release: 2024.6.2

tests/e2e: fix ldap tests following #10270 (#10288)

Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2024.6.3
+current_version = 2024.6.2
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?

.github/actions/comment-pr-instructions/action.yml

@@ -54,10 +54,9 @@ runs:
             authentik:
                 outposts:
                     container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
-            global:
-                image:
-                    repository: ghcr.io/goauthentik/dev-server
-                    tag: ${{ inputs.tag }}
+            image:
+                repository: ghcr.io/goauthentik/dev-server
+                tag: ${{ inputs.tag }}
             ```
 
             For arm64, use these values:
@@ -66,10 +65,9 @@ runs:
             authentik:
                 outposts:
                     container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
-            global:
-                image:
-                    repository: ghcr.io/goauthentik/dev-server
-                    tag: ${{ inputs.tag }}-arm64
+            image:
+                repository: ghcr.io/goauthentik/dev-server
+                tag: ${{ inputs.tag }}-arm64
             ```
 
             Afterwards, run the upgrade commands from the latest release notes.

.github/actions/docker-push-variables/action.yml

@@ -29,15 +29,9 @@ outputs:
   imageTags:
     description: "Docker image tags"
     value: ${{ steps.ev.outputs.imageTags }}
-  imageNames:
-    description: "Docker image names"
-    value: ${{ steps.ev.outputs.imageNames }}
   imageMainTag:
     description: "Docker image main tag"
     value: ${{ steps.ev.outputs.imageMainTag }}
-  imageMainName:
-    description: "Docker image main name"
-    value: ${{ steps.ev.outputs.imageMainName }}
 
 runs:
   using: "composite"

.github/actions/docker-push-variables/push_vars.py

@@ -7,7 +7,7 @@ from time import time
 parser = configparser.ConfigParser()
 parser.read(".bumpversion.cfg")
 
-should_build = str(len(os.environ.get("DOCKER_USERNAME", "")) > 0).lower()
+should_build = str(os.environ.get("DOCKER_USERNAME", None) is not None).lower()
 
 branch_name = os.environ["GITHUB_REF"]
 if os.environ.get("GITHUB_HEAD_REF", "") != "":
@@ -50,9 +50,8 @@ else:
             f"{name}:gh-{safe_branch_name}-{int(time())}-{sha[:7]}{suffix}",  # Use by FluxCD
         ]
 
-image_main_tag = image_tags[0].split(":")[-1]
+image_main_tag = image_tags[0]
 image_tags_rendered = ",".join(image_tags)
-image_names_rendered = ",".join(set(name.split(":")[0] for name in image_tags))
 
 with open(os.environ["GITHUB_OUTPUT"], "a+", encoding="utf-8") as _output:
     print(f"shouldBuild={should_build}", file=_output)
@@ -60,6 +59,4 @@ with open(os.environ["GITHUB_OUTPUT"], "a+", encoding="utf-8") as _output:
     print(f"version={version}", file=_output)
     print(f"prerelease={prerelease}", file=_output)
     print(f"imageTags={image_tags_rendered}", file=_output)
-    print(f"imageNames={image_names_rendered}", file=_output)
     print(f"imageMainTag={image_main_tag}", file=_output)
-    print(f"imageMainName={image_tags[0]}", file=_output)

.github/workflows/api-ts-publish.yml

@@ -35,8 +35,8 @@ jobs:
         run: |
           export VERSION=`node -e 'console.log(require("../gen-ts-api/package.json").version)'`
           npm i @goauthentik/api@$VERSION
-      - name: Upgrade /web/packages/sfe
-        working-directory: web/packages/sfe
+      - name: Upgrade /web/sfe
+        working-directory: web/sfe
         run: |
           export VERSION=`node -e 'console.log(require("../gen-ts-api/package.json").version)'`
           npm i @goauthentik/api@$VERSION

.github/workflows/ci-main.yml

@@ -213,16 +213,13 @@ jobs:
     permissions:
       # Needed to upload contianer images to ghcr.io
       packages: write
-      # Needed for attestation
-      id-token: write
-      attestations: write
     timeout-minutes: 120
     steps:
       - uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.2.0
+        uses: docker/setup-qemu-action@v3.0.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: prepare variables
@@ -243,8 +240,7 @@ jobs:
       - name: generate ts client
         run: make gen-client-ts
       - name: Build Docker Image
-        uses: docker/build-push-action@v6
-        id: push
+        uses: docker/build-push-action@v5
         with:
           context: .
           secrets: |
@@ -255,15 +251,8 @@ jobs:
           build-args: |
             GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
           cache-from: type=registry,ref=ghcr.io/goauthentik/dev-server:buildcache
-          cache-to: ${{ steps.ev.outputs.shouldBuild == 'true' && 'type=registry,ref=ghcr.io/goauthentik/dev-server:buildcache,mode=max' || '' }}
+          cache-to: type=registry,ref=ghcr.io/goauthentik/dev-server:buildcache,mode=max
           platforms: linux/${{ matrix.arch }}
-      - uses: actions/attest-build-provenance@v1
-        id: attest
-        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
-        with:
-          subject-name: ${{ steps.ev.outputs.imageNames }}
-          subject-digest: ${{ steps.push.outputs.digest }}
-          push-to-registry: true
   pr-comment:
     needs:
       - build
@@ -285,7 +274,6 @@ jobs:
         with:
           image-name: ghcr.io/goauthentik/dev-server
       - name: Comment on PR
-        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
         uses: ./.github/actions/comment-pr-instructions
         with:
-          tag: ${{ steps.ev.outputs.imageMainTag }}
+          tag: gh-${{ steps.ev.outputs.imageMainTag }}

.github/workflows/ci-outpost.yml

@@ -71,15 +71,12 @@ jobs:
     permissions:
       # Needed to upload contianer images to ghcr.io
       packages: write
-      # Needed for attestation
-      id-token: write
-      attestations: write
     steps:
       - uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.2.0
+        uses: docker/setup-qemu-action@v3.0.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: prepare variables
@@ -99,8 +96,7 @@ jobs:
       - name: Generate API
         run: make gen-client-go
       - name: Build Docker Image
-        id: push
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v5
         with:
           tags: ${{ steps.ev.outputs.imageTags }}
           file: ${{ matrix.type }}.Dockerfile
@@ -110,14 +106,7 @@ jobs:
           platforms: linux/amd64,linux/arm64
           context: .
           cache-from: type=registry,ref=ghcr.io/goauthentik/dev-${{ matrix.type }}:buildcache
-          cache-to: ${{ steps.ev.outputs.shouldBuild == 'true' && format('type=registry,ref=ghcr.io/goauthentik/dev-{0}:buildcache,mode=max', matrix.type) || '' }}
-      - uses: actions/attest-build-provenance@v1
-        id: attest
-        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
-        with:
-          subject-name: ${{ steps.ev.outputs.imageNames }}
-          subject-digest: ${{ steps.push.outputs.digest }}
-          push-to-registry: true
+          cache-to: type=registry,ref=ghcr.io/goauthentik/dev-${{ matrix.type }}:buildcache,mode=max
   build-binary:
     timeout-minutes: 120
     needs:

.github/workflows/ci-web.yml

@@ -12,24 +12,19 @@ on:
       - version-*
 
 jobs:
-  lint:
+  lint-eslint:
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
       matrix:
-        command:
-          - lint
-          - lint:lockfile
-          - tsc
-          - prettier-check
         project:
           - web
           - tests/wdio
         include:
           - command: tsc
             project: web
-          - command: lit-analyse
-            project: web
+            extra_setup: |
+              cd sfe/ && npm ci
         exclude:
           - command: lint:lockfile
             project: tests/wdio
@@ -43,17 +38,85 @@ jobs:
           cache: "npm"
           cache-dependency-path: ${{ matrix.project }}/package-lock.json
       - working-directory: ${{ matrix.project }}/
-        run: |
-          npm ci
-          ${{ matrix.extra_setup }}
+        run: npm ci
       - name: Generate API
         run: make gen-client-ts
-      - name: Lint
+      - name: Eslint
         working-directory: ${{ matrix.project }}/
-        run: npm run ${{ matrix.command }}
+        run: npm run lint
+  lint-lockfile:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - working-directory: web/
+        run: |
+          [ -z "$(jq -r '.packages | to_entries[] | select((.key | startswith("node_modules")) and (.value | has("resolved") | not)) | .key' < package-lock.json)" ]
+  lint-build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: web/package.json
+          cache: "npm"
+          cache-dependency-path: web/package-lock.json
+      - working-directory: web/
+        run: npm ci
+      - name: Generate API
+        run: make gen-client-ts
+      - name: TSC
+        working-directory: web/
+        run: npm run tsc
+  lint-prettier:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        project:
+          - web
+          - tests/wdio
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: ${{ matrix.project }}/package.json
+          cache: "npm"
+          cache-dependency-path: ${{ matrix.project }}/package-lock.json
+      - working-directory: ${{ matrix.project }}/
+        run: npm ci
+      - name: Generate API
+        run: make gen-client-ts
+      - name: prettier
+        working-directory: ${{ matrix.project }}/
+        run: npm run prettier-check
+  lint-lit-analyse:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: web/package.json
+          cache: "npm"
+          cache-dependency-path: web/package-lock.json
+      - working-directory: web/
+        run: |
+          npm ci
+          # lit-analyse doesn't understand path rewrites, so make it
+          # belive it's an actual module
+          cd node_modules/@goauthentik
+          ln -s ../../src/ web
+      - name: Generate API
+        run: make gen-client-ts
+      - name: lit-analyse
+        working-directory: web/
+        run: npm run lit-analyse
   ci-web-mark:
     needs:
-      - lint
+      - lint-lockfile
+      - lint-eslint
+      - lint-prettier
+      - lint-lit-analyse
+      - lint-build
     runs-on: ubuntu-latest
     steps:
       - run: echo mark
@@ -75,21 +138,3 @@ jobs:
       - name: build
         working-directory: web/
         run: npm run build
-  test:
-    needs:
-      - ci-web-mark
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version-file: web/package.json
-          cache: "npm"
-          cache-dependency-path: web/package-lock.json
-      - working-directory: web/
-        run: npm ci
-      - name: Generate API
-        run: make gen-client-ts
-      - name: test
-        working-directory: web/
-        run: npm run test

.github/workflows/ci-website.yml

@@ -12,21 +12,27 @@ on:
       - version-*
 
 jobs:
-  lint:
+  lint-lockfile:
     runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        command:
-          - lint:lockfile
-          - prettier-check
     steps:
       - uses: actions/checkout@v4
+      - working-directory: website/
+        run: |
+          [ -z "$(jq -r '.packages | to_entries[] | select((.key | startswith("node_modules")) and (.value | has("resolved") | not)) | .key' < package-lock.json)" ]
+  lint-prettier:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: website/package.json
+          cache: "npm"
+          cache-dependency-path: website/package-lock.json
       - working-directory: website/
         run: npm ci
-      - name: Lint
+      - name: prettier
         working-directory: website/
-        run: npm run ${{ matrix.command }}
+        run: npm run prettier-check
   test:
     runs-on: ubuntu-latest
     steps:
@@ -63,7 +69,8 @@ jobs:
         run: npm run ${{ matrix.job }}
   ci-website-mark:
     needs:
-      - lint
+      - lint-lockfile
+      - lint-prettier
       - test
       - build
     runs-on: ubuntu-latest

.github/workflows/release-publish.yml

@@ -11,13 +11,10 @@ jobs:
     permissions:
       # Needed to upload contianer images to ghcr.io
       packages: write
-      # Needed for attestation
-      id-token: write
-      attestations: write
     steps:
       - uses: actions/checkout@v4
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.2.0
+        uses: docker/setup-qemu-action@v3.0.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: prepare variables
@@ -43,8 +40,7 @@ jobs:
           mkdir -p ./gen-ts-api
           mkdir -p ./gen-go-api
       - name: Build Docker Image
-        uses: docker/build-push-action@v6
-        id: push
+        uses: docker/build-push-action@v5
         with:
           context: .
           push: true
@@ -53,20 +49,11 @@ jobs:
             GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
           tags: ${{ steps.ev.outputs.imageTags }}
           platforms: linux/amd64,linux/arm64
-      - uses: actions/attest-build-provenance@v1
-        id: attest
-        with:
-          subject-name: ${{ steps.ev.outputs.imageNames }}
-          subject-digest: ${{ steps.push.outputs.digest }}
-          push-to-registry: true
   build-outpost:
     runs-on: ubuntu-latest
     permissions:
       # Needed to upload contianer images to ghcr.io
       packages: write
-      # Needed for attestation
-      id-token: write
-      attestations: write
     strategy:
       fail-fast: false
       matrix:
@@ -81,7 +68,7 @@ jobs:
         with:
           go-version-file: "go.mod"
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.2.0
+        uses: docker/setup-qemu-action@v3.0.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: prepare variables
@@ -107,20 +94,13 @@ jobs:
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build Docker Image
-        uses: docker/build-push-action@v6
-        id: push
+        uses: docker/build-push-action@v5
         with:
           push: true
           tags: ${{ steps.ev.outputs.imageTags }}
           file: ${{ matrix.type }}.Dockerfile
           platforms: linux/amd64,linux/arm64
           context: .
-      - uses: actions/attest-build-provenance@v1
-        id: attest
-        with:
-          subject-name: ${{ steps.ev.outputs.imageNames }}
-          subject-digest: ${{ steps.push.outputs.digest }}
-          push-to-registry: true
   build-outpost-binary:
     timeout-minutes: 120
     runs-on: ubuntu-latest
@@ -175,8 +155,8 @@ jobs:
       - uses: actions/checkout@v4
       - name: Run test suite in final docker images
         run: |
-          echo "PG_PASS=$(openssl rand 32 | base64 -w 0)" >> .env
-          echo "AUTHENTIK_SECRET_KEY=$(openssl rand 32 | base64 -w 0)" >> .env
+          echo "PG_PASS=$(openssl rand 32 | base64)" >> .env
+          echo "AUTHENTIK_SECRET_KEY=$(openssl rand 32 | base64)" >> .env
           docker compose pull -q
           docker compose up --no-start
           docker compose start postgresql redis
@@ -198,8 +178,8 @@ jobs:
           image-name: ghcr.io/goauthentik/server
       - name: Get static files from docker image
         run: |
-          docker pull ${{ steps.ev.outputs.imageMainName }}
-          container=$(docker container create ${{ steps.ev.outputs.imageMainName }})
+          docker pull ${{ steps.ev.outputs.imageMainTag }}
+          container=$(docker container create ${{ steps.ev.outputs.imageMainTag }})
           docker cp ${container}:web/ .
       - name: Create a Sentry.io release
         uses: getsentry/action-release@v1

.github/workflows/release-tag.yml

@@ -14,8 +14,8 @@ jobs:
       - uses: actions/checkout@v4
       - name: Pre-release test
         run: |
-          echo "PG_PASS=$(openssl rand 32 | base64 -w 0)" >> .env
-          echo "AUTHENTIK_SECRET_KEY=$(openssl rand 32 | base64 -w 0)" >> .env
+          echo "PG_PASS=$(openssl rand 32 | base64)" >> .env
+          echo "AUTHENTIK_SECRET_KEY=$(openssl rand 32 | base64)" >> .env
           docker buildx install
           mkdir -p ./gen-ts-api
           docker build -t testing:latest .

.vscode/extensions.json

@@ -16,6 +16,6 @@
         "ms-python.black-formatter",
         "redhat.vscode-yaml",
         "Tobermory.es6-string-html",
-        "unifiedjs.vscode-mdx"
+        "unifiedjs.vscode-mdx",
     ]
 }

.vscode/launch.json

@@ -22,6 +22,6 @@
             },
             "justMyCode": true,
             "django": true
-        }
+        },
     ]
 }

.vscode/settings.json

@@ -18,21 +18,20 @@
         "sso",
         "totp",
         "traefik",
-        "webauthn"
+        "webauthn",
     ],
     "todo-tree.tree.showCountsInTree": true,
     "todo-tree.tree.showBadges": true,
     "yaml.customTags": [
-        "!Condition sequence",
-        "!Context scalar",
-        "!Enumerate sequence",
-        "!Env scalar",
         "!Find sequence",
-        "!Format sequence",
-        "!If sequence",
-        "!Index scalar",
         "!KeyOf scalar",
-        "!Value scalar"
+        "!Context scalar",
+        "!Context sequence",
+        "!Format sequence",
+        "!Condition sequence",
+        "!Env sequence",
+        "!Env scalar",
+        "!If sequence"
     ],
     "typescript.preferences.importModuleSpecifier": "non-relative",
     "typescript.preferences.importModuleSpecifierEnding": "index",
@@ -49,7 +48,9 @@
             "ignoreCase": false
         }
     ],
-    "go.testFlags": ["-count=1"],
+    "go.testFlags": [
+        "-count=1"
+    ],
     "github-actions.workflows.pinned.workflows": [
         ".github/workflows/ci-main.yml"
     ]

.vscode/tasks.json

@@ -2,67 +2,85 @@
     "version": "2.0.0",
     "tasks": [
         {
-            "label": "authentik/core: make",
+            "label": "authentik[core]: format & test",
             "command": "poetry",
-            "args": ["run", "make", "lint-fix", "lint"],
-            "presentation": {
-                "panel": "new"
-            },
-            "group": "test"
+            "args": [
+                "run",
+                "make"
+            ],
+            "group": "build",
         },
         {
-            "label": "authentik/core: run",
+            "label": "authentik[core]: run",
             "command": "poetry",
-            "args": ["run", "ak", "server"],
+            "args": [
+                "run",
+                "make",
+                "run",
+            ],
             "group": "build",
             "presentation": {
                 "panel": "dedicated",
                 "group": "running"
-            }
+            },
         },
         {
-            "label": "authentik/web: make",
+            "label": "authentik[web]: format",
             "command": "make",
             "args": ["web"],
-            "group": "build"
+            "group": "build",
         },
         {
-            "label": "authentik/web: watch",
+            "label": "authentik[web]: watch",
             "command": "make",
             "args": ["web-watch"],
             "group": "build",
             "presentation": {
                 "panel": "dedicated",
                 "group": "running"
-            }
+            },
         },
         {
             "label": "authentik: install",
             "command": "make",
-            "args": ["install", "-j4"],
-            "group": "build"
+            "args": ["install"],
+            "group": "build",
         },
         {
-            "label": "authentik/website: make",
+            "label": "authentik: i18n-extract",
+            "command": "poetry",
+            "args": [
+                "run",
+                "make",
+                "i18n-extract"
+            ],
+            "group": "build",
+        },
+        {
+            "label": "authentik[website]: format",
             "command": "make",
             "args": ["website"],
-            "group": "build"
+            "group": "build",
         },
         {
-            "label": "authentik/website: watch",
+            "label": "authentik[website]: watch",
             "command": "make",
             "args": ["website-watch"],
             "group": "build",
             "presentation": {
                 "panel": "dedicated",
                 "group": "running"
-            }
+            },
         },
         {
-            "label": "authentik/api: generate",
+            "label": "authentik[api]: generate",
             "command": "poetry",
-            "args": ["run", "make", "gen"],
+            "args": [
+                "run",
+                "make",
+                "gen"
+            ],
             "group": "build"
-        }
+        },
     ]
 }

Dockerfile

@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:1
 
 # Stage 1: Build website
-FROM --platform=${BUILDPLATFORM} docker.io/library/node:22 as website-builder
+FROM --platform=${BUILDPLATFORM} docker.io/node:22 as website-builder
 
 ENV NODE_ENV=production
 
@@ -20,7 +20,7 @@ COPY ./SECURITY.md /work/
 RUN npm run build-bundled
 
 # Stage 2: Build webui
-FROM --platform=${BUILDPLATFORM} docker.io/library/node:22 as web-builder
+FROM --platform=${BUILDPLATFORM} docker.io/node:22 as web-builder
 
 ARG GIT_BUILD_HASH
 ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
@@ -30,9 +30,12 @@ WORKDIR /work/web
 
 RUN --mount=type=bind,target=/work/web/package.json,src=./web/package.json \
     --mount=type=bind,target=/work/web/package-lock.json,src=./web/package-lock.json \
-    --mount=type=bind,target=/work/web/packages/sfe/package.json,src=./web/packages/sfe/package.json \
+    --mount=type=bind,target=/work/web/sfe/package.json,src=./web/sfe/package.json \
+    --mount=type=bind,target=/work/web/sfe/package-lock.json,src=./web/sfe/package-lock.json \
     --mount=type=bind,target=/work/web/scripts,src=./web/scripts \
     --mount=type=cache,id=npm-web,sharing=shared,target=/root/.npm \
+    npm ci --include=dev && \
+    cd sfe && \
     npm ci --include=dev
 
 COPY ./package.json /work
@@ -40,7 +43,9 @@ COPY ./web /work/web/
 COPY ./website /work/website/
 COPY ./gen-ts-api /work/web/node_modules/@goauthentik/api
 
-RUN npm run build
+RUN npm run build && \
+    cd sfe && \
+    npm run build
 
 # Stage 3: Build go proxy
 FROM --platform=${BUILDPLATFORM} mcr.microsoft.com/oss/go/microsoft/golang:1.22-fips-bookworm AS go-builder
@@ -94,7 +99,7 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
     /bin/sh -c "/usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
 
 # Stage 5: Python dependencies
-FROM ghcr.io/goauthentik/fips-python:3.12.5-slim-bookworm-fips-full AS python-deps
+FROM ghcr.io/goauthentik/fips-python:3.12.3-slim-bookworm-fips-full AS python-deps
 
 WORKDIR /ak-root/poetry
 
@@ -121,7 +126,7 @@ RUN --mount=type=bind,target=./pyproject.toml,src=./pyproject.toml \
     pip install --force-reinstall /wheels/*"
 
 # Stage 6: Run
-FROM ghcr.io/goauthentik/fips-python:3.12.5-slim-bookworm-fips-full AS final-image
+FROM ghcr.io/goauthentik/fips-python:3.12.3-slim-bookworm-fips-full AS final-image
 
 ARG GIT_BUILD_HASH
 ARG VERSION

Makefile

@@ -47,8 +47,8 @@ test-go:
 	go test -timeout 0 -v -race -cover ./...
 
 test-docker:  ## Run all tests in a docker-compose
-	echo "PG_PASS=$(shell openssl rand 32 | base64 -w 0)" >> .env
-	echo "AUTHENTIK_SECRET_KEY=$(shell openssl rand 32 | base64 -w 0)" >> .env
+	echo "PG_PASS=$(shell openssl rand 32 | base64)" >> .env
+	echo "AUTHENTIK_SECRET_KEY=$(shell openssl rand 32 | base64)" >> .env
 	docker compose pull -q
 	docker compose up --no-start
 	docker compose start postgresql redis
@@ -60,11 +60,9 @@ test: ## Run the server tests and produce a coverage report (locally)
 	coverage html
 	coverage report
 
