root: remove /if/help/

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

.bumpversion.cfg

@@ -1,34 +1,20 @@
 [bumpversion]
-current_version = 2024.12.3
+current_version = 2023.10.6
 tag = True
 commit = True
-parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
-serialize =
-	{major}.{minor}.{patch}-{rc_t}{rc_n}
-	{major}.{minor}.{patch}
+parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)
+serialize = {major}.{minor}.{patch}
 message = release: {new_version}
 tag_name = version/{new_version}
 
-[bumpversion:part:rc_t]
-values =
-	rc
-	final
-optional_value = final
-
 [bumpversion:file:pyproject.toml]
 
-[bumpversion:file:package.json]
-
 [bumpversion:file:docker-compose.yml]
 
 [bumpversion:file:schema.yml]
 
-[bumpversion:file:blueprints/schema.json]
-
 [bumpversion:file:authentik/__init__.py]
 
 [bumpversion:file:internal/constants/constants.go]
 
 [bumpversion:file:web/src/common/constants.ts]
-
-[bumpversion:file:lifecycle/aws/template.yaml]

.github/FUNDING.yml

@@ -1 +1 @@
-custom: https://goauthentik.io/pricing/
+github: [BeryJu]

.github/ISSUE_TEMPLATE/question.md

@@ -9,7 +9,7 @@ assignees: ""
 **Describe your question/**
 A clear and concise description of what you're trying to do.
 
-**Relevant info**
+**Relevant infos**
 i.e. Version of other software you're using, specifics of your setup
 
 **Screenshots**

.github/actions/comment-pr-instructions/action.yml

@@ -9,6 +9,9 @@ inputs:
 runs:
   using: "composite"
   steps:
+    - name: Generate config
+      id: ev
+      uses: ./.github/actions/docker-push-variables
     - name: Find Comment
       uses: peter-evans/find-comment@v2
       id: fc
@@ -35,6 +38,14 @@ runs:
             AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
             ```
 
+            For arm64, use these values:
+
+            ```shell
+            AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
+            AUTHENTIK_TAG=${{ inputs.tag }}-arm64
+            AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
+            ```
+
             Afterwards, run the upgrade commands from the latest release notes.
           </details>
           <details>
@@ -46,10 +57,20 @@ runs:
             authentik:
                 outposts:
                     container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
-            global:
-                image:
-                    repository: ghcr.io/goauthentik/dev-server
-                    tag: ${{ inputs.tag }}
+            image:
+                repository: ghcr.io/goauthentik/dev-server
+                tag: ${{ inputs.tag }}
+            ```
+
+            For arm64, use these values:
+
+            ```yaml
+            authentik:
+                outposts:
+                    container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
+            image:
+                repository: ghcr.io/goauthentik/dev-server
+                tag: ${{ inputs.tag }}-arm64
             ```
 
             Afterwards, run the upgrade commands from the latest release notes.

.github/actions/docker-push-variables/action.yml

@@ -1,67 +1,64 @@
----
 name: "Prepare docker environment variables"
 description: "Prepare docker environment variables"
 
-inputs:
-  image-name:
-    required: true
-    description: "Docker image prefix"
-  image-arch:
-    required: false
-    description: "Docker image arch"
-  release:
-    required: true
-    description: "True if this is a release build, false if this is a dev/PR build"
-
 outputs:
-  shouldPush:
-    description: "Whether to push the image or not"
-    value: ${{ steps.ev.outputs.shouldPush }}
-
+  shouldBuild:
+    description: "Whether to build image or not"
+    value: ${{ steps.ev.outputs.shouldBuild }}
+  branchName:
+    description: "Branch name"
+    value: ${{ steps.ev.outputs.branchName }}
+  branchNameContainer:
+    description: "Branch name (for containers)"
+    value: ${{ steps.ev.outputs.branchNameContainer }}
+  timestamp:
+    description: "Timestamp"
+    value: ${{ steps.ev.outputs.timestamp }}
   sha:
     description: "sha"
     value: ${{ steps.ev.outputs.sha }}
-
+  shortHash:
+    description: "shortHash"
+    value: ${{ steps.ev.outputs.shortHash }}
   version:
-    description: "Version"
+    description: "version"
     value: ${{ steps.ev.outputs.version }}
-  prerelease:
-    description: "Prerelease"
-    value: ${{ steps.ev.outputs.prerelease }}
-
-  imageTags:
-    description: "Docker image tags"
-    value: ${{ steps.ev.outputs.imageTags }}
-  imageTagsJSON:
-    description: "Docker image tags, as a JSON array"
-    value: ${{ steps.ev.outputs.imageTagsJSON }}
-  attestImageNames:
-    description: "Docker image names used for attestation"
-    value: ${{ steps.ev.outputs.attestImageNames }}
-  cacheTo:
-    description: "cache-to value for the docker build step"
-    value: ${{ steps.ev.outputs.cacheTo }}
-  imageMainTag:
-    description: "Docker image main tag"
-    value: ${{ steps.ev.outputs.imageMainTag }}
-  imageMainName:
-    description: "Docker image main name"
-    value: ${{ steps.ev.outputs.imageMainName }}
-  imageBuildArgs:
-    description: "Docker image build args"
-    value: ${{ steps.ev.outputs.imageBuildArgs }}
+  versionFamily:
+    description: "versionFamily"
+    value: ${{ steps.ev.outputs.versionFamily }}
 
 runs:
   using: "composite"
   steps:
     - name: Generate config
       id: ev
-      shell: bash
-      env:
-        IMAGE_NAME: ${{ inputs.image-name }}
-        IMAGE_ARCH: ${{ inputs.image-arch }}
-        RELEASE: ${{ inputs.release }}
-        PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
-        REF: ${{ github.ref }}
+      shell: python
       run: |
-        python3 ${{ github.action_path }}/push_vars.py
+        """Helper script to get the actual branch name, docker safe"""
+        import configparser
+        import os
+        from time import time
+
+        parser = configparser.ConfigParser()
+        parser.read(".bumpversion.cfg")
+
+        branch_name = os.environ["GITHUB_REF"]
+        if os.environ.get("GITHUB_HEAD_REF", "") != "":
+            branch_name = os.environ["GITHUB_HEAD_REF"]
+
+        should_build = str(os.environ.get("DOCKER_USERNAME", "") != "").lower()
+        version = parser.get("bumpversion", "current_version")
+        version_family = ".".join(version.split(".")[:-1])
+        safe_branch_name = branch_name.replace("refs/heads/", "").replace("/", "-")
+
+        sha = os.environ["GITHUB_SHA"] if not "${{ github.event.pull_request.head.sha }}" else "${{ github.event.pull_request.head.sha }}"
+
+        with open(os.environ["GITHUB_OUTPUT"], "a+", encoding="utf-8") as _output:
+            print("branchName=%s" % branch_name, file=_output)
+            print("branchNameContainer=%s" % safe_branch_name, file=_output)
+            print("timestamp=%s" % int(time()), file=_output)
+            print("sha=%s" % sha, file=_output)
+            print("shortHash=%s" % sha[:7], file=_output)
+            print("shouldBuild=%s" % should_build, file=_output)
+            print("version=%s" % version, file=_output)
+            print("versionFamily=%s" % version_family, file=_output)

.github/actions/docker-push-variables/push_vars.py

@@ -1,101 +0,0 @@
-"""Helper script to get the actual branch name, docker safe"""
-
-import configparser
-import os
-from json import dumps
-from time import time
-
-parser = configparser.ConfigParser()
-parser.read(".bumpversion.cfg")
-
-# Decide if we should push the image or not
-should_push = True
-if len(os.environ.get("DOCKER_USERNAME", "")) < 1:
-    # Don't push if we don't have DOCKER_USERNAME, i.e. no secrets are available
-    should_push = False
-if os.environ.get("GITHUB_REPOSITORY").lower() == "goauthentik/authentik-internal":
-    # Don't push on the internal repo
-    should_push = False
-
-branch_name = os.environ["GITHUB_REF"]
-if os.environ.get("GITHUB_HEAD_REF", "") != "":
-    branch_name = os.environ["GITHUB_HEAD_REF"]
-safe_branch_name = branch_name.replace("refs/heads/", "").replace("/", "-").replace("'", "-")
-
-image_names = os.getenv("IMAGE_NAME").split(",")
-image_arch = os.getenv("IMAGE_ARCH") or None
-
-is_pull_request = bool(os.getenv("PR_HEAD_SHA"))
-is_release = "dev" not in image_names[0]
-
-sha = os.environ["GITHUB_SHA"] if not is_pull_request else os.getenv("PR_HEAD_SHA")
-
-# 2042.1.0 or 2042.1.0-rc1
-version = parser.get("bumpversion", "current_version")
-# 2042.1
-version_family = ".".join(version.split("-", 1)[0].split(".")[:-1])
-prerelease = "-" in version
-
-image_tags = []
-if is_release:
-    for name in image_names:
-        image_tags += [
-            f"{name}:{version}",
-        ]
-        if not prerelease:
-            image_tags += [
-                f"{name}:latest",
-                f"{name}:{version_family}",
-            ]
-else:
-    suffix = ""
-    if image_arch:
-        suffix = f"-{image_arch}"
-    for name in image_names:
-        image_tags += [
-            f"{name}:gh-{sha}{suffix}",  # Used for ArgoCD and PR comments
-            f"{name}:gh-{safe_branch_name}{suffix}",  # For convenience
-            f"{name}:gh-{safe_branch_name}-{int(time())}-{sha[:7]}{suffix}",  # Use by FluxCD
-        ]
-
-image_main_tag = image_tags[0].split(":")[-1]
-
-
-def get_attest_image_names(image_with_tags: list[str]):
-    """Attestation only for GHCR"""
-    image_tags = []
-    for image_name in set(name.split(":")[0] for name in image_with_tags):
-        if not image_name.startswith("ghcr.io"):
-            continue
-        image_tags.append(image_name)
-    return ",".join(set(image_tags))
-
-
-# Generate `cache-to` param
-cache_to = ""
-if should_push:
-    _cache_tag = "buildcache"
-    if image_arch:
-        _cache_tag += f"-{image_arch}"
-    cache_to = f"type=registry,ref={get_attest_image_names(image_tags)}:{_cache_tag},mode=max"
-
-
-image_build_args = []
-if os.getenv("RELEASE", "false").lower() == "true":
-    image_build_args = [f"VERSION={os.getenv('REF')}"]
-else:
-    image_build_args = [f"GIT_BUILD_HASH={sha}"]
-image_build_args = "\n".join(image_build_args)
-
-with open(os.environ["GITHUB_OUTPUT"], "a+", encoding="utf-8") as _output:
-    print(f"shouldPush={str(should_push).lower()}", file=_output)
-    print(f"sha={sha}", file=_output)
-    print(f"version={version}", file=_output)
-    print(f"prerelease={prerelease}", file=_output)
-    print(f"imageTags={','.join(image_tags)}", file=_output)
-    print(f"imageTagsJSON={dumps(image_tags)}", file=_output)
-    print(f"attestImageNames={get_attest_image_names(image_tags)}", file=_output)
-    print(f"imageMainTag={image_main_tag}", file=_output)
-    print(f"imageMainName={image_tags[0]}", file=_output)
-    print(f"cacheTo={cache_to}", file=_output)
-    print(f"imageBuildArgs={image_build_args}", file=_output)

.github/actions/docker-push-variables/test.sh

@@ -1,18 +0,0 @@
-#!/bin/bash -x
-SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
-# Non-pushing PR
-GITHUB_OUTPUT=/dev/stdout \
-    GITHUB_REF=ref \
-    GITHUB_SHA=sha \
-    IMAGE_NAME=ghcr.io/goauthentik/server,beryju/authentik \
-    GITHUB_REPOSITORY=goauthentik/authentik \
-    python $SCRIPT_DIR/push_vars.py
-
-# Pushing PR/main
-GITHUB_OUTPUT=/dev/stdout \
-    GITHUB_REF=ref \
-    GITHUB_SHA=sha \
-    IMAGE_NAME=ghcr.io/goauthentik/server,beryju/authentik \
-    GITHUB_REPOSITORY=goauthentik/authentik \
-    DOCKER_USERNAME=foo \
-    python $SCRIPT_DIR/push_vars.py

.github/actions/setup/action.yml

@@ -14,28 +14,28 @@ runs:
       run: |
         pipx install poetry || true
         sudo apt-get update
-        sudo apt-get install --no-install-recommends -y libpq-dev openssl libxmlsec1-dev pkg-config gettext libkrb5-dev krb5-kdc krb5-user krb5-admin-server
+        sudo apt-get install --no-install-recommends -y libpq-dev openssl libxmlsec1-dev pkg-config gettext
     - name: Setup python and restore poetry
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@v4
       with:
         python-version-file: "pyproject.toml"
         cache: "poetry"
     - name: Setup node
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@v3
       with:
         node-version-file: web/package.json
         cache: "npm"
         cache-dependency-path: web/package-lock.json
     - name: Setup go
-      uses: actions/setup-go@v5
+      uses: actions/setup-go@v4
       with:
         go-version-file: "go.mod"
     - name: Setup dependencies
       shell: bash
       run: |
         export PSQL_TAG=${{ inputs.postgresql_version }}
-        docker compose -f .github/actions/setup/docker-compose.yml up -d
-        poetry install --sync
+        docker-compose -f .github/actions/setup/docker-compose.yml up -d
+        poetry install
         cd web && npm ci
     - name: Generate config
       shell: poetry run python {0}

.github/actions/setup/docker-compose.yml

@@ -1,3 +1,5 @@
+version: "3.7"
+
 services:
   postgresql:
     image: docker.io/library/postgres:${PSQL_TAG:-16}

.github/codespell-words.txt

@@ -3,5 +3,3 @@ keypairs
 hass
 warmup
 ontext
-singed
-assertIn

.github/dependabot.yml

@@ -21,9 +21,7 @@ updates:
     labels:
       - dependencies
   - package-ecosystem: npm
-    directories:
-      - "/web"
-      - "/web/sfe"
+    directory: "/web"
     schedule:
       interval: daily
       time: "04:00"
@@ -32,6 +30,7 @@ updates:
     open-pull-requests-limit: 10
     commit-message:
       prefix: "web:"
+    # TODO: deduplicate these groups
     groups:
       sentry:
         patterns:
@@ -43,11 +42,9 @@ updates:
           - "babel-*"
       eslint:
         patterns:
-          - "@eslint/*"
           - "@typescript-eslint/*"
-          - "eslint-*"
           - "eslint"
-          - "typescript-eslint"
+          - "eslint-*"
       storybook:
         patterns:
           - "@storybook/*"
@@ -55,16 +52,38 @@ updates:
       esbuild:
         patterns:
           - "@esbuild/*"
-          - "esbuild*"
-      rollup:
+  - package-ecosystem: npm
+    directory: "/tests/wdio"
+    schedule:
+      interval: daily
+      time: "04:00"
+    labels:
+      - dependencies
+    open-pull-requests-limit: 10
+    commit-message:
+      prefix: "web:"
+    # TODO: deduplicate these groups
+    groups:
+      sentry:
         patterns:
-          - "@rollup/*"
-          - "rollup-*"
-          - "rollup*"
-      swc:
+          - "@sentry/*"
+          - "@spotlightjs/*"
+      babel:
         patterns:
-          - "@swc/*"
-          - "swc-*"
+          - "@babel/*"
+          - "babel-*"
+      eslint:
+        patterns:
+          - "@typescript-eslint/*"
+          - "eslint"
+          - "eslint-*"
+      storybook:
+        patterns:
+          - "@storybook/*"
+          - "*storybook*"
+      esbuild:
+        patterns:
+          - "@esbuild/*"
       wdio:
         patterns:
           - "@wdio/*"
@@ -82,16 +101,6 @@ updates:
       docusaurus:
         patterns:
           - "@docusaurus/*"
-  - package-ecosystem: npm
-    directory: "/lifecycle/aws"
-    schedule:
-      interval: daily
-      time: "04:00"
-    open-pull-requests-limit: 10
-    commit-message:
-      prefix: "lifecycle/aws:"
-    labels:
-      - dependencies
   - package-ecosystem: pip
     directory: "/"
     schedule:

.github/pull_request_template.md

@@ -1,7 +1,7 @@
 <!--
 👋 Hi there! Welcome.
 
-Please check the Contributing guidelines: https://docs.goauthentik.io/docs/developer-docs/#how-can-i-contribute
+Please check the Contributing guidelines: https://goauthentik.io/developer-docs/#how-can-i-contribute
 -->
 
 ## Details
@@ -27,6 +27,7 @@ If an API change has been made
 If changes to the frontend have been made
 
 -   [ ] The code has been formatted (`make web`)
+-   [ ] The translation files have been updated (`make i18n-extract`)
 
 If applicable
 

.github/workflows/_reusable-docker-build-single.yaml

@@ -1,96 +0,0 @@
-# Re-usable workflow for a single-architecture build
-name: Single-arch Container build
-
-on:
-  workflow_call:
-    inputs:
-      image_name:
-        required: true
-        type: string
-      image_arch:
-        required: true
-        type: string
-      runs-on:
-        required: true
-        type: string
-      registry_dockerhub:
-        default: false
-        type: boolean
-      registry_ghcr:
-        default: false
-        type: boolean
-      release:
-        default: false
-        type: boolean
-    outputs:
-      image-digest:
-        value: ${{ jobs.build.outputs.image-digest }}
-
-jobs:
-  build:
-    name: Build ${{ inputs.image_arch }}
-    runs-on: ${{ inputs.runs-on }}
-    outputs:
-      image-digest: ${{ steps.push.outputs.digest }}
-    permissions:
-      # Needed to upload container images to ghcr.io
-      packages: write
-      # Needed for attestation
-      id-token: write
-      attestations: write
-    steps:
-      - uses: actions/checkout@v4
-      - uses: docker/setup-qemu-action@v3.4.0
-      - uses: docker/setup-buildx-action@v3
-      - name: prepare variables
-        uses: ./.github/actions/docker-push-variables
-        id: ev
-        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
-        with:
-          image-name: ${{ inputs.image_name }}
-          image-arch: ${{ inputs.image_arch }}
-          release: ${{ inputs.release }}
-      - name: Login to Docker Hub
-        if: ${{ inputs.registry_dockerhub }}
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
-      - name: Login to GitHub Container Registry
-        if: ${{ inputs.registry_ghcr }}
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: make empty clients
-        if: ${{ inputs.release }}
-        run: |
-          mkdir -p ./gen-ts-api
-          mkdir -p ./gen-go-api
-      - name: generate ts client
-        if: ${{ !inputs.release }}
-        run: make gen-client-ts
-      - name: Build Docker Image
-        uses: docker/build-push-action@v6
-        id: push
-        with:
-          context: .
-          push: ${{ steps.ev.outputs.shouldPush == 'true' }}
-          secrets: |
-            GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
-            GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
-          build-args: |
-            ${{ steps.ev.outputs.imageBuildArgs }}
-          tags: ${{ steps.ev.outputs.imageTags }}
-          platforms: linux/${{ inputs.image_arch }}
-          cache-from: type=registry,ref=${{ steps.ev.outputs.attestImageNames }}:buildcache-${{ inputs.image_arch }}
-          cache-to: ${{ steps.ev.outputs.cacheTo }}
-      - uses: actions/attest-build-provenance@v2
-        id: attest
-        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
-        with:
-          subject-name: ${{ steps.ev.outputs.attestImageNames }}
-          subject-digest: ${{ steps.push.outputs.digest }}
-          push-to-registry: true

