             "command": "poetry",
-            "args": [
-                "run",
-                "make",
-                "gen"
-            ],
+            "args": ["run", "make", "gen"],
             "group": "build"
-        },
+        }
     ]
 }

Dockerfile

@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:1
 
 # Stage 1: Build website
-FROM --platform=${BUILDPLATFORM} docker.io/node:22 as website-builder
+FROM --platform=${BUILDPLATFORM} docker.io/library/node:22 AS website-builder
 
 ENV NODE_ENV=production
 
@@ -20,17 +20,22 @@ COPY ./SECURITY.md /work/
 RUN npm run build-bundled
 
 # Stage 2: Build webui
-FROM --platform=${BUILDPLATFORM} docker.io/node:22 as web-builder
+FROM --platform=${BUILDPLATFORM} docker.io/library/node:22 AS web-builder
 
+ARG GIT_BUILD_HASH
+ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
 ENV NODE_ENV=production
 
 WORKDIR /work/web
 
 RUN --mount=type=bind,target=/work/web/package.json,src=./web/package.json \
     --mount=type=bind,target=/work/web/package-lock.json,src=./web/package-lock.json \
+    --mount=type=bind,target=/work/web/packages/sfe/package.json,src=./web/packages/sfe/package.json \
+    --mount=type=bind,target=/work/web/scripts,src=./web/scripts \
     --mount=type=cache,id=npm-web,sharing=shared,target=/root/.npm \
     npm ci --include=dev
 
+COPY ./package.json /work
 COPY ./web /work/web/
 COPY ./website /work/website/
 COPY ./gen-ts-api /work/web/node_modules/@goauthentik/api
@@ -38,7 +43,7 @@ COPY ./gen-ts-api /work/web/node_modules/@goauthentik/api
 RUN npm run build
 
 # Stage 3: Build go proxy
-FROM --platform=${BUILDPLATFORM} mcr.microsoft.com/oss/go/microsoft/golang:1.22-fips-bookworm AS go-builder
+FROM --platform=${BUILDPLATFORM} mcr.microsoft.com/oss/go/microsoft/golang:1.23-fips-bookworm AS go-builder
 
 ARG TARGETOS
 ARG TARGETARCH
@@ -75,7 +80,7 @@ RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
     go build -o /go/authentik ./cmd/server
 
 # Stage 4: MaxMind GeoIP
-FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.0.1 as geoip
+FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.0.1 AS geoip
 
 ENV GEOIPUPDATE_EDITION_IDS="GeoLite2-City GeoLite2-ASN"
 ENV GEOIPUPDATE_VERBOSE="1"
@@ -89,7 +94,10 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
     /bin/sh -c "/usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
 
 # Stage 5: Python dependencies
-FROM ghcr.io/goauthentik/fips-python:3.12.3-slim-bookworm-fips-full AS python-deps
+FROM ghcr.io/goauthentik/fips-python:3.12.5-slim-bookworm-fips-full AS python-deps
+
+ARG TARGETARCH
+ARG TARGETVARIANT
 
 WORKDIR /ak-root/poetry
 
@@ -116,17 +124,17 @@ RUN --mount=type=bind,target=./pyproject.toml,src=./pyproject.toml \
     pip install --force-reinstall /wheels/*"
 
 # Stage 6: Run
-FROM ghcr.io/goauthentik/fips-python:3.12.3-slim-bookworm-fips-full AS final-image
+FROM ghcr.io/goauthentik/fips-python:3.12.5-slim-bookworm-fips-full AS final-image
 
-ARG GIT_BUILD_HASH
 ARG VERSION
+ARG GIT_BUILD_HASH
 ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
 
-LABEL org.opencontainers.image.url https://goauthentik.io
-LABEL org.opencontainers.image.description goauthentik.io Main server image, see https://goauthentik.io for more info.
-LABEL org.opencontainers.image.source https://github.com/goauthentik/authentik
-LABEL org.opencontainers.image.version ${VERSION}
-LABEL org.opencontainers.image.revision ${GIT_BUILD_HASH}
+LABEL org.opencontainers.image.url=https://goauthentik.io
+LABEL org.opencontainers.image.description="goauthentik.io Main server image, see https://goauthentik.io for more info."
+LABEL org.opencontainers.image.source=https://github.com/goauthentik/authentik
+LABEL org.opencontainers.image.version=${VERSION}
+LABEL org.opencontainers.image.revision=${GIT_BUILD_HASH}
 
 WORKDIR /
 

Makefile

@@ -43,12 +43,12 @@ help:  ## Show this help
 		sort
 	@echo ""
 
-test-go:
+go-test:
 	go test -timeout 0 -v -race -cover ./...
 
 test-docker:  ## Run all tests in a docker-compose
-	echo "PG_PASS=$(shell openssl rand 32 | base64)" >> .env
-	echo "AUTHENTIK_SECRET_KEY=$(shell openssl rand 32 | base64)" >> .env
+	echo "PG_PASS=$(shell openssl rand 32 | base64 -w 0)" >> .env
+	echo "AUTHENTIK_SECRET_KEY=$(shell openssl rand 32 | base64 -w 0)" >> .env
 	docker compose pull -q
 	docker compose up --no-start
 	docker compose start postgresql redis
@@ -60,9 +60,11 @@ test: ## Run the server tests and produce a coverage report (locally)
 	coverage html
 	coverage report
 
-lint-fix:  ## Lint and automatically fix errors in the python source code. Reports spelling errors.
+lint-fix: lint-codespell  ## Lint and automatically fix errors in the python source code. Reports spelling errors.
 	black $(PY_SOURCES)
 	ruff check --fix $(PY_SOURCES)
+
+lint-codespell:  ## Reports spelling errors.
 	codespell -w $(CODESPELL_ARGS)
 
 lint: ## Lint the python and golang sources
@@ -203,11 +205,14 @@ gen: gen-build gen-client-ts
 web-build: web-install  ## Build the Authentik UI
 	cd web && npm run build
 
-web: web-lint-fix web-lint web-check-compile  ## Automatically fix formatting issues in the Authentik UI source code, lint the code, and compile it
+web: web-lint-fix web-lint web-check-compile web-test  ## Automatically fix formatting issues in the Authentik UI source code, lint the code, and compile it
 
 web-install:  ## Install the necessary libraries to build the Authentik UI
 	cd web && npm ci
 
+web-test: ## Run tests for the Authentik UI
+	cd web && npm run test
+
 web-watch:  ## Build and watch the Authentik UI for changes, updating automatically
 	rm -rf web/dist/
 	mkdir web/dist/
@@ -239,7 +244,7 @@ website: website-lint-fix website-build  ## Automatically fix formatting issues
 website-install:
 	cd website && npm ci
 
-website-lint-fix:
+website-lint-fix: lint-codespell
 	cd website && npm run prettier
 
 website-build:

README.md

@@ -15,7 +15,9 @@
 
 ## What is authentik?
 
-authentik is an open-source Identity Provider that emphasizes flexibility and versatility. It can be seamlessly integrated into existing environments to support new protocols. authentik is also a great solution for implementing sign-up, recovery, and other similar features in your application, saving you the hassle of dealing with them.
+authentik is an open-source Identity Provider that emphasizes flexibility and versatility, with support for a wide set of protocols.
+
+Our [enterprise offer](https://goauthentik.io/pricing) can also be used as a self-hosted replacement for large-scale deployments of Okta/Auth0, Entra ID, Ping Identity, or other legacy IdPs for employees and B2B2C use.
 
 ## Installation
 

SECURITY.md

@@ -18,10 +18,10 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni
 
 (.x being the latest patch release for each version)
 
-| Version   | Supported |
-| --------- | --------- |
-| 2023.10.x | ✅        |
-| 2024.2.x  | ✅        |
+| Version  | Supported |
+| -------- | --------- |
+| 2024.4.x | ✅        |
+| 2024.6.x | ✅        |
 
 ## Reporting a Vulnerability
 

authentik/__init__.py

@@ -2,7 +2,7 @@
 
 from os import environ
 
-__version__ = "2024.4.2"
+__version__ = "2024.8.0"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 

authentik/admin/api/system.py

@@ -16,6 +16,7 @@ from rest_framework.views import APIView
 
 from authentik import get_full_version
 from authentik.core.api.utils import PassiveSerializer
+from authentik.enterprise.license import LicenseKey
 from authentik.lib.config import CONFIG
 from authentik.lib.utils.reflection import get_env
 from authentik.outposts.apps import MANAGED_OUTPOST
@@ -32,7 +33,7 @@ class RuntimeDict(TypedDict):
     platform: str
     uname: str
     openssl_version: str
-    openssl_fips_mode: bool
+    openssl_fips_enabled: bool | None
     authentik_version: str
 
 
@@ -71,7 +72,9 @@ class SystemInfoSerializer(PassiveSerializer):
             "architecture": platform.machine(),
             "authentik_version": get_full_version(),
             "environment": get_env(),
-            "openssl_fips_enabled": backend._fips_enabled,
+            "openssl_fips_enabled": (
+                backend._fips_enabled if LicenseKey.get_total().status().is_valid else None
+            ),
             "openssl_version": OPENSSL_VERSION,
             "platform": platform.platform(),
             "python_version": python_version,

authentik/admin/api/version.py

@@ -12,6 +12,7 @@ from rest_framework.views import APIView
 from authentik import __version__, get_build_hash
 from authentik.admin.tasks import VERSION_CACHE_KEY, VERSION_NULL, update_latest_version
 from authentik.core.api.utils import PassiveSerializer
+from authentik.outposts.models import Outpost
 
 
 class VersionSerializer(PassiveSerializer):
@@ -22,6 +23,7 @@ class VersionSerializer(PassiveSerializer):
     version_latest_valid = SerializerMethodField()
     build_hash = SerializerMethodField()
     outdated = SerializerMethodField()
+    outpost_outdated = SerializerMethodField()
 
     def get_build_hash(self, _) -> str:
         """Get build hash, if version is not latest or released"""
@@ -47,6 +49,15 @@ class VersionSerializer(PassiveSerializer):
         """Check if we're running the latest version"""
         return parse(self.get_version_current(instance)) < parse(self.get_version_latest(instance))
 
+    def get_outpost_outdated(self, _) -> bool:
+        """Check if any outpost is outdated/has a version mismatch"""
+        any_outdated = False
+        for outpost in Outpost.objects.all():
+            for state in outpost.state:
+                if state.version_outdated:
+                    any_outdated = True
+        return any_outdated
+
 
 class VersionView(APIView):
     """Get running and latest version."""

authentik/api/templates/api/browser.html

@@ -1,13 +1,13 @@
 {% extends "base/skeleton.html" %}
 
-{% load static %}
+{% load authentik_core %}
 
 {% block title %}
 API Browser - {{ brand.branding_title }}
 {% endblock %}
 
 {% block head %}
-<script src="{% static 'dist/standalone/api-browser/index.js' %}?version={{ version }}" type="module"></script>
+{% versioned_script "dist/standalone/api-browser/index-%v.js" %}
 <meta name="theme-color" content="#151515" media="(prefers-color-scheme: light)">
 <meta name="theme-color" content="#151515" media="(prefers-color-scheme: dark)">
 {% endblock %}

authentik/blueprints/management/commands/apply_blueprint.py

@@ -23,9 +23,11 @@ class Command(BaseCommand):
                 for blueprint_path in options.get("blueprints", []):
                     content = BlueprintInstance(path=blueprint_path).retrieve()
                     importer = Importer.from_string(content)
-                    valid, _ = importer.validate()
+                    valid, logs = importer.validate()
                     if not valid:
-                        self.stderr.write("blueprint invalid")
+                        self.stderr.write("Blueprint invalid")
+                        for log in logs:
+                            self.stderr.write(f"\t{log.logger}: {log.event}: {log.attributes}")
                         sys_exit(1)
                     importer.apply()
 

authentik/blueprints/management/commands/make_blueprint_schema.py

@@ -113,16 +113,19 @@ class Command(BaseCommand):
             )
             model_path = f"{model._meta.app_label}.{model._meta.model_name}"
             self.schema["properties"]["entries"]["items"]["oneOf"].append(
-                self.template_entry(model_path, serializer)
+                self.template_entry(model_path, model, serializer)
             )
 
-    def template_entry(self, model_path: str, serializer: Serializer) -> dict:
+    def template_entry(self, model_path: str, model: type[Model], serializer: Serializer) -> dict:
         """Template entry for a single model"""
         model_schema = self.to_jsonschema(serializer)
         model_schema["required"] = []
         def_name = f"model_{model_path}"
         def_path = f"#/$defs/{def_name}"
         self.schema["$defs"][def_name] = model_schema
+        def_name_perm = f"model_{model_path}_permissions"
+        def_path_perm = f"#/$defs/{def_name_perm}"
+        self.schema["$defs"][def_name_perm] = self.model_permissions(model)
         return {
             "type": "object",
             "required": ["model", "identifiers"],
@@ -135,6 +138,7 @@ class Command(BaseCommand):
                     "default": "present",
                 },
                 "conditions": {"type": "array", "items": {"type": "boolean"}},
+                "permissions": {"$ref": def_path_perm},
                 "attrs": {"$ref": def_path},
                 "identifiers": {"$ref": def_path},
             },
@@ -185,3 +189,20 @@ class Command(BaseCommand):
         if required:
             result["required"] = required
         return result
+
+    def model_permissions(self, model: type[Model]) -> dict:
+        perms = [x[0] for x in model._meta.permissions]
+        for action in model._meta.default_permissions:
+            perms.append(f"{action}_{model._meta.model_name}")
+        return {
+            "type": "array",
+            "items": {
+                "type": "object",
+                "required": ["permission"],
+                "properties": {
+                    "permission": {"type": "string", "enum": perms},
+                    "user": {"type": "integer"},
+                    "role": {"type": "string"},
+                },
+            },
+        }

authentik/blueprints/tests/fixtures/rbac_object.yaml

@@ -0,0 +1,24 @@
+version: 1
+entries:
+  - model: authentik_core.user
+    id: user
+    identifiers:
+      username: "%(id)s"
+    attrs:
+      name: "%(id)s"
+  - model: authentik_rbac.role
+    id: role
+    identifiers:
+      name: "%(id)s"
+  - model: authentik_flows.flow
+    identifiers:
+      slug: "%(id)s"
+    attrs:
+      designation: authentication
+      name: foo
+      title: foo
+    permissions:
+      - permission: view_flow
+        user: !KeyOf user
+      - permission: view_flow
+        role: !KeyOf role

authentik/blueprints/tests/fixtures/rbac_role.yaml

@@ -0,0 +1,8 @@
+version: 1
+entries:
+  - model: authentik_rbac.role
+    identifiers:
+      name: "%(id)s"
+    attrs:
+      permissions:
+        - authentik_blueprints.view_blueprintinstance

authentik/blueprints/tests/fixtures/rbac_user.yaml

@@ -0,0 +1,9 @@
+version: 1
+entries:
+  - model: authentik_core.user
+    identifiers:
+      username: "%(id)s"
+    attrs:
+      name: "%(id)s"
+      permissions:
+        - authentik_blueprints.view_blueprintinstance

authentik/blueprints/tests/test_v1_rbac.py

@@ -0,0 +1,57 @@
+"""Test blueprints v1"""
+
+from django.test import TransactionTestCase
+from guardian.shortcuts import get_perms
+
+from authentik.blueprints.v1.importer import Importer
+from authentik.core.models import User
+from authentik.flows.models import Flow
+from authentik.lib.generators import generate_id
+from authentik.lib.tests.utils import load_fixture
+from authentik.rbac.models import Role
+
+
+class TestBlueprintsV1RBAC(TransactionTestCase):
+    """Test Blueprints rbac attribute"""
+
+    def test_user_permission(self):
+        """Test permissions"""
+        uid = generate_id()
+        import_yaml = load_fixture("fixtures/rbac_user.yaml", id=uid)
+
+        importer = Importer.from_string(import_yaml)
+        self.assertTrue(importer.validate()[0])
+        self.assertTrue(importer.apply())
+        user = User.objects.filter(username=uid).first()
+        self.assertIsNotNone(user)
+        self.assertTrue(user.has_perms(["authentik_blueprints.view_blueprintinstance"]))
+
+    def test_role_permission(self):
+        """Test permissions"""
+        uid = generate_id()
+        import_yaml = load_fixture("fixtures/rbac_role.yaml", id=uid)
+
+        importer = Importer.from_string(import_yaml)
+        self.assertTrue(importer.validate()[0])
+        self.assertTrue(importer.apply())
+        role = Role.objects.filter(name=uid).first()
+        self.assertIsNotNone(role)
+        self.assertEqual(
+            list(role.group.permissions.all().values_list("codename", flat=True)),
+            ["view_blueprintinstance"],
+        )
+
+    def test_object_permission(self):
+        """Test permissions"""
+        uid = generate_id()
+        import_yaml = load_fixture("fixtures/rbac_object.yaml", id=uid)
+
+        importer = Importer.from_string(import_yaml)
+        self.assertTrue(importer.validate()[0])
+        self.assertTrue(importer.apply())
+        flow = Flow.objects.filter(slug=uid).first()
+        user = User.objects.filter(username=uid).first()
+        role = Role.objects.filter(name=uid).first()
+        self.assertIsNotNone(flow)
+        self.assertEqual(get_perms(user, flow), ["view_flow"])
+        self.assertEqual(get_perms(role.group, flow), ["view_flow"])

authentik/blueprints/v1/common.py

@@ -1,7 +1,7 @@
 """transfer common classes"""
 
 from collections import OrderedDict
-from collections.abc import Iterable, Mapping
+from collections.abc import Generator, Iterable, Mapping
 from copy import copy
 from dataclasses import asdict, dataclass, field, is_dataclass
 from enum import Enum
@@ -58,6 +58,15 @@ class BlueprintEntryDesiredState(Enum):
     MUST_CREATED = "must_created"
 
 
+@dataclass
+class BlueprintEntryPermission:
+    """Describe object-level permissions"""
+
+    permission: Union[str, "YAMLTag"]
+    user: Union[int, "YAMLTag", None] = field(default=None)
+    role: Union[str, "YAMLTag", None] = field(default=None)
+
+
 @dataclass
 class BlueprintEntry:
     """Single entry of a blueprint"""
@@ -69,6 +78,7 @@ class BlueprintEntry:
     conditions: list[Any] = field(default_factory=list)
     identifiers: dict[str, Any] = field(default_factory=dict)
     attrs: dict[str, Any] | None = field(default_factory=dict)
+    permissions: list[BlueprintEntryPermission] = field(default_factory=list)
 
     id: str | None = None
 
@@ -150,6 +160,17 @@ class BlueprintEntry:
         """Get the blueprint model, with yaml tags resolved if present"""
         return str(self.tag_resolver(self.model, blueprint))
 
+    def get_permissions(
+        self, blueprint: "Blueprint"
+    ) -> Generator[BlueprintEntryPermission, None, None]:
+        """Get permissions of this entry, with all yaml tags resolved"""
+        for perm in self.permissions:
+            yield BlueprintEntryPermission(
+                permission=self.tag_resolver(perm.permission, blueprint),
+                user=self.tag_resolver(perm.user, blueprint),
+                role=self.tag_resolver(perm.role, blueprint),
+            )
+
     def check_all_conditions_match(self, blueprint: "Blueprint") -> bool:
         """Check all conditions of this entry match (evaluate to True)"""
         return all(self.tag_resolver(self.conditions, blueprint))
@@ -307,7 +328,10 @@ class Find(YAMLTag):
         else:
             model_name = self.model_name
 