-lint-fix: lint-codespell  ## Lint and automatically fix errors in the python source code. Reports spelling errors.
+lint-fix:  ## Lint and automatically fix errors in the python source code. Reports spelling errors.
 	black $(PY_SOURCES)
 	ruff check --fix $(PY_SOURCES)
-
-lint-codespell:  ## Reports spelling errors.
 	codespell -w $(CODESPELL_ARGS)
 
 lint: ## Lint the python and golang sources
@@ -241,7 +239,7 @@ website: website-lint-fix website-build  ## Automatically fix formatting issues
 website-install:
 	cd website && npm ci
 
-website-lint-fix: lint-codespell
+website-lint-fix:
 	cd website && npm run prettier
 
 website-build:

authentik/__init__.py

@@ -2,7 +2,7 @@
 
 from os import environ
 
-__version__ = "2024.6.3"
+__version__ = "2024.6.2"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 

authentik/admin/api/system.py

@@ -73,7 +73,7 @@ class SystemInfoSerializer(PassiveSerializer):
             "authentik_version": get_full_version(),
             "environment": get_env(),
             "openssl_fips_enabled": (
-                backend._fips_enabled if LicenseKey.get_total().status().is_valid else None
+                backend._fips_enabled if LicenseKey.get_total().is_valid() else None
             ),
             "openssl_version": OPENSSL_VERSION,
             "platform": platform.platform(),

authentik/blueprints/management/commands/apply_blueprint.py

@@ -23,11 +23,9 @@ class Command(BaseCommand):
                 for blueprint_path in options.get("blueprints", []):
                     content = BlueprintInstance(path=blueprint_path).retrieve()
                     importer = Importer.from_string(content)
-                    valid, logs = importer.validate()
+                    valid, _ = importer.validate()
                     if not valid:
-                        self.stderr.write("Blueprint invalid")
-                        for log in logs:
-                            self.stderr.write(f"\t{log.logger}: {log.event}: {log.attributes}")
+                        self.stderr.write("blueprint invalid")
                         sys_exit(1)
                     importer.apply()
 

authentik/blueprints/management/commands/make_blueprint_schema.py

@@ -113,19 +113,16 @@ class Command(BaseCommand):
             )
             model_path = f"{model._meta.app_label}.{model._meta.model_name}"
             self.schema["properties"]["entries"]["items"]["oneOf"].append(
-                self.template_entry(model_path, model, serializer)
+                self.template_entry(model_path, serializer)
             )
 
-    def template_entry(self, model_path: str, model: type[Model], serializer: Serializer) -> dict:
+    def template_entry(self, model_path: str, serializer: Serializer) -> dict:
         """Template entry for a single model"""
         model_schema = self.to_jsonschema(serializer)
         model_schema["required"] = []
         def_name = f"model_{model_path}"
         def_path = f"#/$defs/{def_name}"
         self.schema["$defs"][def_name] = model_schema
-        def_name_perm = f"model_{model_path}_permissions"
-        def_path_perm = f"#/$defs/{def_name_perm}"
-        self.schema["$defs"][def_name_perm] = self.model_permissions(model)
         return {
             "type": "object",
             "required": ["model", "identifiers"],
@@ -138,7 +135,6 @@ class Command(BaseCommand):
                     "default": "present",
                 },
                 "conditions": {"type": "array", "items": {"type": "boolean"}},
-                "permissions": {"$ref": def_path_perm},
                 "attrs": {"$ref": def_path},
                 "identifiers": {"$ref": def_path},
             },
@@ -189,20 +185,3 @@ class Command(BaseCommand):
         if required:
             result["required"] = required
         return result
-
-    def model_permissions(self, model: type[Model]) -> dict:
-        perms = [x[0] for x in model._meta.permissions]
-        for action in model._meta.default_permissions:
-            perms.append(f"{action}_{model._meta.model_name}")
-        return {
-            "type": "array",
-            "items": {
-                "type": "object",
-                "required": ["permission"],
-                "properties": {
-                    "permission": {"type": "string", "enum": perms},
-                    "user": {"type": "integer"},
-                    "role": {"type": "string"},
-                },
-            },
-        }

authentik/blueprints/tests/fixtures/rbac_object.yaml

@@ -1,24 +0,0 @@
-version: 1
-entries:
-  - model: authentik_core.user
-    id: user
-    identifiers:
-      username: "%(id)s"
-    attrs:
-      name: "%(id)s"
-  - model: authentik_rbac.role
-    id: role
-    identifiers:
-      name: "%(id)s"
-  - model: authentik_flows.flow
-    identifiers:
-      slug: "%(id)s"
-    attrs:
-      designation: authentication
-      name: foo
-      title: foo
-    permissions:
-      - permission: view_flow
-        user: !KeyOf user
-      - permission: view_flow
-        role: !KeyOf role

authentik/blueprints/tests/fixtures/rbac_role.yaml

@@ -1,8 +0,0 @@
-version: 1
-entries:
-  - model: authentik_rbac.role
-    identifiers:
-      name: "%(id)s"
-    attrs:
-      permissions:
-        - authentik_blueprints.view_blueprintinstance

authentik/blueprints/tests/fixtures/rbac_user.yaml

@@ -1,9 +0,0 @@
-version: 1
-entries:
-  - model: authentik_core.user
-    identifiers:
-      username: "%(id)s"
-    attrs:
-      name: "%(id)s"
-      permissions:
-        - authentik_blueprints.view_blueprintinstance

authentik/blueprints/tests/test_v1_rbac.py

@@ -1,57 +0,0 @@
-"""Test blueprints v1"""
-
-from django.test import TransactionTestCase
-from guardian.shortcuts import get_perms
-
-from authentik.blueprints.v1.importer import Importer
-from authentik.core.models import User
-from authentik.flows.models import Flow
-from authentik.lib.generators import generate_id
-from authentik.lib.tests.utils import load_fixture
-from authentik.rbac.models import Role
-
-
-class TestBlueprintsV1RBAC(TransactionTestCase):
-    """Test Blueprints rbac attribute"""
-
-    def test_user_permission(self):
-        """Test permissions"""
-        uid = generate_id()
-        import_yaml = load_fixture("fixtures/rbac_user.yaml", id=uid)
-
-        importer = Importer.from_string(import_yaml)
-        self.assertTrue(importer.validate()[0])
-        self.assertTrue(importer.apply())
-        user = User.objects.filter(username=uid).first()
-        self.assertIsNotNone(user)
-        self.assertTrue(user.has_perms(["authentik_blueprints.view_blueprintinstance"]))
-
-    def test_role_permission(self):
-        """Test permissions"""
-        uid = generate_id()
-        import_yaml = load_fixture("fixtures/rbac_role.yaml", id=uid)
-
-        importer = Importer.from_string(import_yaml)
-        self.assertTrue(importer.validate()[0])
-        self.assertTrue(importer.apply())
-        role = Role.objects.filter(name=uid).first()
-        self.assertIsNotNone(role)
-        self.assertEqual(
-            list(role.group.permissions.all().values_list("codename", flat=True)),
-            ["view_blueprintinstance"],
-        )
-
-    def test_object_permission(self):
-        """Test permissions"""
-        uid = generate_id()
-        import_yaml = load_fixture("fixtures/rbac_object.yaml", id=uid)
-
-        importer = Importer.from_string(import_yaml)
-        self.assertTrue(importer.validate()[0])
-        self.assertTrue(importer.apply())
-        flow = Flow.objects.filter(slug=uid).first()
-        user = User.objects.filter(username=uid).first()
-        role = Role.objects.filter(name=uid).first()
-        self.assertIsNotNone(flow)
-        self.assertEqual(get_perms(user, flow), ["view_flow"])
-        self.assertEqual(get_perms(role.group, flow), ["view_flow"])

authentik/blueprints/v1/common.py

@@ -1,7 +1,7 @@
 """transfer common classes"""
 
 from collections import OrderedDict
-from collections.abc import Generator, Iterable, Mapping
+from collections.abc import Iterable, Mapping
 from copy import copy
 from dataclasses import asdict, dataclass, field, is_dataclass
 from enum import Enum
@@ -58,15 +58,6 @@ class BlueprintEntryDesiredState(Enum):
     MUST_CREATED = "must_created"
 
 
-@dataclass
-class BlueprintEntryPermission:
-    """Describe object-level permissions"""
-
-    permission: Union[str, "YAMLTag"]
-    user: Union[int, "YAMLTag", None] = field(default=None)
-    role: Union[str, "YAMLTag", None] = field(default=None)
-
-
 @dataclass
 class BlueprintEntry:
     """Single entry of a blueprint"""
@@ -78,7 +69,6 @@ class BlueprintEntry:
     conditions: list[Any] = field(default_factory=list)
     identifiers: dict[str, Any] = field(default_factory=dict)
     attrs: dict[str, Any] | None = field(default_factory=dict)
-    permissions: list[BlueprintEntryPermission] = field(default_factory=list)
 
     id: str | None = None
 
@@ -160,17 +150,6 @@ class BlueprintEntry:
         """Get the blueprint model, with yaml tags resolved if present"""
         return str(self.tag_resolver(self.model, blueprint))
 
-    def get_permissions(
-        self, blueprint: "Blueprint"
-    ) -> Generator[BlueprintEntryPermission, None, None]:
-        """Get permissions of this entry, with all yaml tags resolved"""
-        for perm in self.permissions:
-            yield BlueprintEntryPermission(
-                permission=self.tag_resolver(perm.permission, blueprint),
-                user=self.tag_resolver(perm.user, blueprint),
-                role=self.tag_resolver(perm.role, blueprint),
-            )
-
     def check_all_conditions_match(self, blueprint: "Blueprint") -> bool:
         """Check all conditions of this entry match (evaluate to True)"""
         return all(self.tag_resolver(self.conditions, blueprint))
@@ -328,10 +307,7 @@ class Find(YAMLTag):
         else:
             model_name = self.model_name
 
-        try:
-            model_class = apps.get_model(*model_name.split("."))
-        except LookupError as exc:
-            raise EntryInvalidError.from_entry(exc, entry) from exc
+        model_class = apps.get_model(*model_name.split("."))
 
         query = Q()
         for cond in self.conditions:

authentik/blueprints/v1/importer.py

@@ -16,7 +16,6 @@ from django.db.models.query_utils import Q
 from django.db.transaction import atomic
 from django.db.utils import IntegrityError
 from guardian.models import UserObjectPermission
-from guardian.shortcuts import assign_perm
 from rest_framework.exceptions import ValidationError
 from rest_framework.serializers import BaseSerializer, Serializer
 from structlog.stdlib import BoundLogger, get_logger
@@ -33,11 +32,9 @@ from authentik.blueprints.v1.common import (
 from authentik.blueprints.v1.meta.registry import BaseMetaModel, registry
 from authentik.core.models import (
     AuthenticatedSession,
-    GroupSourceConnection,
     PropertyMapping,
     Provider,
     Source,
-    User,
     UserSourceConnection,
 )
 from authentik.enterprise.license import LicenseKey
@@ -57,13 +54,11 @@ from authentik.events.utils import cleanse_dict
 from authentik.flows.models import FlowToken, Stage
 from authentik.lib.models import SerializerModel
 from authentik.lib.sentry import SentryIgnoredException
-from authentik.lib.utils.reflection import get_apps
 from authentik.outposts.models import OutpostServiceConnection
 from authentik.policies.models import Policy, PolicyBindingModel
 from authentik.policies.reputation.models import Reputation
 from authentik.providers.oauth2.models import AccessToken, AuthorizationCode, RefreshToken
 from authentik.providers.scim.models import SCIMProviderGroup, SCIMProviderUser
-from authentik.rbac.models import Role
 from authentik.sources.scim.models import SCIMSourceGroup, SCIMSourceUser
 from authentik.stages.authenticator_webauthn.models import WebAuthnDeviceType
 from authentik.tenants.models import Tenant
@@ -92,7 +87,6 @@ def excluded_models() -> list[type[Model]]:
         Source,
         PropertyMapping,
         UserSourceConnection,
-        GroupSourceConnection,
         Stage,
         OutpostServiceConnection,
         Policy,
@@ -142,16 +136,6 @@ def transaction_rollback():
         pass
 
 
-def rbac_models() -> dict:
-    models = {}
-    for app in get_apps():
-        for model in app.get_models():
-            if not is_model_allowed(model):
-                continue
-            models[model._meta.model_name] = app.label
-    return models
-
-
 class Importer:
     """Import Blueprint from raw dict or YAML/JSON"""
 
@@ -170,10 +154,7 @@ class Importer:
 
     def default_context(self):
         """Default context"""
-        return {
-            "goauthentik.io/enterprise/licensed": LicenseKey.get_total().status().is_valid,
-            "goauthentik.io/rbac/models": rbac_models(),
-        }
+        return {"goauthentik.io/enterprise/licensed": LicenseKey.get_total().is_valid()}
 
     @staticmethod
     def from_string(yaml_input: str, context: dict | None = None) -> "Importer":
@@ -233,17 +214,14 @@ class Importer:
 
         return main_query | sub_query
 
-    def _validate_single(self, entry: BlueprintEntry) -> BaseSerializer | None:  # noqa: PLR0915
+    def _validate_single(self, entry: BlueprintEntry) -> BaseSerializer | None:
         """Validate a single entry"""
         if not entry.check_all_conditions_match(self._import):
             self.logger.debug("One or more conditions of this entry are not fulfilled, skipping")
             return None
 
         model_app_label, model_name = entry.get_model(self._import).split(".")
-        try:
-            model: type[SerializerModel] = registry.get_model(model_app_label, model_name)
-        except LookupError as exc:
-            raise EntryInvalidError.from_entry(exc, entry) from exc
+        model: type[SerializerModel] = registry.get_model(model_app_label, model_name)
         # Don't use isinstance since we don't want to check for inheritance
         if not is_model_allowed(model):
             raise EntryInvalidError.from_entry(f"Model {model} not allowed", entry)
@@ -318,7 +296,10 @@ class Importer:
         try:
             full_data = self.__update_pks_for_attrs(entry.get_attrs(self._import))
         except ValueError as exc:
-            raise EntryInvalidError.from_entry(exc, entry) from exc
+            raise EntryInvalidError.from_entry(
+                exc,
+                entry,
+            ) from exc
         always_merger.merge(full_data, updated_identifiers)
         serializer_kwargs["data"] = full_data
 
@@ -339,15 +320,6 @@ class Importer:
             ) from exc
         return serializer
 
-    def _apply_permissions(self, instance: Model, entry: BlueprintEntry):
-        """Apply object-level permissions for an entry"""
-        for perm in entry.get_permissions(self._import):
-            if perm.user is not None:
-                assign_perm(perm.permission, User.objects.get(pk=perm.user), instance)
-            if perm.role is not None:
-                role = Role.objects.get(pk=perm.role)
-                role.assign_permission(perm.permission, obj=instance)
-
     def apply(self) -> bool:
         """Apply (create/update) models yaml, in database transaction"""
         try:
@@ -412,7 +384,6 @@ class Importer:
                 if "pk" in entry.identifiers:
                     self.__pk_map[entry.identifiers["pk"]] = instance.pk
                 entry._state = BlueprintEntryState(instance)
-                self._apply_permissions(instance, entry)
             elif state == BlueprintEntryDesiredState.ABSENT:
                 instance: Model | None = serializer.instance
                 if instance.pk:

authentik/brands/api.py

@@ -55,7 +55,6 @@ class BrandSerializer(ModelSerializer):
             "flow_unenrollment",
             "flow_user_settings",
             "flow_device_code",
-            "default_application",
             "web_certificate",
             "attributes",
         ]

authentik/brands/apps.py

@@ -9,6 +9,3 @@ class AuthentikBrandsConfig(AppConfig):
     name = "authentik.brands"
     label = "authentik_brands"
     verbose_name = "authentik Brands"
-    mountpoints = {
-        "authentik.brands.urls_root": "",
-    }

authentik/brands/migrations/0007_brand_default_application.py

@@ -1,26 +0,0 @@
-# Generated by Django 5.0.6 on 2024-07-04 20:32
-
-import django.db.models.deletion
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_brands", "0006_brand_authentik_b_domain_b9b24a_idx_and_more"),
-        ("authentik_core", "0035_alter_group_options_and_more"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="brand",
-            name="default_application",
-            field=models.ForeignKey(
-                default=None,
-                help_text="When set, external users will be redirected to this application after authenticating.",
-                null=True,
-                on_delete=django.db.models.deletion.SET_DEFAULT,
-                to="authentik_core.application",
-            ),
-        ),
-    ]

authentik/brands/models.py

@@ -3,7 +3,6 @@
 from uuid import uuid4
 
 from django.db import models
-from django.http import HttpRequest
 from django.utils.translation import gettext_lazy as _
 from rest_framework.serializers import Serializer
 from structlog.stdlib import get_logger
@@ -52,16 +51,6 @@ class Brand(SerializerModel):
         Flow, null=True, on_delete=models.SET_NULL, related_name="brand_device_code"
     )
 
-    default_application = models.ForeignKey(
-        "authentik_core.Application",
-        null=True,
-        default=None,
-        on_delete=models.SET_DEFAULT,
-        help_text=_(
-            "When set, external users will be redirected to this application after authenticating."
-        ),
-    )
-
     web_certificate = models.ForeignKey(
         CertificateKeyPair,
         null=True,
@@ -99,13 +88,3 @@ class Brand(SerializerModel):
             models.Index(fields=["domain"]),
             models.Index(fields=["default"]),
         ]
-
-
-class WebfingerProvider(models.Model):
-    """Provider which supports webfinger discovery"""
-
-    class Meta:
-        abstract = True
-
-    def webfinger(self, resource: str, request: HttpRequest) -> dict:
-        raise NotImplementedError()

authentik/brands/tests.py

@@ -5,11 +5,7 @@ from rest_framework.test import APITestCase
 
 from authentik.brands.api import Themes
 from authentik.brands.models import Brand
-from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_brand
-from authentik.lib.generators import generate_id
-from authentik.providers.oauth2.models import OAuth2Provider
-from authentik.providers.saml.models import SAMLProvider
 
 
 class TestBrands(APITestCase):
@@ -79,45 +75,3 @@ class TestBrands(APITestCase):
             reverse("authentik_api:brand-list"), data={"domain": "bar", "default": True}
         )
         self.assertEqual(response.status_code, 400)
-
-    def test_webfinger_no_app(self):
-        """Test Webfinger"""
-        create_test_brand()
-        self.assertJSONEqual(
-            self.client.get(reverse("authentik_brands:webfinger")).content.decode(), {}
-        )
-
-    def test_webfinger_not_supported(self):
-        """Test Webfinger"""
-        brand = create_test_brand()
-        provider = SAMLProvider.objects.create(
-            name=generate_id(),
-        )
-        app = Application.objects.create(name=generate_id(), slug=generate_id(), provider=provider)
-        brand.default_application = app
-        brand.save()
-        self.assertJSONEqual(
-            self.client.get(reverse("authentik_brands:webfinger")).content.decode(), {}
-        )
-
-    def test_webfinger_oidc(self):
-        """Test Webfinger"""
-        brand = create_test_brand()
-        provider = OAuth2Provider.objects.create(
-            name=generate_id(),
-        )
-        app = Application.objects.create(name=generate_id(), slug=generate_id(), provider=provider)
-        brand.default_application = app
-        brand.save()
-        self.assertJSONEqual(
-            self.client.get(reverse("authentik_brands:webfinger")).content.decode(),
-            {
-                "links": [
-                    {
-                        "href": f"http://testserver/application/o/{app.slug}/",
-                        "rel": "http://openid.net/specs/connect/1.0/issuer",
-                    }
-                ],
-                "subject": None,
-            },
-        )

authentik/brands/urls_root.py

@@ -1,9 +0,0 @@
-"""authentik brand root URLs"""
-
-from django.urls import path
-
-from authentik.brands.views.webfinger import WebFingerView
-
-urlpatterns = [
-    path(".well-known/webfinger", WebFingerView.as_view(), name="webfinger"),
-]

authentik/brands/utils.py

@@ -5,7 +5,7 @@ from typing import Any
 from django.db.models import F, Q
 from django.db.models import Value as V
 from django.http.request import HttpRequest
-from sentry_sdk import get_current_span
+from sentry_sdk.hub import Hub
 
 from authentik import get_full_version
 from authentik.brands.models import Brand
@@ -33,7 +33,7 @@ def context_processor(request: HttpRequest) -> dict[str, Any]:
     brand = getattr(request, "brand", DEFAULT_BRAND)
     tenant = getattr(request, "tenant", Tenant())
     trace = ""
-    span = get_current_span()
+    span = Hub.current.scope.span
     if span:
         trace = span.to_traceparent()
     return {

authentik/brands/views/webfinger.py

@@ -1,29 +0,0 @@
-from typing import Any
-
-from django.http import HttpRequest, HttpResponse, JsonResponse
-from django.views import View
-
-from authentik.brands.models import Brand, WebfingerProvider
-from authentik.core.models import Application
-
-
-class WebFingerView(View):
-    """Webfinger endpoint"""
-
-    def get(self, request: HttpRequest) -> HttpResponse:
-        brand: Brand = request.brand
-        if not brand.default_application:
-            return JsonResponse({})
-        application: Application = brand.default_application
-        provider = application.get_provider()
-        if not provider or not isinstance(provider, WebfingerProvider):
-            return JsonResponse({})
-        webfinger_data = provider.webfinger(request.GET.get("resource"), request)
-        return JsonResponse(webfinger_data)
-
-    def dispatch(self, request: HttpRequest, *args: Any, **kwargs: Any) -> HttpResponse:
-        response = super().dispatch(request, *args, **kwargs)
-        # RFC7033 spec
-        response["Access-Control-Allow-Origin"] = "*"
-        response["Content-Type"] = "application/jrd+json"
-        return response

authentik/core/api/applications.py

@@ -103,12 +103,7 @@ class ApplicationSerializer(ModelSerializer):
 class ApplicationViewSet(UsedByMixin, ModelViewSet):
     """Application Viewset"""
 
-    queryset = (
-        Application.objects.all()
-        .with_provider()
-        .prefetch_related("policies")
-        .prefetch_related("backchannel_providers")
-    )
+    queryset = Application.objects.all().prefetch_related("provider")
     serializer_class = ApplicationSerializer
     search_fields = [
         "name",
@@ -152,15 +147,6 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
                 applications.append(application)
         return applications
 
-    def _filter_applications_with_launch_url(
-        self, pagined_apps: Iterator[Application]
-    ) -> list[Application]:
-        applications = []
-        for app in pagined_apps:
-            if app.get_launch_url():
-                applications.append(app)
-        return applications
-
     @extend_schema(
         parameters=[
             OpenApiParameter(
@@ -218,11 +204,6 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
                 location=OpenApiParameter.QUERY,
                 type=OpenApiTypes.INT,
             ),
-            OpenApiParameter(
-                name="only_with_launch_url",
-                location=OpenApiParameter.QUERY,
-                type=OpenApiTypes.BOOL,
-            ),
         ]
     )
     def list(self, request: Request) -> Response:
@@ -235,10 +216,6 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
         if superuser_full_list and request.user.is_superuser:
             return super().list(request)
 