.github/workflows/_reusable-docker-build.yaml

@@ -1,104 +0,0 @@
-# Re-usable workflow for a multi-architecture build
-name: Multi-arch container build
-
-on:
-  workflow_call:
-    inputs:
-      image_name:
-        required: true
-        type: string
-      registry_dockerhub:
-        default: false
-        type: boolean
-      registry_ghcr:
-        default: true
-        type: boolean
-      release:
-        default: false
-        type: boolean
-    outputs: {}
-
-jobs:
-  build-server-amd64:
-    uses: ./.github/workflows/_reusable-docker-build-single.yaml
-    secrets: inherit
-    with:
-      image_name: ${{ inputs.image_name }}
-      image_arch: amd64
-      runs-on: ubuntu-latest
-      registry_dockerhub: ${{ inputs.registry_dockerhub }}
-      registry_ghcr: ${{ inputs.registry_ghcr }}
-      release: ${{ inputs.release }}
-  build-server-arm64:
-    uses: ./.github/workflows/_reusable-docker-build-single.yaml
-    secrets: inherit
-    with:
-      image_name: ${{ inputs.image_name }}
-      image_arch: arm64
-      runs-on: ubuntu-22.04-arm
-      registry_dockerhub: ${{ inputs.registry_dockerhub }}
-      registry_ghcr: ${{ inputs.registry_ghcr }}
-      release: ${{ inputs.release }}
-  get-tags:
-    runs-on: ubuntu-latest
-    needs:
-      - build-server-amd64
-      - build-server-arm64
-    outputs:
-      tags: ${{ steps.ev.outputs.imageTagsJSON }}
-      shouldPush: ${{ steps.ev.outputs.shouldPush }}
-    steps:
-      - uses: actions/checkout@v4
-      - name: prepare variables
-        uses: ./.github/actions/docker-push-variables
-        id: ev
-        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
-        with:
-          image-name: ${{ inputs.image_name }}
-  merge-server:
-    runs-on: ubuntu-latest
-    if: ${{ needs.get-tags.outputs.shouldPush == 'true' }}
-    needs:
-      - get-tags
-      - build-server-amd64
-      - build-server-arm64
-    strategy:
-      fail-fast: false
-      matrix:
-        tag: ${{ fromJson(needs.get-tags.outputs.tags) }}
-    steps:
-      - uses: actions/checkout@v4
-      - name: prepare variables
-        uses: ./.github/actions/docker-push-variables
-        id: ev
-        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
-        with:
-          image-name: ${{ inputs.image_name }}
-      - name: Login to Docker Hub
-        if: ${{ inputs.registry_dockerhub }}
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
-      - name: Login to GitHub Container Registry
-        if: ${{ inputs.registry_ghcr }}
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - uses: int128/docker-manifest-create-action@v2
-        id: build
-        with:
-          tags: ${{ matrix.tag }}
-          sources: |
-            ${{ steps.ev.outputs.attestImageNames }}@${{ needs.build-server-amd64.outputs.image-digest }}
-            ${{ steps.ev.outputs.attestImageNames }}@${{ needs.build-server-arm64.outputs.image-digest }}
-      - uses: actions/attest-build-provenance@v2
-        id: attest
-        with:
-          subject-name: ${{ steps.ev.outputs.attestImageNames }}
-          subject-digest: ${{ steps.build.outputs.digest }}
-          push-to-registry: true

.github/workflows/api-py-publish.yml

@@ -1,66 +0,0 @@
-name: authentik-api-py-publish
-on:
-  push:
-    branches: [main]
-    paths:
-      - "schema.yml"
-  workflow_dispatch:
-jobs:
-  build:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
-    runs-on: ubuntu-latest
-    permissions:
-      id-token: write
-    steps:
-      - id: generate_token
-        uses: tibdex/github-app-token@v2
-        with:
-          app_id: ${{ secrets.GH_APP_ID }}
-          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/checkout@v4
-        with:
-          token: ${{ steps.generate_token.outputs.token }}
-      - name: Install poetry & deps
-        shell: bash
-        run: |
-          pipx install poetry || true
-          sudo apt-get update
-          sudo apt-get install --no-install-recommends -y libpq-dev openssl libxmlsec1-dev pkg-config gettext
-      - name: Setup python and restore poetry
-        uses: actions/setup-python@v5
-        with:
-          python-version-file: "pyproject.toml"
-          cache: "poetry"
-      - name: Generate API Client
-        run: make gen-client-py
-      - name: Publish package
-        working-directory: gen-py-api/
-        run: |
-          poetry build
-      - name: Publish package to PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
-        with:
-          packages-dir: gen-py-api/dist/
-      # We can't easily upgrade the API client being used due to poetry being poetry
-      # so we'll have to rely on dependabot
-      # - name: Upgrade /
-      #   run: |
-      #     export VERSION=$(cd gen-py-api && poetry version -s)
-      #     poetry add "authentik_client=$VERSION" --allow-prereleases --lock
-      # - uses: peter-evans/create-pull-request@v6
-      #   id: cpr
-      #   with:
-      #     token: ${{ steps.generate_token.outputs.token }}
-      #     branch: update-root-api-client
-      #     commit-message: "root: bump API Client version"
-      #     title: "root: bump API Client version"
-      #     body: "root: bump API Client version"
-      #     delete-branch: true
-      #     signoff: true
-      #     # ID from https://api.github.com/users/authentik-automation[bot]
-      #     author: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
-      # - uses: peter-evans/enable-pull-request-automerge@v3
-      #   with:
-      #     token: ${{ steps.generate_token.outputs.token }}
-      #     pull-request-number: ${{ steps.cpr.outputs.pull-request-number }}
-      #     merge-method: squash

.github/workflows/ci-aws-cfn.yml

@@ -1,46 +0,0 @@
-name: authentik-ci-aws-cfn
-
-on:
-  push:
-    branches:
-      - main
-      - next
-      - version-*
-  pull_request:
-    branches:
-      - main
-      - version-*
-
-env:
-  POSTGRES_DB: authentik
-  POSTGRES_USER: authentik
-  POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
-
-jobs:
-  check-changes-applied:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - name: Setup authentik env
-        uses: ./.github/actions/setup
-      - uses: actions/setup-node@v4
-        with:
-          node-version-file: lifecycle/aws/package.json
-          cache: "npm"
-          cache-dependency-path: lifecycle/aws/package-lock.json
-      - working-directory: lifecycle/aws/
-        run: |
-          npm ci
-      - name: Check changes have been applied
-        run: |
-          poetry run make aws-cfn
-          git diff --exit-code
-  ci-aws-cfn-mark:
-    if: always()
-    needs:
-      - check-changes-applied
-    runs-on: ubuntu-latest
-    steps:
-      - uses: re-actors/alls-green@release/v1
-        with:
-          jobs: ${{ toJSON(needs) }}

.github/workflows/ci-main-daily.yml

@@ -1,28 +0,0 @@
----
-name: authentik-ci-main-daily
-
-on:
-  workflow_dispatch:
-  schedule:
-    # Every night at 3am
-    - cron: "0 3 * * *"
-
-jobs:
-  test-container:
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        version:
-          - docs
-          - version-2024-12
-          - version-2024-10
-    steps:
-      - uses: actions/checkout@v4
-      - run: |
-          current="$(pwd)"
-          dir="/tmp/authentik/${{ matrix.version }}"
-          mkdir -p $dir
-          cd $dir
-          wget https://${{ matrix.version }}.goauthentik.io/docker-compose.yml
-          ${current}/scripts/test_docker.sh

.github/workflows/ci-main.yml

@@ -1,4 +1,3 @@
----
 name: authentik-ci-main
 
 on:
@@ -7,6 +6,8 @@ on:
       - main
       - next
       - version-*
+    paths-ignore:
+      - website
   pull_request:
     branches:
       - main
@@ -26,7 +27,10 @@ jobs:
           - bandit
           - black
           - codespell
+          - isort
           - pending-migrations
+          - pylint
+          - pyright
           - ruff
     runs-on: ubuntu-latest
     steps:
@@ -43,26 +47,16 @@ jobs:
         uses: ./.github/actions/setup
       - name: run migrations
         run: poetry run python -m lifecycle.migrate
-  test-make-seed:
-    runs-on: ubuntu-latest
-    steps:
-      - id: seed
-        run: |
-          echo "seed=$(printf "%d\n" "0x$(openssl rand -hex 4)")" >> "$GITHUB_OUTPUT"
-    outputs:
-      seed: ${{ steps.seed.outputs.seed }}
   test-migrations-from-stable:
-    name: test-migrations-from-stable - PostgreSQL ${{ matrix.psql }} - Run ${{ matrix.run_id }}/5
+    name: test-migrations-from-stable - PostgreSQL ${{ matrix.psql }}
     runs-on: ubuntu-latest
-    timeout-minutes: 20
-    needs: test-make-seed
     strategy:
       fail-fast: false
       matrix:
         psql:
+          - 12-alpine
           - 15-alpine
           - 16-alpine
-        run_id: [1, 2, 3, 4, 5]
     steps:
       - uses: actions/checkout@v4
         with:
@@ -75,7 +69,7 @@ jobs:
           cp authentik/lib/default.yml local.env.yml
           cp -R .github ..
           cp -R scripts ..
-          git checkout $(git tag --sort=version:refname | grep '^version/' | grep -vE -- '-rc[0-9]+$' | tail -n1)
+          git checkout version/$(python -c "from authentik import __version__; print(__version__)")
           rm -rf .github/ scripts/
           mv ../.github ../scripts .
       - name: Setup authentik env (stable)
@@ -104,23 +98,19 @@ jobs:
         env:
           # Test in the main database that we just migrated from the previous stable version
           AUTHENTIK_POSTGRESQL__TEST__NAME: authentik
-          CI_TEST_SEED: ${{ needs.test-make-seed.outputs.seed }}
-          CI_RUN_ID: ${{ matrix.run_id }}
-          CI_TOTAL_RUNS: "5"
         run: |
-          poetry run make ci-test
+          poetry run make test
   test-unittest:
-    name: test-unittest - PostgreSQL ${{ matrix.psql }} - Run ${{ matrix.run_id }}/5
+    name: test-unittest - PostgreSQL ${{ matrix.psql }}
     runs-on: ubuntu-latest
-    timeout-minutes: 20
-    needs: test-make-seed
+    timeout-minutes: 30
     strategy:
       fail-fast: false
       matrix:
         psql:
+          - 12-alpine
           - 15-alpine
           - 16-alpine
-        run_id: [1, 2, 3, 4, 5]
     steps:
       - uses: actions/checkout@v4
       - name: Setup authentik env
@@ -128,23 +118,13 @@ jobs:
         with:
           postgresql_version: ${{ matrix.psql }}
       - name: run unittest
-        env:
-          CI_TEST_SEED: ${{ needs.test-make-seed.outputs.seed }}
-          CI_RUN_ID: ${{ matrix.run_id }}
-          CI_TOTAL_RUNS: "5"
         run: |
-          poetry run make ci-test
+          poetry run make test
+          poetry run coverage xml
       - if: ${{ always() }}
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@v3
         with:
           flags: unit
-          token: ${{ secrets.CODECOV_TOKEN }}
-      - if: ${{ !cancelled() }}
-        uses: codecov/test-results-action@v1
-        with:
-          flags: unit
-          file: unittest.xml
-          token: ${{ secrets.CODECOV_TOKEN }}
   test-integration:
     runs-on: ubuntu-latest
     timeout-minutes: 30
@@ -153,22 +133,15 @@ jobs:
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: Create k8s Kind Cluster
-        uses: helm/kind-action@v1.12.0
+        uses: helm/kind-action@v1.8.0
       - name: run integration
         run: |
           poetry run coverage run manage.py test tests/integration
           poetry run coverage xml
       - if: ${{ always() }}
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@v3
         with:
           flags: integration
-          token: ${{ secrets.CODECOV_TOKEN }}
-      - if: ${{ !cancelled() }}
-        uses: codecov/test-results-action@v1
-        with:
-          flags: integration
-          file: unittest.xml
-          token: ${{ secrets.CODECOV_TOKEN }}
   test-e2e:
     name: test-e2e (${{ matrix.job.name }})
     runs-on: ubuntu-latest
@@ -189,8 +162,6 @@ jobs:
             glob: tests/e2e/test_provider_ldap* tests/e2e/test_source_ldap*
           - name: radius
             glob: tests/e2e/test_provider_radius*
-          - name: scim
-            glob: tests/e2e/test_source_scim*
           - name: flows
             glob: tests/e2e/test_flows*
     steps:
@@ -199,7 +170,7 @@ jobs:
         uses: ./.github/actions/setup
       - name: Setup e2e env (chrome, etc)
         run: |
-          docker compose -f tests/e2e/docker-compose.yml up -d --quiet-pull
+          docker-compose -f tests/e2e/docker-compose.yml up -d
       - id: cache-web
         uses: actions/cache@v4
         with:
@@ -217,18 +188,10 @@ jobs:
           poetry run coverage run manage.py test ${{ matrix.job.glob }}
           poetry run coverage xml
       - if: ${{ always() }}
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@v3
         with:
           flags: e2e
-          token: ${{ secrets.CODECOV_TOKEN }}
-      - if: ${{ !cancelled() }}
-        uses: codecov/test-results-action@v1
-        with:
-          flags: e2e
-          file: unittest.xml
-          token: ${{ secrets.CODECOV_TOKEN }}
   ci-core-mark:
-    if: always()
     needs:
       - lint
       - test-migrations
@@ -238,25 +201,106 @@ jobs:
       - test-e2e
     runs-on: ubuntu-latest
     steps:
-      - uses: re-actors/alls-green@release/v1
-        with:
-          jobs: ${{ toJSON(needs) }}
+      - run: echo mark
   build:
-    permissions:
-      # Needed to upload container images to ghcr.io
-      packages: write
-      # Needed for attestation
-      id-token: write
-      attestations: write
     needs: ci-core-mark
-    uses: ./.github/workflows/_reusable-docker-build.yaml
-    secrets: inherit
-    with:
-      image_name: ghcr.io/goauthentik/dev-server
-      release: false
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload contianer images to ghcr.io
+      packages: write
+    timeout-minutes: 120
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3.0.0
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: prepare variables
+        uses: ./.github/actions/docker-push-variables
+        id: ev
+        env:
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+      - name: Login to Container Registry
+        uses: docker/login-action@v3
+        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: generate ts client
+        run: make gen-client-ts
+      - name: Build Docker Image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          secrets: |
+            GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
+            GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
+          push: ${{ steps.ev.outputs.shouldBuild == 'true' }}
+          tags: |
+            ghcr.io/goauthentik/dev-server:gh-${{ steps.ev.outputs.branchNameContainer }}
+            ghcr.io/goauthentik/dev-server:gh-${{ steps.ev.outputs.sha }}
+            ghcr.io/goauthentik/dev-server:gh-${{ steps.ev.outputs.branchNameContainer }}-${{ steps.ev.outputs.timestamp }}-${{ steps.ev.outputs.shortHash }}
+          build-args: |
+            GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
+            VERSION=${{ steps.ev.outputs.version }}
+            VERSION_FAMILY=${{ steps.ev.outputs.versionFamily }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+  build-arm64:
+    needs: ci-core-mark
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload contianer images to ghcr.io
+      packages: write
+    timeout-minutes: 120
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3.0.0
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: prepare variables
+        uses: ./.github/actions/docker-push-variables
+        id: ev
+        env:
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+      - name: Login to Container Registry
+        uses: docker/login-action@v3
+        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: generate ts client
+        run: make gen-client-ts
+      - name: Build Docker Image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          secrets: |
+            GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
+            GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
+          push: ${{ steps.ev.outputs.shouldBuild == 'true' }}
+          tags: |
+            ghcr.io/goauthentik/dev-server:gh-${{ steps.ev.outputs.branchNameContainer }}-arm64
+            ghcr.io/goauthentik/dev-server:gh-${{ steps.ev.outputs.sha }}-arm64
+            ghcr.io/goauthentik/dev-server:gh-${{ steps.ev.outputs.branchNameContainer }}-${{ steps.ev.outputs.timestamp }}-${{ steps.ev.outputs.shortHash }}-arm64
+          build-args: |
+            GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
+            VERSION=${{ steps.ev.outputs.version }}
+            VERSION_FAMILY=${{ steps.ev.outputs.versionFamily }}
+          platforms: linux/arm64
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
   pr-comment:
     needs:
       - build
+      - build-arm64
     runs-on: ubuntu-latest
     if: ${{ github.event_name == 'pull_request' }}
     permissions:
@@ -272,10 +316,7 @@ jobs:
         id: ev
         env:
           DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
-        with:
-          image-name: ghcr.io/goauthentik/dev-server
       - name: Comment on PR
-        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
         uses: ./.github/actions/comment-pr-instructions
         with:
-          tag: ${{ steps.ev.outputs.imageMainTag }}
+          tag: gh-${{ steps.ev.outputs.branchNameContainer }}-${{ steps.ev.outputs.timestamp }}-${{ steps.ev.outputs.shortHash }}

.github/workflows/ci-outpost.yml

@@ -1,4 +1,3 @@
----
 name: authentik-ci-outpost
 
 on:
@@ -29,9 +28,9 @@ jobs:
       - name: Generate API
         run: make gen-client-go
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v6
+        uses: golangci/golangci-lint-action@v3
         with:
-          version: latest
+          version: v1.54.2
           args: --timeout 5000s --verbose
           skip-cache: true
   test-unittest:
@@ -49,15 +48,12 @@ jobs:
         run: |
           go test -timeout 0 -v -race -coverprofile=coverage.out -covermode=atomic -cover ./...
   ci-outpost-mark:
-    if: always()
     needs:
       - lint-golint
       - test-unittest
     runs-on: ubuntu-latest
     steps:
-      - uses: re-actors/alls-green@release/v1
-        with:
-          jobs: ${{ toJSON(needs) }}
+      - run: echo mark
   build-container:
     timeout-minutes: 120
     needs:
@@ -72,17 +68,14 @@ jobs:
           - rac
     runs-on: ubuntu-latest
     permissions:
-      # Needed to upload container images to ghcr.io
+      # Needed to upload contianer images to ghcr.io
       packages: write
-      # Needed for attestation
-      id-token: write
-      attestations: write
     steps:
       - uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.4.0
+        uses: docker/setup-qemu-action@v3.0.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: prepare variables
@@ -90,11 +83,9 @@ jobs:
         id: ev
         env:
           DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
-        with:
-          image-name: ghcr.io/goauthentik/dev-${{ matrix.type }}
       - name: Login to Container Registry
-        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
         uses: docker/login-action@v3
+        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
@@ -102,25 +93,21 @@ jobs:
       - name: Generate API
         run: make gen-client-go
       - name: Build Docker Image
-        id: push
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v5
         with:
-          tags: ${{ steps.ev.outputs.imageTags }}
+          push: ${{ steps.ev.outputs.shouldBuild == 'true' }}
+          tags: |
+            ghcr.io/goauthentik/dev-${{ matrix.type }}:gh-${{ steps.ev.outputs.branchNameContainer }}
+            ghcr.io/goauthentik/dev-${{ matrix.type }}:gh-${{ steps.ev.outputs.sha }}
           file: ${{ matrix.type }}.Dockerfile
-          push: ${{ steps.ev.outputs.shouldPush == 'true' }}
           build-args: |
             GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
+            VERSION=${{ steps.ev.outputs.version }}
+            VERSION_FAMILY=${{ steps.ev.outputs.versionFamily }}
           platforms: linux/amd64,linux/arm64
           context: .
-          cache-from: type=registry,ref=ghcr.io/goauthentik/dev-${{ matrix.type }}:buildcache
-          cache-to: ${{ steps.ev.outputs.shouldPush == 'true' && format('type=registry,ref=ghcr.io/goauthentik/dev-{0}:buildcache,mode=max', matrix.type) || '' }}
-      - uses: actions/attest-build-provenance@v2
-        id: attest
-        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
-        with:
-          subject-name: ${{ steps.ev.outputs.attestImageNames }}
-          subject-digest: ${{ steps.push.outputs.digest }}
-          push-to-registry: true
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
   build-binary:
     timeout-minutes: 120
     needs:

.github/workflows/ci-web.yml

@@ -12,23 +12,14 @@ on:
       - version-*
 
 jobs:
-  lint:
+  lint-eslint:
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
       matrix:
-        command:
-          - lint
-          - lint:lockfile
-          - tsc
-          - prettier-check
         project:
           - web
-        include:
-          - command: tsc
-            project: web
-          - command: lit-analyse
-            project: web
+          - tests/wdio
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
@@ -37,14 +28,83 @@ jobs:
           cache: "npm"
           cache-dependency-path: ${{ matrix.project }}/package-lock.json
       - working-directory: ${{ matrix.project }}/
-        run: |
-          npm ci
+        run: npm ci
       - name: Generate API
         run: make gen-client-ts
-      - name: Lint
+      - name: Eslint
         working-directory: ${{ matrix.project }}/
-        run: npm run ${{ matrix.command }}
+        run: npm run lint
+  lint-build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: web/package.json
+          cache: "npm"
+          cache-dependency-path: web/package-lock.json
+      - working-directory: web/
+        run: npm ci
+      - name: Generate API
+        run: make gen-client-ts
+      - name: TSC
+        working-directory: web/
+        run: npm run tsc
+  lint-prettier:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        project:
+          - web
+          - tests/wdio
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: ${{ matrix.project }}/package.json
+          cache: "npm"
+          cache-dependency-path: ${{ matrix.project }}/package-lock.json
+      - working-directory: ${{ matrix.project }}/
+        run: npm ci
+      - name: Generate API
+        run: make gen-client-ts
+      - name: prettier
+        working-directory: ${{ matrix.project }}/
+        run: npm run prettier-check
+  lint-lit-analyse:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: web/package.json
+          cache: "npm"
+          cache-dependency-path: web/package-lock.json
+      - working-directory: web/
+        run: |
+          npm ci
+          # lit-analyse doesn't understand path rewrites, so make it
+          # belive it's an actual module
+          cd node_modules/@goauthentik
+          ln -s ../../src/ web
+      - name: Generate API
+        run: make gen-client-ts
+      - name: lit-analyse
+        working-directory: web/
+        run: npm run lit-analyse
+  ci-web-mark:
+    needs:
+      - lint-eslint
+      - lint-prettier
+      - lint-lit-analyse
+      - lint-build
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo mark
   build:
+    needs:
+      - ci-web-mark
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -60,31 +120,3 @@ jobs:
       - name: build
         working-directory: web/
         run: npm run build
-  ci-web-mark:
-    if: always()
-    needs:
-      - build
-      - lint
-    runs-on: ubuntu-latest
-    steps:
-      - uses: re-actors/alls-green@release/v1
-        with:
-          jobs: ${{ toJSON(needs) }}
-  test:
-    needs:
-      - ci-web-mark
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version-file: web/package.json
-          cache: "npm"
-          cache-dependency-path: web/package-lock.json
-      - working-directory: web/
-        run: npm ci
-      - name: Generate API
-        run: make gen-client-ts
-      - name: test
-        working-directory: web/
-        run: npm run test || exit 0