-        model_class = apps.get_model(*model_name.split("."))
+        try:
+            model_class = apps.get_model(*model_name.split("."))
+        except LookupError as exc:
+            raise EntryInvalidError.from_entry(exc, entry) from exc
 
         query = Q()
         for cond in self.conditions:

authentik/blueprints/v1/importer.py

@@ -16,6 +16,7 @@ from django.db.models.query_utils import Q
 from django.db.transaction import atomic
 from django.db.utils import IntegrityError
 from guardian.models import UserObjectPermission
+from guardian.shortcuts import assign_perm
 from rest_framework.exceptions import ValidationError
 from rest_framework.serializers import BaseSerializer, Serializer
 from structlog.stdlib import BoundLogger, get_logger
@@ -32,9 +33,11 @@ from authentik.blueprints.v1.common import (
 from authentik.blueprints.v1.meta.registry import BaseMetaModel, registry
 from authentik.core.models import (
     AuthenticatedSession,
+    GroupSourceConnection,
     PropertyMapping,
     Provider,
     Source,
+    User,
     UserSourceConnection,
 )
 from authentik.enterprise.license import LicenseKey
@@ -54,11 +57,13 @@ from authentik.events.utils import cleanse_dict
 from authentik.flows.models import FlowToken, Stage
 from authentik.lib.models import SerializerModel
 from authentik.lib.sentry import SentryIgnoredException
+from authentik.lib.utils.reflection import get_apps
 from authentik.outposts.models import OutpostServiceConnection
 from authentik.policies.models import Policy, PolicyBindingModel
 from authentik.policies.reputation.models import Reputation
 from authentik.providers.oauth2.models import AccessToken, AuthorizationCode, RefreshToken
 from authentik.providers.scim.models import SCIMProviderGroup, SCIMProviderUser
+from authentik.rbac.models import Role
 from authentik.sources.scim.models import SCIMSourceGroup, SCIMSourceUser
 from authentik.stages.authenticator_webauthn.models import WebAuthnDeviceType
 from authentik.tenants.models import Tenant
@@ -87,6 +92,7 @@ def excluded_models() -> list[type[Model]]:
         Source,
         PropertyMapping,
         UserSourceConnection,
+        GroupSourceConnection,
         Stage,
         OutpostServiceConnection,
         Policy,
@@ -136,6 +142,16 @@ def transaction_rollback():
         pass
 
 
+def rbac_models() -> dict:
+    models = {}
+    for app in get_apps():
+        for model in app.get_models():
+            if not is_model_allowed(model):
+                continue
+            models[model._meta.model_name] = app.label
+    return models
+
+
 class Importer:
     """Import Blueprint from raw dict or YAML/JSON"""
 
@@ -154,7 +170,10 @@ class Importer:
 
     def default_context(self):
         """Default context"""
-        return {"goauthentik.io/enterprise/licensed": LicenseKey.get_total().is_valid()}
+        return {
+            "goauthentik.io/enterprise/licensed": LicenseKey.get_total().status().is_valid,
+            "goauthentik.io/rbac/models": rbac_models(),
+        }
 
     @staticmethod
     def from_string(yaml_input: str, context: dict | None = None) -> "Importer":
@@ -214,14 +233,17 @@ class Importer:
 
         return main_query | sub_query
 
-    def _validate_single(self, entry: BlueprintEntry) -> BaseSerializer | None:
+    def _validate_single(self, entry: BlueprintEntry) -> BaseSerializer | None:  # noqa: PLR0915
         """Validate a single entry"""
         if not entry.check_all_conditions_match(self._import):
             self.logger.debug("One or more conditions of this entry are not fulfilled, skipping")
             return None
 
         model_app_label, model_name = entry.get_model(self._import).split(".")
-        model: type[SerializerModel] = registry.get_model(model_app_label, model_name)
+        try:
+            model: type[SerializerModel] = registry.get_model(model_app_label, model_name)
+        except LookupError as exc:
+            raise EntryInvalidError.from_entry(exc, entry) from exc
         # Don't use isinstance since we don't want to check for inheritance
         if not is_model_allowed(model):
             raise EntryInvalidError.from_entry(f"Model {model} not allowed", entry)
@@ -296,10 +318,7 @@ class Importer:
         try:
             full_data = self.__update_pks_for_attrs(entry.get_attrs(self._import))
         except ValueError as exc:
-            raise EntryInvalidError.from_entry(
-                exc,
-                entry,
-            ) from exc
+            raise EntryInvalidError.from_entry(exc, entry) from exc
         always_merger.merge(full_data, updated_identifiers)
         serializer_kwargs["data"] = full_data
 
@@ -320,6 +339,15 @@ class Importer:
             ) from exc
         return serializer
 
+    def _apply_permissions(self, instance: Model, entry: BlueprintEntry):
+        """Apply object-level permissions for an entry"""
+        for perm in entry.get_permissions(self._import):
+            if perm.user is not None:
+                assign_perm(perm.permission, User.objects.get(pk=perm.user), instance)
+            if perm.role is not None:
+                role = Role.objects.get(pk=perm.role)
+                role.assign_permission(perm.permission, obj=instance)
+
     def apply(self) -> bool:
         """Apply (create/update) models yaml, in database transaction"""
         try:
@@ -384,6 +412,7 @@ class Importer:
                 if "pk" in entry.identifiers:
                     self.__pk_map[entry.identifiers["pk"]] = instance.pk
                 entry._state = BlueprintEntryState(instance)
+                self._apply_permissions(instance, entry)
             elif state == BlueprintEntryDesiredState.ABSENT:
                 instance: Model | None = serializer.instance
                 if instance.pk:

authentik/brands/api.py

@@ -11,21 +11,20 @@ from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.permissions import AllowAny
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ModelSerializer
 from rest_framework.validators import UniqueValidator
 from rest_framework.viewsets import ModelViewSet
 
 from authentik.api.authorization import SecretKeyFilter
 from authentik.brands.models import Brand
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import PassiveSerializer
+from authentik.core.api.utils import ModelSerializer, PassiveSerializer
 from authentik.tenants.utils import get_current_tenant
 
 
 class FooterLinkSerializer(PassiveSerializer):
     """Links returned in Config API"""
 
-    href = CharField(read_only=True)
+    href = CharField(read_only=True, allow_null=True)
     name = CharField(read_only=True)
 
 
@@ -56,6 +55,7 @@ class BrandSerializer(ModelSerializer):
             "flow_unenrollment",
             "flow_user_settings",
             "flow_device_code",
+            "default_application",
             "web_certificate",
             "attributes",
         ]

authentik/brands/apps.py

@@ -9,3 +9,6 @@ class AuthentikBrandsConfig(AppConfig):
     name = "authentik.brands"
     label = "authentik_brands"
     verbose_name = "authentik Brands"
+    mountpoints = {
+        "authentik.brands.urls_root": "",
+    }

authentik/brands/migrations/0007_brand_default_application.py

@@ -0,0 +1,26 @@
+# Generated by Django 5.0.6 on 2024-07-04 20:32
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_brands", "0006_brand_authentik_b_domain_b9b24a_idx_and_more"),
+        ("authentik_core", "0035_alter_group_options_and_more"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="brand",
+            name="default_application",
+            field=models.ForeignKey(
+                default=None,
+                help_text="When set, external users will be redirected to this application after authenticating.",
+                null=True,
+                on_delete=django.db.models.deletion.SET_DEFAULT,
+                to="authentik_core.application",
+            ),
+        ),
+    ]

authentik/brands/models.py

@@ -3,6 +3,7 @@
 from uuid import uuid4
 
 from django.db import models
+from django.http import HttpRequest
 from django.utils.translation import gettext_lazy as _
 from rest_framework.serializers import Serializer
 from structlog.stdlib import get_logger
@@ -51,6 +52,16 @@ class Brand(SerializerModel):
         Flow, null=True, on_delete=models.SET_NULL, related_name="brand_device_code"
     )
 
+    default_application = models.ForeignKey(
+        "authentik_core.Application",
+        null=True,
+        default=None,
+        on_delete=models.SET_DEFAULT,
+        help_text=_(
+            "When set, external users will be redirected to this application after authenticating."
+        ),
+    )
+
     web_certificate = models.ForeignKey(
         CertificateKeyPair,
         null=True,
@@ -88,3 +99,13 @@ class Brand(SerializerModel):
             models.Index(fields=["domain"]),
             models.Index(fields=["default"]),
         ]
+
+
+class WebfingerProvider(models.Model):
+    """Provider which supports webfinger discovery"""
+
+    class Meta:
+        abstract = True
+
+    def webfinger(self, resource: str, request: HttpRequest) -> dict:
+        raise NotImplementedError()

authentik/brands/tests.py

@@ -5,7 +5,11 @@ from rest_framework.test import APITestCase
 
 from authentik.brands.api import Themes
 from authentik.brands.models import Brand
+from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_brand
+from authentik.lib.generators import generate_id
+from authentik.providers.oauth2.models import OAuth2Provider
+from authentik.providers.saml.models import SAMLProvider
 
 
 class TestBrands(APITestCase):
@@ -75,3 +79,45 @@ class TestBrands(APITestCase):
             reverse("authentik_api:brand-list"), data={"domain": "bar", "default": True}
         )
         self.assertEqual(response.status_code, 400)
+
+    def test_webfinger_no_app(self):
+        """Test Webfinger"""
+        create_test_brand()
+        self.assertJSONEqual(
+            self.client.get(reverse("authentik_brands:webfinger")).content.decode(), {}
+        )
+
+    def test_webfinger_not_supported(self):
+        """Test Webfinger"""
+        brand = create_test_brand()
+        provider = SAMLProvider.objects.create(
+            name=generate_id(),
+        )
+        app = Application.objects.create(name=generate_id(), slug=generate_id(), provider=provider)
+        brand.default_application = app
+        brand.save()
+        self.assertJSONEqual(
+            self.client.get(reverse("authentik_brands:webfinger")).content.decode(), {}
+        )
+
+    def test_webfinger_oidc(self):
+        """Test Webfinger"""
+        brand = create_test_brand()
+        provider = OAuth2Provider.objects.create(
+            name=generate_id(),
+        )
+        app = Application.objects.create(name=generate_id(), slug=generate_id(), provider=provider)
+        brand.default_application = app
+        brand.save()
+        self.assertJSONEqual(
+            self.client.get(reverse("authentik_brands:webfinger")).content.decode(),
+            {
+                "links": [
+                    {
+                        "href": f"http://testserver/application/o/{app.slug}/",
+                        "rel": "http://openid.net/specs/connect/1.0/issuer",
+                    }
+                ],
+                "subject": None,
+            },
+        )

authentik/brands/urls_root.py

@@ -0,0 +1,9 @@
+"""authentik brand root URLs"""
+
+from django.urls import path
+
+from authentik.brands.views.webfinger import WebFingerView
+
+urlpatterns = [
+    path(".well-known/webfinger", WebFingerView.as_view(), name="webfinger"),
+]

authentik/brands/utils.py

@@ -5,7 +5,7 @@ from typing import Any
 from django.db.models import F, Q
 from django.db.models import Value as V
 from django.http.request import HttpRequest
-from sentry_sdk.hub import Hub
+from sentry_sdk import get_current_span
 
 from authentik import get_full_version
 from authentik.brands.models import Brand
@@ -33,7 +33,7 @@ def context_processor(request: HttpRequest) -> dict[str, Any]:
     brand = getattr(request, "brand", DEFAULT_BRAND)
     tenant = getattr(request, "tenant", Tenant())
     trace = ""
-    span = Hub.current.scope.span
+    span = get_current_span()
     if span:
         trace = span.to_traceparent()
     return {

authentik/brands/views/webfinger.py

@@ -0,0 +1,29 @@
+from typing import Any
+
+from django.http import HttpRequest, HttpResponse, JsonResponse
+from django.views import View
+
+from authentik.brands.models import Brand, WebfingerProvider
+from authentik.core.models import Application
+
+
+class WebFingerView(View):
+    """Webfinger endpoint"""
+
+    def get(self, request: HttpRequest) -> HttpResponse:
+        brand: Brand = request.brand
+        if not brand.default_application:
+            return JsonResponse({})
+        application: Application = brand.default_application
+        provider = application.get_provider()
+        if not provider or not isinstance(provider, WebfingerProvider):
+            return JsonResponse({})
+        webfinger_data = provider.webfinger(request.GET.get("resource"), request)
+        return JsonResponse(webfinger_data)
+
+    def dispatch(self, request: HttpRequest, *args: Any, **kwargs: Any) -> HttpResponse:
+        response = super().dispatch(request, *args, **kwargs)
+        # RFC7033 spec
+        response["Access-Control-Allow-Origin"] = "*"
+        response["Content-Type"] = "application/jrd+json"
+        return response

authentik/core/api/applications.py

@@ -17,7 +17,6 @@ from rest_framework.fields import CharField, ReadOnlyField, SerializerMethodFiel
 from rest_framework.parsers import MultiPartParser
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger
 
@@ -26,6 +25,7 @@ from authentik.api.pagination import Pagination
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.core.api.providers import ProviderSerializer
 from authentik.core.api.used_by import UsedByMixin
+from authentik.core.api.utils import ModelSerializer
 from authentik.core.models import Application, User
 from authentik.events.logs import LogEventSerializer, capture_logs
 from authentik.events.models import EventAction
@@ -103,7 +103,12 @@ class ApplicationSerializer(ModelSerializer):
 class ApplicationViewSet(UsedByMixin, ModelViewSet):
     """Application Viewset"""
 
-    queryset = Application.objects.all().prefetch_related("provider")
+    queryset = (
+        Application.objects.all()
+        .with_provider()
+        .prefetch_related("policies")
+        .prefetch_related("backchannel_providers")
+    )
     serializer_class = ApplicationSerializer
     search_fields = [
         "name",
@@ -147,6 +152,15 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
                 applications.append(application)
         return applications
 
+    def _filter_applications_with_launch_url(
+        self, pagined_apps: Iterator[Application]
+    ) -> list[Application]:
+        applications = []
+        for app in pagined_apps:
+            if app.get_launch_url():
+                applications.append(app)
+        return applications
+
     @extend_schema(
         parameters=[
             OpenApiParameter(
@@ -204,6 +218,11 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
                 location=OpenApiParameter.QUERY,
                 type=OpenApiTypes.INT,
             ),
+            OpenApiParameter(
+                name="only_with_launch_url",
+                location=OpenApiParameter.QUERY,
+                type=OpenApiTypes.BOOL,
+            ),
         ]
     )
     def list(self, request: Request) -> Response:
@@ -216,6 +235,10 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
         if superuser_full_list and request.user.is_superuser:
             return super().list(request)
 
+        only_with_launch_url = str(
+            request.query_params.get("only_with_launch_url", "false")
+        ).lower()
+
         queryset = self._filter_queryset_for_list(self.get_queryset())
         paginator: Pagination = self.paginator
         paginated_apps = paginator.paginate_queryset(queryset, request)
@@ -251,6 +274,10 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
                     allowed_applications,
                     timeout=86400,
                 )
+
+        if only_with_launch_url == "true":
+            allowed_applications = self._filter_applications_with_launch_url(allowed_applications)
+
         serializer = self.get_serializer(allowed_applications, many=True)
         return self.get_paginated_response(serializer.data)
 

authentik/core/api/authenticated_sessions.py

@@ -8,12 +8,12 @@ from rest_framework import mixins
 from rest_framework.fields import SerializerMethodField
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.request import Request
-from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet
 from ua_parser import user_agent_parser
 
 from authentik.api.authorization import OwnerSuperuserPermissions
 from authentik.core.api.used_by import UsedByMixin
+from authentik.core.api.utils import ModelSerializer
 from authentik.core.models import AuthenticatedSession
 from authentik.events.context_processors.asn import ASN_CONTEXT_PROCESSOR, ASNDict
 from authentik.events.context_processors.geoip import GEOIP_CONTEXT_PROCESSOR, GeoIPDict

authentik/core/api/devices.py

@@ -2,7 +2,13 @@
 
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, extend_schema
-from rest_framework.fields import BooleanField, CharField, IntegerField, SerializerMethodField
+from rest_framework.fields import (
+    BooleanField,
+    CharField,
+    DateTimeField,
+    IntegerField,
+    SerializerMethodField,
+)
 from rest_framework.permissions import IsAdminUser, IsAuthenticated
 from rest_framework.request import Request
 from rest_framework.response import Response
@@ -20,6 +26,9 @@ class DeviceSerializer(MetaNameSerializer):
     name = CharField()
     type = SerializerMethodField()
     confirmed = BooleanField()
+    created = DateTimeField(read_only=True)
+    last_updated = DateTimeField(read_only=True)
+    last_used = DateTimeField(read_only=True, allow_null=True)
 
     def get_type(self, instance: Device) -> str:
         """Get type of device"""

authentik/core/api/groups.py

@@ -17,12 +17,12 @@ from rest_framework.decorators import action
 from rest_framework.fields import CharField, IntegerField, SerializerMethodField
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ListSerializer, ModelSerializer, ValidationError
+from rest_framework.serializers import ListSerializer, ValidationError
 from rest_framework.validators import UniqueValidator
 from rest_framework.viewsets import ModelViewSet
 
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import JSONDictField, PassiveSerializer
+from authentik.core.api.utils import JSONDictField, ModelSerializer, PassiveSerializer
 from authentik.core.models import Group, User
 from authentik.rbac.api.roles import RoleSerializer
 from authentik.rbac.decorators import permission_required

authentik/core/api/property_mappings.py

@@ -2,17 +2,23 @@
 
 from json import dumps
 
+from django_filters.filters import AllValuesMultipleFilter, BooleanFilter
+from django_filters.filterset import FilterSet
 from drf_spectacular.types import OpenApiTypes
-from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_schema
+from drf_spectacular.utils import (
+    OpenApiParameter,
+    OpenApiResponse,
+    extend_schema,
+    extend_schema_field,
+)
 from guardian.shortcuts import get_objects_for_user
 from rest_framework import mixins
 from rest_framework.decorators import action
 from rest_framework.exceptions import PermissionDenied
-from rest_framework.fields import BooleanField, CharField
+from rest_framework.fields import BooleanField, CharField, SerializerMethodField
 from rest_framework.relations import PrimaryKeyRelatedField
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ModelSerializer, SerializerMethodField
 from rest_framework.viewsets import GenericViewSet
 
 from authentik.blueprints.api import ManagedSerializer
@@ -20,6 +26,7 @@ from authentik.core.api.object_types import TypesMixin
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import (
     MetaNameSerializer,
+    ModelSerializer,
     PassiveSerializer,
 )
 from authentik.core.expression.evaluator import PropertyMappingEvaluator
@@ -67,6 +74,18 @@ class PropertyMappingSerializer(ManagedSerializer, ModelSerializer, MetaNameSeri
         ]
 
 
+class PropertyMappingFilterSet(FilterSet):
+    """Filter for PropertyMapping"""
+
+    managed = extend_schema_field(OpenApiTypes.STR)(AllValuesMultipleFilter(field_name="managed"))
+
+    managed__isnull = BooleanFilter(field_name="managed", lookup_expr="isnull")
+
+    class Meta:
+        model = PropertyMapping
+        fields = ["name", "managed"]
+
+
 class PropertyMappingViewSet(
     TypesMixin,
     mixins.RetrieveModelMixin,
@@ -87,11 +106,9 @@ class PropertyMappingViewSet(
 
     queryset = PropertyMapping.objects.select_subclasses()
     serializer_class = PropertyMappingSerializer
-    search_fields = [
-        "name",
-    ]
-    filterset_fields = {"managed": ["isnull"]}
+    filterset_class = PropertyMappingFilterSet
     ordering = ["name"]
+    search_fields = ["name"]
 