-        only_with_launch_url = str(
-            request.query_params.get("only_with_launch_url", "false")
-        ).lower()
-
         queryset = self._filter_queryset_for_list(self.get_queryset())
         paginator: Pagination = self.paginator
         paginated_apps = paginator.paginate_queryset(queryset, request)
@@ -274,10 +251,6 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
                     allowed_applications,
                     timeout=86400,
                 )
-
-        if only_with_launch_url == "true":
-            allowed_applications = self._filter_applications_with_launch_url(allowed_applications)
-
         serializer = self.get_serializer(allowed_applications, many=True)
         return self.get_paginated_response(serializer.data)
 

authentik/core/api/devices.py

@@ -2,13 +2,7 @@
 
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, extend_schema
-from rest_framework.fields import (
-    BooleanField,
-    CharField,
-    DateTimeField,
-    IntegerField,
-    SerializerMethodField,
-)
+from rest_framework.fields import BooleanField, CharField, IntegerField, SerializerMethodField
 from rest_framework.permissions import IsAdminUser, IsAuthenticated
 from rest_framework.request import Request
 from rest_framework.response import Response
@@ -26,9 +20,6 @@ class DeviceSerializer(MetaNameSerializer):
     name = CharField()
     type = SerializerMethodField()
     confirmed = BooleanField()
-    created = DateTimeField(read_only=True)
-    last_updated = DateTimeField(read_only=True)
-    last_used = DateTimeField(read_only=True, allow_null=True)
 
     def get_type(self, instance: Device) -> str:
         """Get type of device"""

authentik/core/api/property_mappings.py

@@ -2,15 +2,8 @@
 
 from json import dumps
 
-from django_filters.filters import AllValuesMultipleFilter, BooleanFilter
-from django_filters.filterset import FilterSet
 from drf_spectacular.types import OpenApiTypes
-from drf_spectacular.utils import (
-    OpenApiParameter,
-    OpenApiResponse,
-    extend_schema,
-    extend_schema_field,
-)
+from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_schema
 from guardian.shortcuts import get_objects_for_user
 from rest_framework import mixins
 from rest_framework.decorators import action
@@ -74,18 +67,6 @@ class PropertyMappingSerializer(ManagedSerializer, ModelSerializer, MetaNameSeri
         ]
 
 
-class PropertyMappingFilterSet(FilterSet):
-    """Filter for PropertyMapping"""
-
-    managed = extend_schema_field(OpenApiTypes.STR)(AllValuesMultipleFilter(field_name="managed"))
-
-    managed__isnull = BooleanFilter(field_name="managed", lookup_expr="isnull")
-
-    class Meta:
-        model = PropertyMapping
-        fields = ["name", "managed"]
-
-
 class PropertyMappingViewSet(
     TypesMixin,
     mixins.RetrieveModelMixin,
@@ -106,9 +87,11 @@ class PropertyMappingViewSet(
 
     queryset = PropertyMapping.objects.select_subclasses()
     serializer_class = PropertyMappingSerializer
-    filterset_class = PropertyMappingFilterSet
+    search_fields = [
+        "name",
+    ]
+    filterset_fields = {"managed": ["isnull"]}
     ordering = ["name"]
-    search_fields = ["name"]
 
     @permission_required("authentik_core.view_propertymapping")
     @extend_schema(

authentik/core/api/sources.py

@@ -19,7 +19,7 @@ from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.core.api.object_types import TypesMixin
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import MetaNameSerializer, ModelSerializer
-from authentik.core.models import GroupSourceConnection, Source, UserSourceConnection
+from authentik.core.models import Source, UserSourceConnection
 from authentik.core.types import UserSettingSerializer
 from authentik.lib.utils.file import (
     FilePathSerializer,
@@ -60,8 +60,6 @@ class SourceSerializer(ModelSerializer, MetaNameSerializer):
             "enabled",
             "authentication_flow",
             "enrollment_flow",
-            "user_property_mappings",
-            "group_property_mappings",
             "component",
             "verbose_name",
             "verbose_name_plural",
@@ -190,47 +188,6 @@ class UserSourceConnectionViewSet(
     queryset = UserSourceConnection.objects.all()
     serializer_class = UserSourceConnectionSerializer
     permission_classes = [OwnerSuperuserPermissions]
-    filterset_fields = ["user", "source__slug"]
-    search_fields = ["source__slug"]
+    filterset_fields = ["user"]
     filter_backends = [OwnerFilter, DjangoFilterBackend, OrderingFilter, SearchFilter]
-    ordering = ["source__slug", "pk"]
-
-
-class GroupSourceConnectionSerializer(SourceSerializer):
-    """Group Source Connection Serializer"""
-
-    source = SourceSerializer(read_only=True)
-
-    class Meta:
-        model = GroupSourceConnection
-        fields = [
-            "pk",
-            "group",
-            "source",
-            "identifier",
-            "created",
-        ]
-        extra_kwargs = {
-            "group": {"read_only": True},
-            "identifier": {"read_only": True},
-            "created": {"read_only": True},
-        }
-
-
-class GroupSourceConnectionViewSet(
-    mixins.RetrieveModelMixin,
-    mixins.UpdateModelMixin,
-    mixins.DestroyModelMixin,
-    UsedByMixin,
-    mixins.ListModelMixin,
-    GenericViewSet,
-):
-    """Group-source connection Viewset"""
-
-    queryset = GroupSourceConnection.objects.all()
-    serializer_class = GroupSourceConnectionSerializer
-    permission_classes = [OwnerSuperuserPermissions]
-    filterset_fields = ["group", "source__slug"]
-    search_fields = ["source__slug"]
-    filter_backends = [OwnerFilter, DjangoFilterBackend, OrderingFilter, SearchFilter]
-    ordering = ["source__slug", "pk"]
+    ordering = ["pk"]

authentik/core/api/users.py

@@ -5,7 +5,6 @@ from json import loads
 from typing import Any
 
 from django.contrib.auth import update_session_auth_hash
-from django.contrib.auth.models import Permission
 from django.contrib.sessions.backends.cache import KEY_PREFIX
 from django.core.cache import cache
 from django.db.models.functions import ExtractHour
@@ -34,21 +33,15 @@ from drf_spectacular.utils import (
 )
 from guardian.shortcuts import get_objects_for_user
 from rest_framework.decorators import action
-from rest_framework.exceptions import ValidationError
-from rest_framework.fields import (
-    BooleanField,
-    CharField,
-    ChoiceField,
-    DateTimeField,
-    IntegerField,
-    ListField,
-    SerializerMethodField,
-)
+from rest_framework.fields import CharField, IntegerField, ListField, SerializerMethodField
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import (
+    BooleanField,
+    DateTimeField,
     ListSerializer,
     PrimaryKeyRelatedField,
+    ValidationError,
 )
 from rest_framework.validators import UniqueValidator
 from rest_framework.viewsets import ModelViewSet
@@ -85,7 +78,6 @@ from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlanner
 from authentik.flows.views.executor import QS_KEY_TOKEN
 from authentik.lib.avatars import get_avatar
 from authentik.rbac.decorators import permission_required
-from authentik.rbac.models import get_permission_choices
 from authentik.stages.email.models import EmailStage
 from authentik.stages.email.tasks import send_mails
 from authentik.stages.email.utils import TemplateEmailMessage
@@ -149,19 +141,12 @@ class UserSerializer(ModelSerializer):
         super().__init__(*args, **kwargs)
         if SERIALIZER_CONTEXT_BLUEPRINT in self.context:
             self.fields["password"] = CharField(required=False, allow_null=True)
-            self.fields["permissions"] = ListField(
-                required=False, child=ChoiceField(choices=get_permission_choices())
-            )
 
     def create(self, validated_data: dict) -> User:
         """If this serializer is used in the blueprint context, we allow for
         directly setting a password. However should be done via the `set_password`
         method instead of directly setting it like rest_framework."""
         password = validated_data.pop("password", None)
-        permissions = Permission.objects.filter(
-            codename__in=[x.split(".")[1] for x in validated_data.pop("permissions", [])]
-        )
-        validated_data["user_permissions"] = permissions
         instance: User = super().create(validated_data)
         self._set_password(instance, password)
         return instance
@@ -170,10 +155,6 @@ class UserSerializer(ModelSerializer):
         """Same as `create` above, set the password directly if we're in a blueprint
         context"""
         password = validated_data.pop("password", None)
-        permissions = Permission.objects.filter(
-            codename__in=[x.split(".")[1] for x in validated_data.pop("permissions", [])]
-        )
-        validated_data["user_permissions"] = permissions
         instance = super().update(instance, validated_data)
         self._set_password(instance, password)
         return instance

authentik/core/management/commands/change_user_type.py

@@ -1,28 +0,0 @@
-"""Change user type"""
-
-from authentik.core.models import User, UserTypes
-from authentik.tenants.management import TenantCommand
-
-
-class Command(TenantCommand):
-    """Change user type"""
-
-    def add_arguments(self, parser):
-        parser.add_argument("--type", type=str, required=True)
-        parser.add_argument("--all", action="store_true")
-        parser.add_argument("usernames", nargs="+", type=str)
-
-    def handle_per_tenant(self, **options):
-        new_type = UserTypes(options["type"])
-        qs = (
-            User.objects.exclude_anonymous()
-            .exclude(type=UserTypes.SERVICE_ACCOUNT)
-            .exclude(type=UserTypes.INTERNAL_SERVICE_ACCOUNT)
-        )
-        if options["usernames"] and options["all"]:
-            self.stderr.write("--all and usernames specified, only one can be specified")
-            return
-        if options["usernames"] and not options["all"]:
-            qs = qs.filter(username__in=options["usernames"])
-        updated = qs.update(type=new_type)
-        self.stdout.write(f"Updated {updated} users.")

authentik/core/migrations/0036_source_group_property_mappings_and_more.py

@@ -1,43 +0,0 @@
-# Generated by Django 5.0.2 on 2024-02-29 11:05
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_core", "0035_alter_group_options_and_more"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="source",
-            name="group_property_mappings",
-            field=models.ManyToManyField(
-                blank=True,
-                default=None,
-                related_name="source_grouppropertymappings_set",
-                to="authentik_core.propertymapping",
-            ),
-        ),
-        migrations.AddField(
-            model_name="source",
-            name="user_property_mappings",
-            field=models.ManyToManyField(
-                blank=True,
-                default=None,
-                related_name="source_userpropertymappings_set",
-                to="authentik_core.propertymapping",
-            ),
-        ),
-        migrations.AlterField(
-            model_name="source",
-            name="property_mappings",
-            field=models.ManyToManyField(
-                blank=True,
-                default=None,
-                related_name="source_set",
-                to="authentik_core.propertymapping",
-            ),
-        ),
-    ]

authentik/core/migrations/0037_remove_source_property_mappings.py

@@ -1,18 +0,0 @@
-# Generated by Django 5.0.2 on 2024-02-29 11:21
-
-from django.db import migrations
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_sources_ldap", "0005_remove_ldappropertymapping_object_field_and_more"),
-        ("authentik_core", "0036_source_group_property_mappings_and_more"),
-    ]
-
-    operations = [
-        migrations.RemoveField(
-            model_name="source",
-            name="property_mappings",
-        ),
-    ]

authentik/core/migrations/0038_source_authentik_c_enabled_d72365_idx.py

@@ -1,19 +0,0 @@
-# Generated by Django 5.0.7 on 2024-07-22 13:32
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_core", "0037_remove_source_property_mappings"),
-        ("authentik_flows", "0027_auto_20231028_1424"),
-        ("authentik_policies", "0011_policybinding_failure_result_and_more"),
-    ]
-
-    operations = [
-        migrations.AddIndex(
-            model_name="source",
-            index=models.Index(fields=["enabled"], name="authentik_c_enabled_d72365_idx"),
-        ),
-    ]

authentik/core/migrations/0039_source_group_matching_mode_alter_group_name_and_more.py

@@ -1,67 +0,0 @@
-# Generated by Django 5.0.7 on 2024-08-01 18:52
-
-import django.db.models.deletion
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_core", "0038_source_authentik_c_enabled_d72365_idx"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="source",
-            name="group_matching_mode",
-            field=models.TextField(
-                choices=[
-                    ("identifier", "Use the source-specific identifier"),
-                    (
-                        "name_link",
-                        "Link to a group with identical name. Can have security implications when a group name is used with another source.",
-                    ),
-                    (
-                        "name_deny",
-                        "Use the group name, but deny enrollment when the name already exists.",
-                    ),
-                ],
-                default="identifier",
-                help_text="How the source determines if an existing group should be used or a new group created.",
-            ),
-        ),
-        migrations.AlterField(
-            model_name="group",
-            name="name",
-            field=models.TextField(verbose_name="name"),
-        ),
-        migrations.CreateModel(
-            name="GroupSourceConnection",
-            fields=[
-                (
-                    "id",
-                    models.AutoField(
-                        auto_created=True, primary_key=True, serialize=False, verbose_name="ID"
-                    ),
-                ),
-                ("created", models.DateTimeField(auto_now_add=True)),
-                ("last_updated", models.DateTimeField(auto_now=True)),
-                ("identifier", models.TextField()),
-                (
-                    "group",
-                    models.ForeignKey(
-                        on_delete=django.db.models.deletion.CASCADE, to="authentik_core.group"
-                    ),
-                ),
-                (
-                    "source",
-                    models.ForeignKey(
-                        on_delete=django.db.models.deletion.CASCADE, to="authentik_core.source"
-                    ),
-                ),
-            ],
-            options={
-                "unique_together": {("group", "source")},
-            },
-        ),
-    ]

authentik/core/models.py

@@ -11,7 +11,6 @@ from django.contrib.auth.models import AbstractUser
 from django.contrib.auth.models import UserManager as DjangoUserManager
 from django.db import models
 from django.db.models import Q, QuerySet, options
-from django.db.models.constants import LOOKUP_SEP
 from django.http import HttpRequest
 from django.utils.functional import SimpleLazyObject, cached_property
 from django.utils.timezone import now
@@ -29,7 +28,6 @@ from authentik.core.types import UILoginButton, UserSettingSerializer
 from authentik.lib.avatars import get_avatar
 from authentik.lib.expression.exceptions import ControlFlowException
 from authentik.lib.generators import generate_id
-from authentik.lib.merge import MERGE_LIST_UNIQUE
 from authentik.lib.models import (
     CreatedUpdatedModel,
     DomainlessFormattedURLValidator,
@@ -102,38 +100,6 @@ class UserTypes(models.TextChoices):
     INTERNAL_SERVICE_ACCOUNT = "internal_service_account"
 
 
-class AttributesMixin(models.Model):
-    """Adds an attributes property to a model"""
-
-    attributes = models.JSONField(default=dict, blank=True)
-
-    class Meta:
-        abstract = True
-
-    def update_attributes(self, properties: dict[str, Any]):
-        """Update fields and attributes, but correctly by merging dicts"""
-        for key, value in properties.items():
-            if key == "attributes":
-                continue
-            setattr(self, key, value)
-        final_attributes = {}
-        MERGE_LIST_UNIQUE.merge(final_attributes, self.attributes)
-        MERGE_LIST_UNIQUE.merge(final_attributes, properties.get("attributes", {}))
-        self.attributes = final_attributes
-        self.save()
-
-    @classmethod
-    def update_or_create_attributes(
-        cls, query: dict[str, Any], properties: dict[str, Any]
-    ) -> tuple[models.Model, bool]:
-        """Same as django's update_or_create but correctly updates attributes by merging dicts"""
-        instance = cls.objects.filter(**query).first()
-        if not instance:
-            return cls.objects.create(**properties), True
-        instance.update_attributes(properties)
-        return instance, False
-
-
 class GroupQuerySet(CTEQuerySet):
     def with_children_recursive(self):
         """Recursively get all groups that have the current queryset as parents
@@ -168,12 +134,12 @@ class GroupQuerySet(CTEQuerySet):
         return cte.join(Group, group_uuid=cte.col.group_uuid).with_cte(cte)
 
 
-class Group(SerializerModel, AttributesMixin):
+class Group(SerializerModel):
     """Group model which supports a basic hierarchy and has attributes"""
 
     group_uuid = models.UUIDField(primary_key=True, editable=False, default=uuid4)
 
-    name = models.TextField(_("name"))
+    name = models.CharField(_("name"), max_length=80)
     is_superuser = models.BooleanField(
         default=False, help_text=_("Users added to this group will be superusers.")
     )
@@ -188,27 +154,10 @@ class Group(SerializerModel, AttributesMixin):
         on_delete=models.SET_NULL,
         related_name="children",
     )
+    attributes = models.JSONField(default=dict, blank=True)
 
     objects = GroupQuerySet.as_manager()
 
-    class Meta:
-        unique_together = (
-            (
-                "name",
-                "parent",
-            ),
-        )
-        indexes = [models.Index(fields=["name"])]
-        verbose_name = _("Group")
-        verbose_name_plural = _("Groups")
-        permissions = [
-            ("add_user_to_group", _("Add user to group")),
-            ("remove_user_from_group", _("Remove user from group")),
-        ]
-
-    def __str__(self):
-        return f"Group {self.name}"
-
     @property
     def serializer(self) -> Serializer:
         from authentik.core.api.groups import GroupSerializer
@@ -233,6 +182,24 @@ class Group(SerializerModel, AttributesMixin):
             qs = Group.objects.filter(group_uuid=self.group_uuid)
         return qs.with_children_recursive()
 
+    def __str__(self):
+        return f"Group {self.name}"
+
+    class Meta:
+        unique_together = (
+            (
+                "name",
+                "parent",
+            ),
+        )
+        indexes = [models.Index(fields=["name"])]
+        verbose_name = _("Group")
+        verbose_name_plural = _("Groups")
+        permissions = [
+            ("add_user_to_group", _("Add user to group")),
+            ("remove_user_from_group", _("Remove user from group")),
+        ]
+
 
 class UserQuerySet(models.QuerySet):
     """User queryset"""
@@ -258,7 +225,7 @@ class UserManager(DjangoUserManager):
         return self.get_queryset().exclude_anonymous()
 
 
-class User(SerializerModel, GuardianUserMixin, AttributesMixin, AbstractUser):
+class User(SerializerModel, GuardianUserMixin, AbstractUser):
     """authentik User model, based on django's contrib auth user model."""
 
     uuid = models.UUIDField(default=uuid4, editable=False, unique=True)
@@ -270,30 +237,10 @@ class User(SerializerModel, GuardianUserMixin, AttributesMixin, AbstractUser):
     ak_groups = models.ManyToManyField("Group", related_name="users")
     password_change_date = models.DateTimeField(auto_now_add=True)
 
+    attributes = models.JSONField(default=dict, blank=True)
+
     objects = UserManager()
 
-    class Meta:
-        verbose_name = _("User")
-        verbose_name_plural = _("Users")
-        permissions = [
-            ("reset_user_password", _("Reset Password")),
-            ("impersonate", _("Can impersonate other users")),
-            ("assign_user_permissions", _("Can assign permissions to users")),
-            ("unassign_user_permissions", _("Can unassign permissions from users")),
-            ("preview_user", _("Can preview user data sent to providers")),
-            ("view_user_applications", _("View applications the user has access to")),
-        ]
-        indexes = [
-            models.Index(fields=["last_login"]),
-            models.Index(fields=["password_change_date"]),
-            models.Index(fields=["uuid"]),
-            models.Index(fields=["path"]),
-            models.Index(fields=["type"]),
-        ]
-
-    def __str__(self):
-        return self.username
-
     @staticmethod
     def default_path() -> str:
         """Get the default user path"""
@@ -375,6 +322,25 @@ class User(SerializerModel, GuardianUserMixin, AttributesMixin, AbstractUser):
         """Get avatar, depending on authentik.avatar setting"""
         return get_avatar(self)
 
+    class Meta:
+        verbose_name = _("User")
+        verbose_name_plural = _("Users")
+        permissions = [
+            ("reset_user_password", _("Reset Password")),
+            ("impersonate", _("Can impersonate other users")),
+            ("assign_user_permissions", _("Can assign permissions to users")),
+            ("unassign_user_permissions", _("Can unassign permissions from users")),
+            ("preview_user", _("Can preview user data sent to providers")),
+            ("view_user_applications", _("View applications the user has access to")),
+        ]
+        indexes = [
+            models.Index(fields=["last_login"]),
+            models.Index(fields=["password_change_date"]),
+            models.Index(fields=["uuid"]),
+            models.Index(fields=["path"]),
+            models.Index(fields=["type"]),
+        ]
+
 
 class Provider(SerializerModel):
     """Application-independent Provider instance. For example SAML2 Remote, OAuth2 Application"""
@@ -462,16 +428,6 @@ class BackchannelProvider(Provider):
         abstract = True
 
 
-class ApplicationQuerySet(QuerySet):
-    def with_provider(self) -> "QuerySet[Application]":
-        qs = self.select_related("provider")
-        for subclass in Provider.objects.get_queryset()._get_subclasses_recurse(Provider):
-            if LOOKUP_SEP in subclass:
-                continue
-            qs = qs.select_related(f"provider__{subclass}")
-        return qs
-
-
 class Application(SerializerModel, PolicyBindingModel):
     """Every Application which uses authentik for authentication/identification/authorization
     needs an Application record. Other authentication types can subclass this Model to
@@ -503,8 +459,6 @@ class Application(SerializerModel, PolicyBindingModel):
     meta_description = models.TextField(default="", blank=True)
     meta_publisher = models.TextField(default="", blank=True)
 
-    objects = ApplicationQuerySet.as_manager()
-
     @property
     def serializer(self) -> Serializer:
         from authentik.core.api.applications import ApplicationSerializer
@@ -541,19 +495,16 @@ class Application(SerializerModel, PolicyBindingModel):
         return url
 
     def get_provider(self) -> Provider | None:
-        """Get casted provider instance. Needs Application queryset with_provider"""
+        """Get casted provider instance"""
         if not self.provider:
             return None
-
-        for subclass in Provider.objects.get_queryset()._get_subclasses_recurse(Provider):
-            # We don't care about recursion, skip nested models
-            if LOOKUP_SEP in subclass:
-                continue
-            try:
-                return getattr(self.provider, subclass)
-            except AttributeError:
-                pass
-        return None
+        # if the Application class has been cache, self.provider is set
+        # but doing a direct query lookup will fail.
+        # In that case, just return None
+        try:
+            return Provider.objects.get_subclass(pk=self.provider.pk)
+        except Provider.DoesNotExist:
+            return None
 
     def __str__(self):
         return str(self.name)
@@ -583,19 +534,6 @@ class SourceUserMatchingModes(models.TextChoices):
     )
 
