Docker needs access to the git repo, if only as read-only.

This commit moves the build of the web into a sub-repository and refactors the build instructions to
understand that move.  The simple result at this time will be just a move and a re-arrangement of
the build paths so that the final product is still deposited in the `./dist` folder.

Only a few "functional" changes have been made:

- The core package has been renamed '@goauthentik/authentik' to distinguish itself from the root
  package name '@goauthentik/web'.
- The codespell paths have been updated
- The path to the imported markdown documentation has been updated.
- TSConfig.json has been split into a "base" and "build" pair. This is necessary because our future
  builds will use a slightly different configuration from our linters, as the former do not need the
  typing information (their job is to strip it away, leaving us with pure JavaScript), and the
  latter very definitely need it to make our IDE's work correctly.
- Rollup.config.js has also been split into a "base" and "build" pair. The base has been slightly
  refactored, with heavily concretized paths for the project ROOT and project DIST folders. This
  informs the moved authentik project where to put the built release.

The NPM -> Lage relationship was done mechanicall: I copied our targets from the existing
package.json into lage, then used some regex magic to tell lage "call all these targets in our
packages," of which we have exactly ONE right now.

I also had to fix yet another xliff consistency error.  *Sigh*.

.bumpversion.cfg

@@ -1,16 +1,16 @@
 [bumpversion]
-current_version = 2024.4.1
+current_version = 2023.10.7
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
-serialize = 
+serialize =
 	{major}.{minor}.{patch}-{rc_t}{rc_n}
 	{major}.{minor}.{patch}
 message = release: {new_version}
 tag_name = version/{new_version}
 
 [bumpversion:part:rc_t]
-values = 
+values =
 	rc
 	final
 optional_value = final
@@ -21,8 +21,6 @@ optional_value = final
 
 [bumpversion:file:schema.yml]
 
-[bumpversion:file:blueprints/schema.json]
-
 [bumpversion:file:authentik/__init__.py]
 
 [bumpversion:file:internal/constants/constants.go]

.dockerignore

@@ -6,7 +6,6 @@ build/**
 build_docs/**
 *Dockerfile
 blueprints/local
-.git
 !gen-ts-api/node_modules
 !gen-ts-api/dist/**
 !gen-go-api/

.github/FUNDING.yml

@@ -1 +1 @@
-custom: https://goauthentik.io/pricing/
+github: [BeryJu]

.github/ISSUE_TEMPLATE/question.md

@@ -9,7 +9,7 @@ assignees: ""
 **Describe your question/**
 A clear and concise description of what you're trying to do.
 
-**Relevant info**
+**Relevant infos**
 i.e. Version of other software you're using, specifics of your setup
 
 **Screenshots**

.github/actions/docker-push-variables/action.yml

@@ -11,10 +11,6 @@ inputs:
     description: "Docker image arch"
 
 outputs:
-  shouldBuild:
-    description: "Whether to build image or not"
-    value: ${{ steps.ev.outputs.shouldBuild }}
-
   sha:
     description: "sha"
     value: ${{ steps.ev.outputs.sha }}
@@ -38,10 +34,63 @@ runs:
   steps:
     - name: Generate config
       id: ev
-      shell: bash
+      shell: python
-      env:
-        IMAGE_NAME: ${{ inputs.image-name }}
-        IMAGE_ARCH: ${{ inputs.image-arch }}
-        PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
       run: |
-        python3 ${{ github.action_path }}/push_vars.py
+        """Helper script to get the actual branch name, docker safe"""
+        import configparser
+        import os
+        from time import time
+
+        parser = configparser.ConfigParser()
+        parser.read(".bumpversion.cfg")
+
+        branch_name = os.environ["GITHUB_REF"]
+        if os.environ.get("GITHUB_HEAD_REF", "") != "":
+            branch_name = os.environ["GITHUB_HEAD_REF"]
+        safe_branch_name = branch_name.replace("refs/heads/", "").replace("/", "-")
+
+        image_names = "${{ inputs.image-name }}".split(",")
+        image_arch = "${{ inputs.image-arch }}" or None
+
+        is_pull_request = bool("${{ github.event.pull_request.head.sha }}")
+        is_release = "dev" not in image_names[0]
+
+        sha = os.environ["GITHUB_SHA"] if not is_pull_request else "${{ github.event.pull_request.head.sha }}"
+
+        # 2042.1.0 or 2042.1.0-rc1
+        version = parser.get("bumpversion", "current_version")
+        # 2042.1
+        version_family = ".".join(version.split("-", 1)[0].split(".")[:-1])
+        prerelease = "-" in version
+
+        image_tags = []
+        if is_release:
+            for name in image_names:
+                image_tags += [
+                    f"{name}:{version}",
+                ]
+            if not prerelease:
+                image_tags += [
+                    f"{name}:latest",
+                    f"{name}:{version_family}",
+                ]
+        else:
+            suffix = ""
+            if image_arch and image_arch != "amd64":
+                suffix = f"-{image_arch}"
+            for name in image_names:
+                image_tags += [
+                    f"{name}:gh-{sha}{suffix}",  # Used for ArgoCD and PR comments
+                    f"{name}:gh-{safe_branch_name}{suffix}",  # For convenience
+                    f"{name}:gh-{safe_branch_name}-{int(time())}-{sha[:7]}{suffix}",  # Use by FluxCD
+                ]
+
+        image_main_tag = image_tags[0]
+        image_tags_rendered = ",".join(image_tags)
+
+        with open(os.environ["GITHUB_OUTPUT"], "a+", encoding="utf-8") as _output:
+            print("sha=%s" % sha, file=_output)
+            print("version=%s" % version, file=_output)
+            print("prerelease=%s" % prerelease, file=_output)
+            print("imageTags=%s" % image_tags_rendered, file=_output)
+            print("imageMainTag=%s" % image_main_tag, file=_output)

.github/actions/docker-push-variables/push_vars.py

@@ -1,62 +0,0 @@
-"""Helper script to get the actual branch name, docker safe"""
-
-import configparser
-import os
-from time import time
-
-parser = configparser.ConfigParser()
-parser.read(".bumpversion.cfg")
-
-should_build = str(os.environ.get("DOCKER_USERNAME", None) is not None).lower()
-
-branch_name = os.environ["GITHUB_REF"]
-if os.environ.get("GITHUB_HEAD_REF", "") != "":
-    branch_name = os.environ["GITHUB_HEAD_REF"]
-safe_branch_name = branch_name.replace("refs/heads/", "").replace("/", "-")
-
-image_names = os.getenv("IMAGE_NAME").split(",")
-image_arch = os.getenv("IMAGE_ARCH") or None
-
-is_pull_request = bool(os.getenv("PR_HEAD_SHA"))
-is_release = "dev" not in image_names[0]
-
-sha = os.environ["GITHUB_SHA"] if not is_pull_request else os.getenv("PR_HEAD_SHA")
-
-# 2042.1.0 or 2042.1.0-rc1
-version = parser.get("bumpversion", "current_version")
-# 2042.1
-version_family = ".".join(version.split("-", 1)[0].split(".")[:-1])
-prerelease = "-" in version
-
-image_tags = []
-if is_release:
-    for name in image_names:
-        image_tags += [
-            f"{name}:{version}",
-        ]
-        if not prerelease:
-            image_tags += [
-                f"{name}:latest",
-                f"{name}:{version_family}",
-            ]
-else:
-    suffix = ""
-    if image_arch and image_arch != "amd64":
-        suffix = f"-{image_arch}"
-    for name in image_names:
-        image_tags += [
-            f"{name}:gh-{sha}{suffix}",  # Used for ArgoCD and PR comments
-            f"{name}:gh-{safe_branch_name}{suffix}",  # For convenience
-            f"{name}:gh-{safe_branch_name}-{int(time())}-{sha[:7]}{suffix}",  # Use by FluxCD
-        ]
-
-image_main_tag = image_tags[0]
-image_tags_rendered = ",".join(image_tags)
-
-with open(os.environ["GITHUB_OUTPUT"], "a+", encoding="utf-8") as _output:
-    print(f"shouldBuild={should_build}", file=_output)
-    print(f"sha={sha}", file=_output)
-    print(f"version={version}", file=_output)
-    print(f"prerelease={prerelease}", file=_output)
-    print(f"imageTags={image_tags_rendered}", file=_output)
-    print(f"imageMainTag={image_main_tag}", file=_output)

.github/actions/docker-push-variables/test.sh

@@ -1,7 +0,0 @@
-#!/bin/bash -x
-SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
-GITHUB_OUTPUT=/dev/stdout \
-    GITHUB_REF=ref \
-    GITHUB_SHA=sha \
-    IMAGE_NAME=ghcr.io/goauthentik/server,beryju/authentik \
-    python $SCRIPT_DIR/push_vars.py

.github/actions/setup/action.yml

@@ -16,25 +16,25 @@ runs:
         sudo apt-get update
         sudo apt-get install --no-install-recommends -y libpq-dev openssl libxmlsec1-dev pkg-config gettext
     - name: Setup python and restore poetry
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@v4
       with:
         python-version-file: "pyproject.toml"
         cache: "poetry"
     - name: Setup node
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@v3
       with:
         node-version-file: web/package.json
         cache: "npm"
         cache-dependency-path: web/package-lock.json
     - name: Setup go
-      uses: actions/setup-go@v5
+      uses: actions/setup-go@v4
       with:
         go-version-file: "go.mod"
     - name: Setup dependencies
       shell: bash
       run: |
         export PSQL_TAG=${{ inputs.postgresql_version }}
-        docker compose -f .github/actions/setup/docker-compose.yml up -d
+        docker-compose -f .github/actions/setup/docker-compose.yml up -d
         poetry install
         cd web && npm ci
     - name: Generate config

.github/dependabot.yml

@@ -52,10 +52,6 @@ updates:
       esbuild:
         patterns:
           - "@esbuild/*"
-      rollup:
-        patterns:
-          - "@rollup/*"
-          - "rollup-*"
   - package-ecosystem: npm
     directory: "/tests/wdio"
     schedule:

.github/workflows/api-py-publish.yml

@@ -1,65 +0,0 @@
-name: authentik-api-py-publish
-on:
-  push:
-    branches: [main]
-    paths:
-      - "schema.yml"
-  workflow_dispatch:
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    permissions:
-      id-token: write
-    steps:
-      - id: generate_token
-        uses: tibdex/github-app-token@v2
-        with:
-          app_id: ${{ secrets.GH_APP_ID }}
-          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/checkout@v4
-        with:
-          token: ${{ steps.generate_token.outputs.token }}
-      - name: Install poetry & deps
-        shell: bash
-        run: |
-          pipx install poetry || true
-          sudo apt-get update
-          sudo apt-get install --no-install-recommends -y libpq-dev openssl libxmlsec1-dev pkg-config gettext
-      - name: Setup python and restore poetry
-        uses: actions/setup-python@v5
-        with:
-          python-version-file: "pyproject.toml"
-          cache: "poetry"
-      - name: Generate API Client
-        run: make gen-client-py
-      - name: Publish package
-        working-directory: gen-py-api/
-        run: |
-          poetry build
-      - name: Publish package to PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
-        with:
-          packages-dir: gen-py-api/dist/
-      # We can't easily upgrade the API client being used due to poetry being poetry
-      # so we'll have to rely on dependabot
-      # - name: Upgrade /
-      #   run: |
-      #     export VERSION=$(cd gen-py-api && poetry version -s)
-      #     poetry add "authentik_client=$VERSION" --allow-prereleases --lock
-      # - uses: peter-evans/create-pull-request@v6
-      #   id: cpr
-      #   with:
-      #     token: ${{ steps.generate_token.outputs.token }}
-      #     branch: update-root-api-client
-      #     commit-message: "root: bump API Client version"
-      #     title: "root: bump API Client version"
-      #     body: "root: bump API Client version"
-      #     delete-branch: true
-      #     signoff: true
-      #     # ID from https://api.github.com/users/authentik-automation[bot]
-      #     author: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
-      # - uses: peter-evans/enable-pull-request-automerge@v3
-      #   with:
-      #     token: ${{ steps.generate_token.outputs.token }}
-      #     pull-request-number: ${{ steps.cpr.outputs.pull-request-number }}
-      #     merge-method: squash

.github/workflows/ci-main.yml

@@ -7,6 +7,8 @@ on:
       - main
       - next
       - version-*
+    paths-ignore:
+      - website/**
   pull_request:
     branches:
       - main
@@ -26,7 +28,10 @@ jobs:
           - bandit
           - black
           - codespell
+          - isort
           - pending-migrations
+          # - pylint
+          - pyright
           - ruff
     runs-on: ubuntu-latest
     steps:
@@ -130,7 +135,7 @@ jobs:
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: Create k8s Kind Cluster
-        uses: helm/kind-action@v1.10.0
+        uses: helm/kind-action@v1.9.0
       - name: run integration
         run: |
           poetry run coverage run manage.py test tests/integration
@@ -160,8 +165,6 @@ jobs:
             glob: tests/e2e/test_provider_ldap* tests/e2e/test_source_ldap*
           - name: radius
             glob: tests/e2e/test_provider_radius*
-          - name: scim
-            glob: tests/e2e/test_source_scim*
           - name: flows
             glob: tests/e2e/test_flows*
     steps:
@@ -170,7 +173,7 @@ jobs:
         uses: ./.github/actions/setup
       - name: Setup e2e env (chrome, etc)
         run: |
-          docker compose -f tests/e2e/docker-compose.yml up -d
+          docker-compose -f tests/e2e/docker-compose.yml up -d
       - id: cache-web
         uses: actions/cache@v4
         with:
@@ -216,6 +219,7 @@ jobs:
       # Needed to upload contianer images to ghcr.io
       packages: write
     timeout-minutes: 120
+    if: "github.repository == 'goauthentik/authentik'"
     steps:
       - uses: actions/checkout@v4
         with:
@@ -227,13 +231,10 @@ jobs:
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
-        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
         with:
           image-name: ghcr.io/goauthentik/dev-server
           image-arch: ${{ matrix.arch }}
       - name: Login to Container Registry
-        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
@@ -249,7 +250,7 @@ jobs:
             GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
             GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
           tags: ${{ steps.ev.outputs.imageTags }}
-          push: ${{ steps.ev.outputs.shouldBuild == 'true' }}
+          push: true
           build-args: |
             GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
           cache-from: type=gha
@@ -271,8 +272,6 @@ jobs:
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
-        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
         with:
           image-name: ghcr.io/goauthentik/dev-server
       - name: Comment on PR

.github/workflows/ci-outpost.yml

@@ -29,7 +29,7 @@ jobs:
       - name: Generate API
         run: make gen-client-go
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v5
+        uses: golangci/golangci-lint-action@v4
         with:
           version: v1.54.2
           args: --timeout 5000s --verbose
@@ -71,6 +71,7 @@ jobs:
     permissions:
       # Needed to upload contianer images to ghcr.io
       packages: write
+    if: "github.repository == 'goauthentik/authentik'"
     steps:
       - uses: actions/checkout@v4
         with:
@@ -82,12 +83,9 @@ jobs:
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
-        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
         with:
           image-name: ghcr.io/goauthentik/dev-${{ matrix.type }}
       - name: Login to Container Registry
-        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
@@ -100,7 +98,7 @@ jobs:
         with:
           tags: ${{ steps.ev.outputs.imageTags }}
           file: ${{ matrix.type }}.Dockerfile
-          push: ${{ steps.ev.outputs.shouldBuild == 'true' }}
+          push: true
           build-args: |
             GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
           platforms: linux/amd64,linux/arm64

.github/workflows/ci-web.yml

@@ -34,13 +34,6 @@ jobs:
       - name: Eslint
         working-directory: ${{ matrix.project }}/
         run: npm run lint
-  lint-lockfile:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - working-directory: web/
-        run: |
-          [ -z "$(jq -r '.packages | to_entries[] | select((.key | startswith("node_modules")) and (.value | has("resolved") | not)) | .key' < package-lock.json)" ]
   lint-build:
     runs-on: ubuntu-latest
     steps:
@@ -102,7 +95,6 @@ jobs:
         run: npm run lit-analyse
   ci-web-mark:
     needs:
-      - lint-lockfile
       - lint-eslint
       - lint-prettier
       - lint-lit-analyse

.github/workflows/ci-website.yml

@@ -12,13 +12,6 @@ on:
       - version-*
 
 jobs:
-  lint-lockfile:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - working-directory: website/
-        run: |
-          [ -z "$(jq -r '.packages | to_entries[] | select((.key | startswith("node_modules")) and (.value | has("resolved") | not)) | .key' < package-lock.json)" ]
   lint-prettier:
     runs-on: ubuntu-latest
     steps:
@@ -55,6 +48,7 @@ jobs:
       matrix:
         job:
           - build
+          - build-docs-only
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
@@ -69,7 +63,6 @@ jobs:
         run: npm run ${{ matrix.job }}
   ci-website-mark:
     needs:
-      - lint-lockfile
       - lint-prettier
       - test
       - build

.github/workflows/gen-update-webauthn-mds.yml

@@ -1,43 +0,0 @@
-name: authentik-gen-update-webauthn-mds
-on:
-  workflow_dispatch:
-  schedule:
-    - cron: '30 1 1,15 * *'
-
-env:
-  POSTGRES_DB: authentik
-  POSTGRES_USER: authentik
-  POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    steps:
-      - id: generate_token
-        uses: tibdex/github-app-token@v2
-        with:
-          app_id: ${{ secrets.GH_APP_ID }}
-          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/checkout@v4
-        with:
-          token: ${{ steps.generate_token.outputs.token }}
-      - name: Setup authentik env
-        uses: ./.github/actions/setup
-      - run: poetry run ak update_webauthn_mds
-      - uses: peter-evans/create-pull-request@v6
-        id: cpr
-        with:
-          token: ${{ steps.generate_token.outputs.token }}
-          branch: update-fido-mds-client
-          commit-message: "stages/authenticator_webauthn: Update FIDO MDS3 & Passkey aaguid blobs"
-          title: "stages/authenticator_webauthn: Update FIDO MDS3 & Passkey aaguid blobs"
-          body: "stages/authenticator_webauthn: Update FIDO MDS3 & Passkey aaguid blobs"
-          delete-branch: true
-          signoff: true
-          # ID from https://api.github.com/users/authentik-automation[bot]
-          author: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
-      - uses: peter-evans/enable-pull-request-automerge@v3
-        with:
-          token: ${{ steps.generate_token.outputs.token }}
-          pull-request-number: ${{ steps.cpr.outputs.pull-request-number }}
-          merge-method: squash

.github/workflows/release-publish.yml

@@ -20,8 +20,6 @@ jobs:
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
-        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
         with:
           image-name: ghcr.io/goauthentik/server,beryju/authentik
       - name: Docker Login Registry
@@ -74,8 +72,6 @@ jobs:
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
-        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
         with:
           image-name: ghcr.io/goauthentik/${{ matrix.type }},beryju/authentik-${{ matrix.type }}
       - name: make empty clients
@@ -157,10 +153,10 @@ jobs:
         run: |
           echo "PG_PASS=$(openssl rand -base64 32)" >> .env
           echo "AUTHENTIK_SECRET_KEY=$(openssl rand -base64 32)" >> .env
-          docker compose pull -q
+          docker-compose pull -q
-          docker compose up --no-start
+          docker-compose up --no-start
-          docker compose start postgresql redis
+          docker-compose start postgresql redis
-          docker compose run -u root server test-all
+          docker-compose run -u root server test-all
   sentry-release:
     needs:
       - build-server
@@ -172,8 +168,6 @@ jobs:
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
-        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
         with:
           image-name: ghcr.io/goauthentik/server
       - name: Get static files from docker image

.github/workflows/release-tag.yml

@@ -21,9 +21,9 @@ jobs:
           docker build -t testing:latest .
           echo "AUTHENTIK_IMAGE=testing" >> .env
           echo "AUTHENTIK_TAG=latest" >> .env
-          docker compose up --no-start
+          docker-compose up --no-start
-          docker compose start postgresql redis
+          docker-compose start postgresql redis
-          docker compose run -u root server test-all
+          docker-compose run -u root server test-all
       - id: generate_token
         uses: tibdex/github-app-token@v2
         with:
@@ -32,8 +32,6 @@ jobs:
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
-        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
         with:
           image-name: ghcr.io/goauthentik/server
       - name: Create Release

.github/workflows/repo-stale.yml

@@ -23,7 +23,7 @@ jobs:
           repo-token: ${{ steps.generate_token.outputs.token }}
           days-before-stale: 60
           days-before-close: 7
-          exempt-issue-labels: pinned,security,pr_wanted,enhancement,bug/confirmed,enhancement/confirmed,question,status/reviewing
+          exempt-issue-labels: pinned,security,pr_wanted,enhancement,bug/confirmed,enhancement/confirmed,question
           stale-issue-label: wontfix
           stale-issue-message: >
             This issue has been automatically marked as stale because it has not had

.github/workflows/web-api-publish.yml

@@ -1,4 +1,4 @@
-name: authentik-api-ts-publish
+name: authentik-web-api-publish
 on:
   push:
     branches: [main]

.vscode/extensions.json

@@ -10,7 +10,8 @@
         "Gruntfuggly.todo-tree",
         "mechatroner.rainbow-csv",
         "ms-python.black-formatter",
-        "charliermarsh.ruff",
+        "ms-python.isort",
+        "ms-python.pylint",
         "ms-python.python",
         "ms-python.vscode-pylance",
         "ms-python.black-formatter",

Dockerfile

@@ -14,10 +14,9 @@ RUN --mount=type=bind,target=/work/website/package.json,src=./website/package.js
 
 COPY ./website /work/website/
 COPY ./blueprints /work/blueprints/
-COPY ./schema.yml /work/
 COPY ./SECURITY.md /work/
 
-RUN npm run build-bundled
+RUN npm run build-docs-only
 
 # Stage 2: Build webui
 FROM --platform=${BUILDPLATFORM} docker.io/node:21 as web-builder
@@ -28,6 +27,7 @@ WORKDIR /work/web
 