.github/workflows/ci-website.yml

@@ -12,21 +12,20 @@ on:
       - version-*
 
 jobs:
-  lint:
+  lint-prettier:
     runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        command:
-          - lint:lockfile
-          - prettier-check
     steps:
       - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: website/package.json
+          cache: "npm"
+          cache-dependency-path: website/package-lock.json
       - working-directory: website/
         run: npm ci
-      - name: Lint
+      - name: prettier
         working-directory: website/
-        run: npm run ${{ matrix.command }}
+        run: npm run prettier-check
   test:
     runs-on: ubuntu-latest
     steps:
@@ -49,6 +48,7 @@ jobs:
       matrix:
         job:
           - build
+          - build-docs-only
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
@@ -62,13 +62,10 @@ jobs:
         working-directory: website/
         run: npm run ${{ matrix.job }}
   ci-website-mark:
-    if: always()
     needs:
-      - lint
+      - lint-prettier
       - test
       - build
     runs-on: ubuntu-latest
     steps:
-      - uses: re-actors/alls-green@release/v1
-        with:
-          jobs: ${{ toJSON(needs) }}
+      - run: echo mark

.github/workflows/gen-update-webauthn-mds.yml

@@ -1,44 +0,0 @@
-name: authentik-gen-update-webauthn-mds
-on:
-  workflow_dispatch:
-  schedule:
-    - cron: '30 1 1,15 * *'
-
-env:
-  POSTGRES_DB: authentik
-  POSTGRES_USER: authentik
-  POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
-
-jobs:
-  build:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
-    runs-on: ubuntu-latest
-    steps:
-      - id: generate_token
-        uses: tibdex/github-app-token@v2
-        with:
-          app_id: ${{ secrets.GH_APP_ID }}
-          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/checkout@v4
-        with:
-          token: ${{ steps.generate_token.outputs.token }}
-      - name: Setup authentik env
-        uses: ./.github/actions/setup
-      - run: poetry run ak update_webauthn_mds
-      - uses: peter-evans/create-pull-request@v7
-        id: cpr
-        with:
-          token: ${{ steps.generate_token.outputs.token }}
-          branch: update-fido-mds-client
-          commit-message: "stages/authenticator_webauthn: Update FIDO MDS3 & Passkey aaguid blobs"
-          title: "stages/authenticator_webauthn: Update FIDO MDS3 & Passkey aaguid blobs"
-          body: "stages/authenticator_webauthn: Update FIDO MDS3 & Passkey aaguid blobs"
-          delete-branch: true
-          signoff: true
-          # ID from https://api.github.com/users/authentik-automation[bot]
-          author: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
-      - uses: peter-evans/enable-pull-request-automerge@v3
-        with:
-          token: ${{ steps.generate_token.outputs.token }}
-          pull-request-number: ${{ steps.cpr.outputs.pull-request-number }}
-          merge-method: squash

.github/workflows/ghcr-retention.yml

@@ -7,7 +7,6 @@ on:
 
 jobs:
   clean-ghcr:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     name: Delete old unused container images
     runs-on: ubuntu-latest
     steps:

.github/workflows/image-compress.yml

@@ -42,7 +42,7 @@ jobs:
         with:
           githubToken: ${{ steps.generate_token.outputs.token }}
           compressOnly: ${{ github.event_name != 'pull_request' }}
-      - uses: peter-evans/create-pull-request@v7
+      - uses: peter-evans/create-pull-request@v5
         if: "${{ github.event_name != 'pull_request' && steps.compress.outputs.markdown != '' }}"
         id: cpr
         with:

.github/workflows/publish-source-docs.yml

@@ -12,7 +12,6 @@ env:
 
 jobs:
   publish-source-docs:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     timeout-minutes: 120
     steps:

.github/workflows/release-next-branch.yml

@@ -11,7 +11,6 @@ permissions:
 
 jobs:
   update-next:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     environment: internal-production
     steps:

.github/workflows/release-publish.yml

@@ -1,4 +1,3 @@
----
 name: authentik-on-release
 
 on:
@@ -7,27 +6,58 @@ on:
 
 jobs:
   build-server:
-    uses: ./.github/workflows/_reusable-docker-build.yaml
-    secrets: inherit
+    runs-on: ubuntu-latest
     permissions:
-      # Needed to upload container images to ghcr.io
+      # Needed to upload contianer images to ghcr.io
       packages: write
-      # Needed for attestation
-      id-token: write
-      attestations: write
-    with:
-      image_name: ghcr.io/goauthentik/server,beryju/authentik
-      release: true
-      registry_dockerhub: true
-      registry_ghcr: true
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3.0.0
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: prepare variables
+        uses: ./.github/actions/docker-push-variables
+        id: ev
+      - name: Docker Login Registry
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: make empty clients
+        run: |
+          mkdir -p ./gen-ts-api
+          mkdir -p ./gen-go-api
+      - name: Build Docker Image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: ${{ github.event_name == 'release' }}
+          secrets: |
+            GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
+            GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
+          tags: |
+            beryju/authentik:${{ steps.ev.outputs.version }},
+            beryju/authentik:${{ steps.ev.outputs.versionFamily }},
+            beryju/authentik:latest,
+            ghcr.io/goauthentik/server:${{ steps.ev.outputs.version }},
+            ghcr.io/goauthentik/server:${{ steps.ev.outputs.versionFamily }},
+            ghcr.io/goauthentik/server:latest
+          platforms: linux/amd64,linux/arm64
+          build-args: |
+            VERSION=${{ steps.ev.outputs.version }}
+            VERSION_FAMILY=${{ steps.ev.outputs.versionFamily }}
   build-outpost:
     runs-on: ubuntu-latest
     permissions:
-      # Needed to upload container images to ghcr.io
+      # Needed to upload contianer images to ghcr.io
       packages: write
-      # Needed for attestation
-      id-token: write
-      attestations: write
     strategy:
       fail-fast: false
       matrix:
@@ -42,16 +72,12 @@ jobs:
         with:
           go-version-file: "go.mod"
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.4.0
+        uses: docker/setup-qemu-action@v3.0.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
-        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
-        with:
-          image-name: ghcr.io/goauthentik/${{ matrix.type }},beryju/authentik-${{ matrix.type }}
       - name: make empty clients
         run: |
           mkdir -p ./gen-ts-api
@@ -68,22 +94,22 @@ jobs:
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build Docker Image
-        uses: docker/build-push-action@v6
-        id: push
+        uses: docker/build-push-action@v5
         with:
-          push: true
-          build-args: |
-            VERSION=${{ github.ref }}
-          tags: ${{ steps.ev.outputs.imageTags }}
+          push: ${{ github.event_name == 'release' }}
+          tags: |
+            beryju/authentik-${{ matrix.type }}:${{ steps.ev.outputs.version }},
+            beryju/authentik-${{ matrix.type }}:${{ steps.ev.outputs.versionFamily }},
+            beryju/authentik-${{ matrix.type }}:latest,
+            ghcr.io/goauthentik/${{ matrix.type }}:${{ steps.ev.outputs.version }},
+            ghcr.io/goauthentik/${{ matrix.type }}:${{ steps.ev.outputs.versionFamily }},
+            ghcr.io/goauthentik/${{ matrix.type }}:latest
           file: ${{ matrix.type }}.Dockerfile
           platforms: linux/amd64,linux/arm64
           context: .
-      - uses: actions/attest-build-provenance@v2
-        id: attest
-        with:
-          subject-name: ${{ steps.ev.outputs.attestImageNames }}
-          subject-digest: ${{ steps.push.outputs.digest }}
-          push-to-registry: true
+          build-args: |
+            VERSION=${{ steps.ev.outputs.version }}
+            VERSION_FAMILY=${{ steps.ev.outputs.versionFamily }}
   build-outpost-binary:
     timeout-minutes: 120
     runs-on: ubuntu-latest
@@ -128,27 +154,6 @@ jobs:
           file: ./authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }}
           asset_name: authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }}
           tag: ${{ github.ref }}
-  upload-aws-cfn-template:
-    permissions:
-      # Needed for AWS login
-      id-token: write
-      contents: read
-    needs:
-      - build-server
-      - build-outpost
-    env:
-      AWS_REGION: eu-central-1
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: aws-actions/configure-aws-credentials@v4
-        with:
-          role-to-assume: "arn:aws:iam::016170277896:role/github_goauthentik_authentik"
-          aws-region: ${{ env.AWS_REGION }}
-      - name: Upload template
-        run: |
-          aws s3 cp --acl=public-read lifecycle/aws/template.yaml s3://authentik-cloudformation-templates/authentik.ecs.${{ github.ref }}.yaml
-          aws s3 cp --acl=public-read lifecycle/aws/template.yaml s3://authentik-cloudformation-templates/authentik.ecs.latest.yaml
   test-release:
     needs:
       - build-server
@@ -159,12 +164,12 @@ jobs:
       - uses: actions/checkout@v4
       - name: Run test suite in final docker images
         run: |
-          echo "PG_PASS=$(openssl rand 32 | base64 -w 0)" >> .env
-          echo "AUTHENTIK_SECRET_KEY=$(openssl rand 32 | base64 -w 0)" >> .env
-          docker compose pull -q
-          docker compose up --no-start
-          docker compose start postgresql redis
-          docker compose run -u root server test-all
+          echo "PG_PASS=$(openssl rand -base64 32)" >> .env
+          echo "AUTHENTIK_SECRET_KEY=$(openssl rand -base64 32)" >> .env
+          docker-compose pull -q
+          docker-compose up --no-start
+          docker-compose start postgresql redis
+          docker-compose run -u root server test-all
   sentry-release:
     needs:
       - build-server
@@ -176,18 +181,15 @@ jobs:
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
-        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
-        with:
-          image-name: ghcr.io/goauthentik/server
       - name: Get static files from docker image
         run: |
-          docker pull ${{ steps.ev.outputs.imageMainName }}
-          container=$(docker container create ${{ steps.ev.outputs.imageMainName }})
+          docker pull ghcr.io/goauthentik/server:latest
+          container=$(docker container create ghcr.io/goauthentik/server:latest)
           docker cp ${container}:web/ .
       - name: Create a Sentry.io release
         uses: getsentry/action-release@v1
         continue-on-error: true
+        if: ${{ github.event_name == 'release' }}
         env:
           SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
           SENTRY_ORG: authentik-security-inc

.github/workflows/release-tag.yml

@@ -1,4 +1,3 @@
----
 name: authentik-on-tag
 
 on:
@@ -14,19 +13,28 @@ jobs:
       - uses: actions/checkout@v4
       - name: Pre-release test
         run: |
-          make test-docker
+          echo "PG_PASS=$(openssl rand -base64 32)" >> .env
+          echo "AUTHENTIK_SECRET_KEY=$(openssl rand -base64 32)" >> .env
+          docker buildx install
+          mkdir -p ./gen-ts-api
+          docker build -t testing:latest .
+          echo "AUTHENTIK_IMAGE=testing" >> .env
+          echo "AUTHENTIK_TAG=latest" >> .env
+          docker-compose up --no-start
+          docker-compose start postgresql redis
+          docker-compose run -u root server test-all
       - id: generate_token
         uses: tibdex/github-app-token@v2
         with:
           app_id: ${{ secrets.GH_APP_ID }}
           private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - name: prepare variables
-        uses: ./.github/actions/docker-push-variables
-        id: ev
-        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+      - name: Extract version number
+        id: get_version
+        uses: actions/github-script@v7
         with:
-          image-name: ghcr.io/goauthentik/server
+          github-token: ${{ steps.generate_token.outputs.token }}
+          script: |
+            return context.payload.ref.replace(/\/refs\/tags\/version\//, '');
       - name: Create Release
         id: create_release
         uses: actions/create-release@v1.1.4
@@ -34,6 +42,6 @@ jobs:
           GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
         with:
           tag_name: ${{ github.ref }}
-          release_name: Release ${{ steps.ev.outputs.version }}
+          release_name: Release ${{ steps.get_version.outputs.result }}
           draft: true
-          prerelease: ${{ steps.ev.outputs.prerelease == 'true' }}
+          prerelease: false

.github/workflows/repo-mirror.yml

@@ -1,21 +0,0 @@
-name: "authentik-repo-mirror"
-
-on: [push, delete]
-
-jobs:
-  to_internal:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-      - if: ${{ env.MIRROR_KEY != '' }}
-        uses: pixta-dev/repository-mirroring-action@v1
-        with:
-          target_repo_url:
-            git@github.com:goauthentik/authentik-internal.git
-          ssh_private_key:
-            ${{ secrets.GH_MIRROR_KEY }}
-        env:
-          MIRROR_KEY: ${{ secrets.GH_MIRROR_KEY }}

.github/workflows/repo-stale.yml

@@ -1,8 +1,8 @@
-name: "authentik-repo-stale"
+name: 'authentik-repo-stale'
 
 on:
   schedule:
-    - cron: "30 1 * * *"
+    - cron: '30 1 * * *'
   workflow_dispatch:
 
 permissions:
@@ -11,7 +11,6 @@ permissions:
 
 jobs:
   stale:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     steps:
       - id: generate_token
@@ -24,8 +23,8 @@ jobs:
           repo-token: ${{ steps.generate_token.outputs.token }}
           days-before-stale: 60
           days-before-close: 7
-          exempt-issue-labels: pinned,security,pr_wanted,enhancement,bug/confirmed,enhancement/confirmed,question,status/reviewing
-          stale-issue-label: status/stale
+          exempt-issue-labels: pinned,security,pr_wanted,enhancement,bug/confirmed,enhancement/confirmed,question
+          stale-issue-label: wontfix
           stale-issue-message: >
             This issue has been automatically marked as stale because it has not had
             recent activity. It will be closed if no further activity occurs. Thank you

.github/workflows/translation-advice.yml

@@ -19,14 +19,14 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Find Comment
-        uses: peter-evans/find-comment@v3
+        uses: peter-evans/find-comment@v2
         id: fc
         with:
           issue-number: ${{ github.event.pull_request.number }}
           comment-author: "github-actions[bot]"
           body-includes: authentik translations instructions
       - name: Create or update comment
-        uses: peter-evans/create-or-update-comment@v4
+        uses: peter-evans/create-or-update-comment@v3
         with:
           comment-id: ${{ steps.fc.outputs.comment-id }}
           issue-number: ${{ github.event.pull_request.number }}

.github/workflows/translation-compile.yml

@@ -1,8 +1,9 @@
----
-name: authentik-backend-translate-extract-compile
+name: authentik-backend-translate-compile
 on:
-  schedule:
-    - cron: "0 0 * * *" # every day at midnight
+  push:
+    branches: [main]
+    paths:
+      - "locale/**"
   workflow_dispatch:
 
 env:
@@ -24,20 +25,16 @@ jobs:
           token: ${{ steps.generate_token.outputs.token }}
       - name: Setup authentik env
         uses: ./.github/actions/setup
-      - name: run extract
-        run: |
-          poetry run make i18n-extract
       - name: run compile
-        run: |
-          poetry run ak compilemessages
-          make web-check-compile
+        run: poetry run ak compilemessages
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v7
+        uses: peter-evans/create-pull-request@v5
+        id: cpr
         with:
           token: ${{ steps.generate_token.outputs.token }}
-          branch: extract-compile-backend-translation
-          commit-message: "core, web: update translations"
-          title: "core, web: update translations"
-          body: "core, web: update translations"
+          branch: compile-backend-translation
+          commit-message: "core: compile backend translations"
+          title: "core: compile backend translations"
+          body: "core: compile backend translations"
           delete-branch: true
           signoff: true

.github/workflows/web-api-publish.yml

@@ -1,4 +1,4 @@
-name: authentik-api-ts-publish
+name: authentik-web-api-publish
 on:
   push:
     branches: [main]
@@ -7,7 +7,6 @@ on:
   workflow_dispatch:
 jobs:
   build:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     steps:
       - id: generate_token
@@ -32,16 +31,11 @@ jobs:
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
       - name: Upgrade /web
-        working-directory: web
+        working-directory: web/
         run: |
           export VERSION=`node -e 'console.log(require("../gen-ts-api/package.json").version)'`
           npm i @goauthentik/api@$VERSION
-      - name: Upgrade /web/packages/sfe
-        working-directory: web/packages/sfe
-        run: |
-          export VERSION=`node -e 'console.log(require("../gen-ts-api/package.json").version)'`
-          npm i @goauthentik/api@$VERSION
-      - uses: peter-evans/create-pull-request@v7
+      - uses: peter-evans/create-pull-request@v5
         id: cpr
         with:
           token: ${{ steps.generate_token.outputs.token }}

.gitignore

@@ -209,6 +209,3 @@ source_docs/
 
 ### Golang ###
 /vendor/
-
-### Docker ###
-docker-compose.override.yml

.vscode/extensions.json

@@ -2,7 +2,6 @@
     "recommendations": [
         "bashmish.es6-string-css",
         "bpruitt-goddard.mermaid-markdown-syntax-highlighting",
-        "charliermarsh.ruff",
         "dbaeumer.vscode-eslint",
         "EditorConfig.EditorConfig",
         "esbenp.prettier-vscode",
@@ -11,10 +10,11 @@
         "Gruntfuggly.todo-tree",
         "mechatroner.rainbow-csv",
         "ms-python.black-formatter",
-        "ms-python.black-formatter",
-        "ms-python.debugpy",
+        "ms-python.isort",
+        "ms-python.pylint",
         "ms-python.python",
         "ms-python.vscode-pylance",
+        "ms-python.black-formatter",
         "redhat.vscode-yaml",
         "Tobermory.es6-string-html",
         "unifiedjs.vscode-mdx",

.vscode/launch.json

@@ -2,76 +2,26 @@
     "version": "0.2.0",
     "configurations": [
         {
-            "name": "Debug: Attach Server Core",
-            "type": "debugpy",
+            "name": "Python: PDB attach Server",
+            "type": "python",
             "request": "attach",
             "connect": {
                 "host": "localhost",
-                "port": 9901
+                "port": 6800
             },
-            "pathMappings": [
-                {
-                    "localRoot": "${workspaceFolder}",
-                    "remoteRoot": "."
-                }
-            ],
+            "justMyCode": true,
             "django": true
         },
         {
-            "name": "Debug: Attach Worker",
-            "type": "debugpy",
+            "name": "Python: PDB attach Worker",
+            "type": "python",
             "request": "attach",
             "connect": {
                 "host": "localhost",
-                "port": 9901
+                "port": 6900
             },
-            "pathMappings": [
-                {
-                    "localRoot": "${workspaceFolder}",
-                    "remoteRoot": "."
-                }
-            ],
+            "justMyCode": true,
             "django": true
         },
-        {
-            "name": "Debug: Start Server Router",
-            "type": "go",
-            "request": "launch",
-            "mode": "auto",
-            "program": "${workspaceFolder}/cmd/server",
-            "cwd": "${workspaceFolder}"
-        },
-        {
-            "name": "Debug: Start LDAP Outpost",
-            "type": "go",
-            "request": "launch",
-            "mode": "auto",
-            "program": "${workspaceFolder}/cmd/ldap",
-            "cwd": "${workspaceFolder}"
-        },
-        {
-            "name": "Debug: Start Proxy Outpost",
-            "type": "go",
-            "request": "launch",
-            "mode": "auto",
-            "program": "${workspaceFolder}/cmd/proxy",
-            "cwd": "${workspaceFolder}"
-        },
-        {
-            "name": "Debug: Start RAC Outpost",
-            "type": "go",
-            "request": "launch",
-            "mode": "auto",
-            "program": "${workspaceFolder}/cmd/rac",
-            "cwd": "${workspaceFolder}"
-        },
-        {
-            "name": "Debug: Start Radius Outpost",
-            "type": "go",
-            "request": "launch",
-            "mode": "auto",
-            "program": "${workspaceFolder}/cmd/radius",
-            "cwd": "${workspaceFolder}"
-        }
     ]
 }