     @permission_required("authentik_core.view_propertymapping")
     @extend_schema(

authentik/core/api/providers.py

@@ -6,13 +6,12 @@ from django.utils.translation import gettext_lazy as _
 from django_filters.filters import BooleanFilter
 from django_filters.filterset import FilterSet
 from rest_framework import mixins
-from rest_framework.fields import ReadOnlyField
-from rest_framework.serializers import ModelSerializer, SerializerMethodField
+from rest_framework.fields import ReadOnlyField, SerializerMethodField
 from rest_framework.viewsets import GenericViewSet
 
 from authentik.core.api.object_types import TypesMixin
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import MetaNameSerializer
+from authentik.core.api.utils import MetaNameSerializer, ModelSerializer
 from authentik.core.models import Provider
 
 

authentik/core/api/sources.py

@@ -11,7 +11,6 @@ from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.parsers import MultiPartParser
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet
 from structlog.stdlib import get_logger
 
@@ -19,8 +18,8 @@ from authentik.api.authorization import OwnerFilter, OwnerSuperuserPermissions
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.core.api.object_types import TypesMixin
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import MetaNameSerializer
-from authentik.core.models import Source, UserSourceConnection
+from authentik.core.api.utils import MetaNameSerializer, ModelSerializer
+from authentik.core.models import GroupSourceConnection, Source, UserSourceConnection
 from authentik.core.types import UserSettingSerializer
 from authentik.lib.utils.file import (
     FilePathSerializer,
@@ -61,6 +60,8 @@ class SourceSerializer(ModelSerializer, MetaNameSerializer):
             "enabled",
             "authentication_flow",
             "enrollment_flow",
+            "user_property_mappings",
+            "group_property_mappings",
             "component",
             "verbose_name",
             "verbose_name_plural",
@@ -189,6 +190,47 @@ class UserSourceConnectionViewSet(
     queryset = UserSourceConnection.objects.all()
     serializer_class = UserSourceConnectionSerializer
     permission_classes = [OwnerSuperuserPermissions]
-    filterset_fields = ["user"]
+    filterset_fields = ["user", "source__slug"]
+    search_fields = ["source__slug"]
     filter_backends = [OwnerFilter, DjangoFilterBackend, OrderingFilter, SearchFilter]
-    ordering = ["pk"]
+    ordering = ["source__slug", "pk"]
+
+
+class GroupSourceConnectionSerializer(SourceSerializer):
+    """Group Source Connection Serializer"""
+
+    source = SourceSerializer(read_only=True)
+
+    class Meta:
+        model = GroupSourceConnection
+        fields = [
+            "pk",
+            "group",
+            "source",
+            "identifier",
+            "created",
+        ]
+        extra_kwargs = {
+            "group": {"read_only": True},
+            "identifier": {"read_only": True},
+            "created": {"read_only": True},
+        }
+
+
+class GroupSourceConnectionViewSet(
+    mixins.RetrieveModelMixin,
+    mixins.UpdateModelMixin,
+    mixins.DestroyModelMixin,
+    UsedByMixin,
+    mixins.ListModelMixin,
+    GenericViewSet,
+):
+    """Group-source connection Viewset"""
+
+    queryset = GroupSourceConnection.objects.all()
+    serializer_class = GroupSourceConnectionSerializer
+    permission_classes = [OwnerSuperuserPermissions]
+    filterset_fields = ["group", "source__slug"]
+    search_fields = ["source__slug"]
+    filter_backends = [OwnerFilter, DjangoFilterBackend, OrderingFilter, SearchFilter]
+    ordering = ["source__slug", "pk"]

authentik/core/api/tokens.py

@@ -12,7 +12,6 @@ from rest_framework.fields import CharField
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet
 
 from authentik.api.authorization import OwnerSuperuserPermissions
@@ -20,7 +19,7 @@ from authentik.blueprints.api import ManagedSerializer
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.users import UserSerializer
-from authentik.core.api.utils import PassiveSerializer
+from authentik.core.api.utils import ModelSerializer, PassiveSerializer
 from authentik.core.models import (
     USER_ATTRIBUTE_TOKEN_EXPIRING,
     USER_ATTRIBUTE_TOKEN_MAXIMUM_LIFETIME,
@@ -45,6 +44,13 @@ class TokenSerializer(ManagedSerializer, ModelSerializer):
         if SERIALIZER_CONTEXT_BLUEPRINT in self.context:
             self.fields["key"] = CharField(required=False)
 
+    def validate_user(self, user: User):
+        """Ensure user of token cannot be changed"""
+        if self.instance and self.instance.user_id:
+            if user.pk != self.instance.user_id:
+                raise ValidationError("User cannot be changed")
+        return user
+
     def validate(self, attrs: dict[Any, str]) -> dict[Any, str]:
         """Ensure only API or App password tokens are created."""
         request: Request = self.context.get("request")

authentik/core/api/used_by.py

@@ -14,6 +14,7 @@ from rest_framework.request import Request
 from rest_framework.response import Response
 
 from authentik.core.api.utils import PassiveSerializer
+from authentik.rbac.filters import ObjectFilter
 
 
 class DeleteAction(Enum):
@@ -53,7 +54,7 @@ class UsedByMixin:
     @extend_schema(
         responses={200: UsedBySerializer(many=True)},
     )
-    @action(detail=True, pagination_class=None, filter_backends=[])
+    @action(detail=True, pagination_class=None, filter_backends=[ObjectFilter])
     def used_by(self, request: Request, *args, **kwargs) -> Response:
         """Get a list of all objects that use this object"""
         model: Model = self.get_object()

authentik/core/api/users.py

@@ -5,6 +5,7 @@ from json import loads
 from typing import Any
 
 from django.contrib.auth import update_session_auth_hash
+from django.contrib.auth.models import Permission
 from django.contrib.sessions.backends.cache import KEY_PREFIX
 from django.core.cache import cache
 from django.db.models.functions import ExtractHour
@@ -33,16 +34,21 @@ from drf_spectacular.utils import (
 )
 from guardian.shortcuts import get_objects_for_user
 from rest_framework.decorators import action
-from rest_framework.fields import CharField, IntegerField, ListField, SerializerMethodField
+from rest_framework.exceptions import ValidationError
+from rest_framework.fields import (
+    BooleanField,
+    CharField,
+    ChoiceField,
+    DateTimeField,
+    IntegerField,
+    ListField,
+    SerializerMethodField,
+)
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import (
-    BooleanField,
-    DateTimeField,
     ListSerializer,
-    ModelSerializer,
     PrimaryKeyRelatedField,
-    ValidationError,
 )
 from rest_framework.validators import UniqueValidator
 from rest_framework.viewsets import ModelViewSet
@@ -52,7 +58,12 @@ from authentik.admin.api.metrics import CoordinateSerializer
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.brands.models import Brand
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import JSONDictField, LinkSerializer, PassiveSerializer
+from authentik.core.api.utils import (
+    JSONDictField,
+    LinkSerializer,
+    ModelSerializer,
+    PassiveSerializer,
+)
 from authentik.core.middleware import (
     SESSION_KEY_IMPERSONATE_ORIGINAL_USER,
     SESSION_KEY_IMPERSONATE_USER,
@@ -74,6 +85,7 @@ from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlanner
 from authentik.flows.views.executor import QS_KEY_TOKEN
 from authentik.lib.avatars import get_avatar
 from authentik.rbac.decorators import permission_required
+from authentik.rbac.models import get_permission_choices
 from authentik.stages.email.models import EmailStage
 from authentik.stages.email.tasks import send_mails
 from authentik.stages.email.utils import TemplateEmailMessage
@@ -137,12 +149,19 @@ class UserSerializer(ModelSerializer):
         super().__init__(*args, **kwargs)
         if SERIALIZER_CONTEXT_BLUEPRINT in self.context:
             self.fields["password"] = CharField(required=False, allow_null=True)
+            self.fields["permissions"] = ListField(
+                required=False, child=ChoiceField(choices=get_permission_choices())
+            )
 
     def create(self, validated_data: dict) -> User:
         """If this serializer is used in the blueprint context, we allow for
         directly setting a password. However should be done via the `set_password`
         method instead of directly setting it like rest_framework."""
         password = validated_data.pop("password", None)
+        permissions = Permission.objects.filter(
+            codename__in=[x.split(".")[1] for x in validated_data.pop("permissions", [])]
+        )
+        validated_data["user_permissions"] = permissions
         instance: User = super().create(validated_data)
         self._set_password(instance, password)
         return instance
@@ -151,6 +170,10 @@ class UserSerializer(ModelSerializer):
         """Same as `create` above, set the password directly if we're in a blueprint
         context"""
         password = validated_data.pop("password", None)
+        permissions = Permission.objects.filter(
+            codename__in=[x.split(".")[1] for x in validated_data.pop("permissions", [])]
+        )
+        validated_data["user_permissions"] = permissions
         instance = super().update(instance, validated_data)
         self._set_password(instance, password)
         return instance

authentik/core/api/utils.py

@@ -12,9 +12,12 @@ from rest_framework.fields import (
     JSONField,
     SerializerMethodField,
 )
+from rest_framework.serializers import ModelSerializer as BaseModelSerializer
 from rest_framework.serializers import (
     Serializer,
     ValidationError,
+    model_meta,
+    raise_errors_on_nested_writes,
 )
 
 
@@ -25,6 +28,39 @@ def is_dict(value: Any):
     raise ValidationError("Value must be a dictionary, and not have any duplicate keys.")
 
 
+class ModelSerializer(BaseModelSerializer):
+
+    def update(self, instance: Model, validated_data):
+        raise_errors_on_nested_writes("update", self, validated_data)
+        info = model_meta.get_field_info(instance)
+
+        # Simply set each attribute on the instance, and then save it.
+        # Note that unlike `.create()` we don't need to treat many-to-many
+        # relationships as being a special case. During updates we already
+        # have an instance pk for the relationships to be associated with.
+        m2m_fields = []
+        for attr, value in validated_data.items():
+            if attr in info.relations and info.relations[attr].to_many:
+                m2m_fields.append((attr, value))
+            else:
+                setattr(instance, attr, value)
+
+        instance.save()
+
+        # Note that many-to-many fields are set after updating instance.
+        # Setting m2m fields triggers signals which could potentially change
+        # updated instance and we do not want it to collide with .update()
+        for attr, value in m2m_fields:
+            field = getattr(instance, attr)
+            # We can't check for inheritance here as m2m managers are generated dynamically
+            if field.__class__.__name__ == "RelatedManager":
+                field.set(value, bulk=False)
+            else:
+                field.set(value)
+
+        return instance
+
+
 class JSONDictField(JSONField):
     """JSON Field which only allows dictionaries"""
 

authentik/core/expression/evaluator.py

@@ -76,8 +76,11 @@ class PropertyMappingEvaluator(BaseEvaluator):
         )
         if "request" in self._context:
             req: PolicyRequest = self._context["request"]
-            event.from_http(req.http_request, req.user)
-            return
+            if req.http_request:
+                event.from_http(req.http_request, req.user)
+                return
+            elif req.user:
+                event.set_user(req.user)
         event.save()
 
     def evaluate(self, *args, **kwargs) -> Any:

authentik/core/expression/exceptions.py

@@ -1,5 +1,6 @@
 """authentik core exceptions"""
 
+from authentik.lib.expression.exceptions import ControlFlowException
 from authentik.lib.sentry import SentryIgnoredException
 
 
@@ -12,7 +13,7 @@ class PropertyMappingExpressionException(SentryIgnoredException):
         self.mapping = mapping
 
 
-class SkipObjectException(PropertyMappingExpressionException):
+class SkipObjectException(ControlFlowException):
     """Exception which can be raised in a property mapping to skip syncing an object.
     Only applies to Property mappings which sync objects, and not on mappings which transitively
     apply to a single user"""

authentik/core/management/commands/change_user_type.py

@@ -0,0 +1,28 @@
+"""Change user type"""
+
+from authentik.core.models import User, UserTypes
+from authentik.tenants.management import TenantCommand
+
+
+class Command(TenantCommand):
+    """Change user type"""
+
+    def add_arguments(self, parser):
+        parser.add_argument("--type", type=str, required=True)
+        parser.add_argument("--all", action="store_true")
+        parser.add_argument("usernames", nargs="+", type=str)
+
+    def handle_per_tenant(self, **options):
+        new_type = UserTypes(options["type"])
+        qs = (
+            User.objects.exclude_anonymous()
+            .exclude(type=UserTypes.SERVICE_ACCOUNT)
+            .exclude(type=UserTypes.INTERNAL_SERVICE_ACCOUNT)
+        )
+        if options["usernames"] and options["all"]:
+            self.stderr.write("--all and usernames specified, only one can be specified")
+            return
+        if options["usernames"] and not options["all"]:
+            qs = qs.filter(username__in=options["usernames"])
+        updated = qs.update(type=new_type)
+        self.stdout.write(f"Updated {updated} users.")

authentik/core/migrations/0029_provider_backchannel_applications_and_more.py

@@ -7,12 +7,13 @@ from django.db.backends.base.schema import BaseDatabaseSchemaEditor
 
 
 def backport_is_backchannel(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
+    db_alias = schema_editor.connection.alias
     from authentik.providers.ldap.models import LDAPProvider
     from authentik.providers.scim.models import SCIMProvider
 
     for model in [LDAPProvider, SCIMProvider]:
         try:
-            for obj in model.objects.only("is_backchannel"):
+            for obj in model.objects.using(db_alias).only("is_backchannel"):
                 obj.is_backchannel = True
                 obj.save()
         except (DatabaseError, InternalError, ProgrammingError):

authentik/core/migrations/0036_source_group_property_mappings_and_more.py

@@ -0,0 +1,43 @@
+# Generated by Django 5.0.2 on 2024-02-29 11:05
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0035_alter_group_options_and_more"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="source",
+            name="group_property_mappings",
+            field=models.ManyToManyField(
+                blank=True,
+                default=None,
+                related_name="source_grouppropertymappings_set",
+                to="authentik_core.propertymapping",
+            ),
+        ),
+        migrations.AddField(
+            model_name="source",
+            name="user_property_mappings",
+            field=models.ManyToManyField(
+                blank=True,
+                default=None,
+                related_name="source_userpropertymappings_set",
+                to="authentik_core.propertymapping",
+            ),
+        ),
+        migrations.AlterField(
+            model_name="source",
+            name="property_mappings",
+            field=models.ManyToManyField(
+                blank=True,
+                default=None,
+                related_name="source_set",
+                to="authentik_core.propertymapping",
+            ),
+        ),
+    ]

authentik/core/migrations/0037_remove_source_property_mappings.py

@@ -0,0 +1,18 @@
+# Generated by Django 5.0.2 on 2024-02-29 11:21
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_sources_ldap", "0005_remove_ldappropertymapping_object_field_and_more"),
+        ("authentik_core", "0036_source_group_property_mappings_and_more"),
+    ]
+
+    operations = [
+        migrations.RemoveField(
+            model_name="source",
+            name="property_mappings",
+        ),
+    ]

authentik/core/migrations/0038_source_authentik_c_enabled_d72365_idx.py

@@ -0,0 +1,19 @@
+# Generated by Django 5.0.7 on 2024-07-22 13:32
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0037_remove_source_property_mappings"),
+        ("authentik_flows", "0027_auto_20231028_1424"),
+        ("authentik_policies", "0011_policybinding_failure_result_and_more"),
+    ]
+
+    operations = [
+        migrations.AddIndex(
+            model_name="source",
+            index=models.Index(fields=["enabled"], name="authentik_c_enabled_d72365_idx"),
+        ),
+    ]

authentik/core/migrations/0039_source_group_matching_mode_alter_group_name_and_more.py

@@ -0,0 +1,67 @@
+# Generated by Django 5.0.7 on 2024-08-01 18:52
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0038_source_authentik_c_enabled_d72365_idx"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="source",
+            name="group_matching_mode",
+            field=models.TextField(
+                choices=[
+                    ("identifier", "Use the source-specific identifier"),
+                    (
+                        "name_link",
+                        "Link to a group with identical name. Can have security implications when a group name is used with another source.",
+                    ),
+                    (
+                        "name_deny",
+                        "Use the group name, but deny enrollment when the name already exists.",
+                    ),
+                ],
+                default="identifier",
+                help_text="How the source determines if an existing group should be used or a new group created.",
+            ),
+        ),
+        migrations.AlterField(
+            model_name="group",
+            name="name",
+            field=models.TextField(verbose_name="name"),
+        ),
+        migrations.CreateModel(
+            name="GroupSourceConnection",
+            fields=[
+                (
+                    "id",
+                    models.AutoField(
+                        auto_created=True, primary_key=True, serialize=False, verbose_name="ID"
+                    ),
+                ),
+                ("created", models.DateTimeField(auto_now_add=True)),
+                ("last_updated", models.DateTimeField(auto_now=True)),
+                ("identifier", models.TextField()),
+                (
+                    "group",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE, to="authentik_core.group"
+                    ),
+                ),
+                (
+                    "source",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE, to="authentik_core.source"
+                    ),
+                ),
+            ],
+            options={
+                "unique_together": {("group", "source")},
+            },
+        ),
+    ]

authentik/core/models.py

@@ -11,6 +11,7 @@ from django.contrib.auth.models import AbstractUser
 from django.contrib.auth.models import UserManager as DjangoUserManager
 from django.db import models
 from django.db.models import Q, QuerySet, options
+from django.db.models.constants import LOOKUP_SEP
 from django.http import HttpRequest
 from django.utils.functional import SimpleLazyObject, cached_property
 from django.utils.timezone import now
@@ -26,7 +27,9 @@ from authentik.blueprints.models import ManagedModel
 from authentik.core.expression.exceptions import PropertyMappingExpressionException
 from authentik.core.types import UILoginButton, UserSettingSerializer
 from authentik.lib.avatars import get_avatar
+from authentik.lib.expression.exceptions import ControlFlowException
 from authentik.lib.generators import generate_id
+from authentik.lib.merge import MERGE_LIST_UNIQUE
 from authentik.lib.models import (
     CreatedUpdatedModel,
     DomainlessFormattedURLValidator,
@@ -99,6 +102,38 @@ class UserTypes(models.TextChoices):
     INTERNAL_SERVICE_ACCOUNT = "internal_service_account"
 
 
+class AttributesMixin(models.Model):
+    """Adds an attributes property to a model"""
+
+    attributes = models.JSONField(default=dict, blank=True)
+
+    class Meta:
+        abstract = True
+
+    def update_attributes(self, properties: dict[str, Any]):
+        """Update fields and attributes, but correctly by merging dicts"""
+        for key, value in properties.items():
+            if key == "attributes":
+                continue
+            setattr(self, key, value)
+        final_attributes = {}
+        MERGE_LIST_UNIQUE.merge(final_attributes, self.attributes)
+        MERGE_LIST_UNIQUE.merge(final_attributes, properties.get("attributes", {}))
+        self.attributes = final_attributes
+        self.save()
+
+    @classmethod
+    def update_or_create_attributes(
+        cls, query: dict[str, Any], properties: dict[str, Any]
+    ) -> tuple[models.Model, bool]:
+        """Same as django's update_or_create but correctly updates attributes by merging dicts"""
+        instance = cls.objects.filter(**query).first()
+        if not instance:
+            return cls.objects.create(**properties), True
+        instance.update_attributes(properties)
+        return instance, False
+
+
 class GroupQuerySet(CTEQuerySet):
     def with_children_recursive(self):
         """Recursively get all groups that have the current queryset as parents
@@ -133,12 +168,12 @@ class GroupQuerySet(CTEQuerySet):
         return cte.join(Group, group_uuid=cte.col.group_uuid).with_cte(cte)
 
 
-class Group(SerializerModel):
+class Group(SerializerModel, AttributesMixin):
     """Group model which supports a basic hierarchy and has attributes"""
 
     group_uuid = models.UUIDField(primary_key=True, editable=False, default=uuid4)
 