 RUN --mount=type=bind,target=/work/web/package.json,src=./web/package.json \
     --mount=type=bind,target=/work/web/package-lock.json,src=./web/package-lock.json \
+    --mount=type=bind,target=/work/.git,src=./.git,readonly \
     --mount=type=cache,id=npm-web,sharing=shared,target=/root/.npm \
     npm ci --include=dev
 
@@ -38,7 +38,7 @@ COPY ./gen-ts-api /work/web/node_modules/@goauthentik/api
 RUN npm run build
 
 # Stage 3: Build go proxy
-FROM --platform=${BUILDPLATFORM} docker.io/golang:1.22.2-bookworm AS go-builder
+FROM --platform=${BUILDPLATFORM} docker.io/golang:1.22.0-bookworm AS go-builder
 
 ARG TARGETOS
 ARG TARGETARCH
@@ -70,10 +70,10 @@ RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
     GOARM="${TARGETVARIANT#v}" go build -o /go/authentik ./cmd/server
 
 # Stage 4: MaxMind GeoIP
-FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.0.1 as geoip
+FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v6.1 as geoip
 
 ENV GEOIPUPDATE_EDITION_IDS="GeoLite2-City GeoLite2-ASN"
-ENV GEOIPUPDATE_VERBOSE="1"
+ENV GEOIPUPDATE_VERBOSE="true"
 ENV GEOIPUPDATE_ACCOUNT_ID_FILE="/run/secrets/GEOIPUPDATE_ACCOUNT_ID"
 ENV GEOIPUPDATE_LICENSE_KEY_FILE="/run/secrets/GEOIPUPDATE_LICENSE_KEY"
 
@@ -84,7 +84,7 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
     /bin/sh -c "/usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
 
 # Stage 5: Python dependencies
-FROM docker.io/python:3.12.3-slim-bookworm AS python-deps
+FROM docker.io/python:3.12.2-slim-bookworm AS python-deps
 
 WORKDIR /ak-root/poetry
 
@@ -104,13 +104,12 @@ RUN --mount=type=bind,target=./pyproject.toml,src=./pyproject.toml \
     --mount=type=cache,target=/root/.cache/pip \
     --mount=type=cache,target=/root/.cache/pypoetry \
     python -m venv /ak-root/venv/ && \
-    bash -c "source ${VENV_PATH}/bin/activate && \
+    pip3 install --upgrade pip && \
-        pip3 install --upgrade pip && \
+    pip3 install poetry && \
-        pip3 install poetry && \
+    poetry install --only=main --no-ansi --no-interaction
-        poetry install --only=main --no-ansi --no-interaction --no-root"
 
 # Stage 6: Run
-FROM docker.io/python:3.12.3-slim-bookworm AS final-image
+FROM docker.io/python:3.12.2-slim-bookworm AS final-image
 
 ARG GIT_BUILD_HASH
 ARG VERSION
@@ -151,7 +150,7 @@ COPY --from=go-builder /go/authentik /bin/authentik
 COPY --from=python-deps /ak-root/venv /ak-root/venv
 COPY --from=web-builder /work/web/dist/ /web/dist/
 COPY --from=web-builder /work/web/authentik/ /web/authentik/
-COPY --from=website-builder /work/website/build/ /website/help/
+COPY --from=website-builder /work/website/help/ /website/help/
 COPY --from=geoip /usr/share/GeoIP /geoip
 
 USER 1000

Makefile

@@ -5,11 +5,10 @@ PWD = $(shell pwd)
 UID = $(shell id -u)
 GID = $(shell id -g)
 NPM_VERSION = $(shell python -m scripts.npm_version)
-PY_SOURCES = authentik tests scripts lifecycle .github
+PY_SOURCES = authentik tests scripts lifecycle
 DOCKER_IMAGE ?= "authentik:test"
 
 GEN_API_TS = "gen-ts-api"
-GEN_API_PY = "gen-py-api"
 GEN_API_GO = "gen-go-api"
 
 pg_user := $(shell python -m authentik.lib.config postgresql.user 2>/dev/null)
@@ -48,10 +47,10 @@ test-go:
 test-docker:  ## Run all tests in a docker-compose
 	echo "PG_PASS=$(openssl rand -base64 32)" >> .env
 	echo "AUTHENTIK_SECRET_KEY=$(openssl rand -base64 32)" >> .env
-	docker compose pull -q
+	docker-compose pull -q
-	docker compose up --no-start
+	docker-compose up --no-start
-	docker compose start postgresql redis
+	docker-compose start postgresql redis
-	docker compose run -u root server test-all
+	docker-compose run -u root server test-all
 	rm -f .env
 
 test: ## Run the server tests and produce a coverage report (locally)
@@ -60,12 +59,15 @@ test: ## Run the server tests and produce a coverage report (locally)
 	coverage report
 
 lint-fix:  ## Lint and automatically fix errors in the python source code. Reports spelling errors.
+	isort $(PY_SOURCES)
 	black $(PY_SOURCES)
-	ruff check --fix $(PY_SOURCES)
+	ruff --fix $(PY_SOURCES)
 	codespell -w $(CODESPELL_ARGS)
 
 lint: ## Lint the python and golang sources
-	bandit -r $(PY_SOURCES) -x web/node_modules -x tests/wdio/node_modules -x website/node_modules
+	bandit -r $(PY_SOURCES) -x node_modules
+	./web/node_modules/.bin/pyright $(PY_SOURCES)
+	pylint $(PY_SOURCES)
 	golangci-lint run -v
 
 core-install:
@@ -138,10 +140,7 @@ gen-clean-ts:  ## Remove generated API client for Typescript
 gen-clean-go:  ## Remove generated API client for Go
 	rm -rf ./${GEN_API_GO}/
 
-gen-clean-py:  ## Remove generated API client for Python
+gen-clean: gen-clean-ts gen-clean-go  ## Remove generated API clients
-	rm -rf ./${GEN_API_PY}/
-
-gen-clean: gen-clean-ts gen-clean-go gen-clean-py  ## Remove generated API clients
 
 gen-client-ts: gen-clean-ts  ## Build and install the authentik API for Typescript into the authentik UI Application
 	docker run \
@@ -159,20 +158,6 @@ gen-client-ts: gen-clean-ts  ## Build and install the authentik API for Typescri
 	cd ./${GEN_API_TS} && npm i
 	\cp -rf ./${GEN_API_TS}/* web/node_modules/@goauthentik/api
 
-gen-client-py: gen-clean-py ## Build and install the authentik API for Python
-	docker run \
-		--rm -v ${PWD}:/local \
-		--user ${UID}:${GID} \
-		docker.io/openapitools/openapi-generator-cli:v7.4.0 generate \
-		-i /local/schema.yml \
-		-g python \
-		-o /local/${GEN_API_PY} \
-		-c /local/scripts/api-py-config.yaml \
-		--additional-properties=packageVersion=${NPM_VERSION} \
-		--git-repo-id authentik \
-		--git-user-id goauthentik
-	pip install ./${GEN_API_PY}
-
 gen-client-go: gen-clean-go  ## Build and install the authentik API for Golang
 	mkdir -p ./${GEN_API_GO} ./${GEN_API_GO}/templates
 	wget https://raw.githubusercontent.com/goauthentik/client-go/main/config.yaml -O ./${GEN_API_GO}/config.yaml
@@ -264,6 +249,9 @@ ci--meta-debug:
 	python -V
 	node --version
 
+ci-pylint: ci--meta-debug
+	pylint $(PY_SOURCES)
+
 ci-black: ci--meta-debug
 	black --check $(PY_SOURCES)
 
@@ -273,8 +261,14 @@ ci-ruff: ci--meta-debug
 ci-codespell: ci--meta-debug
 	codespell $(CODESPELL_ARGS) -s
 
+ci-isort: ci--meta-debug
+	isort --check $(PY_SOURCES)
+
 ci-bandit: ci--meta-debug
 	bandit -r $(PY_SOURCES)
 
+ci-pyright: ci--meta-debug
+	./web/node_modules/.bin/pyright $(PY_SOURCES)
+
 ci-pending-migrations: ci--meta-debug
 	ak makemigrations --check

README.md

@@ -25,10 +25,10 @@ For bigger setups, there is a Helm Chart [here](https://github.com/goauthentik/h
 
 ## Screenshots
 
-| Light                                                       | Dark                                                       |
+| Light                                                  | Dark                                                  |
-| ----------------------------------------------------------- | ---------------------------------------------------------- |
+| ------------------------------------------------------ | ----------------------------------------------------- |
-| ![](https://docs.goauthentik.io/img/screen_apps_light.jpg)  | ![](https://docs.goauthentik.io/img/screen_apps_dark.jpg)  |
+| ![](https://goauthentik.io/img/screen_apps_light.jpg)  | ![](https://goauthentik.io/img/screen_apps_dark.jpg)  |
-| ![](https://docs.goauthentik.io/img/screen_admin_light.jpg) | ![](https://docs.goauthentik.io/img/screen_admin_dark.jpg) |
+| ![](https://goauthentik.io/img/screen_admin_light.jpg) | ![](https://goauthentik.io/img/screen_admin_dark.jpg) |
 
 ## Development
 

SECURITY.md

@@ -18,10 +18,10 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni
 
 (.x being the latest patch release for each version)
 
-| Version   | Supported |
+| Version | Supported |
-| --------- | --------- |
+| --- | --- |
-| 2023.10.x | ✅        |
+| 2023.6.x | ✅ |
-| 2024.2.x  | ✅        |
+| 2023.8.x | ✅ |
 
 ## Reporting a Vulnerability
 
@@ -31,12 +31,12 @@ To report a vulnerability, send an email to [security@goauthentik.io](mailto:se
 
 authentik reserves the right to reclassify CVSS as necessary. To determine severity, we will use the CVSS calculator from NVD (https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator). The calculated CVSS score will then be translated into one of the following categories:
 
-| Score      | Severity |
+| Score | Severity |
-| ---------- | -------- |
+| --- | --- |
-| 0.0        | None     |
+| 0.0 | None |
-| 0.1 – 3.9  | Low      |
+| 0.1 – 3.9 | Low |
-| 4.0 – 6.9  | Medium   |
+| 4.0 – 6.9 | Medium |
-| 7.0 – 8.9  | High     |
+| 7.0 – 8.9 | High |
 | 9.0 – 10.0 | Critical |
 
 ## Disclosure process

authentik/__init__.py

@@ -1,12 +1,13 @@
 """authentik root module"""
 
 from os import environ
+from typing import Optional
 
-__version__ = "2024.4.1"
+__version__ = "2023.10.7"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 
-def get_build_hash(fallback: str | None = None) -> str:
+def get_build_hash(fallback: Optional[str] = None) -> str:
     """Get build hash"""
     build_hash = environ.get(ENV_GIT_HASH_KEY, fallback if fallback else "")
     return fallback if build_hash == "" and fallback else build_hash

authentik/admin/api/version.py

@@ -10,7 +10,7 @@ from rest_framework.response import Response
 from rest_framework.views import APIView
 
 from authentik import __version__, get_build_hash
-from authentik.admin.tasks import VERSION_CACHE_KEY, VERSION_NULL, update_latest_version
+from authentik.admin.tasks import VERSION_CACHE_KEY, update_latest_version
 from authentik.core.api.utils import PassiveSerializer
 
 
@@ -19,7 +19,6 @@ class VersionSerializer(PassiveSerializer):
 
     version_current = SerializerMethodField()
     version_latest = SerializerMethodField()
-    version_latest_valid = SerializerMethodField()
     build_hash = SerializerMethodField()
     outdated = SerializerMethodField()
 
@@ -39,10 +38,6 @@ class VersionSerializer(PassiveSerializer):
             return __version__
         return version_in_cache
 
-    def get_version_latest_valid(self, _) -> bool:
-        """Check if latest version is valid"""
-        return cache.get(VERSION_CACHE_KEY) != VERSION_NULL
-
     def get_outdated(self, instance) -> bool:
         """Check if we're running the latest version"""
         return parse(self.get_version_current(instance)) < parse(self.get_version_latest(instance))

authentik/admin/tasks.py

@@ -18,7 +18,6 @@ from authentik.lib.utils.http import get_http_session
 from authentik.root.celery import CELERY_APP
 
 LOGGER = get_logger()
-VERSION_NULL = "0.0.0"
 VERSION_CACHE_KEY = "authentik_latest_version"
 VERSION_CACHE_TIMEOUT = 8 * 60 * 60  # 8 hours
 # Chop of the first ^ because we want to search the entire string
@@ -56,7 +55,7 @@ def clear_update_notifications():
 def update_latest_version(self: SystemTask):
     """Update latest version info"""
     if CONFIG.get_bool("disable_update_check"):
-        cache.set(VERSION_CACHE_KEY, VERSION_NULL, VERSION_CACHE_TIMEOUT)
+        cache.set(VERSION_CACHE_KEY, "0.0.0", VERSION_CACHE_TIMEOUT)
         self.set_status(TaskStatus.WARNING, "Version check disabled.")
         return
     try:
@@ -83,7 +82,7 @@ def update_latest_version(self: SystemTask):
                 event_dict["message"] = f"Changelog: {match.group()}"
             Event.new(EventAction.UPDATE_AVAILABLE, **event_dict).save()
     except (RequestException, IndexError) as exc:
-        cache.set(VERSION_CACHE_KEY, VERSION_NULL, VERSION_CACHE_TIMEOUT)
+        cache.set(VERSION_CACHE_KEY, "0.0.0", VERSION_CACHE_TIMEOUT)
         self.set_error(exc)
 
 

authentik/api/apps.py

@@ -10,3 +10,26 @@ class AuthentikAPIConfig(AppConfig):
     label = "authentik_api"
     mountpoint = "api/"
     verbose_name = "authentik API"
+
+    def ready(self) -> None:
+        from drf_spectacular.extensions import OpenApiAuthenticationExtension
+
+        from authentik.api.authentication import TokenAuthentication
+
+        # Class is defined here as it needs to be created early enough that drf-spectacular will
+        # find it, but also won't cause any import issues
+        # pylint: disable=unused-variable
+        class TokenSchema(OpenApiAuthenticationExtension):
+            """Auth schema"""
+
+            target_class = TokenAuthentication
+            name = "authentik"
+
+            def get_security_definition(self, auto_schema):
+                """Auth schema"""
+                return {
+                    "type": "apiKey",
+                    "in": "header",
+                    "name": "Authorization",
+                    "scheme": "bearer",
+                }

authentik/api/authentication.py

@@ -1,10 +1,9 @@
 """API Authentication"""
 
 from hmac import compare_digest
-from typing import Any
+from typing import Any, Optional
 
 from django.conf import settings
-from drf_spectacular.extensions import OpenApiAuthenticationExtension
 from rest_framework.authentication import BaseAuthentication, get_authorization_header
 from rest_framework.exceptions import AuthenticationFailed
 from rest_framework.request import Request
@@ -18,7 +17,7 @@ from authentik.providers.oauth2.constants import SCOPE_AUTHENTIK_API
 LOGGER = get_logger()
 
 
-def validate_auth(header: bytes) -> str | None:
+def validate_auth(header: bytes) -> Optional[str]:
     """Validate that the header is in a correct format,
     returns type and credentials"""
     auth_credentials = header.decode().strip()
@@ -33,7 +32,7 @@ def validate_auth(header: bytes) -> str | None:
     return auth_credentials
 
 
-def bearer_auth(raw_header: bytes) -> User | None:
+def bearer_auth(raw_header: bytes) -> Optional[User]:
     """raw_header in the Format of `Bearer ....`"""
     user = auth_user_lookup(raw_header)
     if not user:
@@ -43,7 +42,7 @@ def bearer_auth(raw_header: bytes) -> User | None:
     return user
 
 
-def auth_user_lookup(raw_header: bytes) -> User | None:
+def auth_user_lookup(raw_header: bytes) -> Optional[User]:
     """raw_header in the Format of `Bearer ....`"""
     from authentik.providers.oauth2.models import AccessToken
 
@@ -73,15 +72,10 @@ def auth_user_lookup(raw_header: bytes) -> User | None:
     if user:
         CTX_AUTH_VIA.set("secret_key")
         return user
-    # then try to auth via expression JWT
-    user = token_expression_jwt(auth_credentials)
-    if user:
-        CTX_AUTH_VIA.set("expression_jwt")
-        return user
     raise AuthenticationFailed("Token invalid/expired")
 
 
-def token_secret_key(value: str) -> User | None:
+def token_secret_key(value: str) -> Optional[User]:
     """Check if the token is the secret key
     and return the service account for the managed outpost"""
     from authentik.outposts.apps import MANAGED_OUTPOST
@@ -95,13 +89,6 @@ def token_secret_key(value: str) -> User | None:
     return outpost.user
 
 
-def token_expression_jwt(value: str) -> User | None:
-    """Authenticate API call made by Expressions"""
-    from authentik.lib.expression.evaluator import authenticate_token
-
-    return authenticate_token(value)
-
-
 class TokenAuthentication(BaseAuthentication):
     """Token-based authentication using HTTP Bearer authentication"""
 
@@ -115,14 +102,3 @@ class TokenAuthentication(BaseAuthentication):
             return None
 
         return (user, None)  # pragma: no cover
-
-
-class TokenSchema(OpenApiAuthenticationExtension):
-    """Auth schema"""
-
-    target_class = TokenAuthentication
-    name = "authentik"
-
-    def get_security_definition(self, auto_schema):
-        """Auth schema"""
-        return {"type": "http", "scheme": "bearer"}

authentik/api/decorators.py

@@ -1,7 +1,7 @@
 """API Decorators"""
 
-from collections.abc import Callable
 from functools import wraps
+from typing import Callable, Optional
 
 from rest_framework.request import Request
 from rest_framework.response import Response
@@ -11,26 +11,21 @@ from structlog.stdlib import get_logger
 LOGGER = get_logger()
 
 
-def permission_required(obj_perm: str | None = None, global_perms: list[str] | None = None):
+def permission_required(obj_perm: Optional[str] = None, global_perms: Optional[list[str]] = None):
     """Check permissions for a single custom action"""
 
-    def _check_obj_perm(self: ModelViewSet, request: Request):
+    def wrapper_outter(func: Callable):
-        # Check obj_perm both globally and on the specific object
-        # Having the global permission has higher priority
-        if request.user.has_perm(obj_perm):
-            return
-        obj = self.get_object()
-        if not request.user.has_perm(obj_perm, obj):
-            LOGGER.debug("denying access for object", user=request.user, perm=obj_perm, obj=obj)
-            self.permission_denied(request)
-
-    def wrapper_outer(func: Callable):
         """Check permissions for a single custom action"""
 
         @wraps(func)
         def wrapper(self: ModelViewSet, request: Request, *args, **kwargs) -> Response:
             if obj_perm:
-                _check_obj_perm(self, request)
+                obj = self.get_object()
+                if not request.user.has_perm(obj_perm, obj):
+                    LOGGER.debug(
+                        "denying access for object", user=request.user, perm=obj_perm, obj=obj
+                    )
+                    return self.permission_denied(request)
             if global_perms:
                 for other_perm in global_perms:
                     if not request.user.has_perm(other_perm):
@@ -40,4 +35,4 @@ def permission_required(obj_perm: str | None = None, global_perms: list[str] | N
 
         return wrapper
 
-    return wrapper_outer
+    return wrapper_outter

authentik/api/schema.py

@@ -12,7 +12,6 @@ from drf_spectacular.settings import spectacular_settings
 from drf_spectacular.types import OpenApiTypes
 from rest_framework.settings import api_settings
 
-from authentik.api.apps import AuthentikAPIConfig
 from authentik.api.pagination import PAGINATION_COMPONENT_NAME, PAGINATION_SCHEMA
 
 
@@ -102,12 +101,3 @@ def postprocess_schema_responses(result, generator: SchemaGenerator, **kwargs):
             comp = result["components"]["schemas"][component]
             comp["additionalProperties"] = {}
     return result
-
-
-def preprocess_schema_exclude_non_api(endpoints, **kwargs):
-    """Filter out all API Views which are not mounted under /api"""
-    return [
-        (path, path_regex, method, callback)
-        for path, path_regex, method, callback in endpoints
-        if path.startswith("/" + AuthentikAPIConfig.mountpoint)
-    ]

authentik/api/tests/test_auth.py

@@ -25,17 +25,17 @@ class TestAPIAuth(TestCase):
     def test_invalid_type(self):
         """Test invalid type"""
         with self.assertRaises(AuthenticationFailed):
-            bearer_auth(b"foo bar")
+            bearer_auth("foo bar".encode())
 
     def test_invalid_empty(self):
         """Test invalid type"""
-        self.assertIsNone(bearer_auth(b"Bearer "))
+        self.assertIsNone(bearer_auth("Bearer ".encode()))
-        self.assertIsNone(bearer_auth(b""))
+        self.assertIsNone(bearer_auth("".encode()))
 
     def test_invalid_no_token(self):
         """Test invalid with no token"""
         with self.assertRaises(AuthenticationFailed):
-            auth = b64encode(b":abc").decode()
+            auth = b64encode(":abc".encode()).decode()
             self.assertIsNone(bearer_auth(f"Basic :{auth}".encode()))
 
     def test_bearer_valid(self):

authentik/api/tests/test_decorators.py

@@ -0,0 +1,35 @@
+"""test decorators api"""
+
+from django.urls import reverse
+from guardian.shortcuts import assign_perm
+from rest_framework.test import APITestCase
+
+from authentik.core.models import Application, User
+from authentik.lib.generators import generate_id
+
+
+class TestAPIDecorators(APITestCase):
+    """test decorators api"""
+
+    def setUp(self) -> None:
+        super().setUp()
+        self.user = User.objects.create(username="test-user")
+
+    def test_obj_perm_denied(self):
+        """Test object perm denied"""
+        self.client.force_login(self.user)
+        app = Application.objects.create(name=generate_id(), slug=generate_id())
+        response = self.client.get(
+            reverse("authentik_api:application-metrics", kwargs={"slug": app.slug})
+        )
+        self.assertEqual(response.status_code, 403)
+
+    def test_other_perm_denied(self):
+        """Test other perm denied"""
+        self.client.force_login(self.user)
+        app = Application.objects.create(name=generate_id(), slug=generate_id())
+        assign_perm("authentik_core.view_application", self.user, app)
+        response = self.client.get(
+            reverse("authentik_api:application-metrics", kwargs={"slug": app.slug})
+        )
+        self.assertEqual(response.status_code, 403)

authentik/api/tests/test_viewsets.py

@@ -1,6 +1,6 @@
 """authentik API Modelviewset tests"""
 