.vscode/settings.json

@@ -4,37 +4,33 @@
         "asgi",
         "authentik",
         "authn",
-        "entra",
         "goauthentik",
-        "jwe",
         "jwks",
-        "kubernetes",
         "oidc",
         "openid",
-        "passwordless",
         "plex",
         "saml",
-        "scim",
-        "slo",
-        "sso",
         "totp",
+        "webauthn",
         "traefik",
-        "webauthn"
+        "passwordless",
+        "kubernetes",
+        "sso",
+        "slo",
+        "scim",
     ],
     "todo-tree.tree.showCountsInTree": true,
     "todo-tree.tree.showBadges": true,
     "yaml.customTags": [
-        "!Condition sequence",
-        "!Context scalar",
-        "!Enumerate sequence",
-        "!Env scalar",
         "!Find sequence",
-        "!Format sequence",
-        "!If sequence",
-        "!Index scalar",
         "!KeyOf scalar",
-        "!Value scalar",
-        "!AtIndex scalar"
+        "!Context scalar",
+        "!Context sequence",
+        "!Format sequence",
+        "!Condition sequence",
+        "!Env sequence",
+        "!Env scalar",
+        "!If sequence"
     ],
     "typescript.preferences.importModuleSpecifier": "non-relative",
     "typescript.preferences.importModuleSpecifierEnding": "index",
@@ -51,7 +47,9 @@
             "ignoreCase": false
         }
     ],
-    "go.testFlags": ["-count=1"],
+    "go.testFlags": [
+        "-count=1"
+    ],
     "github-actions.workflows.pinned.workflows": [
         ".github/workflows/ci-main.yml"
     ]

.vscode/tasks.json

@@ -2,67 +2,85 @@
     "version": "2.0.0",
     "tasks": [
         {
-            "label": "authentik/core: make",
+            "label": "authentik[core]: format & test",
             "command": "poetry",
-            "args": ["run", "make", "lint-fix", "lint"],
-            "presentation": {
-                "panel": "new"
-            },
-            "group": "test"
+            "args": [
+                "run",
+                "make"
+            ],
+            "group": "build",
         },
         {
-            "label": "authentik/core: run",
+            "label": "authentik[core]: run",
             "command": "poetry",
-            "args": ["run", "ak", "server"],
+            "args": [
+                "run",
+                "make",
+                "run",
+            ],
             "group": "build",
             "presentation": {
                 "panel": "dedicated",
                 "group": "running"
-            }
+            },
         },
         {
-            "label": "authentik/web: make",
+            "label": "authentik[web]: format",
             "command": "make",
             "args": ["web"],
-            "group": "build"
+            "group": "build",
         },
         {
-            "label": "authentik/web: watch",
+            "label": "authentik[web]: watch",
             "command": "make",
             "args": ["web-watch"],
             "group": "build",
             "presentation": {
                 "panel": "dedicated",
                 "group": "running"
-            }
+            },
         },
         {
             "label": "authentik: install",
             "command": "make",
-            "args": ["install", "-j4"],
-            "group": "build"
+            "args": ["install"],
+            "group": "build",
         },
         {
-            "label": "authentik/website: make",
+            "label": "authentik: i18n-extract",
+            "command": "poetry",
+            "args": [
+                "run",
+                "make",
+                "i18n-extract"
+            ],
+            "group": "build",
+        },
+        {
+            "label": "authentik[website]: format",
             "command": "make",
             "args": ["website"],
-            "group": "build"
+            "group": "build",
         },
         {
-            "label": "authentik/website: watch",
+            "label": "authentik[website]: watch",
             "command": "make",
             "args": ["website-watch"],
             "group": "build",
             "presentation": {
                 "panel": "dedicated",
                 "group": "running"
-            }
+            },
         },
         {
-            "label": "authentik/api: generate",
+            "label": "authentik[api]: generate",
             "command": "poetry",
-            "args": ["run", "make", "gen"],
+            "args": [
+                "run",
+                "make",
+                "gen"
+            ],
             "group": "build"
-        }
+        },
     ]
 }

CODEOWNERS

@@ -11,27 +11,16 @@ scripts/                        @goauthentik/backend
 tests/                          @goauthentik/backend
 pyproject.toml                  @goauthentik/backend
 poetry.lock                     @goauthentik/backend
-go.mod                          @goauthentik/backend
-go.sum                          @goauthentik/backend
 # Infrastructure
 .github/                        @goauthentik/infrastructure
-lifecycle/aws/                  @goauthentik/infrastructure
 Dockerfile                      @goauthentik/infrastructure
 *Dockerfile                     @goauthentik/infrastructure
 .dockerignore                   @goauthentik/infrastructure
 docker-compose.yml              @goauthentik/infrastructure
-Makefile                        @goauthentik/infrastructure
-.editorconfig                   @goauthentik/infrastructure
-CODEOWNERS                      @goauthentik/infrastructure
 # Web
 web/                            @goauthentik/frontend
 tests/wdio/                     @goauthentik/frontend
-# Locale
-locale/                         @goauthentik/backend @goauthentik/frontend
-web/xliff/                      @goauthentik/backend @goauthentik/frontend
 # Docs & Website
 website/                        @goauthentik/docs
-CODE_OF_CONDUCT.md              @goauthentik/docs
 # Security
-SECURITY.md                     @goauthentik/security @goauthentik/docs
-website/docs/security/          @goauthentik/security @goauthentik/docs
+website/docs/security/          @goauthentik/security

CONTRIBUTING.md

@@ -1 +1 @@
-website/docs/developer-docs/index.md
+website/developer-docs/index.md

Dockerfile

@@ -1,49 +1,25 @@
 # syntax=docker/dockerfile:1
 
-# Stage 1: Build website
-FROM --platform=${BUILDPLATFORM} docker.io/library/node:22 AS website-builder
+# Stage 1: Build webui
+FROM --platform=${BUILDPLATFORM} docker.io/node:21 as web-builder
 
 ENV NODE_ENV=production
 
-WORKDIR /work/website
-
-RUN --mount=type=bind,target=/work/website/package.json,src=./website/package.json \
-    --mount=type=bind,target=/work/website/package-lock.json,src=./website/package-lock.json \
-    --mount=type=cache,id=npm-website,sharing=shared,target=/root/.npm \
-    npm ci --include=dev
-
-COPY ./website /work/website/
-COPY ./blueprints /work/blueprints/
-COPY ./schema.yml /work/
-COPY ./SECURITY.md /work/
-
-RUN npm run build-bundled
-
-# Stage 2: Build webui
-FROM --platform=${BUILDPLATFORM} docker.io/library/node:22 AS web-builder
-
-ARG GIT_BUILD_HASH
-ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
-ENV NODE_ENV=production
-
 WORKDIR /work/web
 
 RUN --mount=type=bind,target=/work/web/package.json,src=./web/package.json \
     --mount=type=bind,target=/work/web/package-lock.json,src=./web/package-lock.json \
-    --mount=type=bind,target=/work/web/packages/sfe/package.json,src=./web/packages/sfe/package.json \
-    --mount=type=bind,target=/work/web/scripts,src=./web/scripts \
     --mount=type=cache,id=npm-web,sharing=shared,target=/root/.npm \
     npm ci --include=dev
 
-COPY ./package.json /work
 COPY ./web /work/web/
 COPY ./website /work/website/
 COPY ./gen-ts-api /work/web/node_modules/@goauthentik/api
 
 RUN npm run build
 
-# Stage 3: Build go proxy
-FROM --platform=${BUILDPLATFORM} mcr.microsoft.com/oss/go/microsoft/golang:1.23-fips-bookworm AS go-builder
+# Stage 2: Build go proxy
+FROM --platform=${BUILDPLATFORM} docker.io/golang:1.21.6-bookworm AS go-builder
 
 ARG TARGETOS
 ARG TARGETARCH
@@ -54,11 +30,6 @@ ARG GOARCH=$TARGETARCH
 
 WORKDIR /go/src/goauthentik.io
 
-RUN --mount=type=cache,id=apt-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/var/cache/apt \
-    dpkg --add-architecture arm64 && \
-    apt-get update && \
-    apt-get install -y --no-install-recommends crossbuild-essential-arm64 gcc-aarch64-linux-gnu
-
 RUN --mount=type=bind,target=/go/src/goauthentik.io/go.mod,src=./go.mod \
     --mount=type=bind,target=/go/src/goauthentik.io/go.sum,src=./go.sum \
     --mount=type=cache,target=/go/pkg/mod \
@@ -73,17 +44,17 @@ COPY ./internal /go/src/goauthentik.io/internal
 COPY ./go.mod /go/src/goauthentik.io/go.mod
 COPY ./go.sum /go/src/goauthentik.io/go.sum
 
+ENV CGO_ENABLED=0
+
 RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
     --mount=type=cache,id=go-build-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/root/.cache/go-build \
-    if [ "$TARGETARCH" = "arm64" ]; then export CC=aarch64-linux-gnu-gcc && export CC_FOR_TARGET=gcc-aarch64-linux-gnu; fi && \
-    CGO_ENABLED=1 GOEXPERIMENT="systemcrypto" GOFLAGS="-tags=requirefips" GOARM="${TARGETVARIANT#v}" \
-    go build -o /go/authentik ./cmd/server
+    GOARM="${TARGETVARIANT#v}" go build -o /go/authentik ./cmd/server
 
-# Stage 4: MaxMind GeoIP
-FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.1.0 AS geoip
+# Stage 3: MaxMind GeoIP
+FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v6.1 as geoip
 
 ENV GEOIPUPDATE_EDITION_IDS="GeoLite2-City GeoLite2-ASN"
-ENV GEOIPUPDATE_VERBOSE="1"
+ENV GEOIPUPDATE_VERBOSE="true"
 ENV GEOIPUPDATE_ACCOUNT_ID_FILE="/run/secrets/GEOIPUPDATE_ACCOUNT_ID"
 ENV GEOIPUPDATE_LICENSE_KEY_FILE="/run/secrets/GEOIPUPDATE_LICENSE_KEY"
 
@@ -93,11 +64,8 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
     mkdir -p /usr/share/GeoIP && \
     /bin/sh -c "/usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
 
-# Stage 5: Python dependencies
-FROM ghcr.io/goauthentik/fips-python:3.12.8-slim-bookworm-fips AS python-deps
-
-ARG TARGETARCH
-ARG TARGETVARIANT
+# Stage 4: Python dependencies
+FROM docker.io/python:3.12.1-slim-bookworm AS python-deps
 
 WORKDIR /ak-root/poetry
 
@@ -110,57 +78,38 @@ RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloa
 RUN --mount=type=cache,id=apt-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/var/cache/apt \
     apt-get update && \
     # Required for installing pip packages
-    apt-get install -y --no-install-recommends build-essential pkg-config libpq-dev libkrb5-dev
+    apt-get install -y --no-install-recommends build-essential pkg-config libxmlsec1-dev zlib1g-dev libpq-dev
 
 RUN --mount=type=bind,target=./pyproject.toml,src=./pyproject.toml \
     --mount=type=bind,target=./poetry.lock,src=./poetry.lock \
     --mount=type=cache,target=/root/.cache/pip \
     --mount=type=cache,target=/root/.cache/pypoetry \
-    pip install --no-cache cffi && \
-    apt-get update && \
-    apt-get install -y --no-install-recommends \
-        build-essential libffi-dev \
-        # Required for cryptography
-        curl pkg-config \
-        # Required for lxml
-        libxslt-dev zlib1g-dev \
-        # Required for xmlsec
-        libltdl-dev \
-        # Required for kadmin
-        sccache clang && \
-    curl https://sh.rustup.rs -sSf | sh -s -- -y && \
-    . "$HOME/.cargo/env" && \
     python -m venv /ak-root/venv/ && \
-    bash -c "source ${VENV_PATH}/bin/activate && \
-    pip3 install --upgrade pip poetry && \
-    poetry config --local installer.no-binary cryptography,xmlsec,lxml,python-kadmin-rs && \
-    poetry install --only=main --no-ansi --no-interaction --no-root && \
-    pip uninstall cryptography -y && \
-    poetry install --only=main --no-ansi --no-interaction --no-root"
+    pip3 install --upgrade pip && \
+    pip3 install poetry && \
+    poetry install --only=main --no-ansi --no-interaction
 
-# Stage 6: Run
-FROM ghcr.io/goauthentik/fips-python:3.12.8-slim-bookworm-fips AS final-image
+# Stage 5: Run
+FROM docker.io/python:3.12.1-slim-bookworm AS final-image
 
-ARG VERSION
 ARG GIT_BUILD_HASH
+ARG VERSION
 ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
 
-LABEL org.opencontainers.image.url=https://goauthentik.io
-LABEL org.opencontainers.image.description="goauthentik.io Main server image, see https://goauthentik.io for more info."
-LABEL org.opencontainers.image.source=https://github.com/goauthentik/authentik
-LABEL org.opencontainers.image.version=${VERSION}
-LABEL org.opencontainers.image.revision=${GIT_BUILD_HASH}
+LABEL org.opencontainers.image.url https://goauthentik.io
+LABEL org.opencontainers.image.description goauthentik.io Main server image, see https://goauthentik.io for more info.
+LABEL org.opencontainers.image.source https://github.com/goauthentik/authentik
+LABEL org.opencontainers.image.version ${VERSION}
+LABEL org.opencontainers.image.revision ${GIT_BUILD_HASH}
 
 WORKDIR /
 
 # We cannot cache this layer otherwise we'll end up with a bigger image
 RUN apt-get update && \
-    apt-get upgrade -y && \
     # Required for runtime
-    apt-get install -y --no-install-recommends libpq5 libmaxminddb0 ca-certificates libkrb5-3 libkadm5clnt-mit12 libkdb5-10 libltdl7 libxslt1.1 && \
+    apt-get install -y --no-install-recommends libpq5 openssl libxmlsec1-openssl libmaxminddb0 ca-certificates && \
     # Required for bootstrap & healtcheck
     apt-get install -y --no-install-recommends runit && \
-    pip3 install --no-cache-dir --upgrade pip && \
     apt-get clean && \
     rm -rf /tmp/* /var/lib/apt/lists/* /var/tmp/ && \
     adduser --system --no-create-home --uid 1000 --group --home /authentik authentik && \
@@ -178,12 +127,10 @@ COPY ./tests /tests
 COPY ./manage.py /
 COPY ./blueprints /blueprints
 COPY ./lifecycle/ /lifecycle
-COPY ./authentik/sources/kerberos/krb5.conf /etc/krb5.conf
 COPY --from=go-builder /go/authentik /bin/authentik
 COPY --from=python-deps /ak-root/venv /ak-root/venv
 COPY --from=web-builder /work/web/dist/ /web/dist/
 COPY --from=web-builder /work/web/authentik/ /web/authentik/
-COPY --from=website-builder /work/website/build/ /website/help/
 COPY --from=geoip /usr/share/GeoIP /geoip
 
 USER 1000
@@ -193,8 +140,7 @@ ENV TMPDIR=/dev/shm/ \
     PYTHONUNBUFFERED=1 \
     PATH="/ak-root/venv/bin:/lifecycle:$PATH" \
     VENV_PATH="/ak-root/venv" \
-    POETRY_VIRTUALENVS_CREATE=false \
-    GOFIPS=1
+    POETRY_VIRTUALENVS_CREATE=false
 
 HEALTHCHECK --interval=30s --timeout=30s --start-period=60s --retries=3 CMD [ "ak", "healthcheck" ]
 

Makefile

@@ -5,15 +5,9 @@ PWD = $(shell pwd)
 UID = $(shell id -u)
 GID = $(shell id -g)
 NPM_VERSION = $(shell python -m scripts.npm_version)
-PY_SOURCES = authentik tests scripts lifecycle .github
-GO_SOURCES = cmd internal
-WEB_SOURCES = web/src web/packages
+PY_SOURCES = authentik tests scripts lifecycle
 DOCKER_IMAGE ?= "authentik:test"
 
-GEN_API_TS = "gen-ts-api"
-GEN_API_PY = "gen-py-api"
-GEN_API_GO = "gen-go-api"
-
 pg_user := $(shell python -m authentik.lib.config postgresql.user 2>/dev/null)
 pg_host := $(shell python -m authentik.lib.config postgresql.host 2>/dev/null)
 pg_name := $(shell python -m authentik.lib.config postgresql.name 2>/dev/null)
@@ -21,14 +15,13 @@ pg_name := $(shell python -m authentik.lib.config postgresql.name 2>/dev/null)
 CODESPELL_ARGS = -D - -D .github/codespell-dictionary.txt \
 		-I .github/codespell-words.txt \
 		-S 'web/src/locales/**' \
-		-S 'website/docs/developer-docs/api/reference/**' \
-		-S '**/node_modules/**' \
-		-S '**/dist/**' \
-		$(PY_SOURCES) \
-		$(GO_SOURCES) \
-		$(WEB_SOURCES) \
+		authentik \
+		internal \
+		cmd \
+		web/src \
 		website/src \
 		website/blog \
+		website/developer-docs \
 		website/docs \
 		website/integrations \
 		website/src
@@ -45,48 +38,45 @@ help:  ## Show this help
 		sort
 	@echo ""
 
-go-test:
+test-go:
 	go test -timeout 0 -v -race -cover ./...
 
+test-docker:  ## Run all tests in a docker-compose
+	echo "PG_PASS=$(openssl rand -base64 32)" >> .env
+	echo "AUTHENTIK_SECRET_KEY=$(openssl rand -base64 32)" >> .env
+	docker-compose pull -q
+	docker-compose up --no-start
+	docker-compose start postgresql redis
+	docker-compose run -u root server test-all
+	rm -f .env
+
 test: ## Run the server tests and produce a coverage report (locally)
 	coverage run manage.py test --keepdb authentik
 	coverage html
 	coverage report
 
-lint-fix: lint-codespell  ## Lint and automatically fix errors in the python source code. Reports spelling errors.
+lint-fix:  ## Lint and automatically fix errors in the python source code. Reports spelling errors.
+	isort $(PY_SOURCES)
 	black $(PY_SOURCES)
-	ruff check --fix $(PY_SOURCES)
-
-lint-codespell:  ## Reports spelling errors.
+	ruff --fix $(PY_SOURCES)
 	codespell -w $(CODESPELL_ARGS)
 
 lint: ## Lint the python and golang sources
-	bandit -r $(PY_SOURCES) -x web/node_modules -x tests/wdio/node_modules -x website/node_modules
+	bandit -r $(PY_SOURCES) -x node_modules
+	./web/node_modules/.bin/pyright $(PY_SOURCES)
+	pylint $(PY_SOURCES)
 	golangci-lint run -v
 
-core-install:
-	poetry install
-
 migrate: ## Run the Authentik Django server's migrations
 	python -m lifecycle.migrate
 
-i18n-extract: core-i18n-extract web-i18n-extract  ## Extract strings that require translation into files to send to a translation service
+i18n-extract: i18n-extract-core web-i18n-extract  ## Extract strings that require translation into files to send to a translation service
 
-aws-cfn:
-	cd lifecycle/aws && npm run aws-cfn
+i18n-extract-core:
+	ak makemessages --ignore web --ignore internal --ignore web --ignore web-api --ignore website -l en
 