-    name = models.CharField(_("name"), max_length=80)
+    name = models.TextField(_("name"))
     is_superuser = models.BooleanField(
         default=False, help_text=_("Users added to this group will be superusers.")
     )
@@ -153,10 +188,27 @@ class Group(SerializerModel):
         on_delete=models.SET_NULL,
         related_name="children",
     )
-    attributes = models.JSONField(default=dict, blank=True)
 
     objects = GroupQuerySet.as_manager()
 
+    class Meta:
+        unique_together = (
+            (
+                "name",
+                "parent",
+            ),
+        )
+        indexes = [models.Index(fields=["name"])]
+        verbose_name = _("Group")
+        verbose_name_plural = _("Groups")
+        permissions = [
+            ("add_user_to_group", _("Add user to group")),
+            ("remove_user_from_group", _("Remove user from group")),
+        ]
+
+    def __str__(self):
+        return f"Group {self.name}"
+
     @property
     def serializer(self) -> Serializer:
         from authentik.core.api.groups import GroupSerializer
@@ -181,24 +233,6 @@ class Group(SerializerModel):
             qs = Group.objects.filter(group_uuid=self.group_uuid)
         return qs.with_children_recursive()
 
-    def __str__(self):
-        return f"Group {self.name}"
-
-    class Meta:
-        unique_together = (
-            (
-                "name",
-                "parent",
-            ),
-        )
-        indexes = [models.Index(fields=["name"])]
-        verbose_name = _("Group")
-        verbose_name_plural = _("Groups")
-        permissions = [
-            ("add_user_to_group", _("Add user to group")),
-            ("remove_user_from_group", _("Remove user from group")),
-        ]
-
 
 class UserQuerySet(models.QuerySet):
     """User queryset"""
@@ -224,7 +258,7 @@ class UserManager(DjangoUserManager):
         return self.get_queryset().exclude_anonymous()
 
 
-class User(SerializerModel, GuardianUserMixin, AbstractUser):
+class User(SerializerModel, GuardianUserMixin, AttributesMixin, AbstractUser):
     """authentik User model, based on django's contrib auth user model."""
 
     uuid = models.UUIDField(default=uuid4, editable=False, unique=True)
@@ -236,10 +270,30 @@ class User(SerializerModel, GuardianUserMixin, AbstractUser):
     ak_groups = models.ManyToManyField("Group", related_name="users")
     password_change_date = models.DateTimeField(auto_now_add=True)
 
-    attributes = models.JSONField(default=dict, blank=True)
-
     objects = UserManager()
 
+    class Meta:
+        verbose_name = _("User")
+        verbose_name_plural = _("Users")
+        permissions = [
+            ("reset_user_password", _("Reset Password")),
+            ("impersonate", _("Can impersonate other users")),
+            ("assign_user_permissions", _("Can assign permissions to users")),
+            ("unassign_user_permissions", _("Can unassign permissions from users")),
+            ("preview_user", _("Can preview user data sent to providers")),
+            ("view_user_applications", _("View applications the user has access to")),
+        ]
+        indexes = [
+            models.Index(fields=["last_login"]),
+            models.Index(fields=["password_change_date"]),
+            models.Index(fields=["uuid"]),
+            models.Index(fields=["path"]),
+            models.Index(fields=["type"]),
+        ]
+
+    def __str__(self):
+        return self.username
+
     @staticmethod
     def default_path() -> str:
         """Get the default user path"""
@@ -321,25 +375,6 @@ class User(SerializerModel, GuardianUserMixin, AbstractUser):
         """Get avatar, depending on authentik.avatar setting"""
         return get_avatar(self)
 
-    class Meta:
-        verbose_name = _("User")
-        verbose_name_plural = _("Users")
-        permissions = [
-            ("reset_user_password", _("Reset Password")),
-            ("impersonate", _("Can impersonate other users")),
-            ("assign_user_permissions", _("Can assign permissions to users")),
-            ("unassign_user_permissions", _("Can unassign permissions from users")),
-            ("preview_user", _("Can preview user data sent to providers")),
-            ("view_user_applications", _("View applications the user has access to")),
-        ]
-        indexes = [
-            models.Index(fields=["last_login"]),
-            models.Index(fields=["password_change_date"]),
-            models.Index(fields=["uuid"]),
-            models.Index(fields=["path"]),
-            models.Index(fields=["type"]),
-        ]
-
 
 class Provider(SerializerModel):
     """Application-independent Provider instance. For example SAML2 Remote, OAuth2 Application"""
@@ -427,6 +462,16 @@ class BackchannelProvider(Provider):
         abstract = True
 
 
+class ApplicationQuerySet(QuerySet):
+    def with_provider(self) -> "QuerySet[Application]":
+        qs = self.select_related("provider")
+        for subclass in Provider.objects.get_queryset()._get_subclasses_recurse(Provider):
+            if LOOKUP_SEP in subclass:
+                continue
+            qs = qs.select_related(f"provider__{subclass}")
+        return qs
+
+
 class Application(SerializerModel, PolicyBindingModel):
     """Every Application which uses authentik for authentication/identification/authorization
     needs an Application record. Other authentication types can subclass this Model to
@@ -458,6 +503,8 @@ class Application(SerializerModel, PolicyBindingModel):
     meta_description = models.TextField(default="", blank=True)
     meta_publisher = models.TextField(default="", blank=True)
 
+    objects = ApplicationQuerySet.as_manager()
+
     @property
     def serializer(self) -> Serializer:
         from authentik.core.api.applications import ApplicationSerializer
@@ -494,16 +541,19 @@ class Application(SerializerModel, PolicyBindingModel):
         return url
 
     def get_provider(self) -> Provider | None:
-        """Get casted provider instance"""
+        """Get casted provider instance. Needs Application queryset with_provider"""
         if not self.provider:
             return None
-        # if the Application class has been cache, self.provider is set
-        # but doing a direct query lookup will fail.
-        # In that case, just return None
-        try:
-            return Provider.objects.get_subclass(pk=self.provider.pk)
-        except Provider.DoesNotExist:
-            return None
+
+        for subclass in Provider.objects.get_queryset()._get_subclasses_recurse(Provider):
+            # We don't care about recursion, skip nested models
+            if LOOKUP_SEP in subclass:
+                continue
+            try:
+                return getattr(self.provider, subclass)
+            except AttributeError:
+                pass
+        return None
 
     def __str__(self):
         return str(self.name)
@@ -533,6 +583,19 @@ class SourceUserMatchingModes(models.TextChoices):
     )
 
 
+class SourceGroupMatchingModes(models.TextChoices):
+    """Different modes a source can handle new/returning groups"""
+
+    IDENTIFIER = "identifier", _("Use the source-specific identifier")
+    NAME_LINK = "name_link", _(
+        "Link to a group with identical name. Can have security implications "
+        "when a group name is used with another source."
+    )
+    NAME_DENY = "name_deny", _(
+        "Use the group name, but deny enrollment when the name already exists."
+    )
+
+
 class Source(ManagedModel, SerializerModel, PolicyBindingModel):
     """Base Authentication source, i.e. an OAuth Provider, SAML Remote or LDAP Server"""
 
@@ -542,7 +605,12 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
     user_path_template = models.TextField(default="goauthentik.io/sources/%(slug)s")
 
     enabled = models.BooleanField(default=True)
-    property_mappings = models.ManyToManyField("PropertyMapping", default=None, blank=True)
+    user_property_mappings = models.ManyToManyField(
+        "PropertyMapping", default=None, blank=True, related_name="source_userpropertymappings_set"
+    )
+    group_property_mappings = models.ManyToManyField(
+        "PropertyMapping", default=None, blank=True, related_name="source_grouppropertymappings_set"
+    )
     icon = models.FileField(
         upload_to="source-icons/",
         default=None,
@@ -577,6 +645,14 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
             "a new user enrolled."
         ),
     )
+    group_matching_mode = models.TextField(
+        choices=SourceGroupMatchingModes.choices,
+        default=SourceGroupMatchingModes.IDENTIFIER,
+        help_text=_(
+            "How the source determines if an existing group should be used or "
+            "a new group created."
+        ),
+    )
 
     objects = InheritanceManager()
 
@@ -606,6 +682,11 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
         """Return component used to edit this object"""
         raise NotImplementedError
 
+    @property
+    def property_mapping_type(self) -> "type[PropertyMapping]":
+        """Return property mapping type used by this object"""
+        raise NotImplementedError
+
     def ui_login_button(self, request: HttpRequest) -> UILoginButton | None:
         """If source uses a http-based flow, return UI Information about the login
         button. If source doesn't use http-based flow, return None."""
@@ -616,6 +697,14 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
         user settings are available, or UserSettingSerializer."""
         return None
 
+    def get_base_user_properties(self, **kwargs) -> dict[str, Any | dict[str, Any]]:
+        """Get base properties for a user to build final properties upon."""
+        raise NotImplementedError
+
+    def get_base_group_properties(self, **kwargs) -> dict[str, Any | dict[str, Any]]:
+        """Get base properties for a group to build final properties upon."""
+        raise NotImplementedError
+
     def __str__(self):
         return str(self.name)
 
@@ -631,6 +720,11 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
                     "name",
                 ]
             ),
+            models.Index(
+                fields=[
+                    "enabled",
+                ]
+            ),
         ]
 
 
@@ -654,6 +748,27 @@ class UserSourceConnection(SerializerModel, CreatedUpdatedModel):
         unique_together = (("user", "source"),)
 
 
+class GroupSourceConnection(SerializerModel, CreatedUpdatedModel):
+    """Connection between Group and Source."""
+
+    group = models.ForeignKey(Group, on_delete=models.CASCADE)
+    source = models.ForeignKey(Source, on_delete=models.CASCADE)
+    identifier = models.TextField()
+
+    objects = InheritanceManager()
+
+    @property
+    def serializer(self) -> type[Serializer]:
+        """Get serializer for this model"""
+        raise NotImplementedError
+
+    def __str__(self) -> str:
+        return f"Group-source connection (group={self.group_id}, source={self.source_id})"
+
+    class Meta:
+        unique_together = (("group", "source"),)
+
+
 class ExpiringModel(models.Model):
     """Base Model which can expire, and is automatically cleaned up."""
 
@@ -783,6 +898,8 @@ class PropertyMapping(SerializerModel, ManagedModel):
         evaluator = PropertyMappingEvaluator(self, user, request, **kwargs)
         try:
             return evaluator.evaluate(self.expression)
+        except ControlFlowException as exc:
+            raise exc
         except Exception as exc:
             raise PropertyMappingExpressionException(self, exc) from exc
 

authentik/core/signals.py

@@ -52,6 +52,8 @@ def user_logged_in_session(sender, request: HttpRequest, user: User, **_):
 @receiver(user_logged_out)
 def user_logged_out_session(sender, request: HttpRequest, user: User, **_):
     """Delete AuthenticatedSession if it exists"""
+    if not request.session or not request.session.session_key:
+        return
     AuthenticatedSession.objects.filter(session_key=request.session.session_key).delete()
 
 

authentik/core/sources/flow_manager.py

@@ -4,7 +4,7 @@ from enum import Enum
 from typing import Any
 
 from django.contrib import messages
-from django.db import IntegrityError
+from django.db import IntegrityError, transaction
 from django.db.models.query_utils import Q
 from django.http import HttpRequest, HttpResponse
 from django.shortcuts import redirect
@@ -12,8 +12,20 @@ from django.urls import reverse
 from django.utils.translation import gettext as _
 from structlog.stdlib import get_logger
 
-from authentik.core.models import Source, SourceUserMatchingModes, User, UserSourceConnection
-from authentik.core.sources.stage import PLAN_CONTEXT_SOURCES_CONNECTION, PostSourceStage
+from authentik.core.models import (
+    Group,
+    GroupSourceConnection,
+    Source,
+    SourceGroupMatchingModes,
+    SourceUserMatchingModes,
+    User,
+    UserSourceConnection,
+)
+from authentik.core.sources.mapper import SourceMapper
+from authentik.core.sources.stage import (
+    PLAN_CONTEXT_SOURCES_CONNECTION,
+    PostSourceStage,
+)
 from authentik.events.models import Event, EventAction
 from authentik.flows.exceptions import FlowNonApplicableException
 from authentik.flows.models import Flow, FlowToken, Stage, in_memory_stage
@@ -36,7 +48,10 @@ from authentik.stages.password.stage import PLAN_CONTEXT_AUTHENTICATION_BACKEND
 from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
 from authentik.stages.user_write.stage import PLAN_CONTEXT_USER_PATH
 
+LOGGER = get_logger()
+
 SESSION_KEY_OVERRIDE_FLOW_TOKEN = "authentik/flows/source_override_flow_token"  # nosec
+PLAN_CONTEXT_SOURCE_GROUPS = "source_groups"
 
 
 class Action(Enum):
@@ -70,48 +85,69 @@ class SourceFlowManager:
     or deny the request."""
 
     source: Source
+    mapper: SourceMapper
     request: HttpRequest
 
     identifier: str
 
-    connection_type: type[UserSourceConnection] = UserSourceConnection
+    user_connection_type: type[UserSourceConnection] = UserSourceConnection
+    group_connection_type: type[GroupSourceConnection] = GroupSourceConnection
 
-    enroll_info: dict[str, Any]
+    user_info: dict[str, Any]
     policy_context: dict[str, Any]
+    user_properties: dict[str, Any | dict[str, Any]]
+    groups_properties: dict[str, dict[str, Any | dict[str, Any]]]
 
     def __init__(
         self,
         source: Source,
         request: HttpRequest,
         identifier: str,
-        enroll_info: dict[str, Any],
+        user_info: dict[str, Any],
+        policy_context: dict[str, Any],
     ) -> None:
         self.source = source
+        self.mapper = SourceMapper(self.source)
         self.request = request
         self.identifier = identifier
-        self.enroll_info = enroll_info
+        self.user_info = user_info
         self._logger = get_logger().bind(source=source, identifier=identifier)
-        self.policy_context = {}
+        self.policy_context = policy_context
+
+        self.user_properties = self.mapper.build_object_properties(
+            object_type=User, request=request, user=None, **self.user_info
+        )
+        self.groups_properties = {
+            group_id: self.mapper.build_object_properties(
+                object_type=Group,
+                request=request,
+                user=None,
+                group_id=group_id,
+                **self.user_info,
+            )
+            for group_id in self.user_properties.setdefault("groups", [])
+        }
+        del self.user_properties["groups"]
 
     def get_action(self, **kwargs) -> tuple[Action, UserSourceConnection | None]:  # noqa: PLR0911
         """decide which action should be taken"""
-        new_connection = self.connection_type(source=self.source, identifier=self.identifier)
+        new_connection = self.user_connection_type(source=self.source, identifier=self.identifier)
         # When request is authenticated, always link
         if self.request.user.is_authenticated:
             new_connection.user = self.request.user
-            new_connection = self.update_connection(new_connection, **kwargs)
+            new_connection = self.update_user_connection(new_connection, **kwargs)
             return Action.LINK, new_connection
 
-        existing_connections = self.connection_type.objects.filter(
+        existing_connections = self.user_connection_type.objects.filter(
             source=self.source, identifier=self.identifier
         )
         if existing_connections.exists():
             connection = existing_connections.first()
-            return Action.AUTH, self.update_connection(connection, **kwargs)
+            return Action.AUTH, self.update_user_connection(connection, **kwargs)
         # No connection exists, but we match on identifier, so enroll
         if self.source.user_matching_mode == SourceUserMatchingModes.IDENTIFIER:
             # We don't save the connection here cause it doesn't have a user assigned yet
-            return Action.ENROLL, self.update_connection(new_connection, **kwargs)
+            return Action.ENROLL, self.update_user_connection(new_connection, **kwargs)
 
         # Check for existing users with matching attributes
         query = Q()
@@ -120,24 +156,24 @@ class SourceFlowManager:
             SourceUserMatchingModes.EMAIL_LINK,
             SourceUserMatchingModes.EMAIL_DENY,
         ]:
-            if not self.enroll_info.get("email", None):
-                self._logger.warning("Refusing to use none email", source=self.source)
+            if not self.user_properties.get("email", None):
+                self._logger.warning("Refusing to use none email")
                 return Action.DENY, None
-            query = Q(email__exact=self.enroll_info.get("email", None))
+            query = Q(email__exact=self.user_properties.get("email", None))
         if self.source.user_matching_mode in [
             SourceUserMatchingModes.USERNAME_LINK,
             SourceUserMatchingModes.USERNAME_DENY,
         ]:
-            if not self.enroll_info.get("username", None):
-                self._logger.warning("Refusing to use none username", source=self.source)
+            if not self.user_properties.get("username", None):
+                self._logger.warning("Refusing to use none username")
                 return Action.DENY, None
-            query = Q(username__exact=self.enroll_info.get("username", None))
+            query = Q(username__exact=self.user_properties.get("username", None))
         self._logger.debug("trying to link with existing user", query=query)
         matching_users = User.objects.filter(query)
         # No matching users, always enroll
         if not matching_users.exists():
             self._logger.debug("no matching users found, enrolling")
-            return Action.ENROLL, self.update_connection(new_connection, **kwargs)
+            return Action.ENROLL, self.update_user_connection(new_connection, **kwargs)
 
         user = matching_users.first()
         if self.source.user_matching_mode in [
@@ -145,7 +181,7 @@ class SourceFlowManager:
             SourceUserMatchingModes.USERNAME_LINK,
         ]:
             new_connection.user = user
-            new_connection = self.update_connection(new_connection, **kwargs)
+            new_connection = self.update_user_connection(new_connection, **kwargs)
             return Action.LINK, new_connection
         if self.source.user_matching_mode in [
             SourceUserMatchingModes.EMAIL_DENY,
@@ -156,10 +192,10 @@ class SourceFlowManager:
         # Should never get here as default enroll case is returned above.
         return Action.DENY, None  # pragma: no cover
 