 
-class SourceGroupMatchingModes(models.TextChoices):
-    """Different modes a source can handle new/returning groups"""
-
-    IDENTIFIER = "identifier", _("Use the source-specific identifier")
-    NAME_LINK = "name_link", _(
-        "Link to a group with identical name. Can have security implications "
-        "when a group name is used with another source."
-    )
-    NAME_DENY = "name_deny", _(
-        "Use the group name, but deny enrollment when the name already exists."
-    )
-
-
 class Source(ManagedModel, SerializerModel, PolicyBindingModel):
     """Base Authentication source, i.e. an OAuth Provider, SAML Remote or LDAP Server"""
 
@@ -605,12 +543,7 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
     user_path_template = models.TextField(default="goauthentik.io/sources/%(slug)s")
 
     enabled = models.BooleanField(default=True)
-    user_property_mappings = models.ManyToManyField(
-        "PropertyMapping", default=None, blank=True, related_name="source_userpropertymappings_set"
-    )
-    group_property_mappings = models.ManyToManyField(
-        "PropertyMapping", default=None, blank=True, related_name="source_grouppropertymappings_set"
-    )
+    property_mappings = models.ManyToManyField("PropertyMapping", default=None, blank=True)
     icon = models.FileField(
         upload_to="source-icons/",
         default=None,
@@ -645,14 +578,6 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
             "a new user enrolled."
         ),
     )
-    group_matching_mode = models.TextField(
-        choices=SourceGroupMatchingModes.choices,
-        default=SourceGroupMatchingModes.IDENTIFIER,
-        help_text=_(
-            "How the source determines if an existing group should be used or "
-            "a new group created."
-        ),
-    )
 
     objects = InheritanceManager()
 
@@ -682,11 +607,6 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
         """Return component used to edit this object"""
         raise NotImplementedError
 
-    @property
-    def property_mapping_type(self) -> "type[PropertyMapping]":
-        """Return property mapping type used by this object"""
-        raise NotImplementedError
-
     def ui_login_button(self, request: HttpRequest) -> UILoginButton | None:
         """If source uses a http-based flow, return UI Information about the login
         button. If source doesn't use http-based flow, return None."""
@@ -697,14 +617,6 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
         user settings are available, or UserSettingSerializer."""
         return None
 
-    def get_base_user_properties(self, **kwargs) -> dict[str, Any | dict[str, Any]]:
-        """Get base properties for a user to build final properties upon."""
-        raise NotImplementedError
-
-    def get_base_group_properties(self, **kwargs) -> dict[str, Any | dict[str, Any]]:
-        """Get base properties for a group to build final properties upon."""
-        raise NotImplementedError
-
     def __str__(self):
         return str(self.name)
 
@@ -720,11 +632,6 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
                     "name",
                 ]
             ),
-            models.Index(
-                fields=[
-                    "enabled",
-                ]
-            ),
         ]
 
 
@@ -748,27 +655,6 @@ class UserSourceConnection(SerializerModel, CreatedUpdatedModel):
         unique_together = (("user", "source"),)
 
 
-class GroupSourceConnection(SerializerModel, CreatedUpdatedModel):
-    """Connection between Group and Source."""
-
-    group = models.ForeignKey(Group, on_delete=models.CASCADE)
-    source = models.ForeignKey(Source, on_delete=models.CASCADE)
-    identifier = models.TextField()
-
-    objects = InheritanceManager()
-
-    @property
-    def serializer(self) -> type[Serializer]:
-        """Get serializer for this model"""
-        raise NotImplementedError
-
-    def __str__(self) -> str:
-        return f"Group-source connection (group={self.group_id}, source={self.source_id})"
-
-    class Meta:
-        unique_together = (("group", "source"),)
-
-
 class ExpiringModel(models.Model):
     """Base Model which can expire, and is automatically cleaned up."""
 

authentik/core/signals.py

@@ -52,8 +52,6 @@ def user_logged_in_session(sender, request: HttpRequest, user: User, **_):
 @receiver(user_logged_out)
 def user_logged_out_session(sender, request: HttpRequest, user: User, **_):
     """Delete AuthenticatedSession if it exists"""
-    if not request.session or not request.session.session_key:
-        return
     AuthenticatedSession.objects.filter(session_key=request.session.session_key).delete()
 
 

authentik/core/sources/flow_manager.py

@@ -4,7 +4,7 @@ from enum import Enum
 from typing import Any
 
 from django.contrib import messages
-from django.db import IntegrityError, transaction
+from django.db import IntegrityError
 from django.db.models.query_utils import Q
 from django.http import HttpRequest, HttpResponse
 from django.shortcuts import redirect
@@ -12,20 +12,8 @@ from django.urls import reverse
 from django.utils.translation import gettext as _
 from structlog.stdlib import get_logger
 
-from authentik.core.models import (
-    Group,
-    GroupSourceConnection,
-    Source,
-    SourceGroupMatchingModes,
-    SourceUserMatchingModes,
-    User,
-    UserSourceConnection,
-)
-from authentik.core.sources.mapper import SourceMapper
-from authentik.core.sources.stage import (
-    PLAN_CONTEXT_SOURCES_CONNECTION,
-    PostSourceStage,
-)
+from authentik.core.models import Source, SourceUserMatchingModes, User, UserSourceConnection
+from authentik.core.sources.stage import PLAN_CONTEXT_SOURCES_CONNECTION, PostSourceStage
 from authentik.events.models import Event, EventAction
 from authentik.flows.exceptions import FlowNonApplicableException
 from authentik.flows.models import Flow, FlowToken, Stage, in_memory_stage
@@ -48,10 +36,7 @@ from authentik.stages.password.stage import PLAN_CONTEXT_AUTHENTICATION_BACKEND
 from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
 from authentik.stages.user_write.stage import PLAN_CONTEXT_USER_PATH
 
-LOGGER = get_logger()
-
 SESSION_KEY_OVERRIDE_FLOW_TOKEN = "authentik/flows/source_override_flow_token"  # nosec
-PLAN_CONTEXT_SOURCE_GROUPS = "source_groups"
 
 
 class Action(Enum):
@@ -85,69 +70,48 @@ class SourceFlowManager:
     or deny the request."""
 
     source: Source
-    mapper: SourceMapper
     request: HttpRequest
 
     identifier: str
 
-    user_connection_type: type[UserSourceConnection] = UserSourceConnection
-    group_connection_type: type[GroupSourceConnection] = GroupSourceConnection
+    connection_type: type[UserSourceConnection] = UserSourceConnection
 
-    user_info: dict[str, Any]
+    enroll_info: dict[str, Any]
     policy_context: dict[str, Any]
-    user_properties: dict[str, Any | dict[str, Any]]
-    groups_properties: dict[str, dict[str, Any | dict[str, Any]]]
 
     def __init__(
         self,
         source: Source,
         request: HttpRequest,
         identifier: str,
-        user_info: dict[str, Any],
-        policy_context: dict[str, Any],
+        enroll_info: dict[str, Any],
     ) -> None:
         self.source = source
-        self.mapper = SourceMapper(self.source)
         self.request = request
         self.identifier = identifier
-        self.user_info = user_info
+        self.enroll_info = enroll_info
         self._logger = get_logger().bind(source=source, identifier=identifier)
-        self.policy_context = policy_context
-
-        self.user_properties = self.mapper.build_object_properties(
-            object_type=User, request=request, user=None, **self.user_info
-        )
-        self.groups_properties = {
-            group_id: self.mapper.build_object_properties(
-                object_type=Group,
-                request=request,
-                user=None,
-                group_id=group_id,
-                **self.user_info,
-            )
-            for group_id in self.user_properties.setdefault("groups", [])
-        }
-        del self.user_properties["groups"]
+        self.policy_context = {}
 
     def get_action(self, **kwargs) -> tuple[Action, UserSourceConnection | None]:  # noqa: PLR0911
         """decide which action should be taken"""
-        new_connection = self.user_connection_type(source=self.source, identifier=self.identifier)
+        new_connection = self.connection_type(source=self.source, identifier=self.identifier)
         # When request is authenticated, always link
         if self.request.user.is_authenticated:
             new_connection.user = self.request.user
-            new_connection = self.update_user_connection(new_connection, **kwargs)
+            new_connection = self.update_connection(new_connection, **kwargs)
             return Action.LINK, new_connection
 
-        existing_connections = self.user_connection_type.objects.filter(
+        existing_connections = self.connection_type.objects.filter(
             source=self.source, identifier=self.identifier
         )
         if existing_connections.exists():
             connection = existing_connections.first()
-            return Action.AUTH, self.update_user_connection(connection, **kwargs)
+            return Action.AUTH, self.update_connection(connection, **kwargs)
         # No connection exists, but we match on identifier, so enroll
         if self.source.user_matching_mode == SourceUserMatchingModes.IDENTIFIER:
             # We don't save the connection here cause it doesn't have a user assigned yet
-            return Action.ENROLL, self.update_user_connection(new_connection, **kwargs)
+            return Action.ENROLL, self.update_connection(new_connection, **kwargs)
 
         # Check for existing users with matching attributes
         query = Q()
@@ -156,24 +120,24 @@ class SourceFlowManager:
             SourceUserMatchingModes.EMAIL_LINK,
             SourceUserMatchingModes.EMAIL_DENY,
         ]:
-            if not self.user_properties.get("email", None):
-                self._logger.warning("Refusing to use none email")
+            if not self.enroll_info.get("email", None):
+                self._logger.warning("Refusing to use none email", source=self.source)
                 return Action.DENY, None
-            query = Q(email__exact=self.user_properties.get("email", None))
+            query = Q(email__exact=self.enroll_info.get("email", None))
         if self.source.user_matching_mode in [
             SourceUserMatchingModes.USERNAME_LINK,
             SourceUserMatchingModes.USERNAME_DENY,
         ]:
-            if not self.user_properties.get("username", None):
-                self._logger.warning("Refusing to use none username")
+            if not self.enroll_info.get("username", None):
+                self._logger.warning("Refusing to use none username", source=self.source)
                 return Action.DENY, None
-            query = Q(username__exact=self.user_properties.get("username", None))
+            query = Q(username__exact=self.enroll_info.get("username", None))
         self._logger.debug("trying to link with existing user", query=query)
         matching_users = User.objects.filter(query)
         # No matching users, always enroll
         if not matching_users.exists():
             self._logger.debug("no matching users found, enrolling")
-            return Action.ENROLL, self.update_user_connection(new_connection, **kwargs)
+            return Action.ENROLL, self.update_connection(new_connection, **kwargs)
 
         user = matching_users.first()
         if self.source.user_matching_mode in [
@@ -181,7 +145,7 @@ class SourceFlowManager:
             SourceUserMatchingModes.USERNAME_LINK,
         ]:
             new_connection.user = user
-            new_connection = self.update_user_connection(new_connection, **kwargs)
+            new_connection = self.update_connection(new_connection, **kwargs)
             return Action.LINK, new_connection
         if self.source.user_matching_mode in [
             SourceUserMatchingModes.EMAIL_DENY,
@@ -192,10 +156,10 @@ class SourceFlowManager:
         # Should never get here as default enroll case is returned above.
         return Action.DENY, None  # pragma: no cover
 
-    def update_user_connection(
+    def update_connection(
         self, connection: UserSourceConnection, **kwargs
     ) -> UserSourceConnection:  # pragma: no cover
-        """Optionally make changes to the user connection after it is looked up/created."""
+        """Optionally make changes to the connection after it is looked up/created."""
         return connection
 
     def get_flow(self, **kwargs) -> HttpResponse:
@@ -251,31 +215,25 @@ class SourceFlowManager:
         flow: Flow | None,
         connection: UserSourceConnection,
         stages: list[StageView] | None = None,
-        **flow_context,
+        **kwargs,
     ) -> HttpResponse:
         """Prepare Authentication Plan, redirect user FlowExecutor"""
-        # Ensure redirect is carried through when user was trying to
-        # authorize application
-        final_redirect = self.request.session.get(SESSION_KEY_GET, {}).get(
-            NEXT_ARG_NAME, "authentik_core:if-user"
-        )
-        flow_context.update(
+        kwargs.update(
             {
                 # Since we authenticate the user by their token, they have no backend set
                 PLAN_CONTEXT_AUTHENTICATION_BACKEND: BACKEND_INBUILT,
                 PLAN_CONTEXT_SSO: True,
                 PLAN_CONTEXT_SOURCE: self.source,
                 PLAN_CONTEXT_SOURCES_CONNECTION: connection,
-                PLAN_CONTEXT_SOURCE_GROUPS: self.groups_properties,
             }
         )
-        flow_context.update(self.policy_context)
+        kwargs.update(self.policy_context)
         if SESSION_KEY_OVERRIDE_FLOW_TOKEN in self.request.session:
             token: FlowToken = self.request.session.get(SESSION_KEY_OVERRIDE_FLOW_TOKEN)
             self._logger.info("Replacing source flow with overridden flow", flow=token.flow.slug)
             plan = token.plan
             plan.context[PLAN_CONTEXT_IS_RESTORED] = token
-            plan.context.update(flow_context)
+            plan.context.update(kwargs)
             for stage in self.get_stages_to_append(flow):
                 plan.append_stage(stage)
             if stages:
@@ -294,8 +252,8 @@ class SourceFlowManager:
         final_redirect = self.request.session.get(SESSION_KEY_GET, {}).get(
             NEXT_ARG_NAME, "authentik_core:if-user"
         )
-        if PLAN_CONTEXT_REDIRECT not in flow_context:
-            flow_context[PLAN_CONTEXT_REDIRECT] = final_redirect
+        if PLAN_CONTEXT_REDIRECT not in kwargs:
+            kwargs[PLAN_CONTEXT_REDIRECT] = final_redirect
 
         if not flow:
             return bad_request_message(
@@ -307,12 +265,9 @@ class SourceFlowManager:
         # We append some stages so the initial flow we get might be empty
         planner.allow_empty_flows = True
         planner.use_cache = False
-        plan = planner.plan(self.request, flow_context)
+        plan = planner.plan(self.request, kwargs)
         for stage in self.get_stages_to_append(flow):
             plan.append_stage(stage)
-        plan.append_stage(
-            in_memory_stage(GroupUpdateStage, group_connection_type=self.group_connection_type)
-        )
         if stages:
             for stage in stages:
                 plan.append_stage(stage)
@@ -399,123 +354,7 @@ class SourceFlowManager:
                 )
             ],
             **{
-                PLAN_CONTEXT_PROMPT: delete_none_values(self.user_properties),
+                PLAN_CONTEXT_PROMPT: delete_none_values(self.enroll_info),
                 PLAN_CONTEXT_USER_PATH: self.source.get_user_path(),
             },
         )
-
-
-class GroupUpdateStage(StageView):
-    """Dynamically injected stage which updates the user after enrollment/authentication."""
-
-    def get_action(
-        self, group_id: str, group_properties: dict[str, Any | dict[str, Any]]
-    ) -> tuple[Action, GroupSourceConnection | None]:
-        """decide which action should be taken"""
-        new_connection = self.group_connection_type(source=self.source, identifier=group_id)
-
-        existing_connections = self.group_connection_type.objects.filter(
-            source=self.source, identifier=group_id
-        )
-        if existing_connections.exists():
-            return Action.LINK, existing_connections.first()
-        # No connection exists, but we match on identifier, so enroll
-        if self.source.group_matching_mode == SourceGroupMatchingModes.IDENTIFIER:
-            # We don't save the connection here cause it doesn't have a user assigned yet
-            return Action.ENROLL, new_connection
-
-        # Check for existing groups with matching attributes
-        query = Q()
-        if self.source.group_matching_mode in [
-            SourceGroupMatchingModes.NAME_LINK,
-            SourceGroupMatchingModes.NAME_DENY,
-        ]:
-            if not group_properties.get("name", None):
-                LOGGER.warning(
-                    "Refusing to use none group name", source=self.source, group_id=group_id
-                )
-                return Action.DENY, None
-            query = Q(name__exact=group_properties.get("name"))
-        LOGGER.debug(
-            "trying to link with existing group", source=self.source, query=query, group_id=group_id
-        )
-        matching_groups = Group.objects.filter(query)
-        # No matching groups, always enroll
-        if not matching_groups.exists():
-            LOGGER.debug(
-                "no matching groups found, enrolling", source=self.source, group_id=group_id
-            )
-            return Action.ENROLL, new_connection
-
-        group = matching_groups.first()
-        if self.source.group_matching_mode in [
-            SourceGroupMatchingModes.NAME_LINK,
-        ]:
-            new_connection.group = group
-            return Action.LINK, new_connection
-        if self.source.group_matching_mode in [
-            SourceGroupMatchingModes.NAME_DENY,
-        ]:
-            LOGGER.info(
-                "denying source because group exists",
-                source=self.source,
-                group=group,
-                group_id=group_id,
-            )
-            return Action.DENY, None
-        # Should never get here as default enroll case is returned above.
-        return Action.DENY, None  # pragma: no cover
-
-    def handle_group(
-        self, group_id: str, group_properties: dict[str, Any | dict[str, Any]]
-    ) -> Group | None:
-        action, connection = self.get_action(group_id, group_properties)
-        if action == Action.ENROLL:
-            group = Group.objects.create(**group_properties)
-            connection.group = group
-            connection.save()
-            return group
-        elif action == Action.LINK:
-            group = connection.group
-            group.update_attributes(group_properties)
-            connection.save()
-            return group
-
-        return None
-
-    def handle_groups(self) -> bool:
-        self.source: Source = self.executor.plan.context[PLAN_CONTEXT_SOURCE]
-        self.user: User = self.executor.plan.context[PLAN_CONTEXT_PENDING_USER]
-        self.group_connection_type: GroupSourceConnection = (
-            self.executor.current_stage.group_connection_type
-        )
-
-        raw_groups: dict[str, dict[str, Any | dict[str, Any]]] = self.executor.plan.context[
-            PLAN_CONTEXT_SOURCE_GROUPS
-        ]
-        groups: list[Group] = []
-
-        for group_id, group_properties in raw_groups.items():
-            group = self.handle_group(group_id, group_properties)
-            if not group:
-                return False
-            groups.append(group)
-
-        with transaction.atomic():
-            self.user.ak_groups.remove(
-                *self.user.ak_groups.filter(groupsourceconnection__source=self.source)
-            )
-            self.user.ak_groups.add(*groups)
-
-        return True
-
-    def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
-        """Stage used after the user has been enrolled to sync their groups from source data"""
-        if self.handle_groups():
-            return self.executor.stage_ok()
-        else:
-            return self.executor.stage_invalid("Failed to update groups. Please try again later.")
-
-    def post(self, request: HttpRequest) -> HttpResponse:
-        """Wrapper for post requests"""
-        return self.get(request)

authentik/core/sources/mapper.py

@@ -1,103 +0,0 @@
-from typing import Any
-
-from django.http import HttpRequest
-from structlog.stdlib import get_logger
-
-from authentik.core.expression.exceptions import PropertyMappingExpressionException
-from authentik.core.models import Group, PropertyMapping, Source, User
-from authentik.events.models import Event, EventAction
-from authentik.lib.merge import MERGE_LIST_UNIQUE
-from authentik.lib.sync.mapper import PropertyMappingManager
-from authentik.policies.utils import delete_none_values
-
-LOGGER = get_logger()
-
-
-class SourceMapper:
-    def __init__(self, source: Source):
-        self.source = source
-
-    def get_manager(
-        self, object_type: type[User | Group], context_keys: list[str]
-    ) -> PropertyMappingManager:
-        """Get property mapping manager for this source."""
-
-        qs = PropertyMapping.objects.none()
-        if object_type == User:
-            qs = self.source.user_property_mappings.all().select_subclasses()
-        elif object_type == Group:
-            qs = self.source.group_property_mappings.all().select_subclasses()
-        qs = qs.order_by("name")
-        return PropertyMappingManager(
-            qs,
-            self.source.property_mapping_type,
-            ["source", "properties"] + context_keys,
-        )
-
-    def get_base_properties(
-        self, object_type: type[User | Group], **kwargs
-    ) -> dict[str, Any | dict[str, Any]]:
-        """Get base properties for a user or a group to build final properties upon."""
-        if object_type == User:
-            properties = self.source.get_base_user_properties(**kwargs)
-            properties.setdefault("path", self.source.get_user_path())
-            return properties
-        if object_type == Group:
-            return self.source.get_base_group_properties(**kwargs)
-        return {}
-
-    def build_object_properties(
-        self,
-        object_type: type[User | Group],
-        manager: "PropertyMappingManager | None" = None,
-        user: User | None = None,
-        request: HttpRequest | None = None,
-        **kwargs,
-    ) -> dict[str, Any | dict[str, Any]]:
-        """Build a user or group properties from the source configured property mappings."""
-
-        properties = self.get_base_properties(object_type, **kwargs)
-        if "attributes" not in properties:
-            properties["attributes"] = {}
-
-        if not manager:
-            manager = self.get_manager(object_type, list(kwargs.keys()))
-        evaluations = manager.iter_eval(
-            user=user,
-            request=request,
-            return_mapping=True,
-            source=self.source,
-            properties=properties,
-            **kwargs,
-        )
-        while True:
-            try:
-                value, mapping = next(evaluations)
-            except StopIteration:
-                break
-            except PropertyMappingExpressionException as exc:
-                Event.new(
-                    EventAction.CONFIGURATION_ERROR,
-                    message=f"Failed to evaluate property mapping: '{exc.mapping.name}'",
-                    source=self,
-                    mapping=exc.mapping,
-                ).save()
-                LOGGER.warning(
-                    "Mapping failed to evaluate",
-                    exc=exc,
-                    source=self,
-                    mapping=exc.mapping,
-                )
-                raise exc
-
-            if not value or not isinstance(value, dict):
-                LOGGER.debug(
-                    "Mapping evaluated to None or is not a dict. Skipping",
-                    source=self,
-                    mapping=mapping,
-                )
-                continue
-
-            MERGE_LIST_UNIQUE.merge(properties, value)
-
-        return delete_none_values(properties)

authentik/core/tests/test_source_flow_manager.py

@@ -38,9 +38,7 @@ class TestSourceFlowManager(TestCase):
     def test_unauthenticated_enroll(self):
         """Test un-authenticated user enrolling"""
         request = get_request("/", user=AnonymousUser())
-        flow_manager = OAuthSourceFlowManager(
-            self.source, request, self.identifier, {"info": {}}, {}
-        )
+        flow_manager = OAuthSourceFlowManager(self.source, request, self.identifier, {})
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.ENROLL)
         response = flow_manager.get_flow()
@@ -54,9 +52,7 @@ class TestSourceFlowManager(TestCase):
             user=get_anonymous_user(), source=self.source, identifier=self.identifier
         )
         request = get_request("/", user=AnonymousUser())
-        flow_manager = OAuthSourceFlowManager(
-            self.source, request, self.identifier, {"info": {}}, {}
-        )
+        flow_manager = OAuthSourceFlowManager(self.source, request, self.identifier, {})
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.AUTH)
         response = flow_manager.get_flow()
@@ -68,9 +64,7 @@ class TestSourceFlowManager(TestCase):
         """Test authenticated user linking"""
         user = User.objects.create(username="foo", email="foo@bar.baz")
         request = get_request("/", user=user)
-        flow_manager = OAuthSourceFlowManager(
-            self.source, request, self.identifier, {"info": {}}, {}
-        )
+        flow_manager = OAuthSourceFlowManager(self.source, request, self.identifier, {})
         action, connection = flow_manager.get_action()
         self.assertEqual(action, Action.LINK)
         self.assertIsNone(connection.pk)
@@ -83,9 +77,7 @@ class TestSourceFlowManager(TestCase):
 
     def test_unauthenticated_link(self):
         """Test un-authenticated user linking"""
-        flow_manager = OAuthSourceFlowManager(
-            self.source, get_request("/"), self.identifier, {"info": {}}, {}
-        )
+        flow_manager = OAuthSourceFlowManager(self.source, get_request("/"), self.identifier, {})
         action, connection = flow_manager.get_action()
         self.assertEqual(action, Action.LINK)
         self.assertIsNone(connection.pk)
@@ -98,7 +90,7 @@ class TestSourceFlowManager(TestCase):
 
