release: 2022.4.1

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2021.10.4
+current_version = 2022.4.1
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\-?(?P<release>.*)
@@ -17,7 +17,7 @@ values =
 	beta
 	stable
 
-[bumpversion:file:website/docs/installation/docker-compose.md]
+[bumpversion:file:pyproject.toml]
 
 [bumpversion:file:docker-compose.yml]
 
@@ -30,7 +30,3 @@ values =
 [bumpversion:file:internal/constants/constants.go]
 
 [bumpversion:file:web/src/constants.ts]
-
-[bumpversion:file:website/docs/outposts/manual-deploy-docker-compose.md]
-
-[bumpversion:file:website/docs/outposts/manual-deploy-kubernetes.md]

.github/actions/docker-setup/action.yml

@@ -0,0 +1,49 @@
+name: 'Prepare docker environment variables'
+description: 'Prepare docker environment variables'
+
+outputs:
+  shouldBuild:
+    description: "Whether to build image or not"
+    value: ${{ steps.ev.outputs.shouldBuild }}
+  branchName:
+    description: "Branch name"
+    value: ${{ steps.ev.outputs.branchName }}
+  branchNameContainer:
+    description: "Branch name (for containers)"
+    value: ${{ steps.ev.outputs.branchNameContainer }}
+  timestamp:
+    description: "Timestamp"
+    value: ${{ steps.ev.outputs.timestamp }}
+  sha:
+    description: "sha"
+    value: ${{ steps.ev.outputs.sha }}
+
+runs:
+  using: "composite"
+  steps:
+    - name: Generate config
+      id: ev
+      shell: python
+      run: |
+        """Helper script to get the actual branch name, docker safe"""
+        import os
+        from time import time
+
+        env_pr_branch = "GITHUB_HEAD_REF"
+        default_branch = "GITHUB_REF"
+        sha = "GITHUB_SHA"
+
+        branch_name = os.environ[default_branch]
+        if os.environ.get(env_pr_branch, "") != "":
+            branch_name = os.environ[env_pr_branch]
+
+        should_build = str(os.environ.get("DOCKER_USERNAME", "") != "").lower()
+
+        print("##[set-output name=branchName]%s" % branch_name)
+        print(
+            "##[set-output name=branchNameContainer]%s"
+            % branch_name.replace("refs/heads/", "").replace("/", "-")
+        )
+        print("##[set-output name=timestamp]%s" % int(time()))
+        print("##[set-output name=sha]%s" % os.environ[sha])
+        print("##[set-output name=shouldBuild]%s" % should_build)

.github/actions/setup/action.yml

@@ -0,0 +1,45 @@
+name: 'Setup authentik testing environemnt'
+description: 'Setup authentik testing environemnt'
+
+runs:
+  using: "composite"
+  steps:
+    - name: Install poetry
+      shell: bash
+      run: |
+        pipx install poetry || true
+        sudo apt update
+        sudo apt install -y libxmlsec1-dev pkg-config gettext
+    - name: Setup python and restore poetry
+      uses: actions/setup-python@v3
+      with:
+        python-version: '3.10'
+        cache: 'poetry'
+    - name: Setup node
+      uses: actions/setup-node@v3.1.0
+      with:
+        node-version: '16'
+        cache: 'npm'
+        cache-dependency-path: web/package-lock.json
+    - name: Setup dependencies
+      shell: bash
+      run: |
+        docker-compose -f .github/actions/setup/docker-compose.yml up -d
+        poetry env use python3.10
+        poetry install
+        npm install -g pyright@1.1.136
+    - name: Generate config
+      shell: poetry run python {0}
+      run: |
+        from authentik.lib.generators import generate_id
+        from yaml import safe_dump
+
+        with open("local.env.yml", "w") as _config:
+            safe_dump(
+                {
+                    "log_level": "debug",
+                    "secret_key": generate_id(),
+                },
+                _config,
+                default_flow_style=False,
+            )

.github/stale.yml

@@ -7,6 +7,7 @@ exemptLabels:
   - pinned
   - security
   - pr_wanted
+  - enhancement
 # Comment to post when marking an issue as stale. Set to `false` to disable
 markComment: >
   This issue has been automatically marked as stale because it has not had

.github/workflows/ci-main.yml

@@ -18,203 +18,90 @@ env:
   POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
 
 jobs:
-  lint-pylint:
+  lint:
+    strategy:
+      fail-fast: false
+      matrix:
+        job:
+          - pylint
+          - black
+          - isort
+          - bandit
+          - pyright
+          - pending-migrations
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
-        with:
-          python-version: '3.9'
-      # - id: cache-pipenv
-      #   uses: actions/cache@v2.1.6
-      #   with:
-      #     path: ~/.local/share/virtualenvs
-      #     key: ${{ runner.os }}-pipenv-v2-${{ hashFiles('**/Pipfile.lock') }}
-      - name: prepare
-        # env:
-        #   INSTALL: ${{ steps.cache-pipenv.outputs.cache-hit }}
-        run: scripts/ci_prepare.sh
-      - name: run pylint
-        run: pipenv run pylint authentik tests lifecycle
-  lint-black:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
-        with:
-          python-version: '3.9'
-      # - id: cache-pipenv
-      #   uses: actions/cache@v2.1.6
-      #   with:
-      #     path: ~/.local/share/virtualenvs
-      #     key: ${{ runner.os }}-pipenv-v2-${{ hashFiles('**/Pipfile.lock') }}
-      - name: prepare
-        # env:
-        #   INSTALL: ${{ steps.cache-pipenv.outputs.cache-hit }}
-        run: scripts/ci_prepare.sh
-      - name: run black
-        run: pipenv run black --check authentik tests lifecycle
-  lint-isort:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
-        with:
-          python-version: '3.9'
-      # - id: cache-pipenv
-      #   uses: actions/cache@v2.1.6
-      #   with:
-      #     path: ~/.local/share/virtualenvs
-      #     key: ${{ runner.os }}-pipenv-v2-${{ hashFiles('**/Pipfile.lock') }}
-      - name: prepare
-        # env:
-        #   INSTALL: ${{ steps.cache-pipenv.outputs.cache-hit }}
-        run: scripts/ci_prepare.sh
-      - name: run isort
-        run: pipenv run isort --check authentik tests lifecycle
-  lint-bandit:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
-        with:
-          python-version: '3.9'
-      # - id: cache-pipenv
-      #   uses: actions/cache@v2.1.6
-      #   with:
-      #     path: ~/.local/share/virtualenvs
-      #     key: ${{ runner.os }}-pipenv-v2-${{ hashFiles('**/Pipfile.lock') }}
-      - name: prepare
-        # env:
-        #   INSTALL: ${{ steps.cache-pipenv.outputs.cache-hit }}
-        run: scripts/ci_prepare.sh
-      - name: run bandit
-        run: pipenv run bandit -r authentik tests lifecycle
-  lint-pyright:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
-        with:
-          python-version: '3.9'
-      - uses: actions/setup-node@v2
-        with:
-          node-version: '16'
-      - name: prepare
-        run: |
-          scripts/ci_prepare.sh
-          npm install -g pyright@1.1.136
-      - name: run bandit
-        run: pipenv run pyright e2e lifecycle
+      - uses: actions/checkout@v3
+      - name: Setup authentik env
+        uses: ./.github/actions/setup
+      - name: run job
+        run: poetry run make ci-${{ matrix.job }}
   test-migrations:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
-        with:
-          python-version: '3.9'
-      # - id: cache-pipenv
-      #   uses: actions/cache@v2.1.6
-      #   with:
-      #     path: ~/.local/share/virtualenvs
-      #     key: ${{ runner.os }}-pipenv-v2-${{ hashFiles('**/Pipfile.lock') }}
-      - name: prepare
-        # env:
-        #   INSTALL: ${{ steps.cache-pipenv.outputs.cache-hit }}
-        run: scripts/ci_prepare.sh
+      - uses: actions/checkout@v3
+      - name: Setup authentik env
+        uses: ./.github/actions/setup
       - name: run migrations
-        run: pipenv run python -m lifecycle.migrate
+        run: poetry run python -m lifecycle.migrate
   test-migrations-from-stable:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
         with:
           fetch-depth: 0
-      - uses: actions/setup-python@v2
-        with:
-          python-version: '3.9'
-      - name: prepare variables
-        id: ev
-        run: |
-          python ./scripts/gh_env.py
-      # - id: cache-pipenv
-      #   uses: actions/cache@v2.1.6
-      #   with:
-      #     path: ~/.local/share/virtualenvs
-      #     key: ${{ runner.os }}-pipenv-v2-${{ hashFiles('**/Pipfile.lock') }}
+      - name: Setup authentik env
+        uses: ./.github/actions/setup
       - name: checkout stable
         run: |
           # Copy current, latest config to local
           cp authentik/lib/default.yml local.env.yml
+          cp -R .github ..
+          cp -R scripts ..
           git checkout $(git describe --abbrev=0 --match 'version/*')
-          git checkout ${{ steps.ev.outputs.branchName }} -- .github
-          git checkout ${{ steps.ev.outputs.branchName }} -- scripts
-      - name: prepare
-        # env:
-        #   INSTALL: ${{ steps.cache-pipenv.outputs.cache-hit }}
-        run: |
-          scripts/ci_prepare.sh
-          # Sync anyways since stable will have different dependencies
-          pipenv sync --dev
+          rm -rf .github/ scripts/
+          mv ../.github ../scripts .
+      - name: Setup authentik env (ensure stable deps are installed)
+        uses: ./.github/actions/setup
       - name: run migrations to stable
-        run: pipenv run python -m lifecycle.migrate
+        run: poetry run python -m lifecycle.migrate
       - name: checkout current code
         run: |
           set -x
           git fetch
-          git checkout ${{ steps.ev.outputs.branchName }}
-          pipenv sync --dev
-      - name: prepare
-        # env:
-        #   INSTALL: ${{ steps.cache-pipenv.outputs.cache-hit }}
-        run: scripts/ci_prepare.sh
+          git reset --hard HEAD
+          git clean -d -fx .
+          git checkout $GITHUB_SHA
+          poetry install
+      - name: Setup authentik env (ensure latest deps are installed)
+        uses: ./.github/actions/setup
       - name: migrate to latest
-        run: pipenv run python -m lifecycle.migrate
+        run: poetry run python -m lifecycle.migrate
   test-unittest:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
-        with:
-          python-version: '3.9'
-      # - id: cache-pipenv
-      #   uses: actions/cache@v2.1.6
-      #   with:
-      #     path: ~/.local/share/virtualenvs
-      #     key: ${{ runner.os }}-pipenv-v2-${{ hashFiles('**/Pipfile.lock') }}
-      - name: prepare
-        # env:
-        #   INSTALL: ${{ steps.cache-pipenv.outputs.cache-hit }}
-        run: scripts/ci_prepare.sh
+      - uses: actions/checkout@v3
+      - name: Setup authentik env
+        uses: ./.github/actions/setup
       - uses: testspace-com/setup-testspace@v1
         with:
           domain: ${{github.repository_owner}}
       - name: run unittest
         run: |
-          pipenv run make test
-          pipenv run coverage xml
+          poetry run make test
+          poetry run coverage xml
       - name: run testspace
         if: ${{ always() }}
         run: |
           testspace [unittest]unittest.xml --link=codecov
       - if: ${{ always() }}
-        uses: codecov/codecov-action@v2
+        uses: codecov/codecov-action@v3
   test-integration:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
-        with:
-          python-version: '3.9'
-      # - id: cache-pipenv
-      #   uses: actions/cache@v2.1.6
-      #   with:
-      #     path: ~/.local/share/virtualenvs
-      #     key: ${{ runner.os }}-pipenv-v2-${{ hashFiles('**/Pipfile.lock') }}
-      - name: prepare
-        # env:
-        #   INSTALL: ${{ steps.cache-pipenv.outputs.cache-hit }}
-        run: scripts/ci_prepare.sh
+      - uses: actions/checkout@v3
+      - name: Setup authentik env
+        uses: ./.github/actions/setup
       - uses: testspace-com/setup-testspace@v1
         with:
           domain: ${{github.repository_owner}}
@@ -222,42 +109,28 @@ jobs:
         uses: helm/kind-action@v1.2.0
       - name: run integration
         run: |
-          pipenv run make test-integration
-          pipenv run coverage xml
+          poetry run make test-integration
+          poetry run coverage xml
       - name: run testspace
         if: ${{ always() }}
         run: |
           testspace [integration]unittest.xml --link=codecov
       - if: ${{ always() }}
-        uses: codecov/codecov-action@v2
-  test-e2e:
+        uses: codecov/codecov-action@v3
+  test-e2e-provider:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
-        with:
-          python-version: '3.9'
-      - uses: actions/setup-node@v2
-        with:
-          node-version: '16'
-          cache: 'npm'
-          cache-dependency-path: web/package-lock.json
+      - uses: actions/checkout@v3
+      - name: Setup authentik env
+        uses: ./.github/actions/setup
       - uses: testspace-com/setup-testspace@v1
         with:
           domain: ${{github.repository_owner}}
-      # - id: cache-pipenv
-      #   uses: actions/cache@v2.1.6
-      #   with:
-      #     path: ~/.local/share/virtualenvs
-      #     key: ${{ runner.os }}-pipenv-v2-${{ hashFiles('**/Pipfile.lock') }}
-      - name: prepare
-        # env:
-        #   INSTALL: ${{ steps.cache-pipenv.outputs.cache-hit }}
+      - name: Setup authentik env
         run: |
-          scripts/ci_prepare.sh
           docker-compose -f tests/e2e/docker-compose.yml up -d
       - id: cache-web
-        uses: actions/cache@v2.1.6
+        uses: actions/cache@v3
         with:
           path: web/dist
           key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/**') }}
@@ -269,38 +142,79 @@ jobs:
           npm run build
       - name: run e2e
         run: |
-          pipenv run make test-e2e
-          pipenv run coverage xml
+          poetry run make test-e2e-provider
+          poetry run coverage xml
       - name: run testspace
         if: ${{ always() }}
         run: |
-          testspace [e2e]unittest.xml --link=codecov
+          testspace [e2e-provider]unittest.xml --link=codecov
       - if: ${{ always() }}
-        uses: codecov/codecov-action@v2
-  build:
+        uses: codecov/codecov-action@v3
+  test-e2e-rest:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Setup authentik env
+        uses: ./.github/actions/setup
+      - uses: testspace-com/setup-testspace@v1
+        with:
+          domain: ${{github.repository_owner}}
+      - name: Setup authentik env
+        run: |
+          docker-compose -f tests/e2e/docker-compose.yml up -d
+      - id: cache-web
+        uses: actions/cache@v3
+        with:
+          path: web/dist
+          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/**') }}
+      - name: prepare web ui
+        if: steps.cache-web.outputs.cache-hit != 'true'
+        run: |
+          cd web
+          npm i
+          npm run build
+      - name: run e2e
+        run: |
+          poetry run make test-e2e-rest
+          poetry run coverage xml
+      - name: run testspace
+        if: ${{ always() }}
+        run: |
+          testspace [e2e-rest]unittest.xml --link=codecov
+      - if: ${{ always() }}
+        uses: codecov/codecov-action@v3
+  ci-core-mark:
     needs:
-      - lint-pylint
-      - lint-black
-      - lint-isort
-      - lint-bandit
-      - lint-pyright
+      - lint
       - test-migrations
       - test-migrations-from-stable
       - test-unittest
       - test-integration
-      - test-e2e
+      - test-e2e-rest
+      - test-e2e-provider
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo mark
+  build:
+    needs: ci-core-mark
     runs-on: ubuntu-latest
     timeout-minutes: 120
+    strategy:
+      fail-fast: false
+      matrix:
+        arch:
+          - 'linux/amd64'
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v1.2.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v1
       - name: prepare variables
         id: ev
         env:
-          DOCKER_USERNAME: ${{ secrets.HARBOR_USERNAME }}
-        run: |
-          python ./scripts/gh_env.py
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+        uses: ./.github/actions/docker-setup
       - name: Login to Container Registry
         uses: docker/login-action@v1
         if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
@@ -317,3 +231,4 @@ jobs:
             ghcr.io/goauthentik/dev-server:gh-${{ steps.ev.outputs.branchNameContainer }}-${{ steps.ev.outputs.timestamp }}-${{ steps.ev.outputs.sha }}
           build-args: |
             GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
+          platforms: ${{ matrix.arch }}