-core-i18n-extract:
-	ak makemessages \
-		--add-location file \
-		--no-obsolete \
-		--ignore web \
-		--ignore internal \
-		--ignore ${GEN_API_TS} \
-		--ignore ${GEN_API_GO} \
-		--ignore website \
-		-l en
-
-install: web-install website-install core-install  ## Install all requires dependencies for `web`, `website` and `core`
+install: web-install website-install  ## Install all requires dependencies for `web`, `website` and `core`
+	poetry install
 
 dev-drop-db:
 	dropdb -U ${pg_user} -h ${pg_host} ${pg_name}
@@ -104,14 +94,8 @@ dev-reset: dev-drop-db dev-create-db migrate  ## Drop and restore the Authentik
 #########################
 
 gen-build:  ## Extract the schema from the database
-	AUTHENTIK_DEBUG=true \
-		AUTHENTIK_TENANTS__ENABLED=true \
-		AUTHENTIK_OUTPOSTS__DISABLE_EMBEDDED_OUTPOST=true \
-		ak make_blueprint_schema > blueprints/schema.json
-	AUTHENTIK_DEBUG=true \
-		AUTHENTIK_TENANTS__ENABLED=true \
-		AUTHENTIK_OUTPOSTS__DISABLE_EMBEDDED_OUTPOST=true \
-		ak spectacular --file schema.yml
+	AUTHENTIK_DEBUG=true ak make_blueprint_schema > blueprints/schema.json
+	AUTHENTIK_DEBUG=true ak spectacular --file schema.yml
 
 gen-changelog:  ## (Release) generate the changelog based from the commits since the last tag
 	git log --pretty=format:" - %s" $(shell git describe --tags $(shell git rev-list --tags --max-count=1))...$(shell git branch --show-current) | sort > changelog.md
@@ -122,7 +106,7 @@ gen-diff:  ## (Release) generate the changelog diff between the current schema a
 	docker run \
 		--rm -v ${PWD}:/local \
 		--user ${UID}:${GID} \
-		docker.io/openapitools/openapi-diff:2.1.0-beta.8 \
+		docker.io/openapitools/openapi-diff:2.1.0-beta.6 \
 		--markdown /local/diff.md \
 		/local/old_schema.yml /local/schema.yml
 	rm old_schema.yml
@@ -130,69 +114,48 @@ gen-diff:  ## (Release) generate the changelog diff between the current schema a
 	sed -i 's/}/}/g' diff.md
 	npx prettier --write diff.md
 
-gen-clean-ts:  ## Remove generated API client for Typescript
-	rm -rf ./${GEN_API_TS}/
-	rm -rf ./web/node_modules/@goauthentik/api/
+gen-clean:
+	rm -rf gen-go-api/
+	rm -rf gen-ts-api/
+	rm -rf web/node_modules/@goauthentik/api/
 
-gen-clean-go:  ## Remove generated API client for Go
-	rm -rf ./${GEN_API_GO}/
-
-gen-clean-py:  ## Remove generated API client for Python
-	rm -rf ./${GEN_API_PY}/
-
-gen-clean: gen-clean-ts gen-clean-go gen-clean-py  ## Remove generated API clients
-
-gen-client-ts: gen-clean-ts  ## Build and install the authentik API for Typescript into the authentik UI Application
+gen-client-ts:  ## Build and install the authentik API for Typescript into the authentik UI Application
 	docker run \
 		--rm -v ${PWD}:/local \
 		--user ${UID}:${GID} \
-		docker.io/openapitools/openapi-generator-cli:v7.11.0 generate \
+		docker.io/openapitools/openapi-generator-cli:v6.5.0 generate \
 		-i /local/schema.yml \
 		-g typescript-fetch \
-		-o /local/${GEN_API_TS} \
+		-o /local/gen-ts-api \
 		-c /local/scripts/api-ts-config.yaml \
 		--additional-properties=npmVersion=${NPM_VERSION} \
 		--git-repo-id authentik \
 		--git-user-id goauthentik
 	mkdir -p web/node_modules/@goauthentik/api
-	cd ./${GEN_API_TS} && npm i
-	\cp -rf ./${GEN_API_TS}/* web/node_modules/@goauthentik/api
+	cd gen-ts-api && npm i
+	\cp -rfv gen-ts-api/* web/node_modules/@goauthentik/api
 
-gen-client-py: gen-clean-py ## Build and install the authentik API for Python
+gen-client-go:  ## Build and install the authentik API for Golang
+	mkdir -p ./gen-go-api ./gen-go-api/templates
+	wget https://raw.githubusercontent.com/goauthentik/client-go/main/config.yaml -O ./gen-go-api/config.yaml
+	wget https://raw.githubusercontent.com/goauthentik/client-go/main/templates/README.mustache -O ./gen-go-api/templates/README.mustache
+	wget https://raw.githubusercontent.com/goauthentik/client-go/main/templates/go.mod.mustache -O ./gen-go-api/templates/go.mod.mustache
+	cp schema.yml ./gen-go-api/
 	docker run \
-		--rm -v ${PWD}:/local \
-		--user ${UID}:${GID} \
-		docker.io/openapitools/openapi-generator-cli:v7.4.0 generate \
-		-i /local/schema.yml \
-		-g python \
-		-o /local/${GEN_API_PY} \
-		-c /local/scripts/api-py-config.yaml \
-		--additional-properties=packageVersion=${NPM_VERSION} \
-		--git-repo-id authentik \
-		--git-user-id goauthentik
-	pip install ./${GEN_API_PY}
-
-gen-client-go: gen-clean-go  ## Build and install the authentik API for Golang
-	mkdir -p ./${GEN_API_GO} ./${GEN_API_GO}/templates
-	wget https://raw.githubusercontent.com/goauthentik/client-go/main/config.yaml -O ./${GEN_API_GO}/config.yaml
-	wget https://raw.githubusercontent.com/goauthentik/client-go/main/templates/README.mustache -O ./${GEN_API_GO}/templates/README.mustache
-	wget https://raw.githubusercontent.com/goauthentik/client-go/main/templates/go.mod.mustache -O ./${GEN_API_GO}/templates/go.mod.mustache
-	cp schema.yml ./${GEN_API_GO}/
-	docker run \
-		--rm -v ${PWD}/${GEN_API_GO}:/local \
+		--rm -v ${PWD}/gen-go-api:/local \
 		--user ${UID}:${GID} \
 		docker.io/openapitools/openapi-generator-cli:v6.5.0 generate \
 		-i /local/schema.yml \
 		-g go \
 		-o /local/ \
 		-c /local/config.yaml
-	go mod edit -replace goauthentik.io/api/v3=./${GEN_API_GO}
-	rm -rf ./${GEN_API_GO}/config.yaml ./${GEN_API_GO}/templates/
+	go mod edit -replace goauthentik.io/api/v3=./gen-go-api
+	rm -rf ./gen-go-api/config.yaml ./gen-go-api/templates/
 
 gen-dev-config:  ## Generate a local development config file
 	python -m scripts.generate_config
 
-gen: gen-build gen-client-ts
+gen: gen-build gen-clean gen-client-ts
 
 #########################
 ## Web
@@ -201,14 +164,11 @@ gen: gen-build gen-client-ts
 web-build: web-install  ## Build the Authentik UI
 	cd web && npm run build
 
-web: web-lint-fix web-lint web-check-compile  ## Automatically fix formatting issues in the Authentik UI source code, lint the code, and compile it
+web: web-lint-fix web-lint web-check-compile web-i18n-extract  ## Automatically fix formatting issues in the Authentik UI source code, lint the code, and compile it
 
 web-install:  ## Install the necessary libraries to build the Authentik UI
 	cd web && npm ci
 
-web-test: ## Run tests for the Authentik UI
-	cd web && npm run test
-
 web-watch:  ## Build and watch the Authentik UI for changes, updating automatically
 	rm -rf web/dist/
 	mkdir web/dist/
@@ -240,7 +200,7 @@ website: website-lint-fix website-build  ## Automatically fix formatting issues
 website-install:
 	cd website && npm ci
 
-website-lint-fix: lint-codespell
+website-lint-fix:
 	cd website && npm run prettier
 
 website-build:
@@ -254,12 +214,8 @@ website-watch:  ## Build and watch the documentation website, updating automatic
 #########################
 
 docker:  ## Build a docker image of the current source tree
-	mkdir -p ${GEN_API_TS}
 	DOCKER_BUILDKIT=1 docker build . --progress plain --tag ${DOCKER_IMAGE}
 
-test-docker:
-	BUILD=true ./scripts/test_docker.sh
-
 #########################
 ## CI
 #########################
@@ -270,6 +226,9 @@ ci--meta-debug:
 	python -V
 	node --version
 
+ci-pylint: ci--meta-debug
+	pylint $(PY_SOURCES)
+
 ci-black: ci--meta-debug
 	black --check $(PY_SOURCES)
 
@@ -279,13 +238,14 @@ ci-ruff: ci--meta-debug
 ci-codespell: ci--meta-debug
 	codespell $(CODESPELL_ARGS) -s
 
+ci-isort: ci--meta-debug
+	isort --check $(PY_SOURCES)
+
 ci-bandit: ci--meta-debug
 	bandit -r $(PY_SOURCES)
 
+ci-pyright: ci--meta-debug
+	./web/node_modules/.bin/pyright $(PY_SOURCES)
+
 ci-pending-migrations: ci--meta-debug
 	ak makemigrations --check
-
-ci-test: ci--meta-debug
-	coverage run manage.py test --keepdb --randomly-seed ${CI_TEST_SEED} authentik
-	coverage report
-	coverage xml

README.md

@@ -15,9 +15,7 @@
 
 ## What is authentik?
 
-authentik is an open-source Identity Provider that emphasizes flexibility and versatility, with support for a wide set of protocols.
-
-Our [enterprise offer](https://goauthentik.io/pricing) can also be used as a self-hosted replacement for large-scale deployments of Okta/Auth0, Entra ID, Ping Identity, or other legacy IdPs for employees and B2B2C use.
+authentik is an open-source Identity Provider that emphasizes flexibility and versatility. It can be seamlessly integrated into existing environments to support new protocols. authentik is also a great solution for implementing sign-up, recovery, and other similar features in your application, saving you the hassle of dealing with them.
 
 ## Installation
 
@@ -27,14 +25,14 @@ For bigger setups, there is a Helm Chart [here](https://github.com/goauthentik/h
 
 ## Screenshots
 
-| Light                                                       | Dark                                                       |
-| ----------------------------------------------------------- | ---------------------------------------------------------- |
-| ![](https://docs.goauthentik.io/img/screen_apps_light.jpg)  | ![](https://docs.goauthentik.io/img/screen_apps_dark.jpg)  |
-| ![](https://docs.goauthentik.io/img/screen_admin_light.jpg) | ![](https://docs.goauthentik.io/img/screen_admin_dark.jpg) |
+| Light                                                  | Dark                                                  |
+| ------------------------------------------------------ | ----------------------------------------------------- |
+| ![](https://goauthentik.io/img/screen_apps_light.jpg)  | ![](https://goauthentik.io/img/screen_apps_dark.jpg)  |
+| ![](https://goauthentik.io/img/screen_admin_light.jpg) | ![](https://goauthentik.io/img/screen_admin_dark.jpg) |
 
 ## Development
 
-See [Developer Documentation](https://docs.goauthentik.io/docs/developer-docs/?utm_source=github)
+See [Developer Documentation](https://goauthentik.io/developer-docs/?utm_source=github)
 
 ## Security
 

SECURITY.md

@@ -2,7 +2,7 @@ authentik takes security very seriously. We follow the rules of [responsible di
 
 ## Independent audits and pentests
 
-We are committed to engaging in regular pentesting and security audits of authentik. Defining and adhering to a cadence of external testing ensures a stronger probability that our code base, our features, and our architecture is as secure and non-exploitable as possible. For more details about specfic audits and pentests, refer to "Audits and Certificates" in our [Security documentation](https://docs.goauthentik.io/docs/security).
+In May/June of 2023 [Cure53](https://cure53.de) conducted an audit and pentest. The [results](https://cure53.de/pentest-report_authentik.pdf) are published on the [Cure53 website](https://cure53.de/#publications-2023). For more details about authentik's response to the findings of the audit refer to [2023-06 Cure53 Code audit](https://goauthentik.io/docs/security/2023-06-cure53).
 
 ## What authentik classifies as a CVE
 
@@ -18,10 +18,10 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni
 
 (.x being the latest patch release for each version)
 
-| Version   | Supported |
-| --------- | --------- |
-| 2024.10.x | ✅        |
-| 2024.12.x | ✅        |
+| Version | Supported |
+| --- | --- |
+| 2023.6.x | ✅ |
+| 2023.8.x | ✅ |
 
 ## Reporting a Vulnerability
 
@@ -31,12 +31,12 @@ To report a vulnerability, send an email to [security@goauthentik.io](mailto:se
 
 authentik reserves the right to reclassify CVSS as necessary. To determine severity, we will use the CVSS calculator from NVD (https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator). The calculated CVSS score will then be translated into one of the following categories:
 
-| Score      | Severity |
-| ---------- | -------- |
-| 0.0        | None     |
-| 0.1 – 3.9  | Low      |
-| 4.0 – 6.9  | Medium   |
-| 7.0 – 8.9  | High     |
+| Score | Severity |
+| --- | --- |
+| 0.0 | None |
+| 0.1 – 3.9 | Low |
+| 4.0 – 6.9 | Medium |
+| 7.0 – 8.9 | High |
 | 9.0 – 10.0 | Critical |
 
 ## Disclosure process

authentik/__init__.py

@@ -1,12 +1,12 @@
 """authentik root module"""
-
 from os import environ
+from typing import Optional
 
-__version__ = "2024.12.3"
+__version__ = "2023.10.6"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 
-def get_build_hash(fallback: str | None = None) -> str:
+def get_build_hash(fallback: Optional[str] = None) -> str:
     """Get build hash"""
     build_hash = environ.get(ENV_GIT_HASH_KEY, fallback if fallback else "")
     return fallback if build_hash == "" and fallback else build_hash
@@ -16,5 +16,5 @@ def get_full_version() -> str:
     """Get full version, with build hash appended"""
     version = __version__
     if (build_hash := get_build_hash()) != "":
-        return f"{version}+{build_hash}"
+        version += "." + build_hash
     return version

authentik/admin/api/meta.py

@@ -1,5 +1,4 @@
 """Meta API"""
-
 from drf_spectacular.utils import extend_schema
 from rest_framework.fields import CharField
 from rest_framework.permissions import IsAuthenticated

authentik/admin/api/metrics.py

@@ -1,5 +1,4 @@
 """authentik administration metrics"""
-
 from datetime import timedelta
 
 from django.db.models.functions import ExtractHour

authentik/admin/api/system.py

@@ -1,25 +1,18 @@
 """authentik administration overview"""
-
 import platform
 from datetime import datetime
-from ssl import OPENSSL_VERSION
 from sys import version as python_version
 from typing import TypedDict
 
-from cryptography.hazmat.backends.openssl.backend import backend
-from django.conf import settings
 from django.utils.timezone import now
-from django.views.debug import SafeExceptionReporterFilter
 from drf_spectacular.utils import extend_schema
+from gunicorn import version_info as gunicorn_version
 from rest_framework.fields import SerializerMethodField
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.views import APIView
 
-from authentik import get_full_version
 from authentik.core.api.utils import PassiveSerializer
-from authentik.enterprise.license import LicenseKey
-from authentik.lib.config import CONFIG
 from authentik.lib.utils.reflection import get_env
 from authentik.outposts.apps import MANAGED_OUTPOST
 from authentik.outposts.models import Outpost
@@ -30,13 +23,11 @@ class RuntimeDict(TypedDict):
     """Runtime information"""
 
     python_version: str
+    gunicorn_version: str
     environment: str
     architecture: str
     platform: str
     uname: str
-    openssl_version: str
-    openssl_fips_enabled: bool | None
-    authentik_version: str
 
 
 class SystemInfoSerializer(PassiveSerializer):
@@ -46,24 +37,17 @@ class SystemInfoSerializer(PassiveSerializer):
     http_host = SerializerMethodField()
     http_is_secure = SerializerMethodField()
     runtime = SerializerMethodField()
-    brand = SerializerMethodField()
+    tenant = SerializerMethodField()
     server_time = SerializerMethodField()
-    embedded_outpost_disabled = SerializerMethodField()
     embedded_outpost_host = SerializerMethodField()
 
     def get_http_headers(self, request: Request) -> dict[str, str]:
         """Get HTTP Request headers"""
         headers = {}
-        raw_session = request._request.COOKIES.get(settings.SESSION_COOKIE_NAME)
         for key, value in request.META.items():
             if not isinstance(value, str):
                 continue
-            actual_value = value
-            if raw_session in actual_value:
-                actual_value = actual_value.replace(
-                    raw_session, SafeExceptionReporterFilter.cleansed_substitute
-                )
-            headers[key] = actual_value
+            headers[key] = value
         return headers
 
     def get_http_host(self, request: Request) -> str:
@@ -77,30 +61,22 @@ class SystemInfoSerializer(PassiveSerializer):
     def get_runtime(self, request: Request) -> RuntimeDict:
         """Get versions"""
         return {
-            "architecture": platform.machine(),
-            "authentik_version": get_full_version(),
-            "environment": get_env(),
-            "openssl_fips_enabled": (
-                backend._fips_enabled if LicenseKey.get_total().status().is_valid else None
-            ),
-            "openssl_version": OPENSSL_VERSION,
-            "platform": platform.platform(),
             "python_version": python_version,
+            "gunicorn_version": ".".join(str(x) for x in gunicorn_version),
+            "environment": get_env(),
+            "architecture": platform.machine(),
+            "platform": platform.platform(),
             "uname": " ".join(platform.uname()),
         }
 
-    def get_brand(self, request: Request) -> str:
-        """Currently active brand"""
-        return str(request._request.brand)
+    def get_tenant(self, request: Request) -> str:
+        """Currently active tenant"""
+        return str(request._request.tenant)
 
     def get_server_time(self, request: Request) -> datetime:
         """Current server time"""
         return now()
 
-    def get_embedded_outpost_disabled(self, request: Request) -> bool:
-        """Whether the embedded outpost is disabled"""
-        return CONFIG.get_bool("outposts.disable_embedded_outpost", False)
-
     def get_embedded_outpost_host(self, request: Request) -> str:
         """Get the FQDN configured on the embedded outpost"""
         outposts = Outpost.objects.filter(managed=MANAGED_OUTPOST)

authentik/admin/api/tasks.py

@@ -0,0 +1,134 @@
+"""Tasks API"""
+from importlib import import_module
+
+from django.contrib import messages
+from django.http.response import Http404
+from django.utils.translation import gettext_lazy as _
+from drf_spectacular.types import OpenApiTypes
+from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_schema
+from rest_framework.decorators import action
+from rest_framework.fields import (
+    CharField,
+    ChoiceField,
+    DateTimeField,
+    ListField,
+    SerializerMethodField,
+)
+from rest_framework.request import Request
+from rest_framework.response import Response
+from rest_framework.viewsets import ViewSet
+from structlog.stdlib import get_logger
+
+from authentik.api.decorators import permission_required
+from authentik.core.api.utils import PassiveSerializer
+from authentik.events.monitored_tasks import TaskInfo, TaskResultStatus
+from authentik.rbac.permissions import HasPermission
+
+LOGGER = get_logger()
+
+
+class TaskSerializer(PassiveSerializer):
+    """Serialize TaskInfo and TaskResult"""
+
+    task_name = CharField()
+    task_description = CharField()
+    task_finish_timestamp = DateTimeField(source="finish_time")
+    task_duration = SerializerMethodField()
+
+    status = ChoiceField(
+        source="result.status.name",
+        choices=[(x.name, x.name) for x in TaskResultStatus],
+    )
+    messages = ListField(source="result.messages")
+
+    def get_task_duration(self, instance: TaskInfo) -> int:
+        """Get the duration a task took to run"""
+        return max(instance.finish_timestamp - instance.start_timestamp, 0)
+
+    def to_representation(self, instance: TaskInfo):
+        """When a new version of authentik adds fields to TaskInfo,
+        the API will fail with an AttributeError, as the classes
+        are pickled in cache. In that case, just delete the info"""
+        try:
+            return super().to_representation(instance)
+        # pylint: disable=broad-except
+        except Exception:  # pragma: no cover
+            if isinstance(self.instance, list):
+                for inst in self.instance:
+                    inst.delete()
+            else:
+                self.instance.delete()
+            return {}
+
+
+class TaskViewSet(ViewSet):
+    """Read-only view set that returns all background tasks"""
+
+    permission_classes = [HasPermission("authentik_rbac.view_system_tasks")]
+    serializer_class = TaskSerializer
+
+    @extend_schema(
+        responses={
+            200: TaskSerializer(many=False),
+            404: OpenApiResponse(description="Task not found"),
+        },
+        parameters=[
+            OpenApiParameter(
+                "id",
+                type=OpenApiTypes.STR,
+                location=OpenApiParameter.PATH,
+                required=True,
+            ),
+        ],
+    )
+    def retrieve(self, request: Request, pk=None) -> Response:
+        """Get a single system task"""
+        task = TaskInfo.by_name(pk)
+        if not task:
+            raise Http404
+        return Response(TaskSerializer(task, many=False).data)
+
+    @extend_schema(responses={200: TaskSerializer(many=True)})
+    def list(self, request: Request) -> Response:
+        """List system tasks"""
+        tasks = sorted(TaskInfo.all().values(), key=lambda task: task.task_name)
+        return Response(TaskSerializer(tasks, many=True).data)
+
+    @permission_required(None, ["authentik_rbac.run_system_tasks"])
+    @extend_schema(
+        request=OpenApiTypes.NONE,
+        responses={
+            204: OpenApiResponse(description="Task retried successfully"),
+            404: OpenApiResponse(description="Task not found"),
+            500: OpenApiResponse(description="Failed to retry task"),
+        },
+        parameters=[
+            OpenApiParameter(
+                "id",
+                type=OpenApiTypes.STR,
+                location=OpenApiParameter.PATH,
+                required=True,
+            ),
+        ],
+    )
+    @action(detail=True, methods=["post"])
+    def retry(self, request: Request, pk=None) -> Response:
+        """Retry task"""
+        task = TaskInfo.by_name(pk)
+        if not task:
+            raise Http404
+        try:
+            task_module = import_module(task.task_call_module)
+            task_func = getattr(task_module, task.task_call_func)
+            LOGGER.debug("Running task", task=task_func)
+            task_func.delay(*task.task_call_args, **task.task_call_kwargs)
+            messages.success(
+                self.request,
+                _("Successfully re-scheduled Task %(name)s!" % {"name": task.task_name}),
+            )
+            return Response(status=204)
+        except (ImportError, AttributeError):  # pragma: no cover
+            LOGGER.warning("Failed to run task, remove state", task=task)
+            # if we get an import error, the module path has probably changed
+            task.delete()
+            return Response(status=500)

authentik/admin/api/version.py

@@ -1,5 +1,4 @@
 """authentik administration overview"""
-
 from django.core.cache import cache
 from drf_spectacular.utils import extend_schema
 from packaging.version import parse
@@ -10,9 +9,8 @@ from rest_framework.response import Response
 from rest_framework.views import APIView
 
 from authentik import __version__, get_build_hash
-from authentik.admin.tasks import VERSION_CACHE_KEY, VERSION_NULL, update_latest_version
+from authentik.admin.tasks import VERSION_CACHE_KEY, update_latest_version
 from authentik.core.api.utils import PassiveSerializer
-from authentik.outposts.models import Outpost
 
 
 class VersionSerializer(PassiveSerializer):
@@ -20,10 +18,8 @@ class VersionSerializer(PassiveSerializer):
 
     version_current = SerializerMethodField()
     version_latest = SerializerMethodField()
-    version_latest_valid = SerializerMethodField()
     build_hash = SerializerMethodField()
     outdated = SerializerMethodField()
-    outpost_outdated = SerializerMethodField()
 
     def get_build_hash(self, _) -> str:
         """Get build hash, if version is not latest or released"""
@@ -41,23 +37,10 @@ class VersionSerializer(PassiveSerializer):
             return __version__
         return version_in_cache
 