-    def update_connection(
+    def update_user_connection(
         self, connection: UserSourceConnection, **kwargs
     ) -> UserSourceConnection:  # pragma: no cover
-        """Optionally make changes to the connection after it is looked up/created."""
+        """Optionally make changes to the user connection after it is looked up/created."""
         return connection
 
     def get_flow(self, **kwargs) -> HttpResponse:
@@ -212,28 +248,34 @@ class SourceFlowManager:
 
     def _prepare_flow(
         self,
-        flow: Flow,
+        flow: Flow | None,
         connection: UserSourceConnection,
         stages: list[StageView] | None = None,
-        **kwargs,
+        **flow_context,
     ) -> HttpResponse:
         """Prepare Authentication Plan, redirect user FlowExecutor"""
-        kwargs.update(
+        # Ensure redirect is carried through when user was trying to
+        # authorize application
+        final_redirect = self.request.session.get(SESSION_KEY_GET, {}).get(
+            NEXT_ARG_NAME, "authentik_core:if-user"
+        )
+        flow_context.update(
             {
                 # Since we authenticate the user by their token, they have no backend set
                 PLAN_CONTEXT_AUTHENTICATION_BACKEND: BACKEND_INBUILT,
                 PLAN_CONTEXT_SSO: True,
                 PLAN_CONTEXT_SOURCE: self.source,
                 PLAN_CONTEXT_SOURCES_CONNECTION: connection,
+                PLAN_CONTEXT_SOURCE_GROUPS: self.groups_properties,
             }
         )
-        kwargs.update(self.policy_context)
+        flow_context.update(self.policy_context)
         if SESSION_KEY_OVERRIDE_FLOW_TOKEN in self.request.session:
             token: FlowToken = self.request.session.get(SESSION_KEY_OVERRIDE_FLOW_TOKEN)
             self._logger.info("Replacing source flow with overridden flow", flow=token.flow.slug)
             plan = token.plan
             plan.context[PLAN_CONTEXT_IS_RESTORED] = token
-            plan.context.update(kwargs)
+            plan.context.update(flow_context)
             for stage in self.get_stages_to_append(flow):
                 plan.append_stage(stage)
             if stages:
@@ -252,8 +294,8 @@ class SourceFlowManager:
         final_redirect = self.request.session.get(SESSION_KEY_GET, {}).get(
             NEXT_ARG_NAME, "authentik_core:if-user"
         )
-        if PLAN_CONTEXT_REDIRECT not in kwargs:
-            kwargs[PLAN_CONTEXT_REDIRECT] = final_redirect
+        if PLAN_CONTEXT_REDIRECT not in flow_context:
+            flow_context[PLAN_CONTEXT_REDIRECT] = final_redirect
 
         if not flow:
             return bad_request_message(
@@ -265,9 +307,12 @@ class SourceFlowManager:
         # We append some stages so the initial flow we get might be empty
         planner.allow_empty_flows = True
         planner.use_cache = False
-        plan = planner.plan(self.request, kwargs)
+        plan = planner.plan(self.request, flow_context)
         for stage in self.get_stages_to_append(flow):
             plan.append_stage(stage)
+        plan.append_stage(
+            in_memory_stage(GroupUpdateStage, group_connection_type=self.group_connection_type)
+        )
         if stages:
             for stage in stages:
                 plan.append_stage(stage)
@@ -309,7 +354,9 @@ class SourceFlowManager:
         # When request isn't authenticated we jump straight to auth
         if not self.request.user.is_authenticated:
             return self.handle_auth(connection)
-        # Connection has already been saved
+        if SESSION_KEY_OVERRIDE_FLOW_TOKEN in self.request.session:
+            return self._prepare_flow(None, connection)
+        connection.save()
         Event.new(
             EventAction.SOURCE_LINKED,
             message="Linked Source",
@@ -352,7 +399,123 @@ class SourceFlowManager:
                 )
             ],
             **{
-                PLAN_CONTEXT_PROMPT: delete_none_values(self.enroll_info),
+                PLAN_CONTEXT_PROMPT: delete_none_values(self.user_properties),
                 PLAN_CONTEXT_USER_PATH: self.source.get_user_path(),
             },
         )
+
+
+class GroupUpdateStage(StageView):
+    """Dynamically injected stage which updates the user after enrollment/authentication."""
+
+    def get_action(
+        self, group_id: str, group_properties: dict[str, Any | dict[str, Any]]
+    ) -> tuple[Action, GroupSourceConnection | None]:
+        """decide which action should be taken"""
+        new_connection = self.group_connection_type(source=self.source, identifier=group_id)
+
+        existing_connections = self.group_connection_type.objects.filter(
+            source=self.source, identifier=group_id
+        )
+        if existing_connections.exists():
+            return Action.LINK, existing_connections.first()
+        # No connection exists, but we match on identifier, so enroll
+        if self.source.group_matching_mode == SourceGroupMatchingModes.IDENTIFIER:
+            # We don't save the connection here cause it doesn't have a user assigned yet
+            return Action.ENROLL, new_connection
+
+        # Check for existing groups with matching attributes
+        query = Q()
+        if self.source.group_matching_mode in [
+            SourceGroupMatchingModes.NAME_LINK,
+            SourceGroupMatchingModes.NAME_DENY,
+        ]:
+            if not group_properties.get("name", None):
+                LOGGER.warning(
+                    "Refusing to use none group name", source=self.source, group_id=group_id
+                )
+                return Action.DENY, None
+            query = Q(name__exact=group_properties.get("name"))
+        LOGGER.debug(
+            "trying to link with existing group", source=self.source, query=query, group_id=group_id
+        )
+        matching_groups = Group.objects.filter(query)
+        # No matching groups, always enroll
+        if not matching_groups.exists():
+            LOGGER.debug(
+                "no matching groups found, enrolling", source=self.source, group_id=group_id
+            )
+            return Action.ENROLL, new_connection
+
+        group = matching_groups.first()
+        if self.source.group_matching_mode in [
+            SourceGroupMatchingModes.NAME_LINK,
+        ]:
+            new_connection.group = group
+            return Action.LINK, new_connection
+        if self.source.group_matching_mode in [
+            SourceGroupMatchingModes.NAME_DENY,
+        ]:
+            LOGGER.info(
+                "denying source because group exists",
+                source=self.source,
+                group=group,
+                group_id=group_id,
+            )
+            return Action.DENY, None
+        # Should never get here as default enroll case is returned above.
+        return Action.DENY, None  # pragma: no cover
+
+    def handle_group(
+        self, group_id: str, group_properties: dict[str, Any | dict[str, Any]]
+    ) -> Group | None:
+        action, connection = self.get_action(group_id, group_properties)
+        if action == Action.ENROLL:
+            group = Group.objects.create(**group_properties)
+            connection.group = group
+            connection.save()
+            return group
+        elif action == Action.LINK:
+            group = connection.group
+            group.update_attributes(group_properties)
+            connection.save()
+            return group
+
+        return None
+
+    def handle_groups(self) -> bool:
+        self.source: Source = self.executor.plan.context[PLAN_CONTEXT_SOURCE]
+        self.user: User = self.executor.plan.context[PLAN_CONTEXT_PENDING_USER]
+        self.group_connection_type: GroupSourceConnection = (
+            self.executor.current_stage.group_connection_type
+        )
+
+        raw_groups: dict[str, dict[str, Any | dict[str, Any]]] = self.executor.plan.context[
+            PLAN_CONTEXT_SOURCE_GROUPS
+        ]
+        groups: list[Group] = []
+
+        for group_id, group_properties in raw_groups.items():
+            group = self.handle_group(group_id, group_properties)
+            if not group:
+                return False
+            groups.append(group)
+
+        with transaction.atomic():
+            self.user.ak_groups.remove(
+                *self.user.ak_groups.filter(groupsourceconnection__source=self.source)
+            )
+            self.user.ak_groups.add(*groups)
+
+        return True
+
+    def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
+        """Stage used after the user has been enrolled to sync their groups from source data"""
+        if self.handle_groups():
+            return self.executor.stage_ok()
+        else:
+            return self.executor.stage_invalid("Failed to update groups. Please try again later.")
+
+    def post(self, request: HttpRequest) -> HttpResponse:
+        """Wrapper for post requests"""
+        return self.get(request)

authentik/core/sources/mapper.py

@@ -0,0 +1,103 @@
+from typing import Any
+
+from django.http import HttpRequest
+from structlog.stdlib import get_logger
+
+from authentik.core.expression.exceptions import PropertyMappingExpressionException
+from authentik.core.models import Group, PropertyMapping, Source, User
+from authentik.events.models import Event, EventAction
+from authentik.lib.merge import MERGE_LIST_UNIQUE
+from authentik.lib.sync.mapper import PropertyMappingManager
+from authentik.policies.utils import delete_none_values
+
+LOGGER = get_logger()
+
+
+class SourceMapper:
+    def __init__(self, source: Source):
+        self.source = source
+
+    def get_manager(
+        self, object_type: type[User | Group], context_keys: list[str]
+    ) -> PropertyMappingManager:
+        """Get property mapping manager for this source."""
+
+        qs = PropertyMapping.objects.none()
+        if object_type == User:
+            qs = self.source.user_property_mappings.all().select_subclasses()
+        elif object_type == Group:
+            qs = self.source.group_property_mappings.all().select_subclasses()
+        qs = qs.order_by("name")
+        return PropertyMappingManager(
+            qs,
+            self.source.property_mapping_type,
+            ["source", "properties"] + context_keys,
+        )
+
+    def get_base_properties(
+        self, object_type: type[User | Group], **kwargs
+    ) -> dict[str, Any | dict[str, Any]]:
+        """Get base properties for a user or a group to build final properties upon."""
+        if object_type == User:
+            properties = self.source.get_base_user_properties(**kwargs)
+            properties.setdefault("path", self.source.get_user_path())
+            return properties
+        if object_type == Group:
+            return self.source.get_base_group_properties(**kwargs)
+        return {}
+
+    def build_object_properties(
+        self,
+        object_type: type[User | Group],
+        manager: "PropertyMappingManager | None" = None,
+        user: User | None = None,
+        request: HttpRequest | None = None,
+        **kwargs,
+    ) -> dict[str, Any | dict[str, Any]]:
+        """Build a user or group properties from the source configured property mappings."""
+
+        properties = self.get_base_properties(object_type, **kwargs)
+        if "attributes" not in properties:
+            properties["attributes"] = {}
+
+        if not manager:
+            manager = self.get_manager(object_type, list(kwargs.keys()))
+        evaluations = manager.iter_eval(
+            user=user,
+            request=request,
+            return_mapping=True,
+            source=self.source,
+            properties=properties,
+            **kwargs,
+        )
+        while True:
+            try:
+                value, mapping = next(evaluations)
+            except StopIteration:
+                break
+            except PropertyMappingExpressionException as exc:
+                Event.new(
+                    EventAction.CONFIGURATION_ERROR,
+                    message=f"Failed to evaluate property mapping: '{exc.mapping.name}'",
+                    source=self,
+                    mapping=exc.mapping,
+                ).save()
+                LOGGER.warning(
+                    "Mapping failed to evaluate",
+                    exc=exc,
+                    source=self,
+                    mapping=exc.mapping,
+                )
+                raise exc
+
+            if not value or not isinstance(value, dict):
+                LOGGER.debug(
+                    "Mapping evaluated to None or is not a dict. Skipping",
+                    source=self,
+                    mapping=mapping,
+                )
+                continue
+
+            MERGE_LIST_UNIQUE.merge(properties, value)
+
+        return delete_none_values(properties)

authentik/core/templates/base/header_js.html

@@ -10,7 +10,7 @@
         versionSubdomain: "{{ version_subdomain }}",
         build: "{{ build }}",
     };
-    window.addEventListener("DOMContentLoaded", () => {
+    window.addEventListener("DOMContentLoaded", function () {
         {% for message in messages %}
         window.dispatchEvent(
             new CustomEvent("ak-message", {

authentik/core/templates/base/skeleton.html

@@ -1,9 +1,10 @@
 {% load static %}
 {% load i18n %}
+{% load authentik_core %}
 
 <!DOCTYPE html>
 
-<html lang="en">
+<html>
     <head>
         <meta charset="UTF-8">
         <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
@@ -14,8 +15,8 @@
         {% endblock %}
         <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">
         <link rel="stylesheet" type="text/css" href="{% static 'dist/custom.css' %}" data-inject>
-        <script src="{% static 'dist/poly.js' %}?version={{ version }}" type="module"></script>
-        <script src="{% static 'dist/standalone/loading/index.js' %}?version={{ version }}" type="module"></script>
+        {% versioned_script "dist/poly-%v.js" %}
+        {% versioned_script "dist/standalone/loading/index-%v.js" %}
         {% block head %}
         {% endblock %}
         <meta name="sentry-trace" content="{{ sentry_trace }}" />

authentik/core/templates/if/admin.html

@@ -1,9 +1,9 @@
 {% extends "base/skeleton.html" %}
 
-{% load static %}
+{% load authentik_core %}
 
 {% block head %}
-<script src="{% static 'dist/admin/AdminInterface.js' %}?version={{ version }}" type="module"></script>
+{% versioned_script "dist/admin/AdminInterface-%v.js" %}
 <meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)">
 <meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)">
 {% include "base/header_js.html" %}

authentik/core/templates/if/user.html

@@ -1,9 +1,9 @@
 {% extends "base/skeleton.html" %}
 
-{% load static %}
+{% load authentik_core %}
 
 {% block head %}
-<script src="{% static 'dist/user/UserInterface.js' %}?version={{ version }}" type="module"></script>
+{% versioned_script "dist/user/UserInterface-%v.js" %}
 <meta name="theme-color" content="#1c1e21" media="(prefers-color-scheme: light)">
 <meta name="theme-color" content="#1c1e21" media="(prefers-color-scheme: dark)">
 {% include "base/header_js.html" %}

authentik/core/templates/login/base_full.html

@@ -71,9 +71,9 @@
                 </li>
                 {% endfor %}
                 <li>
-                    <a href="https://goauthentik.io?utm_source=authentik">
+                    <span>
                         {% trans 'Powered by authentik' %}
-                    </a>
+                    </span>
                 </li>
             </ul>
         </footer>

authentik/core/templatetags/authentik_core.py

@@ -0,0 +1,21 @@
+"""authentik core tags"""
+
+from django import template
+from django.templatetags.static import static as static_loader
+from django.utils.safestring import mark_safe
+
+from authentik import get_full_version
+
+register = template.Library()
+
+
+@register.simple_tag()
+def versioned_script(path: str) -> str:
+    """Wrapper around {% static %} tag that supports setting the version"""
+    returned_lines = [
+        (
+            f'<script src="{static_loader(path.replace("%v", get_full_version()))}'
+            '" type="module"></script>'
+        ),
+    ]
+    return mark_safe("".join(returned_lines))  # nosec

authentik/core/tests/test_property_mapping.py

@@ -3,7 +3,10 @@
 from django.test import RequestFactory, TestCase
 from guardian.shortcuts import get_anonymous_user
 
-from authentik.core.expression.exceptions import PropertyMappingExpressionException
+from authentik.core.expression.exceptions import (
+    PropertyMappingExpressionException,
+    SkipObjectException,
+)
 from authentik.core.models import PropertyMapping
 from authentik.core.tests.utils import create_test_admin_user
 from authentik.events.models import Event, EventAction
@@ -42,6 +45,17 @@ class TestPropertyMappings(TestCase):
         self.assertTrue(events.exists())
         self.assertEqual(len(events), 1)
 
+    def test_expression_skip(self):
+        """Test expression error"""
+        expr = "raise SkipObject"
+        mapping = PropertyMapping.objects.create(name=generate_id(), expression=expr)
+        with self.assertRaises(SkipObjectException):
+            mapping.evaluate(None, None)
+        events = Event.objects.filter(
+            action=EventAction.PROPERTY_MAPPING_EXCEPTION, context__expression=expr
+        )
+        self.assertFalse(events.exists())
+
     def test_expression_error_extended(self):
         """Test expression error (with user and http request"""
         expr = "return aaa"

authentik/core/tests/test_source_flow_manager.py

@@ -38,7 +38,9 @@ class TestSourceFlowManager(TestCase):
     def test_unauthenticated_enroll(self):
         """Test un-authenticated user enrolling"""
         request = get_request("/", user=AnonymousUser())
-        flow_manager = OAuthSourceFlowManager(self.source, request, self.identifier, {})
+        flow_manager = OAuthSourceFlowManager(
+            self.source, request, self.identifier, {"info": {}}, {}
+        )
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.ENROLL)
         response = flow_manager.get_flow()
@@ -52,7 +54,9 @@ class TestSourceFlowManager(TestCase):
             user=get_anonymous_user(), source=self.source, identifier=self.identifier
         )
         request = get_request("/", user=AnonymousUser())
-        flow_manager = OAuthSourceFlowManager(self.source, request, self.identifier, {})
+        flow_manager = OAuthSourceFlowManager(
+            self.source, request, self.identifier, {"info": {}}, {}
+        )
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.AUTH)
         response = flow_manager.get_flow()
@@ -64,7 +68,9 @@ class TestSourceFlowManager(TestCase):
         """Test authenticated user linking"""
         user = User.objects.create(username="foo", email="foo@bar.baz")
         request = get_request("/", user=user)
-        flow_manager = OAuthSourceFlowManager(self.source, request, self.identifier, {})
+        flow_manager = OAuthSourceFlowManager(
+            self.source, request, self.identifier, {"info": {}}, {}
+        )
         action, connection = flow_manager.get_action()
         self.assertEqual(action, Action.LINK)
         self.assertIsNone(connection.pk)
@@ -77,7 +83,9 @@ class TestSourceFlowManager(TestCase):
 
     def test_unauthenticated_link(self):
         """Test un-authenticated user linking"""
-        flow_manager = OAuthSourceFlowManager(self.source, get_request("/"), self.identifier, {})
+        flow_manager = OAuthSourceFlowManager(
+            self.source, get_request("/"), self.identifier, {"info": {}}, {}
+        )
         action, connection = flow_manager.get_action()
         self.assertEqual(action, Action.LINK)
         self.assertIsNone(connection.pk)
@@ -90,7 +98,7 @@ class TestSourceFlowManager(TestCase):
 
         # Without email, deny
         flow_manager = OAuthSourceFlowManager(
-            self.source, get_request("/", user=AnonymousUser()), self.identifier, {}
+            self.source, get_request("/", user=AnonymousUser()), self.identifier, {"info": {}}, {}
         )
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.DENY)
@@ -100,7 +108,12 @@ class TestSourceFlowManager(TestCase):
             self.source,
             get_request("/", user=AnonymousUser()),
             self.identifier,
-            {"email": "foo@bar.baz"},
+            {
+                "info": {
+                    "email": "foo@bar.baz",
+                },
+            },
+            {},
         )
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.LINK)
@@ -113,7 +126,7 @@ class TestSourceFlowManager(TestCase):
 