.github/workflows/ci-outpost.yml

@@ -14,10 +14,10 @@ jobs:
   lint-golint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-go@v2
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v3
         with:
-          go-version: '^1.16.3'
+          go-version: "^1.17"
       - name: Run linter
         run: |
           # Create folder structure for go embeds
@@ -28,28 +28,49 @@ jobs:
             --rm \
             -v $(pwd):/app \
             -w /app \
-            golangci/golangci-lint:v1.39.0 \
+            golangci/golangci-lint:v1.43 \
             golangci-lint run -v --timeout 200s
+  test-unittest:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v3
+        with:
+          go-version: "^1.17"
+      - name: Go unittests
+        run: |
+          go test -timeout 0 -v -race -coverprofile=coverage.out -covermode=atomic -cover ./...
+  ci-outpost-mark:
+    needs:
+      - lint-golint
+      - test-unittest
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo mark
   build:
     timeout-minutes: 120
     needs:
-      - lint-golint
+      - ci-outpost-mark
     strategy:
+      fail-fast: false
       matrix:
         type:
           - proxy
           - ldap
+        arch:
+          - 'linux/amd64'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v1.2.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v1
       - name: prepare variables
         id: ev
+        uses: ./.github/actions/docker-setup
         env:
-          DOCKER_USERNAME: ${{ secrets.HARBOR_USERNAME }}
-        run: |
-          python ./scripts/gh_env.py
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
       - name: Login to Container Registry
         uses: docker/login-action@v1
         if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
@@ -68,3 +89,42 @@ jobs:
           file: ${{ matrix.type }}.Dockerfile
           build-args: |
             GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
+          platforms: ${{ matrix.arch }}
+  build-outpost-binary:
+    timeout-minutes: 120
+    needs:
+      - ci-outpost-mark
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        type:
+          - proxy
+          - ldap
+        goos: [linux]
+        goarch: [amd64, arm64]
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v3
+        with:
+          go-version: "^1.17"
+      - uses: actions/setup-node@v3.1.1
+        with:
+          node-version: '16'
+          cache: 'npm'
+          cache-dependency-path: web/package-lock.json
+      - name: Build web
+        run: |
+          cd web
+          npm install
+          npm run build-proxy
+      - name: Build outpost
+        run: |
+          set -x
+          export GOOS=${{ matrix.goos }}
+          export GOARCH=${{ matrix.goarch }}
+          go build -tags=outpost_static_embed -v -o ./authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }} ./cmd/${{ matrix.type }}
+      - uses: actions/upload-artifact@v3
+        with:
+          name: authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }}
+          path: ./authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }}

.github/workflows/ci-web.yml

@@ -14,8 +14,8 @@ jobs:
   lint-eslint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-node@v2
+      - uses: actions/checkout@v3
+      - uses: actions/setup-node@v3.1.1
         with:
           node-version: '16'
           cache: 'npm'
@@ -32,8 +32,8 @@ jobs:
   lint-prettier:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-node@v2
+      - uses: actions/checkout@v3
+      - uses: actions/setup-node@v3.1.1
         with:
           node-version: '16'
           cache: 'npm'
@@ -50,8 +50,8 @@ jobs:
   lint-lit-analyse:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-node@v2
+      - uses: actions/checkout@v3
+      - uses: actions/setup-node@v3.1.1
         with:
           node-version: '16'
           cache: 'npm'
@@ -65,15 +65,21 @@ jobs:
         run: |
           cd web
           npm run lit-analyse
-  build:
+  ci-web-mark:
     needs:
       - lint-eslint
       - lint-prettier
       - lint-lit-analyse
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-node@v2
+      - run: echo mark
+  build:
+    needs:
+      - ci-web-mark
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-node@v3.1.1
         with:
           node-version: '16'
           cache: 'npm'

.github/workflows/codeql-analysis.yml

@@ -28,7 +28,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL

.github/workflows/release-publish.yml

@@ -9,7 +9,7 @@ jobs:
   build-server:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v1.2.0
       - name: Set up Docker Buildx
@@ -30,28 +30,25 @@ jobs:
         with:
           push: ${{ github.event_name == 'release' }}
           tags: |
-            beryju/authentik:2021.10.4,
+            beryju/authentik:2022.4.1,
             beryju/authentik:latest,
-            ghcr.io/goauthentik/server:2021.10.4,
+            ghcr.io/goauthentik/server:2022.4.1,
             ghcr.io/goauthentik/server:latest
           platforms: linux/amd64,linux/arm64
           context: .
-      - name: Building Docker Image (stable)
-        if: ${{ github.event_name == 'release' && !contains('2021.10.4', 'rc') }}
-        run: |
-          docker pull beryju/authentik:latest
-          docker tag beryju/authentik:latest beryju/authentik:stable
-          docker push beryju/authentik:stable
-          docker pull ghcr.io/goauthentik/server:latest
-          docker tag ghcr.io/goauthentik/server:latest ghcr.io/goauthentik/server:stable
-          docker push ghcr.io/goauthentik/server:stable
-  build-proxy:
+  build-outpost:
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        type:
+          - proxy
+          - ldap
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-go@v2
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v3
         with:
-          go-version: "^1.15"
+          go-version: "^1.17"
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v1.2.0
       - name: Set up Docker Buildx
@@ -72,71 +69,59 @@ jobs:
         with:
           push: ${{ github.event_name == 'release' }}
           tags: |
-            beryju/authentik-proxy:2021.10.4,
-            beryju/authentik-proxy:latest,
-            ghcr.io/goauthentik/proxy:2021.10.4,
-            ghcr.io/goauthentik/proxy:latest
-          file: proxy.Dockerfile
+            beryju/authentik-${{ matrix.type }}:2022.4.1,
+            beryju/authentik-${{ matrix.type }}:latest,
+            ghcr.io/goauthentik/${{ matrix.type }}:2022.4.1,
+            ghcr.io/goauthentik/${{ matrix.type }}:latest
+          file: ${{ matrix.type }}.Dockerfile
           platforms: linux/amd64,linux/arm64
-      - name: Building Docker Image (stable)
-        if: ${{ github.event_name == 'release' && !contains('2021.10.4', 'rc') }}
-        run: |
-          docker pull beryju/authentik-proxy:latest
-          docker tag beryju/authentik-proxy:latest beryju/authentik-proxy:stable
-          docker push beryju/authentik-proxy:stable
-          docker pull ghcr.io/goauthentik/proxy:latest
-          docker tag ghcr.io/goauthentik/proxy:latest ghcr.io/goauthentik/proxy:stable
-          docker push ghcr.io/goauthentik/proxy:stable
-  build-ldap:
+  build-outpost-binary:
+    timeout-minutes: 120
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        type:
+          - proxy
+          - ldap
+        goos: [linux, darwin]
+        goarch: [amd64, arm64]
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-go@v2
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v3
         with:
-          go-version: "^1.15"
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v1.2.0
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-      - name: Docker Login Registry
-        uses: docker/login-action@v1
+          go-version: "^1.17"
+      - uses: actions/setup-node@v3.1.1
         with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v1
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Building Docker Image
-        uses: docker/build-push-action@v2
-        with:
-          push: ${{ github.event_name == 'release' }}
-          tags: |
-            beryju/authentik-ldap:2021.10.4,
-            beryju/authentik-ldap:latest,
-            ghcr.io/goauthentik/ldap:2021.10.4,
-            ghcr.io/goauthentik/ldap:latest
-          file: ldap.Dockerfile
-          platforms: linux/amd64,linux/arm64
-      - name: Building Docker Image (stable)
-        if: ${{ github.event_name == 'release' && !contains('2021.10.4', 'rc') }}
+          node-version: '16'
+          cache: 'npm'
+          cache-dependency-path: web/package-lock.json
+      - name: Build web
         run: |
-          docker pull beryju/authentik-ldap:latest
-          docker tag beryju/authentik-ldap:latest beryju/authentik-ldap:stable
-          docker push beryju/authentik-ldap:stable
-          docker pull ghcr.io/goauthentik/ldap:latest
-          docker tag ghcr.io/goauthentik/ldap:latest ghcr.io/goauthentik/ldap:stable
-          docker push ghcr.io/goauthentik/ldap:stable
+          cd web
+          npm install
+          npm run build-proxy
+      - name: Build outpost
+        run: |
+          set -x
+          export GOOS=${{ matrix.goos }}
+          export GOARCH=${{ matrix.goarch }}
+          go build -tags=outpost_static_embed -v -o ./authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }} ./cmd/${{ matrix.type }}
+      - name: Upload binaries to release
+        uses: svenstaro/upload-release-action@v2
+        with:
+          repo_token: ${{ secrets.GITHUB_TOKEN }}
+          file: ./authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }}
+          asset_name: authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }}
+          tag: ${{ github.ref }}
   test-release:
     needs:
       - build-server
-      - build-proxy
-      - build-ldap
+      - build-outpost
+      - build-outpost-binary
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - name: Run test suite in final docker images
         run: |
           echo "PG_PASS=$(openssl rand -base64 32)" >> .env
@@ -147,20 +132,17 @@ jobs:
           docker-compose run -u root server test
   sentry-release:
     needs:
-      - test-release
+      - build-server
+      - build-outpost
+      - build-outpost-binary
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - name: Setup Node.js environment
-        uses: actions/setup-node@v2
-        with:
-          node-version: '16'
-      - name: Build web api client and web ui
+      - uses: actions/checkout@v3
+      - name: Get static files from docker image
         run: |
-          export NODE_ENV=production
-          cd web
-          npm i
-          npm run build
+          docker pull ghcr.io/goauthentik/server:latest
+          container=$(docker container create ghcr.io/goauthentik/server:latest)
+          docker cp ${container}:web/ .
       - name: Create a Sentry.io release
         uses: getsentry/action-release@v1
         if: ${{ github.event_name == 'release' }}
@@ -170,7 +152,7 @@ jobs:
           SENTRY_PROJECT: authentik
           SENTRY_URL: https://sentry.beryju.org
         with:
-          version: authentik@2021.10.4
+          version: authentik@2022.4.1
           environment: beryjuorg-prod
           sourcemaps: './web/dist'
           url_prefix: '~/static/dist'