-from collections.abc import Callable
+from typing import Callable
 
 from django.test import TestCase
 from rest_framework.viewsets import ModelViewSet, ReadOnlyModelViewSet
@@ -26,6 +26,6 @@ def viewset_tester_factory(test_viewset: type[ModelViewSet]) -> Callable:
 
 
 for _, viewset, _ in router.registry:
-    if not issubclass(viewset, ModelViewSet | ReadOnlyModelViewSet):
+    if not issubclass(viewset, (ModelViewSet, ReadOnlyModelViewSet)):
         continue
     setattr(TestModelViewSets, f"test_viewset_{viewset.__name__}", viewset_tester_factory(viewset))

authentik/api/v3/config.py

@@ -68,11 +68,7 @@ class ConfigView(APIView):
         """Get all capabilities this server instance supports"""
         caps = []
         deb_test = settings.DEBUG or settings.TEST
-        if (
+        if Path(settings.MEDIA_ROOT).is_mount() or deb_test:
-            CONFIG.get("storage.media.backend", "file") == "s3"
-            or Path(settings.STORAGES["default"]["OPTIONS"]["location"]).is_mount()
-            or deb_test
-        ):
             caps.append(Capabilities.CAN_SAVE_MEDIA)
         for processor in get_context_processors():
             if cap := processor.capability():

authentik/api/v3/urls.py

@@ -33,7 +33,7 @@ for _authentik_app in get_apps():
             app_name=_authentik_app.name,
         )
         continue
-    urls: list = api_urls.api_urlpatterns
+    urls: list = getattr(api_urls, "api_urlpatterns")
     for url in urls:
         if isinstance(url, URLPattern):
             _other_urls.append(url)

authentik/blueprints/api.py

@@ -10,13 +10,13 @@ from rest_framework.response import Response
 from rest_framework.serializers import ListSerializer, ModelSerializer
 from rest_framework.viewsets import ModelViewSet
 
+from authentik.api.decorators import permission_required
 from authentik.blueprints.models import BlueprintInstance
 from authentik.blueprints.v1.importer import Importer
 from authentik.blueprints.v1.oci import OCI_PREFIX
 from authentik.blueprints.v1.tasks import apply_blueprint, blueprints_find_dict
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import JSONDictField, PassiveSerializer
-from authentik.rbac.decorators import permission_required
 
 
 class ManagedSerializer:
@@ -52,9 +52,7 @@ class BlueprintInstanceSerializer(ModelSerializer):
         valid, logs = Importer.from_string(content, context).validate()
         if not valid:
             text_logs = "\n".join([x["event"] for x in logs])
-            raise ValidationError(
+            raise ValidationError(_("Failed to validate blueprint: %(logs)s" % {"logs": text_logs}))
-                _("Failed to validate blueprint: {logs}".format_map({"logs": text_logs}))
-            )
         return content
 
     def validate(self, attrs: dict) -> dict:

authentik/blueprints/apps.py

@@ -1,6 +1,5 @@
 """authentik Blueprints app"""
 
-from collections.abc import Callable
 from importlib import import_module
 from inspect import ismethod
 
@@ -8,16 +7,14 @@ from django.apps import AppConfig
 from django.db import DatabaseError, InternalError, ProgrammingError
 from structlog.stdlib import BoundLogger, get_logger
 
-from authentik.root.signals import startup
-
 
 class ManagedAppConfig(AppConfig):
     """Basic reconciliation logic for apps"""
 
     logger: BoundLogger
 
-    RECONCILE_GLOBAL_CATEGORY: str = "global"
+    RECONCILE_GLOBAL_PREFIX: str = "reconcile_global_"
-    RECONCILE_TENANT_CATEGORY: str = "tenant"
+    RECONCILE_TENANT_PREFIX: str = "reconcile_tenant_"
 
     def __init__(self, app_name: str, *args, **kwargs) -> None:
         super().__init__(app_name, *args, **kwargs)
@@ -25,13 +22,10 @@ class ManagedAppConfig(AppConfig):
 
     def ready(self) -> None:
         self.import_related()
-        startup.connect(self._on_startup_callback, dispatch_uid=self.label)
+        self.reconcile_global()
+        self.reconcile_tenant()
         return super().ready()
 
-    def _on_startup_callback(self, sender, **_):
-        self._reconcile_global()
-        self._reconcile_tenant()
-
     def import_related(self):
         """Automatically import related modules which rely on just being imported
         to register themselves (mainly django signals and celery tasks)"""
@@ -57,8 +51,7 @@ class ManagedAppConfig(AppConfig):
             meth = getattr(self, meth_name)
             if not ismethod(meth):
                 continue
-            category = getattr(meth, "_authentik_managed_reconcile", None)
+            if not meth_name.startswith(prefix):
-            if category != prefix:
                 continue
             name = meth_name.replace(prefix, "")
             try:
@@ -68,19 +61,7 @@ class ManagedAppConfig(AppConfig):
             except (DatabaseError, ProgrammingError, InternalError) as exc:
                 self.logger.warning("Failed to run reconcile", name=name, exc=exc)
 
-    @staticmethod
+    def reconcile_tenant(self) -> None:
-    def reconcile_tenant(func: Callable):
-        """Mark a function to be called on startup (for each tenant)"""
-        func._authentik_managed_reconcile = ManagedAppConfig.RECONCILE_TENANT_CATEGORY
-        return func
-
-    @staticmethod
-    def reconcile_global(func: Callable):
-        """Mark a function to be called on startup (globally)"""
-        func._authentik_managed_reconcile = ManagedAppConfig.RECONCILE_GLOBAL_CATEGORY
-        return func
-
-    def _reconcile_tenant(self) -> None:
         """reconcile ourselves for tenanted methods"""
         from authentik.tenants.models import Tenant
 
@@ -91,9 +72,9 @@ class ManagedAppConfig(AppConfig):
             return
         for tenant in tenants:
             with tenant:
-                self._reconcile(self.RECONCILE_TENANT_CATEGORY)
+                self._reconcile(self.RECONCILE_TENANT_PREFIX)
 
-    def _reconcile_global(self) -> None:
+    def reconcile_global(self) -> None:
         """
         reconcile ourselves for global methods.
         Used for signals, tasks, etc. Database queries should not be made in here.
@@ -101,7 +82,7 @@ class ManagedAppConfig(AppConfig):
         from django_tenants.utils import get_public_schema_name, schema_context
 
         with schema_context(get_public_schema_name()):
-            self._reconcile(self.RECONCILE_GLOBAL_CATEGORY)
+            self._reconcile(self.RECONCILE_GLOBAL_PREFIX)
 
 
 class AuthentikBlueprintsConfig(ManagedAppConfig):
@@ -112,13 +93,11 @@ class AuthentikBlueprintsConfig(ManagedAppConfig):
     verbose_name = "authentik Blueprints"
     default = True
 
-    @ManagedAppConfig.reconcile_global
+    def reconcile_global_load_blueprints_v1_tasks(self):
-    def load_blueprints_v1_tasks(self):
         """Load v1 tasks"""
         self.import_module("authentik.blueprints.v1.tasks")
 
-    @ManagedAppConfig.reconcile_tenant
+    def reconcile_tenant_blueprints_discovery(self):
-    def blueprints_discovery(self):
         """Run blueprint discovery"""
         from authentik.blueprints.v1.tasks import blueprints_discovery, clear_failed_blueprints
 

authentik/blueprints/management/commands/make_blueprint_schema.py

@@ -4,14 +4,12 @@ from json import dumps
 from typing import Any
 
 from django.core.management.base import BaseCommand, no_translations
-from django.db.models import Model, fields
+from django.db.models import Model
-from drf_jsonschema_serializer.convert import converter, field_to_converter
+from drf_jsonschema_serializer.convert import field_to_converter
 from rest_framework.fields import Field, JSONField, UUIDField
-from rest_framework.relations import PrimaryKeyRelatedField
 from rest_framework.serializers import Serializer
 from structlog.stdlib import get_logger
 
-from authentik import __version__
 from authentik.blueprints.v1.common import BlueprintEntryDesiredState
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT, is_model_allowed
 from authentik.blueprints.v1.meta.registry import BaseMetaModel, registry
@@ -20,23 +18,6 @@ from authentik.lib.models import SerializerModel
 LOGGER = get_logger()
 
 
-@converter
-class PrimaryKeyRelatedFieldConverter:
-    """Custom primary key field converter which is aware of non-integer based PKs
-
-    This is not an exhaustive fix for other non-int PKs, however in authentik we either
-    use UUIDs or ints"""
-
-    field_class = PrimaryKeyRelatedField
-
-    def convert(self, field: PrimaryKeyRelatedField):
-        model: Model = field.queryset.model
-        pk_field = model._meta.pk
-        if isinstance(pk_field, fields.UUIDField):
-            return {"type": "string", "format": "uuid"}
-        return {"type": "integer"}
-
-
 class Command(BaseCommand):
     """Generate JSON Schema for blueprints"""
 
@@ -48,7 +29,7 @@ class Command(BaseCommand):
             "$schema": "http://json-schema.org/draft-07/schema",
             "$id": "https://goauthentik.io/blueprints/schema.json",
             "type": "object",
-            "title": f"authentik {__version__} Blueprint schema",
+            "title": "authentik Blueprint schema",
             "required": ["version", "entries"],
             "properties": {
                 "version": {

authentik/blueprints/models.py

@@ -71,19 +71,6 @@ class BlueprintInstance(SerializerModel, ManagedModel, CreatedUpdatedModel):
     enabled = models.BooleanField(default=True)
     managed_models = ArrayField(models.TextField(), default=list)
 
-    class Meta:
-        verbose_name = _("Blueprint Instance")
-        verbose_name_plural = _("Blueprint Instances")
-        unique_together = (
-            (
-                "name",
-                "path",
-            ),
-        )
-
-    def __str__(self) -> str:
-        return f"Blueprint Instance {self.name}"
-
     def retrieve_oci(self) -> str:
         """Get blueprint from an OCI registry"""
         client = BlueprintOCIClient(self.path.replace(OCI_PREFIX, "https://"))
@@ -102,7 +89,7 @@ class BlueprintInstance(SerializerModel, ManagedModel, CreatedUpdatedModel):
                 raise BlueprintRetrievalFailed("Invalid blueprint path")
             with full_path.open("r", encoding="utf-8") as _file:
                 return _file.read()
-        except OSError as exc:
+        except (IOError, OSError) as exc:
             raise BlueprintRetrievalFailed(exc) from exc
 
     def retrieve(self) -> str:
@@ -118,3 +105,16 @@ class BlueprintInstance(SerializerModel, ManagedModel, CreatedUpdatedModel):
         from authentik.blueprints.api import BlueprintInstanceSerializer
 
         return BlueprintInstanceSerializer
+
+    def __str__(self) -> str:
+        return f"Blueprint Instance {self.name}"
+
+    class Meta:
+        verbose_name = _("Blueprint Instance")
+        verbose_name_plural = _("Blueprint Instances")
+        unique_together = (
+            (
+                "name",
+                "path",
+            ),
+        )

authentik/blueprints/tests/__init__.py

@@ -1,7 +1,7 @@
 """Blueprint helpers"""
 
-from collections.abc import Callable
 from functools import wraps
+from typing import Callable
 
 from django.apps import apps
 
@@ -39,7 +39,7 @@ def reconcile_app(app_name: str):
         def wrapper(*args, **kwargs):
             config = apps.get_app_config(app_name)
             if isinstance(config, ManagedAppConfig):
-                config._on_startup_callback(None)
+                config.ready()
             return func(*args, **kwargs)
 
         return wrapper

authentik/blueprints/tests/test_packaged.py

@@ -1,7 +1,7 @@
 """test packaged blueprints"""
 
-from collections.abc import Callable
 from pathlib import Path
+from typing import Callable
 
 from django.test import TransactionTestCase
 

authentik/blueprints/tests/test_serializer_models.py

@@ -1,6 +1,6 @@
 """authentik managed models tests"""
 
-from collections.abc import Callable
+from typing import Callable, Type
 
 from django.apps import apps
 from django.test import TestCase
@@ -14,7 +14,7 @@ class TestModels(TestCase):
     """Test Models"""
 
 
-def serializer_tester_factory(test_model: type[SerializerModel]) -> Callable:
+def serializer_tester_factory(test_model: Type[SerializerModel]) -> Callable:
     """Test serializer"""
 
     def tester(self: TestModels):

authentik/blueprints/tests/test_v1_tasks.py

@@ -54,7 +54,7 @@ class TestBlueprintsV1Tasks(TransactionTestCase):
             file.seek(0)
             file_hash = sha512(file.read().encode()).hexdigest()
             file.flush()
-            blueprints_discovery()
+            blueprints_discovery()  # pylint: disable=no-value-for-parameter
             instance = BlueprintInstance.objects.filter(name=blueprint_id).first()
             self.assertEqual(instance.last_applied_hash, file_hash)
             self.assertEqual(
@@ -82,7 +82,7 @@ class TestBlueprintsV1Tasks(TransactionTestCase):
                 )
             )
             file.flush()
-            blueprints_discovery()
+            blueprints_discovery()  # pylint: disable=no-value-for-parameter
             blueprint = BlueprintInstance.objects.filter(name="foo").first()
             self.assertEqual(
                 blueprint.last_applied_hash,
@@ -107,7 +107,7 @@ class TestBlueprintsV1Tasks(TransactionTestCase):
                 )
             )
             file.flush()
-            blueprints_discovery()
+            blueprints_discovery()  # pylint: disable=no-value-for-parameter
             blueprint.refresh_from_db()
             self.assertEqual(
                 blueprint.last_applied_hash,
@@ -149,7 +149,7 @@ class TestBlueprintsV1Tasks(TransactionTestCase):
                 instance.status,
                 BlueprintInstanceStatus.UNKNOWN,
             )
-            apply_blueprint(instance.pk)
+            apply_blueprint(instance.pk)  # pylint: disable=no-value-for-parameter
             instance.refresh_from_db()
             self.assertEqual(instance.last_applied_hash, "")
             self.assertEqual(

authentik/blueprints/v1/common.py

@@ -1,14 +1,13 @@
 """transfer common classes"""
 
 from collections import OrderedDict
-from collections.abc import Iterable, Mapping
 from copy import copy
 from dataclasses import asdict, dataclass, field, is_dataclass
 from enum import Enum
 from functools import reduce
 from operator import ixor
 from os import getenv
-from typing import Any, Literal, Union
+from typing import Any, Iterable, Literal, Mapping, Optional, Union
 from uuid import UUID
 
 from deepmerge import always_merger
@@ -46,7 +45,7 @@ def get_attrs(obj: SerializerModel) -> dict[str, Any]:
 class BlueprintEntryState:
     """State of a single instance"""
 
-    instance: Model | None = None
+    instance: Optional[Model] = None
 
 
 class BlueprintEntryDesiredState(Enum):
@@ -68,9 +67,9 @@ class BlueprintEntry:
     )
     conditions: list[Any] = field(default_factory=list)
     identifiers: dict[str, Any] = field(default_factory=dict)
-    attrs: dict[str, Any] | None = field(default_factory=dict)
+    attrs: Optional[dict[str, Any]] = field(default_factory=dict)
 
-    id: str | None = None
+    id: Optional[str] = None
 
     _state: BlueprintEntryState = field(default_factory=BlueprintEntryState)
 
@@ -93,10 +92,10 @@ class BlueprintEntry:
             attrs=all_attrs,
         )
 
-    def get_tag_context(
+    def _get_tag_context(
         self,
         depth: int = 0,
-        context_tag_type: type["YAMLTagContext"] | tuple["YAMLTagContext", ...] | None = None,
+        context_tag_type: Optional[type["YAMLTagContext"] | tuple["YAMLTagContext", ...]] = None,
     ) -> "YAMLTagContext":
         """Get a YAMLTagContext object located at a certain depth in the tag tree"""
         if depth < 0:
@@ -109,8 +108,8 @@ class BlueprintEntry:
 
         try:
             return contexts[-(depth + 1)]
-        except IndexError as exc:
+        except IndexError:
-            raise ValueError(f"invalid depth: {depth}. Max depth: {len(contexts) - 1}") from exc
+            raise ValueError(f"invalid depth: {depth}. Max depth: {len(contexts) - 1}")
 
     def tag_resolver(self, value: Any, blueprint: "Blueprint") -> Any:
         """Check if we have any special tags that need handling"""
@@ -171,7 +170,7 @@ class Blueprint:
     entries: list[BlueprintEntry] = field(default_factory=list)
     context: dict = field(default_factory=dict)
 
-    metadata: BlueprintMetadata | None = field(default=None)
+    metadata: Optional[BlueprintMetadata] = field(default=None)
 
 
 class YAMLTag:
@@ -219,7 +218,7 @@ class Env(YAMLTag):
     """Lookup environment variable with optional default"""
 
     key: str
-    default: Any | None
+    default: Optional[Any]
 
     def __init__(self, loader: "BlueprintLoader", node: ScalarNode | SequenceNode) -> None:
         super().__init__()
@@ -238,7 +237,7 @@ class Context(YAMLTag):
     """Lookup key from instance context"""
 
     key: str
-    default: Any | None
+    default: Optional[Any]
 
     def __init__(self, loader: "BlueprintLoader", node: ScalarNode | SequenceNode) -> None:
         super().__init__()
@@ -282,7 +281,7 @@ class Format(YAMLTag):
         try:
             return self.format_string % tuple(args)
         except TypeError as exc:
-            raise EntryInvalidError.from_entry(exc, entry) from exc
+            raise EntryInvalidError.from_entry(exc, entry)
 
 
 class Find(YAMLTag):
@@ -367,7 +366,7 @@ class Condition(YAMLTag):
             comparator = self._COMPARATORS[self.mode.upper()]
             return comparator(tuple(bool(x) for x in args))
         except (TypeError, KeyError) as exc:
-            raise EntryInvalidError.from_entry(exc, entry) from exc
+            raise EntryInvalidError.from_entry(exc, entry)
 
 
 class If(YAMLTag):
@@ -399,7 +398,7 @@ class If(YAMLTag):
                 blueprint,
             )
         except TypeError as exc:
-            raise EntryInvalidError.from_entry(exc, entry) from exc
+            raise EntryInvalidError.from_entry(exc, entry)
 
 
 class Enumerate(YAMLTag, YAMLTagContext):
@@ -413,7 +412,9 @@ class Enumerate(YAMLTag, YAMLTagContext):
         "SEQ": (list, lambda a, b: [*a, b]),
         "MAP": (
             dict,
-            lambda a, b: always_merger.merge(a, {b[0]: b[1]} if isinstance(b, tuple | list) else b),
+            lambda a, b: always_merger.merge(
+                a, {b[0]: b[1]} if isinstance(b, (tuple, list)) else b
+            ),
         ),
     }
 
@@ -455,7 +456,7 @@ class Enumerate(YAMLTag, YAMLTagContext):
         try:
             output_class, add_fn = self._OUTPUT_BODIES[self.output_body.upper()]
         except KeyError as exc:
-            raise EntryInvalidError.from_entry(exc, entry) from exc
+            raise EntryInvalidError.from_entry(exc, entry)
 
         result = output_class()
 
@@ -483,13 +484,13 @@ class EnumeratedItem(YAMLTag):
 
     _SUPPORTED_CONTEXT_TAGS = (Enumerate,)
 
-    def __init__(self, _loader: "BlueprintLoader", node: ScalarNode) -> None:
+    def __init__(self, loader: "BlueprintLoader", node: ScalarNode) -> None:
         super().__init__()
         self.depth = int(node.value)
 
     def resolve(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
         try:
-            context_tag: Enumerate = entry.get_tag_context(
+            context_tag: Enumerate = entry._get_tag_context(
                 depth=self.depth,
                 context_tag_type=EnumeratedItem._SUPPORTED_CONTEXT_TAGS,
             )
@@ -499,11 +500,9 @@ class EnumeratedItem(YAMLTag):
                     f"{self.__class__.__name__} tags are only usable "
                     f"inside an {Enumerate.__name__} tag",
                     entry,
-                ) from exc
+                )
 
-            raise EntryInvalidError.from_entry(
+            raise EntryInvalidError.from_entry(f"{self.__class__.__name__} tag: {exc}", entry)
-                f"{self.__class__.__name__} tag: {exc}", entry
-            ) from exc
 
         return context_tag.get_context(entry, blueprint)
 
@@ -516,8 +515,8 @@ class Index(EnumeratedItem):
 
         try:
             return context[0]
-        except IndexError as exc:  # pragma: no cover
+        except IndexError:  # pragma: no cover
-            raise EntryInvalidError.from_entry(f"Empty/invalid context: {context}", entry) from exc
+            raise EntryInvalidError.from_entry(f"Empty/invalid context: {context}", entry)
 
 
 class Value(EnumeratedItem):
@@ -528,8 +527,8 @@ class Value(EnumeratedItem):
 
         try:
             return context[1]
-        except IndexError as exc:  # pragma: no cover
+        except IndexError:  # pragma: no cover
-            raise EntryInvalidError.from_entry(f"Empty/invalid context: {context}", entry) from exc
+            raise EntryInvalidError.from_entry(f"Empty/invalid context: {context}", entry)
 
 
 class BlueprintDumper(SafeDumper):
@@ -556,11 +555,7 @@ class BlueprintDumper(SafeDumper):
 
             def factory(items):
                 final_dict = dict(items)
-                # Remove internal state variables
                 final_dict.pop("_state", None)
-                # Future-proof to only remove the ID if we don't set a value
-                if "id" in final_dict and final_dict.get("id") is None:
-                    final_dict.pop("id")
                 return final_dict
 
             data = asdict(data, dict_factory=factory)
@@ -587,13 +582,13 @@ class BlueprintLoader(SafeLoader):
 class EntryInvalidError(SentryIgnoredException):
     """Error raised when an entry is invalid"""
 