         # Without email, deny
         flow_manager = OAuthSourceFlowManager(
-            self.source, get_request("/", user=AnonymousUser()), self.identifier, {"info": {}}, {}
+            self.source, get_request("/", user=AnonymousUser()), self.identifier, {}
         )
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.DENY)
@@ -108,12 +100,7 @@ class TestSourceFlowManager(TestCase):
             self.source,
             get_request("/", user=AnonymousUser()),
             self.identifier,
-            {
-                "info": {
-                    "email": "foo@bar.baz",
-                },
-            },
-            {},
+            {"email": "foo@bar.baz"},
         )
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.LINK)
@@ -126,7 +113,7 @@ class TestSourceFlowManager(TestCase):
 
         # Without username, deny
         flow_manager = OAuthSourceFlowManager(
-            self.source, get_request("/", user=AnonymousUser()), self.identifier, {"info": {}}, {}
+            self.source, get_request("/", user=AnonymousUser()), self.identifier, {}
         )
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.DENY)
@@ -136,10 +123,7 @@ class TestSourceFlowManager(TestCase):
             self.source,
             get_request("/", user=AnonymousUser()),
             self.identifier,
-            {
-                "info": {"username": "foo"},
-            },
-            {},
+            {"username": "foo"},
         )
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.LINK)
@@ -156,11 +140,8 @@ class TestSourceFlowManager(TestCase):
             get_request("/", user=AnonymousUser()),
             self.identifier,
             {
-                "info": {
-                    "username": "bar",
-                },
+                "username": "bar",
             },
-            {},
         )
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.ENROLL)
@@ -170,10 +151,7 @@ class TestSourceFlowManager(TestCase):
             self.source,
             get_request("/", user=AnonymousUser()),
             self.identifier,
-            {
-                "info": {"username": "foo"},
-            },
-            {},
+            {"username": "foo"},
         )
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.DENY)
@@ -187,10 +165,7 @@ class TestSourceFlowManager(TestCase):
             self.source,
             get_request("/", user=AnonymousUser()),
             self.identifier,
-            {
-                "info": {"username": "foo"},
-            },
-            {},
+            {"username": "foo"},
         )
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.ENROLL)
@@ -216,10 +191,7 @@ class TestSourceFlowManager(TestCase):
             self.source,
             get_request("/", user=AnonymousUser()),
             self.identifier,
-            {
-                "info": {"username": "foo"},
-            },
-            {},
+            {"username": "foo"},
         )
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.ENROLL)

authentik/core/tests/test_source_flow_manager_group_update_stage.py

@@ -1,237 +0,0 @@
-"""Test Source flow_manager group update stage"""
-
-from django.test import RequestFactory
-
-from authentik.core.models import Group, SourceGroupMatchingModes
-from authentik.core.sources.flow_manager import PLAN_CONTEXT_SOURCE_GROUPS, GroupUpdateStage
-from authentik.core.tests.utils import create_test_admin_user, create_test_flow
-from authentik.flows.models import in_memory_stage
-from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, PLAN_CONTEXT_SOURCE, FlowPlan
-from authentik.flows.tests import FlowTestCase
-from authentik.flows.views.executor import FlowExecutorView
-from authentik.lib.generators import generate_id
-from authentik.sources.oauth.models import GroupOAuthSourceConnection, OAuthSource
-
-
-class TestSourceFlowManager(FlowTestCase):
-    """Test Source flow_manager group update stage"""
-
-    def setUp(self) -> None:
-        super().setUp()
-        self.factory = RequestFactory()
-        self.authentication_flow = create_test_flow()
-        self.enrollment_flow = create_test_flow()
-        self.source: OAuthSource = OAuthSource.objects.create(
-            name=generate_id(),
-            slug=generate_id(),
-            authentication_flow=self.authentication_flow,
-            enrollment_flow=self.enrollment_flow,
-        )
-        self.identifier = generate_id()
-        self.user = create_test_admin_user()
-
-    def test_nonexistant_group(self):
-        request = self.factory.get("/")
-        stage = GroupUpdateStage(
-            FlowExecutorView(
-                current_stage=in_memory_stage(
-                    GroupUpdateStage, group_connection_type=GroupOAuthSourceConnection
-                ),
-                plan=FlowPlan(
-                    flow_pk=generate_id(),
-                    context={
-                        PLAN_CONTEXT_SOURCE: self.source,
-                        PLAN_CONTEXT_PENDING_USER: self.user,
-                        PLAN_CONTEXT_SOURCE_GROUPS: {
-                            "group 1": {
-                                "name": "group 1",
-                            },
-                        },
-                    },
-                ),
-            ),
-            request=request,
-        )
-        self.assertTrue(stage.handle_groups())
-        self.assertTrue(Group.objects.filter(name="group 1").exists())
-        self.assertTrue(self.user.ak_groups.filter(name="group 1").exists())
-        self.assertTrue(
-            GroupOAuthSourceConnection.objects.filter(
-                group=Group.objects.get(name="group 1"), source=self.source
-            ).exists()
-        )
-
-    def test_nonexistant_group_name_link(self):
-        self.source.group_matching_mode = SourceGroupMatchingModes.NAME_LINK
-        self.source.save()
-
-        request = self.factory.get("/")
-        stage = GroupUpdateStage(
-            FlowExecutorView(
-                current_stage=in_memory_stage(
-                    GroupUpdateStage, group_connection_type=GroupOAuthSourceConnection
-                ),
-                plan=FlowPlan(
-                    flow_pk=generate_id(),
-                    context={
-                        PLAN_CONTEXT_SOURCE: self.source,
-                        PLAN_CONTEXT_PENDING_USER: self.user,
-                        PLAN_CONTEXT_SOURCE_GROUPS: {
-                            "group 1": {
-                                "name": "group 1",
-                            },
-                        },
-                    },
-                ),
-            ),
-            request=request,
-        )
-        self.assertTrue(stage.handle_groups())
-        self.assertTrue(Group.objects.filter(name="group 1").exists())
-        self.assertTrue(self.user.ak_groups.filter(name="group 1").exists())
-        self.assertTrue(
-            GroupOAuthSourceConnection.objects.filter(
-                group=Group.objects.get(name="group 1"), source=self.source
-            ).exists()
-        )
-
-    def test_existant_group_name_link(self):
-        self.source.group_matching_mode = SourceGroupMatchingModes.NAME_LINK
-        self.source.save()
-        group = Group.objects.create(name="group 1")
-
-        request = self.factory.get("/")
-        stage = GroupUpdateStage(
-            FlowExecutorView(
-                current_stage=in_memory_stage(
-                    GroupUpdateStage, group_connection_type=GroupOAuthSourceConnection
-                ),
-                plan=FlowPlan(
-                    flow_pk=generate_id(),
-                    context={
-                        PLAN_CONTEXT_SOURCE: self.source,
-                        PLAN_CONTEXT_PENDING_USER: self.user,
-                        PLAN_CONTEXT_SOURCE_GROUPS: {
-                            "group 1": {
-                                "name": "group 1",
-                            },
-                        },
-                    },
-                ),
-            ),
-            request=request,
-        )
-        self.assertTrue(stage.handle_groups())
-        self.assertTrue(Group.objects.filter(name="group 1").exists())
-        self.assertTrue(self.user.ak_groups.filter(name="group 1").exists())
-        self.assertTrue(
-            GroupOAuthSourceConnection.objects.filter(group=group, source=self.source).exists()
-        )
-
-    def test_nonexistant_group_name_deny(self):
-        self.source.group_matching_mode = SourceGroupMatchingModes.NAME_DENY
-        self.source.save()
-
-        request = self.factory.get("/")
-        stage = GroupUpdateStage(
-            FlowExecutorView(
-                current_stage=in_memory_stage(
-                    GroupUpdateStage, group_connection_type=GroupOAuthSourceConnection
-                ),
-                plan=FlowPlan(
-                    flow_pk=generate_id(),
-                    context={
-                        PLAN_CONTEXT_SOURCE: self.source,
-                        PLAN_CONTEXT_PENDING_USER: self.user,
-                        PLAN_CONTEXT_SOURCE_GROUPS: {
-                            "group 1": {
-                                "name": "group 1",
-                            },
-                        },
-                    },
-                ),
-            ),
-            request=request,
-        )
-        self.assertTrue(stage.handle_groups())
-        self.assertTrue(Group.objects.filter(name="group 1").exists())
-        self.assertTrue(self.user.ak_groups.filter(name="group 1").exists())
-        self.assertTrue(
-            GroupOAuthSourceConnection.objects.filter(
-                group=Group.objects.get(name="group 1"), source=self.source
-            ).exists()
-        )
-
-    def test_existant_group_name_deny(self):
-        self.source.group_matching_mode = SourceGroupMatchingModes.NAME_DENY
-        self.source.save()
-        group = Group.objects.create(name="group 1")
-
-        request = self.factory.get("/")
-        stage = GroupUpdateStage(
-            FlowExecutorView(
-                current_stage=in_memory_stage(
-                    GroupUpdateStage, group_connection_type=GroupOAuthSourceConnection
-                ),
-                plan=FlowPlan(
-                    flow_pk=generate_id(),
-                    context={
-                        PLAN_CONTEXT_SOURCE: self.source,
-                        PLAN_CONTEXT_PENDING_USER: self.user,
-                        PLAN_CONTEXT_SOURCE_GROUPS: {
-                            "group 1": {
-                                "name": "group 1",
-                            },
-                        },
-                    },
-                ),
-            ),
-            request=request,
-        )
-        self.assertFalse(stage.handle_groups())
-        self.assertFalse(self.user.ak_groups.filter(name="group 1").exists())
-        self.assertFalse(
-            GroupOAuthSourceConnection.objects.filter(group=group, source=self.source).exists()
-        )
-
-    def test_group_updates(self):
-        self.source.group_matching_mode = SourceGroupMatchingModes.NAME_LINK
-        self.source.save()
-
-        other_group = Group.objects.create(name="other group")
-        old_group = Group.objects.create(name="old group")
-        new_group = Group.objects.create(name="new group")
-        self.user.ak_groups.set([other_group, old_group])
-        GroupOAuthSourceConnection.objects.create(
-            group=old_group, source=self.source, identifier=old_group.name
-        )
-        GroupOAuthSourceConnection.objects.create(
-            group=new_group, source=self.source, identifier=new_group.name
-        )
-
-        request = self.factory.get("/")
-        stage = GroupUpdateStage(
-            FlowExecutorView(
-                current_stage=in_memory_stage(
-                    GroupUpdateStage, group_connection_type=GroupOAuthSourceConnection
-                ),
-                plan=FlowPlan(
-                    flow_pk=generate_id(),
-                    context={
-                        PLAN_CONTEXT_SOURCE: self.source,
-                        PLAN_CONTEXT_PENDING_USER: self.user,
-                        PLAN_CONTEXT_SOURCE_GROUPS: {
-                            "new group": {
-                                "name": "new group",
-                            },
-                        },
-                    },
-                ),
-            ),
-            request=request,
-        )
-        self.assertTrue(stage.handle_groups())
-        self.assertFalse(self.user.ak_groups.filter(name="old group").exists())
-        self.assertTrue(self.user.ak_groups.filter(name="other group").exists())
-        self.assertTrue(self.user.ak_groups.filter(name="new group").exists())
-        self.assertEqual(self.user.ak_groups.count(), 2)

authentik/core/tests/test_source_property_mappings.py

@@ -1,72 +0,0 @@
-"""Test Source Property mappings"""
-
-from django.test import TestCase
-
-from authentik.core.models import Group, PropertyMapping, Source, User
-from authentik.core.sources.mapper import SourceMapper
-from authentik.lib.generators import generate_id
-
-
-class ProxySource(Source):
-    @property
-    def property_mapping_type(self):
-        return PropertyMapping
-
-    def get_base_user_properties(self, **kwargs):
-        return {
-            "username": kwargs.get("username", None),
-            "email": kwargs.get("email", "default@authentik"),
-        }
-
-    def get_base_group_properties(self, **kwargs):
-        return {"name": kwargs.get("name", None)}
-
-    class Meta:
-        proxy = True
-
-
-class TestSourcePropertyMappings(TestCase):
-    """Test Source PropertyMappings"""
-
-    def test_base_properties(self):
-        source = ProxySource.objects.create(name=generate_id(), slug=generate_id(), enabled=True)
-        mapper = SourceMapper(source)
-
-        user_base_properties = mapper.get_base_properties(User, username="test1")
-        self.assertEqual(
-            user_base_properties,
-            {
-                "username": "test1",
-                "email": "default@authentik",
-                "path": f"goauthentik.io/sources/{source.slug}",
-            },
-        )
-
-        group_base_properties = mapper.get_base_properties(Group)
-        self.assertEqual(group_base_properties, {"name": None})
-
-    def test_build_properties(self):
-        source = ProxySource.objects.create(name=generate_id(), slug=generate_id(), enabled=True)
-        mapper = SourceMapper(source)
-
-        source.user_property_mappings.add(
-            PropertyMapping.objects.create(
-                name=generate_id(),
-                expression="""
-                    return {"username": data.get("username", None), "email": None}
-                """,
-            )
-        )
-
-        properties = mapper.build_object_properties(
-            object_type=User, user=None, request=None, username="test1", data={"username": "test2"}
-        )
-
-        self.assertEqual(
-            properties,
-            {
-                "username": "test2",
-                "path": f"goauthentik.io/sources/{source.slug}",
-                "attributes": {},
-            },
-        )

authentik/core/urls.py

@@ -6,6 +6,7 @@ from django.conf import settings
 from django.contrib.auth.decorators import login_required
 from django.urls import path
 from django.views.decorators.csrf import ensure_csrf_cookie
+from django.views.generic import RedirectView
 
 from authentik.core.api.applications import ApplicationViewSet
 from authentik.core.api.authenticated_sessions import AuthenticatedSessionViewSet
@@ -17,13 +18,9 @@ from authentik.core.api.sources import SourceViewSet, UserSourceConnectionViewSe
 from authentik.core.api.tokens import TokenViewSet
 from authentik.core.api.transactional_applications import TransactionalApplicationView
 from authentik.core.api.users import UserViewSet
-from authentik.core.views.apps import RedirectToAppLaunch
+from authentik.core.views import apps
 from authentik.core.views.debug import AccessDeniedView
-from authentik.core.views.interface import (
-    BrandDefaultRedirectView,
-    InterfaceView,
-    RootRedirectView,
-)
+from authentik.core.views.interface import InterfaceView
 from authentik.core.views.session import EndSessionView
 from authentik.flows.views.interface import FlowInterfaceView
 from authentik.root.asgi_middleware import SessionMiddleware
@@ -33,24 +30,26 @@ from authentik.root.middleware import ChannelsLoggingMiddleware
 urlpatterns = [
     path(
         "",
-        login_required(RootRedirectView.as_view()),
+        login_required(
+            RedirectView.as_view(pattern_name="authentik_core:if-user", query_string=True)
+        ),
         name="root-redirect",
     ),
     path(
-        # We have to use this format since everything else uses application/o or application/saml
+        # We have to use this format since everything else uses applications/o or applications/saml
         "application/launch/<slug:application_slug>/",
-        RedirectToAppLaunch.as_view(),
+        apps.RedirectToAppLaunch.as_view(),
         name="application-launch",
     ),
     # Interfaces
     path(
         "if/admin/",
-        ensure_csrf_cookie(BrandDefaultRedirectView.as_view(template_name="if/admin.html")),
+        ensure_csrf_cookie(InterfaceView.as_view(template_name="if/admin.html")),
         name="if-admin",
     ),
     path(
         "if/user/",
-        ensure_csrf_cookie(BrandDefaultRedirectView.as_view(template_name="if/user.html")),
+        ensure_csrf_cookie(InterfaceView.as_view(template_name="if/user.html")),
         name="if-user",
     ),
     path(

authentik/core/views/apps.py

@@ -8,6 +8,7 @@ from django.views import View
 from authentik.core.models import Application
 from authentik.flows.challenge import (
     ChallengeResponse,
+    ChallengeTypes,
     HttpChallengeResponse,
     RedirectChallenge,
 )
@@ -73,6 +74,7 @@ class RedirectToAppStage(ChallengeStageView):
             raise Http404
         return RedirectChallenge(
             instance={
+                "type": ChallengeTypes.REDIRECT.value,
                 "to": launch,
             }
         )

authentik/core/views/interface.py

@@ -3,42 +3,13 @@
 from json import dumps
 from typing import Any
 
-from django.http import HttpRequest
-from django.http.response import HttpResponse
-from django.shortcuts import redirect
-from django.utils.translation import gettext as _
-from django.views.generic.base import RedirectView, TemplateView
+from django.views.generic.base import TemplateView
 from rest_framework.request import Request
 
 from authentik import get_build_hash
 from authentik.admin.tasks import LOCAL_VERSION
 from authentik.api.v3.config import ConfigView
 from authentik.brands.api import CurrentBrandSerializer
-from authentik.brands.models import Brand
-from authentik.core.models import UserTypes
-from authentik.policies.denied import AccessDeniedResponse
-
-
-class RootRedirectView(RedirectView):
-    """Root redirect view, redirect to brand's default application if set"""
-
-    pattern_name = "authentik_core:if-user"
-    query_string = True
-
-    def redirect_to_app(self, request: HttpRequest):
-        if request.user.is_authenticated and request.user.type == UserTypes.EXTERNAL:
-            brand: Brand = request.brand
-            if brand.default_application:
-                return redirect(
-                    "authentik_core:application-launch",
-                    application_slug=brand.default_application.slug,
-                )
-        return None
-
-    def dispatch(self, request: HttpRequest, *args: Any, **kwargs: Any) -> HttpResponse:
-        if redirect_response := RootRedirectView().redirect_to_app(request):
-            return redirect_response
-        return super().dispatch(request, *args, **kwargs)
 
 
 class InterfaceView(TemplateView):
@@ -52,20 +23,3 @@ class InterfaceView(TemplateView):
         kwargs["build"] = get_build_hash()
         kwargs["url_kwargs"] = self.kwargs
         return super().get_context_data(**kwargs)
-
-
-class BrandDefaultRedirectView(InterfaceView):
-    """By default redirect to default app"""
-
-    def dispatch(self, request: HttpRequest, *args: Any, **kwargs: Any) -> HttpResponse:
-        if request.user.is_authenticated and request.user.type == UserTypes.EXTERNAL:
-            brand: Brand = request.brand
-            if brand.default_application:
-                return redirect(
-                    "authentik_core:application-launch",
-                    application_slug=brand.default_application.slug,
-                )
-            response = AccessDeniedResponse(self.request)
-            response.error_message = _("Interface can only be accessed by internal users.")
-            return response
-        return super().dispatch(request, *args, **kwargs)

authentik/crypto/builder.py

@@ -76,7 +76,7 @@ class CertificateBuilder:
             .subject_name(
                 x509.Name(
                     [
-                        x509.NameAttribute(NameOID.COMMON_NAME, self.common_name[:64]),
+                        x509.NameAttribute(NameOID.COMMON_NAME, self.common_name),
                         x509.NameAttribute(NameOID.ORGANIZATION_NAME, "authentik"),
                         x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, "Self-signed"),
                     ]

authentik/enterprise/api.py

@@ -19,7 +19,7 @@ from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer, PassiveSerializer
 from authentik.core.models import User, UserTypes
 from authentik.enterprise.license import LicenseKey, LicenseSummarySerializer
-from authentik.enterprise.models import License, LicenseUsageStatus
+from authentik.enterprise.models import License
 from authentik.rbac.decorators import permission_required
 from authentik.tenants.utils import get_unique_identifier
 
@@ -30,7 +30,7 @@ class EnterpriseRequiredMixin:
 
     def validate(self, attrs: dict) -> dict:
         """Check that a valid license exists"""
-        if LicenseKey.cached_summary().status != LicenseUsageStatus.UNLICENSED:
+        if not LicenseKey.cached_summary().has_license:
             raise ValidationError(_("Enterprise is required to create/update this object."))
         return super().validate(attrs)
 
@@ -128,7 +128,7 @@ class LicenseViewSet(UsedByMixin, ModelViewSet):
         forecast_for_months = 12
         response = LicenseForecastSerializer(
             data={
-                "internal_users": LicenseKey.get_internal_user_count(),
+                "internal_users": LicenseKey.get_default_user_count(),
                 "external_users": LicenseKey.get_external_user_count(),
                 "forecasted_internal_users": (internal_in_last_month * forecast_for_months),
                 "forecasted_external_users": (external_in_last_month * forecast_for_months),

authentik/enterprise/apps.py

@@ -25,4 +25,4 @@ class AuthentikEnterpriseConfig(EnterpriseConfig):
         """Actual enterprise check, cached"""
         from authentik.enterprise.license import LicenseKey
 
-        return LicenseKey.cached_summary().status
+        return LicenseKey.cached_summary().valid

authentik/enterprise/license.py

@@ -3,36 +3,24 @@
 from base64 import b64decode
 from binascii import Error
 from dataclasses import asdict, dataclass, field
-from datetime import UTC, datetime, timedelta
+from datetime import datetime, timedelta
 from enum import Enum
 from functools import lru_cache
 from time import mktime
 
 from cryptography.exceptions import InvalidSignature
 from cryptography.x509 import Certificate, load_der_x509_certificate, load_pem_x509_certificate
-from dacite import DaciteError, from_dict
+from dacite import from_dict
 from django.core.cache import cache
 from django.db.models.query import QuerySet
 from django.utils.timezone import now
 from jwt import PyJWTError, decode, get_unverified_header
 from rest_framework.exceptions import ValidationError
-from rest_framework.fields import (
-    ChoiceField,
-    DateTimeField,
-    IntegerField,
-)
+from rest_framework.fields import BooleanField, DateTimeField, IntegerField
 
 from authentik.core.api.utils import PassiveSerializer
 from authentik.core.models import User, UserTypes
-from authentik.enterprise.models import (
-    THRESHOLD_READ_ONLY_WEEKS,
-    THRESHOLD_WARNING_ADMIN_WEEKS,
-    THRESHOLD_WARNING_EXPIRY_WEEKS,
-    THRESHOLD_WARNING_USER_WEEKS,
-    License,
-    LicenseUsage,
-    LicenseUsageStatus,
-)
+from authentik.enterprise.models import License, LicenseUsage
 from authentik.tenants.utils import get_unique_identifier
 