.github/workflows/release-tag.yml

@@ -10,11 +10,12 @@ jobs:
     name: Create Release from Tag
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - name: Pre-release test
         run: |
           echo "PG_PASS=$(openssl rand -base64 32)" >> .env
           echo "AUTHENTIK_SECRET_KEY=$(openssl rand -base64 32)" >> .env
+          docker buildx install
           docker build \
             --no-cache \
             -t testing:latest \
@@ -26,7 +27,7 @@ jobs:
           docker-compose run -u root server test
       - name: Extract version number
         id: get_version
-        uses: actions/github-script@v5
+        uses: actions/github-script@v6
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |

.github/workflows/translation-compile.yml

@@ -4,8 +4,9 @@ on:
     branches: [ master ]
     paths:
       - '/locale/'
-  schedule:
-  - cron: "0 */2 * * *"
+  pull_request:
+    paths:
+      - '/locale/'
   workflow_dispatch:
 
 env:
@@ -17,23 +18,19 @@ jobs:
   compile:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
-        with:
-          python-version: '3.9'
-      - name: prepare
-        run: |
-          sudo apt-get update
-          sudo apt-get install -y gettext
-          scripts/ci_prepare.sh
+      - uses: actions/checkout@v3
+      - name: Setup authentik env
+        uses: ./.github/actions/setup
       - name: run compile
-        run: pipenv run ./manage.py compilemessages
+        run: poetry run ./manage.py compilemessages
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v3
+        uses: peter-evans/create-pull-request@v4
+        id: cpr
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           branch: compile-backend-translation
           commit-message: "core: compile backend translations"
           title: "core: compile backend translations"
+          body: "core: compile backend translations"
           delete-branch: true
           signoff: true

.github/workflows/web-api-publish.yml

@@ -8,9 +8,9 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       # Setup .npmrc file to publish to npm
-      - uses: actions/setup-node@v2
+      - uses: actions/setup-node@v3.1.1
         with:
           node-version: '16'
           registry-url: 'https://registry.npmjs.org'
@@ -29,11 +29,13 @@ jobs:
           export VERSION=`node -e 'console.log(require("../web-api/package.json").version)'`
           npm i @goauthentik/api@$VERSION
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v3
+        uses: peter-evans/create-pull-request@v4
+        id: cpr
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           branch: update-web-api-client
           commit-message: "web: Update Web API Client version"
           title: "web: Update Web API Client version"
+          body: "web: Update Web API Client version"
           delete-branch: true
           signoff: true

.gitignore

@@ -66,7 +66,9 @@ coverage.xml
 unittest.xml
 
 # Translations
-*.mo
+# Have to include binary mo files as they are annoying to compile at build time
+# since a full postgres and redis instance are required
+# *.mo
 
 # Django stuff:
 

.vscode/settings.json

@@ -10,7 +10,10 @@
         "plex",
         "saml",
         "totp",
-        "webauthn"
+        "webauthn",
+        "traefik",
+        "passwordless",
+        "kubernetes"
     ],
     "python.linting.pylintEnabled": true,
     "todo-tree.tree.showCountsInTree": true,

Dockerfile

@@ -1,75 +1,68 @@
-# Stage 1: Lock python dependencies
-FROM docker.io/python:3.9-slim-bullseye as locker
+# Stage 1: Build website
+FROM --platform=${BUILDPLATFORM} docker.io/node:16 as website-builder
 
-COPY ./Pipfile /app/
-COPY ./Pipfile.lock /app/
-
-WORKDIR /app/
-
-RUN pip install pipenv && \
-    pipenv lock -r > requirements.txt && \
-    pipenv lock -r --dev-only > requirements-dev.txt
-
-# Stage 2: Build website
-FROM docker.io/node:16 as website-builder
-
-COPY ./website /static/
+COPY ./website /work/website/
 
 ENV NODE_ENV=production
-RUN cd /static && npm i && npm run build-docs-only
+RUN cd /work/website && npm i && npm run build-docs-only
 
-# Stage 3: Build webui
-FROM docker.io/node:16 as web-builder
+# Stage 2: Build webui
+FROM --platform=${BUILDPLATFORM} docker.io/node:16 as web-builder
 
-COPY ./web /static/
+COPY ./web /work/web/
+COPY ./website /work/website/
 
 ENV NODE_ENV=production
-RUN cd /static && npm i && npm run build
+RUN cd /work/web && npm i && npm run build
 
-# Stage 4: Build go proxy
-FROM docker.io/golang:1.17.3-bullseye AS builder
+# Stage 3: Build go proxy
+FROM docker.io/golang:1.18.0-bullseye AS builder
 
 WORKDIR /work
 
-COPY --from=web-builder /static/robots.txt /work/web/robots.txt
-COPY --from=web-builder /static/security.txt /work/web/security.txt
-COPY --from=web-builder /static/dist/ /work/web/dist/
-COPY --from=web-builder /static/authentik/ /work/web/authentik/
-COPY --from=website-builder /static/help/ /work/website/help/
+COPY --from=web-builder /work/web/robots.txt /work/web/robots.txt
+COPY --from=web-builder /work/web/security.txt /work/web/security.txt
 
 COPY ./cmd /work/cmd
 COPY ./web/static.go /work/web/static.go
-COPY ./website/static.go /work/website/static.go
 COPY ./internal /work/internal
 COPY ./go.mod /work/go.mod
 COPY ./go.sum /work/go.sum
 
 RUN go build -o /work/authentik ./cmd/server/main.go
 
-# Stage 5: Run
-FROM docker.io/python:3.9-slim-bullseye
+# Stage 4: Run
+FROM docker.io/python:3.10.4-slim-bullseye
+
+LABEL org.opencontainers.image.url https://goauthentik.io
+LABEL org.opencontainers.image.description goauthentik.io Main server image, see https://goauthentik.io for more info.
+LABEL org.opencontainers.image.source https://github.com/goauthentik/authentik
 
 WORKDIR /
-COPY --from=locker /app/requirements.txt /
-COPY --from=locker /app/requirements-dev.txt /
 
 ARG GIT_BUILD_HASH
 ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
 
+COPY ./pyproject.toml /
+COPY ./poetry.lock /
+
 RUN apt-get update && \
-    apt-get install -y --no-install-recommends curl ca-certificates gnupg git runit && \
-    curl https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add - && \
-    echo "deb http://apt.postgresql.org/pub/repos/apt bullseye-pgdg main" > /etc/apt/sources.list.d/pgdg.list && \
-    apt-get update && \
-    apt-get install -y --no-install-recommends libpq-dev postgresql-client build-essential libxmlsec1-dev pkg-config libmaxminddb0 && \
-    pip install -r /requirements.txt --no-cache-dir && \
+    apt-get install -y --no-install-recommends \
+        curl ca-certificates gnupg git runit libpq-dev \
+        postgresql-client build-essential libxmlsec1-dev \
+        pkg-config libmaxminddb0 && \
+    pip install poetry && \
+    poetry config virtualenvs.create false && \
+    poetry install --no-dev && \
+    rm -rf ~/.cache/pypoetry && \
     apt-get remove --purge -y build-essential git && \
     apt-get autoremove --purge -y && \
     apt-get clean && \
     rm -rf /tmp/* /var/lib/apt/lists/* /var/tmp/ && \
     adduser --system --no-create-home --uid 1000 --group --home /authentik authentik && \
-    mkdir /backups && \
-    chown authentik:authentik /backups
+    mkdir -p /certs /media && \
+    mkdir -p /authentik/.ssh && \
+    chown authentik:authentik /certs /media /authentik/.ssh
 
 COPY ./authentik/ /authentik
 COPY ./pyproject.toml /
@@ -78,6 +71,9 @@ COPY ./tests /tests
 COPY ./manage.py /
 COPY ./lifecycle/ /lifecycle
 COPY --from=builder /work/authentik /authentik-proxy
+COPY --from=web-builder /work/web/dist/ /web/dist/
+COPY --from=web-builder /work/web/authentik/ /web/authentik/
+COPY --from=website-builder /work/website/help/ /website/help/
 
 USER authentik
 

Makefile

@@ -4,16 +4,22 @@ UID = $(shell id -u)
 GID = $(shell id -g)
 NPM_VERSION = $(shell python -m scripts.npm_version)
 
-all: lint-fix lint test gen
+all: lint-fix lint test gen web
 
 test-integration:
-	coverage run manage.py test -v 3 tests/integration
+	coverage run manage.py test tests/integration
 
-test-e2e:
-	coverage run manage.py test --failfast -v 3 tests/e2e
+test-e2e-provider:
+	coverage run manage.py test tests/e2e/test_provider*
+
+test-e2e-rest:
+	coverage run manage.py test tests/e2e/test_flows* tests/e2e/test_source*
+
+test-go:
+	go test -timeout 0 -v -race -cover ./...
 
 test:
-	coverage run manage.py test -v 3 authentik
+	coverage run manage.py test authentik
 	coverage html
 	coverage report
 
@@ -32,10 +38,12 @@ lint-fix:
 lint:
 	bandit -r authentik tests lifecycle -x node_modules
 	pylint authentik tests lifecycle
+	golangci-lint run -v
 