-    entry_model: str | None
+    entry_model: Optional[str]
-    entry_id: str | None
+    entry_id: Optional[str]
-    validation_error: ValidationError | None
+    validation_error: Optional[ValidationError]
-    serializer: Serializer | None = None
+    serializer: Optional[Serializer] = None
 
     def __init__(
-        self, *args: object, validation_error: ValidationError | None = None, **kwargs
+        self, *args: object, validation_error: Optional[ValidationError] = None, **kwargs
     ) -> None:
         super().__init__(*args)
         self.entry_model = None

authentik/blueprints/v1/exporter.py

@@ -1,6 +1,6 @@
 """Blueprint exporter"""
 
-from collections.abc import Iterable
+from typing import Iterable
 from uuid import UUID
 
 from django.apps import apps
@@ -59,7 +59,7 @@ class Exporter:
         blueprint = Blueprint()
         self._pre_export(blueprint)
         blueprint.metadata = BlueprintMetadata(
-            name=_("authentik Export - {date}".format_map({"date": str(now())})),
+            name=_("authentik Export - %(date)s" % {"date": str(now())}),
             labels={
                 LABEL_AUTHENTIK_GENERATED: "true",
             },
@@ -74,7 +74,7 @@ class Exporter:
 
 
 class FlowExporter(Exporter):
-    """Exporter customized to only return objects related to `flow`"""
+    """Exporter customised to only return objects related to `flow`"""
 
     flow: Flow
     with_policies: bool

authentik/blueprints/v1/importer.py

@@ -2,7 +2,7 @@
 
 from contextlib import contextmanager
 from copy import deepcopy
-from typing import Any
+from typing import Any, Optional
 
 from dacite.config import Config
 from dacite.core import from_dict
@@ -19,6 +19,8 @@ from guardian.models import UserObjectPermission
 from rest_framework.exceptions import ValidationError
 from rest_framework.serializers import BaseSerializer, Serializer
 from structlog.stdlib import BoundLogger, get_logger
+from structlog.testing import capture_logs
+from structlog.types import EventDict
 from yaml import load
 
 from authentik.blueprints.v1.common import (
@@ -40,7 +42,6 @@ from authentik.core.models import (
 from authentik.enterprise.license import LicenseKey
 from authentik.enterprise.models import LicenseUsage
 from authentik.enterprise.providers.rac.models import ConnectionToken
-from authentik.events.logs import LogEvent, capture_logs
 from authentik.events.models import SystemTask
 from authentik.events.utils import cleanse_dict
 from authentik.flows.models import FlowToken, Stage
@@ -51,8 +52,6 @@ from authentik.policies.models import Policy, PolicyBindingModel
 from authentik.policies.reputation.models import Reputation
 from authentik.providers.oauth2.models import AccessToken, AuthorizationCode, RefreshToken
 from authentik.providers.scim.models import SCIMGroup, SCIMUser
-from authentik.sources.scim.models import SCIMSourceGroup, SCIMSourceUser
-from authentik.stages.authenticator_webauthn.models import WebAuthnDeviceType
 from authentik.tenants.models import Tenant
 
 # Context set when the serializer is created in a blueprint context
@@ -63,7 +62,7 @@ SERIALIZER_CONTEXT_BLUEPRINT = "blueprint_entry"
 def excluded_models() -> list[type[Model]]:
     """Return a list of all excluded models that shouldn't be exposed via API
     or other means (internal only, base classes, non-used objects, etc)"""
-
+    # pylint: disable=imported-auth-user
     from django.contrib.auth.models import Group as DjangoGroup
     from django.contrib.auth.models import User as DjangoUser
 
@@ -97,15 +96,12 @@ def excluded_models() -> list[type[Model]]:
         AccessToken,
         RefreshToken,
         Reputation,
-        WebAuthnDeviceType,
-        SCIMSourceUser,
-        SCIMSourceGroup,
     )
 
 
 def is_model_allowed(model: type[Model]) -> bool:
     """Check if model is allowed"""
-    return model not in excluded_models() and issubclass(model, SerializerModel | BaseMetaModel)
+    return model not in excluded_models() and issubclass(model, (SerializerModel, BaseMetaModel))
 
 
 class DoRollback(SentryIgnoredException):
@@ -129,7 +125,7 @@ class Importer:
     logger: BoundLogger
     _import: Blueprint
 
-    def __init__(self, blueprint: Blueprint, context: dict | None = None):
+    def __init__(self, blueprint: Blueprint, context: Optional[dict] = None):
         self.__pk_map: dict[Any, Model] = {}
         self._import = blueprint
         self.logger = get_logger()
@@ -165,14 +161,14 @@ class Importer:
 
         def updater(value) -> Any:
             if value in self.__pk_map:
-                self.logger.debug("Updating reference in entry", value=value)
+                self.logger.debug("updating reference in entry", value=value)
                 return self.__pk_map[value]
             return value
 
         for key, value in attrs.items():
             try:
                 if isinstance(value, dict):
-                    for _, _inner_key in enumerate(value):
+                    for idx, _inner_key in enumerate(value):
                         value[_inner_key] = updater(value[_inner_key])
                 elif isinstance(value, list):
                     for idx, _inner_value in enumerate(value):
@@ -201,7 +197,8 @@ class Importer:
 
         return main_query | sub_query
 
-    def _validate_single(self, entry: BlueprintEntry) -> BaseSerializer | None:
+    # pylint: disable-msg=too-many-locals
+    def _validate_single(self, entry: BlueprintEntry) -> Optional[BaseSerializer]:
         """Validate a single entry"""
         if not entry.check_all_conditions_match(self._import):
             self.logger.debug("One or more conditions of this entry are not fulfilled, skipping")
@@ -254,7 +251,7 @@ class Importer:
         model_instance = existing_models.first()
         if not isinstance(model(), BaseMetaModel) and model_instance:
             self.logger.debug(
-                "Initialise serializer with instance",
+                "initialise serializer with instance",
                 model=model,
                 instance=model_instance,
                 pk=model_instance.pk,
@@ -264,14 +261,14 @@ class Importer:
         elif model_instance and entry.state == BlueprintEntryDesiredState.MUST_CREATED:
             raise EntryInvalidError.from_entry(
                 (
-                    f"State is set to {BlueprintEntryDesiredState.MUST_CREATED} "
+                    f"state is set to {BlueprintEntryDesiredState.MUST_CREATED} "
                     "and object exists already",
                 ),
                 entry,
             )
         else:
             self.logger.debug(
-                "Initialised new serializer instance",
+                "initialised new serializer instance",
                 model=model,
                 **cleanse_dict(updated_identifiers),
             )
@@ -328,7 +325,7 @@ class Importer:
                 model: type[SerializerModel] = registry.get_model(model_app_label, model_name)
             except LookupError:
                 self.logger.warning(
-                    "App or Model does not exist", app=model_app_label, model=model_name
+                    "app or model does not exist", app=model_app_label, model=model_name
                 )
                 return False
             # Validate each single entry
@@ -340,7 +337,7 @@ class Importer:
                 if entry.get_state(self._import) == BlueprintEntryDesiredState.ABSENT:
                     serializer = exc.serializer
                 else:
-                    self.logger.warning(f"Entry invalid: {exc}", entry=entry, error=exc)
+                    self.logger.warning(f"entry invalid: {exc}", entry=entry, error=exc)
                     if raise_errors:
                         raise exc
                     return False
@@ -360,27 +357,27 @@ class Importer:
                     and state == BlueprintEntryDesiredState.CREATED
                 ):
                     self.logger.debug(
-                        "Instance exists, skipping",
+                        "instance exists, skipping",
                         model=model,
                         instance=instance,
                         pk=instance.pk,
                     )
                 else:
                     instance = serializer.save()
-                    self.logger.debug("Updated model", model=instance)
+                    self.logger.debug("updated model", model=instance)
                 if "pk" in entry.identifiers:
                     self.__pk_map[entry.identifiers["pk"]] = instance.pk
                 entry._state = BlueprintEntryState(instance)
             elif state == BlueprintEntryDesiredState.ABSENT:
-                instance: Model | None = serializer.instance
+                instance: Optional[Model] = serializer.instance
                 if instance.pk:
                     instance.delete()
-                    self.logger.debug("Deleted model", mode=instance)
+                    self.logger.debug("deleted model", mode=instance)
                     continue
-                self.logger.debug("Entry to delete with no instance, skipping")
+                self.logger.debug("entry to delete with no instance, skipping")
         return True
 
-    def validate(self, raise_validation_errors=False) -> tuple[bool, list[LogEvent]]:
+    def validate(self, raise_validation_errors=False) -> tuple[bool, list[EventDict]]:
         """Validate loaded blueprint export, ensure all models are allowed
         and serializers have no errors"""
         self.logger.debug("Starting blueprint import validation")
@@ -394,7 +391,9 @@ class Importer:
         ):
             successful = self._apply_models(raise_errors=raise_validation_errors)
             if not successful:
-                self.logger.warning("Blueprint validation failed")
+                self.logger.debug("Blueprint validation failed")
+        for log in logs:
+            getattr(self.logger, log.get("log_level"))(**log)
         self.logger.debug("Finished blueprint import validation")
         self._import = orig_import
         return successful, logs

authentik/blueprints/v1/meta/apply_blueprint.py

@@ -43,7 +43,7 @@ class ApplyBlueprintMetaSerializer(PassiveSerializer):
             LOGGER.info("Blueprint does not exist, but not required")
             return MetaResult()
         LOGGER.debug("Applying blueprint from meta model", blueprint=self.blueprint_instance)
-
+        # pylint: disable=no-value-for-parameter
         apply_blueprint(str(self.blueprint_instance.pk))
         return MetaResult()
 

authentik/blueprints/v1/meta/registry.py

@@ -8,15 +8,15 @@ from rest_framework.serializers import Serializer
 class BaseMetaModel(Model):
     """Base models"""
 
-    class Meta:
-        abstract = True
-
     @staticmethod
     def serializer() -> Serializer:
         """Serializer similar to SerializerModel, but as a static method since
         this is an abstract model"""
         raise NotImplementedError
 
+    class Meta:
+        abstract = True
+
 
 class MetaResult:
     """Result returned by Meta Models' serializers. Empty class but we can't return none as

authentik/blueprints/v1/tasks.py

@@ -4,6 +4,7 @@ from dataclasses import asdict, dataclass, field
 from hashlib import sha512
 from pathlib import Path
 from sys import platform
+from typing import Optional
 
 from dacite.core import from_dict
 from django.db import DatabaseError, InternalError, ProgrammingError
@@ -30,7 +31,6 @@ from authentik.blueprints.v1.common import BlueprintLoader, BlueprintMetadata, E
 from authentik.blueprints.v1.importer import Importer
 from authentik.blueprints.v1.labels import LABEL_AUTHENTIK_INSTANTIATE
 from authentik.blueprints.v1.oci import OCI_PREFIX
-from authentik.events.logs import capture_logs
 from authentik.events.models import TaskStatus
 from authentik.events.system_tasks import SystemTask, prefill_task
 from authentik.events.utils import sanitize_dict
@@ -50,14 +50,14 @@ class BlueprintFile:
     version: int
     hash: str
     last_m: int
-    meta: BlueprintMetadata | None = field(default=None)
+    meta: Optional[BlueprintMetadata] = field(default=None)
 
 
 def start_blueprint_watcher():
     """Start blueprint watcher, if it's not running already."""
     # This function might be called twice since it's called on celery startup
-
+    # pylint: disable=global-statement
-    global _file_watcher_started  # noqa: PLW0603
+    global _file_watcher_started
     if _file_watcher_started:
         return
     observer = Observer()
@@ -126,7 +126,7 @@ def blueprints_find() -> list[BlueprintFile]:
         # Check if any part in the path starts with a dot and assume a hidden file
         if any(part for part in path.parts if part.startswith(".")):
             continue
-        with open(path, encoding="utf-8") as blueprint_file:
+        with open(path, "r", encoding="utf-8") as blueprint_file:
             try:
                 raw_blueprint = load(blueprint_file.read(), BlueprintLoader)
             except YAMLError as exc:
@@ -150,7 +150,7 @@ def blueprints_find() -> list[BlueprintFile]:
     throws=(DatabaseError, ProgrammingError, InternalError), base=SystemTask, bind=True
 )
 @prefill_task
-def blueprints_discovery(self: SystemTask, path: str | None = None):
+def blueprints_discovery(self: SystemTask, path: Optional[str] = None):
     """Find blueprints and check if they need to be created in the database"""
     count = 0
     for blueprint in blueprints_find():
@@ -197,7 +197,7 @@ def check_blueprint_v1_file(blueprint: BlueprintFile):
 def apply_blueprint(self: SystemTask, instance_pk: str):
     """Apply single blueprint"""
     self.save_on_success = False
-    instance: BlueprintInstance | None = None
+    instance: Optional[BlueprintInstance] = None
     try:
         instance: BlueprintInstance = BlueprintInstance.objects.filter(pk=instance_pk).first()
         if not instance or not instance.enabled:
@@ -212,24 +212,23 @@ def apply_blueprint(self: SystemTask, instance_pk: str):
         if not valid:
             instance.status = BlueprintInstanceStatus.ERROR
             instance.save()
-            self.set_status(TaskStatus.ERROR, *logs)
+            self.set_status(TaskStatus.ERROR, *[x["event"] for x in logs])
+            return
+        applied = importer.apply()
+        if not applied:
+            instance.status = BlueprintInstanceStatus.ERROR
+            instance.save()
+            self.set_status(TaskStatus.ERROR, "Failed to apply")
             return
-        with capture_logs() as logs:
-            applied = importer.apply()
-            if not applied:
-                instance.status = BlueprintInstanceStatus.ERROR
-                instance.save()
-                self.set_status(TaskStatus.ERROR, *logs)
-                return
         instance.status = BlueprintInstanceStatus.SUCCESSFUL
         instance.last_applied_hash = file_hash
         instance.last_applied = now()
         self.set_status(TaskStatus.SUCCESSFUL)
     except (
-        OSError,
         DatabaseError,
         ProgrammingError,
         InternalError,
+        IOError,
         BlueprintRetrievalFailed,
         EntryInvalidError,
     ) as exc:

authentik/brands/middleware.py

@@ -1,6 +1,6 @@
 """Inject brand into current request"""
 
-from collections.abc import Callable
+from typing import Callable
 
 from django.http.request import HttpRequest
 from django.http.response import HttpResponse
@@ -20,7 +20,7 @@ class BrandMiddleware:
     def __call__(self, request: HttpRequest) -> HttpResponse:
         if not hasattr(request, "brand"):
             brand = get_brand_for_request(request)
-            request.brand = brand
+            setattr(request, "brand", brand)
             locale = brand.default_locale
             if locale != "":
                 activate(locale)

authentik/brands/migrations/0006_brand_authentik_b_domain_b9b24a_idx_and_more.py

@@ -1,21 +0,0 @@
-# Generated by Django 5.0.4 on 2024-04-18 18:56
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_brands", "0005_tenantuuid_to_branduuid"),
-    ]
-
-    operations = [
-        migrations.AddIndex(
-            model_name="brand",
-            index=models.Index(fields=["domain"], name="authentik_b_domain_b9b24a_idx"),
-        ),
-        migrations.AddIndex(
-            model_name="brand",
-            index=models.Index(fields=["default"], name="authentik_b_default_3ccf12_idx"),
-        ),
-    ]

authentik/brands/models.py

@@ -71,7 +71,7 @@ class Brand(SerializerModel):
         """Get default locale"""
         try:
             return self.attributes.get("settings", {}).get("locale", "")
-
+        # pylint: disable=broad-except
         except Exception as exc:
             LOGGER.warning("Failed to get default locale", exc=exc)
             return ""
@@ -84,7 +84,3 @@ class Brand(SerializerModel):
     class Meta:
         verbose_name = _("Brand")
         verbose_name_plural = _("Brands")
-        indexes = [
-            models.Index(fields=["domain"]),
-            models.Index(fields=["default"]),
-        ]

authentik/brands/utils.py

@@ -9,7 +9,6 @@ from sentry_sdk.hub import Hub
 
 from authentik import get_full_version
 from authentik.brands.models import Brand
-from authentik.tenants.models import Tenant
 
 _q_default = Q(default=True)
 DEFAULT_BRAND = Brand(domain="fallback")
@@ -31,14 +30,13 @@ def get_brand_for_request(request: HttpRequest) -> Brand:
 def context_processor(request: HttpRequest) -> dict[str, Any]:
     """Context Processor that injects brand object into every template"""
     brand = getattr(request, "brand", DEFAULT_BRAND)
-    tenant = getattr(request, "tenant", Tenant())
     trace = ""
     span = Hub.current.scope.span
     if span:
         trace = span.to_traceparent()
     return {
         "brand": brand,
-        "footer_links": tenant.footer_links,
+        "footer_links": request.tenant.footer_links,
         "sentry_trace": trace,
         "version": get_full_version(),
     }

authentik/core/api/applications.py

@@ -1,8 +1,8 @@
 """Application API Views"""
 
-from collections.abc import Iterator
 from copy import copy
 from datetime import timedelta
+from typing import Iterator, Optional
 
 from django.core.cache import cache
 from django.db.models import QuerySet
@@ -20,15 +20,16 @@ from rest_framework.response import Response
 from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger
+from structlog.testing import capture_logs
 
 from authentik.admin.api.metrics import CoordinateSerializer
-from authentik.api.pagination import Pagination
+from authentik.api.decorators import permission_required
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.core.api.providers import ProviderSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.models import Application, User
-from authentik.events.logs import LogEventSerializer, capture_logs
 from authentik.events.models import EventAction
+from authentik.events.utils import sanitize_dict
 from authentik.lib.utils.file import (
     FilePathSerializer,
     FileUploadSerializer,
@@ -37,19 +38,15 @@ from authentik.lib.utils.file import (
 )
 from authentik.policies.api.exec import PolicyTestResultSerializer
 from authentik.policies.engine import PolicyEngine
-from authentik.policies.types import CACHE_PREFIX, PolicyResult
+from authentik.policies.types import PolicyResult
-from authentik.rbac.decorators import permission_required
 from authentik.rbac.filters import ObjectFilter
 
 LOGGER = get_logger()
 
 
-def user_app_cache_key(user_pk: str, page_number: int | None = None) -> str:
+def user_app_cache_key(user_pk: str) -> str:
     """Cache key where application list for user is saved"""
-    key = f"{CACHE_PREFIX}/app_access/{user_pk}"
+    return f"goauthentik.io/core/app_access/{user_pk}"
-    if page_number:
-        key += f"/{page_number}"
-    return key
 
 
 class ApplicationSerializer(ModelSerializer):
@@ -63,7 +60,7 @@ class ApplicationSerializer(ModelSerializer):
 
     meta_icon = ReadOnlyField(source="get_meta_icon")
 
-    def get_launch_url(self, app: Application) -> str | None:
+    def get_launch_url(self, app: Application) -> Optional[str]:
         """Allow formatting of launch URL"""
         user = None
         if "request" in self.context:
@@ -103,6 +100,7 @@ class ApplicationSerializer(ModelSerializer):
 class ApplicationViewSet(UsedByMixin, ModelViewSet):
     """Application Viewset"""
 
+    # pylint: disable=no-member
     queryset = Application.objects.all().prefetch_related("provider")
     serializer_class = ApplicationSerializer
     search_fields = [
@@ -133,7 +131,7 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
         return queryset
 
     def _get_allowed_applications(
-        self, pagined_apps: Iterator[Application], user: User | None = None
+        self, pagined_apps: Iterator[Application], user: Optional[User] = None
     ) -> list[Application]:
         applications = []
         request = self.request._request
@@ -171,7 +169,7 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
             try:
                 for_user = User.objects.filter(pk=request.query_params.get("for_user")).first()
             except ValueError:
-                raise ValidationError({"for_user": "for_user must be numerical"}) from None
+                raise ValidationError({"for_user": "for_user must be numerical"})
             if not for_user:
                 raise ValidationError({"for_user": "User not found"})
         engine = PolicyEngine(application, for_user, request)
@@ -185,9 +183,9 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
         if request.user.is_superuser:
             log_messages = []
             for log in logs:
-                if log.attributes.get("process", "") == "PolicyProcess":
+                if log.get("process", "") == "PolicyProcess":
                     continue
-                log_messages.append(LogEventSerializer(log).data)
+                log_messages.append(sanitize_dict(log))
             result.log_messages = log_messages
             response = PolicyTestResultSerializer(result)
         return Response(response.data)
@@ -217,8 +215,7 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
             return super().list(request)
 
         queryset = self._filter_queryset_for_list(self.get_queryset())
-        paginator: Pagination = self.paginator
+        pagined_apps = self.paginate_queryset(queryset)
-        paginated_apps = paginator.paginate_queryset(queryset, request)
 
         if "for_user" in request.query_params:
             try:
@@ -232,22 +229,20 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
                     raise ValidationError({"for_user": "User not found"})
             except ValueError as exc:
                 raise ValidationError from exc
-            allowed_applications = self._get_allowed_applications(paginated_apps, user=for_user)
+            allowed_applications = self._get_allowed_applications(pagined_apps, user=for_user)
             serializer = self.get_serializer(allowed_applications, many=True)
             return self.get_paginated_response(serializer.data)
 
         allowed_applications = []
         if not should_cache:
-            allowed_applications = self._get_allowed_applications(paginated_apps)
+            allowed_applications = self._get_allowed_applications(pagined_apps)
         if should_cache:
-            allowed_applications = cache.get(
+            allowed_applications = cache.get(user_app_cache_key(self.request.user.pk))
-                user_app_cache_key(self.request.user.pk, paginator.page.number)
-            )
             if not allowed_applications:
-                LOGGER.debug("Caching allowed application list", page=paginator.page.number)
+                LOGGER.debug("Caching allowed application list")
-                allowed_applications = self._get_allowed_applications(paginated_apps)
+                allowed_applications = self._get_allowed_applications(pagined_apps)
                 cache.set(
-                    user_app_cache_key(self.request.user.pk, paginator.page.number),
+                    user_app_cache_key(self.request.user.pk),
                     allowed_applications,
                     timeout=86400,
                 )

authentik/core/api/authenticated_sessions.py

@@ -1,6 +1,6 @@
 """AuthenticatedSessions API Viewset"""
 