 CACHE_KEY_ENTERPRISE_LICENSE = "goauthentik.io/enterprise/license"
@@ -54,8 +42,6 @@ def get_license_aud() -> str:
 class LicenseFlags(Enum):
     """License flags"""
 
-    TRIAL = "trial"
-
 
 @dataclass
 class LicenseSummary:
@@ -63,8 +49,12 @@ class LicenseSummary:
 
     internal_users: int
     external_users: int
-    status: LicenseUsageStatus
+    valid: bool
+    show_admin_warning: bool
+    show_user_warning: bool
+    read_only: bool
     latest_valid: datetime
+    has_license: bool
 
 
 class LicenseSummarySerializer(PassiveSerializer):
@@ -72,8 +62,12 @@ class LicenseSummarySerializer(PassiveSerializer):
 
     internal_users = IntegerField(required=True)
     external_users = IntegerField(required=True)
-    status = ChoiceField(choices=LicenseUsageStatus.choices)
+    valid = BooleanField()
+    show_admin_warning = BooleanField()
+    show_user_warning = BooleanField()
+    read_only = BooleanField()
     latest_valid = DateTimeField()
+    has_license = BooleanField()
 
 
 @dataclass
@@ -89,7 +83,7 @@ class LicenseKey:
     flags: list[LicenseFlags] = field(default_factory=list)
 
     @staticmethod
-    def validate(jwt: str, check_expiry=True) -> "LicenseKey":
+    def validate(jwt: str) -> "LicenseKey":
         """Validate the license from a given JWT"""
         try:
             headers = get_unverified_header(jwt)
@@ -113,7 +107,6 @@ class LicenseKey:
                     our_cert.public_key(),
                     algorithms=["ES512"],
                     audience=get_license_aud(),
-                    options={"verify_exp": check_expiry},
                 ),
             )
         except PyJWTError:
@@ -123,8 +116,9 @@ class LicenseKey:
     @staticmethod
     def get_total() -> "LicenseKey":
         """Get a summarized version of all (not expired) licenses"""
+        active_licenses = License.objects.filter(expiry__gte=now())
         total = LicenseKey(get_license_aud(), 0, "Summarized license", 0, 0)
-        for lic in License.objects.all():
+        for lic in active_licenses:
             total.internal_users += lic.internal_users
             total.external_users += lic.external_users
             exp_ts = int(mktime(lic.expiry.timetuple()))
@@ -141,7 +135,7 @@ class LicenseKey:
         return User.objects.all().exclude_anonymous().exclude(is_active=False)
 
     @staticmethod
-    def get_internal_user_count():
+    def get_default_user_count():
         """Get current default user count"""
         return LicenseKey.base_user_qs().filter(type=UserTypes.INTERNAL).count()
 
@@ -150,72 +144,59 @@ class LicenseKey:
         """Get current external user count"""
         return LicenseKey.base_user_qs().filter(type=UserTypes.EXTERNAL).count()
 
-    def _last_valid_date(self):
-        last_valid_date = (
-            LicenseUsage.objects.order_by("-record_date")
-            .filter(status=LicenseUsageStatus.VALID)
-            .first()
-        )
-        if not last_valid_date:
-            return datetime.fromtimestamp(0, UTC)
-        return last_valid_date.record_date
+    def is_valid(self) -> bool:
+        """Check if the given license body covers all users
 
-    def status(self) -> LicenseUsageStatus:
-        """Check if the given license body covers all users, and is valid."""
-        last_valid = self._last_valid_date()
-        if self.exp == 0 and not License.objects.exists():
-            return LicenseUsageStatus.UNLICENSED
-        _now = now()
-        # Check limit-exceeded based status
-        internal_users = self.get_internal_user_count()
-        external_users = self.get_external_user_count()
-        if internal_users > self.internal_users or external_users > self.external_users:
-            if last_valid < _now - timedelta(weeks=THRESHOLD_READ_ONLY_WEEKS):
-                return LicenseUsageStatus.READ_ONLY
-            if last_valid < _now - timedelta(weeks=THRESHOLD_WARNING_USER_WEEKS):
-                return LicenseUsageStatus.LIMIT_EXCEEDED_USER
-            if last_valid < _now - timedelta(weeks=THRESHOLD_WARNING_ADMIN_WEEKS):
-                return LicenseUsageStatus.LIMIT_EXCEEDED_ADMIN
-        # Check expiry based status
-        if datetime.fromtimestamp(self.exp, UTC) < _now:
-            if datetime.fromtimestamp(self.exp, UTC) < _now - timedelta(
-                weeks=THRESHOLD_READ_ONLY_WEEKS
-            ):
-                return LicenseUsageStatus.READ_ONLY
-            return LicenseUsageStatus.EXPIRED
-        # Expiry warning
-        if datetime.fromtimestamp(self.exp, UTC) <= _now + timedelta(
-            weeks=THRESHOLD_WARNING_EXPIRY_WEEKS
-        ):
-            return LicenseUsageStatus.EXPIRY_SOON
-        return LicenseUsageStatus.VALID
+        Only checks the current count, no historical data is checked"""
+        default_users = self.get_default_user_count()
+        if default_users > self.internal_users:
+            return False
+        active_users = self.get_external_user_count()
+        if active_users > self.external_users:
+            return False
+        return True
 
     def record_usage(self):
         """Capture the current validity status and metrics and save them"""
         threshold = now() - timedelta(hours=8)
-        usage = (
-            LicenseUsage.objects.order_by("-record_date").filter(record_date__gte=threshold).first()
-        )
-        if not usage:
-            usage = LicenseUsage.objects.create(
-                internal_user_count=self.get_internal_user_count(),
+        if not LicenseUsage.objects.filter(record_date__gte=threshold).exists():
+            LicenseUsage.objects.create(
+                user_count=self.get_default_user_count(),
                 external_user_count=self.get_external_user_count(),
-                status=self.status(),
+                within_limits=self.is_valid(),
             )
         summary = asdict(self.summary())
         # Also cache the latest summary for the middleware
         cache.set(CACHE_KEY_ENTERPRISE_LICENSE, summary, timeout=CACHE_EXPIRY_ENTERPRISE_LICENSE)
-        return usage
+        return summary
+
+    @staticmethod
+    def last_valid_date() -> datetime:
+        """Get the last date the license was valid"""
+        usage: LicenseUsage = (
+            LicenseUsage.filter_not_expired(within_limits=True).order_by("-record_date").first()
+        )
+        if not usage:
+            return now()
+        return usage.record_date
 
     def summary(self) -> LicenseSummary:
         """Summary of license status"""
-        status = self.status()
+        has_license = License.objects.all().count() > 0
+        last_valid = LicenseKey.last_valid_date()
+        show_admin_warning = last_valid < now() - timedelta(weeks=2)
+        show_user_warning = last_valid < now() - timedelta(weeks=4)
+        read_only = last_valid < now() - timedelta(weeks=6)
         latest_valid = datetime.fromtimestamp(self.exp)
         return LicenseSummary(
+            show_admin_warning=show_admin_warning and has_license,
+            show_user_warning=show_user_warning and has_license,
+            read_only=read_only and has_license,
             latest_valid=latest_valid,
             internal_users=self.internal_users,
             external_users=self.external_users,
-            status=status,
+            valid=self.is_valid(),
+            has_license=has_license,
         )
 
     @staticmethod
@@ -224,8 +205,4 @@ class LicenseKey:
         summary = cache.get(CACHE_KEY_ENTERPRISE_LICENSE)
         if not summary:
             return LicenseKey.get_total().summary()
-        try:
-            return from_dict(LicenseSummary, summary)
-        except DaciteError:
-            cache.delete(CACHE_KEY_ENTERPRISE_LICENSE)
-            return LicenseKey.get_total().summary()
+        return from_dict(LicenseSummary, summary)

authentik/enterprise/middleware.py

@@ -8,7 +8,6 @@ from structlog.stdlib import BoundLogger, get_logger
 
 from authentik.enterprise.api import LicenseViewSet
 from authentik.enterprise.license import LicenseKey
-from authentik.enterprise.models import LicenseUsageStatus
 from authentik.flows.views.executor import FlowExecutorView
 from authentik.lib.utils.reflection import class_to_path
 
@@ -44,7 +43,7 @@ class EnterpriseMiddleware:
         cached_status = LicenseKey.cached_summary()
         if not cached_status:
             return True
-        if cached_status.status == LicenseUsageStatus.READ_ONLY:
+        if cached_status.read_only:
             return False
         return True
 
@@ -54,10 +53,10 @@ class EnterpriseMiddleware:
         if request.method.lower() in ["get", "head", "options", "trace"]:
             return True
         # Always allow requests to manage licenses
-        if request.resolver_match._func_path == class_to_path(LicenseViewSet):
+        if class_to_path(request.resolver_match.func) == class_to_path(LicenseViewSet):
             return True
         # Flow executor is mounted as an API path but explicitly allowed
-        if request.resolver_match._func_path == class_to_path(FlowExecutorView):
+        if class_to_path(request.resolver_match.func) == class_to_path(FlowExecutorView):
             return True
         # Only apply these restrictions to the API
         if "authentik_api" not in request.resolver_match.app_names:

authentik/enterprise/migrations/0003_remove_licenseusage_within_limits_and_more.py

@@ -1,68 +0,0 @@
-# Generated by Django 5.0.8 on 2024-08-08 14:15
-
-from django.db import migrations, models
-from django.apps.registry import Apps
-from django.db.backends.base.schema import BaseDatabaseSchemaEditor
-
-
-def migrate_license_usage(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    LicenseUsage = apps.get_model("authentik_enterprise", "licenseusage")
-    db_alias = schema_editor.connection.alias
-
-    for usage in LicenseUsage.objects.using(db_alias).all():
-        usage.status = "valid" if usage.within_limits else "limit_exceeded_admin"
-        usage.save()
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_enterprise", "0002_rename_users_license_internal_users_and_more"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="licenseusage",
-            name="status",
-            field=models.TextField(
-                choices=[
-                    ("unlicensed", "Unlicensed"),
-                    ("valid", "Valid"),
-                    ("expired", "Expired"),
-                    ("expiry_soon", "Expiry Soon"),
-                    ("limit_exceeded_admin", "Limit Exceeded Admin"),
-                    ("limit_exceeded_user", "Limit Exceeded User"),
-                    ("read_only", "Read Only"),
-                ],
-                default=None,
-                null=True,
-            ),
-            preserve_default=False,
-        ),
-        migrations.RunPython(migrate_license_usage),
-        migrations.RemoveField(
-            model_name="licenseusage",
-            name="within_limits",
-        ),
-        migrations.AlterField(
-            model_name="licenseusage",
-            name="status",
-            field=models.TextField(
-                choices=[
-                    ("unlicensed", "Unlicensed"),
-                    ("valid", "Valid"),
-                    ("expired", "Expired"),
-                    ("expiry_soon", "Expiry Soon"),
-                    ("limit_exceeded_admin", "Limit Exceeded Admin"),
-                    ("limit_exceeded_user", "Limit Exceeded User"),
-                    ("read_only", "Read Only"),
-                ],
-            ),
-            preserve_default=False,
-        ),
-        migrations.RenameField(
-            model_name="licenseusage",
-            old_name="user_count",
-            new_name="internal_user_count",
-        ),
-    ]

authentik/enterprise/models.py

@@ -17,17 +17,6 @@ if TYPE_CHECKING:
     from authentik.enterprise.license import LicenseKey
 
 
-def usage_expiry():
-    """Keep license usage records for 3 months"""
-    return now() + timedelta(days=30 * 3)
-
-
-THRESHOLD_WARNING_ADMIN_WEEKS = 2
-THRESHOLD_WARNING_USER_WEEKS = 4
-THRESHOLD_WARNING_EXPIRY_WEEKS = 2
-THRESHOLD_READ_ONLY_WEEKS = 6
-
-
 class License(SerializerModel):
     """An authentik enterprise license"""
 
@@ -50,7 +39,7 @@ class License(SerializerModel):
         """Get parsed license status"""
         from authentik.enterprise.license import LicenseKey
 
-        return LicenseKey.validate(self.key, check_expiry=False)
+        return LicenseKey.validate(self.key)
 
     class Meta:
         indexes = (HashIndex(fields=("key",)),)
@@ -58,23 +47,9 @@ class License(SerializerModel):
         verbose_name_plural = _("Licenses")
 
 
-class LicenseUsageStatus(models.TextChoices):
-    """License states an instance/tenant can be in"""
-
-    UNLICENSED = "unlicensed"
-    VALID = "valid"
-    EXPIRED = "expired"
-    EXPIRY_SOON = "expiry_soon"
-    # User limit exceeded, 2 week threshold, show message in admin interface
-    LIMIT_EXCEEDED_ADMIN = "limit_exceeded_admin"
-    # User limit exceeded, 4 week threshold, show message in user interface
-    LIMIT_EXCEEDED_USER = "limit_exceeded_user"
-    READ_ONLY = "read_only"
-
-    @property
-    def is_valid(self) -> bool:
-        """Quickly check if a license is valid"""
-        return self in [LicenseUsageStatus.VALID, LicenseUsageStatus.EXPIRY_SOON]
+def usage_expiry():
+    """Keep license usage records for 3 months"""
+    return now() + timedelta(days=30 * 3)
 
 
 class LicenseUsage(ExpiringModel):
@@ -84,9 +59,9 @@ class LicenseUsage(ExpiringModel):
 
     usage_uuid = models.UUIDField(primary_key=True, editable=False, default=uuid4)
 
-    internal_user_count = models.BigIntegerField()
+    user_count = models.BigIntegerField()
     external_user_count = models.BigIntegerField()
-    status = models.TextField(choices=LicenseUsageStatus.choices)
+    within_limits = models.BooleanField()
 
     record_date = models.DateTimeField(auto_now_add=True)
 

authentik/enterprise/policy.py

@@ -13,7 +13,7 @@ class EnterprisePolicyAccessView(PolicyAccessView):
 
     def check_license(self):
         """Check license"""
-        if not LicenseKey.get_total().status().is_valid:
+        if not LicenseKey.get_total().is_valid():
             return PolicyResult(False, _("Enterprise required to access this feature."))
         if self.request.user.type != UserTypes.INTERNAL:
             return PolicyResult(False, _("Feature only accessible for internal users."))

authentik/enterprise/providers/rac/api/connection_tokens.py

@@ -34,12 +34,6 @@ class ConnectionTokenSerializer(EnterpriseRequiredMixin, ModelSerializer):
         ]
 
 
-class ConnectionTokenOwnerFilter(OwnerFilter):
-    """Owner filter for connection tokens (checks session's user)"""
-
-    owner_key = "session__user"
-
-
 class ConnectionTokenViewSet(
     mixins.RetrieveModelMixin,
     mixins.UpdateModelMixin,
@@ -56,9 +50,4 @@ class ConnectionTokenViewSet(
     search_fields = ["endpoint__name", "provider__name"]
     ordering = ["endpoint__name", "provider__name"]
     permission_classes = [OwnerSuperuserPermissions]
-    filter_backends = [
-        ConnectionTokenOwnerFilter,
-        DjangoFilterBackend,
-        OrderingFilter,
-        SearchFilter,
-    ]
+    filter_backends = [OwnerFilter, DjangoFilterBackend, OrderingFilter, SearchFilter]

authentik/enterprise/providers/rac/signals.py

@@ -21,8 +21,6 @@ from authentik.enterprise.providers.rac.models import ConnectionToken, Endpoint
 @receiver(user_logged_out)
 def user_logged_out_session(sender, request: HttpRequest, user: User, **_):
     """Disconnect any open RAC connections"""
-    if not request.session or not request.session.session_key:
-        return
     layer = get_channel_layer()
     async_to_sync(layer.group_send)(
         RAC_CLIENT_GROUP_SESSION

authentik/enterprise/tests/test_license.py

@@ -9,26 +9,10 @@ from django.utils.timezone import now
 from rest_framework.exceptions import ValidationError
 
 from authentik.enterprise.license import LicenseKey
-from authentik.enterprise.models import (
-    THRESHOLD_READ_ONLY_WEEKS,
-    THRESHOLD_WARNING_ADMIN_WEEKS,
-    THRESHOLD_WARNING_USER_WEEKS,
-    License,
-    LicenseUsage,
-    LicenseUsageStatus,
-)
+from authentik.enterprise.models import License
 from authentik.lib.generators import generate_id
 
-# Valid license expiry
-expiry_valid = int(mktime((now() + timedelta(days=3000)).timetuple()))
-# Valid license expiry, expires soon
-expiry_soon = int(mktime((now() + timedelta(hours=10)).timetuple()))
-# Invalid license expiry, recently expired
-expiry_expired = int(mktime((now() - timedelta(hours=10)).timetuple()))
-# Invalid license expiry, expired longer ago
-expiry_expired_read_only = int(
-    mktime((now() - timedelta(weeks=THRESHOLD_READ_ONLY_WEEKS + 1)).timetuple())
-)
+_exp = int(mktime((now() + timedelta(days=3000)).timetuple()))
 
 
 class TestEnterpriseLicense(TestCase):
@@ -39,7 +23,7 @@ class TestEnterpriseLicense(TestCase):
         MagicMock(
             return_value=LicenseKey(
                 aud="",
-                exp=expiry_valid,
+                exp=_exp,
                 name=generate_id(),
                 internal_users=100,
                 external_users=100,
@@ -49,7 +33,7 @@ class TestEnterpriseLicense(TestCase):
     def test_valid(self):
         """Check license verification"""
         lic = License.objects.create(key=generate_id())
-        self.assertTrue(lic.status.status().is_valid)
+        self.assertTrue(lic.status.is_valid())
         self.assertEqual(lic.internal_users, 100)
 
     def test_invalid(self):
@@ -62,7 +46,7 @@ class TestEnterpriseLicense(TestCase):
         MagicMock(
             return_value=LicenseKey(
                 aud="",
-                exp=expiry_valid,
+                exp=_exp,
                 name=generate_id(),
                 internal_users=100,
                 external_users=100,
@@ -72,186 +56,11 @@ class TestEnterpriseLicense(TestCase):
     def test_valid_multiple(self):
         """Check license verification"""
         lic = License.objects.create(key=generate_id())
-        self.assertTrue(lic.status.status().is_valid)
+        self.assertTrue(lic.status.is_valid())
         lic2 = License.objects.create(key=generate_id())
-        self.assertTrue(lic2.status.status().is_valid)
+        self.assertTrue(lic2.status.is_valid())
         total = LicenseKey.get_total()
         self.assertEqual(total.internal_users, 200)
         self.assertEqual(total.external_users, 200)
-        self.assertEqual(total.exp, expiry_valid)
-        self.assertTrue(total.status().is_valid)
-
-    @patch(
-        "authentik.enterprise.license.LicenseKey.validate",
-        MagicMock(
-            return_value=LicenseKey(
-                aud="",
-                exp=expiry_valid,
-                name=generate_id(),
-                internal_users=100,
-                external_users=100,
-            )
-        ),
-    )
-    @patch(
-        "authentik.enterprise.license.LicenseKey.get_internal_user_count",
-        MagicMock(return_value=1000),
-    )
-    @patch(
-        "authentik.enterprise.license.LicenseKey.get_external_user_count",
-        MagicMock(return_value=1000),
-    )
-    @patch(
-        "authentik.enterprise.license.LicenseKey.record_usage",
-        MagicMock(),
-    )
-    def test_limit_exceeded_read_only(self):
-        """Check license verification"""
-        License.objects.create(key=generate_id())
-        usage = LicenseUsage.objects.create(
-            internal_user_count=100,
-            external_user_count=100,
-            status=LicenseUsageStatus.VALID,
-        )
-        usage.record_date = now() - timedelta(weeks=THRESHOLD_READ_ONLY_WEEKS + 1)
-        usage.save(update_fields=["record_date"])
-        self.assertEqual(LicenseKey.get_total().summary().status, LicenseUsageStatus.READ_ONLY)
-
-    @patch(
-        "authentik.enterprise.license.LicenseKey.validate",
-        MagicMock(
-            return_value=LicenseKey(
-                aud="",
-                exp=expiry_valid,
-                name=generate_id(),
-                internal_users=100,
-                external_users=100,
-            )
-        ),
-    )
-    @patch(
-        "authentik.enterprise.license.LicenseKey.get_internal_user_count",
-        MagicMock(return_value=1000),
-    )
-    @patch(
-        "authentik.enterprise.license.LicenseKey.get_external_user_count",
-        MagicMock(return_value=1000),
-    )
-    @patch(
-        "authentik.enterprise.license.LicenseKey.record_usage",
-        MagicMock(),
-    )
-    def test_limit_exceeded_user_warning(self):
-        """Check license verification"""
-        License.objects.create(key=generate_id())
-        usage = LicenseUsage.objects.create(
-            internal_user_count=100,
-            external_user_count=100,
-            status=LicenseUsageStatus.VALID,
-        )
-        usage.record_date = now() - timedelta(weeks=THRESHOLD_WARNING_USER_WEEKS + 1)
-        usage.save(update_fields=["record_date"])
-        self.assertEqual(
-            LicenseKey.get_total().summary().status, LicenseUsageStatus.LIMIT_EXCEEDED_USER
-        )
-
-    @patch(
-        "authentik.enterprise.license.LicenseKey.validate",
-        MagicMock(
-            return_value=LicenseKey(
-                aud="",
-                exp=expiry_valid,
-                name=generate_id(),
-                internal_users=100,
-                external_users=100,
-            )
-        ),
-    )
-    @patch(
-        "authentik.enterprise.license.LicenseKey.get_internal_user_count",
-        MagicMock(return_value=1000),
-    )
-    @patch(
-        "authentik.enterprise.license.LicenseKey.get_external_user_count",
-        MagicMock(return_value=1000),
-    )
-    @patch(
-        "authentik.enterprise.license.LicenseKey.record_usage",
-        MagicMock(),
-    )
-    def test_limit_exceeded_admin_warning(self):
-        """Check license verification"""
-        License.objects.create(key=generate_id())
-        usage = LicenseUsage.objects.create(
-            internal_user_count=100,
-            external_user_count=100,
-            status=LicenseUsageStatus.VALID,
-        )
-        usage.record_date = now() - timedelta(weeks=THRESHOLD_WARNING_ADMIN_WEEKS + 1)
-        usage.save(update_fields=["record_date"])
-        self.assertEqual(
-            LicenseKey.get_total().summary().status, LicenseUsageStatus.LIMIT_EXCEEDED_ADMIN
-        )
-
-    @patch(
-        "authentik.enterprise.license.LicenseKey.validate",
-        MagicMock(
-            return_value=LicenseKey(
-                aud="",
-                exp=expiry_expired_read_only,
-                name=generate_id(),
-                internal_users=100,
-                external_users=100,
-            )
-        ),
-    )
-    @patch(
-        "authentik.enterprise.license.LicenseKey.record_usage",
-        MagicMock(),
-    )
-    def test_expiry_read_only(self):
-        """Check license verification"""
-        License.objects.create(key=generate_id())
-        self.assertEqual(LicenseKey.get_total().summary().status, LicenseUsageStatus.READ_ONLY)
-
-    @patch(
-        "authentik.enterprise.license.LicenseKey.validate",
-        MagicMock(
-            return_value=LicenseKey(
-                aud="",
-                exp=expiry_expired,
-                name=generate_id(),
-                internal_users=100,
-                external_users=100,
-            )
-        ),
-    )
-    @patch(
-        "authentik.enterprise.license.LicenseKey.record_usage",
-        MagicMock(),
-    )
-    def test_expiry_expired(self):
-        """Check license verification"""
-        License.objects.create(key=generate_id())
-        self.assertEqual(LicenseKey.get_total().summary().status, LicenseUsageStatus.EXPIRED)
-
-    @patch(
-        "authentik.enterprise.license.LicenseKey.validate",
-        MagicMock(
-            return_value=LicenseKey(
-                aud="",
-                exp=expiry_soon,
-                name=generate_id(),
-                internal_users=100,
-                external_users=100,
-            )
-        ),
-    )
-    @patch(
-        "authentik.enterprise.license.LicenseKey.record_usage",
-        MagicMock(),
-    )
-    def test_expiry_soon(self):
-        """Check license verification"""
-        License.objects.create(key=generate_id())
-        self.assertEqual(LicenseKey.get_total().summary().status, LicenseUsageStatus.EXPIRY_SOON)
+        self.assertEqual(total.exp, _exp)
+        self.assertTrue(total.is_valid())