-i18n-extract:
+i18n-extract: i18n-extract-core web-extract
+
+i18n-extract-core:
 	./manage.py makemessages --ignore web --ignore internal --ignore web --ignore web-api --ignore website -l en
-	cd web && npm run extract
 
 gen-build:
 	./manage.py spectacular --file schema.yml
@@ -48,13 +56,12 @@ gen-web:
 	docker run \
 		--rm -v ${PWD}:/local \
 		--user ${UID}:${GID} \
-		ghcr.io/beryju/openapi-generator generate \
+		openapitools/openapi-generator-cli:v6.0.0-beta generate \
 		-i /local/schema.yml \
 		-g typescript-fetch \
 		-o /local/web-api \
 		--additional-properties=typescriptThreePlus=true,supportsES6=true,npmName=@goauthentik/api,npmVersion=${NPM_VERSION}
 	mkdir -p web/node_modules/@goauthentik/api
-	python -m scripts.web_api_esm
 	\cp -fv scripts/web_api_readme.md web-api/README.md
 	cd web-api && npm i
 	\cp -rfv web-api/* web/node_modules/@goauthentik/api
@@ -67,12 +74,13 @@ gen-outpost:
 	docker run \
 		--rm -v ${PWD}:/local \
 		--user ${UID}:${GID} \
-		openapitools/openapi-generator-cli generate \
+		openapitools/openapi-generator-cli:v6.0.0-beta generate \
 		-i /local/schema.yml \
 		-g go \
 		-o /local/api \
 		-c /local/config.yaml
 	go mod edit -replace goauthentik.io/api=./api
+	rm -rf config.yaml ./templates/
 
 gen: gen-build gen-clean gen-web
 
@@ -81,3 +89,53 @@ migrate:
 
 run:
 	go run -v cmd/server/main.go
+
+web-watch:
+	cd web && npm run watch
+
+web: web-lint-fix web-lint web-extract
+
+web-lint-fix:
+	cd web && npm run prettier
+
+web-lint:
+	cd web && npm run lint
+	cd web && npm run lit-analyse
+
+web-extract:
+	cd web && npm run extract
+
+# These targets are use by GitHub actions to allow usage of matrix
+# which makes the YAML File a lot smaller
+
+ci--meta-debug:
+	python -V
+	node --version
+
+ci-pylint: ci--meta-debug
+	pylint authentik tests lifecycle
+
+ci-black: ci--meta-debug
+	black --check authentik tests lifecycle
+
+ci-isort: ci--meta-debug
+	isort --check authentik tests lifecycle
+
+ci-bandit: ci--meta-debug
+	bandit -r authentik tests lifecycle
+
+ci-pyright: ci--meta-debug
+	pyright e2e lifecycle
+
+ci-pending-migrations: ci--meta-debug
+	./manage.py makemigrations --check
+
+install:
+	poetry install
+	cd web && npm i
+	cd website && npm i
+
+a: install
+	tmux \
+		new-session 'make run' \; \
+		split-window 'make web-watch'

Pipfile

@@ -1,64 +0,0 @@
-[[source]]
-name = "pypi"
-url = "https://pypi.org/simple"
-verify_ssl = true
-
-[packages]
-boto3 = "*"
-celery = "*"
-channels = "*"
-channels-redis = "*"
-dacite = "*"
-defusedxml = "*"
-django = "*"
-django-dbbackup = { git = 'https://github.com/django-dbbackup/django-dbbackup.git', ref = '9d1909c30a3271c8c9c8450add30d6e0b996e145' }
-django-filter = "*"
-django-guardian = "*"
-django-model-utils = "*"
-django-otp = "*"
-django-prometheus = "*"
-django-redis = "*"
-django-storages = "*"
-djangorestframework = "*"
-djangorestframework-guardian = "*"
-docker = "*"
-drf-spectacular = "*"
-facebook-sdk = "*"
-geoip2 = "*"
-gunicorn = "*"
-kubernetes = "==v19.15.0"
-ldap3 = "*"
-lxml = "*"
-packaging = "*"
-psycopg2-binary = "*"
-pycryptodome = "*"
-pyjwt = "*"
-pyyaml = "*"
-requests-oauthlib = "*"
-sentry-sdk = "*"
-service_identity = "*"
-structlog = "*"
-swagger-spec-validator = "*"
-twisted = "==21.7.0"
-urllib3 = {extras = ["secure"],version = "*"}
-uvicorn = {extras = ["standard"],version = "*"}
-webauthn = "*"
-xmlsec = "*"
-duo-client = "*"
-ua-parser = "*"
-deepmerge = "*"
-colorama = "*"
-codespell = "*"
-
-[dev-packages]
-bandit = "*"
-black = "==21.9b0"
-bump2version = "*"
-colorama = "*"
-coverage = {extras = ["toml"],version = "*"}
-pylint = "*"
-pylint-django = "*"
-pytest = "*"
-pytest-django = "*"
-selenium = "*"
-requests-mock = "*"

README.md

@@ -38,3 +38,23 @@ See [Development Documentation](https://goauthentik.io/developer-docs/?utm_sourc
 ## Security
 
 See [SECURITY.md](SECURITY.md)
+
+## Sponsors
+
+This project is proudly sponsored by:
+
+<p>
+    <a href="https://www.digitalocean.com/?utm_medium=opensource&utm_source=goauthentik.io">
+        <img src="https://opensource.nyc3.cdn.digitaloceanspaces.com/attribution/assets/SVG/DO_Logo_horizontal_blue.svg" width="201px">
+    </a>
+</p>
+
+DigitalOcean provides development and testing resources for authentik.
+
+<p>
+    <a href="https://www.netlify.com">
+        <img src="https://www.netlify.com/img/global/badges/netlify-color-accent.svg" alt="Deploys by Netlify" />
+    </a>
+</p>
+
+Netlify hosts the [goauthentik.io](https://goauthentik.io) site.

SECURITY.md

@@ -6,8 +6,8 @@
 
 | Version    | Supported          |
 | ---------- | ------------------ |
-| 2021.9.x   | :white_check_mark: |
-| 2021.10.x  | :white_check_mark: |
+| 2022.3.x   | :white_check_mark: |
+| 2022.4.x   | :white_check_mark: |
 
 ## Reporting a Vulnerability
 

authentik/__init__.py

@@ -1,3 +1,19 @@
 """authentik"""
-__version__ = "2021.10.4"
+from os import environ
+from typing import Optional
+
+__version__ = "2022.4.1"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
+
+
+def get_build_hash(fallback: Optional[str] = None) -> str:
+    """Get build hash"""
+    return environ.get(ENV_GIT_HASH_KEY, fallback if fallback else "")
+
+
+def get_full_version() -> str:
+    """Get full version, with build hash appended"""
+    version = __version__
+    if (build_hash := get_build_hash()) != "":
+        version += "." + build_hash
+    return version

authentik/admin/api/metrics.py

@@ -1,13 +1,6 @@
 """authentik administration metrics"""
-import time
-from collections import Counter
-from datetime import timedelta
-
-from django.db.models import Count, ExpressionWrapper, F
-from django.db.models.fields import DurationField
-from django.db.models.functions import ExtractHour
-from django.utils.timezone import now
 from drf_spectacular.utils import extend_schema, extend_schema_field
+from guardian.shortcuts import get_objects_for_user
 from rest_framework.fields import IntegerField, SerializerMethodField
 from rest_framework.permissions import IsAdminUser
 from rest_framework.request import Request
@@ -15,31 +8,7 @@ from rest_framework.response import Response
 from rest_framework.views import APIView
 
 from authentik.core.api.utils import PassiveSerializer
-from authentik.events.models import Event, EventAction
-
-
-def get_events_per_1h(**filter_kwargs) -> list[dict[str, int]]:
-    """Get event count by hour in the last day, fill with zeros"""
-    date_from = now() - timedelta(days=1)
-    result = (
-        Event.objects.filter(created__gte=date_from, **filter_kwargs)
-        .annotate(age=ExpressionWrapper(now() - F("created"), output_field=DurationField()))
-        .annotate(age_hours=ExtractHour("age"))
-        .values("age_hours")
-        .annotate(count=Count("pk"))
-        .order_by("age_hours")
-    )
-    data = Counter({int(d["age_hours"]): d["count"] for d in result})
-    results = []
-    _now = now()
-    for hour in range(0, -24, -1):
-        results.append(
-            {
-                "x_cord": time.mktime((_now + timedelta(hours=hour)).timetuple()) * 1000,
-                "y_cord": data[hour * -1],
-            }
-        )
-    return results
+from authentik.events.models import EventAction
 
 
 class CoordinateSerializer(PassiveSerializer):
@@ -58,12 +27,22 @@ class LoginMetricsSerializer(PassiveSerializer):
     @extend_schema_field(CoordinateSerializer(many=True))
     def get_logins_per_1h(self, _):
         """Get successful logins per hour for the last 24 hours"""
-        return get_events_per_1h(action=EventAction.LOGIN)
+        user = self.context["user"]
+        return (
+            get_objects_for_user(user, "authentik_events.view_event")
+            .filter(action=EventAction.LOGIN)
+            .get_events_per_hour()
+        )
 
     @extend_schema_field(CoordinateSerializer(many=True))
     def get_logins_failed_per_1h(self, _):
         """Get failed logins per hour for the last 24 hours"""
-        return get_events_per_1h(action=EventAction.LOGIN_FAILED)
+        user = self.context["user"]
+        return (
+            get_objects_for_user(user, "authentik_events.view_event")
+            .filter(action=EventAction.LOGIN_FAILED)
+            .get_events_per_hour()
+        )
 
 
 class AdministrationMetricsViewSet(APIView):
@@ -75,4 +54,5 @@ class AdministrationMetricsViewSet(APIView):
     def get(self, request: Request) -> Response:
         """Login Metrics per 1h"""
         serializer = LoginMetricsSerializer(True)
+        serializer.context["user"] = request.user
         return Response(serializer.data)

authentik/admin/api/system.py

@@ -86,7 +86,7 @@ class SystemSerializer(PassiveSerializer):
     def get_embedded_outpost_host(self, request: Request) -> str:
         """Get the FQDN configured on the embedded outpost"""
         outposts = Outpost.objects.filter(managed=MANAGED_OUTPOST)
-        if not outposts.exists():
+        if not outposts.exists():  # pragma: no cover
             return ""
         return outposts.first().config.authentik_host
 

authentik/admin/api/tasks.py

@@ -12,10 +12,13 @@ from rest_framework.permissions import IsAdminUser
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.viewsets import ViewSet
+from structlog.stdlib import get_logger
 
 from authentik.core.api.utils import PassiveSerializer
 from authentik.events.monitored_tasks import TaskInfo, TaskResultStatus
 
+LOGGER = get_logger()
+
 
 class TaskSerializer(PassiveSerializer):
     """Serialize TaskInfo and TaskResult"""
@@ -36,7 +39,7 @@ class TaskSerializer(PassiveSerializer):
         are pickled in cache. In that case, just delete the info"""
         try:
             return super().to_representation(instance)
-        except AttributeError:
+        except AttributeError:  # pragma: no cover
             if isinstance(self.instance, list):
                 for inst in self.instance:
                     inst.delete()
@@ -89,13 +92,15 @@ class TaskViewSet(ViewSet):
         try:
             task_module = import_module(task.task_call_module)
             task_func = getattr(task_module, task.task_call_func)
+            LOGGER.debug("Running task", task=task_func)
             task_func.delay(*task.task_call_args, **task.task_call_kwargs)
             messages.success(
                 self.request,
                 _("Successfully re-scheduled Task %(name)s!" % {"name": task.task_name}),
             )
             return Response(status=204)
-        except ImportError:  # pragma: no cover
+        except (ImportError, AttributeError):  # pragma: no cover
+            LOGGER.warning("Failed to run task, remove state", task=task)
             # if we get an import error, the module path has probably changed
             task.delete()
             return Response(status=500)

authentik/admin/api/version.py

@@ -1,6 +1,4 @@
 """authentik administration overview"""
-from os import environ
-
 from django.core.cache import cache
 from drf_spectacular.utils import extend_schema
 from packaging.version import parse
@@ -10,7 +8,7 @@ from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.views import APIView
 
-from authentik import ENV_GIT_HASH_KEY, __version__
+from authentik import __version__, get_build_hash
 from authentik.admin.tasks import VERSION_CACHE_KEY, update_latest_version
 from authentik.core.api.utils import PassiveSerializer
 