-from typing import TypedDict
+from typing import Optional, TypedDict
 
 from django_filters.rest_framework import DjangoFilterBackend
 from guardian.utils import get_anonymous_user
@@ -72,11 +72,11 @@ class AuthenticatedSessionSerializer(ModelSerializer):
         """Get parsed user agent"""
         return user_agent_parser.Parse(instance.last_user_agent)
 
-    def get_geo_ip(self, instance: AuthenticatedSession) -> GeoIPDict | None:  # pragma: no cover
+    def get_geo_ip(self, instance: AuthenticatedSession) -> Optional[GeoIPDict]:  # pragma: no cover
         """Get GeoIP Data"""
         return GEOIP_CONTEXT_PROCESSOR.city_dict(instance.last_ip)
 
-    def get_asn(self, instance: AuthenticatedSession) -> ASNDict | None:  # pragma: no cover
+    def get_asn(self, instance: AuthenticatedSession) -> Optional[ASNDict]:  # pragma: no cover
         """Get ASN Data"""
         return ASN_CONTEXT_PROCESSOR.asn_dict(instance.last_ip)
 

authentik/core/api/groups.py

@@ -1,29 +1,25 @@
 """Groups API Viewset"""
 
 from json import loads
+from typing import Optional
 
 from django.http import Http404
 from django_filters.filters import CharFilter, ModelMultipleChoiceFilter
 from django_filters.filterset import FilterSet
-from drf_spectacular.utils import (
+from drf_spectacular.utils import OpenApiResponse, extend_schema
-    OpenApiParameter,
-    OpenApiResponse,
-    extend_schema,
-    extend_schema_field,
-)
 from guardian.shortcuts import get_objects_for_user
 from rest_framework.decorators import action
-from rest_framework.fields import CharField, IntegerField, SerializerMethodField
+from rest_framework.fields import CharField, IntegerField
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import ListSerializer, ModelSerializer, ValidationError
 from rest_framework.viewsets import ModelViewSet
 
+from authentik.api.decorators import permission_required
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import JSONDictField, PassiveSerializer
 from authentik.core.models import Group, User
 from authentik.rbac.api.roles import RoleSerializer
-from authentik.rbac.decorators import permission_required
 
 
 class GroupMemberSerializer(ModelSerializer):
@@ -50,7 +46,9 @@ class GroupSerializer(ModelSerializer):
     """Group Serializer"""
 
     attributes = JSONDictField(required=False)
-    users_obj = SerializerMethodField(allow_null=True)
+    users_obj = ListSerializer(
+        child=GroupMemberSerializer(), read_only=True, source="users", required=False
+    )
     roles_obj = ListSerializer(
         child=RoleSerializer(),
         read_only=True,
@@ -61,20 +59,7 @@ class GroupSerializer(ModelSerializer):
 
     num_pk = IntegerField(read_only=True)
 
-    @property
+    def validate_parent(self, parent: Optional[Group]):
-    def _should_include_users(self) -> bool:
-        request: Request = self.context.get("request", None)
-        if not request:
-            return True
-        return str(request.query_params.get("include_users", "true")).lower() == "true"
-
-    @extend_schema_field(GroupMemberSerializer(many=True))
-    def get_users_obj(self, instance: Group) -> list[GroupMemberSerializer] | None:
-        if not self._should_include_users:
-            return None
-        return GroupMemberSerializer(instance.users, many=True).data
-
-    def validate_parent(self, parent: Group | None):
         """Validate group parent (if set), ensuring the parent isn't itself"""
         if not self.instance or not parent:
             return parent
@@ -129,7 +114,7 @@ class GroupFilter(FilterSet):
         try:
             value = loads(value)
         except ValueError:
-            raise ValidationError(detail="filter: failed to parse JSON") from None
+            raise ValidationError(detail="filter: failed to parse JSON")
         if not isinstance(value, dict):
             raise ValidationError(detail="filter: value must be key:value mapping")
         qs = {}
@@ -146,35 +131,23 @@ class GroupFilter(FilterSet):
         fields = ["name", "is_superuser", "members_by_pk", "attributes", "members_by_username"]
 
 
+class UserAccountSerializer(PassiveSerializer):
+    """Account adding/removing operations"""
+
+    pk = IntegerField(required=True)
+
+
 class GroupViewSet(UsedByMixin, ModelViewSet):
     """Group Viewset"""
 
-    class UserAccountSerializer(PassiveSerializer):
+    # pylint: disable=no-member
-        """Account adding/removing operations"""
+    queryset = Group.objects.all().select_related("parent").prefetch_related("users")
-
-        pk = IntegerField(required=True)
-
-    queryset = Group.objects.none()
     serializer_class = GroupSerializer
     search_fields = ["name", "is_superuser"]
     filterset_class = GroupFilter
     ordering = ["name"]
 
-    def get_queryset(self):
+    @permission_required(None, ["authentik_core.add_user"])
-        base_qs = Group.objects.all().select_related("parent").prefetch_related("roles")
-        if self.serializer_class(context={"request": self.request})._should_include_users:
-            base_qs = base_qs.prefetch_related("users")
-        return base_qs
-
-    @extend_schema(
-        parameters=[
-            OpenApiParameter("include_users", bool, default=True),
-        ]
-    )
-    def list(self, request, *args, **kwargs):
-        return super().list(request, *args, **kwargs)
-
-    @permission_required("authentik_core.add_user_to_group")
     @extend_schema(
         request=UserAccountSerializer,
         responses={
@@ -182,13 +155,7 @@ class GroupViewSet(UsedByMixin, ModelViewSet):
             404: OpenApiResponse(description="User not found"),
         },
     )
-    @action(
+    @action(detail=True, methods=["POST"], pagination_class=None, filter_backends=[])
-        detail=True,
-        methods=["POST"],
-        pagination_class=None,
-        filter_backends=[],
-        permission_classes=[],
-    )
     def add_user(self, request: Request, pk: str) -> Response:
         """Add user to group"""
         group: Group = self.get_object()
@@ -204,7 +171,7 @@ class GroupViewSet(UsedByMixin, ModelViewSet):
         group.users.add(user)
         return Response(status=204)
 
-    @permission_required("authentik_core.remove_user_from_group")
+    @permission_required(None, ["authentik_core.add_user"])
     @extend_schema(
         request=UserAccountSerializer,
         responses={
@@ -212,13 +179,7 @@ class GroupViewSet(UsedByMixin, ModelViewSet):
             404: OpenApiResponse(description="User not found"),
         },
     )
-    @action(
+    @action(detail=True, methods=["POST"], pagination_class=None, filter_backends=[])
-        detail=True,
-        methods=["POST"],
-        pagination_class=None,
-        filter_backends=[],
-        permission_classes=[],
-    )
     def remove_user(self, request: Request, pk: str) -> Response:
         """Add user to group"""
         group: Group = self.get_object()

authentik/core/api/propertymappings.py

@@ -14,6 +14,7 @@ from rest_framework.response import Response
 from rest_framework.serializers import ModelSerializer, SerializerMethodField
 from rest_framework.viewsets import GenericViewSet
 
+from authentik.api.decorators import permission_required
 from authentik.blueprints.api import ManagedSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import MetaNameSerializer, PassiveSerializer, TypeCreateSerializer
@@ -22,7 +23,6 @@ from authentik.core.models import PropertyMapping
 from authentik.events.utils import sanitize_item
 from authentik.lib.utils.reflection import all_subclasses
 from authentik.policies.api.exec import PolicyTestSerializer
-from authentik.rbac.decorators import permission_required
 
 
 class PropertyMappingTestResultSerializer(PassiveSerializer):
@@ -146,7 +146,7 @@ class PropertyMappingViewSet(
             response_data["result"] = dumps(
                 sanitize_item(result), indent=(4 if format_result else None)
             )
-        except Exception as exc:
+        except Exception as exc:  # pylint: disable=broad-except
             response_data["result"] = str(exc)
             response_data["successful"] = False
         response = PropertyMappingTestResultSerializer(response_data)

authentik/core/api/sources.py

@@ -1,6 +1,6 @@
 """Source API Views"""
 
-from collections.abc import Iterable
+from typing import Iterable
 
 from django_filters.rest_framework import DjangoFilterBackend
 from drf_spectacular.utils import OpenApiResponse, extend_schema
@@ -16,6 +16,7 @@ from rest_framework.viewsets import GenericViewSet
 from structlog.stdlib import get_logger
 
 from authentik.api.authorization import OwnerFilter, OwnerSuperuserPermissions
+from authentik.api.decorators import permission_required
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import MetaNameSerializer, TypeCreateSerializer
@@ -29,7 +30,6 @@ from authentik.lib.utils.file import (
 )
 from authentik.lib.utils.reflection import all_subclasses
 from authentik.policies.engine import PolicyEngine
-from authentik.rbac.decorators import permission_required
 
 LOGGER = get_logger()
 

authentik/core/api/tokens.py

@@ -2,7 +2,6 @@
 
 from typing import Any
 
-from django.utils.timezone import now
 from django_filters.rest_framework import DjangoFilterBackend
 from drf_spectacular.utils import OpenApiResponse, extend_schema, inline_serializer
 from guardian.shortcuts import assign_perm, get_anonymous_user
@@ -16,23 +15,15 @@ from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet
 
 from authentik.api.authorization import OwnerSuperuserPermissions
+from authentik.api.decorators import permission_required
 from authentik.blueprints.api import ManagedSerializer
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.users import UserSerializer
 from authentik.core.api.utils import PassiveSerializer
-from authentik.core.models import (
+from authentik.core.models import USER_ATTRIBUTE_TOKEN_EXPIRING, Token, TokenIntents
-    USER_ATTRIBUTE_TOKEN_EXPIRING,
-    USER_ATTRIBUTE_TOKEN_MAXIMUM_LIFETIME,
-    Token,
-    TokenIntents,
-    User,
-    default_token_duration,
-)
 from authentik.events.models import Event, EventAction
 from authentik.events.utils import model_to_dict
-from authentik.lib.utils.time import timedelta_from_string
-from authentik.rbac.decorators import permission_required
 
 
 class TokenSerializer(ManagedSerializer, ModelSerializer):
@@ -58,32 +49,6 @@ class TokenSerializer(ManagedSerializer, ModelSerializer):
         attrs.setdefault("intent", TokenIntents.INTENT_API)
         if attrs.get("intent") not in [TokenIntents.INTENT_API, TokenIntents.INTENT_APP_PASSWORD]:
             raise ValidationError({"intent": f"Invalid intent {attrs.get('intent')}"})
-
-        if attrs.get("intent") == TokenIntents.INTENT_APP_PASSWORD:
-            # user IS in attrs
-            user: User = attrs.get("user")
-            max_token_lifetime = user.group_attributes(request).get(
-                USER_ATTRIBUTE_TOKEN_MAXIMUM_LIFETIME,
-            )
-            max_token_lifetime_dt = default_token_duration()
-            if max_token_lifetime is not None:
-                try:
-                    max_token_lifetime_dt = now() + timedelta_from_string(max_token_lifetime)
-                except ValueError:
-                    pass
-
-            if "expires" in attrs and attrs.get("expires") > max_token_lifetime_dt:
-                raise ValidationError(
-                    {
-                        "expires": (
-                            f"Token expires exceeds maximum lifetime ({max_token_lifetime_dt} UTC)."
-                        )
-                    }
-                )
-        elif attrs.get("intent") == TokenIntents.INTENT_API:
-            # For API tokens, expires cannot be overridden
-            attrs["expires"] = default_token_duration()
-
         return attrs
 
     class Meta:

authentik/core/api/transactional_applications.py

@@ -65,7 +65,7 @@ class TransactionApplicationSerializer(PassiveSerializer):
                 raise ValidationError("Invalid provider model")
             self._provider_model = model
         except LookupError:
-            raise ValidationError("Invalid provider model") from None
+            raise ValidationError("Invalid provider model")
         return fq_model_name
 
     def validate(self, attrs: dict) -> dict:
@@ -106,7 +106,7 @@ class TransactionApplicationSerializer(PassiveSerializer):
                 {
                     exc.entry_id: exc.validation_error.detail,
                 }
-            ) from None
+            )
         return blueprint
 
 

authentik/core/api/used_by.py

@@ -54,6 +54,7 @@ class UsedByMixin:
         responses={200: UsedBySerializer(many=True)},
     )
     @action(detail=True, pagination_class=None, filter_backends=[])
+    # pylint: disable=too-many-locals
     def used_by(self, request: Request, *args, **kwargs) -> Response:
         """Get a list of all objects that use this object"""
         model: Model = self.get_object()

authentik/core/api/users.py

@@ -2,7 +2,7 @@
 
 from datetime import timedelta
 from json import loads
-from typing import Any
+from typing import Any, Optional
 
 from django.contrib.auth import update_session_auth_hash
 from django.contrib.sessions.backends.cache import KEY_PREFIX
@@ -49,6 +49,7 @@ from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger
 
 from authentik.admin.api.metrics import CoordinateSerializer
+from authentik.api.decorators import permission_required
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.brands.models import Brand
 from authentik.core.api.used_by import UsedByMixin
@@ -73,7 +74,6 @@ from authentik.flows.models import FlowToken
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlanner
 from authentik.flows.views.executor import QS_KEY_TOKEN
 from authentik.lib.avatars import get_avatar
-from authentik.rbac.decorators import permission_required
 from authentik.stages.email.models import EmailStage
 from authentik.stages.email.tasks import send_mails
 from authentik.stages.email.utils import TemplateEmailMessage
@@ -85,7 +85,7 @@ class UserGroupSerializer(ModelSerializer):
     """Simplified Group Serializer for user's groups"""
 
     attributes = JSONDictField(required=False)
-    parent_name = CharField(source="parent.name", read_only=True, allow_null=True)
+    parent_name = CharField(source="parent.name", read_only=True)
 
     class Meta:
         model = Group
@@ -113,26 +113,13 @@ class UserSerializer(ModelSerializer):
         queryset=Group.objects.all().order_by("name"),
         default=list,
     )
-    groups_obj = SerializerMethodField(allow_null=True)
+    groups_obj = ListSerializer(child=UserGroupSerializer(), read_only=True, source="ak_groups")
     uid = CharField(read_only=True)
     username = CharField(
         max_length=150,
         validators=[UniqueValidator(queryset=User.objects.all().order_by("username"))],
     )
 
-    @property
-    def _should_include_groups(self) -> bool:
-        request: Request = self.context.get("request", None)
-        if not request:
-            return True
-        return str(request.query_params.get("include_groups", "true")).lower() == "true"
-
-    @extend_schema_field(UserGroupSerializer(many=True))
-    def get_groups_obj(self, instance: User) -> list[UserGroupSerializer] | None:
-        if not self._should_include_groups:
-            return None
-        return UserGroupSerializer(instance.ak_groups, many=True).data
-
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
         if SERIALIZER_CONTEXT_BLUEPRINT in self.context:
@@ -155,7 +142,7 @@ class UserSerializer(ModelSerializer):
         self._set_password(instance, password)
         return instance
 
-    def _set_password(self, instance: User, password: str | None):
+    def _set_password(self, instance: User, password: Optional[str]):
         """Set password of user if we're in a blueprint context, and if it's an empty
         string then use an unusable password"""
         if SERIALIZER_CONTEXT_BLUEPRINT in self.context and password:
@@ -167,7 +154,7 @@ class UserSerializer(ModelSerializer):
 
     def get_avatar(self, user: User) -> str:
         """User's avatar, either a http/https URL or a data URI"""
-        return get_avatar(user, self.context.get("request"))
+        return get_avatar(user, self.context["request"])
 
     def validate_path(self, path: str) -> str:
         """Validate path"""
@@ -231,7 +218,7 @@ class UserSelfSerializer(ModelSerializer):
 
     def get_avatar(self, user: User) -> str:
         """User's avatar, either a http/https URL or a data URI"""
-        return get_avatar(user, self.context.get("request"))
+        return get_avatar(user, self.context["request"])
 
     @extend_schema_field(
         ListSerializer(
@@ -371,7 +358,7 @@ class UsersFilter(FilterSet):
         try:
             value = loads(value)
         except ValueError:
-            raise ValidationError(detail="filter: failed to parse JSON") from None
+            raise ValidationError(detail="filter: failed to parse JSON")
         if not isinstance(value, dict):
             raise ValidationError(detail="filter: value must be key:value mapping")
         qs = {}
@@ -407,28 +394,18 @@ class UserViewSet(UsedByMixin, ModelViewSet):
     search_fields = ["username", "name", "is_active", "email", "uuid"]
     filterset_class = UsersFilter
 
-    def get_queryset(self):
+    def get_queryset(self):  # pragma: no cover
-        base_qs = User.objects.all().exclude_anonymous()
+        return User.objects.all().exclude_anonymous().prefetch_related("ak_groups")
-        if self.serializer_class(context={"request": self.request})._should_include_groups:
-            base_qs = base_qs.prefetch_related("ak_groups")
-        return base_qs
 
-    @extend_schema(
+    def _create_recovery_link(self) -> tuple[Optional[str], Optional[Token]]:
-        parameters=[
-            OpenApiParameter("include_groups", bool, default=True),
-        ]
-    )
-    def list(self, request, *args, **kwargs):
-        return super().list(request, *args, **kwargs)
-
-    def _create_recovery_link(self) -> tuple[str, Token]:
         """Create a recovery link (when the current brand has a recovery flow set),
         that can either be shown to an admin or sent to the user directly"""
         brand: Brand = self.request._request.brand
         # Check that there is a recovery flow, if not return an error
         flow = brand.flow_recovery
         if not flow:
-            raise ValidationError({"non_field_errors": "No recovery flow set."})
+            LOGGER.debug("No recovery flow set")
+            return None, None
         user: User = self.get_object()
         planner = FlowPlanner(flow)
         planner.allow_empty_flows = True
@@ -440,9 +417,8 @@ class UserViewSet(UsedByMixin, ModelViewSet):
                 },
             )
         except FlowNonApplicableException:
-            raise ValidationError(
+            LOGGER.warning("Recovery flow not applicable to user")
-                {"non_field_errors": "Recovery flow not applicable to user"}
+            return None, None
-            ) from None
         token, __ = FlowToken.objects.update_or_create(
             identifier=f"{user.uid}-password-reset",
             defaults={
@@ -557,7 +533,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
             400: OpenApiResponse(description="Bad request"),
         },
     )
-    @action(detail=True, methods=["POST"], permission_classes=[])
+    @action(detail=True, methods=["POST"])
     def set_password(self, request: Request, pk: int) -> Response:
         """Set password for user"""
         user: User = self.get_object()
@@ -587,13 +563,16 @@ class UserViewSet(UsedByMixin, ModelViewSet):
     @extend_schema(
         responses={
             "200": LinkSerializer(many=False),
+            "404": LinkSerializer(many=False),
         },
-        request=None,
     )
-    @action(detail=True, pagination_class=None, filter_backends=[], methods=["POST"])
+    @action(detail=True, pagination_class=None, filter_backends=[])
     def recovery(self, request: Request, pk: int) -> Response:
         """Create a temporary link that a user can use to recover their accounts"""
         link, _ = self._create_recovery_link()
+        if not link:
+            LOGGER.debug("Couldn't create token")
+            return Response({"link": ""}, status=404)
         return Response({"link": link})
 
     @permission_required("authentik_core.reset_user_password")
@@ -608,28 +587,31 @@ class UserViewSet(UsedByMixin, ModelViewSet):
         ],
         responses={
             "204": OpenApiResponse(description="Successfully sent recover email"),
+            "404": OpenApiResponse(description="Bad request"),
         },
-        request=None,
     )
-    @action(detail=True, pagination_class=None, filter_backends=[], methods=["POST"])
+    @action(detail=True, pagination_class=None, filter_backends=[])
     def recovery_email(self, request: Request, pk: int) -> Response:
         """Create a temporary link that a user can use to recover their accounts"""
         for_user: User = self.get_object()
         if for_user.email == "":
             LOGGER.debug("User doesn't have an email address")
-            raise ValidationError({"non_field_errors": "User does not have an email address set."})
+            return Response(status=404)
         link, token = self._create_recovery_link()
+        if not link:
+            LOGGER.debug("Couldn't create token")
+            return Response(status=404)
         # Lookup the email stage to assure the current user can access it
         stages = get_objects_for_user(
             request.user, "authentik_stages_email.view_emailstage"
         ).filter(pk=request.query_params.get("email_stage"))
         if not stages.exists():
             LOGGER.debug("Email stage does not exist/user has no permissions")
-            raise ValidationError({"non_field_errors": "Email stage does not exist."})
+            return Response(status=404)
         email_stage: EmailStage = stages.first()
         message = TemplateEmailMessage(
             subject=_(email_stage.subject),
-            to=[(for_user.name, for_user.email)],
+            to=[for_user.email],
             template_name=email_stage.template,
             language=for_user.locale(request),
             template_context={
@@ -649,7 +631,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
             "401": OpenApiResponse(description="Access denied"),
         },
     )
-    @action(detail=True, methods=["POST"], permission_classes=[])
+    @action(detail=True, methods=["POST"])
     def impersonate(self, request: Request, pk: int) -> Response:
         """Impersonate a user"""
         if not request.tenant.impersonation:

authentik/core/apps.py

@@ -14,16 +14,14 @@ class AuthentikCoreConfig(ManagedAppConfig):
     mountpoint = ""
     default = True
 
-    @ManagedAppConfig.reconcile_global
+    def reconcile_global_debug_worker_hook(self):
-    def debug_worker_hook(self):
         """Dispatch startup tasks inline when debugging"""
         if settings.DEBUG:
             from authentik.root.celery import worker_ready_hook
 
             worker_ready_hook()
 
-    @ManagedAppConfig.reconcile_tenant
+    def reconcile_tenant_source_inbuilt(self):
-    def source_inbuilt(self):
         """Reconcile inbuilt source"""
         from authentik.core.models import Source
 

authentik/core/auth.py

@@ -1,6 +1,6 @@
 """Authenticate with tokens"""
 