authentik/enterprise/tests/test_read_only.py

@@ -1,217 +0,0 @@
-"""read only tests"""
-
-from datetime import timedelta
-from unittest.mock import MagicMock, patch
-
-from django.urls import reverse
-from django.utils.timezone import now
-
-from authentik.core.tests.utils import create_test_admin_user, create_test_flow, create_test_user
-from authentik.enterprise.license import LicenseKey
-from authentik.enterprise.models import (
-    THRESHOLD_READ_ONLY_WEEKS,
-    License,
-    LicenseUsage,
-    LicenseUsageStatus,
-)
-from authentik.enterprise.tests.test_license import expiry_valid
-from authentik.flows.models import (
-    FlowDesignation,
-    FlowStageBinding,
-)
-from authentik.flows.tests import FlowTestCase
-from authentik.lib.generators import generate_id
-from authentik.stages.identification.models import IdentificationStage, UserFields
-from authentik.stages.password import BACKEND_INBUILT
-from authentik.stages.password.models import PasswordStage
-from authentik.stages.user_login.models import UserLoginStage
-
-
-class TestReadOnly(FlowTestCase):
-    """Test read_only"""
-
-    @patch(
-        "authentik.enterprise.license.LicenseKey.validate",
-        MagicMock(
-            return_value=LicenseKey(
-                aud="",
-                exp=expiry_valid,
-                name=generate_id(),
-                internal_users=100,
-                external_users=100,
-            )
-        ),
-    )
-    @patch(
-        "authentik.enterprise.license.LicenseKey.get_internal_user_count",
-        MagicMock(return_value=1000),
-    )
-    @patch(
-        "authentik.enterprise.license.LicenseKey.get_external_user_count",
-        MagicMock(return_value=1000),
-    )
-    @patch(
-        "authentik.enterprise.license.LicenseKey.record_usage",
-        MagicMock(),
-    )
-    def test_login(self):
-        """Test flow, ensure login is still possible with read only mode"""
-        License.objects.create(key=generate_id())
-        usage = LicenseUsage.objects.create(
-            internal_user_count=100,
-            external_user_count=100,
-            status=LicenseUsageStatus.VALID,
-        )
-        usage.record_date = now() - timedelta(weeks=THRESHOLD_READ_ONLY_WEEKS + 1)
-        usage.save(update_fields=["record_date"])
-
-        flow = create_test_flow(
-            FlowDesignation.AUTHENTICATION,
-        )
-
-        ident_stage = IdentificationStage.objects.create(
-            name=generate_id(),
-            user_fields=[UserFields.E_MAIL],
-            pretend_user_exists=False,
-        )
-        FlowStageBinding.objects.create(
-            target=flow,
-            stage=ident_stage,
-            order=0,
-        )
-        password_stage = PasswordStage.objects.create(
-            name=generate_id(), backends=[BACKEND_INBUILT]
-        )
-        FlowStageBinding.objects.create(
-            target=flow,
-            stage=password_stage,
-            order=1,
-        )
-        login_stage = UserLoginStage.objects.create(
-            name=generate_id(),
-        )
-        FlowStageBinding.objects.create(
-            target=flow,
-            stage=login_stage,
-            order=2,
-        )
-
-        user = create_test_user()
-
-        exec_url = reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug})
-        response = self.client.get(exec_url)
-        self.assertStageResponse(
-            response,
-            flow,
-            component="ak-stage-identification",
-            password_fields=False,
-            primary_action="Log in",
-            sources=[],
-            show_source_labels=False,
-            user_fields=[UserFields.E_MAIL],
-        )
-        response = self.client.post(exec_url, {"uid_field": user.email}, follow=True)
-        self.assertStageResponse(response, flow, component="ak-stage-password")
-        response = self.client.post(exec_url, {"password": user.username}, follow=True)
-        self.assertStageRedirects(response, reverse("authentik_core:root-redirect"))
-
-    @patch(
-        "authentik.enterprise.license.LicenseKey.validate",
-        MagicMock(
-            return_value=LicenseKey(
-                aud="",
-                exp=expiry_valid,
-                name=generate_id(),
-                internal_users=100,
-                external_users=100,
-            )
-        ),
-    )
-    @patch(
-        "authentik.enterprise.license.LicenseKey.get_internal_user_count",
-        MagicMock(return_value=1000),
-    )
-    @patch(
-        "authentik.enterprise.license.LicenseKey.get_external_user_count",
-        MagicMock(return_value=1000),
-    )
-    @patch(
-        "authentik.enterprise.license.LicenseKey.record_usage",
-        MagicMock(),
-    )
-    def test_manage_licenses(self):
-        """Test that managing licenses is still possible"""
-        license = License.objects.create(key=generate_id())
-        usage = LicenseUsage.objects.create(
-            internal_user_count=100,
-            external_user_count=100,
-            status=LicenseUsageStatus.VALID,
-        )
-        usage.record_date = now() - timedelta(weeks=THRESHOLD_READ_ONLY_WEEKS + 1)
-        usage.save(update_fields=["record_date"])
-
-        admin = create_test_admin_user()
-        self.client.force_login(admin)
-
-        # Reading is always allowed
-        response = self.client.get(reverse("authentik_api:license-list"))
-        self.assertEqual(response.status_code, 200)
-
-        # Writing should also be allowed
-        response = self.client.patch(
-            reverse("authentik_api:license-detail", kwargs={"pk": license.pk})
-        )
-        self.assertEqual(response.status_code, 200)
-
-    @patch(
-        "authentik.enterprise.license.LicenseKey.validate",
-        MagicMock(
-            return_value=LicenseKey(
-                aud="",
-                exp=expiry_valid,
-                name=generate_id(),
-                internal_users=100,
-                external_users=100,
-            )
-        ),
-    )
-    @patch(
-        "authentik.enterprise.license.LicenseKey.get_internal_user_count",
-        MagicMock(return_value=1000),
-    )
-    @patch(
-        "authentik.enterprise.license.LicenseKey.get_external_user_count",
-        MagicMock(return_value=1000),
-    )
-    @patch(
-        "authentik.enterprise.license.LicenseKey.record_usage",
-        MagicMock(),
-    )
-    def test_manage_flows(self):
-        """Test flow"""
-        License.objects.create(key=generate_id())
-        usage = LicenseUsage.objects.create(
-            internal_user_count=100,
-            external_user_count=100,
-            status=LicenseUsageStatus.VALID,
-        )
-        usage.record_date = now() - timedelta(weeks=THRESHOLD_READ_ONLY_WEEKS + 1)
-        usage.save(update_fields=["record_date"])
-
-        admin = create_test_admin_user()
-        self.client.force_login(admin)
-
-        # Read only is still allowed
-        response = self.client.get(reverse("authentik_api:flow-list"))
-        self.assertEqual(response.status_code, 200)
-
-        flow = create_test_flow()
-        # Writing is not
-        response = self.client.patch(
-            reverse("authentik_api:flow-detail", kwargs={"slug": flow.slug})
-        )
-        self.assertJSONEqual(
-            response.content,
-            {"detail": "Request denied due to expired/invalid license.", "code": "denied_license"},
-        )
-        self.assertEqual(response.status_code, 400)

authentik/events/context_processors/asn.py

@@ -5,7 +5,7 @@ from typing import TYPE_CHECKING, Optional, TypedDict
 from django.http import HttpRequest
 from geoip2.errors import GeoIP2Error
 from geoip2.models import ASN
-from sentry_sdk import start_span
+from sentry_sdk import Hub
 
 from authentik.events.context_processors.mmdb import MMDBContextProcessor
 from authentik.lib.config import CONFIG
@@ -48,7 +48,7 @@ class ASNContextProcessor(MMDBContextProcessor):
 
     def asn(self, ip_address: str) -> ASN | None:
         """Wrapper for Reader.asn"""
-        with start_span(
+        with Hub.current.start_span(
             op="authentik.events.asn.asn",
             description=ip_address,
         ):

authentik/events/context_processors/geoip.py

@@ -5,7 +5,7 @@ from typing import TYPE_CHECKING, Optional, TypedDict
 from django.http import HttpRequest
 from geoip2.errors import GeoIP2Error
 from geoip2.models import City
-from sentry_sdk import start_span
+from sentry_sdk.hub import Hub
 
 from authentik.events.context_processors.mmdb import MMDBContextProcessor
 from authentik.lib.config import CONFIG
@@ -49,7 +49,7 @@ class GeoIPContextProcessor(MMDBContextProcessor):
 
     def city(self, ip_address: str) -> City | None:
         """Wrapper for Reader.city"""
-        with start_span(
+        with Hub.current.start_span(
             op="authentik.events.geo.city",
             description=ip_address,
         ):

authentik/flows/challenge.py

@@ -32,6 +32,14 @@ class FlowLayout(models.TextChoices):
     SIDEBAR_RIGHT = "sidebar_right"
 
 
+class ChallengeTypes(Enum):
+    """Currently defined challenge types"""
+
+    NATIVE = "native"
+    SHELL = "shell"
+    REDIRECT = "redirect"
+
+
 class ErrorDetailSerializer(PassiveSerializer):
     """Serializer for rest_framework's error messages"""
 
@@ -52,6 +60,9 @@ class Challenge(PassiveSerializer):
     """Challenge that gets sent to the client based on which stage
     is currently active"""
 
+    type = ChoiceField(
+        choices=[(x.value, x.name) for x in ChallengeTypes],
+    )
     flow_info = ContextualFlowInfo(required=False)
     component = CharField(default="")
 
@@ -85,6 +96,7 @@ class FlowErrorChallenge(Challenge):
     """Challenge class when an unhandled error occurs during a stage. Normal users
     are shown an error message, superusers are shown a full stacktrace."""
 
+    type = CharField(default=ChallengeTypes.NATIVE.value)
     component = CharField(default="ak-stage-flow-error")
 
     request_id = CharField()

authentik/flows/planner.py

@@ -5,7 +5,7 @@ from typing import Any
 
 from django.core.cache import cache
 from django.http import HttpRequest
-from sentry_sdk import start_span
+from sentry_sdk.hub import Hub
 from sentry_sdk.tracing import Span
 from structlog.stdlib import BoundLogger, get_logger
 
@@ -151,7 +151,9 @@ class FlowPlanner:
     def plan(self, request: HttpRequest, default_context: dict[str, Any] | None = None) -> FlowPlan:
         """Check each of the flows' policies, check policies for each stage with PolicyBinding
         and return ordered list"""
-        with start_span(op="authentik.flow.planner.plan", description=self.flow.slug) as span:
+        with Hub.current.start_span(
+            op="authentik.flow.planner.plan", description=self.flow.slug
+        ) as span:
             span: Span
             span.set_data("flow", self.flow)
             span.set_data("request", request)
@@ -216,7 +218,7 @@ class FlowPlanner:
         """Build flow plan by checking each stage in their respective
         order and checking the applied policies"""
         with (
-            start_span(
+            Hub.current.start_span(
                 op="authentik.flow.planner.build_plan",
                 description=self.flow.slug,
             ) as span,

authentik/flows/stage.py

@@ -10,7 +10,7 @@ from django.urls import reverse
 from django.views.generic.base import View
 from prometheus_client import Histogram
 from rest_framework.request import Request
-from sentry_sdk import start_span
+from sentry_sdk.hub import Hub
 from structlog.stdlib import BoundLogger, get_logger
 
 from authentik.core.models import User
@@ -18,6 +18,7 @@ from authentik.flows.challenge import (
     AccessDeniedChallenge,
     Challenge,
     ChallengeResponse,
+    ChallengeTypes,
     ContextualFlowInfo,
     HttpChallengeResponse,
     RedirectChallenge,
@@ -123,7 +124,7 @@ class ChallengeStageView(StageView):
                 )
                 return self.executor.restart_flow(keep_context)
             with (
-                start_span(
+                Hub.current.start_span(
                     op="authentik.flow.stage.challenge_invalid",
                     description=self.__class__.__name__,
                 ),
@@ -133,7 +134,7 @@ class ChallengeStageView(StageView):
             ):
                 return self.challenge_invalid(challenge)
         with (
-            start_span(
+            Hub.current.start_span(
                 op="authentik.flow.stage.challenge_valid",
                 description=self.__class__.__name__,
             ),
@@ -159,7 +160,7 @@ class ChallengeStageView(StageView):
 
     def _get_challenge(self, *args, **kwargs) -> Challenge:
         with (
-            start_span(
+            Hub.current.start_span(
                 op="authentik.flow.stage.get_challenge",
                 description=self.__class__.__name__,
             ),
@@ -172,7 +173,7 @@ class ChallengeStageView(StageView):
             except StageInvalidException as exc:
                 self.logger.debug("Got StageInvalidException", exc=exc)
                 return self.executor.stage_invalid()
-        with start_span(
+        with Hub.current.start_span(
             op="authentik.flow.stage._get_challenge",
             description=self.__class__.__name__,
         ):
@@ -243,6 +244,7 @@ class AccessDeniedChallengeView(ChallengeStageView):
         return AccessDeniedChallenge(
             data={
                 "error_message": str(self.error_message or "Unknown error"),
+                "type": ChallengeTypes.NATIVE.value,
                 "component": "ak-stage-access-denied",
             }
         )
@@ -262,6 +264,7 @@ class RedirectStage(ChallengeStageView):
         )
         return RedirectChallenge(
             data={
+                "type": ChallengeTypes.REDIRECT.value,
                 "to": destination,
             }
         )

authentik/flows/tests/__init__.py

@@ -8,6 +8,7 @@ from django.urls.base import reverse
 from rest_framework.test import APITestCase
 
 from authentik.core.models import User
+from authentik.flows.challenge import ChallengeTypes
 from authentik.flows.models import Flow
 
 
@@ -25,6 +26,7 @@ class FlowTestCase(APITestCase):
         self.assertEqual(response.status_code, 200)
         raw_response = loads(response.content.decode())
         self.assertIsNotNone(raw_response["component"])
+        self.assertIsNotNone(raw_response["type"])
         if flow:
             self.assertIn("flow_info", raw_response)
             self.assertEqual(raw_response["flow_info"]["background"], flow.background_url)
@@ -44,4 +46,6 @@ class FlowTestCase(APITestCase):
 
     def assertStageRedirects(self, response: HttpResponse, to: str) -> dict[str, Any]:
         """Wrapper around assertStageResponse that checks for a redirect"""
-        return self.assertStageResponse(response, component="xak-flow-redirect", to=to)
+        return self.assertStageResponse(
+            response, component="xak-flow-redirect", to=to, type=ChallengeTypes.REDIRECT.value
+        )

authentik/flows/tests/test_challenges.py

@@ -2,7 +2,7 @@
 
 from django.test import TestCase
 
-from authentik.flows.challenge import AutosubmitChallenge
+from authentik.flows.challenge import AutosubmitChallenge, ChallengeTypes
 
 
 class TestChallenges(TestCase):
@@ -12,6 +12,7 @@ class TestChallenges(TestCase):
         """Test blank autosubmit"""
         challenge = AutosubmitChallenge(
             data={
+                "type": ChallengeTypes.NATIVE.value,
                 "url": "http://localhost",
                 "attrs": {},
             }
@@ -20,6 +21,7 @@ class TestChallenges(TestCase):
         # Test with an empty value
         challenge = AutosubmitChallenge(
             data={
+                "type": ChallengeTypes.NATIVE.value,
                 "url": "http://localhost",
                 "attrs": {"foo": ""},
             }

authentik/flows/tests/test_inspector.py

@@ -7,6 +7,7 @@ from django.urls.base import reverse
 from rest_framework.test import APITestCase
 
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
+from authentik.flows.challenge import ChallengeTypes
 from authentik.flows.models import FlowDesignation, FlowStageBinding, InvalidResponseAction
 from authentik.stages.dummy.models import DummyStage
 from authentik.stages.identification.models import IdentificationStage, UserFields
@@ -45,7 +46,6 @@ class TestFlowInspector(APITestCase):
         self.assertJSONEqual(
             res.content,
             {
-                "allow_show_password": False,
                 "component": "ak-stage-identification",
                 "flow_info": {
                     "background": flow.background_url,
@@ -54,6 +54,7 @@ class TestFlowInspector(APITestCase):
                     "layout": "stacked",
                 },
                 "flow_designation": "authentication",
+                "type": ChallengeTypes.NATIVE.value,
                 "password_fields": False,
                 "primary_action": "Log in",
                 "sources": [],

authentik/flows/views/executor.py

@@ -18,8 +18,9 @@ from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, PolymorphicProxySerializer, extend_schema
 from rest_framework.permissions import AllowAny
 from rest_framework.views import APIView
-from sentry_sdk import capture_exception, start_span
+from sentry_sdk import capture_exception
 from sentry_sdk.api import set_tag
+from sentry_sdk.hub import Hub
 from structlog.stdlib import BoundLogger, get_logger
 
 from authentik.brands.models import Brand
@@ -29,6 +30,7 @@ from authentik.flows.apps import HIST_FLOW_EXECUTION_STAGE_TIME
 from authentik.flows.challenge import (
     Challenge,
     ChallengeResponse,
+    ChallengeTypes,
     FlowErrorChallenge,
     HttpChallengeResponse,
     RedirectChallenge,
@@ -153,7 +155,9 @@ class FlowExecutorView(APIView):
         return plan
 
     def dispatch(self, request: HttpRequest, flow_slug: str) -> HttpResponse:
-        with start_span(op="authentik.flow.executor.dispatch", description=self.flow.slug) as span:
+        with Hub.current.start_span(
+            op="authentik.flow.executor.dispatch", description=self.flow.slug
+        ) as span:
             span.set_data("authentik Flow", self.flow.slug)
             get_params = QueryDict(request.GET.get(QS_QUERY, ""))
             if QS_KEY_TOKEN in get_params:
@@ -271,7 +275,7 @@ class FlowExecutorView(APIView):
         )
         try:
             with (
-                start_span(
+                Hub.current.start_span(
                     op="authentik.flow.executor.stage",
                     description=class_path,
                 ) as span,
@@ -322,7 +326,7 @@ class FlowExecutorView(APIView):
         )
         try:
             with (
-                start_span(
+                Hub.current.start_span(
                     op="authentik.flow.executor.stage",
                     description=class_path,
                 ) as span,
@@ -548,6 +552,7 @@ def to_stage_response(request: HttpRequest, source: HttpResponse) -> HttpRespons
         return HttpChallengeResponse(
             RedirectChallenge(
                 {
+                    "type": ChallengeTypes.REDIRECT,
                     "to": str(redirect_url),
                 }
             )
@@ -556,6 +561,7 @@ def to_stage_response(request: HttpRequest, source: HttpResponse) -> HttpRespons
         return HttpChallengeResponse(
             ShellChallenge(
                 {
+                    "type": ChallengeTypes.SHELL,
                     "body": source.render().content.decode("utf-8"),
                 }
             )
@@ -565,6 +571,7 @@ def to_stage_response(request: HttpRequest, source: HttpResponse) -> HttpRespons
         return HttpChallengeResponse(
             ShellChallenge(
                 {
+                    "type": ChallengeTypes.SHELL,
                     "body": source.content.decode("utf-8"),
                 }
             )

authentik/lib/avatars.py

@@ -13,7 +13,7 @@ from lxml import etree  # nosec
 from lxml.etree import Element, SubElement  # nosec
 from requests.exceptions import ConnectionError, HTTPError, RequestException, Timeout
 
-from authentik.lib.utils.dict import get_path_from_dict
+from authentik.lib.config import get_path_from_dict
 from authentik.lib.utils.http import get_http_session
 from authentik.tenants.utils import get_current_tenant
 

authentik/lib/config.py

@@ -19,8 +19,6 @@ from urllib.parse import quote_plus, urlparse
 import yaml
 from django.conf import ImproperlyConfigured
 
-from authentik.lib.utils.dict import get_path_from_dict, set_path_in_dict
-
 SEARCH_PATHS = ["authentik/lib/default.yml", "/etc/authentik/config.yml", ""] + glob(
     "/etc/authentik/config.d/*.yml", recursive=True
 )
@@ -49,6 +47,29 @@ DEPRECATIONS = {
 }
 
 
+def get_path_from_dict(root: dict, path: str, sep=".", default=None) -> Any:
+    """Recursively walk through `root`, checking each part of `path` separated by `sep`.
+    If at any point a dict does not exist, return default"""
+    for comp in path.split(sep):
+        if root and comp in root:
+            root = root.get(comp)
+        else:
+            return default
+    return root
+
+
+def set_path_in_dict(root: dict, path: str, value: Any, sep="."):
+    """Recursively walk through `root`, checking each part of `path` separated by `sep`
+    and setting the last value to `value`"""
+    # Walk each component of the path
+    path_parts = path.split(sep)
+    for comp in path_parts[:-1]:
+        if comp not in root:
+            root[comp] = {}
+        root = root.get(comp, {})
+    root[path_parts[-1]] = value
+
+
 @dataclass(slots=True)
 class Attr:
     """Single configuration attribute"""

authentik/lib/expression/evaluator.py

@@ -13,7 +13,7 @@ from django.core.exceptions import FieldError
 from django.utils.text import slugify
 from guardian.shortcuts import get_anonymous_user
 from rest_framework.serializers import ValidationError
-from sentry_sdk import start_span
+from sentry_sdk.hub import Hub
 from sentry_sdk.tracing import Span
 from structlog.stdlib import get_logger
 