@@ -25,7 +23,7 @@ class VersionSerializer(PassiveSerializer):
 
     def get_build_hash(self, _) -> str:
         """Get build hash, if version is not latest or released"""
-        return environ.get(ENV_GIT_HASH_KEY, "")
+        return get_build_hash()
 
     def get_version_current(self, _) -> str:
         """Get current version"""

authentik/admin/api/workers.py

@@ -23,6 +23,6 @@ class WorkerView(APIView):
         """Get currently connected worker count."""
         count = len(CELERY_APP.control.ping(timeout=0.5))
         # In debug we run with `CELERY_TASK_ALWAYS_EAGER`, so tasks are ran on the main process
-        if settings.DEBUG:
+        if settings.DEBUG:  # pragma: no cover
             count += 1
         return Response({"count": count})

authentik/admin/apps.py

@@ -1,4 +1,6 @@
 """authentik admin app config"""
+from importlib import import_module
+
 from django.apps import AppConfig
 
 
@@ -13,3 +15,4 @@ class AuthentikAdminConfig(AppConfig):
         from authentik.admin.tasks import clear_update_notifications
 
         clear_update_notifications.delay()
+        import_module("authentik.admin.signals")

authentik/admin/signals.py

@@ -0,0 +1,23 @@
+"""admin signals"""
+from django.dispatch import receiver
+
+from authentik.admin.api.tasks import TaskInfo
+from authentik.admin.api.workers import GAUGE_WORKERS
+from authentik.root.celery import CELERY_APP
+from authentik.root.monitoring import monitoring_set
+
+
+@receiver(monitoring_set)
+# pylint: disable=unused-argument
+def monitoring_set_workers(sender, **kwargs):
+    """Set worker gauge"""
+    count = len(CELERY_APP.control.ping(timeout=0.5))
+    GAUGE_WORKERS.set(count)
+
+
+@receiver(monitoring_set)
+# pylint: disable=unused-argument
+def monitoring_set_tasks(sender, **kwargs):
+    """Set task gauges"""
+    for task in TaskInfo.all().values():
+        task.set_prom_metrics()

authentik/admin/tasks.py

@@ -1,6 +1,5 @@
 """authentik admin tasks"""
 import re
-from os import environ
 
 from django.core.cache import cache
 from django.core.validators import URLValidator
@@ -9,7 +8,7 @@ from prometheus_client import Info
 from requests import RequestException
 from structlog.stdlib import get_logger
 
-from authentik import ENV_GIT_HASH_KEY, __version__
+from authentik import __version__, get_build_hash
 from authentik.events.models import Event, EventAction, Notification
 from authentik.events.monitored_tasks import (
     MonitoredTask,
@@ -36,7 +35,7 @@ def _set_prom_info():
         {
             "version": __version__,
             "latest": cache.get(VERSION_CACHE_KEY, ""),
-            "build_hash": environ.get(ENV_GIT_HASH_KEY, ""),
+            "build_hash": get_build_hash(),
         }
     )
 
@@ -54,7 +53,7 @@ def clear_update_notifications():
 
 
 @CELERY_APP.task(bind=True, base=MonitoredTask)
-@prefill_task()
+@prefill_task
 def update_latest_version(self: MonitoredTask):
     """Update latest version info"""
     if CONFIG.y_bool("disable_update_check"):

authentik/admin/tests/test_api.py

@@ -8,6 +8,7 @@ from authentik import __version__
 from authentik.core.models import Group, User
 from authentik.core.tasks import clean_expired_models
 from authentik.events.monitored_tasks import TaskResultStatus
+from authentik.managed.tasks import managed_reconcile
 
 
 class TestAdminAPI(TestCase):
@@ -94,5 +95,7 @@ class TestAdminAPI(TestCase):
 
     def test_system(self):
         """Test system API"""
+        # pyright: reportGeneralTypeIssues=false
+        managed_reconcile()  # pylint: disable=no-value-for-parameter
         response = self.client.get(reverse("authentik_api:admin_system"))
         self.assertEqual(response.status_code, 200)

authentik/admin/tests/test_tasks.py

@@ -3,8 +3,13 @@ from django.core.cache import cache
 from django.test import TestCase
 from requests_mock import Mocker
 
-from authentik.admin.tasks import VERSION_CACHE_KEY, update_latest_version
+from authentik.admin.tasks import (
+    VERSION_CACHE_KEY,
+    clear_update_notifications,
+    update_latest_version,
+)
 from authentik.events.models import Event, EventAction
+from authentik.lib.config import CONFIG
 
 RESPONSE_VALID = {
     "$schema": "https://version.goauthentik.io/schema.json",
@@ -56,3 +61,23 @@ class TestAdminTasks(TestCase):
                     action=EventAction.UPDATE_AVAILABLE, context__new_version="0.0.0"
                 ).exists()
             )
+
+    def test_version_disabled(self):
+        """Test Update checker while its disabled"""
+        with CONFIG.patch("disable_update_check", True):
+            update_latest_version.delay().get()
+            self.assertEqual(cache.get(VERSION_CACHE_KEY), "0.0.0")
+
+    def test_clear_update_notifications(self):
+        """Test clear of previous notification"""
+        Event.objects.create(
+            action=EventAction.UPDATE_AVAILABLE, context={"new_version": "99999999.9999999.9999999"}
+        )
+        Event.objects.create(action=EventAction.UPDATE_AVAILABLE, context={"new_version": "1.1.1"})
+        Event.objects.create(action=EventAction.UPDATE_AVAILABLE, context={})
+        clear_update_notifications()
+        self.assertFalse(
+            Event.objects.filter(
+                action=EventAction.UPDATE_AVAILABLE, context__new_version="1.1"
+            ).exists()
+        )

authentik/api/authentication.py

@@ -1,7 +1,5 @@
 """API Authentication"""
-from base64 import b64decode
-from binascii import Error
-from typing import Any, Optional, Union
+from typing import Any, Optional
 
 from django.conf import settings
 from rest_framework.authentication import BaseAuthentication, get_authorization_header
@@ -16,38 +14,36 @@ from authentik.outposts.models import Outpost
 LOGGER = get_logger()
 
 
-# pylint: disable=too-many-return-statements
-def bearer_auth(raw_header: bytes) -> Optional[User]:
-    """raw_header in the Format of `Bearer dGVzdDp0ZXN0`"""
-    auth_credentials = raw_header.decode()
+def validate_auth(header: bytes) -> str:
+    """Validate that the header is in a correct format,
+    returns type and credentials"""
+    auth_credentials = header.decode().strip()
     if auth_credentials == "" or " " not in auth_credentials:
         return None
     auth_type, _, auth_credentials = auth_credentials.partition(" ")
-    if auth_type.lower() not in ["basic", "bearer"]:
+    if auth_type.lower() != "bearer":
         LOGGER.debug("Unsupported authentication type, denying", type=auth_type.lower())
         raise AuthenticationFailed("Unsupported authentication type")
-    password = auth_credentials
-    if auth_type.lower() == "basic":
-        try:
-            auth_credentials = b64decode(auth_credentials.encode()).decode()
-        except (UnicodeDecodeError, Error):
-            raise AuthenticationFailed("Malformed header")
-        # Accept credentials with username and without
-        if ":" in auth_credentials:
-            _, _, password = auth_credentials.partition(":")
-        else:
-            password = auth_credentials
-    if password == "":  # nosec
+    if auth_credentials == "":  # nosec
         raise AuthenticationFailed("Malformed header")
-    tokens = Token.filter_not_expired(key=password, intent=TokenIntents.INTENT_API)
-    if not tokens.exists():
-        user = token_secret_key(password)
-        if not user:
-            raise AuthenticationFailed("Token invalid/expired")
-        return user
+    return auth_credentials
+
+
+def bearer_auth(raw_header: bytes) -> Optional[User]:
+    """raw_header in the Format of `Bearer ....`"""
+    auth_credentials = validate_auth(raw_header)
+    if not auth_credentials:
+        return None
+    # first, check traditional tokens
+    token = Token.filter_not_expired(key=auth_credentials, intent=TokenIntents.INTENT_API).first()
     if hasattr(LOCAL, "authentik"):
         LOCAL.authentik[KEY_AUTH_VIA] = "api_token"
-    return tokens.first().user
+    if token:
+        return token.user
+    user = token_secret_key(auth_credentials)
+    if user:
+        return user
+    raise AuthenticationFailed("Token invalid/expired")
 
 
 def token_secret_key(value: str) -> Optional[User]:
@@ -69,7 +65,7 @@ def token_secret_key(value: str) -> Optional[User]:
 class TokenAuthentication(BaseAuthentication):
     """Token-based authentication using HTTP Bearer authentication"""
 
-    def authenticate(self, request: Request) -> Union[tuple[User, Any], None]:
+    def authenticate(self, request: Request) -> tuple[User, Any] | None:
         """Token-based authentication using HTTP Bearer authentication"""
         auth = get_authorization_header(request)
 

authentik/api/templates/api/browser.html

@@ -30,7 +30,7 @@ function getCookie(name) {
 window.addEventListener('DOMContentLoaded', (event) => {
     const rapidocEl = document.querySelector('rapi-doc');
     rapidocEl.addEventListener('before-try', (e) => {
-        e.detail.request.headers.append('X-CSRFToken', getCookie("authentik_csrf"));
+        e.detail.request.headers.append('X-authentik-CSRF', getCookie("authentik_csrf"));
     });
 });
 </script>

authentik/api/tests/test_auth.py

@@ -14,12 +14,6 @@ from authentik.outposts.managed import OutpostManager
 class TestAPIAuth(TestCase):
     """Test API Authentication"""
 
-    def test_valid_basic(self):
-        """Test valid token"""
-        token = Token.objects.create(intent=TokenIntents.INTENT_API, user=get_anonymous_user())
-        auth = b64encode(f":{token.key}".encode()).decode()
-        self.assertEqual(bearer_auth(f"Basic {auth}".encode()), token.user)
-
     def test_valid_bearer(self):
         """Test valid token"""
         token = Token.objects.create(intent=TokenIntents.INTENT_API, user=get_anonymous_user())
@@ -30,16 +24,6 @@ class TestAPIAuth(TestCase):
         with self.assertRaises(AuthenticationFailed):
             bearer_auth("foo bar".encode())
 
-    def test_invalid_decode(self):
-        """Test invalid bas64"""
-        with self.assertRaises(AuthenticationFailed):
-            bearer_auth("Basic bar".encode())
-
-    def test_invalid_empty_password(self):
-        """Test invalid with empty password"""
-        with self.assertRaises(AuthenticationFailed):
-            bearer_auth("Basic :".encode())
-
     def test_invalid_no_token(self):
         """Test invalid with no token"""
         with self.assertRaises(AuthenticationFailed):

authentik/api/throttle.py

@@ -1,18 +0,0 @@
-"""Throttling classes"""
-from typing import Type
-
-from django.views import View
-from rest_framework.request import Request
-from rest_framework.throttling import ScopedRateThrottle
-
-
-class SessionThrottle(ScopedRateThrottle):
-    """Throttle based on session key"""
-
-    def allow_request(self, request: Request, view):
-        if request._request.user.is_superuser:
-            return True
-        return super().allow_request(request, view)
-
-    def get_cache_key(self, request: Request, view: Type[View]) -> str:
-        return f"authentik-throttle-session-{request._request.session.session_key}"

authentik/api/urls.py

@@ -4,7 +4,5 @@ from django.urls import include, path
 from authentik.api.v3.urls import urlpatterns as v3_urls
 
 urlpatterns = [
-    # TODO: Remove in 2022.1
-    path("v2beta/", include(v3_urls)),
     path("v3/", include(v3_urls)),
 ]

authentik/api/v3/config.py

@@ -1,11 +1,17 @@
 """core Configs API"""
-from os import environ, path
+from os import path
 
 from django.conf import settings
 from django.db import models
 from drf_spectacular.utils import extend_schema
-from kubernetes.config.incluster_config import SERVICE_HOST_ENV_NAME
-from rest_framework.fields import BooleanField, CharField, ChoiceField, IntegerField, ListField
+from rest_framework.fields import (
+    BooleanField,
+    CharField,
+    ChoiceField,
+    FloatField,
+    IntegerField,
+    ListField,
+)
 from rest_framework.permissions import AllowAny
 from rest_framework.request import Request
 from rest_framework.response import Response
@@ -21,16 +27,21 @@ class Capabilities(models.TextChoices):
 