-from typing import Any
+from typing import Any, Optional
 
 from django.contrib.auth.backends import ModelBackend
 from django.http.request import HttpRequest
@@ -16,15 +16,15 @@ class InbuiltBackend(ModelBackend):
     """Inbuilt backend"""
 
     def authenticate(
-        self, request: HttpRequest, username: str | None, password: str | None, **kwargs: Any
+        self, request: HttpRequest, username: Optional[str], password: Optional[str], **kwargs: Any
-    ) -> User | None:
+    ) -> Optional[User]:
         user = super().authenticate(request, username=username, password=password, **kwargs)
         if not user:
             return None
         self.set_method("password", request)
         return user
 
-    def set_method(self, method: str, request: HttpRequest | None, **kwargs):
+    def set_method(self, method: str, request: Optional[HttpRequest], **kwargs):
         """Set method data on current flow, if possbiel"""
         if not request:
             return
@@ -40,18 +40,18 @@ class TokenBackend(InbuiltBackend):
     """Authenticate with token"""
 
     def authenticate(
-        self, request: HttpRequest, username: str | None, password: str | None, **kwargs: Any
+        self, request: HttpRequest, username: Optional[str], password: Optional[str], **kwargs: Any
-    ) -> User | None:
+    ) -> Optional[User]:
         try:
-
+            # pylint: disable=no-member
             user = User._default_manager.get_by_natural_key(username)
-
+        # pylint: disable=no-member
         except User.DoesNotExist:
             # Run the default password hasher once to reduce the timing
             # difference between an existing and a nonexistent user (#20760).
             User().set_password(password)
             return None
-
+        # pylint: disable=no-member
         tokens = Token.filter_not_expired(
             user=user, key=password, intent=TokenIntents.INTENT_APP_PASSWORD
         )

authentik/core/channels.py

@@ -38,6 +38,6 @@ class TokenOutpostMiddleware:
                 raise DenyConnection()
         except AuthenticationFailed as exc:
             LOGGER.warning("Failed to authenticate", exc=exc)
-            raise DenyConnection() from None
+            raise DenyConnection()
 
         scope["user"] = user

authentik/core/expression/evaluator.py

@@ -1,6 +1,6 @@
 """Property Mapping Evaluator"""
 
-from typing import Any
+from typing import Any, Optional
 
 from django.db.models import Model
 from django.http import HttpRequest
@@ -27,16 +27,16 @@ class PropertyMappingEvaluator(BaseEvaluator):
     def __init__(
         self,
         model: Model,
-        user: User | None = None,
+        user: Optional[User] = None,
-        request: HttpRequest | None = None,
+        request: Optional[HttpRequest] = None,
-        dry_run: bool | None = False,
+        dry_run: Optional[bool] = False,
         **kwargs,
     ):
         if hasattr(model, "name"):
             _filename = model.name
         else:
             _filename = str(model)
-        super().__init__(None, filename=_filename)
+        super().__init__(filename=_filename)
         req = PolicyRequest(user=User())
         req.obj = model
         if user:

authentik/core/management/commands/dev_server.py

@@ -1,34 +1,10 @@
 """custom runserver command"""
 
-from typing import TextIO
-
 from daphne.management.commands.runserver import Command as RunServer
-from daphne.server import Server
-
-from authentik.root.signals import post_startup, pre_startup, startup
-
-
-class SignalServer(Server):
-    """Server which signals back to authentik when it finished starting up"""
-
-    def __init__(self, *args, **kwargs):
-        super().__init__(*args, **kwargs)
-
-        def ready_callable():
-            pre_startup.send(sender=self)
-            startup.send(sender=self)
-            post_startup.send(sender=self)
-
-        self.ready_callable = ready_callable
 
 
 class Command(RunServer):
     """custom runserver command, which doesn't show the misleading django startup message"""
 
-    server_cls = SignalServer
+    def on_bind(self, server_port):
-
+        pass
-    def __init__(self, *args, **kwargs):
-        super().__init__(*args, **kwargs)
-        # Redirect standard stdout banner from Daphne into the void
-        # as there are a couple more steps that happen before startup is fully done
-        self.stdout = TextIO()

authentik/core/management/commands/shell.py

@@ -16,8 +16,13 @@ from authentik.events.middleware import should_log_model
 from authentik.events.models import Event, EventAction
 from authentik.events.utils import model_to_dict
 
-BANNER_TEXT = f"""### authentik shell ({get_full_version()})
+BANNER_TEXT = """### authentik shell ({authentik})
-### Node {platform.node()} | Arch {platform.machine()} | Python {platform.python_version()} """
+### Node {node} | Arch {arch} | Python {python} """.format(
+    node=platform.node(),
+    python=platform.python_version(),
+    arch=platform.machine(),
+    authentik=get_full_version(),
+)
 
 
 class Command(BaseCommand):
@@ -81,7 +86,7 @@ class Command(BaseCommand):
 
         # If Python code has been passed, execute it and exit.
         if options["command"]:
-
+            # pylint: disable=exec-used
             exec(options["command"], namespace)  # nosec # noqa
             return
 
@@ -94,7 +99,7 @@ class Command(BaseCommand):
         else:
             try:
                 hook()
-            except Exception:
+            except Exception:  # pylint: disable=broad-except
                 # Match the behavior of the cpython shell where an error in
                 # sys.__interactivehook__ prints a warning and the exception
                 # and continues.

authentik/core/middleware.py

@@ -1,7 +1,7 @@
 """authentik admin Middleware to impersonate users"""
 
-from collections.abc import Callable
 from contextvars import ContextVar
+from typing import Callable, Optional
 from uuid import uuid4
 
 from django.http import HttpRequest, HttpResponse
@@ -15,9 +15,9 @@ RESPONSE_HEADER_ID = "X-authentik-id"
 KEY_AUTH_VIA = "auth_via"
 KEY_USER = "user"
 
-CTX_REQUEST_ID = ContextVar[str | None](STRUCTLOG_KEY_PREFIX + "request_id", default=None)
+CTX_REQUEST_ID = ContextVar[Optional[str]](STRUCTLOG_KEY_PREFIX + "request_id", default=None)
-CTX_HOST = ContextVar[str | None](STRUCTLOG_KEY_PREFIX + "host", default=None)
+CTX_HOST = ContextVar[Optional[str]](STRUCTLOG_KEY_PREFIX + "host", default=None)
-CTX_AUTH_VIA = ContextVar[str | None](STRUCTLOG_KEY_PREFIX + KEY_AUTH_VIA, default=None)
+CTX_AUTH_VIA = ContextVar[Optional[str]](STRUCTLOG_KEY_PREFIX + KEY_AUTH_VIA, default=None)
 
 
 class ImpersonateMiddleware:
@@ -55,7 +55,7 @@ class RequestIDMiddleware:
     def __call__(self, request: HttpRequest) -> HttpResponse:
         if not hasattr(request, "request_id"):
             request_id = uuid4().hex
-            request.request_id = request_id
+            setattr(request, "request_id", request_id)
             CTX_REQUEST_ID.set(request_id)
             CTX_HOST.set(request.get_host())
             set_tag("authentik.request_id", request_id)
@@ -67,7 +67,7 @@ class RequestIDMiddleware:
         response = self.get_response(request)
 
         response[RESPONSE_HEADER_ID] = request.request_id
-        response.ak_context = {}
+        setattr(response, "ak_context", {})
         response.ak_context["request_id"] = CTX_REQUEST_ID.get()
         response.ak_context["host"] = CTX_HOST.get()
         response.ak_context[KEY_AUTH_VIA] = CTX_AUTH_VIA.get()

authentik/core/migrations/0012_auto_20201003_1737_squashed_0016_auto_20201202_2234.py

@@ -5,7 +5,6 @@ from django.db import migrations, models
 from django.db.backends.base.schema import BaseDatabaseSchemaEditor
 
 import authentik.core.models
-from authentik.lib.generators import generate_id
 
 
 def set_default_token_key(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
@@ -17,10 +16,6 @@ def set_default_token_key(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
         token.save()
 
 
-def default_token_key():
-    return generate_id(60)
-
-
 class Migration(migrations.Migration):
     replaces = [
         ("authentik_core", "0012_auto_20201003_1737"),
@@ -67,7 +62,7 @@ class Migration(migrations.Migration):
         migrations.AddField(
             model_name="token",
             name="key",
-            field=models.TextField(default=default_token_key),
+            field=models.TextField(default=authentik.core.models.default_token_key),
         ),
         migrations.AlterUniqueTogether(
             name="token",

authentik/core/migrations/0034_alter_authenticatedsession_expires_and_more.py

@@ -1,31 +0,0 @@
-# Generated by Django 5.0.2 on 2024-02-29 10:15
-
-from django.db import migrations, models
-
-import authentik.core.models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_core", "0033_alter_user_options"),
-        ("authentik_tenants", "0002_tenant_default_token_duration_and_more"),
-    ]
-
-    operations = [
-        migrations.AlterField(
-            model_name="authenticatedsession",
-            name="expires",
-            field=models.DateTimeField(default=None, null=True),
-        ),
-        migrations.AlterField(
-            model_name="token",
-            name="expires",
-            field=models.DateTimeField(default=None, null=True),
-        ),
-        migrations.AlterField(
-            model_name="token",
-            name="key",
-            field=models.TextField(default=authentik.core.models.default_token_key),
-        ),
-    ]

authentik/core/migrations/0035_alter_group_options_and_more.py

@@ -1,52 +0,0 @@
-# Generated by Django 5.0.4 on 2024-04-15 11:28
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("auth", "0012_alter_user_first_name_max_length"),
-        ("authentik_core", "0034_alter_authenticatedsession_expires_and_more"),
-        ("authentik_rbac", "0003_alter_systempermission_options"),
-    ]
-
-    operations = [
-        migrations.AlterModelOptions(
-            name="group",
-            options={
-                "permissions": [
-                    ("add_user_to_group", "Add user to group"),
-                    ("remove_user_from_group", "Remove user from group"),
-                ],
-                "verbose_name": "Group",
-                "verbose_name_plural": "Groups",
-            },
-        ),
-        migrations.AddIndex(
-            model_name="group",
-            index=models.Index(fields=["name"], name="authentik_c_name_9ba8e4_idx"),
-        ),
-        migrations.AddIndex(
-            model_name="user",
-            index=models.Index(fields=["last_login"], name="authentik_c_last_lo_f0179a_idx"),
-        ),
-        migrations.AddIndex(
-            model_name="user",
-            index=models.Index(
-                fields=["password_change_date"], name="authentik_c_passwor_eec915_idx"
-            ),
-        ),
-        migrations.AddIndex(
-            model_name="user",
-            index=models.Index(fields=["uuid"], name="authentik_c_uuid_3dae2f_idx"),
-        ),
-        migrations.AddIndex(
-            model_name="user",
-            index=models.Index(fields=["path"], name="authentik_c_path_b1f502_idx"),
-        ),
-        migrations.AddIndex(
-            model_name="user",
-            index=models.Index(fields=["type"], name="authentik_c_type_ecf60d_idx"),
-        ),
-    ]

authentik/core/models.py

@@ -1,6 +1,6 @@
 """authentik core models"""
 
-from datetime import datetime
+from datetime import timedelta
 from hashlib import sha256
 from typing import Any, Optional, Self
 from uuid import uuid4
@@ -25,16 +25,15 @@ from authentik.blueprints.models import ManagedModel
 from authentik.core.exceptions import PropertyMappingExpressionException
 from authentik.core.types import UILoginButton, UserSettingSerializer
 from authentik.lib.avatars import get_avatar
+from authentik.lib.config import CONFIG
 from authentik.lib.generators import generate_id
 from authentik.lib.models import (
     CreatedUpdatedModel,
     DomainlessFormattedURLValidator,
     SerializerModel,
 )
-from authentik.lib.utils.time import timedelta_from_string
 from authentik.policies.models import PolicyBindingModel
-from authentik.tenants.models import DEFAULT_TOKEN_DURATION, DEFAULT_TOKEN_LENGTH
+from authentik.root.install_id import get_install_id
-from authentik.tenants.utils import get_current_tenant, get_unique_identifier
 
 LOGGER = get_logger()
 USER_ATTRIBUTE_DEBUG = "goauthentik.io/user/debug"
@@ -43,42 +42,33 @@ USER_ATTRIBUTE_EXPIRES = "goauthentik.io/user/expires"
 USER_ATTRIBUTE_DELETE_ON_LOGOUT = "goauthentik.io/user/delete-on-logout"
 USER_ATTRIBUTE_SOURCES = "goauthentik.io/user/sources"
 USER_ATTRIBUTE_TOKEN_EXPIRING = "goauthentik.io/user/token-expires"  # nosec
-USER_ATTRIBUTE_TOKEN_MAXIMUM_LIFETIME = "goauthentik.io/user/token-maximum-lifetime"  # nosec
 USER_ATTRIBUTE_CHANGE_USERNAME = "goauthentik.io/user/can-change-username"
 USER_ATTRIBUTE_CHANGE_NAME = "goauthentik.io/user/can-change-name"
 USER_ATTRIBUTE_CHANGE_EMAIL = "goauthentik.io/user/can-change-email"
 USER_PATH_SYSTEM_PREFIX = "goauthentik.io"
 USER_PATH_SERVICE_ACCOUNT = USER_PATH_SYSTEM_PREFIX + "/service-accounts"
 
+
 options.DEFAULT_NAMES = options.DEFAULT_NAMES + (
     # used_by API that allows models to specify if they shadow an object
     # for example the proxy provider which is built on top of an oauth provider
     "authentik_used_by_shadows",
+    # List fields for which changes are not logged (due to them having dedicated objects)
+    # for example user's password and last_login
+    "authentik_signals_ignored_fields",
 )
 
 
-def default_token_duration() -> datetime:
+def default_token_duration():
     """Default duration a Token is valid"""
-    current_tenant = get_current_tenant()
+    return now() + timedelta(minutes=30)
-    token_duration = (
-        current_tenant.default_token_duration
-        if hasattr(current_tenant, "default_token_duration")
-        else DEFAULT_TOKEN_DURATION
-    )
-    return now() + timedelta_from_string(token_duration)
 
 
-def default_token_key() -> str:
+def default_token_key():
     """Default token key"""
-    current_tenant = get_current_tenant()
-    token_length = (
-        current_tenant.default_token_length
-        if hasattr(current_tenant, "default_token_length")
-        else DEFAULT_TOKEN_LENGTH
-    )
     # We use generate_id since the chars in the key should be easy
     # to use in Emails (for verification) and URLs (for recovery)
-    return generate_id(token_length)
+    return generate_id(CONFIG.get_int("default_token_length"))
 
 
 class UserTypes(models.TextChoices):
@@ -177,13 +167,8 @@ class Group(SerializerModel):
                 "parent",
             ),
         )
-        indexes = [models.Index(fields=["name"])]
         verbose_name = _("Group")
         verbose_name_plural = _("Groups")
-        permissions = [
-            ("add_user_to_group", _("Add user to group")),
-            ("remove_user_from_group", _("Remove user from group")),
-        ]
 
 
 class UserQuerySet(models.QuerySet):
@@ -237,7 +222,7 @@ class User(SerializerModel, GuardianUserMixin, AbstractUser):
         there are at most 3 queries done"""
         return Group.children_recursive(self.ak_groups.all())
 
-    def group_attributes(self, request: HttpRequest | None = None) -> dict[str, Any]:
+    def group_attributes(self, request: Optional[HttpRequest] = None) -> dict[str, Any]:
         """Get a dictionary containing the attributes from all groups the user belongs to,
         including the users attributes"""
         final_attributes = {}
@@ -291,13 +276,13 @@ class User(SerializerModel, GuardianUserMixin, AbstractUser):
     @property
     def uid(self) -> str:
         """Generate a globally unique UID, based on the user ID and the hashed secret key"""
-        return sha256(f"{self.id}-{get_unique_identifier()}".encode("ascii")).hexdigest()
+        return sha256(f"{self.id}-{get_install_id()}".encode("ascii")).hexdigest()
 
-    def locale(self, request: HttpRequest | None = None) -> str:
+    def locale(self, request: Optional[HttpRequest] = None) -> str:
         """Get the locale the user has configured"""
         try:
             return self.attributes.get("settings", {}).get("locale", "")
-
+        # pylint: disable=broad-except
         except Exception as exc:
             LOGGER.warning("Failed to get default locale", exc=exc)
         if request:
@@ -320,12 +305,13 @@ class User(SerializerModel, GuardianUserMixin, AbstractUser):
             ("preview_user", _("Can preview user data sent to providers")),
             ("view_user_applications", _("View applications the user has access to")),
         ]
-        indexes = [
+        authentik_signals_ignored_fields = [
-            models.Index(fields=["last_login"]),
+            # Logged by the events `password_set`
-            models.Index(fields=["password_change_date"]),
+            # the `password_set` action/signal doesn't currently convey which user
-            models.Index(fields=["uuid"]),
+            # initiated the password change, so for now we'll log two actions
-            models.Index(fields=["path"]),
+            # ("password", "password_change_date"),
-            models.Index(fields=["type"]),
+            # Logged by `login`
+            ("last_login",),
         ]
 
 
@@ -372,7 +358,7 @@ class Provider(SerializerModel):
     objects = InheritanceManager()
 
     @property
-    def launch_url(self) -> str | None:
+    def launch_url(self) -> Optional[str]:
         """URL to this provider and initiate authorization for the user.
         Can return None for providers that are not URL-based"""
         return None
@@ -449,7 +435,7 @@ class Application(SerializerModel, PolicyBindingModel):
         return ApplicationSerializer
 
     @property
-    def get_meta_icon(self) -> str | None:
+    def get_meta_icon(self) -> Optional[str]:
         """Get the URL to the App Icon image. If the name is /static or starts with http
         it is returned as-is"""
         if not self.meta_icon:
@@ -458,7 +444,7 @@ class Application(SerializerModel, PolicyBindingModel):
             return self.meta_icon.name
         return self.meta_icon.url
 
-    def get_launch_url(self, user: Optional["User"] = None) -> str | None:
+    def get_launch_url(self, user: Optional["User"] = None) -> Optional[str]:
         """Get launch URL if set, otherwise attempt to get launch URL based on provider."""
         url = None
         if self.meta_launch_url:
@@ -471,13 +457,13 @@ class Application(SerializerModel, PolicyBindingModel):
                 user = user._wrapped
             try:
                 return url % user.__dict__
-
+            # pylint: disable=broad-except
             except Exception as exc:
                 LOGGER.warning("Failed to format launch url", exc=exc)
                 return url
         return url
 
-    def get_provider(self) -> Provider | None:
+    def get_provider(self) -> Optional[Provider]:
         """Get casted provider instance"""
         if not self.provider:
             return None
@@ -565,7 +551,7 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
     objects = InheritanceManager()
 
     @property
-    def icon_url(self) -> str | None:
+    def icon_url(self) -> Optional[str]:
         """Get the URL to the Icon. If the name is /static or
         starts with http it is returned as-is"""
         if not self.icon:
@@ -580,7 +566,7 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
             return self.user_path_template % {
                 "slug": self.slug,
             }
-
+        # pylint: disable=broad-except
         except Exception as exc:
             LOGGER.warning("Failed to template user path", exc=exc, source=self)
             return User.default_path()
@@ -590,12 +576,12 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
         """Return component used to edit this object"""
         raise NotImplementedError
 
-    def ui_login_button(self, request: HttpRequest) -> UILoginButton | None:
+    def ui_login_button(self, request: HttpRequest) -> Optional[UILoginButton]:
         """If source uses a http-based flow, return UI Information about the login
         button. If source doesn't use http-based flow, return None."""
         return None
 
-    def ui_user_settings(self) -> UserSettingSerializer | None:
+    def ui_user_settings(self) -> Optional[UserSettingSerializer]:
         """Entrypoint to integrate with User settings. Can either return None if no
         user settings are available, or UserSettingSerializer."""
         return None
@@ -631,9 +617,6 @@ class UserSourceConnection(SerializerModel, CreatedUpdatedModel):
         """Get serializer for this model"""
         raise NotImplementedError
 
-    def __str__(self) -> str:
-        return f"User-source connection (user={self.user_id}, source={self.source_id})"
-
     class Meta:
         unique_together = (("user", "source"),)
 
@@ -641,12 +624,9 @@ class UserSourceConnection(SerializerModel, CreatedUpdatedModel):
 class ExpiringModel(models.Model):
     """Base Model which can expire, and is automatically cleaned up."""
 