@@ -195,7 +195,7 @@ class BaseEvaluator:
         """Parse and evaluate expression. If the syntax is incorrect, a SyntaxError is raised.
         If any exception is raised during execution, it is raised.
         The result is returned without any type-checking."""
-        with start_span(op="authentik.lib.evaluator.evaluate") as span:
+        with Hub.current.start_span(op="authentik.lib.evaluator.evaluate") as span:
             span: Span
             span.description = self._filename
             span.set_data("expression", expression_source)

authentik/lib/models.py

@@ -62,7 +62,7 @@ class DomainlessURLValidator(URLValidator):
             r"^(?:[a-z0-9.+-]*)://"  # scheme is validated separately
             r"(?:[^\s:@/]+(?::[^\s:@/]*)?@)?"  # user:pass authentication
             r"(?:" + self.ipv4_re + "|" + self.ipv6_re + "|" + self.host_re + ")"
-            r"(?::\d{1,5})?"  # port
+            r"(?::\d{2,5})?"  # port
             r"(?:[/?#][^\s]*)?"  # resource path
             r"\Z",
             re.IGNORECASE,
@@ -88,7 +88,7 @@ class DomainlessFormattedURLValidator(DomainlessURLValidator):
             r"^(?:[a-z0-9.+-]*)://"  # scheme is validated separately
             r"(?:[^\s:@/]+(?::[^\s:@/]*)?@)?"  # user:pass authentication
             r"(?:" + self.ipv4_re + "|" + self.ipv6_re + "|" + self.host_re + ")"
-            r"(?::\d{1,5})?"  # port
+            r"(?::\d{2,5})?"  # port
             r"(?:[/?#][^\s]*)?"  # resource path
             r"\Z",
             re.IGNORECASE,

authentik/lib/sentry.py

@@ -59,16 +59,15 @@ def sentry_init(**sentry_init_kwargs):
         "_experiments": {
             "profiles_sample_rate": float(CONFIG.get("error_reporting.sample_rate", 0.1)),
         },
-        **sentry_init_kwargs,
-        **CONFIG.get_dict_from_b64_json("error_reporting.extra_args", {}),
     }
+    kwargs.update(**sentry_init_kwargs)
 
     sentry_sdk_init(
         dsn=CONFIG.get("error_reporting.sentry_dsn"),
         integrations=[
             ArgvIntegration(),
             StdlibIntegration(),
-            DjangoIntegration(transaction_style="function_name", cache_spans=True),
+            DjangoIntegration(transaction_style="function_name"),
             CeleryIntegration(),
             RedisIntegration(),
             ThreadingIntegration(propagate_hub=True),

authentik/lib/sync/mapper.py

@@ -20,10 +20,6 @@ class PropertyMappingManager:
 
     _evaluators: list[PropertyMappingEvaluator]
 
-    globals: dict
-
-    __has_compiled: bool
-
     def __init__(
         self,
         qs: QuerySet[PropertyMapping],
@@ -34,11 +30,10 @@ class PropertyMappingManager:
         # we need a list of all parameter names that will be used during evaluation
         context_keys: list[str],
     ) -> None:
-        self.query_set = qs.order_by("name")
+        self.query_set = qs
         self.mapping_subclass = mapping_subclass
         self.context_keys = context_keys
-        self.globals = {}
-        self.__has_compiled = False
+        self.compile()
 
     def compile(self):
         self._evaluators = []
@@ -48,7 +43,6 @@ class PropertyMappingManager:
             evaluator = PropertyMappingEvaluator(
                 mapping, **{key: None for key in self.context_keys}
             )
-            evaluator._globals.update(self.globals)
             # Compile and cache expression
             evaluator.compile()
             self._evaluators.append(evaluator)
@@ -62,9 +56,6 @@ class PropertyMappingManager:
     ) -> Generator[tuple[dict, PropertyMapping], None]:
         """Iterate over all mappings that were pre-compiled and
         execute all of them with the given context"""
-        if not self.__has_compiled:
-            self.compile()
-            self.__has_compiled = True
         for mapping in self._evaluators:
             mapping.set_context(user, request, **kwargs)
             try:

authentik/lib/utils/dict.py

@@ -1,24 +0,0 @@
-from typing import Any
-
-
-def get_path_from_dict(root: dict, path: str, sep=".", default=None) -> Any:
-    """Recursively walk through `root`, checking each part of `path` separated by `sep`.
-    If at any point a dict does not exist, return default"""
-    for comp in path.split(sep):
-        if root and comp in root:
-            root = root.get(comp)
-        else:
-            return default
-    return root
-
-
-def set_path_in_dict(root: dict, path: str, value: Any, sep="."):
-    """Recursively walk through `root`, checking each part of `path` separated by `sep`
-    and setting the last value to `value`"""
-    # Walk each component of the path
-    path_parts = path.split(sep)
-    for comp in path_parts[:-1]:
-        if comp not in root:
-            root[comp] = {}
-        root = root.get(comp, {})
-    root[path_parts[-1]] = value

authentik/outposts/api/outposts.py

@@ -140,7 +140,7 @@ class OutpostHealthSerializer(PassiveSerializer):
 
     def get_fips_enabled(self, obj: dict) -> bool | None:
         """Get FIPS enabled"""
-        if not LicenseKey.get_total().status().is_valid:
+        if not LicenseKey.get_total().is_valid():
             return None
         return obj["fips_enabled"]
 

authentik/policies/engine.py

@@ -7,7 +7,7 @@ from time import perf_counter
 
 from django.core.cache import cache
 from django.http import HttpRequest
-from sentry_sdk import start_span
+from sentry_sdk.hub import Hub
 from sentry_sdk.tracing import Span
 from structlog.stdlib import BoundLogger, get_logger
 
@@ -111,7 +111,7 @@ class PolicyEngine:
     def build(self) -> "PolicyEngine":
         """Build wrapper which monitors performance"""
         with (
-            start_span(
+            Hub.current.start_span(
                 op="authentik.policy.engine.build",
                 description=self.__pbm,
             ) as span,

authentik/policies/geoip/api.py

@@ -1,55 +0,0 @@
-"""GeoIP Policy API Views"""
-
-from django_countries import countries
-from django_countries.serializer_fields import CountryField
-from django_countries.serializers import CountryFieldMixin
-from rest_framework import serializers
-from rest_framework.generics import ListAPIView
-from rest_framework.permissions import AllowAny
-from rest_framework.viewsets import ModelViewSet
-
-from authentik.core.api.used_by import UsedByMixin
-from authentik.policies.api.policies import PolicySerializer
-from authentik.policies.geoip.models import GeoIPPolicy
-from authentik.policies.geoip.serializer_fields import DetailedCountryField
-
-
-class DetailedCountrySerializer(serializers.Serializer):
-    code = CountryField()
-    name = serializers.CharField()
-
-
-class ISO3166View(ListAPIView):
-    """Get all countries in ISO-3166-1"""
-
-    permission_classes = [AllowAny]
-    queryset = [{"code": code, "name": name} for (code, name) in countries]
-    serializer_class = DetailedCountrySerializer
-    filter_backends = []
-    pagination_class = None
-
-
-class GeoIPPolicySerializer(CountryFieldMixin, PolicySerializer):
-    """GeoIP Policy Serializer"""
-
-    countries_obj = serializers.ListField(
-        child=DetailedCountryField(), source="countries", read_only=True
-    )
-
-    class Meta:
-        model = GeoIPPolicy
-        fields = PolicySerializer.Meta.fields + [
-            "asns",
-            "countries",
-            "countries_obj",
-        ]
-
-
-class GeoIPPolicyViewSet(UsedByMixin, ModelViewSet):
-    """GeoIP Viewset"""
-
-    queryset = GeoIPPolicy.objects.all()
-    serializer_class = GeoIPPolicySerializer
-    filterset_fields = ["name"]
-    ordering = ["name"]
-    search_fields = ["name"]

authentik/policies/geoip/apps.py

@@ -1,11 +0,0 @@
-"""Authentik policy geoip app config"""
-
-from django.apps import AppConfig
-
-
-class AuthentikPolicyGeoIPConfig(AppConfig):
-    """Authentik policy_geoip app config"""
-
-    name = "authentik.policies.geoip"
-    label = "authentik_policies_geoip"
-    verbose_name = "authentik Policies.GeoIP"

authentik/policies/geoip/exceptions.py

@@ -1,5 +0,0 @@
-from authentik.lib.sentry import SentryIgnoredException
-
-
-class GeoIPNotFoundException(SentryIgnoredException):
-    """Exception raised when an IP is not found in a GeoIP database"""

authentik/policies/geoip/migrations/0001_initial.py

@@ -1,52 +0,0 @@
-# Generated by Django 5.0.7 on 2024-07-16 11:23
-
-import django.contrib.postgres.fields
-import django.db.models.deletion
-import django_countries.fields
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    initial = True
-
-    dependencies = [
-        ("authentik_policies", "0011_policybinding_failure_result_and_more"),
-    ]
-
-    operations = [
-        migrations.CreateModel(
-            name="GeoIPPolicy",
-            fields=[
-                (
-                    "policy_ptr",
-                    models.OneToOneField(
-                        auto_created=True,
-                        on_delete=django.db.models.deletion.CASCADE,
-                        parent_link=True,
-                        primary_key=True,
-                        serialize=False,
-                        to="authentik_policies.policy",
-                    ),
-                ),
-                (
-                    "asns",
-                    django.contrib.postgres.fields.ArrayField(
-                        base_field=models.IntegerField(), blank=True, default=list, size=None
-                    ),
-                ),
-                (
-                    "countries",
-                    django_countries.fields.CountryField(blank=True, max_length=746, multiple=True),
-                ),
-            ],
-            options={
-                "verbose_name": "GeoIP Policy",
-                "verbose_name_plural": "GeoIP Policies",
-                "indexes": [
-                    models.Index(fields=["policy_ptr_id"], name="authentik_p_policy__5cc4a9_idx")
-                ],
-            },
-            bases=("authentik_policies.policy",),
-        ),
-    ]

authentik/policies/geoip/models.py

@@ -1,92 +0,0 @@
-"""GeoIP policy"""
-
-from itertools import chain
-
-from django.contrib.postgres.fields import ArrayField
-from django.db import models
-from django.utils.translation import gettext as _
-from django_countries.fields import CountryField
-from rest_framework.serializers import BaseSerializer
-
-from authentik.policies.exceptions import PolicyException
-from authentik.policies.geoip.exceptions import GeoIPNotFoundException
-from authentik.policies.models import Policy
-from authentik.policies.types import PolicyRequest, PolicyResult
-
-
-class GeoIPPolicy(Policy):
-    """Ensure the user satisfies requirements of geography or network topology, based on IP
-    address."""
-
-    asns = ArrayField(models.IntegerField(), blank=True, default=list)
-    countries = CountryField(multiple=True, blank=True)
-
-    @property
-    def serializer(self) -> type[BaseSerializer]:
-        from authentik.policies.geoip.api import GeoIPPolicySerializer
-
-        return GeoIPPolicySerializer
-
-    @property
-    def component(self) -> str:  # pragma: no cover
-        return "ak-policy-geoip-form"
-
-    def passes(self, request: PolicyRequest) -> PolicyResult:
-        """
-        Passes if any of the following is true:
-        - the client IP is advertised by an autonomous system with ASN in the `asns`
-        - the client IP is geolocated in a country of `countries`
-        """
-        results: list[PolicyResult] = []
-
-        if self.asns:
-            results.append(self.passes_asn(request))
-        if self.countries:
-            results.append(self.passes_country(request))
-
-        if not results:
-            return PolicyResult(True)
-
-        passing = any(r.passing for r in results)
-        messages = chain(*[r.messages for r in results])
-
-        result = PolicyResult(passing, *messages)
-        result.source_results = results
-
-        return result
-
-    def passes_asn(self, request: PolicyRequest) -> PolicyResult:
-        # This is not a single get chain because `request.context` can contain `{ "asn": None }`.
-        asn_data = request.context.get("asn")
-        asn = asn_data.get("asn") if asn_data else None
-
-        if not asn:
-            raise PolicyException(
-                GeoIPNotFoundException(_("GeoIP: client IP not found in ASN database."))
-            )
-
-        if asn not in self.asns:
-            message = _("Client IP is not part of an allowed autonomous system.")
-            return PolicyResult(False, message)
-
-        return PolicyResult(True)
-
-    def passes_country(self, request: PolicyRequest) -> PolicyResult:
-        # This is not a single get chain because `request.context` can contain `{ "geoip": None }`.
-        geoip_data = request.context.get("geoip")
-        country = geoip_data.get("country") if geoip_data else None
-
-        if not country:
-            raise PolicyException(
-                GeoIPNotFoundException(_("GeoIP: client IP address not found in City database."))
-            )
-
-        if country not in self.countries:
-            message = _("Client IP is not in an allowed country.")
-            return PolicyResult(False, message)
-
-        return PolicyResult(True)
-
-    class Meta(Policy.PolicyMeta):
-        verbose_name = _("GeoIP Policy")
-        verbose_name_plural = _("GeoIP Policies")

authentik/policies/geoip/serializer_fields.py

@@ -1,21 +0,0 @@
-"""Workaround for https://github.com/SmileyChris/django-countries/issues/441"""
-
-from django_countries.serializer_fields import CountryField
-from drf_spectacular.utils import extend_schema_field, inline_serializer
-from rest_framework import serializers
-
-DETAILED_COUNTRY_SCHEMA = {
-    "code": CountryField(),
-    "name": serializers.CharField(),
-}
-
-
-@extend_schema_field(
-    inline_serializer(
-        "DetailedCountryField",
-        DETAILED_COUNTRY_SCHEMA,
-    )
-)
-class DetailedCountryField(CountryField):
-    def __init__(self):
-        super().__init__(country_dict=True)

authentik/policies/geoip/tests.py

@@ -1,128 +0,0 @@
-"""geoip policy tests"""
-
-from django.test import TestCase
-from guardian.shortcuts import get_anonymous_user
-
-from authentik.policies.engine import PolicyRequest, PolicyResult
-from authentik.policies.exceptions import PolicyException
-from authentik.policies.geoip.exceptions import GeoIPNotFoundException
-from authentik.policies.geoip.models import GeoIPPolicy
-
-
-class TestGeoIPPolicy(TestCase):
-    """Test GeoIP Policy"""
-
-    def setUp(self):
-        super().setUp()
-
-        self.request = PolicyRequest(get_anonymous_user())
-
-        self.context_disabled_geoip = {}
-        self.context_unknown_ip = {"asn": None, "geoip": None}
-        # 8.8.8.8
-        self.context = {
-            "asn": {"asn": 15169, "as_org": "GOOGLE", "network": "8.8.8.0/24"},
-            "geoip": {
-                "continent": "NA",
-                "country": "US",
-                "lat": 37.751,
-                "long": -97.822,
-                "city": "",
-            },
-        }
-
-        self.matching_asns = [13335, 15169]
-        self.matching_countries = ["US", "CA"]
-        self.mismatching_asns = [1, 2]
-        self.mismatching_countries = ["MX", "UA"]
-
-    def enrich_context_disabled_geoip(self):
-        pass
-
-    def enrich_context_unknown_ip(self):
-        self.request.context["asn"] = self.context_unknown_ip["asn"]
-        self.request.context["geoip"] = self.context_unknown_ip["geoip"]
-
-    def enrich_context(self):
-        self.request.context["asn"] = self.context["asn"]
-        self.request.context["geoip"] = self.context["geoip"]
-
-    def test_disabled_geoip(self):
-        """Test that disabled GeoIP raises PolicyException with GeoIPNotFoundException"""
-        self.enrich_context_disabled_geoip()
-        policy = GeoIPPolicy.objects.create(
-            asns=self.matching_asns, countries=self.matching_countries
-        )
-
-        with self.assertRaises(PolicyException) as cm:
-            policy.passes(self.request)
-
-        self.assertIsInstance(cm.exception.src_exc, GeoIPNotFoundException)
-
-    def test_unknown_ip(self):
-        """Test that unknown IP raises PolicyException with GeoIPNotFoundException"""
-        self.enrich_context_unknown_ip()
-        policy = GeoIPPolicy.objects.create(
-            asns=self.matching_asns, countries=self.matching_countries
-        )
-
-        with self.assertRaises(PolicyException) as cm:
-            policy.passes(self.request)
-
-        self.assertIsInstance(cm.exception.src_exc, GeoIPNotFoundException)
-
-    def test_empty_policy(self):
-        """Test that empty policy passes"""
-        self.enrich_context()
-        policy = GeoIPPolicy.objects.create()
-
-        result: PolicyResult = policy.passes(self.request)
-
-        self.assertTrue(result.passing)
-
-    def test_policy_with_matching_asns(self):
-        """Test that a policy with matching ASNs passes"""
-        self.enrich_context()
-        policy = GeoIPPolicy.objects.create(asns=self.matching_asns)
-
-        result: PolicyResult = policy.passes(self.request)
-
-        self.assertTrue(result.passing)
-
-    def test_policy_with_mismatching_asns(self):
-        """Test that a policy with mismatching ASNs fails"""
-        self.enrich_context()
-        policy = GeoIPPolicy.objects.create(asns=self.mismatching_asns)
-
-        result: PolicyResult = policy.passes(self.request)
-
-        self.assertFalse(result.passing)
-
-    def test_policy_with_matching_countries(self):
-        """Test that a policy with matching countries passes"""
-        self.enrich_context()
-        policy = GeoIPPolicy.objects.create(countries=self.matching_countries)
-
-        result: PolicyResult = policy.passes(self.request)
-
-        self.assertTrue(result.passing)
-
-    def test_policy_with_mismatching_countries(self):
-        """Test that a policy with mismatching countries fails"""
-        self.enrich_context()
-        policy = GeoIPPolicy.objects.create(countries=self.mismatching_countries)
-
-        result: PolicyResult = policy.passes(self.request)
-
-        self.assertFalse(result.passing)
-
-    def test_policy_requires_only_one_match(self):
-        """Test that a policy with one matching value passes"""
-        self.enrich_context()
-        policy = GeoIPPolicy.objects.create(
-            asns=self.mismatching_asns, countries=self.matching_countries
-        )
-
-        result: PolicyResult = policy.passes(self.request)
-
-        self.assertTrue(result.passing)

authentik/policies/geoip/urls.py

@@ -1,10 +0,0 @@
-"""API URLs"""
-
-from django.urls import path
-
-from authentik.policies.geoip.api import GeoIPPolicyViewSet, ISO3166View
-
-api_urlpatterns = [
-    ("policies/geoip", GeoIPPolicyViewSet),
-    path("policies/geoip_iso3166/", ISO3166View.as_view(), name="iso-3166-view"),
-]

authentik/policies/process.py

@@ -4,7 +4,7 @@ from multiprocessing import get_context
 from multiprocessing.connection import Connection
 
 from django.core.cache import cache
-from sentry_sdk import start_span
+from sentry_sdk.hub import Hub
 from sentry_sdk.tracing import Span
 from structlog.stdlib import get_logger
 
@@ -121,7 +121,7 @@ class PolicyProcess(PROCESS_CLASS):
     def profiling_wrapper(self):
         """Run with profiling enabled"""
         with (
-            start_span(
+            Hub.current.start_span(
                 op="authentik.policy.process.execute",
             ) as span,
             HIST_POLICIES_EXECUTION_TIME.labels(

authentik/providers/ldap/api.py

@@ -5,8 +5,7 @@ from django.db.models.query import Q
 from django_filters.filters import BooleanFilter
 from django_filters.filterset import FilterSet
 from rest_framework.fields import CharField, ListField, SerializerMethodField
-from rest_framework.mixins import ListModelMixin
-from rest_framework.viewsets import GenericViewSet, ModelViewSet
+from rest_framework.viewsets import ModelViewSet, ReadOnlyModelViewSet
 
 from authentik.core.api.providers import ProviderSerializer
 from authentik.core.api.used_by import UsedByMixin
@@ -106,7 +105,7 @@ class LDAPOutpostConfigSerializer(ModelSerializer):
         ]
 
 
-class LDAPOutpostConfigViewSet(ListModelMixin, GenericViewSet):
+class LDAPOutpostConfigViewSet(ReadOnlyModelViewSet):
     """LDAPProvider Viewset"""
 
     queryset = LDAPProvider.objects.filter(

authentik/providers/oauth2/api/scopes.py

@@ -1,10 +1,14 @@
 """OAuth2Provider API Views"""
 
+from django_filters.filters import AllValuesMultipleFilter
+from django_filters.filterset import FilterSet
+from drf_spectacular.types import OpenApiTypes
+from drf_spectacular.utils import extend_schema_field
 from rest_framework.fields import CharField
 from rest_framework.serializers import ValidationError
 from rest_framework.viewsets import ModelViewSet
 
-from authentik.core.api.property_mappings import PropertyMappingFilterSet, PropertyMappingSerializer
+from authentik.core.api.property_mappings import PropertyMappingSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.providers.oauth2.models import ScopeMapping
 
@@ -29,12 +33,14 @@ class ScopeMappingSerializer(PropertyMappingSerializer):
         ]
 
 
-class ScopeMappingFilter(PropertyMappingFilterSet):
+class ScopeMappingFilter(FilterSet):
     """Filter for ScopeMapping"""
 
-    class Meta(PropertyMappingFilterSet.Meta):
+    managed = extend_schema_field(OpenApiTypes.STR)(AllValuesMultipleFilter(field_name="managed"))
+
+    class Meta:
         model = ScopeMapping
-        fields = PropertyMappingFilterSet.Meta.fields + ["scope_name"]
+        fields = ["scope_name", "name", "managed"]
 
 
 class ScopeMappingViewSet(UsedByMixin, ModelViewSet):

authentik/providers/oauth2/apps.py

@@ -1,9 +1,9 @@
 """authentik oauth provider app config"""
 
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
 
 
-class AuthentikProviderOAuth2Config(ManagedAppConfig):
+class AuthentikProviderOAuth2Config(AppConfig):
     """authentik oauth provider app config"""
 
     name = "authentik.providers.oauth2"
@@ -13,4 +13,3 @@ class AuthentikProviderOAuth2Config(ManagedAppConfig):
         "authentik.providers.oauth2.urls_root": "",
         "authentik.providers.oauth2.urls": "application/o/",
     }
-    default = True