     CAN_SAVE_MEDIA = "can_save_media"
     CAN_GEO_IP = "can_geo_ip"
-    CAN_BACKUP = "can_backup"
+
+
+class ErrorReportingConfigSerializer(PassiveSerializer):
+    """Config for error reporting"""
+
+    enabled = BooleanField(read_only=True)
+    environment = CharField(read_only=True)
+    send_pii = BooleanField(read_only=True)
+    traces_sample_rate = FloatField(read_only=True)
 
 
 class ConfigSerializer(PassiveSerializer):
     """Serialize authentik Config into DRF Object"""
 
-    error_reporting_enabled = BooleanField(read_only=True)
-    error_reporting_environment = CharField(read_only=True)
-    error_reporting_send_pii = BooleanField(read_only=True)
-
+    error_reporting = ErrorReportingConfigSerializer(required=True)
     capabilities = ListField(child=ChoiceField(choices=Capabilities.choices))
 
     cache_timeout = IntegerField(required=True)
@@ -52,13 +63,6 @@ class ConfigView(APIView):
             caps.append(Capabilities.CAN_SAVE_MEDIA)
         if GEOIP_READER.enabled:
             caps.append(Capabilities.CAN_GEO_IP)
-        if SERVICE_HOST_ENV_NAME in environ:
-            # Running in k8s, only s3 backup is supported
-            if CONFIG.y("postgresql.s3_backup"):
-                caps.append(Capabilities.CAN_BACKUP)
-        else:
-            # Running in compose, backup is always supported
-            caps.append(Capabilities.CAN_BACKUP)
         return caps
 
     @extend_schema(responses={200: ConfigSerializer(many=False)})
@@ -66,9 +70,12 @@ class ConfigView(APIView):
         """Retrieve public configuration options"""
         config = ConfigSerializer(
             {
-                "error_reporting_enabled": CONFIG.y("error_reporting.enabled"),
-                "error_reporting_environment": CONFIG.y("error_reporting.environment"),
-                "error_reporting_send_pii": CONFIG.y("error_reporting.send_pii"),
+                "error_reporting": {
+                    "enabled": CONFIG.y("error_reporting.enabled") and not settings.DEBUG,
+                    "environment": CONFIG.y("error_reporting.environment"),
+                    "send_pii": CONFIG.y("error_reporting.send_pii"),
+                    "traces_sample_rate": float(CONFIG.y("error_reporting.sample_rate", 0.4)),
+                },
                 "capabilities": self.get_capabilities(),
                 "cache_timeout": int(CONFIG.y("redis.cache_timeout")),
                 "cache_timeout_flows": int(CONFIG.y("redis.cache_timeout_flows")),

authentik/api/v3/urls.py

@@ -46,11 +46,7 @@ from authentik.policies.expiry.api import PasswordExpiryPolicyViewSet
 from authentik.policies.expression.api import ExpressionPolicyViewSet
 from authentik.policies.hibp.api import HaveIBeenPwendPolicyViewSet
 from authentik.policies.password.api import PasswordPolicyViewSet
-from authentik.policies.reputation.api import (
-    IPReputationViewSet,
-    ReputationPolicyViewSet,
-    UserReputationViewSet,
-)
+from authentik.policies.reputation.api import ReputationPolicyViewSet, ReputationViewSet
 from authentik.providers.ldap.api import LDAPOutpostConfigViewSet, LDAPProviderViewSet
 from authentik.providers.oauth2.api.provider import OAuth2ProviderViewSet
 from authentik.providers.oauth2.api.scope import ScopeMappingViewSet
@@ -151,8 +147,7 @@ router.register("policies/event_matcher", EventMatcherPolicyViewSet)
 router.register("policies/haveibeenpwned", HaveIBeenPwendPolicyViewSet)
 router.register("policies/password_expiry", PasswordExpiryPolicyViewSet)
 router.register("policies/password", PasswordPolicyViewSet)
-router.register("policies/reputation/users", UserReputationViewSet)
-router.register("policies/reputation/ips", IPReputationViewSet)
+router.register("policies/reputation/scores", ReputationViewSet)
 router.register("policies/reputation", ReputationPolicyViewSet)
 
 router.register("providers/all", ProviderViewSet)

authentik/core/api/applications.py

@@ -1,12 +1,15 @@
 """Application API Views"""
+from typing import Optional
+
 from django.core.cache import cache
 from django.db.models import QuerySet
 from django.http.response import HttpResponseBadRequest
 from django.shortcuts import get_object_or_404
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_schema
+from guardian.shortcuts import get_objects_for_user
 from rest_framework.decorators import action
-from rest_framework.fields import ReadOnlyField
+from rest_framework.fields import ReadOnlyField, SerializerMethodField
 from rest_framework.parsers import MultiPartParser
 from rest_framework.request import Request
 from rest_framework.response import Response
@@ -14,14 +17,16 @@ from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet
 from rest_framework_guardian.filters import ObjectPermissionsFilter
 from structlog.stdlib import get_logger
+from structlog.testing import capture_logs
 
-from authentik.admin.api.metrics import CoordinateSerializer, get_events_per_1h
+from authentik.admin.api.metrics import CoordinateSerializer
 from authentik.api.decorators import permission_required
 from authentik.core.api.providers import ProviderSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import FilePathSerializer, FileUploadSerializer
 from authentik.core.models import Application, User
 from authentik.events.models import EventAction
+from authentik.events.utils import sanitize_dict
 from authentik.policies.api.exec import PolicyTestResultSerializer
 from authentik.policies.engine import PolicyEngine
 from authentik.policies.types import PolicyResult
@@ -38,11 +43,16 @@ def user_app_cache_key(user_pk: str) -> str:
 class ApplicationSerializer(ModelSerializer):
     """Application Serializer"""
 
-    launch_url = ReadOnlyField(source="get_launch_url")
-    provider_obj = ProviderSerializer(source="get_provider", required=False)
+    launch_url = SerializerMethodField()
+    provider_obj = ProviderSerializer(source="get_provider", required=False, read_only=True)
 
     meta_icon = ReadOnlyField(source="get_meta_icon")
 
+    def get_launch_url(self, app: Application) -> Optional[str]:
+        """Allow formatting of launch URL"""
+        user = self.context["request"].user
+        return app.get_launch_url(user)
+
     class Meta:
 
         model = Application
@@ -58,6 +68,7 @@ class ApplicationSerializer(ModelSerializer):
             "meta_description",
             "meta_publisher",
             "policy_engine_mode",
+            "group",
         ]
         extra_kwargs = {
             "meta_icon": {"read_only": True},
@@ -75,6 +86,7 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
         "meta_launch_url",
         "meta_description",
         "meta_publisher",
+        "group",
     ]
     lookup_field = "slug"
     ordering = ["name"]
@@ -124,12 +136,19 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
                 return HttpResponseBadRequest("for_user must be numerical")
         engine = PolicyEngine(application, for_user, request)
         engine.use_cache = False
-        engine.build()
-        result = engine.result
+        with capture_logs() as logs:
+            engine.build()
+            result = engine.result
         response = PolicyTestResultSerializer(PolicyResult(False))
         if result.passing:
             response = PolicyTestResultSerializer(PolicyResult(True))
         if request.user.is_superuser:
+            log_messages = []
+            for log in logs:
+                if log.get("process", "") == "PolicyProcess":
+                    continue
+                log_messages.append(sanitize_dict(log))
+            result.log_messages = log_messages
             response = PolicyTestResultSerializer(result)
         return Response(response.data)
 
@@ -239,8 +258,10 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
         """Metrics for application logins"""
         app = self.get_object()
         return Response(
-            get_events_per_1h(
+            get_objects_for_user(request.user, "authentik_events.view_event")
+            .filter(
                 action=EventAction.AUTHORIZE_APPLICATION,
                 context__authorized_application__pk=app.pk.hex,
             )
+            .get_events_per_hour()
         )

authentik/core/api/groups.py

@@ -1,9 +1,11 @@
 """Groups API Viewset"""
+from json import loads
+
 from django.db.models.query import QuerySet
-from django_filters.filters import ModelMultipleChoiceFilter
+from django_filters.filters import CharFilter, ModelMultipleChoiceFilter
 from django_filters.filterset import FilterSet
-from rest_framework.fields import CharField, JSONField
-from rest_framework.serializers import ListSerializer, ModelSerializer
+from rest_framework.fields import CharField, IntegerField, JSONField
+from rest_framework.serializers import ListSerializer, ModelSerializer, ValidationError
 from rest_framework.viewsets import ModelViewSet
 from rest_framework_guardian.filters import ObjectPermissionsFilter
 
@@ -44,11 +46,14 @@ class GroupSerializer(ModelSerializer):
     )
     parent_name = CharField(source="parent.name", read_only=True)
 
+    num_pk = IntegerField(read_only=True)
+
     class Meta:
 
         model = Group
         fields = [
             "pk",
+            "num_pk",
             "name",
             "is_superuser",
             "parent",
@@ -62,6 +67,13 @@ class GroupSerializer(ModelSerializer):
 class GroupFilter(FilterSet):
     """Filter for groups"""
 
+    attributes = CharFilter(
+        field_name="attributes",
+        lookup_expr="",
+        label="Attributes",
+        method="filter_attributes",
+    )
+
     members_by_username = ModelMultipleChoiceFilter(
         field_name="users__username",
         to_field_name="username",
@@ -72,10 +84,28 @@ class GroupFilter(FilterSet):
         queryset=User.objects.all(),
     )
 
+    # pylint: disable=unused-argument
+    def filter_attributes(self, queryset, name, value):
+        """Filter attributes by query args"""
+        try:
+            value = loads(value)
+        except ValueError:
+            raise ValidationError(detail="filter: failed to parse JSON")
+        if not isinstance(value, dict):
+            raise ValidationError(detail="filter: value must be key:value mapping")
+        qs = {}
+        for key, _value in value.items():
+            qs[f"attributes__{key}"] = _value
+        try:
+            _ = len(queryset.filter(**qs))
+            return queryset.filter(**qs)
+        except ValueError:
+            return queryset
+
     class Meta:
 
         model = Group
-        fields = ["name", "is_superuser", "members_by_pk", "members_by_username"]
+        fields = ["name", "is_superuser", "members_by_pk", "attributes", "members_by_username"]
 
 
 class GroupViewSet(UsedByMixin, ModelViewSet):

authentik/core/api/propertymappings.py

@@ -56,6 +56,7 @@ class PropertyMappingSerializer(ManagedSerializer, ModelSerializer, MetaNameSeri
             "component",
             "verbose_name",
             "verbose_name_plural",
+            "meta_model_name",
         ]
 
 

authentik/core/api/providers.py

@@ -43,6 +43,7 @@ class ProviderSerializer(ModelSerializer, MetaNameSerializer):
             "assigned_application_name",
             "verbose_name",
             "verbose_name_plural",
+            "meta_model_name",
         ]
 