-    def get_version_latest_valid(self, _) -> bool:
-        """Check if latest version is valid"""
-        return cache.get(VERSION_CACHE_KEY) != VERSION_NULL
-
     def get_outdated(self, instance) -> bool:
         """Check if we're running the latest version"""
         return parse(self.get_version_current(instance)) < parse(self.get_version_latest(instance))
 
-    def get_outpost_outdated(self, _) -> bool:
-        """Check if any outpost is outdated/has a version mismatch"""
-        any_outdated = False
-        for outpost in Outpost.objects.all():
-            for state in outpost.state:
-                if state.version_outdated:
-                    any_outdated = True
-        return any_outdated
-
 
 class VersionView(APIView):
     """Get running and latest version."""

authentik/admin/api/version_history.py

@@ -1,33 +0,0 @@
-from rest_framework.permissions import IsAdminUser
-from rest_framework.viewsets import ReadOnlyModelViewSet
-
-from authentik.admin.models import VersionHistory
-from authentik.core.api.utils import ModelSerializer
-
-
-class VersionHistorySerializer(ModelSerializer):
-    """VersionHistory Serializer"""
-
-    class Meta:
-        model = VersionHistory
-        fields = [
-            "id",
-            "timestamp",
-            "version",
-            "build",
-        ]
-
-
-class VersionHistoryViewSet(ReadOnlyModelViewSet):
-    """VersionHistory Viewset"""
-
-    queryset = VersionHistory.objects.all()
-    serializer_class = VersionHistorySerializer
-    permission_classes = [IsAdminUser]
-    filterset_fields = [
-        "version",
-        "build",
-    ]
-    search_fields = ["version", "build"]
-    ordering = ["-timestamp"]
-    pagination_class = None

authentik/admin/api/workers.py

@@ -1,16 +1,11 @@
 """authentik administration overview"""
-
-from socket import gethostname
-
 from django.conf import settings
 from drf_spectacular.utils import extend_schema, inline_serializer
-from packaging.version import parse
-from rest_framework.fields import BooleanField, CharField
+from rest_framework.fields import IntegerField
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.views import APIView
 
-from authentik import get_full_version
 from authentik.rbac.permissions import HasPermission
 from authentik.root.celery import CELERY_APP
 
@@ -20,38 +15,11 @@ class WorkerView(APIView):
 
     permission_classes = [HasPermission("authentik_rbac.view_system_info")]
 
-    @extend_schema(
-        responses=inline_serializer(
-            "Worker",
-            fields={
-                "worker_id": CharField(),
-                "version": CharField(),
-                "version_matching": BooleanField(),
-            },
-            many=True,
-        )
-    )
+    @extend_schema(responses=inline_serializer("Workers", fields={"count": IntegerField()}))
     def get(self, request: Request) -> Response:
         """Get currently connected worker count."""
-        raw: list[dict[str, dict]] = CELERY_APP.control.ping(timeout=0.5)
-        our_version = parse(get_full_version())
-        response = []
-        for worker in raw:
-            key = list(worker.keys())[0]
-            version = worker[key].get("version")
-            version_matching = False
-            if version:
-                version_matching = parse(version) == our_version
-            response.append(
-                {"worker_id": key, "version": version, "version_matching": version_matching}
-            )
+        count = len(CELERY_APP.control.ping(timeout=0.5))
         # In debug we run with `task_always_eager`, so tasks are ran on the main process
         if settings.DEBUG:  # pragma: no cover
-            response.append(
-                {
-                    "worker_id": f"authentik-debug@{gethostname()}",
-                    "version": get_full_version(),
-                    "version_matching": True,
-                }
-            )
-        return Response(response)
+            count += 1
+        return Response({"count": count})

authentik/admin/apps.py

@@ -1,10 +1,10 @@
 """authentik admin app config"""
-
-from prometheus_client import Info
+from prometheus_client import Gauge, Info
 
 from authentik.blueprints.apps import ManagedAppConfig
 
 PROM_INFO = Info("authentik_version", "Currently running authentik version")
+GAUGE_WORKERS = Gauge("authentik_admin_workers", "Currently connected workers")
 
 
 class AuthentikAdminConfig(ManagedAppConfig):
@@ -14,3 +14,7 @@ class AuthentikAdminConfig(ManagedAppConfig):
     label = "authentik_admin"
     verbose_name = "authentik Admin"
     default = True
+
+    def reconcile_load_admin_signals(self):
+        """Load admin signals"""
+        self.import_module("authentik.admin.signals")

authentik/admin/models.py

@@ -1,22 +0,0 @@
-"""authentik admin models"""
-
-from django.db import models
-from django.utils.translation import gettext_lazy as _
-
-
-class VersionHistory(models.Model):
-    id = models.BigAutoField(primary_key=True)
-    timestamp = models.DateTimeField()
-    version = models.TextField()
-    build = models.TextField()
-
-    class Meta:
-        managed = False
-        db_table = "authentik_version_history"
-        ordering = ("-timestamp",)
-        verbose_name = _("Version history")
-        verbose_name_plural = _("Version history")
-        default_permissions = []
-
-    def __str__(self):
-        return f"{self.version}.{self.build} ({self.timestamp})"

authentik/admin/settings.py

@@ -1,5 +1,4 @@
 """authentik admin settings"""
-
 from celery.schedules import crontab
 
 from authentik.lib.utils.time import fqdn_rand

authentik/admin/signals.py

@@ -1,35 +1,21 @@
 """admin signals"""
-
 from django.dispatch import receiver
-from packaging.version import parse
-from prometheus_client import Gauge
 
-from authentik import get_full_version
+from authentik.admin.api.tasks import TaskInfo
+from authentik.admin.apps import GAUGE_WORKERS
 from authentik.root.celery import CELERY_APP
 from authentik.root.monitoring import monitoring_set
 
-GAUGE_WORKERS = Gauge(
-    "authentik_admin_workers",
-    "Currently connected workers, their versions and if they are the same version as authentik",
-    ["version", "version_matched"],
-)
-
-
-_version = parse(get_full_version())
-
 
 @receiver(monitoring_set)
 def monitoring_set_workers(sender, **kwargs):
     """Set worker gauge"""
-    raw: list[dict[str, dict]] = CELERY_APP.control.ping(timeout=0.5)
-    worker_version_count = {}
-    for worker in raw:
-        key = list(worker.keys())[0]
-        version = worker[key].get("version")
-        version_matching = False
-        if version:
-            version_matching = parse(version) == _version
-        worker_version_count.setdefault(version, {"count": 0, "matching": version_matching})
-        worker_version_count[version]["count"] += 1
-    for version, stats in worker_version_count.items():
-        GAUGE_WORKERS.labels(version, stats["matching"]).set(stats["count"])
+    count = len(CELERY_APP.control.ping(timeout=0.5))
+    GAUGE_WORKERS.set(count)
+
+
+@receiver(monitoring_set)
+def monitoring_set_tasks(sender, **kwargs):
+    """Set task gauges"""
+    for task in TaskInfo.all().values():
+        task.update_metrics()

authentik/admin/tasks.py

@@ -1,8 +1,9 @@
 """authentik admin tasks"""
+import re
 
 from django.core.cache import cache
+from django.core.validators import URLValidator
 from django.db import DatabaseError, InternalError, ProgrammingError
-from django.utils.translation import gettext_lazy as _
 from packaging.version import parse
 from requests import RequestException
 from structlog.stdlib import get_logger
@@ -10,15 +11,21 @@ from structlog.stdlib import get_logger
 from authentik import __version__, get_build_hash
 from authentik.admin.apps import PROM_INFO
 from authentik.events.models import Event, EventAction, Notification
-from authentik.events.system_tasks import SystemTask, TaskStatus, prefill_task
+from authentik.events.monitored_tasks import (
+    MonitoredTask,
+    TaskResult,
+    TaskResultStatus,
+    prefill_task,
+)
 from authentik.lib.config import CONFIG
 from authentik.lib.utils.http import get_http_session
 from authentik.root.celery import CELERY_APP
 
 LOGGER = get_logger()
-VERSION_NULL = "0.0.0"
 VERSION_CACHE_KEY = "authentik_latest_version"
 VERSION_CACHE_TIMEOUT = 8 * 60 * 60  # 8 hours
+# Chop of the first ^ because we want to search the entire string
+URL_FINDER = URLValidator.regex.pattern[1:]
 LOCAL_VERSION = parse(__version__)
 
 
@@ -47,13 +54,13 @@ def clear_update_notifications():
             notification.delete()
 
 
-@CELERY_APP.task(bind=True, base=SystemTask)
+@CELERY_APP.task(bind=True, base=MonitoredTask)
 @prefill_task
-def update_latest_version(self: SystemTask):
+def update_latest_version(self: MonitoredTask):
     """Update latest version info"""
     if CONFIG.get_bool("disable_update_check"):
-        cache.set(VERSION_CACHE_KEY, VERSION_NULL, VERSION_CACHE_TIMEOUT)
-        self.set_status(TaskStatus.WARNING, "Version check disabled.")
+        cache.set(VERSION_CACHE_KEY, "0.0.0", VERSION_CACHE_TIMEOUT)
+        self.set_status(TaskResult(TaskResultStatus.WARNING, messages=["Version check disabled."]))
         return
     try:
         response = get_http_session().get(
@@ -63,7 +70,9 @@ def update_latest_version(self: SystemTask):
         data = response.json()
         upstream_version = data.get("stable", {}).get("version")
         cache.set(VERSION_CACHE_KEY, upstream_version, VERSION_CACHE_TIMEOUT)
-        self.set_status(TaskStatus.SUCCESSFUL, "Successfully updated latest Version")
+        self.set_status(
+            TaskResult(TaskResultStatus.SUCCESSFUL, ["Successfully updated latest Version"])
+        )
         _set_prom_info()
         # Check if upstream version is newer than what we're running,
         # and if no event exists yet, create one.
@@ -74,19 +83,13 @@ def update_latest_version(self: SystemTask):
                 context__new_version=upstream_version,
             ).exists():
                 return
-            Event.new(
-                EventAction.UPDATE_AVAILABLE,
-                message=_(
-                    "New version {version} available!".format(
-                        version=upstream_version,
-                    )
-                ),
-                new_version=upstream_version,
-                changelog=data.get("stable", {}).get("changelog_url"),
-            ).save()
+            event_dict = {"new_version": upstream_version}
+            if match := re.search(URL_FINDER, data.get("stable", {}).get("changelog", "")):
+                event_dict["message"] = f"Changelog: {match.group()}"
+            Event.new(EventAction.UPDATE_AVAILABLE, **event_dict).save()
     except (RequestException, IndexError) as exc:
-        cache.set(VERSION_CACHE_KEY, VERSION_NULL, VERSION_CACHE_TIMEOUT)
-        self.set_error(exc)
+        cache.set(VERSION_CACHE_KEY, "0.0.0", VERSION_CACHE_TIMEOUT)
+        self.set_status(TaskResult(TaskResultStatus.ERROR).with_error(exc))
 
 
 _set_prom_info()

authentik/admin/tests/test_api.py

@@ -1,5 +1,4 @@
 """test admin api"""
-
 from json import loads
 
 from django.test import TestCase
@@ -8,6 +7,8 @@ from django.urls import reverse
 from authentik import __version__
 from authentik.blueprints.tests import reconcile_app
 from authentik.core.models import Group, User
+from authentik.core.tasks import clean_expired_models
+from authentik.events.monitored_tasks import TaskResultStatus
 from authentik.lib.generators import generate_id
 
 
@@ -22,6 +23,53 @@ class TestAdminAPI(TestCase):
         self.group.save()
         self.client.force_login(self.user)
 
+    def test_tasks(self):
+        """Test Task API"""
+        clean_expired_models.delay()
+        response = self.client.get(reverse("authentik_api:admin_system_tasks-list"))
+        self.assertEqual(response.status_code, 200)
+        body = loads(response.content)
+        self.assertTrue(any(task["task_name"] == "clean_expired_models" for task in body))
+
+    def test_tasks_single(self):
+        """Test Task API (read single)"""
+        clean_expired_models.delay()
+        response = self.client.get(
+            reverse(
+                "authentik_api:admin_system_tasks-detail",
+                kwargs={"pk": "clean_expired_models"},
+            )
+        )
+        self.assertEqual(response.status_code, 200)
+        body = loads(response.content)
+        self.assertEqual(body["status"], TaskResultStatus.SUCCESSFUL.name)
+        self.assertEqual(body["task_name"], "clean_expired_models")
+        response = self.client.get(
+            reverse("authentik_api:admin_system_tasks-detail", kwargs={"pk": "qwerqwer"})
+        )
+        self.assertEqual(response.status_code, 404)
+
+    def test_tasks_retry(self):
+        """Test Task API (retry)"""
+        clean_expired_models.delay()
+        response = self.client.post(
+            reverse(
+                "authentik_api:admin_system_tasks-retry",
+                kwargs={"pk": "clean_expired_models"},
+            )
+        )
+        self.assertEqual(response.status_code, 204)
+
+    def test_tasks_retry_404(self):
+        """Test Task API (retry, 404)"""
+        response = self.client.post(
+            reverse(
+                "authentik_api:admin_system_tasks-retry",
+                kwargs={"pk": "qwerqewrqrqewrqewr"},
+            )
+        )
+        self.assertEqual(response.status_code, 404)
+
     def test_version(self):
         """Test Version API"""
         response = self.client.get(reverse("authentik_api:admin_version"))
@@ -34,7 +82,7 @@ class TestAdminAPI(TestCase):
         response = self.client.get(reverse("authentik_api:admin_workers"))
         self.assertEqual(response.status_code, 200)
         body = loads(response.content)
-        self.assertEqual(len(body), 0)
+        self.assertEqual(body["count"], 0)
 
     def test_metrics(self):
         """Test metrics API"""

authentik/admin/tests/test_tasks.py

@@ -1,5 +1,4 @@
 """test admin tasks"""
-
 from django.core.cache import cache
 from django.test import TestCase
 from requests_mock import Mocker
@@ -17,7 +16,6 @@ RESPONSE_VALID = {
     "stable": {
         "version": "99999999.9999999",
         "changelog": "See https://goauthentik.io/test",
-        "changelog_url": "https://goauthentik.io/test",
         "reason": "bugfix",
     },
 }
@@ -36,7 +34,7 @@ class TestAdminTasks(TestCase):
                 Event.objects.filter(
                     action=EventAction.UPDATE_AVAILABLE,
                     context__new_version="99999999.9999999",
-                    context__message="New version 99999999.9999999 available!",
+                    context__message="Changelog: https://goauthentik.io/test",
                 ).exists()
             )
             # test that a consecutive check doesn't create a duplicate event
@@ -46,7 +44,7 @@ class TestAdminTasks(TestCase):
                     Event.objects.filter(
                         action=EventAction.UPDATE_AVAILABLE,
                         context__new_version="99999999.9999999",
-                        context__message="New version 99999999.9999999 available!",
+                        context__message="Changelog: https://goauthentik.io/test",
                     )
                 ),
                 1,

authentik/admin/urls.py

@@ -1,15 +1,15 @@
 """API URLs"""
-
 from django.urls import path
 
 from authentik.admin.api.meta import AppsViewSet, ModelViewSet
 from authentik.admin.api.metrics import AdministrationMetricsViewSet
 from authentik.admin.api.system import SystemView
+from authentik.admin.api.tasks import TaskViewSet
 from authentik.admin.api.version import VersionView
-from authentik.admin.api.version_history import VersionHistoryViewSet
 from authentik.admin.api.workers import WorkerView
 
 api_urlpatterns = [
+    ("admin/system_tasks", TaskViewSet, "admin_system_tasks"),
     ("admin/apps", AppsViewSet, "apps"),
     ("admin/models", ModelViewSet, "models"),
     path(
@@ -18,7 +18,6 @@ api_urlpatterns = [
         name="admin_metrics",
     ),
     path("admin/version/", VersionView.as_view(), name="admin_version"),
-    ("admin/version/history", VersionHistoryViewSet, "version_history"),
     path("admin/workers/", WorkerView.as_view(), name="admin_workers"),
     path("admin/system/", SystemView.as_view(), name="admin_system"),
 ]

authentik/api/apps.py

@@ -10,3 +10,26 @@ class AuthentikAPIConfig(AppConfig):
     label = "authentik_api"
     mountpoint = "api/"
     verbose_name = "authentik API"
+
+    def ready(self) -> None:
+        from drf_spectacular.extensions import OpenApiAuthenticationExtension
+
+        from authentik.api.authentication import TokenAuthentication
+
+        # Class is defined here as it needs to be created early enough that drf-spectacular will
+        # find it, but also won't cause any import issues
+        # pylint: disable=unused-variable
+        class TokenSchema(OpenApiAuthenticationExtension):
+            """Auth schema"""
+
+            target_class = TokenAuthentication
+            name = "authentik"
+
+            def get_security_definition(self, auto_schema):
+                """Auth schema"""
+                return {
+                    "type": "apiKey",
+                    "in": "header",
+                    "name": "Authorization",
+                    "scheme": "bearer",
+                }

authentik/api/authentication.py

@@ -1,10 +1,8 @@
 """API Authentication"""
-
 from hmac import compare_digest
-from typing import Any
+from typing import Any, Optional
 
 from django.conf import settings
-from drf_spectacular.extensions import OpenApiAuthenticationExtension
 from rest_framework.authentication import BaseAuthentication, get_authorization_header
 from rest_framework.exceptions import AuthenticationFailed
 from rest_framework.request import Request
@@ -18,7 +16,7 @@ from authentik.providers.oauth2.constants import SCOPE_AUTHENTIK_API
 LOGGER = get_logger()
 
 
-def validate_auth(header: bytes) -> str | None:
+def validate_auth(header: bytes) -> Optional[str]:
     """Validate that the header is in a correct format,
     returns type and credentials"""
     auth_credentials = header.decode().strip()
@@ -33,7 +31,7 @@ def validate_auth(header: bytes) -> str | None:
     return auth_credentials
 
 
-def bearer_auth(raw_header: bytes) -> User | None:
+def bearer_auth(raw_header: bytes) -> Optional[User]:
     """raw_header in the Format of `Bearer ....`"""
     user = auth_user_lookup(raw_header)
     if not user:
@@ -43,7 +41,7 @@ def bearer_auth(raw_header: bytes) -> User | None:
     return user
 