-    expires = models.DateTimeField(default=None, null=True)
+    expires = models.DateTimeField(default=default_token_duration)
     expiring = models.BooleanField(default=True)
 
-    class Meta:
-        abstract = True
-
     def expire_action(self, *args, **kwargs):
         """Handler which is called when this object is expired. By
         default the object is deleted. This is less efficient compared
@@ -655,7 +635,7 @@ class ExpiringModel(models.Model):
         return self.delete(*args, **kwargs)
 
     @classmethod
-    def filter_not_expired(cls, **kwargs) -> QuerySet["Token"]:
+    def filter_not_expired(cls, **kwargs) -> QuerySet:
         """Filer for tokens which are not expired yet or are not expiring,
         and match filters in `kwargs`"""
         for obj in cls.objects.filter(**kwargs).filter(Q(expires__lt=now(), expiring=True)):
@@ -669,6 +649,9 @@ class ExpiringModel(models.Model):
             return False
         return now() > self.expires
 
+    class Meta:
+        abstract = True
+
 
 class TokenIntents(models.TextChoices):
     """Intents a Token can be created for."""
@@ -698,21 +681,6 @@ class Token(SerializerModel, ManagedModel, ExpiringModel):
     user = models.ForeignKey("User", on_delete=models.CASCADE, related_name="+")
     description = models.TextField(default="", blank=True)
 
-    class Meta:
-        verbose_name = _("Token")
-        verbose_name_plural = _("Tokens")
-        indexes = [
-            models.Index(fields=["identifier"]),
-            models.Index(fields=["key"]),
-        ]
-        permissions = [("view_token_key", _("View token's key"))]
-
-    def __str__(self):
-        description = f"{self.identifier}"
-        if self.expiring:
-            description += f" (expires={self.expires})"
-        return description
-
     @property
     def serializer(self) -> type[Serializer]:
         from authentik.core.api.tokens import TokenSerializer
@@ -740,6 +708,21 @@ class Token(SerializerModel, ManagedModel, ExpiringModel):
             message=f"Token {self.identifier}'s secret was rotated.",
         ).save()
 
+    def __str__(self):
+        description = f"{self.identifier}"
+        if self.expiring:
+            description += f" (expires={self.expires})"
+        return description
+
+    class Meta:
+        verbose_name = _("Token")
+        verbose_name_plural = _("Tokens")
+        indexes = [
+            models.Index(fields=["identifier"]),
+            models.Index(fields=["key"]),
+        ]
+        permissions = [("view_token_key", _("View token's key"))]
+
 
 class PropertyMapping(SerializerModel, ManagedModel):
     """User-defined key -> x mapping which can be used by providers to expose extra data."""
@@ -760,7 +743,7 @@ class PropertyMapping(SerializerModel, ManagedModel):
         """Get serializer for this model"""
         raise NotImplementedError
 
-    def evaluate(self, user: User | None, request: HttpRequest | None, **kwargs) -> Any:
+    def evaluate(self, user: Optional[User], request: Optional[HttpRequest], **kwargs) -> Any:
         """Evaluate `self.expression` using `**kwargs` as Context."""
         from authentik.core.expression.evaluator import PropertyMappingEvaluator
 
@@ -796,13 +779,6 @@ class AuthenticatedSession(ExpiringModel):
     last_user_agent = models.TextField(blank=True)
     last_used = models.DateTimeField(auto_now=True)
 
-    class Meta:
-        verbose_name = _("Authenticated Session")
-        verbose_name_plural = _("Authenticated Sessions")
-
-    def __str__(self) -> str:
-        return f"Authenticated Session {self.session_key[:10]}"
-
     @staticmethod
     def from_request(request: HttpRequest, user: User) -> Optional["AuthenticatedSession"]:
         """Create a new session from a http request"""
@@ -817,3 +793,7 @@ class AuthenticatedSession(ExpiringModel):
             last_user_agent=request.META.get("HTTP_USER_AGENT", ""),
             expires=request.session.get_expiry_date(),
         )
+
+    class Meta:
+        verbose_name = _("Authenticated Session")
+        verbose_name_plural = _("Authenticated Sessions")

authentik/core/signals.py

@@ -10,14 +10,7 @@ from django.dispatch import receiver
 from django.http.request import HttpRequest
 from structlog.stdlib import get_logger
 
-from authentik.core.models import (
+from authentik.core.models import Application, AuthenticatedSession, BackchannelProvider, User
-    Application,
-    AuthenticatedSession,
-    BackchannelProvider,
-    ExpiringModel,
-    User,
-    default_token_duration,
-)
 
 # Arguments: user: User, password: str
 password_changed = Signal()
@@ -68,12 +61,3 @@ def backchannel_provider_pre_save(sender: type[Model], instance: Model, **_):
     if not isinstance(instance, BackchannelProvider):
         return
     instance.is_backchannel = True
-
-
-@receiver(pre_save)
-def expiring_model_pre_save(sender: type[Model], instance: Model, **_):
-    """Ensure expires is set on ExpiringModels that are set to expire"""
-    if not issubclass(sender, ExpiringModel):
-        return
-    if instance.expiring and instance.expires is None:
-        instance.expires = default_token_duration()

authentik/core/sources/flow_manager.py

@@ -1,7 +1,7 @@
 """Source decision helper"""
 
 from enum import Enum
-from typing import Any
+from typing import Any, Optional
 
 from django.contrib import messages
 from django.db import IntegrityError
@@ -16,9 +16,8 @@ from authentik.core.models import Source, SourceUserMatchingModes, User, UserSou
 from authentik.core.sources.stage import PLAN_CONTEXT_SOURCES_CONNECTION, PostUserEnrollmentStage
 from authentik.events.models import Event, EventAction
 from authentik.flows.exceptions import FlowNonApplicableException
-from authentik.flows.models import Flow, FlowToken, Stage, in_memory_stage
+from authentik.flows.models import Flow, Stage, in_memory_stage
 from authentik.flows.planner import (
-    PLAN_CONTEXT_IS_RESTORED,
     PLAN_CONTEXT_PENDING_USER,
     PLAN_CONTEXT_REDIRECT,
     PLAN_CONTEXT_SOURCE,
@@ -36,8 +35,6 @@ from authentik.stages.password.stage import PLAN_CONTEXT_AUTHENTICATION_BACKEND
 from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
 from authentik.stages.user_write.stage import PLAN_CONTEXT_USER_PATH
 
-SESSION_KEY_OVERRIDE_FLOW_TOKEN = "authentik/flows/source_override_flow_token"  # nosec
-
 
 class Action(Enum):
     """Actions that can be decided based on the request
@@ -93,14 +90,15 @@ class SourceFlowManager:
         self._logger = get_logger().bind(source=source, identifier=identifier)
         self.policy_context = {}
 
-    def get_action(self, **kwargs) -> tuple[Action, UserSourceConnection | None]:  # noqa: PLR0911
+    # pylint: disable=too-many-return-statements
+    def get_action(self, **kwargs) -> tuple[Action, Optional[UserSourceConnection]]:
         """decide which action should be taken"""
         new_connection = self.connection_type(source=self.source, identifier=self.identifier)
         # When request is authenticated, always link
         if self.request.user.is_authenticated:
             new_connection.user = self.request.user
             new_connection = self.update_connection(new_connection, **kwargs)
-
+            # pylint: disable=no-member
             new_connection.save()
             return Action.LINK, new_connection
 
@@ -190,10 +188,8 @@ class SourceFlowManager:
         # Default case, assume deny
         error = Exception(
             _(
-                "Request to authenticate with {source} has been denied. Please authenticate "
+                "Request to authenticate with %(source)s has been denied. Please authenticate "
-                "with the source you've previously signed up with.".format_map(
+                "with the source you've previously signed up with." % {"source": self.source.name}
-                    {"source": self.source.name}
-                )
             ),
         )
         return self.error_handler(error)
@@ -221,47 +217,26 @@ class SourceFlowManager:
         self,
         flow: Flow,
         connection: UserSourceConnection,
-        stages: list[StageView] | None = None,
+        stages: Optional[list[StageView]] = None,
         **kwargs,
     ) -> HttpResponse:
         """Prepare Authentication Plan, redirect user FlowExecutor"""
+        # Ensure redirect is carried through when user was trying to
+        # authorize application
+        final_redirect = self.request.session.get(SESSION_KEY_GET, {}).get(
+            NEXT_ARG_NAME, "authentik_core:if-user"
+        )
         kwargs.update(
             {
                 # Since we authenticate the user by their token, they have no backend set
                 PLAN_CONTEXT_AUTHENTICATION_BACKEND: BACKEND_INBUILT,
                 PLAN_CONTEXT_SSO: True,
                 PLAN_CONTEXT_SOURCE: self.source,
+                PLAN_CONTEXT_REDIRECT: final_redirect,
                 PLAN_CONTEXT_SOURCES_CONNECTION: connection,
             }
         )
         kwargs.update(self.policy_context)
-        if SESSION_KEY_OVERRIDE_FLOW_TOKEN in self.request.session:
-            token: FlowToken = self.request.session.get(SESSION_KEY_OVERRIDE_FLOW_TOKEN)
-            self._logger.info("Replacing source flow with overridden flow", flow=token.flow.slug)
-            plan = token.plan
-            plan.context[PLAN_CONTEXT_IS_RESTORED] = token
-            plan.context.update(kwargs)
-            for stage in self.get_stages_to_append(flow):
-                plan.append_stage(stage)
-            if stages:
-                for stage in stages:
-                    plan.append_stage(stage)
-            self.request.session[SESSION_KEY_PLAN] = plan
-            flow_slug = token.flow.slug
-            token.delete()
-            return redirect_with_qs(
-                "authentik_core:if-flow",
-                self.request.GET,
-                flow_slug=flow_slug,
-            )
-        # Ensure redirect is carried through when user was trying to
-        # authorize application
-        final_redirect = self.request.session.get(SESSION_KEY_GET, {}).get(
-            NEXT_ARG_NAME, "authentik_core:if-user"
-        )
-        if PLAN_CONTEXT_REDIRECT not in kwargs:
-            kwargs[PLAN_CONTEXT_REDIRECT] = final_redirect
-
         if not flow:
             return bad_request_message(
                 self.request,
@@ -295,9 +270,7 @@ class SourceFlowManager:
                 in_memory_stage(
                     MessageStage,
                     message=_(
-                        "Successfully authenticated with {source}!".format_map(
+                        "Successfully authenticated with %(source)s!" % {"source": self.source.name}
-                            {"source": self.source.name}
-                        )
                     ),
                 )
             ],
@@ -321,7 +294,7 @@ class SourceFlowManager:
         ).from_http(self.request)
         messages.success(
             self.request,
-            _("Successfully linked {source}!".format_map({"source": self.source.name})),
+            _("Successfully linked %(source)s!" % {"source": self.source.name}),
         )
         return redirect(
             reverse(
@@ -349,9 +322,7 @@ class SourceFlowManager:
                 in_memory_stage(
                     MessageStage,
                     message=_(
-                        "Successfully authenticated with {source}!".format_map(
+                        "Successfully authenticated with %(source)s!" % {"source": self.source.name}
-                            {"source": self.source.name}
-                        )
                     ),
                 )
             ],

authentik/core/tasks.py

@@ -37,20 +37,20 @@ def clean_expired_models(self: SystemTask):
         messages.append(f"Expired {amount} {cls._meta.verbose_name_plural}")
     # Special case
     amount = 0
-
+    # pylint: disable=no-member
     for session in AuthenticatedSession.objects.all():
         cache_key = f"{KEY_PREFIX}{session.session_key}"
         value = None
         try:
             value = cache.get(cache_key)
-
+        # pylint: disable=broad-except
         except Exception as exc:
             LOGGER.debug("Failed to get session from cache", exc=exc)
         if not value:
             session.delete()
             amount += 1
     LOGGER.debug("Expired sessions", model=AuthenticatedSession, amount=amount)
-
+    # pylint: disable=no-member
     messages.append(f"Expired {amount} {AuthenticatedSession._meta.verbose_name_plural}")
     self.set_status(TaskStatus.SUCCESSFUL, *messages)
 

authentik/core/tests/test_groups_api.py

@@ -1,11 +1,10 @@
 """Test Groups API"""
 
 from django.urls.base import reverse
-from guardian.shortcuts import assign_perm
 from rest_framework.test import APITestCase
 
 from authentik.core.models import Group, User
-from authentik.core.tests.utils import create_test_admin_user, create_test_user
+from authentik.core.tests.utils import create_test_admin_user
 from authentik.lib.generators import generate_id
 
 
@@ -13,22 +12,13 @@ class TestGroupsAPI(APITestCase):
     """Test Groups API"""
 
     def setUp(self) -> None:
-        self.login_user = create_test_user()
+        self.admin = create_test_admin_user()
         self.user = User.objects.create(username="test-user")
 
-    def test_list_with_users(self):
-        """Test listing with users"""
-        admin = create_test_admin_user()
-        self.client.force_login(admin)
-        response = self.client.get(reverse("authentik_api:group-list"), {"include_users": "true"})
-        self.assertEqual(response.status_code, 200)
-
     def test_add_user(self):
         """Test add_user"""
         group = Group.objects.create(name=generate_id())
-        assign_perm("authentik_core.add_user_to_group", self.login_user, group)
+        self.client.force_login(self.admin)
-        assign_perm("authentik_core.view_user", self.login_user)
-        self.client.force_login(self.login_user)
         res = self.client.post(
             reverse("authentik_api:group-add-user", kwargs={"pk": group.pk}),
             data={
@@ -42,9 +32,7 @@ class TestGroupsAPI(APITestCase):
     def test_add_user_404(self):
         """Test add_user"""
         group = Group.objects.create(name=generate_id())
-        assign_perm("authentik_core.add_user_to_group", self.login_user, group)
+        self.client.force_login(self.admin)
-        assign_perm("authentik_core.view_user", self.login_user)
-        self.client.force_login(self.login_user)
         res = self.client.post(
             reverse("authentik_api:group-add-user", kwargs={"pk": group.pk}),
             data={
@@ -56,10 +44,8 @@ class TestGroupsAPI(APITestCase):
     def test_remove_user(self):
         """Test remove_user"""
         group = Group.objects.create(name=generate_id())
-        assign_perm("authentik_core.remove_user_from_group", self.login_user, group)
-        assign_perm("authentik_core.view_user", self.login_user)
         group.users.add(self.user)
-        self.client.force_login(self.login_user)
+        self.client.force_login(self.admin)
         res = self.client.post(
             reverse("authentik_api:group-remove-user", kwargs={"pk": group.pk}),
             data={
@@ -73,10 +59,8 @@ class TestGroupsAPI(APITestCase):
     def test_remove_user_404(self):
         """Test remove_user"""
         group = Group.objects.create(name=generate_id())
-        assign_perm("authentik_core.remove_user_from_group", self.login_user, group)
-        assign_perm("authentik_core.view_user", self.login_user)
         group.users.add(self.user)
-        self.client.force_login(self.login_user)
+        self.client.force_login(self.admin)
         res = self.client.post(
             reverse("authentik_api:group-remove-user", kwargs={"pk": group.pk}),
             data={
@@ -88,12 +72,11 @@ class TestGroupsAPI(APITestCase):
     def test_parent_self(self):
         """Test parent"""
         group = Group.objects.create(name=generate_id())
-        assign_perm("view_group", self.login_user, group)
+        self.client.force_login(self.admin)
-        assign_perm("change_group", self.login_user, group)
-        self.client.force_login(self.login_user)
         res = self.client.patch(
             reverse("authentik_api:group-detail", kwargs={"pk": group.pk}),
             data={
+                "pk": self.user.pk + 3,
                 "parent": group.pk,
             },
         )

authentik/core/tests/test_models.py

@@ -1,7 +1,7 @@
 """authentik core models tests"""
 
-from collections.abc import Callable
 from time import sleep
+from typing import Callable
 
 from django.test import RequestFactory, TestCase
 from django.utils.timezone import now

authentik/core/tests/test_property_mapping.py

@@ -66,11 +66,14 @@ class TestPropertyMappings(TestCase):
             expression="return request.http_request.path",
         )
         http_request = self.factory.get("/")
-        tmpl = f"""
+        tmpl = (
-        res = ak_call_policy('{expr.name}')
+            """
+        res = ak_call_policy('%s')
         result = [request.http_request.path, res.raw_result]
         return result
         """
+            % expr.name
+        )
         evaluator = PropertyMapping(expression=tmpl, name=generate_id())
         res = evaluator.evaluate(self.user, http_request)
         self.assertEqual(res, ["/", "/"])

authentik/core/tests/test_source_flow_manager.py

@@ -173,5 +173,5 @@ class TestSourceFlowManager(TestCase):
         self.assertEqual(action, Action.ENROLL)
         response = flow_manager.get_flow()
         self.assertIsInstance(response, AccessDeniedResponse)
-
+        # pylint: disable=no-member
         self.assertEqual(response.error_message, "foo")

authentik/core/tests/test_token_api.py

@@ -1,6 +1,5 @@
 """Test token API"""
 
-from datetime import datetime, timedelta
 from json import loads
 
 from django.urls.base import reverse
@@ -8,13 +7,7 @@ from guardian.shortcuts import get_anonymous_user
 from rest_framework.test import APITestCase
 
 from authentik.core.api.tokens import TokenSerializer
-from authentik.core.models import (
+from authentik.core.models import USER_ATTRIBUTE_TOKEN_EXPIRING, Token, TokenIntents, User
-    USER_ATTRIBUTE_TOKEN_EXPIRING,
-    USER_ATTRIBUTE_TOKEN_MAXIMUM_LIFETIME,
-    Token,
-    TokenIntents,
-    User,
-)
 from authentik.core.tests.utils import create_test_admin_user
 from authentik.lib.generators import generate_id
 
@@ -83,77 +76,6 @@ class TestTokenAPI(APITestCase):
         self.assertEqual(token.intent, TokenIntents.INTENT_API)
         self.assertEqual(token.expiring, False)
 
-    def test_token_create_expiring(self):
-        """Test token creation endpoint"""
-        self.user.attributes[USER_ATTRIBUTE_TOKEN_EXPIRING] = True
-        self.user.save()
-        response = self.client.post(
-            reverse("authentik_api:token-list"), {"identifier": "test-token"}
-        )
-        self.assertEqual(response.status_code, 201)
-        token = Token.objects.get(identifier="test-token")
-        self.assertEqual(token.user, self.user)
-        self.assertEqual(token.intent, TokenIntents.INTENT_API)
-        self.assertEqual(token.expiring, True)
-
-    def test_token_create_expiring_custom_ok(self):
-        """Test token creation endpoint"""
-        self.user.attributes[USER_ATTRIBUTE_TOKEN_EXPIRING] = True
-        self.user.attributes[USER_ATTRIBUTE_TOKEN_MAXIMUM_LIFETIME] = "hours=2"
-        self.user.save()
-        expires = datetime.now() + timedelta(hours=1)
-        response = self.client.post(
-            reverse("authentik_api:token-list"),
-            {
-                "identifier": "test-token",
-                "expires": expires,
-                "intent": TokenIntents.INTENT_APP_PASSWORD,
-            },
-        )
-        self.assertEqual(response.status_code, 201)
-        token = Token.objects.get(identifier="test-token")
-        self.assertEqual(token.user, self.user)
-        self.assertEqual(token.intent, TokenIntents.INTENT_APP_PASSWORD)
-        self.assertEqual(token.expiring, True)
-        self.assertEqual(token.expires.timestamp(), expires.timestamp())
-
-    def test_token_create_expiring_custom_nok(self):
-        """Test token creation endpoint"""
-        self.user.attributes[USER_ATTRIBUTE_TOKEN_EXPIRING] = True
-        self.user.attributes[USER_ATTRIBUTE_TOKEN_MAXIMUM_LIFETIME] = "hours=2"
-        self.user.save()
-        expires = datetime.now() + timedelta(hours=3)
-        response = self.client.post(
-            reverse("authentik_api:token-list"),
-            {
-                "identifier": "test-token",
-                "expires": expires,
-                "intent": TokenIntents.INTENT_APP_PASSWORD,
-            },
-        )
-        self.assertEqual(response.status_code, 400)
-
-    def test_token_create_expiring_custom_api(self):
-        """Test token creation endpoint"""
-        self.user.attributes[USER_ATTRIBUTE_TOKEN_EXPIRING] = True
-        self.user.attributes[USER_ATTRIBUTE_TOKEN_MAXIMUM_LIFETIME] = "hours=2"
-        self.user.save()
-        expires = datetime.now() + timedelta(seconds=3)
-        response = self.client.post(
-            reverse("authentik_api:token-list"),
-            {
-                "identifier": "test-token",
-                "expires": expires,
-                "intent": TokenIntents.INTENT_API,
-            },
-        )
-        self.assertEqual(response.status_code, 201)
-        token = Token.objects.get(identifier="test-token")
-        self.assertEqual(token.user, self.user)
-        self.assertEqual(token.intent, TokenIntents.INTENT_API)
-        self.assertEqual(token.expiring, True)
-        self.assertNotEqual(token.expires.timestamp(), expires.timestamp())
-
     def test_list(self):
         """Test Token List (Test normal authentication)"""
         Token.objects.all().delete()

authentik/core/tests/test_users_api.py

@@ -41,12 +41,6 @@ class TestUsersAPI(APITestCase):
         )
         self.assertEqual(response.status_code, 200)
 
-    def test_list_with_groups(self):
-        """Test listing with groups"""
-        self.client.force_login(self.admin)
-        response = self.client.get(reverse("authentik_api:user-list"), {"include_groups": "true"})
-        self.assertEqual(response.status_code, 200)
-
     def test_metrics(self):
         """Test user's metrics"""
         self.client.force_login(self.admin)
@@ -66,11 +60,10 @@ class TestUsersAPI(APITestCase):
     def test_recovery_no_flow(self):
         """Test user recovery link (no recovery flow set)"""
         self.client.force_login(self.admin)
-        response = self.client.post(
+        response = self.client.get(
             reverse("authentik_api:user-recovery", kwargs={"pk": self.user.pk})
         )
-        self.assertEqual(response.status_code, 400)
+        self.assertEqual(response.status_code, 404)
-        self.assertJSONEqual(response.content, {"non_field_errors": "No recovery flow set."})
 
     def test_set_password(self):
         """Test Direct password set"""
@@ -91,7 +84,7 @@ class TestUsersAPI(APITestCase):
         brand.flow_recovery = flow
         brand.save()
         self.client.force_login(self.admin)
-        response = self.client.post(
+        response = self.client.get(
             reverse("authentik_api:user-recovery", kwargs={"pk": self.user.pk})
         )
         self.assertEqual(response.status_code, 200)
@@ -99,20 +92,16 @@ class TestUsersAPI(APITestCase):
     def test_recovery_email_no_flow(self):
         """Test user recovery link (no recovery flow set)"""
         self.client.force_login(self.admin)
-        response = self.client.post(
+        response = self.client.get(
             reverse("authentik_api:user-recovery-email", kwargs={"pk": self.user.pk})
         )
-        self.assertEqual(response.status_code, 400)
+        self.assertEqual(response.status_code, 404)
-        self.assertJSONEqual(
-            response.content, {"non_field_errors": "User does not have an email address set."}
-        )
         self.user.email = "foo@bar.baz"
         self.user.save()
-        response = self.client.post(
+        response = self.client.get(
             reverse("authentik_api:user-recovery-email", kwargs={"pk": self.user.pk})
         )
-        self.assertEqual(response.status_code, 400)
+        self.assertEqual(response.status_code, 404)
-        self.assertJSONEqual(response.content, {"non_field_errors": "No recovery flow set."})
 
     def test_recovery_email_no_stage(self):
         """Test user recovery link (no email stage)"""
@@ -123,11 +112,10 @@ class TestUsersAPI(APITestCase):
         brand.flow_recovery = flow
         brand.save()
         self.client.force_login(self.admin)
-        response = self.client.post(
+        response = self.client.get(
             reverse("authentik_api:user-recovery-email", kwargs={"pk": self.user.pk})
         )
-        self.assertEqual(response.status_code, 400)
+        self.assertEqual(response.status_code, 404)
-        self.assertJSONEqual(response.content, {"non_field_errors": "Email stage does not exist."})
 
     def test_recovery_email(self):
         """Test user recovery link"""
@@ -141,7 +129,7 @@ class TestUsersAPI(APITestCase):
         stage = EmailStage.objects.create(name="email")
 
         self.client.force_login(self.admin)
-        response = self.client.post(
+        response = self.client.get(
             reverse(
                 "authentik_api:user-recovery-email",
                 kwargs={"pk": self.user.pk},

authentik/core/tests/test_users_avatars.py

@@ -8,6 +8,7 @@ from rest_framework.test import APITestCase
 
 from authentik.core.models import User
 from authentik.core.tests.utils import create_test_admin_user
+from authentik.lib.config import CONFIG
 from authentik.tenants.utils import get_current_tenant
 