 

authentik/core/api/sources.py

@@ -48,6 +48,7 @@ class SourceSerializer(ModelSerializer, MetaNameSerializer):
             "component",
             "verbose_name",
             "verbose_name_plural",
+            "meta_model_name",
             "policy_engine_mode",
             "user_matching_mode",
         ]
@@ -103,14 +104,14 @@ class SourceViewSet(
         )
         matching_sources: list[UserSettingSerializer] = []
         for source in _all_sources:
-            user_settings = source.ui_user_settings
+            user_settings = source.ui_user_settings()
             if not user_settings:
                 continue
             policy_engine = PolicyEngine(source, request.user, request)
             policy_engine.build()
             if not policy_engine.passing:
                 continue
-            source_settings = source.ui_user_settings
+            source_settings = source.ui_user_settings()
             source_settings.initial_data["object_uid"] = source.slug
             if not source_settings.is_valid():
                 LOGGER.warning(source_settings.errors)

authentik/core/api/tokens.py

@@ -1,10 +1,9 @@
 """Tokens API Viewset"""
 from typing import Any
 
-from django.http.response import Http404
 from django_filters.rest_framework import DjangoFilterBackend
-from drf_spectacular.utils import OpenApiResponse, extend_schema
-from guardian.shortcuts import get_anonymous_user
+from drf_spectacular.utils import OpenApiResponse, extend_schema, inline_serializer
+from guardian.shortcuts import assign_perm, get_anonymous_user
 from rest_framework.decorators import action
 from rest_framework.exceptions import ValidationError
 from rest_framework.fields import CharField
@@ -21,13 +20,14 @@ from authentik.core.api.users import UserSerializer
 from authentik.core.api.utils import PassiveSerializer
 from authentik.core.models import USER_ATTRIBUTE_TOKEN_EXPIRING, Token, TokenIntents
 from authentik.events.models import Event, EventAction
+from authentik.events.utils import model_to_dict
 from authentik.managed.api import ManagedSerializer
 
 
 class TokenSerializer(ManagedSerializer, ModelSerializer):
     """Token Serializer"""
 
-    user_obj = UserSerializer(required=False, source="user")
+    user_obj = UserSerializer(required=False, source="user", read_only=True)
 
     def validate(self, attrs: dict[Any, str]) -> dict[Any, str]:
         """Ensure only API or App password tokens are created."""
@@ -96,10 +96,12 @@ class TokenViewSet(UsedByMixin, ModelViewSet):
 
     def perform_create(self, serializer: TokenSerializer):
         if not self.request.user.is_superuser:
-            return serializer.save(
+            instance = serializer.save(
                 user=self.request.user,
                 expiring=self.request.user.attributes.get(USER_ATTRIBUTE_TOKEN_EXPIRING, True),
             )
+            assign_perm("authentik_core.view_token_key", self.request.user, instance)
+            return instance
         return super().perform_create(serializer)
 
     @permission_required("authentik_core.view_token_key")
@@ -109,12 +111,39 @@ class TokenViewSet(UsedByMixin, ModelViewSet):
             404: OpenApiResponse(description="Token not found or expired"),
         }
     )
-    @action(detail=True, pagination_class=None, filter_backends=[])
+    @action(detail=True, pagination_class=None, filter_backends=[], methods=["GET"])
     # pylint: disable=unused-argument
     def view_key(self, request: Request, identifier: str) -> Response:
         """Return token key and log access"""
         token: Token = self.get_object()
-        if token.is_expired:
-            raise Http404
         Event.new(EventAction.SECRET_VIEW, secret=token).from_http(request)  # noqa # nosec
         return Response(TokenViewSerializer({"key": token.key}).data)
+
+    @permission_required("authentik_core.set_token_key")
+    @extend_schema(
+        request=inline_serializer(
+            "TokenSetKey",
+            {
+                "key": CharField(),
+            },
+        ),
+        responses={
+            204: OpenApiResponse(description="Successfully changed key"),
+            400: OpenApiResponse(description="Missing key"),
+            404: OpenApiResponse(description="Token not found or expired"),
+        },
+    )
+    @action(detail=True, pagination_class=None, filter_backends=[], methods=["POST"])
+    # pylint: disable=unused-argument
+    def set_key(self, request: Request, identifier: str) -> Response:
+        """Return token key and log access"""
+        token: Token = self.get_object()
+        key = request.POST.get("key")
+        if not key:
+            return Response(status=400)
+        token.key = key
+        token.save()
+        Event.new(EventAction.MODEL_UPDATED, model=model_to_dict(token)).from_http(
+            request
+        )  # noqa # nosec
+        return Response(status=204)

authentik/core/api/users.py

@@ -1,8 +1,9 @@
 """User API Views"""
 from datetime import timedelta
 from json import loads
-from typing import Optional
+from typing import Any, Optional
 
+from django.contrib.auth import update_session_auth_hash
 from django.db.models.query import QuerySet
 from django.db.transaction import atomic
 from django.db.utils import IntegrityError
@@ -22,8 +23,7 @@ from drf_spectacular.utils import (
 )
 from guardian.shortcuts import get_anonymous_user, get_objects_for_user
 from rest_framework.decorators import action
-from rest_framework.fields import CharField, DictField, JSONField, SerializerMethodField
-from rest_framework.permissions import IsAuthenticated
+from rest_framework.fields import CharField, JSONField, SerializerMethodField
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import (
@@ -38,15 +38,13 @@ from rest_framework.viewsets import ModelViewSet
 from rest_framework_guardian.filters import ObjectPermissionsFilter
 from structlog.stdlib import get_logger
 
-from authentik.admin.api.metrics import CoordinateSerializer, get_events_per_1h
+from authentik.admin.api.metrics import CoordinateSerializer
 from authentik.api.decorators import permission_required
 from authentik.core.api.groups import GroupSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import LinkSerializer, PassiveSerializer, is_dict
 from authentik.core.middleware import SESSION_IMPERSONATE_ORIGINAL_USER, SESSION_IMPERSONATE_USER
 from authentik.core.models import (
-    USER_ATTRIBUTE_CHANGE_EMAIL,
-    USER_ATTRIBUTE_CHANGE_USERNAME,
     USER_ATTRIBUTE_SA,
     USER_ATTRIBUTE_TOKEN_EXPIRING,
     Group,
@@ -98,14 +96,13 @@ class UserSerializer(ModelSerializer):
 
 
 class UserSelfSerializer(ModelSerializer):
-    """User Serializer for information a user can retrieve about themselves and
-    update about themselves"""
+    """User Serializer for information a user can retrieve about themselves"""
 
     is_superuser = BooleanField(read_only=True)
     avatar = CharField(read_only=True)
     groups = SerializerMethodField()
     uid = CharField(read_only=True)
-    settings = DictField(source="attributes.settings", default=dict)
+    settings = SerializerMethodField()
 
     @extend_schema_field(
         ListSerializer(
@@ -123,21 +120,9 @@ class UserSelfSerializer(ModelSerializer):
                 "pk": group.pk,
             }
 
-    def validate_email(self, email: str):
-        """Check if the user is allowed to change their email"""
-        if self.instance.group_attributes().get(USER_ATTRIBUTE_CHANGE_EMAIL, True):
-            return email
-        if email != self.instance.email:
-            raise ValidationError("Not allowed to change email.")
-        return email
-
-    def validate_username(self, username: str):
-        """Check if the user is allowed to change their username"""
-        if self.instance.group_attributes().get(USER_ATTRIBUTE_CHANGE_USERNAME, True):
-            return username
-        if username != self.instance.username:
-            raise ValidationError("Not allowed to change username.")
-        return username
+    def get_settings(self, user: User) -> dict[str, Any]:
+        """Get user settings with tenant and group settings applied"""
+        return user.group_attributes(self._context["request"]).get("settings", {})
 
     class Meta:
 
@@ -179,19 +164,31 @@ class UserMetricsSerializer(PassiveSerializer):
     def get_logins_per_1h(self, _):
         """Get successful logins per hour for the last 24 hours"""
         user = self.context["user"]
-        return get_events_per_1h(action=EventAction.LOGIN, user__pk=user.pk)
+        return (
+            get_objects_for_user(user, "authentik_events.view_event")
+            .filter(action=EventAction.LOGIN, user__pk=user.pk)
+            .get_events_per_hour()
+        )
 
     @extend_schema_field(CoordinateSerializer(many=True))
     def get_logins_failed_per_1h(self, _):
         """Get failed logins per hour for the last 24 hours"""
         user = self.context["user"]
-        return get_events_per_1h(action=EventAction.LOGIN_FAILED, context__username=user.username)
+        return (
+            get_objects_for_user(user, "authentik_events.view_event")
+            .filter(action=EventAction.LOGIN_FAILED, context__username=user.username)
+            .get_events_per_hour()
+        )
 
     @extend_schema_field(CoordinateSerializer(many=True))
     def get_authorizations_per_1h(self, _):
         """Get failed logins per hour for the last 24 hours"""
         user = self.context["user"]
-        return get_events_per_1h(action=EventAction.AUTHORIZE_APPLICATION, user__pk=user.pk)
+        return (
+            get_objects_for_user(user, "authentik_events.view_event")
+            .filter(action=EventAction.AUTHORIZE_APPLICATION, user__pk=user.pk)
+            .get_events_per_hour()
+        )
 
 
 class UsersFilter(FilterSet):
@@ -205,6 +202,7 @@ class UsersFilter(FilterSet):
     )
 
     is_superuser = BooleanFilter(field_name="ak_groups", lookup_expr="is_superuser")
+    uuid = CharFilter(field_name="uuid")
 
     groups_by_name = ModelMultipleChoiceFilter(
         field_name="ak_groups__name",
@@ -228,7 +226,11 @@ class UsersFilter(FilterSet):
         qs = {}
         for key, _value in value.items():
             qs[f"attributes__{key}"] = _value
-        return queryset.filter(**qs)
+        try:
+            _ = len(queryset.filter(**qs))
+            return queryset.filter(**qs)
+        except ValueError:
+            return queryset
 
     class Meta:
         model = User
@@ -250,7 +252,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
     queryset = User.objects.none()
     ordering = ["username"]
     serializer_class = UserSerializer
-    search_fields = ["username", "name", "is_active", "email"]
+    search_fields = ["username", "name", "is_active", "email", "uuid"]
     filterset_class = UsersFilter
 
     def get_queryset(self):  # pragma: no cover
@@ -309,7 +311,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
                     name=username,
                     attributes={USER_ATTRIBUTE_SA: True, USER_ATTRIBUTE_TOKEN_EXPIRING: False},
                 )
-                if create_group:
+                if create_group and self.request.user.has_perm("authentik_core.add_group"):
                     group = Group.objects.create(
                         name=username,
                     )
@@ -329,34 +331,45 @@ class UserViewSet(UsedByMixin, ModelViewSet):
     # pylint: disable=invalid-name
     def me(self, request: Request) -> Response:
         """Get information about current user"""
+        context = {"request": request}
         serializer = SessionUserSerializer(
-            data={"user": UserSelfSerializer(instance=request.user).data}
+            data={"user": UserSelfSerializer(instance=request.user, context=context).data}
         )
         if SESSION_IMPERSONATE_USER in request._request.session:
             serializer.initial_data["original"] = UserSelfSerializer(
-                instance=request._request.session[SESSION_IMPERSONATE_ORIGINAL_USER]
+                instance=request._request.session[SESSION_IMPERSONATE_ORIGINAL_USER],
+                context=context,
             ).data
         return Response(serializer.initial_data)
 
-    @extend_schema(request=UserSelfSerializer, responses={200: SessionUserSerializer(many=False)})
-    @action(
-        methods=["PUT"],
-        detail=False,
-        pagination_class=None,
-        filter_backends=[],
-        permission_classes=[IsAuthenticated],
+    @permission_required("authentik_core.reset_user_password")
+    @extend_schema(
+        request=inline_serializer(
+            "UserPasswordSetSerializer",
+            {
+                "password": CharField(required=True),
+            },
+        ),
+        responses={
+            204: "",
+            400: "",
+        },
     )
-    def update_self(self, request: Request) -> Response:
-        """Allow users to change information on their own profile"""
-        data = UserSelfSerializer(instance=User.objects.get(pk=request.user.pk), data=request.data)
-        if not data.is_valid():
-            return Response(data.errors, status=400)
-        new_user = data.save()
-        # If we're impersonating, we need to update that user object
-        # since it caches the full object
-        if SESSION_IMPERSONATE_USER in request.session:
-            request.session[SESSION_IMPERSONATE_USER] = new_user
-        return Response({"user": data.data})
+    @action(detail=True, methods=["POST"])
+    # pylint: disable=invalid-name, unused-argument
+    def set_password(self, request: Request, pk: int) -> Response:
+        """Set password for user"""
+        user: User = self.get_object()
+        try:
+            user.set_password(request.data.get("password"))
+            user.save()
+        except (ValidationError, IntegrityError) as exc:
+            LOGGER.debug("Failed to set password", exc=exc)
+            return Response(status=400)
+        if user.pk == request.user.pk and SESSION_IMPERSONATE_USER not in self.request.session:
+            LOGGER.debug("Updating session hash after password change")
+            update_session_auth_hash(self.request, user)
+        return Response(status=204)
 