 
-def auth_user_lookup(raw_header: bytes) -> User | None:
+def auth_user_lookup(raw_header: bytes) -> Optional[User]:
     """raw_header in the Format of `Bearer ....`"""
     from authentik.providers.oauth2.models import AccessToken
 
@@ -76,7 +74,7 @@ def auth_user_lookup(raw_header: bytes) -> User | None:
     raise AuthenticationFailed("Token invalid/expired")
 
 
-def token_secret_key(value: str) -> User | None:
+def token_secret_key(value: str) -> Optional[User]:
     """Check if the token is the secret key
     and return the service account for the managed outpost"""
     from authentik.outposts.apps import MANAGED_OUTPOST
@@ -103,14 +101,3 @@ class TokenAuthentication(BaseAuthentication):
             return None
 
         return (user, None)  # pragma: no cover
-
-
-class TokenSchema(OpenApiAuthenticationExtension):
-    """Auth schema"""
-
-    target_class = TokenAuthentication
-    name = "authentik"
-
-    def get_security_definition(self, auto_schema):
-        """Auth schema"""
-        return {"type": "http", "scheme": "bearer"}

authentik/api/authorization.py

@@ -0,0 +1,66 @@
+"""API Authorization"""
+from django.conf import settings
+from django.db.models import Model
+from django.db.models.query import QuerySet
+from django_filters.rest_framework import DjangoFilterBackend
+from rest_framework.authentication import get_authorization_header
+from rest_framework.filters import BaseFilterBackend
+from rest_framework.permissions import BasePermission
+from rest_framework.request import Request
+
+from authentik.api.authentication import validate_auth
+from authentik.rbac.filters import ObjectFilter
+
+
+class OwnerFilter(BaseFilterBackend):
+    """Filter objects by their owner"""
+
+    owner_key = "user"
+
+    def filter_queryset(self, request: Request, queryset: QuerySet, view) -> QuerySet:
+        if request.user.is_superuser:
+            return queryset
+        return queryset.filter(**{self.owner_key: request.user})
+
+
+class SecretKeyFilter(DjangoFilterBackend):
+    """Allow access to all objects when authenticated with secret key as token.
+
+    Replaces both DjangoFilterBackend and ObjectFilter"""
+
+    def filter_queryset(self, request: Request, queryset: QuerySet, view) -> QuerySet:
+        auth_header = get_authorization_header(request)
+        token = validate_auth(auth_header)
+        if token and token == settings.SECRET_KEY:
+            return queryset
+        queryset = ObjectFilter().filter_queryset(request, queryset, view)
+        return super().filter_queryset(request, queryset, view)
+
+
+class OwnerPermissions(BasePermission):
+    """Authorize requests by an object's owner matching the requesting user"""
+
+    owner_key = "user"
+
+    def has_permission(self, request: Request, view) -> bool:
+        """If the user is authenticated, we allow all requests here. For listing, the
+        object-level permissions are done by the filter backend"""
+        return request.user.is_authenticated
+
+    def has_object_permission(self, request: Request, view, obj: Model) -> bool:
+        """Check if the object's owner matches the currently logged in user"""
+        if not hasattr(obj, self.owner_key):
+            return False
+        owner = getattr(obj, self.owner_key)
+        if owner != request.user:
+            return False
+        return True
+
+
+class OwnerSuperuserPermissions(OwnerPermissions):
+    """Similar to OwnerPermissions, except always allow access for superusers"""
+
+    def has_object_permission(self, request: Request, view, obj: Model) -> bool:
+        if request.user.is_superuser:
+            return True
+        return super().has_object_permission(request, view, obj)

authentik/api/decorators.py

@@ -1,7 +1,6 @@
 """API Decorators"""
-
-from collections.abc import Callable
 from functools import wraps
+from typing import Callable, Optional
 
 from rest_framework.request import Request
 from rest_framework.response import Response
@@ -11,26 +10,21 @@ from structlog.stdlib import get_logger
 LOGGER = get_logger()
 
 
-def permission_required(obj_perm: str | None = None, global_perms: list[str] | None = None):
+def permission_required(obj_perm: Optional[str] = None, global_perms: Optional[list[str]] = None):
     """Check permissions for a single custom action"""
 
-    def _check_obj_perm(self: ModelViewSet, request: Request):
-        # Check obj_perm both globally and on the specific object
-        # Having the global permission has higher priority
-        if request.user.has_perm(obj_perm):
-            return
-        obj = self.get_object()
-        if not request.user.has_perm(obj_perm, obj):
-            LOGGER.debug("denying access for object", user=request.user, perm=obj_perm, obj=obj)
-            self.permission_denied(request)
-
-    def wrapper_outer(func: Callable):
+    def wrapper_outter(func: Callable):
         """Check permissions for a single custom action"""
 
         @wraps(func)
         def wrapper(self: ModelViewSet, request: Request, *args, **kwargs) -> Response:
             if obj_perm:
-                _check_obj_perm(self, request)
+                obj = self.get_object()
+                if not request.user.has_perm(obj_perm, obj):
+                    LOGGER.debug(
+                        "denying access for object", user=request.user, perm=obj_perm, obj=obj
+                    )
+                    return self.permission_denied(request)
             if global_perms:
                 for other_perm in global_perms:
                     if not request.user.has_perm(other_perm):
@@ -40,4 +34,4 @@ def permission_required(obj_perm: str | None = None, global_perms: list[str] | N
 
         return wrapper
 
-    return wrapper_outer
+    return wrapper_outter

authentik/api/pagination.py

@@ -1,5 +1,4 @@
 """Pagination which includes total pages and current page"""
-
 from rest_framework import pagination
 from rest_framework.response import Response
 

authentik/api/schema.py

@@ -1,5 +1,4 @@
 """Error Response schema, from https://github.com/axnsan12/drf-yasg/issues/224"""
-
 from django.utils.translation import gettext_lazy as _
 from drf_spectacular.generators import SchemaGenerator
 from drf_spectacular.plumbing import (
@@ -12,7 +11,6 @@ from drf_spectacular.settings import spectacular_settings
 from drf_spectacular.types import OpenApiTypes
 from rest_framework.settings import api_settings
 
-from authentik.api.apps import AuthentikAPIConfig
 from authentik.api.pagination import PAGINATION_COMPONENT_NAME, PAGINATION_SCHEMA
 
 
@@ -102,12 +100,3 @@ def postprocess_schema_responses(result, generator: SchemaGenerator, **kwargs):
             comp = result["components"]["schemas"][component]
             comp["additionalProperties"] = {}
     return result
-
-
-def preprocess_schema_exclude_non_api(endpoints, **kwargs):
-    """Filter out all API Views which are not mounted under /api"""
-    return [
-        (path, path_regex, method, callback)
-        for path, path_regex, method, callback in endpoints
-        if path.startswith("/" + AuthentikAPIConfig.mountpoint)
-    ]

authentik/api/templates/api/browser.html

@@ -1,13 +1,13 @@
 {% extends "base/skeleton.html" %}
 
-{% load authentik_core %}
+{% load static %}
 
 {% block title %}
-API Browser - {{ brand.branding_title }}
+API Browser - {{ tenant.branding_title }}
 {% endblock %}
 
 {% block head %}
-<script src="{% versioned_script 'dist/standalone/api-browser/index-%v.js' %}" type="module"></script>
+<script src="{% static 'dist/standalone/api-browser/index.js' %}?version={{ version }}" type="module"></script>
 <meta name="theme-color" content="#151515" media="(prefers-color-scheme: light)">
 <meta name="theme-color" content="#151515" media="(prefers-color-scheme: dark)">
 {% endblock %}

authentik/api/tests/test_auth.py

@@ -1,5 +1,4 @@
 """Test API Authentication"""
-
 import json
 from base64 import b64encode
 
@@ -25,17 +24,17 @@ class TestAPIAuth(TestCase):
     def test_invalid_type(self):
         """Test invalid type"""
         with self.assertRaises(AuthenticationFailed):
-            bearer_auth(b"foo bar")
+            bearer_auth("foo bar".encode())
 
     def test_invalid_empty(self):
         """Test invalid type"""
-        self.assertIsNone(bearer_auth(b"Bearer "))
-        self.assertIsNone(bearer_auth(b""))
+        self.assertIsNone(bearer_auth("Bearer ".encode()))
+        self.assertIsNone(bearer_auth("".encode()))
 
     def test_invalid_no_token(self):
         """Test invalid with no token"""
         with self.assertRaises(AuthenticationFailed):
-            auth = b64encode(b":abc").decode()
+            auth = b64encode(":abc".encode()).decode()
             self.assertIsNone(bearer_auth(f"Basic :{auth}".encode()))
 
     def test_bearer_valid(self):

authentik/api/tests/test_config.py

@@ -1,5 +1,4 @@
 """Test config API"""
-
 from json import loads
 
 from django.urls import reverse

authentik/api/tests/test_decorators.py

@@ -0,0 +1,34 @@
+"""test decorators api"""
+from django.urls import reverse
+from guardian.shortcuts import assign_perm
+from rest_framework.test import APITestCase
+
+from authentik.core.models import Application, User
+from authentik.lib.generators import generate_id
+
+
+class TestAPIDecorators(APITestCase):
+    """test decorators api"""
+
+    def setUp(self) -> None:
+        super().setUp()
+        self.user = User.objects.create(username="test-user")
+
+    def test_obj_perm_denied(self):
+        """Test object perm denied"""
+        self.client.force_login(self.user)
+        app = Application.objects.create(name=generate_id(), slug=generate_id())
+        response = self.client.get(
+            reverse("authentik_api:application-metrics", kwargs={"slug": app.slug})
+        )
+        self.assertEqual(response.status_code, 403)
+
+    def test_other_perm_denied(self):
+        """Test other perm denied"""
+        self.client.force_login(self.user)
+        app = Application.objects.create(name=generate_id(), slug=generate_id())
+        assign_perm("authentik_core.view_application", self.user, app)
+        response = self.client.get(
+            reverse("authentik_api:application-metrics", kwargs={"slug": app.slug})
+        )
+        self.assertEqual(response.status_code, 403)

authentik/api/tests/test_schema.py

@@ -1,5 +1,4 @@
 """Schema generation tests"""
-
 from django.urls import reverse
 from rest_framework.test import APITestCase
 from yaml import safe_load

authentik/api/tests/test_viewsets.py

@@ -1,6 +1,5 @@
 """authentik API Modelviewset tests"""
-
-from collections.abc import Callable
+from typing import Callable
 
 from django.test import TestCase
 from rest_framework.viewsets import ModelViewSet, ReadOnlyModelViewSet
@@ -26,6 +25,6 @@ def viewset_tester_factory(test_viewset: type[ModelViewSet]) -> Callable:
 
 
 for _, viewset, _ in router.registry:
-    if not issubclass(viewset, ModelViewSet | ReadOnlyModelViewSet):
+    if not issubclass(viewset, (ModelViewSet, ReadOnlyModelViewSet)):
         continue
     setattr(TestModelViewSets, f"test_viewset_{viewset.__name__}", viewset_tester_factory(viewset))

authentik/api/urls.py

@@ -1,5 +1,4 @@
 """authentik api urls"""
-
 from django.urls import include, path
 
 from authentik.api.v3.urls import urlpatterns as v3_urls

authentik/api/v3/config.py

@@ -1,5 +1,4 @@
 """core Configs API"""
-
 from pathlib import Path
 
 from django.conf import settings
@@ -68,16 +67,12 @@ class ConfigView(APIView):
         """Get all capabilities this server instance supports"""
         caps = []
         deb_test = settings.DEBUG or settings.TEST
-        if (
-            CONFIG.get("storage.media.backend", "file") == "s3"
-            or Path(settings.STORAGES["default"]["OPTIONS"]["location"]).is_mount()
-            or deb_test
-        ):
+        if Path(settings.MEDIA_ROOT).is_mount() or deb_test:
             caps.append(Capabilities.CAN_SAVE_MEDIA)
         for processor in get_context_processors():
             if cap := processor.capability():
                 caps.append(cap)
-        if self.request.tenant.impersonation:
+        if CONFIG.get_bool("impersonation"):
             caps.append(Capabilities.CAN_IMPERSONATE)
         if settings.DEBUG:  # pragma: no cover
             caps.append(Capabilities.CAN_DEBUG)

authentik/api/v3/urls.py

@@ -1,5 +1,4 @@
 """api v3 urls"""
-
 from importlib import import_module
 
 from django.urls import path
@@ -33,7 +32,7 @@ for _authentik_app in get_apps():
             app_name=_authentik_app.name,
         )
         continue
-    urls: list = api_urls.api_urlpatterns
+    urls: list = getattr(api_urls, "api_urlpatterns")
     for url in urls:
         if isinstance(url, URLPattern):
             _other_urls.append(url)

authentik/api/views.py

@@ -1,5 +1,4 @@
 """General API Views"""
-
 from typing import Any
 
 from django.urls import reverse

authentik/blueprints/api.py

@@ -1,5 +1,4 @@
 """Serializer mixin for managed models"""
-
 from django.utils.translation import gettext_lazy as _
 from drf_spectacular.utils import extend_schema, inline_serializer
 from rest_framework.decorators import action
@@ -10,13 +9,13 @@ from rest_framework.response import Response
 from rest_framework.serializers import ListSerializer, ModelSerializer
 from rest_framework.viewsets import ModelViewSet
 
+from authentik.api.decorators import permission_required
 from authentik.blueprints.models import BlueprintInstance
 from authentik.blueprints.v1.importer import Importer
 from authentik.blueprints.v1.oci import OCI_PREFIX
 from authentik.blueprints.v1.tasks import apply_blueprint, blueprints_find_dict
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import JSONDictField, PassiveSerializer
-from authentik.rbac.decorators import permission_required
 
 
 class ManagedSerializer:
@@ -51,12 +50,8 @@ class BlueprintInstanceSerializer(ModelSerializer):
         context = self.instance.context if self.instance else {}
         valid, logs = Importer.from_string(content, context).validate()
         if not valid:
-            raise ValidationError(
-                [
-                    _("Failed to validate blueprint"),
-                    *[f"- {x.event}" for x in logs],
-                ]
-            )
+            text_logs = "\n".join([x["event"] for x in logs])
+            raise ValidationError(_("Failed to validate blueprint: %(logs)s" % {"logs": text_logs}))
         return content
 
     def validate(self, attrs: dict) -> dict:

authentik/blueprints/apps.py

@@ -1,6 +1,5 @@
 """authentik Blueprints app"""
 
-from collections.abc import Callable
 from importlib import import_module
 from inspect import ismethod
 
@@ -8,100 +7,40 @@ from django.apps import AppConfig
 from django.db import DatabaseError, InternalError, ProgrammingError
 from structlog.stdlib import BoundLogger, get_logger
 
-from authentik.root.signals import startup
-
 
 class ManagedAppConfig(AppConfig):
     """Basic reconciliation logic for apps"""
 
-    logger: BoundLogger
-
-    RECONCILE_GLOBAL_CATEGORY: str = "global"
-    RECONCILE_TENANT_CATEGORY: str = "tenant"
+    _logger: BoundLogger
 
     def __init__(self, app_name: str, *args, **kwargs) -> None:
         super().__init__(app_name, *args, **kwargs)
-        self.logger = get_logger().bind(app_name=app_name)
+        self._logger = get_logger().bind(app_name=app_name)
 
     def ready(self) -> None:
-        self.import_related()
-        startup.connect(self._on_startup_callback, dispatch_uid=self.label)
+        self.reconcile()
         return super().ready()
 
-    def _on_startup_callback(self, sender, **_):
-        self._reconcile_global()
-        self._reconcile_tenant()
-
-    def import_related(self):
-        """Automatically import related modules which rely on just being imported
-        to register themselves (mainly django signals and celery tasks)"""
-
-        def import_relative(rel_module: str):
-            try:
-                module_name = f"{self.name}.{rel_module}"
-                import_module(module_name)
-                self.logger.info("Imported related module", module=module_name)
-            except ModuleNotFoundError:
-                pass
-
-        import_relative("checks")
-        import_relative("tasks")
-        import_relative("signals")
-
     def import_module(self, path: str):
         """Load module"""
         import_module(path)
 
-    def _reconcile(self, prefix: str) -> None:
+    def reconcile(self) -> None:
+        """reconcile ourselves"""
+        prefix = "reconcile_"
         for meth_name in dir(self):
             meth = getattr(self, meth_name)
             if not ismethod(meth):
                 continue
-            category = getattr(meth, "_authentik_managed_reconcile", None)
-            if category != prefix:
+            if not meth_name.startswith(prefix):
                 continue
             name = meth_name.replace(prefix, "")
             try:
-                self.logger.debug("Starting reconciler", name=name)
+                self._logger.debug("Starting reconciler", name=name)
                 meth()
-                self.logger.debug("Successfully reconciled", name=name)
+                self._logger.debug("Successfully reconciled", name=name)
             except (DatabaseError, ProgrammingError, InternalError) as exc:
-                self.logger.warning("Failed to run reconcile", name=name, exc=exc)
-
-    @staticmethod
-    def reconcile_tenant(func: Callable):
-        """Mark a function to be called on startup (for each tenant)"""
-        func._authentik_managed_reconcile = ManagedAppConfig.RECONCILE_TENANT_CATEGORY
-        return func
-
-    @staticmethod
-    def reconcile_global(func: Callable):
-        """Mark a function to be called on startup (globally)"""
-        func._authentik_managed_reconcile = ManagedAppConfig.RECONCILE_GLOBAL_CATEGORY
-        return func
-
-    def _reconcile_tenant(self) -> None:
-        """reconcile ourselves for tenanted methods"""
-        from authentik.tenants.models import Tenant
-
-        try:
-            tenants = list(Tenant.objects.filter(ready=True))
-        except (DatabaseError, ProgrammingError, InternalError) as exc:
-            self.logger.debug("Failed to get tenants to run reconcile", exc=exc)
-            return
-        for tenant in tenants:
-            with tenant:
-                self._reconcile(self.RECONCILE_TENANT_CATEGORY)
-
-    def _reconcile_global(self) -> None:
-        """
-        reconcile ourselves for global methods.
-        Used for signals, tasks, etc. Database queries should not be made in here.
-        """
-        from django_tenants.utils import get_public_schema_name, schema_context
-
-        with schema_context(get_public_schema_name()):
-            self._reconcile(self.RECONCILE_GLOBAL_CATEGORY)
+                self._logger.warning("Failed to run reconcile", name=name, exc=exc)
 
 
 class AuthentikBlueprintsConfig(ManagedAppConfig):
@@ -112,13 +51,11 @@ class AuthentikBlueprintsConfig(ManagedAppConfig):
     verbose_name = "authentik Blueprints"
     default = True
 
-    @ManagedAppConfig.reconcile_global
-    def load_blueprints_v1_tasks(self):
+    def reconcile_load_blueprints_v1_tasks(self):
         """Load v1 tasks"""
         self.import_module("authentik.blueprints.v1.tasks")
 
-    @ManagedAppConfig.reconcile_tenant
-    def blueprints_discovery(self):
+    def reconcile_blueprints_discovery(self):
         """Run blueprint discovery"""
         from authentik.blueprints.v1.tasks import blueprints_discovery, clear_failed_blueprints
 

authentik/blueprints/management/commands/apply_blueprint.py

@@ -1,5 +1,4 @@
 """Apply blueprint from commandline"""
-
 from sys import exit as sys_exit
 
 from django.core.management.base import BaseCommand, no_translations
@@ -7,7 +6,6 @@ from structlog.stdlib import get_logger
 
 from authentik.blueprints.models import BlueprintInstance
 from authentik.blueprints.v1.importer import Importer
-from authentik.tenants.models import Tenant
 
 LOGGER = get_logger()
 