         # Without username, deny
         flow_manager = OAuthSourceFlowManager(
-            self.source, get_request("/", user=AnonymousUser()), self.identifier, {}
+            self.source, get_request("/", user=AnonymousUser()), self.identifier, {"info": {}}, {}
         )
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.DENY)
@@ -123,7 +136,10 @@ class TestSourceFlowManager(TestCase):
             self.source,
             get_request("/", user=AnonymousUser()),
             self.identifier,
-            {"username": "foo"},
+            {
+                "info": {"username": "foo"},
+            },
+            {},
         )
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.LINK)
@@ -140,8 +156,11 @@ class TestSourceFlowManager(TestCase):
             get_request("/", user=AnonymousUser()),
             self.identifier,
             {
-                "username": "bar",
+                "info": {
+                    "username": "bar",
+                },
             },
+            {},
         )
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.ENROLL)
@@ -151,7 +170,10 @@ class TestSourceFlowManager(TestCase):
             self.source,
             get_request("/", user=AnonymousUser()),
             self.identifier,
-            {"username": "foo"},
+            {
+                "info": {"username": "foo"},
+            },
+            {},
         )
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.DENY)
@@ -165,7 +187,10 @@ class TestSourceFlowManager(TestCase):
             self.source,
             get_request("/", user=AnonymousUser()),
             self.identifier,
-            {"username": "foo"},
+            {
+                "info": {"username": "foo"},
+            },
+            {},
         )
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.ENROLL)
@@ -191,7 +216,10 @@ class TestSourceFlowManager(TestCase):
             self.source,
             get_request("/", user=AnonymousUser()),
             self.identifier,
-            {"username": "foo"},
+            {
+                "info": {"username": "foo"},
+            },
+            {},
         )
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.ENROLL)

authentik/core/tests/test_source_flow_manager_group_update_stage.py

@@ -0,0 +1,237 @@
+"""Test Source flow_manager group update stage"""
+
+from django.test import RequestFactory
+
+from authentik.core.models import Group, SourceGroupMatchingModes
+from authentik.core.sources.flow_manager import PLAN_CONTEXT_SOURCE_GROUPS, GroupUpdateStage
+from authentik.core.tests.utils import create_test_admin_user, create_test_flow
+from authentik.flows.models import in_memory_stage
+from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, PLAN_CONTEXT_SOURCE, FlowPlan
+from authentik.flows.tests import FlowTestCase
+from authentik.flows.views.executor import FlowExecutorView
+from authentik.lib.generators import generate_id
+from authentik.sources.oauth.models import GroupOAuthSourceConnection, OAuthSource
+
+
+class TestSourceFlowManager(FlowTestCase):
+    """Test Source flow_manager group update stage"""
+
+    def setUp(self) -> None:
+        super().setUp()
+        self.factory = RequestFactory()
+        self.authentication_flow = create_test_flow()
+        self.enrollment_flow = create_test_flow()
+        self.source: OAuthSource = OAuthSource.objects.create(
+            name=generate_id(),
+            slug=generate_id(),
+            authentication_flow=self.authentication_flow,
+            enrollment_flow=self.enrollment_flow,
+        )
+        self.identifier = generate_id()
+        self.user = create_test_admin_user()
+
+    def test_nonexistant_group(self):
+        request = self.factory.get("/")
+        stage = GroupUpdateStage(
+            FlowExecutorView(
+                current_stage=in_memory_stage(
+                    GroupUpdateStage, group_connection_type=GroupOAuthSourceConnection
+                ),
+                plan=FlowPlan(
+                    flow_pk=generate_id(),
+                    context={
+                        PLAN_CONTEXT_SOURCE: self.source,
+                        PLAN_CONTEXT_PENDING_USER: self.user,
+                        PLAN_CONTEXT_SOURCE_GROUPS: {
+                            "group 1": {
+                                "name": "group 1",
+                            },
+                        },
+                    },
+                ),
+            ),
+            request=request,
+        )
+        self.assertTrue(stage.handle_groups())
+        self.assertTrue(Group.objects.filter(name="group 1").exists())
+        self.assertTrue(self.user.ak_groups.filter(name="group 1").exists())
+        self.assertTrue(
+            GroupOAuthSourceConnection.objects.filter(
+                group=Group.objects.get(name="group 1"), source=self.source
+            ).exists()
+        )
+
+    def test_nonexistant_group_name_link(self):
+        self.source.group_matching_mode = SourceGroupMatchingModes.NAME_LINK
+        self.source.save()
+
+        request = self.factory.get("/")
+        stage = GroupUpdateStage(
+            FlowExecutorView(
+                current_stage=in_memory_stage(
+                    GroupUpdateStage, group_connection_type=GroupOAuthSourceConnection
+                ),
+                plan=FlowPlan(
+                    flow_pk=generate_id(),
+                    context={
+                        PLAN_CONTEXT_SOURCE: self.source,
+                        PLAN_CONTEXT_PENDING_USER: self.user,
+                        PLAN_CONTEXT_SOURCE_GROUPS: {
+                            "group 1": {
+                                "name": "group 1",
+                            },
+                        },
+                    },
+                ),
+            ),
+            request=request,
+        )
+        self.assertTrue(stage.handle_groups())
+        self.assertTrue(Group.objects.filter(name="group 1").exists())
+        self.assertTrue(self.user.ak_groups.filter(name="group 1").exists())
+        self.assertTrue(
+            GroupOAuthSourceConnection.objects.filter(
+                group=Group.objects.get(name="group 1"), source=self.source
+            ).exists()
+        )
+
+    def test_existant_group_name_link(self):
+        self.source.group_matching_mode = SourceGroupMatchingModes.NAME_LINK
+        self.source.save()
+        group = Group.objects.create(name="group 1")
+
+        request = self.factory.get("/")
+        stage = GroupUpdateStage(
+            FlowExecutorView(
+                current_stage=in_memory_stage(
+                    GroupUpdateStage, group_connection_type=GroupOAuthSourceConnection
+                ),
+                plan=FlowPlan(
+                    flow_pk=generate_id(),
+                    context={
+                        PLAN_CONTEXT_SOURCE: self.source,
+                        PLAN_CONTEXT_PENDING_USER: self.user,
+                        PLAN_CONTEXT_SOURCE_GROUPS: {
+                            "group 1": {
+                                "name": "group 1",
+                            },
+                        },
+                    },
+                ),
+            ),
+            request=request,
+        )
+        self.assertTrue(stage.handle_groups())
+        self.assertTrue(Group.objects.filter(name="group 1").exists())
+        self.assertTrue(self.user.ak_groups.filter(name="group 1").exists())
+        self.assertTrue(
+            GroupOAuthSourceConnection.objects.filter(group=group, source=self.source).exists()
+        )
+
+    def test_nonexistant_group_name_deny(self):
+        self.source.group_matching_mode = SourceGroupMatchingModes.NAME_DENY
+        self.source.save()
+
+        request = self.factory.get("/")
+        stage = GroupUpdateStage(
+            FlowExecutorView(
+                current_stage=in_memory_stage(
+                    GroupUpdateStage, group_connection_type=GroupOAuthSourceConnection
+                ),
+                plan=FlowPlan(
+                    flow_pk=generate_id(),
+                    context={
+                        PLAN_CONTEXT_SOURCE: self.source,
+                        PLAN_CONTEXT_PENDING_USER: self.user,
+                        PLAN_CONTEXT_SOURCE_GROUPS: {
+                            "group 1": {
+                                "name": "group 1",
+                            },
+                        },
+                    },
+                ),
+            ),
+            request=request,
+        )
+        self.assertTrue(stage.handle_groups())
+        self.assertTrue(Group.objects.filter(name="group 1").exists())
+        self.assertTrue(self.user.ak_groups.filter(name="group 1").exists())
+        self.assertTrue(
+            GroupOAuthSourceConnection.objects.filter(
+                group=Group.objects.get(name="group 1"), source=self.source
+            ).exists()
+        )
+
+    def test_existant_group_name_deny(self):
+        self.source.group_matching_mode = SourceGroupMatchingModes.NAME_DENY
+        self.source.save()
+        group = Group.objects.create(name="group 1")
+
+        request = self.factory.get("/")
+        stage = GroupUpdateStage(
+            FlowExecutorView(
+                current_stage=in_memory_stage(
+                    GroupUpdateStage, group_connection_type=GroupOAuthSourceConnection
+                ),
+                plan=FlowPlan(
+                    flow_pk=generate_id(),
+                    context={
+                        PLAN_CONTEXT_SOURCE: self.source,
+                        PLAN_CONTEXT_PENDING_USER: self.user,
+                        PLAN_CONTEXT_SOURCE_GROUPS: {
+                            "group 1": {
+                                "name": "group 1",
+                            },
+                        },
+                    },
+                ),
+            ),
+            request=request,
+        )
+        self.assertFalse(stage.handle_groups())
+        self.assertFalse(self.user.ak_groups.filter(name="group 1").exists())
+        self.assertFalse(
+            GroupOAuthSourceConnection.objects.filter(group=group, source=self.source).exists()
+        )
+
+    def test_group_updates(self):
+        self.source.group_matching_mode = SourceGroupMatchingModes.NAME_LINK
+        self.source.save()
+
+        other_group = Group.objects.create(name="other group")
+        old_group = Group.objects.create(name="old group")
+        new_group = Group.objects.create(name="new group")
+        self.user.ak_groups.set([other_group, old_group])
+        GroupOAuthSourceConnection.objects.create(
+            group=old_group, source=self.source, identifier=old_group.name
+        )
+        GroupOAuthSourceConnection.objects.create(
+            group=new_group, source=self.source, identifier=new_group.name
+        )
+
+        request = self.factory.get("/")
+        stage = GroupUpdateStage(
+            FlowExecutorView(
+                current_stage=in_memory_stage(
+                    GroupUpdateStage, group_connection_type=GroupOAuthSourceConnection
+                ),
+                plan=FlowPlan(
+                    flow_pk=generate_id(),
+                    context={
+                        PLAN_CONTEXT_SOURCE: self.source,
+                        PLAN_CONTEXT_PENDING_USER: self.user,
+                        PLAN_CONTEXT_SOURCE_GROUPS: {
+                            "new group": {
+                                "name": "new group",
+                            },
+                        },
+                    },
+                ),
+            ),
+            request=request,
+        )
+        self.assertTrue(stage.handle_groups())
+        self.assertFalse(self.user.ak_groups.filter(name="old group").exists())
+        self.assertTrue(self.user.ak_groups.filter(name="other group").exists())
+        self.assertTrue(self.user.ak_groups.filter(name="new group").exists())
+        self.assertEqual(self.user.ak_groups.count(), 2)

authentik/core/tests/test_source_property_mappings.py

@@ -0,0 +1,72 @@
+"""Test Source Property mappings"""
+
+from django.test import TestCase
+
+from authentik.core.models import Group, PropertyMapping, Source, User
+from authentik.core.sources.mapper import SourceMapper
+from authentik.lib.generators import generate_id
+
+
+class ProxySource(Source):
+    @property
+    def property_mapping_type(self):
+        return PropertyMapping
+
+    def get_base_user_properties(self, **kwargs):
+        return {
+            "username": kwargs.get("username", None),
+            "email": kwargs.get("email", "default@authentik"),
+        }
+
+    def get_base_group_properties(self, **kwargs):
+        return {"name": kwargs.get("name", None)}
+
+    class Meta:
+        proxy = True
+
+
+class TestSourcePropertyMappings(TestCase):
+    """Test Source PropertyMappings"""
+
+    def test_base_properties(self):
+        source = ProxySource.objects.create(name=generate_id(), slug=generate_id(), enabled=True)
+        mapper = SourceMapper(source)
+
+        user_base_properties = mapper.get_base_properties(User, username="test1")
+        self.assertEqual(
+            user_base_properties,
+            {
+                "username": "test1",
+                "email": "default@authentik",
+                "path": f"goauthentik.io/sources/{source.slug}",
+            },
+        )
+
+        group_base_properties = mapper.get_base_properties(Group)
+        self.assertEqual(group_base_properties, {"name": None})
+
+    def test_build_properties(self):
+        source = ProxySource.objects.create(name=generate_id(), slug=generate_id(), enabled=True)
+        mapper = SourceMapper(source)
+
+        source.user_property_mappings.add(
+            PropertyMapping.objects.create(
+                name=generate_id(),
+                expression="""
+                    return {"username": data.get("username", None), "email": None}
+                """,
+            )
+        )
+
+        properties = mapper.build_object_properties(
+            object_type=User, user=None, request=None, username="test1", data={"username": "test2"}
+        )
+
+        self.assertEqual(
+            properties,
+            {
+                "username": "test2",
+                "path": f"goauthentik.io/sources/{source.slug}",
+                "attributes": {},
+            },
+        )

authentik/core/tests/test_token_api.py

@@ -13,9 +13,8 @@ from authentik.core.models import (
     USER_ATTRIBUTE_TOKEN_MAXIMUM_LIFETIME,
     Token,
     TokenIntents,
-    User,
 )
-from authentik.core.tests.utils import create_test_admin_user
+from authentik.core.tests.utils import create_test_admin_user, create_test_user
 from authentik.lib.generators import generate_id
 
 
@@ -24,7 +23,7 @@ class TestTokenAPI(APITestCase):
 
     def setUp(self) -> None:
         super().setUp()
-        self.user = User.objects.create(username="testuser")
+        self.user = create_test_user()
         self.admin = create_test_admin_user()
         self.client.force_login(self.user)
 
@@ -154,6 +153,24 @@ class TestTokenAPI(APITestCase):
         self.assertEqual(token.expiring, True)
         self.assertNotEqual(token.expires.timestamp(), expires.timestamp())
 
+    def test_token_change_user(self):
+        """Test creating a token and then changing the user"""
+        ident = generate_id()
+        response = self.client.post(reverse("authentik_api:token-list"), {"identifier": ident})
+        self.assertEqual(response.status_code, 201)
+        token = Token.objects.get(identifier=ident)
+        self.assertEqual(token.user, self.user)
+        self.assertEqual(token.intent, TokenIntents.INTENT_API)
+        self.assertEqual(token.expiring, True)
+        self.assertTrue(self.user.has_perm("authentik_core.view_token_key", token))
+        response = self.client.put(
+            reverse("authentik_api:token-detail", kwargs={"identifier": ident}),
+            data={"identifier": "user_token_poc_v3", "intent": "api", "user": self.admin.pk},
+        )
+        self.assertEqual(response.status_code, 400)
+        token.refresh_from_db()
+        self.assertEqual(token.user, self.user)
+
     def test_list(self):
         """Test Token List (Test normal authentication)"""
         Token.objects.all().delete()

authentik/core/urls.py

@@ -6,7 +6,6 @@ from django.conf import settings
 from django.contrib.auth.decorators import login_required
 from django.urls import path
 from django.views.decorators.csrf import ensure_csrf_cookie
-from django.views.generic import RedirectView
 
 from authentik.core.api.applications import ApplicationViewSet
 from authentik.core.api.authenticated_sessions import AuthenticatedSessionViewSet
@@ -18,10 +17,15 @@ from authentik.core.api.sources import SourceViewSet, UserSourceConnectionViewSe
 from authentik.core.api.tokens import TokenViewSet
 from authentik.core.api.transactional_applications import TransactionalApplicationView
 from authentik.core.api.users import UserViewSet
-from authentik.core.views import apps
+from authentik.core.views.apps import RedirectToAppLaunch
 from authentik.core.views.debug import AccessDeniedView
-from authentik.core.views.interface import FlowInterfaceView, InterfaceView
+from authentik.core.views.interface import (
+    BrandDefaultRedirectView,
+    InterfaceView,
+    RootRedirectView,
+)
 from authentik.core.views.session import EndSessionView
+from authentik.flows.views.interface import FlowInterfaceView
 from authentik.root.asgi_middleware import SessionMiddleware
 from authentik.root.messages.consumer import MessageConsumer
 from authentik.root.middleware import ChannelsLoggingMiddleware
@@ -29,30 +33,30 @@ from authentik.root.middleware import ChannelsLoggingMiddleware
 urlpatterns = [
     path(
         "",
-        login_required(
-            RedirectView.as_view(pattern_name="authentik_core:if-user", query_string=True)
-        ),
+        login_required(RootRedirectView.as_view()),
         name="root-redirect",
     ),
     path(
-        # We have to use this format since everything else uses applications/o or applications/saml
+        # We have to use this format since everything else uses application/o or application/saml
         "application/launch/<slug:application_slug>/",
-        apps.RedirectToAppLaunch.as_view(),
+        RedirectToAppLaunch.as_view(),
         name="application-launch",
     ),
     # Interfaces
     path(
         "if/admin/",
-        ensure_csrf_cookie(InterfaceView.as_view(template_name="if/admin.html")),
+        ensure_csrf_cookie(BrandDefaultRedirectView.as_view(template_name="if/admin.html")),
         name="if-admin",
     ),
     path(
         "if/user/",
-        ensure_csrf_cookie(InterfaceView.as_view(template_name="if/user.html")),
+        ensure_csrf_cookie(BrandDefaultRedirectView.as_view(template_name="if/user.html")),
         name="if-user",
     ),
     path(
         "if/flow/<slug:flow_slug>/",
+        # FIXME: move this url to the flows app...also will cause all
+        # of the reverse calls to be adjusted
         ensure_csrf_cookie(FlowInterfaceView.as_view()),
         name="if-flow",
     ),

authentik/core/views/apps.py

@@ -8,7 +8,6 @@ from django.views import View
 from authentik.core.models import Application
 from authentik.flows.challenge import (
     ChallengeResponse,
-    ChallengeTypes,
     HttpChallengeResponse,
     RedirectChallenge,
 )
@@ -74,7 +73,6 @@ class RedirectToAppStage(ChallengeStageView):
             raise Http404
         return RedirectChallenge(
             instance={
-                "type": ChallengeTypes.REDIRECT.value,
                 "to": launch,
             }
         )

authentik/core/views/interface.py

@@ -3,15 +3,42 @@
 from json import dumps
 from typing import Any
 
-from django.shortcuts import get_object_or_404
-from django.views.generic.base import TemplateView
+from django.http import HttpRequest
+from django.http.response import HttpResponse
+from django.shortcuts import redirect
+from django.utils.translation import gettext as _
+from django.views.generic.base import RedirectView, TemplateView
 from rest_framework.request import Request
 
 from authentik import get_build_hash
 from authentik.admin.tasks import LOCAL_VERSION
 from authentik.api.v3.config import ConfigView
 from authentik.brands.api import CurrentBrandSerializer
-from authentik.flows.models import Flow
+from authentik.brands.models import Brand
+from authentik.core.models import UserTypes
+from authentik.policies.denied import AccessDeniedResponse
+
+
+class RootRedirectView(RedirectView):
+    """Root redirect view, redirect to brand's default application if set"""
+
+    pattern_name = "authentik_core:if-user"
+    query_string = True
+
+    def redirect_to_app(self, request: HttpRequest):
+        if request.user.is_authenticated and request.user.type == UserTypes.EXTERNAL:
+            brand: Brand = request.brand
+            if brand.default_application:
+                return redirect(
+                    "authentik_core:application-launch",
+                    application_slug=brand.default_application.slug,
+                )
+        return None
+
+    def dispatch(self, request: HttpRequest, *args: Any, **kwargs: Any) -> HttpResponse:
+        if redirect_response := RootRedirectView().redirect_to_app(request):
+            return redirect_response
+        return super().dispatch(request, *args, **kwargs)
 
 
 class InterfaceView(TemplateView):
@@ -27,12 +54,18 @@ class InterfaceView(TemplateView):
         return super().get_context_data(**kwargs)
 
 
-class FlowInterfaceView(InterfaceView):
-    """Flow interface"""
+class BrandDefaultRedirectView(InterfaceView):
+    """By default redirect to default app"""
 
-    template_name = "if/flow.html"
-
-    def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
-        kwargs["flow"] = get_object_or_404(Flow, slug=self.kwargs.get("flow_slug"))
-        kwargs["inspector"] = "inspector" in self.request.GET
-        return super().get_context_data(**kwargs)
+    def dispatch(self, request: HttpRequest, *args: Any, **kwargs: Any) -> HttpResponse:
+        if request.user.is_authenticated and request.user.type == UserTypes.EXTERNAL:
+            brand: Brand = request.brand
+            if brand.default_application:
+                return redirect(
+                    "authentik_core:application-launch",
+                    application_slug=brand.default_application.slug,
+                )
+            response = AccessDeniedResponse(self.request)
+            response.error_message = _("Interface can only be accessed by internal users.")
+            return response
+        return super().dispatch(request, *args, **kwargs)

authentik/crypto/api.py

@@ -24,18 +24,18 @@ from rest_framework.fields import (
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger
 
 from authentik.api.authorization import SecretKeyFilter
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import PassiveSerializer
+from authentik.core.api.utils import ModelSerializer, PassiveSerializer
 from authentik.crypto.apps import MANAGED_KEY
 from authentik.crypto.builder import CertificateBuilder, PrivateKeyAlg
 from authentik.crypto.models import CertificateKeyPair
 from authentik.events.models import Event, EventAction
 from authentik.rbac.decorators import permission_required
+from authentik.rbac.filters import ObjectFilter
 
 LOGGER = get_logger()
 
@@ -266,7 +266,7 @@ class CertificateKeyPairViewSet(UsedByMixin, ModelViewSet):
         ],
         responses={200: CertificateDataSerializer(many=False)},
     )
-    @action(detail=True, pagination_class=None, filter_backends=[])
+    @action(detail=True, pagination_class=None, filter_backends=[ObjectFilter])
     def view_certificate(self, request: Request, pk: str) -> Response:
         """Return certificate-key pairs certificate and log access"""
         certificate: CertificateKeyPair = self.get_object()
@@ -296,7 +296,7 @@ class CertificateKeyPairViewSet(UsedByMixin, ModelViewSet):
         ],
         responses={200: CertificateDataSerializer(many=False)},
     )
-    @action(detail=True, pagination_class=None, filter_backends=[])
+    @action(detail=True, pagination_class=None, filter_backends=[ObjectFilter])
     def view_private_key(self, request: Request, pk: str) -> Response:
         """Return certificate-key pairs private key and log access"""
         certificate: CertificateKeyPair = self.get_object()

authentik/crypto/builder.py

@@ -76,7 +76,7 @@ class CertificateBuilder:
             .subject_name(
                 x509.Name(
                     [
-                        x509.NameAttribute(NameOID.COMMON_NAME, self.common_name),
+                        x509.NameAttribute(NameOID.COMMON_NAME, self.common_name[:64]),
                         x509.NameAttribute(NameOID.ORGANIZATION_NAME, "authentik"),
                         x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, "Self-signed"),
                     ]

authentik/crypto/tests.py

@@ -214,6 +214,46 @@ class TestCrypto(APITestCase):
         self.assertEqual(200, response.status_code)
         self.assertIn("Content-Disposition", response)
 