 
@@ -24,6 +25,7 @@ class TestUsersAvatars(APITestCase):
         tenant.avatars = mode
         tenant.save()
 
+    @CONFIG.patch("avatars", "none")
     def test_avatars_none(self):
         """Test avatars none"""
         self.set_avatar_mode("none")

authentik/core/tests/utils.py

@@ -1,5 +1,7 @@
 """Test Utils"""
 
+from typing import Optional
+
 from django.utils.text import slugify
 
 from authentik.brands.models import Brand
@@ -20,7 +22,7 @@ def create_test_flow(
     )
 
 
-def create_test_user(name: str | None = None, **kwargs) -> User:
+def create_test_user(name: Optional[str] = None, **kwargs) -> User:
     """Generate a test user"""
     uid = generate_id(20) if not name else name
     kwargs.setdefault("email", f"{uid}@goauthentik.io")
@@ -34,7 +36,7 @@ def create_test_user(name: str | None = None, **kwargs) -> User:
     return user
 
 
-def create_test_admin_user(name: str | None = None, **kwargs) -> User:
+def create_test_admin_user(name: Optional[str] = None, **kwargs) -> User:
     """Generate a test-admin user"""
     user = create_test_user(name, **kwargs)
     group = Group.objects.create(name=user.name or name, is_superuser=True)

authentik/core/types.py

@@ -1,6 +1,7 @@
 """authentik core dataclasses"""
 
 from dataclasses import dataclass
+from typing import Optional
 
 from rest_framework.fields import CharField
 
@@ -19,7 +20,7 @@ class UILoginButton:
     challenge: Challenge
 
     # Icon URL, used as-is
-    icon_url: str | None = None
+    icon_url: Optional[str] = None
 
 
 class UserSettingSerializer(PassiveSerializer):

authentik/core/views/apps.py

@@ -57,7 +57,7 @@ class RedirectToAppLaunch(View):
                 },
             )
         except FlowNonApplicableException:
-            raise Http404 from None
+            raise Http404
         plan.insert_stage(in_memory_stage(RedirectToAppStage))
         request.session[SESSION_KEY_PLAN] = plan
         return redirect_with_qs("authentik_core:if-flow", request.GET, flow_slug=flow.slug)

authentik/core/views/error.py

@@ -61,6 +61,7 @@ class ServerErrorView(TemplateView):
     response_class = ServerErrorTemplateResponse
     template_name = "if/error.html"
 
+    # pylint: disable=useless-super-delegation
     def dispatch(self, *args, **kwargs):  # pragma: no cover
         """Little wrapper so django accepts this function"""
         return super().dispatch(*args, **kwargs)

authentik/crypto/api.py

@@ -1,6 +1,7 @@
 """Crypto API Views"""
 
 from datetime import datetime
+from typing import Optional
 
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives.serialization import load_pem_private_key
@@ -23,13 +24,13 @@ from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger
 
 from authentik.api.authorization import SecretKeyFilter
+from authentik.api.decorators import permission_required
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import PassiveSerializer
 from authentik.crypto.apps import MANAGED_KEY
 from authentik.crypto.builder import CertificateBuilder
 from authentik.crypto.models import CertificateKeyPair
 from authentik.events.models import Event, EventAction
-from authentik.rbac.decorators import permission_required
 
 LOGGER = get_logger()
 
@@ -55,25 +56,25 @@ class CertificateKeyPairSerializer(ModelSerializer):
             return True
         return str(request.query_params.get("include_details", "true")).lower() == "true"
 
-    def get_fingerprint_sha256(self, instance: CertificateKeyPair) -> str | None:
+    def get_fingerprint_sha256(self, instance: CertificateKeyPair) -> Optional[str]:
         "Get certificate Hash (SHA256)"
         if not self._should_include_details:
             return None
         return instance.fingerprint_sha256
 
-    def get_fingerprint_sha1(self, instance: CertificateKeyPair) -> str | None:
+    def get_fingerprint_sha1(self, instance: CertificateKeyPair) -> Optional[str]:
         "Get certificate Hash (SHA1)"
         if not self._should_include_details:
             return None
         return instance.fingerprint_sha1
 
-    def get_cert_expiry(self, instance: CertificateKeyPair) -> datetime | None:
+    def get_cert_expiry(self, instance: CertificateKeyPair) -> Optional[datetime]:
         "Get certificate expiry"
         if not self._should_include_details:
             return None
-        return DateTimeField().to_representation(instance.certificate.not_valid_after_utc)
+        return DateTimeField().to_representation(instance.certificate.not_valid_after)
 
-    def get_cert_subject(self, instance: CertificateKeyPair) -> str | None:
+    def get_cert_subject(self, instance: CertificateKeyPair) -> Optional[str]:
         """Get certificate subject as full rfc4514"""
         if not self._should_include_details:
             return None
@@ -83,7 +84,7 @@ class CertificateKeyPairSerializer(ModelSerializer):
         """Show if this keypair has a private key configured or not"""
         return instance.key_data != "" and instance.key_data is not None
 
-    def get_private_key_type(self, instance: CertificateKeyPair) -> str | None:
+    def get_private_key_type(self, instance: CertificateKeyPair) -> Optional[str]:
         """Get the private key's type, if set"""
         if not self._should_include_details:
             return None
@@ -120,7 +121,7 @@ class CertificateKeyPairSerializer(ModelSerializer):
             str(load_pem_x509_certificate(value.encode("utf-8"), default_backend()))
         except ValueError as exc:
             LOGGER.warning("Failed to load certificate", exc=exc)
-            raise ValidationError("Unable to load certificate.") from None
+            raise ValidationError("Unable to load certificate.")
         return value
 
     def validate_key_data(self, value: str) -> str:
@@ -139,7 +140,7 @@ class CertificateKeyPairSerializer(ModelSerializer):
                 )
             except (ValueError, TypeError) as exc:
                 LOGGER.warning("Failed to load private key", exc=exc)
-                raise ValidationError("Unable to load private key (possibly encrypted?).") from None
+                raise ValidationError("Unable to load private key (possibly encrypted?).")
         return value
 
     class Meta:

authentik/crypto/apps.py

@@ -1,6 +1,7 @@
 """authentik crypto app config"""
 
-from datetime import UTC, datetime
+from datetime import datetime, timezone
+from typing import Optional
 
 from authentik.blueprints.apps import ManagedAppConfig
 from authentik.lib.generators import generate_id
@@ -35,22 +36,20 @@ class AuthentikCryptoConfig(ManagedAppConfig):
             },
         )
 
-    @ManagedAppConfig.reconcile_tenant
+    def reconcile_tenant_managed_jwt_cert(self):
-    def managed_jwt_cert(self):
         """Ensure managed JWT certificate"""
         from authentik.crypto.models import CertificateKeyPair
 
-        cert: CertificateKeyPair | None = CertificateKeyPair.objects.filter(
+        cert: Optional[CertificateKeyPair] = CertificateKeyPair.objects.filter(
             managed=MANAGED_KEY
         ).first()
-        now = datetime.now(tz=UTC)
+        now = datetime.now(tz=timezone.utc)
         if not cert or (
             now < cert.certificate.not_valid_after_utc or now > cert.certificate.not_valid_after_utc
         ):
             self._create_update_cert()
 
-    @ManagedAppConfig.reconcile_tenant
+    def reconcile_tenant_self_signed(self):
-    def self_signed(self):
         """Create self-signed keypair"""
         from authentik.crypto.builder import CertificateBuilder
         from authentik.crypto.models import CertificateKeyPair

authentik/crypto/builder.py

@@ -2,6 +2,7 @@
 
 import datetime
 import uuid
+from typing import Optional
 
 from cryptography import x509
 from cryptography.hazmat.backends import default_backend
@@ -51,7 +52,7 @@ class CertificateBuilder:
     def build(
         self,
         validity_days: int = 365,
-        subject_alt_names: list[str] | None = None,
+        subject_alt_names: Optional[list[str]] = None,
     ):
         """Build self-signed certificate"""
         one_day = datetime.timedelta(1, 0, 0)

authentik/crypto/management/commands/import_certificate.py

@@ -24,13 +24,13 @@ class Command(TenantCommand):
         if not keypair:
             keypair = CertificateKeyPair(name=options["name"])
             dirty = True
-        with open(options["certificate"], encoding="utf-8") as _cert:
+        with open(options["certificate"], mode="r", encoding="utf-8") as _cert:
             cert_data = _cert.read()
             if keypair.certificate_data != cert_data:
                 dirty = True
             keypair.certificate_data = cert_data
         if options["private_key"]:
-            with open(options["private_key"], encoding="utf-8") as _key:
+            with open(options["private_key"], mode="r", encoding="utf-8") as _key:
                 key_data = _key.read()
                 if keypair.key_data != key_data:
                     dirty = True

authentik/crypto/models.py

@@ -2,6 +2,7 @@
 
 from binascii import hexlify
 from hashlib import md5
+from typing import Optional
 from uuid import uuid4
 
 from cryptography.hazmat.backends import default_backend
@@ -36,9 +37,9 @@ class CertificateKeyPair(SerializerModel, ManagedModel, CreatedUpdatedModel):
         default="",
     )
 
-    _cert: Certificate | None = None
+    _cert: Optional[Certificate] = None
-    _private_key: PrivateKeyTypes | None = None
+    _private_key: Optional[PrivateKeyTypes] = None
-    _public_key: PublicKeyTypes | None = None
+    _public_key: Optional[PublicKeyTypes] = None
 
     @property
     def serializer(self) -> Serializer:
@@ -56,7 +57,7 @@ class CertificateKeyPair(SerializerModel, ManagedModel, CreatedUpdatedModel):
         return self._cert
 
     @property
-    def public_key(self) -> PublicKeyTypes | None:
+    def public_key(self) -> Optional[PublicKeyTypes]:
         """Get public key of the private key"""
         if not self._public_key:
             self._public_key = self.private_key.public_key()
@@ -65,7 +66,7 @@ class CertificateKeyPair(SerializerModel, ManagedModel, CreatedUpdatedModel):
     @property
     def private_key(
         self,
-    ) -> PrivateKeyTypes | None:
+    ) -> Optional[PrivateKeyTypes]:
         """Get python cryptography PrivateKey instance"""
         if not self._private_key and self.key_data != "":
             try:

authentik/crypto/tasks.py

@@ -58,7 +58,7 @@ def certificate_discovery(self: SystemTask):
         else:
             cert_name = path.name.replace(path.suffix, "")
         try:
-            with open(path, encoding="utf-8") as _file:
+            with open(path, "r", encoding="utf-8") as _file:
                 body = _file.read()
                 if "PRIVATE KEY" in body:
                     private_keys[cert_name] = ensure_private_key_valid(body)

authentik/crypto/tests.py

@@ -1,5 +1,6 @@
 """Crypto tests"""
 
+import datetime
 from json import loads
 from os import makedirs
 from tempfile import TemporaryDirectory
@@ -7,7 +8,6 @@ from tempfile import TemporaryDirectory
 from cryptography.x509.extensions import SubjectAlternativeName
 from cryptography.x509.general_name import DNSName
 from django.urls import reverse
-from django.utils.timezone import now
 from rest_framework.test import APITestCase
 
 from authentik.core.api.used_by import DeleteAction
@@ -68,9 +68,9 @@ class TestCrypto(APITestCase):
             validity_days=3,
         )
         instance = builder.save()
-        _now = now()
+        now = datetime.datetime.today()
         self.assertEqual(instance.name, name)
-        self.assertEqual((instance.certificate.not_valid_after_utc - _now).days, 2)
+        self.assertEqual((instance.certificate.not_valid_after - now).days, 2)
 
     def test_builder_api(self):
         """Test Builder (via API)"""
@@ -267,7 +267,7 @@ class TestCrypto(APITestCase):
             with open(f"{temp_dir}/foo.bar/privkey.pem", "w+", encoding="utf-8") as _key:
                 _key.write(builder.private_key)
             with CONFIG.patch("cert_discovery_dir", temp_dir):
-                certificate_discovery()
+                certificate_discovery()  # pylint: disable=no-value-for-parameter
         keypair: CertificateKeyPair = CertificateKeyPair.objects.filter(
             managed=MANAGED_DISCOVERED % "foo"
         ).first()

authentik/enterprise/api.py

@@ -16,13 +16,13 @@ from rest_framework.response import Response
 from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet
 
+from authentik.api.decorators import permission_required
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import PassiveSerializer
 from authentik.core.models import User, UserTypes
 from authentik.enterprise.license import LicenseKey, LicenseSummarySerializer
 from authentik.enterprise.models import License
-from authentik.rbac.decorators import permission_required
+from authentik.root.install_id import get_install_id
-from authentik.tenants.utils import get_unique_identifier
 
 
 class EnterpriseRequiredMixin:
@@ -31,7 +31,7 @@ class EnterpriseRequiredMixin:
 
     def validate(self, attrs: dict) -> dict:
         """Check that a valid license exists"""
-        if not LicenseKey.cached_summary().has_license:
+        if not LicenseKey.cached_summary().valid:
             raise ValidationError(_("Enterprise is required to create/update this object."))
         return super().validate(attrs)
 
@@ -92,7 +92,7 @@ class LicenseViewSet(UsedByMixin, ModelViewSet):
         """Get install_id"""
         return Response(
             data={
-                "install_id": get_unique_identifier(),
+                "install_id": get_install_id(),
             }
         )
 

authentik/enterprise/audit/apps.py

@@ -13,9 +13,8 @@ class AuthentikEnterpriseAuditConfig(EnterpriseConfig):
     verbose_name = "authentik Enterprise.Audit"
     default = True
 
-    def ready(self):
+    def reconcile_global_install_middleware(self):
         """Install enterprise audit middleware"""
         orig_import = "authentik.events.middleware.AuditMiddleware"
         new_import = "authentik.enterprise.audit.middleware.EnterpriseAuditMiddleware"
         settings.MIDDLEWARE = [new_import if x == orig_import else x for x in settings.MIDDLEWARE]
-        return super().ready()

authentik/enterprise/audit/middleware.py

@@ -11,6 +11,7 @@ from django.db.models.expressions import BaseExpression, Combinable
 from django.db.models.signals import post_init
 from django.http import HttpRequest
 
+from authentik.core.models import User
 from authentik.events.middleware import AuditMiddleware, should_log_model
 from authentik.events.utils import cleanse_dict, sanitize_item
 
@@ -27,10 +28,13 @@ class EnterpriseAuditMiddleware(AuditMiddleware):
         super().connect(request)
         if not self.enabled:
             return
+        user = getattr(request, "user", self.anonymous_user)
+        if not user.is_authenticated:
+            user = self.anonymous_user
         if not hasattr(request, "request_id"):
             return
         post_init.connect(
-            partial(self.post_init_handler, request=request),
+            partial(self.post_init_handler, user=user, request=request),
             dispatch_uid=request.request_id,
             weak=False,
         )
@@ -58,7 +62,7 @@ class EnterpriseAuditMiddleware(AuditMiddleware):
                 field_value = value.name
 
             # If current field value is an expression, we are not evaluating it
-            if isinstance(field_value, BaseExpression | Combinable):
+            if isinstance(field_value, (BaseExpression, Combinable)):
                 continue
             field_value = field.to_python(field_value)
             data[field.name] = deepcopy(field_value)
@@ -72,20 +76,22 @@ class EnterpriseAuditMiddleware(AuditMiddleware):
                 diff[key] = {"previous_value": value, "new_value": after.get(key)}
         return sanitize_item(diff)
 
-    def post_init_handler(self, request: HttpRequest, sender, instance: Model, **_):
+    def post_init_handler(self, user: User, request: HttpRequest, sender, instance: Model, **_):
         """post_init django model handler"""
         if not should_log_model(instance):
             return
         if hasattr(instance, "_previous_state"):
             return
         before = len(connection.queries)
-        instance._previous_state = self.serialize_simple(instance)
+        setattr(instance, "_previous_state", self.serialize_simple(instance))
         after = len(connection.queries)
         if after > before:
             raise AssertionError("More queries generated by serialize_simple")
 
+    # pylint: disable=too-many-arguments
     def post_save_handler(
         self,
+        user: User,
         request: HttpRequest,
         sender,
         instance: Model,
@@ -102,4 +108,11 @@ class EnterpriseAuditMiddleware(AuditMiddleware):
             new_state = self.serialize_simple(instance)
             diff = self.diff(prev_state, new_state)
             thread_kwargs["diff"] = diff
-        return super().post_save_handler(request, sender, instance, created, thread_kwargs, **_)
+            if not created:
+                ignored_field_sets = getattr(instance._meta, "authentik_signals_ignored_fields", [])
+                for field_set in ignored_field_sets:
+                    if set(diff.keys()) == set(field_set):
+                        return None
+        return super().post_save_handler(
+            user, request, sender, instance, created, thread_kwargs, **_
+        )

authentik/enterprise/audit/tests.py

@@ -1,18 +0,0 @@
-from django.apps import apps
-from django.conf import settings
-from django.test import TestCase
-
-
-class TestEnterpriseAudit(TestCase):
-
-    def test_import(self):
-        """Ensure middleware is imported when app.ready is called"""
-        # Revert import swap
-        orig_import = "authentik.events.middleware.AuditMiddleware"
-        new_import = "authentik.enterprise.audit.middleware.EnterpriseAuditMiddleware"
-        settings.MIDDLEWARE = [orig_import if x == new_import else x for x in settings.MIDDLEWARE]
-        # Re-call ready()
-        apps.get_app_config("authentik_enterprise_audit").ready()
-        self.assertIn(
-            "authentik.enterprise.audit.middleware.EnterpriseAuditMiddleware", settings.MIDDLEWARE
-        )

authentik/enterprise/license.py

@@ -21,13 +21,13 @@ from rest_framework.fields import BooleanField, DateTimeField, IntegerField
 from authentik.core.api.utils import PassiveSerializer
 from authentik.core.models import User, UserTypes
 from authentik.enterprise.models import License, LicenseUsage
-from authentik.tenants.utils import get_unique_identifier
+from authentik.root.install_id import get_install_id
 
 CACHE_KEY_ENTERPRISE_LICENSE = "goauthentik.io/enterprise/license"
 CACHE_EXPIRY_ENTERPRISE_LICENSE = 3 * 60 * 60  # 2 Hours
 
 
-@lru_cache
+@lru_cache()
 def get_licensing_key() -> Certificate:
     """Get Root CA PEM"""
     with open("authentik/enterprise/public.pem", "rb") as _key:
@@ -36,7 +36,7 @@ def get_licensing_key() -> Certificate:
 
 def get_license_aud() -> str:
     """Get the JWT audience field"""
-    return f"enterprise.goauthentik.io/license/{get_unique_identifier()}"
+    return f"enterprise.goauthentik.io/license/{get_install_id()}"
 
 
 class LicenseFlags(Enum):
@@ -88,7 +88,7 @@ class LicenseKey:
         try:
             headers = get_unverified_header(jwt)
         except PyJWTError:
-            raise ValidationError("Unable to verify license") from None
+            raise ValidationError("Unable to verify license")
         x5c: list[str] = headers.get("x5c", [])
         if len(x5c) < 1:
             raise ValidationError("Unable to verify license")
@@ -98,7 +98,7 @@ class LicenseKey:
             our_cert.verify_directly_issued_by(intermediate)
             intermediate.verify_directly_issued_by(get_licensing_key())
         except (InvalidSignature, TypeError, ValueError, Error):
-            raise ValidationError("Unable to verify license") from None
+            raise ValidationError("Unable to verify license")
         try:
             body = from_dict(
                 LicenseKey,
@@ -110,7 +110,7 @@ class LicenseKey:
                 ),
             )
         except PyJWTError:
-            raise ValidationError("Unable to verify license") from None
+            raise ValidationError("Unable to verify license")
         return body
 
     @staticmethod
@@ -142,7 +142,13 @@ class LicenseKey:
     @staticmethod
     def get_external_user_count():
         """Get current external user count"""
-        return LicenseKey.base_user_qs().filter(type=UserTypes.EXTERNAL).count()
+        # Count since start of the month
+        last_month = now().replace(day=1)
+        return (
+            LicenseKey.base_user_qs()
+            .filter(type=UserTypes.EXTERNAL, last_login__gte=last_month)
+            .count()
+        )
 
     def is_valid(self) -> bool:
         """Check if the given license body covers all users
@@ -182,21 +188,20 @@ class LicenseKey:
 
     def summary(self) -> LicenseSummary:
         """Summary of license status"""
-        has_license = License.objects.all().count() > 0
         last_valid = LicenseKey.last_valid_date()
         show_admin_warning = last_valid < now() - timedelta(weeks=2)
         show_user_warning = last_valid < now() - timedelta(weeks=4)
         read_only = last_valid < now() - timedelta(weeks=6)
         latest_valid = datetime.fromtimestamp(self.exp)
         return LicenseSummary(
-            show_admin_warning=show_admin_warning and has_license,
+            show_admin_warning=show_admin_warning,
-            show_user_warning=show_user_warning and has_license,
+            show_user_warning=show_user_warning,
-            read_only=read_only and has_license,
+            read_only=read_only,
             latest_valid=latest_valid,
             internal_users=self.internal_users,
             external_users=self.external_users,
             valid=self.is_valid(),
-            has_license=has_license,
+            has_license=License.objects.all().count() > 0,
         )
 
     @staticmethod