@@ -18,18 +16,14 @@ class Command(BaseCommand):
     @no_translations
     def handle(self, *args, **options):
         """Apply all blueprints in order, abort when one fails to import"""
-        for tenant in Tenant.objects.filter(ready=True):
-            with tenant:
-                for blueprint_path in options.get("blueprints", []):
-                    content = BlueprintInstance(path=blueprint_path).retrieve()
-                    importer = Importer.from_string(content)
-                    valid, logs = importer.validate()
-                    if not valid:
-                        self.stderr.write("Blueprint invalid")
-                        for log in logs:
-                            self.stderr.write(f"\t{log.logger}: {log.event}: {log.attributes}")
-                        sys_exit(1)
-                    importer.apply()
+        for blueprint_path in options.get("blueprints", []):
+            content = BlueprintInstance(path=blueprint_path).retrieve()
+            importer = Importer.from_string(content)
+            valid, _ = importer.validate()
+            if not valid:
+                self.stderr.write("blueprint invalid")
+                sys_exit(1)
+            importer.apply()
 
     def add_arguments(self, parser):
         parser.add_argument("blueprints", nargs="+", type=str)

authentik/blueprints/management/commands/blueprint_shell.py

@@ -1,68 +0,0 @@
-"""Test and debug Blueprints"""
-
-import atexit
-import readline
-from pathlib import Path
-from pprint import pformat
-from sys import exit as sysexit
-from textwrap import indent
-
-from django.core.management.base import BaseCommand, no_translations
-from structlog.stdlib import get_logger
-from yaml import load
-
-from authentik.blueprints.v1.common import BlueprintLoader, EntryInvalidError
-from authentik.core.management.commands.shell import get_banner_text
-from authentik.lib.utils.errors import exception_to_string
-
-LOGGER = get_logger()
-
-
-class Command(BaseCommand):
-    """Test and debug Blueprints"""
-
-    lines = []
-
-    def __init__(self, *args, **kwargs) -> None:
-        super().__init__(*args, **kwargs)
-        histfolder = Path("~").expanduser() / Path(".local/share/authentik")
-        histfolder.mkdir(parents=True, exist_ok=True)
-        histfile = histfolder / Path("blueprint_shell_history")
-        readline.parse_and_bind("tab: complete")
-        readline.parse_and_bind("set editing-mode vi")
-
-        try:
-            readline.read_history_file(str(histfile))
-        except FileNotFoundError:
-            pass
-
-        atexit.register(readline.write_history_file, str(histfile))
-
-    @no_translations
-    def handle(self, *args, **options):
-        """Interactively debug blueprint files"""
-        self.stdout.write(get_banner_text("Blueprint shell"))
-        self.stdout.write("Type '.eval' to evaluate previously entered statement(s).")
-
-        def do_eval():
-            yaml_input = "\n".join([line for line in self.lines if line])
-            data = load(yaml_input, BlueprintLoader)
-            self.stdout.write(pformat(data))
-            self.lines = []
-
-        while True:
-            try:
-                line = input("> ")
-                if line == ".eval":
-                    do_eval()
-                else:
-                    self.lines.append(line)
-            except EntryInvalidError as exc:
-                self.stdout.write("Failed to evaluate expression:")
-                self.stdout.write(indent(exception_to_string(exc), prefix="  "))
-            except EOFError:
-                break
-            except KeyboardInterrupt:
-                self.stdout.write()
-                sysexit(0)
-        self.stdout.write()

authentik/blueprints/management/commands/export_blueprint.py

@@ -1,19 +1,17 @@
 """Export blueprint of current authentik install"""
-
-from django.core.management.base import no_translations
+from django.core.management.base import BaseCommand, no_translations
 from structlog.stdlib import get_logger
 
 from authentik.blueprints.v1.exporter import Exporter
-from authentik.tenants.management import TenantCommand
 
 LOGGER = get_logger()
 
 
-class Command(TenantCommand):
+class Command(BaseCommand):
     """Export blueprint of current authentik install"""
 
     @no_translations
-    def handle_per_tenant(self, *args, **options):
+    def handle(self, *args, **options):
         """Export blueprint of current authentik install"""
         exporter = Exporter()
         self.stdout.write(exporter.export_to_string())

authentik/blueprints/management/commands/make_blueprint_schema.py

@@ -1,17 +1,14 @@
 """Generate JSON Schema for blueprints"""
-
 from json import dumps
 from typing import Any
 
 from django.core.management.base import BaseCommand, no_translations
-from django.db.models import Model, fields
-from drf_jsonschema_serializer.convert import converter, field_to_converter
+from django.db.models import Model
+from drf_jsonschema_serializer.convert import field_to_converter
 from rest_framework.fields import Field, JSONField, UUIDField
-from rest_framework.relations import PrimaryKeyRelatedField
 from rest_framework.serializers import Serializer
 from structlog.stdlib import get_logger
 
-from authentik import __version__
 from authentik.blueprints.v1.common import BlueprintEntryDesiredState
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT, is_model_allowed
 from authentik.blueprints.v1.meta.registry import BaseMetaModel, registry
@@ -20,23 +17,6 @@ from authentik.lib.models import SerializerModel
 LOGGER = get_logger()
 
 
-@converter
-class PrimaryKeyRelatedFieldConverter:
-    """Custom primary key field converter which is aware of non-integer based PKs
-
-    This is not an exhaustive fix for other non-int PKs, however in authentik we either
-    use UUIDs or ints"""
-
-    field_class = PrimaryKeyRelatedField
-
-    def convert(self, field: PrimaryKeyRelatedField):
-        model: Model = field.queryset.model
-        pk_field = model._meta.pk
-        if isinstance(pk_field, fields.UUIDField):
-            return {"type": "string", "format": "uuid"}
-        return {"type": "integer"}
-
-
 class Command(BaseCommand):
     """Generate JSON Schema for blueprints"""
 
@@ -48,7 +28,7 @@ class Command(BaseCommand):
             "$schema": "http://json-schema.org/draft-07/schema",
             "$id": "https://goauthentik.io/blueprints/schema.json",
             "type": "object",
-            "title": f"authentik {__version__} Blueprint schema",
+            "title": "authentik Blueprint schema",
             "required": ["version", "entries"],
             "properties": {
                 "version": {
@@ -113,20 +93,17 @@ class Command(BaseCommand):
             )
             model_path = f"{model._meta.app_label}.{model._meta.model_name}"
             self.schema["properties"]["entries"]["items"]["oneOf"].append(
-                self.template_entry(model_path, model, serializer)
+                self.template_entry(model_path, serializer)
             )
 
-    def template_entry(self, model_path: str, model: type[Model], serializer: Serializer) -> dict:
+    def template_entry(self, model_path: str, serializer: Serializer) -> dict:
         """Template entry for a single model"""
         model_schema = self.to_jsonschema(serializer)
         model_schema["required"] = []
         def_name = f"model_{model_path}"
         def_path = f"#/$defs/{def_name}"
         self.schema["$defs"][def_name] = model_schema
-        def_name_perm = f"model_{model_path}_permissions"
-        def_path_perm = f"#/$defs/{def_name_perm}"
-        self.schema["$defs"][def_name_perm] = self.model_permissions(model)
-        template = {
+        return {
             "type": "object",
             "required": ["model", "identifiers"],
             "properties": {
@@ -138,16 +115,10 @@ class Command(BaseCommand):
                     "default": "present",
                 },
                 "conditions": {"type": "array", "items": {"type": "boolean"}},
-                "permissions": {"$ref": def_path_perm},
                 "attrs": {"$ref": def_path},
                 "identifiers": {"$ref": def_path},
             },
         }
-        # Meta models don't require identifiers, as there's no matching database model to find
-        if issubclass(model, BaseMetaModel):
-            del template["properties"]["identifiers"]
-            template["required"].remove("identifiers")
-        return template
 
     def field_to_jsonschema(self, field: Field) -> dict:
         """Convert a single field to json schema"""
@@ -194,20 +165,3 @@ class Command(BaseCommand):
         if required:
             result["required"] = required
         return result
-
-    def model_permissions(self, model: type[Model]) -> dict:
-        perms = [x[0] for x in model._meta.permissions]
-        for action in model._meta.default_permissions:
-            perms.append(f"{action}_{model._meta.model_name}")
-        return {
-            "type": "array",
-            "items": {
-                "type": "object",
-                "required": ["permission"],
-                "properties": {
-                    "permission": {"type": "string", "enum": perms},
-                    "user": {"type": "integer"},
-                    "role": {"type": "string"},
-                },
-            },
-        }

authentik/blueprints/migrations/0001_initial.py

@@ -14,7 +14,7 @@ from authentik.blueprints.v1.labels import LABEL_AUTHENTIK_SYSTEM
 from authentik.lib.config import CONFIG
 
 
-def check_blueprint_v1_file(BlueprintInstance: type, db_alias, path: Path):
+def check_blueprint_v1_file(BlueprintInstance: type, path: Path):
     """Check if blueprint should be imported"""
     from authentik.blueprints.models import BlueprintInstanceStatus
     from authentik.blueprints.v1.common import BlueprintLoader, BlueprintMetadata
@@ -29,7 +29,7 @@ def check_blueprint_v1_file(BlueprintInstance: type, db_alias, path: Path):
         if version != 1:
             return
         blueprint_file.seek(0)
-    instance = BlueprintInstance.objects.using(db_alias).filter(path=path).first()
+    instance: BlueprintInstance = BlueprintInstance.objects.filter(path=path).first()
     rel_path = path.relative_to(Path(CONFIG.get("blueprints_dir")))
     meta = None
     if metadata:
@@ -37,7 +37,7 @@ def check_blueprint_v1_file(BlueprintInstance: type, db_alias, path: Path):
         if meta.labels.get(LABEL_AUTHENTIK_INSTANTIATE, "").lower() == "false":
             return
     if not instance:
-        BlueprintInstance.objects.using(db_alias).create(
+        instance = BlueprintInstance(
             name=meta.name if meta else str(rel_path),
             path=str(rel_path),
             context={},
@@ -47,6 +47,7 @@ def check_blueprint_v1_file(BlueprintInstance: type, db_alias, path: Path):
             last_applied_hash="",
             metadata=metadata or {},
         )
+        instance.save()
 
 
 def migration_blueprint_import(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
@@ -55,7 +56,7 @@ def migration_blueprint_import(apps: Apps, schema_editor: BaseDatabaseSchemaEdit
 
     db_alias = schema_editor.connection.alias
     for file in glob(f"{CONFIG.get('blueprints_dir')}/**/*.yaml", recursive=True):
-        check_blueprint_v1_file(BlueprintInstance, db_alias, Path(file))
+        check_blueprint_v1_file(BlueprintInstance, Path(file))
 
     for blueprint in BlueprintInstance.objects.using(db_alias).all():
         # If we already have flows (and we should always run before flow migrations)

authentik/blueprints/models.py

@@ -1,5 +1,4 @@
 """blueprint models"""
-
 from pathlib import Path
 from uuid import uuid4
 
@@ -71,19 +70,6 @@ class BlueprintInstance(SerializerModel, ManagedModel, CreatedUpdatedModel):
     enabled = models.BooleanField(default=True)
     managed_models = ArrayField(models.TextField(), default=list)
 
-    class Meta:
-        verbose_name = _("Blueprint Instance")
-        verbose_name_plural = _("Blueprint Instances")
-        unique_together = (
-            (
-                "name",
-                "path",
-            ),
-        )
-
-    def __str__(self) -> str:
-        return f"Blueprint Instance {self.name}"
-
     def retrieve_oci(self) -> str:
         """Get blueprint from an OCI registry"""
         client = BlueprintOCIClient(self.path.replace(OCI_PREFIX, "https://"))
@@ -102,7 +88,7 @@ class BlueprintInstance(SerializerModel, ManagedModel, CreatedUpdatedModel):
                 raise BlueprintRetrievalFailed("Invalid blueprint path")
             with full_path.open("r", encoding="utf-8") as _file:
                 return _file.read()
-        except OSError as exc:
+        except (IOError, OSError) as exc:
             raise BlueprintRetrievalFailed(exc) from exc
 
     def retrieve(self) -> str:
@@ -118,3 +104,16 @@ class BlueprintInstance(SerializerModel, ManagedModel, CreatedUpdatedModel):
         from authentik.blueprints.api import BlueprintInstanceSerializer
 
         return BlueprintInstanceSerializer
+
+    def __str__(self) -> str:
+        return f"Blueprint Instance {self.name}"
+
+    class Meta:
+        verbose_name = _("Blueprint Instance")
+        verbose_name_plural = _("Blueprint Instances")
+        unique_together = (
+            (
+                "name",
+                "path",
+            ),
+        )

authentik/blueprints/settings.py

@@ -1,5 +1,4 @@
 """blueprint Settings"""
-
 from celery.schedules import crontab
 
 from authentik.lib.utils.time import fqdn_rand

authentik/blueprints/tests/__init__.py

@@ -1,7 +1,6 @@
 """Blueprint helpers"""
-
-from collections.abc import Callable
 from functools import wraps
+from typing import Callable
 
 from django.apps import apps
 
@@ -39,7 +38,7 @@ def reconcile_app(app_name: str):
         def wrapper(*args, **kwargs):
             config = apps.get_app_config(app_name)
             if isinstance(config, ManagedAppConfig):
-                config._on_startup_callback(None)
+                config.reconcile()
             return func(*args, **kwargs)
 
         return wrapper

authentik/blueprints/tests/fixtures/rbac_object.yaml

@@ -1,24 +0,0 @@
-version: 1
-entries:
-  - model: authentik_core.user
-    id: user
-    identifiers:
-      username: "%(id)s"
-    attrs:
-      name: "%(id)s"
-  - model: authentik_rbac.role
-    id: role
-    identifiers:
-      name: "%(id)s"
-  - model: authentik_flows.flow
-    identifiers:
-      slug: "%(id)s"
-    attrs:
-      designation: authentication
-      name: foo
-      title: foo
-    permissions:
-      - permission: view_flow
-        user: !KeyOf user
-      - permission: view_flow
-        role: !KeyOf role

authentik/blueprints/tests/fixtures/rbac_role.yaml

@@ -1,8 +0,0 @@
-version: 1
-entries:
-  - model: authentik_rbac.role
-    identifiers:
-      name: "%(id)s"
-    attrs:
-      permissions:
-        - authentik_blueprints.view_blueprintinstance

authentik/blueprints/tests/fixtures/rbac_user.yaml

@@ -1,9 +0,0 @@
-version: 1
-entries:
-  - model: authentik_core.user
-    identifiers:
-      username: "%(id)s"
-    attrs:
-      name: "%(id)s"
-      permissions:
-        - authentik_blueprints.view_blueprintinstance

authentik/blueprints/tests/fixtures/tags.yaml

@@ -146,10 +146,6 @@ entries:
                   ]
               ]
               nested_context: !Context context2
-              at_index_sequence: !AtIndex [!Context sequence, 0]
-              at_index_sequence_default: !AtIndex [!Context sequence, 100, "non existent"]
-              at_index_mapping: !AtIndex [!Context mapping, "key2"]
-              at_index_mapping_default: !AtIndex [!Context mapping, "invalid", "non existent"]
       identifiers:
           name: test
       conditions:

authentik/blueprints/tests/test_models.py

@@ -1,5 +1,4 @@
 """authentik managed models tests"""
-
 from django.test import TestCase
 
 from authentik.blueprints.models import BlueprintInstance, BlueprintRetrievalFailed

authentik/blueprints/tests/test_oci.py

@@ -1,5 +1,4 @@
 """Test blueprints OCI"""
-
 from django.test import TransactionTestCase
 from requests_mock import Mocker
 

authentik/blueprints/tests/test_packaged.py

@@ -1,23 +1,22 @@
 """test packaged blueprints"""
-
-from collections.abc import Callable
 from pathlib import Path
+from typing import Callable
 
 from django.test import TransactionTestCase
 
 from authentik.blueprints.models import BlueprintInstance
 from authentik.blueprints.tests import apply_blueprint
 from authentik.blueprints.v1.importer import Importer
-from authentik.brands.models import Brand
+from authentik.tenants.models import Tenant
 
 
 class TestPackaged(TransactionTestCase):
     """Empty class, test methods are added dynamically"""
 
-    @apply_blueprint("default/default-brand.yaml")
+    @apply_blueprint("default/default-tenant.yaml")
     def test_decorator_static(self):
         """Test @apply_blueprint decorator"""
-        self.assertTrue(Brand.objects.filter(domain="authentik-default").exists())
+        self.assertTrue(Tenant.objects.filter(domain="authentik-default").exists())
 
 
 def blueprint_tester(file_name: Path) -> Callable:
@@ -27,8 +26,7 @@ def blueprint_tester(file_name: Path) -> Callable:
         base = Path("blueprints/")
         rel_path = Path(file_name).relative_to(base)
         importer = Importer.from_string(BlueprintInstance(path=str(rel_path)).retrieve())
-        validation, logs = importer.validate()
-        self.assertTrue(validation, logs)
+        self.assertTrue(importer.validate()[0])
         self.assertTrue(importer.apply())
 
     return tester

authentik/blueprints/tests/test_serializer_models.py

@@ -1,6 +1,5 @@
 """authentik managed models tests"""
-
-from collections.abc import Callable
+from typing import Callable, Type
 
 from django.apps import apps
 from django.test import TestCase
@@ -14,7 +13,7 @@ class TestModels(TestCase):
     """Test Models"""
 
 
-def serializer_tester_factory(test_model: type[SerializerModel]) -> Callable:
+def serializer_tester_factory(test_model: Type[SerializerModel]) -> Callable:
     """Test serializer"""
 
     def tester(self: TestModels):

authentik/blueprints/tests/test_v1.py

@@ -1,5 +1,4 @@
 """Test blueprints v1"""
-
 from os import environ
 
 from django.test import TransactionTestCase
@@ -215,10 +214,6 @@ class TestBlueprintsV1(TransactionTestCase):
                     },
                     "nested_context": "context-nested-value",
                     "env_null": None,
-                    "at_index_sequence": "foo",
-                    "at_index_sequence_default": "non existent",
-                    "at_index_mapping": 2,
-                    "at_index_mapping_default": "non existent",
                 }
             ).exists()
         )

authentik/blueprints/tests/test_v1_api.py

@@ -1,5 +1,4 @@
 """Test blueprints v1 api"""
-
 from json import loads
 from tempfile import NamedTemporaryFile, mkdtemp
 
@@ -78,5 +77,5 @@ class TestBlueprintsV1API(APITestCase):
         self.assertEqual(res.status_code, 400)
         self.assertJSONEqual(
             res.content.decode(),
-            {"content": ["Failed to validate blueprint", "- Invalid blueprint version"]},
+            {"content": ["Failed to validate blueprint: Invalid blueprint version"]},
         )

authentik/blueprints/tests/test_v1_conditional_fields.py

@@ -1,5 +1,4 @@
 """Test blueprints v1"""
-
 from django.test import TransactionTestCase
 
 from authentik.blueprints.v1.importer import Importer

authentik/blueprints/tests/test_v1_conditions.py

@@ -1,5 +1,4 @@
 """Test blueprints v1"""
-
 from django.test import TransactionTestCase
 
 from authentik.blueprints.v1.importer import Importer

authentik/blueprints/tests/test_v1_rbac.py

@@ -1,57 +0,0 @@
-"""Test blueprints v1"""
-
-from django.test import TransactionTestCase
-from guardian.shortcuts import get_perms
-
-from authentik.blueprints.v1.importer import Importer
-from authentik.core.models import User
-from authentik.flows.models import Flow
-from authentik.lib.generators import generate_id
-from authentik.lib.tests.utils import load_fixture
-from authentik.rbac.models import Role
-
-
-class TestBlueprintsV1RBAC(TransactionTestCase):
-    """Test Blueprints rbac attribute"""
-
-    def test_user_permission(self):
-        """Test permissions"""
-        uid = generate_id()
-        import_yaml = load_fixture("fixtures/rbac_user.yaml", id=uid)
-
-        importer = Importer.from_string(import_yaml)
-        self.assertTrue(importer.validate()[0])
-        self.assertTrue(importer.apply())
-        user = User.objects.filter(username=uid).first()
-        self.assertIsNotNone(user)
-        self.assertTrue(user.has_perms(["authentik_blueprints.view_blueprintinstance"]))
-
-    def test_role_permission(self):
-        """Test permissions"""
-        uid = generate_id()
-        import_yaml = load_fixture("fixtures/rbac_role.yaml", id=uid)
-
-        importer = Importer.from_string(import_yaml)
-        self.assertTrue(importer.validate()[0])
-        self.assertTrue(importer.apply())
-        role = Role.objects.filter(name=uid).first()
-        self.assertIsNotNone(role)
-        self.assertEqual(
-            list(role.group.permissions.all().values_list("codename", flat=True)),
-            ["view_blueprintinstance"],
-        )
-
-    def test_object_permission(self):
-        """Test permissions"""
-        uid = generate_id()
-        import_yaml = load_fixture("fixtures/rbac_object.yaml", id=uid)
-
-        importer = Importer.from_string(import_yaml)
-        self.assertTrue(importer.validate()[0])
-        self.assertTrue(importer.apply())
-        flow = Flow.objects.filter(slug=uid).first()
-        user = User.objects.filter(username=uid).first()
-        role = Role.objects.filter(name=uid).first()
-        self.assertIsNotNone(flow)
-        self.assertEqual(get_perms(user, flow), ["view_flow"])
-        self.assertEqual(get_perms(role.group, flow), ["view_flow"])

authentik/blueprints/tests/test_v1_state.py

@@ -1,5 +1,4 @@
 """Test blueprints v1"""
-
 from django.test import TransactionTestCase
 
 from authentik.blueprints.v1.importer import Importer