+    def test_certificate_download_denied(self):
+        """Test certificate export (download)"""
+        self.client.logout()
+        keypair = create_test_cert()
+        response = self.client.get(
+            reverse(
+                "authentik_api:certificatekeypair-view-certificate",
+                kwargs={"pk": keypair.pk},
+            )
+        )
+        self.assertEqual(403, response.status_code)
+        response = self.client.get(
+            reverse(
+                "authentik_api:certificatekeypair-view-certificate",
+                kwargs={"pk": keypair.pk},
+            ),
+            data={"download": True},
+        )
+        self.assertEqual(403, response.status_code)
+
+    def test_private_key_download_denied(self):
+        """Test private_key export (download)"""
+        self.client.logout()
+        keypair = create_test_cert()
+        response = self.client.get(
+            reverse(
+                "authentik_api:certificatekeypair-view-private-key",
+                kwargs={"pk": keypair.pk},
+            )
+        )
+        self.assertEqual(403, response.status_code)
+        response = self.client.get(
+            reverse(
+                "authentik_api:certificatekeypair-view-private-key",
+                kwargs={"pk": keypair.pk},
+            ),
+            data={"download": True},
+        )
+        self.assertEqual(403, response.status_code)
+
     def test_used_by(self):
         """Test used_by endpoint"""
         self.client.force_login(create_test_admin_user())
@@ -246,6 +286,26 @@ class TestCrypto(APITestCase):
             ],
         )
 
+    def test_used_by_denied(self):
+        """Test used_by endpoint"""
+        self.client.logout()
+        keypair = create_test_cert()
+        OAuth2Provider.objects.create(
+            name=generate_id(),
+            client_id="test",
+            client_secret=generate_key(),
+            authorization_flow=create_test_flow(),
+            redirect_uris="http://localhost",
+            signing_key=keypair,
+        )
+        response = self.client.get(
+            reverse(
+                "authentik_api:certificatekeypair-used-by",
+                kwargs={"pk": keypair.pk},
+            )
+        )
+        self.assertEqual(403, response.status_code)
+
     def test_discovery(self):
         """Test certificate discovery"""
         name = generate_id()

authentik/enterprise/api.py

@@ -1,26 +1,24 @@
 """Enterprise API Views"""
 
-from dataclasses import asdict
 from datetime import timedelta
 
 from django.utils.timezone import now
 from django.utils.translation import gettext as _
 from drf_spectacular.types import OpenApiTypes
-from drf_spectacular.utils import extend_schema, inline_serializer
+from drf_spectacular.utils import OpenApiParameter, extend_schema, inline_serializer
 from rest_framework.decorators import action
 from rest_framework.exceptions import ValidationError
 from rest_framework.fields import CharField, IntegerField
 from rest_framework.permissions import IsAuthenticated
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet
 
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import PassiveSerializer
+from authentik.core.api.utils import ModelSerializer, PassiveSerializer
 from authentik.core.models import User, UserTypes
 from authentik.enterprise.license import LicenseKey, LicenseSummarySerializer
-from authentik.enterprise.models import License
+from authentik.enterprise.models import License, LicenseUsageStatus
 from authentik.rbac.decorators import permission_required
 from authentik.tenants.utils import get_unique_identifier
 
@@ -31,7 +29,7 @@ class EnterpriseRequiredMixin:
 
     def validate(self, attrs: dict) -> dict:
         """Check that a valid license exists"""
-        if not LicenseKey.cached_summary().has_license:
+        if LicenseKey.cached_summary().status != LicenseUsageStatus.UNLICENSED:
             raise ValidationError(_("Enterprise is required to create/update this object."))
         return super().validate(attrs)
 
@@ -88,7 +86,7 @@ class LicenseViewSet(UsedByMixin, ModelViewSet):
         },
     )
     @action(detail=False, methods=["GET"])
-    def get_install_id(self, request: Request) -> Response:
+    def install_id(self, request: Request) -> Response:
         """Get install_id"""
         return Response(
             data={
@@ -101,12 +99,22 @@ class LicenseViewSet(UsedByMixin, ModelViewSet):
         responses={
             200: LicenseSummarySerializer(),
         },
+        parameters=[
+            OpenApiParameter(
+                name="cached",
+                location=OpenApiParameter.QUERY,
+                type=OpenApiTypes.BOOL,
+                default=True,
+            )
+        ],
     )
     @action(detail=False, methods=["GET"], permission_classes=[IsAuthenticated])
     def summary(self, request: Request) -> Response:
         """Get the total license status"""
-        response = LicenseSummarySerializer(data=asdict(LicenseKey.cached_summary()))
-        response.is_valid(raise_exception=True)
+        summary = LicenseKey.cached_summary()
+        if request.query_params.get("cached", "true").lower() == "false":
+            summary = LicenseKey.get_total().summary()
+        response = LicenseSummarySerializer(instance=summary)
         return Response(response.data)
 
     @permission_required(None, ["authentik_enterprise.view_license"])
@@ -129,7 +137,7 @@ class LicenseViewSet(UsedByMixin, ModelViewSet):
         forecast_for_months = 12
         response = LicenseForecastSerializer(
             data={
-                "internal_users": LicenseKey.get_default_user_count(),
+                "internal_users": LicenseKey.get_internal_user_count(),
                 "external_users": LicenseKey.get_external_user_count(),
                 "forecasted_internal_users": (internal_in_last_month * forecast_for_months),
                 "forecasted_external_users": (external_in_last_month * forecast_for_months),

authentik/enterprise/apps.py

@@ -25,4 +25,4 @@ class AuthentikEnterpriseConfig(EnterpriseConfig):
         """Actual enterprise check, cached"""
         from authentik.enterprise.license import LicenseKey
 
-        return LicenseKey.cached_summary().valid
+        return LicenseKey.cached_summary().status

authentik/enterprise/license.py

@@ -3,24 +3,37 @@
 from base64 import b64decode
 from binascii import Error
 from dataclasses import asdict, dataclass, field
-from datetime import datetime, timedelta
+from datetime import UTC, datetime, timedelta
 from enum import Enum
 from functools import lru_cache
 from time import mktime
 
 from cryptography.exceptions import InvalidSignature
 from cryptography.x509 import Certificate, load_der_x509_certificate, load_pem_x509_certificate
-from dacite import from_dict
+from dacite import DaciteError, from_dict
 from django.core.cache import cache
 from django.db.models.query import QuerySet
 from django.utils.timezone import now
 from jwt import PyJWTError, decode, get_unverified_header
 from rest_framework.exceptions import ValidationError
-from rest_framework.fields import BooleanField, DateTimeField, IntegerField
+from rest_framework.fields import (
+    ChoiceField,
+    DateTimeField,
+    IntegerField,
+    ListField,
+)
 
 from authentik.core.api.utils import PassiveSerializer
 from authentik.core.models import User, UserTypes
-from authentik.enterprise.models import License, LicenseUsage
+from authentik.enterprise.models import (
+    THRESHOLD_READ_ONLY_WEEKS,
+    THRESHOLD_WARNING_ADMIN_WEEKS,
+    THRESHOLD_WARNING_EXPIRY_WEEKS,
+    THRESHOLD_WARNING_USER_WEEKS,
+    License,
+    LicenseUsage,
+    LicenseUsageStatus,
+)
 from authentik.tenants.utils import get_unique_identifier
 
 CACHE_KEY_ENTERPRISE_LICENSE = "goauthentik.io/enterprise/license"
@@ -42,6 +55,9 @@ def get_license_aud() -> str:
 class LicenseFlags(Enum):
     """License flags"""
 
+    TRIAL = "trial"
+    NON_PRODUCTION = "non_production"
+
 
 @dataclass
 class LicenseSummary:
@@ -49,12 +65,9 @@ class LicenseSummary:
 
     internal_users: int
     external_users: int
-    valid: bool
-    show_admin_warning: bool
-    show_user_warning: bool
-    read_only: bool
+    status: LicenseUsageStatus
     latest_valid: datetime
-    has_license: bool
+    license_flags: list[LicenseFlags]
 
 
 class LicenseSummarySerializer(PassiveSerializer):
@@ -62,12 +75,9 @@ class LicenseSummarySerializer(PassiveSerializer):
 
     internal_users = IntegerField(required=True)
     external_users = IntegerField(required=True)
-    valid = BooleanField()
-    show_admin_warning = BooleanField()
-    show_user_warning = BooleanField()
-    read_only = BooleanField()
+    status = ChoiceField(choices=LicenseUsageStatus.choices)
     latest_valid = DateTimeField()
-    has_license = BooleanField()
+    license_flags = ListField(child=ChoiceField(choices=tuple(x.value for x in LicenseFlags)))
 
 
 @dataclass
@@ -80,10 +90,10 @@ class LicenseKey:
     name: str
     internal_users: int = 0
     external_users: int = 0
-    flags: list[LicenseFlags] = field(default_factory=list)
+    license_flags: list[LicenseFlags] = field(default_factory=list)
 
     @staticmethod
-    def validate(jwt: str) -> "LicenseKey":
+    def validate(jwt: str, check_expiry=True) -> "LicenseKey":
         """Validate the license from a given JWT"""
         try:
             headers = get_unverified_header(jwt)
@@ -107,6 +117,7 @@ class LicenseKey:
                     our_cert.public_key(),
                     algorithms=["ES512"],
                     audience=get_license_aud(),
+                    options={"verify_exp": check_expiry},
                 ),
             )
         except PyJWTError:
@@ -116,17 +127,15 @@ class LicenseKey:
     @staticmethod
     def get_total() -> "LicenseKey":
         """Get a summarized version of all (not expired) licenses"""
-        active_licenses = License.objects.filter(expiry__gte=now())
         total = LicenseKey(get_license_aud(), 0, "Summarized license", 0, 0)
-        for lic in active_licenses:
+        for lic in License.objects.all():
             total.internal_users += lic.internal_users
             total.external_users += lic.external_users
             exp_ts = int(mktime(lic.expiry.timetuple()))
             if total.exp == 0:
                 total.exp = exp_ts
-            if exp_ts <= total.exp:
-                total.exp = exp_ts
-            total.flags.extend(lic.status.flags)
+            total.exp = min(total.exp, exp_ts)
+            total.license_flags.extend(lic.status.license_flags)
         return total
 
     @staticmethod
@@ -135,7 +144,7 @@ class LicenseKey:
         return User.objects.all().exclude_anonymous().exclude(is_active=False)
 
     @staticmethod
-    def get_default_user_count():
+    def get_internal_user_count():
         """Get current default user count"""
         return LicenseKey.base_user_qs().filter(type=UserTypes.INTERNAL).count()
 
@@ -144,59 +153,73 @@ class LicenseKey:
         """Get current external user count"""
         return LicenseKey.base_user_qs().filter(type=UserTypes.EXTERNAL).count()
 
-    def is_valid(self) -> bool:
-        """Check if the given license body covers all users
+    def _last_valid_date(self):
+        last_valid_date = (
+            LicenseUsage.objects.order_by("-record_date")
+            .filter(status=LicenseUsageStatus.VALID)
+            .first()
+        )
+        if not last_valid_date:
+            return datetime.fromtimestamp(0, UTC)
+        return last_valid_date.record_date
 
-        Only checks the current count, no historical data is checked"""
-        default_users = self.get_default_user_count()
-        if default_users > self.internal_users:
-            return False
-        active_users = self.get_external_user_count()
-        if active_users > self.external_users:
-            return False
-        return True
+    def status(self) -> LicenseUsageStatus:
+        """Check if the given license body covers all users, and is valid."""
+        last_valid = self._last_valid_date()
+        if self.exp == 0 and not License.objects.exists():
+            return LicenseUsageStatus.UNLICENSED
+        _now = now()
+        # Check limit-exceeded based status
+        internal_users = self.get_internal_user_count()
+        external_users = self.get_external_user_count()
+        if internal_users > self.internal_users or external_users > self.external_users:
+            if last_valid < _now - timedelta(weeks=THRESHOLD_READ_ONLY_WEEKS):
+                return LicenseUsageStatus.READ_ONLY
+            if last_valid < _now - timedelta(weeks=THRESHOLD_WARNING_USER_WEEKS):
+                return LicenseUsageStatus.LIMIT_EXCEEDED_USER
+            if last_valid < _now - timedelta(weeks=THRESHOLD_WARNING_ADMIN_WEEKS):
+                return LicenseUsageStatus.LIMIT_EXCEEDED_ADMIN
+        # Check expiry based status
+        if datetime.fromtimestamp(self.exp, UTC) < _now:
+            if datetime.fromtimestamp(self.exp, UTC) < _now - timedelta(
+                weeks=THRESHOLD_READ_ONLY_WEEKS
+            ):
+                return LicenseUsageStatus.READ_ONLY
+            return LicenseUsageStatus.EXPIRED
+        # Expiry warning
+        if datetime.fromtimestamp(self.exp, UTC) <= _now + timedelta(
+            weeks=THRESHOLD_WARNING_EXPIRY_WEEKS
+        ):
+            return LicenseUsageStatus.EXPIRY_SOON
+        return LicenseUsageStatus.VALID
 
     def record_usage(self):
         """Capture the current validity status and metrics and save them"""
         threshold = now() - timedelta(hours=8)
-        if not LicenseUsage.objects.filter(record_date__gte=threshold).exists():
-            LicenseUsage.objects.create(
-                user_count=self.get_default_user_count(),
+        usage = (
+            LicenseUsage.objects.order_by("-record_date").filter(record_date__gte=threshold).first()
+        )
+        if not usage:
+            usage = LicenseUsage.objects.create(
+                internal_user_count=self.get_internal_user_count(),
                 external_user_count=self.get_external_user_count(),
-                within_limits=self.is_valid(),
+                status=self.status(),
             )
         summary = asdict(self.summary())
         # Also cache the latest summary for the middleware
         cache.set(CACHE_KEY_ENTERPRISE_LICENSE, summary, timeout=CACHE_EXPIRY_ENTERPRISE_LICENSE)
-        return summary
-
-    @staticmethod
-    def last_valid_date() -> datetime:
-        """Get the last date the license was valid"""
-        usage: LicenseUsage = (
-            LicenseUsage.filter_not_expired(within_limits=True).order_by("-record_date").first()
-        )
-        if not usage:
-            return now()
-        return usage.record_date
+        return usage
 
     def summary(self) -> LicenseSummary:
         """Summary of license status"""
-        has_license = License.objects.all().count() > 0
-        last_valid = LicenseKey.last_valid_date()
-        show_admin_warning = last_valid < now() - timedelta(weeks=2)
-        show_user_warning = last_valid < now() - timedelta(weeks=4)
-        read_only = last_valid < now() - timedelta(weeks=6)
+        status = self.status()
         latest_valid = datetime.fromtimestamp(self.exp)
         return LicenseSummary(
-            show_admin_warning=show_admin_warning and has_license,
-            show_user_warning=show_user_warning and has_license,
-            read_only=read_only and has_license,
             latest_valid=latest_valid,
             internal_users=self.internal_users,
             external_users=self.external_users,
-            valid=self.is_valid(),
-            has_license=has_license,
+            status=status,
+            license_flags=self.license_flags,
         )
 
     @staticmethod
@@ -205,4 +228,8 @@ class LicenseKey:
         summary = cache.get(CACHE_KEY_ENTERPRISE_LICENSE)
         if not summary:
             return LicenseKey.get_total().summary()
-        return from_dict(LicenseSummary, summary)
+        try:
+            return from_dict(LicenseSummary, summary)
+        except DaciteError:
+            cache.delete(CACHE_KEY_ENTERPRISE_LICENSE)
+            return LicenseKey.get_total().summary()

authentik/enterprise/middleware.py

@@ -8,6 +8,7 @@ from structlog.stdlib import BoundLogger, get_logger
 
 from authentik.enterprise.api import LicenseViewSet
 from authentik.enterprise.license import LicenseKey
+from authentik.enterprise.models import LicenseUsageStatus
 from authentik.flows.views.executor import FlowExecutorView
 from authentik.lib.utils.reflection import class_to_path
 
@@ -43,7 +44,7 @@ class EnterpriseMiddleware:
         cached_status = LicenseKey.cached_summary()
         if not cached_status:
             return True
-        if cached_status.read_only:
+        if cached_status.status == LicenseUsageStatus.READ_ONLY:
             return False
         return True
 
@@ -53,10 +54,10 @@ class EnterpriseMiddleware:
         if request.method.lower() in ["get", "head", "options", "trace"]:
             return True
         # Always allow requests to manage licenses
-        if class_to_path(request.resolver_match.func) == class_to_path(LicenseViewSet):
+        if request.resolver_match._func_path == class_to_path(LicenseViewSet):
             return True
         # Flow executor is mounted as an API path but explicitly allowed
-        if class_to_path(request.resolver_match.func) == class_to_path(FlowExecutorView):
+        if request.resolver_match._func_path == class_to_path(FlowExecutorView):
             return True
         # Only apply these restrictions to the API
         if "authentik_api" not in request.resolver_match.app_names:

authentik/enterprise/migrations/0003_remove_licenseusage_within_limits_and_more.py

@@ -0,0 +1,68 @@
+# Generated by Django 5.0.8 on 2024-08-08 14:15
+
+from django.db import migrations, models
+from django.apps.registry import Apps
+from django.db.backends.base.schema import BaseDatabaseSchemaEditor
+
+
+def migrate_license_usage(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
+    LicenseUsage = apps.get_model("authentik_enterprise", "licenseusage")
+    db_alias = schema_editor.connection.alias
+
+    for usage in LicenseUsage.objects.using(db_alias).all():
+        usage.status = "valid" if usage.within_limits else "limit_exceeded_admin"
+        usage.save()
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_enterprise", "0002_rename_users_license_internal_users_and_more"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="licenseusage",
+            name="status",
+            field=models.TextField(
+                choices=[
+                    ("unlicensed", "Unlicensed"),
+                    ("valid", "Valid"),
+                    ("expired", "Expired"),
+                    ("expiry_soon", "Expiry Soon"),
+                    ("limit_exceeded_admin", "Limit Exceeded Admin"),
+                    ("limit_exceeded_user", "Limit Exceeded User"),
+                    ("read_only", "Read Only"),
+                ],
+                default=None,
+                null=True,
+            ),
+            preserve_default=False,
+        ),
+        migrations.RunPython(migrate_license_usage),
+        migrations.RemoveField(
+            model_name="licenseusage",
+            name="within_limits",
+        ),
+        migrations.AlterField(
+            model_name="licenseusage",
+            name="status",
+            field=models.TextField(
+                choices=[
+                    ("unlicensed", "Unlicensed"),
+                    ("valid", "Valid"),
+                    ("expired", "Expired"),
+                    ("expiry_soon", "Expiry Soon"),
+                    ("limit_exceeded_admin", "Limit Exceeded Admin"),
+                    ("limit_exceeded_user", "Limit Exceeded User"),
+                    ("read_only", "Read Only"),
+                ],
+            ),
+            preserve_default=False,
+        ),
+        migrations.RenameField(
+            model_name="licenseusage",
+            old_name="user_count",
+            new_name="internal_user_count",
+        ),
+    ]

authentik/enterprise/models.py

@@ -17,6 +17,17 @@ if TYPE_CHECKING:
     from authentik.enterprise.license import LicenseKey
 
 
+def usage_expiry():
+    """Keep license usage records for 3 months"""
+    return now() + timedelta(days=30 * 3)
+
+
+THRESHOLD_WARNING_ADMIN_WEEKS = 2
+THRESHOLD_WARNING_USER_WEEKS = 4
+THRESHOLD_WARNING_EXPIRY_WEEKS = 2
+THRESHOLD_READ_ONLY_WEEKS = 6
+
+
 class License(SerializerModel):
     """An authentik enterprise license"""
 
@@ -39,7 +50,7 @@ class License(SerializerModel):
         """Get parsed license status"""
         from authentik.enterprise.license import LicenseKey
 
-        return LicenseKey.validate(self.key)
+        return LicenseKey.validate(self.key, check_expiry=False)
 
     class Meta:
         indexes = (HashIndex(fields=("key",)),)
@@ -47,9 +58,23 @@ class License(SerializerModel):
         verbose_name_plural = _("Licenses")
 
 
-def usage_expiry():
-    """Keep license usage records for 3 months"""
-    return now() + timedelta(days=30 * 3)
+class LicenseUsageStatus(models.TextChoices):
+    """License states an instance/tenant can be in"""
+
+    UNLICENSED = "unlicensed"
+    VALID = "valid"
+    EXPIRED = "expired"
+    EXPIRY_SOON = "expiry_soon"
+    # User limit exceeded, 2 week threshold, show message in admin interface
+    LIMIT_EXCEEDED_ADMIN = "limit_exceeded_admin"
+    # User limit exceeded, 4 week threshold, show message in user interface
+    LIMIT_EXCEEDED_USER = "limit_exceeded_user"
+    READ_ONLY = "read_only"
+
+    @property
+    def is_valid(self) -> bool:
+        """Quickly check if a license is valid"""
+        return self in [LicenseUsageStatus.VALID, LicenseUsageStatus.EXPIRY_SOON]
 
 
 class LicenseUsage(ExpiringModel):
@@ -59,9 +84,9 @@ class LicenseUsage(ExpiringModel):
 
     usage_uuid = models.UUIDField(primary_key=True, editable=False, default=uuid4)
 
-    user_count = models.BigIntegerField()
+    internal_user_count = models.BigIntegerField()
     external_user_count = models.BigIntegerField()
-    within_limits = models.BooleanField()
+    status = models.TextField(choices=LicenseUsageStatus.choices)
 
     record_date = models.DateTimeField(auto_now_add=True)
 

authentik/enterprise/policy.py

@@ -13,7 +13,7 @@ class EnterprisePolicyAccessView(PolicyAccessView):
 
     def check_license(self):
         """Check license"""
-        if not LicenseKey.get_total().is_valid():
+        if not LicenseKey.get_total().status().is_valid:
             return PolicyResult(False, _("Enterprise required to access this feature."))
         if self.request.user.type != UserTypes.INTERNAL:
             return PolicyResult(False, _("Feature only accessible for internal users."))

authentik/enterprise/providers/google_workspace/api/groups.py

@@ -1,12 +1,13 @@
 """GoogleWorkspaceProviderGroup API Views"""
 
 from rest_framework import mixins
-from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet
 
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.users import UserGroupSerializer
+from authentik.core.api.utils import ModelSerializer
 from authentik.enterprise.providers.google_workspace.models import GoogleWorkspaceProviderGroup
+from authentik.lib.sync.outgoing.api import OutgoingSyncConnectionCreateMixin
 
 
 class GoogleWorkspaceProviderGroupSerializer(ModelSerializer):
@@ -30,6 +31,7 @@ class GoogleWorkspaceProviderGroupSerializer(ModelSerializer):
 
 class GoogleWorkspaceProviderGroupViewSet(
     mixins.CreateModelMixin,
+    OutgoingSyncConnectionCreateMixin,
     mixins.RetrieveModelMixin,
     mixins.DestroyModelMixin,
     UsedByMixin,

authentik/enterprise/providers/google_workspace/api/providers.py

@@ -6,7 +6,10 @@ from authentik.core.api.providers import ProviderSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.enterprise.api import EnterpriseRequiredMixin
 from authentik.enterprise.providers.google_workspace.models import GoogleWorkspaceProvider
-from authentik.enterprise.providers.google_workspace.tasks import google_workspace_sync
+from authentik.enterprise.providers.google_workspace.tasks import (
+    google_workspace_sync,
+    google_workspace_sync_objects,
+)
 from authentik.lib.sync.outgoing.api import OutgoingSyncProviderStatusMixin
 
 
@@ -52,3 +55,4 @@ class GoogleWorkspaceProviderViewSet(OutgoingSyncProviderStatusMixin, UsedByMixi
     search_fields = ["name"]
     ordering = ["name"]
     sync_single_task = google_workspace_sync
+    sync_objects_task = google_workspace_sync_objects

authentik/enterprise/providers/google_workspace/api/users.py

@@ -1,12 +1,13 @@
 """GoogleWorkspaceProviderUser API Views"""
 
 from rest_framework import mixins
-from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet
 
 from authentik.core.api.groups import GroupMemberSerializer
 from authentik.core.api.used_by import UsedByMixin
+from authentik.core.api.utils import ModelSerializer
 from authentik.enterprise.providers.google_workspace.models import GoogleWorkspaceProviderUser
+from authentik.lib.sync.outgoing.api import OutgoingSyncConnectionCreateMixin
 
 
 class GoogleWorkspaceProviderUserSerializer(ModelSerializer):
@@ -30,6 +31,7 @@ class GoogleWorkspaceProviderUserSerializer(ModelSerializer):
 
 class GoogleWorkspaceProviderUserViewSet(
     mixins.CreateModelMixin,
+    OutgoingSyncConnectionCreateMixin,
     mixins.RetrieveModelMixin,
     mixins.DestroyModelMixin,
     UsedByMixin,

authentik/enterprise/providers/google_workspace/clients/groups.py

@@ -214,3 +214,7 @@ class GoogleWorkspaceGroupClient(
             google_id=google_id,
             attributes=group,
         )
+
+    def update_single_attribute(self, connection: GoogleWorkspaceProviderUser):
+        group = self.directory_service.groups().get(connection.google_id)
+        connection.attributes = group

authentik/enterprise/providers/google_workspace/clients/users.py

@@ -119,3 +119,7 @@ class GoogleWorkspaceUserClient(GoogleWorkspaceSyncClient[User, GoogleWorkspaceP
             google_id=email,
             attributes=user,
         )
+
+    def update_single_attribute(self, connection: GoogleWorkspaceProviderUser):
+        user = self.directory_service.users().get(connection.google_id)
+        connection.attributes = user

authentik/enterprise/providers/google_workspace/models.py

@@ -31,6 +31,58 @@ def default_scopes() -> list[str]:
     ]
 
 
+class GoogleWorkspaceProviderUser(SerializerModel):
+    """Mapping of a user and provider to a Google user ID"""
+
+    id = models.UUIDField(primary_key=True, editable=False, default=uuid4)
+    google_id = models.TextField()
+    user = models.ForeignKey(User, on_delete=models.CASCADE)
+    provider = models.ForeignKey("GoogleWorkspaceProvider", on_delete=models.CASCADE)
+    attributes = models.JSONField(default=dict)
+
+    @property
+    def serializer(self) -> type[Serializer]:
+        from authentik.enterprise.providers.google_workspace.api.users import (
+            GoogleWorkspaceProviderUserSerializer,
+        )
+
+        return GoogleWorkspaceProviderUserSerializer
+
+    class Meta:
+        verbose_name = _("Google Workspace Provider User")
+        verbose_name_plural = _("Google Workspace Provider Users")
+        unique_together = (("google_id", "user", "provider"),)
+
+    def __str__(self) -> str:
+        return f"Google Workspace Provider User {self.user_id} to {self.provider_id}"
+
+
+class GoogleWorkspaceProviderGroup(SerializerModel):
+    """Mapping of a group and provider to a Google group ID"""
+
+    id = models.UUIDField(primary_key=True, editable=False, default=uuid4)
+    google_id = models.TextField()
+    group = models.ForeignKey(Group, on_delete=models.CASCADE)
+    provider = models.ForeignKey("GoogleWorkspaceProvider", on_delete=models.CASCADE)
+    attributes = models.JSONField(default=dict)
+
+    @property
+    def serializer(self) -> type[Serializer]:
+        from authentik.enterprise.providers.google_workspace.api.groups import (
+            GoogleWorkspaceProviderGroupSerializer,
+        )
+
+        return GoogleWorkspaceProviderGroupSerializer
+
+    class Meta:
+        verbose_name = _("Google Workspace Provider Group")
+        verbose_name_plural = _("Google Workspace Provider Groups")
+        unique_together = (("google_id", "group", "provider"),)
+
+    def __str__(self) -> str:
+        return f"Google Workspace Provider Group {self.group_id} to {self.provider_id}"
+
+
 class GoogleWorkspaceProvider(OutgoingSyncProvider, BackchannelProvider):
     """Sync users from authentik into Google Workspace."""
 
@@ -59,15 +111,16 @@ class GoogleWorkspaceProvider(OutgoingSyncProvider, BackchannelProvider):
     )
 
     def client_for_model(
-        self, model: type[User | Group]
+        self,
+        model: type[User | Group | GoogleWorkspaceProviderUser | GoogleWorkspaceProviderGroup],
     ) -> BaseOutgoingSyncClient[User | Group, Any, Any, Self]:
-        if issubclass(model, User):
+        if issubclass(model, User | GoogleWorkspaceProviderUser):
             from authentik.enterprise.providers.google_workspace.clients.users import (
                 GoogleWorkspaceUserClient,
             )
 
             return GoogleWorkspaceUserClient(self)
-        if issubclass(model, Group):
+        if issubclass(model, Group | GoogleWorkspaceProviderGroup):
             from authentik.enterprise.providers.google_workspace.clients.groups import (
                 GoogleWorkspaceGroupClient,
             )
@@ -128,7 +181,7 @@ class GoogleWorkspaceProviderMapping(PropertyMapping):
 
     @property
     def component(self) -> str:
-        return "ak-property-mapping-google-workspace-form"
+        return "ak-property-mapping-provider-google-workspace-form"
 
     @property
     def serializer(self) -> type[Serializer]:
@@ -144,55 +197,3 @@ class GoogleWorkspaceProviderMapping(PropertyMapping):
     class Meta:
         verbose_name = _("Google Workspace Provider Mapping")
         verbose_name_plural = _("Google Workspace Provider Mappings")
-
-
-class GoogleWorkspaceProviderUser(SerializerModel):
-    """Mapping of a user and provider to a Google user ID"""
-
-    id = models.UUIDField(primary_key=True, editable=False, default=uuid4)
-    google_id = models.TextField()
-    user = models.ForeignKey(User, on_delete=models.CASCADE)
-    provider = models.ForeignKey(GoogleWorkspaceProvider, on_delete=models.CASCADE)
-    attributes = models.JSONField(default=dict)
-
-    @property
-    def serializer(self) -> type[Serializer]:
-        from authentik.enterprise.providers.google_workspace.api.users import (
-            GoogleWorkspaceProviderUserSerializer,
-        )
-
-        return GoogleWorkspaceProviderUserSerializer
-
-    class Meta:
-        verbose_name = _("Google Workspace Provider User")
-        verbose_name_plural = _("Google Workspace Provider Users")
-        unique_together = (("google_id", "user", "provider"),)
-
-    def __str__(self) -> str:
-        return f"Google Workspace Provider User {self.user_id} to {self.provider_id}"
-
-
-class GoogleWorkspaceProviderGroup(SerializerModel):
-    """Mapping of a group and provider to a Google group ID"""
-
-    id = models.UUIDField(primary_key=True, editable=False, default=uuid4)
-    google_id = models.TextField()
-    group = models.ForeignKey(Group, on_delete=models.CASCADE)
-    provider = models.ForeignKey(GoogleWorkspaceProvider, on_delete=models.CASCADE)
-    attributes = models.JSONField(default=dict)
-
-    @property
-    def serializer(self) -> type[Serializer]:
-        from authentik.enterprise.providers.google_workspace.api.groups import (
-            GoogleWorkspaceProviderGroupSerializer,
-        )
-
-        return GoogleWorkspaceProviderGroupSerializer
-
-    class Meta:
-        verbose_name = _("Google Workspace Provider Group")
-        verbose_name_plural = _("Google Workspace Provider Groups")
-        unique_together = (("google_id", "group", "provider"),)
-
-    def __str__(self) -> str:
-        return f"Google Workspace Provider Group {self.group_id} to {self.provider_id}"

authentik/enterprise/providers/microsoft_entra/api/groups.py

@@ -1,12 +1,13 @@
 """MicrosoftEntraProviderGroup API Views"""
 
 from rest_framework import mixins
-from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet
 
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.users import UserGroupSerializer
+from authentik.core.api.utils import ModelSerializer
 from authentik.enterprise.providers.microsoft_entra.models import MicrosoftEntraProviderGroup
+from authentik.lib.sync.outgoing.api import OutgoingSyncConnectionCreateMixin
 
 
 class MicrosoftEntraProviderGroupSerializer(ModelSerializer):
@@ -30,6 +31,7 @@ class MicrosoftEntraProviderGroupSerializer(ModelSerializer):
 
 class MicrosoftEntraProviderGroupViewSet(
     mixins.CreateModelMixin,
+    OutgoingSyncConnectionCreateMixin,
     mixins.RetrieveModelMixin,
     mixins.DestroyModelMixin,
     UsedByMixin,

authentik/enterprise/providers/microsoft_entra/api/providers.py

@@ -6,7 +6,10 @@ from authentik.core.api.providers import ProviderSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.enterprise.api import EnterpriseRequiredMixin
 from authentik.enterprise.providers.microsoft_entra.models import MicrosoftEntraProvider
-from authentik.enterprise.providers.microsoft_entra.tasks import microsoft_entra_sync
+from authentik.enterprise.providers.microsoft_entra.tasks import (
+    microsoft_entra_sync,
+    microsoft_entra_sync_objects,
+)
 from authentik.lib.sync.outgoing.api import OutgoingSyncProviderStatusMixin
 
 
@@ -50,3 +53,4 @@ class MicrosoftEntraProviderViewSet(OutgoingSyncProviderStatusMixin, UsedByMixin
     search_fields = ["name"]
     ordering = ["name"]
     sync_single_task = microsoft_entra_sync
+    sync_objects_task = microsoft_entra_sync_objects

authentik/enterprise/providers/microsoft_entra/api/users.py

@@ -1,12 +1,13 @@
 """MicrosoftEntraProviderUser API Views"""
 
 from rest_framework import mixins
-from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet
 
 from authentik.core.api.groups import GroupMemberSerializer
 from authentik.core.api.used_by import UsedByMixin
+from authentik.core.api.utils import ModelSerializer
 from authentik.enterprise.providers.microsoft_entra.models import MicrosoftEntraProviderUser
+from authentik.lib.sync.outgoing.api import OutgoingSyncConnectionCreateMixin
 
 
 class MicrosoftEntraProviderUserSerializer(ModelSerializer):
@@ -29,6 +30,7 @@ class MicrosoftEntraProviderUserSerializer(ModelSerializer):
 
 
 class MicrosoftEntraProviderUserViewSet(
+    OutgoingSyncConnectionCreateMixin,
     mixins.CreateModelMixin,
     mixins.RetrieveModelMixin,
     mixins.DestroyModelMixin,

authentik/enterprise/providers/microsoft_entra/clients/groups.py

@@ -226,3 +226,7 @@ class MicrosoftEntraGroupClient(
             microsoft_id=group.id,
             attributes=self.entity_as_dict(group),
         )
+
+    def update_single_attribute(self, connection: MicrosoftEntraProviderGroup):
+        data = self._request(self.client.groups.by_group_id(connection.microsoft_id).get())
+        connection.attributes = self.entity_as_dict(data)

authentik/enterprise/providers/microsoft_entra/clients/users.py

@@ -66,6 +66,26 @@ class MicrosoftEntraUserClient(MicrosoftEntraSyncClient[User, MicrosoftEntraProv
             microsoft_user.delete()
         return response
 
+    def get_select_fields(self) -> list[str]:
+        """All fields that should be selected when we fetch user data."""
+        # TODO: Make this customizable in the future
+        return [
+            # Default fields
+            "businessPhones",
+            "displayName",
+            "givenName",
+            "jobTitle",
+            "mail",
+            "mobilePhone",
+            "officeLocation",
+            "preferredLanguage",
+            "surname",
+            "userPrincipalName",
+            "id",
+            # Required for logging into M365 using authentik
+            "onPremisesImmutableId",
+        ]
+
     def create(self, user: User):
         """Create user from scratch and create a connection object"""
         microsoft_user = self.to_schema(user, None)
@@ -75,12 +95,12 @@ class MicrosoftEntraUserClient(MicrosoftEntraSyncClient[User, MicrosoftEntraProv
                 response = self._request(self.client.users.post(microsoft_user))
             except ObjectExistsSyncException:
                 # user already exists in microsoft entra, so we can connect them manually
-                query_params = UsersRequestBuilder.UsersRequestBuilderGetQueryParameters()(
-                    filter=f"mail eq '{microsoft_user.mail}'",
-                )
                 request_configuration = (
                     UsersRequestBuilder.UsersRequestBuilderGetRequestConfiguration(
-                        query_parameters=query_params,
+                        query_parameters=UsersRequestBuilder.UsersRequestBuilderGetQueryParameters(
+                            filter=f"mail eq '{microsoft_user.mail}'",
+                            select=self.get_select_fields(),
+                        ),
                     )
                 )
                 user_data = self._request(self.client.users.get(request_configuration))
@@ -99,7 +119,6 @@ class MicrosoftEntraUserClient(MicrosoftEntraSyncClient[User, MicrosoftEntraProv
             except TransientSyncException as exc:
                 raise exc
             else:
-                print(self.entity_as_dict(response))
                 return MicrosoftEntraProviderUser.objects.create(
                     provider=self.provider,
                     user=user,
@@ -120,7 +139,12 @@ class MicrosoftEntraUserClient(MicrosoftEntraSyncClient[User, MicrosoftEntraProv
 
     def discover(self):
         """Iterate through all users and connect them with authentik users if possible"""
-        users = self._request(self.client.users.get())
+        request_configuration = UsersRequestBuilder.UsersRequestBuilderGetRequestConfiguration(
+            query_parameters=UsersRequestBuilder.UsersRequestBuilderGetQueryParameters(
+                select=self.get_select_fields(),
+            ),
+        )
+        users = self._request(self.client.users.get(request_configuration))
         next_link = True
         while next_link:
             for user in users.value:
@@ -141,3 +165,14 @@ class MicrosoftEntraUserClient(MicrosoftEntraSyncClient[User, MicrosoftEntraProv
             microsoft_id=user.id,
             attributes=self.entity_as_dict(user),
         )
+
+    def update_single_attribute(self, connection: MicrosoftEntraProviderUser):
+        request_configuration = UsersRequestBuilder.UsersRequestBuilderGetRequestConfiguration(
+            query_parameters=UsersRequestBuilder.UsersRequestBuilderGetQueryParameters(
+                select=self.get_select_fields(),
+            ),
+        )
+        data = self._request(
+            self.client.users.by_user_id(connection.microsoft_id).get(request_configuration)
+        )
+        connection.attributes = self.entity_as_dict(data)