     @permission_required("authentik_core.view_user", ["authentik_events.view_event"])
     @extend_schema(responses={200: UserMetricsSerializer(many=False)})

authentik/core/api/utils.py

@@ -41,6 +41,7 @@ class MetaNameSerializer(PassiveSerializer):
 
     verbose_name = SerializerMethodField()
     verbose_name_plural = SerializerMethodField()
+    meta_model_name = SerializerMethodField()
 
     def get_verbose_name(self, obj: Model) -> str:
         """Return object's verbose_name"""
@@ -50,6 +51,10 @@ class MetaNameSerializer(PassiveSerializer):
         """Return object's plural verbose_name"""
         return obj._meta.verbose_name_plural
 
+    def get_meta_model_name(self, obj: Model) -> str:
+        """Return internal model name"""
+        return f"{obj._meta.app_label}.{obj._meta.model_name}"
+
 
 class TypeCreateSerializer(PassiveSerializer):
     """Types of an object that can be created"""

authentik/core/auth.py

@@ -30,7 +30,7 @@ class InbuiltBackend(ModelBackend):
             return
         # Since we can't directly pass other variables to signals, and we want to log the method
         # and the token used, we assume we're running in a flow and set a variable in the context
-        flow_plan: FlowPlan = request.session[SESSION_KEY_PLAN]
+        flow_plan: FlowPlan = request.session.get(SESSION_KEY_PLAN, FlowPlan(""))
         flow_plan.context[PLAN_CONTEXT_METHOD] = method
         flow_plan.context[PLAN_CONTEXT_METHOD_ARGS] = cleanse_dict(sanitize_dict(kwargs))
         request.session[SESSION_KEY_PLAN] = flow_plan
@@ -49,6 +49,7 @@ class TokenBackend(InbuiltBackend):
             # difference between an existing and a nonexistent user (#20760).
             User().set_password(password)
             return None
+        # pylint: disable=no-member
         tokens = Token.filter_not_expired(
             user=user, key=password, intent=TokenIntents.INTENT_APP_PASSWORD
         )

authentik/core/management/commands/dump_config.py

@@ -1,15 +0,0 @@
-"""Output full config"""
-from json import dumps
-
-from django.core.management.base import BaseCommand, no_translations
-
-from authentik.lib.config import CONFIG
-
-
-class Command(BaseCommand):  # pragma: no cover
-    """Output full config"""
-
-    @no_translations
-    def handle(self, *args, **options):
-        """Check permissions for all apps"""
-        print(dumps(CONFIG.raw, indent=4))

authentik/core/middleware.py

@@ -5,6 +5,7 @@ from typing import Callable
 from uuid import uuid4
 
 from django.http import HttpRequest, HttpResponse
+from sentry_sdk.api import set_tag
 
 SESSION_IMPERSONATE_USER = "authentik_impersonate_user"
 SESSION_IMPERSONATE_ORIGINAL_USER = "authentik_impersonate_original_user"
@@ -12,7 +13,6 @@ LOCAL = local()
 RESPONSE_HEADER_ID = "X-authentik-id"
 KEY_AUTH_VIA = "auth_via"
 KEY_USER = "user"
-INTERNAL_HEADER_PREFIX = "X-authentik-internal-"
 
 
 class ImpersonateMiddleware:
@@ -51,11 +51,12 @@ class RequestIDMiddleware:
                 "request_id": request_id,
                 "host": request.get_host(),
             }
+            set_tag("authentik.request_id", request_id)
         response = self.get_response(request)
         response[RESPONSE_HEADER_ID] = request.request_id
-        if auth_via := LOCAL.authentik.get(KEY_AUTH_VIA, None):
-            response[INTERNAL_HEADER_PREFIX + KEY_AUTH_VIA] = auth_via
-        response[INTERNAL_HEADER_PREFIX + KEY_USER] = request.user.username
+        setattr(response, "ak_context", {})
+        response.ak_context.update(LOCAL.authentik)
+        response.ak_context[KEY_USER] = request.user.username
         for key in list(LOCAL.authentik.keys()):
             del LOCAL.authentik[key]
         return response
@@ -66,4 +67,6 @@ def structlog_add_request_id(logger: Logger, method_name: str, event_dict: dict)
     """If threadlocal has authentik defined, add request_id to log"""
     if hasattr(LOCAL, "authentik"):
         event_dict.update(LOCAL.authentik)
+    if hasattr(LOCAL, "authentik_task"):
+        event_dict.update(LOCAL.authentik_task)
     return event_dict

authentik/core/migrations/0018_auto_20210330_1345_squashed_0028_alter_token_intent.py

@@ -3,7 +3,6 @@
 import uuid
 from os import environ
 
-import django.core.validators
 import django.db.models.deletion
 from django.apps.registry import Apps
 from django.conf import settings
@@ -12,10 +11,10 @@ from django.db.backends.base.schema import BaseDatabaseSchemaEditor
 from django.db.models import Count
 
 import authentik.core.models
+import authentik.lib.models
 
 
 def migrate_sessions(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    db_alias = schema_editor.connection.alias
     from django.contrib.sessions.backends.cache import KEY_PREFIX
     from django.core.cache import cache
 
@@ -161,7 +160,7 @@ class Migration(migrations.Migration):
             model_name="application",
             name="meta_launch_url",
             field=models.TextField(
-                blank=True, default="", validators=[django.core.validators.URLValidator()]
+                blank=True, default="", validators=[authentik.lib.models.DomainlessURLValidator()]
             ),
         ),
         migrations.RunPython(

authentik/core/migrations/0019_application_group.py

@@ -0,0 +1,18 @@
+# Generated by Django 4.0.3 on 2022-04-02 19:48
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0018_auto_20210330_1345_squashed_0028_alter_token_intent"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="application",
+            name="group",
+            field=models.TextField(blank=True, default=""),
+        ),
+    ]

authentik/core/migrations/0022_authenticatedsession.py

@@ -12,7 +12,6 @@ import authentik.core.models
 
 
 def migrate_sessions(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    db_alias = schema_editor.connection.alias
     from django.contrib.sessions.backends.cache import KEY_PREFIX
     from django.core.cache import cache
 

authentik/core/migrations/0023_alter_application_meta_launch_url.py

@@ -1,8 +1,9 @@
 # Generated by Django 3.2.3 on 2021-06-02 21:51
 
-import django.core.validators
 from django.db import migrations, models
 
+import authentik.lib.models
+
 
 class Migration(migrations.Migration):
 
@@ -17,7 +18,7 @@ class Migration(migrations.Migration):
             field=models.TextField(
                 blank=True,
                 default="",
-                validators=[django.core.validators.URLValidator()],
+                validators=[authentik.lib.models.DomainlessURLValidator()],
             ),
         ),
     ]

authentik/core/models.py

@@ -1,20 +1,20 @@
 """authentik core models"""
 from datetime import timedelta
 from hashlib import md5, sha256
-from typing import Any, Optional, Type
+from typing import Any, Optional
 from urllib.parse import urlencode
 from uuid import uuid4
 
 from deepmerge import always_merger
 from django.conf import settings
+from django.contrib.auth.hashers import check_password
 from django.contrib.auth.models import AbstractUser
 from django.contrib.auth.models import UserManager as DjangoUserManager
-from django.core import validators
 from django.db import models
 from django.db.models import Q, QuerySet, options
 from django.http import HttpRequest
 from django.templatetags.static import static
-from django.utils.functional import cached_property
+from django.utils.functional import SimpleLazyObject, cached_property
 from django.utils.html import escape
 from django.utils.timezone import now
 from django.utils.translation import gettext_lazy as _
@@ -26,10 +26,9 @@ from structlog.stdlib import get_logger
 from authentik.core.exceptions import PropertyMappingExpressionException
 from authentik.core.signals import password_changed
 from authentik.core.types import UILoginButton, UserSettingSerializer
-from authentik.flows.models import Flow
 from authentik.lib.config import CONFIG
 from authentik.lib.generators import generate_id
-from authentik.lib.models import CreatedUpdatedModel, SerializerModel
+from authentik.lib.models import CreatedUpdatedModel, DomainlessURLValidator, SerializerModel
 from authentik.lib.utils.http import get_client_ip
 from authentik.managed.models import ManagedModel
 from authentik.policies.models import PolicyBindingModel
@@ -37,9 +36,13 @@ from authentik.policies.models import PolicyBindingModel
 LOGGER = get_logger()
 USER_ATTRIBUTE_DEBUG = "goauthentik.io/user/debug"
 USER_ATTRIBUTE_SA = "goauthentik.io/user/service-account"
+USER_ATTRIBUTE_GENERATED = "goauthentik.io/user/generated"
+USER_ATTRIBUTE_EXPIRES = "goauthentik.io/user/expires"
+USER_ATTRIBUTE_DELETE_ON_LOGOUT = "goauthentik.io/user/delete-on-logout"
 USER_ATTRIBUTE_SOURCES = "goauthentik.io/user/sources"
 USER_ATTRIBUTE_TOKEN_EXPIRING = "goauthentik.io/user/token-expires"  # nosec
 USER_ATTRIBUTE_CHANGE_USERNAME = "goauthentik.io/user/can-change-username"
+USER_ATTRIBUTE_CHANGE_NAME = "goauthentik.io/user/can-change-name"
 USER_ATTRIBUTE_CHANGE_EMAIL = "goauthentik.io/user/can-change-email"
 USER_ATTRIBUTE_CAN_OVERRIDE_IP = "goauthentik.io/user/override-ips"
 
@@ -59,7 +62,7 @@ def default_token_key():
     """Default token key"""
     # We use generate_id since the chars in the key should be easy
     # to use in Emails (for verification) and URLs (for recovery)
-    return generate_id(128)
+    return generate_id(int(CONFIG.y("default_token_length")))
 
 
 class Group(models.Model):
@@ -81,6 +84,13 @@ class Group(models.Model):
     )
     attributes = models.JSONField(default=dict, blank=True)
 
+    @property
+    def num_pk(self) -> int:
+        """Get a numerical, int32 ID for the group"""
+        # int max is 2147483647 (10 digits) so 9 is the max usable
+        # in the LDAP Outpost we use the last 5 chars so match here
+        return int(str(self.pk.int)[:5])
+
     def is_member(self, user: "User") -> bool:
         """Recursively check if `user` is member of us, or any parent."""
         query = """
@@ -137,10 +147,12 @@ class User(GuardianUserMixin, AbstractUser):
 
     objects = UserManager()
 
-    def group_attributes(self) -> dict[str, Any]:
+    def group_attributes(self, request: Optional[HttpRequest] = None) -> dict[str, Any]:
         """Get a dictionary containing the attributes from all groups the user belongs to,
         including the users attributes"""
         final_attributes = {}
+        if request and hasattr(request, "tenant"):
+            always_merger.merge(final_attributes, request.tenant.attributes)
         for group in self.ak_groups.all().order_by("name"):
             always_merger.merge(final_attributes, group.attributes)
         always_merger.merge(final_attributes, self.attributes)
@@ -156,11 +168,27 @@ class User(GuardianUserMixin, AbstractUser):
         """superuser == staff user"""
         return self.is_superuser  # type: ignore
 
-    def set_password(self, password, signal=True):
+    def set_password(self, raw_password, signal=True):
         if self.pk and signal:
-            password_changed.send(sender=self, user=self, password=password)
+            password_changed.send(sender=self, user=self, password=raw_password)
         self.password_change_date = now()
-        return super().set_password(password)
+        return super().set_password(raw_password)
+
+    def check_password(self, raw_password: str) -> bool:
+        """
+        Return a boolean of whether the raw_password was correct. Handles
+        hashing formats behind the scenes.
+
+        Slightly changed version which doesn't send a signal for such internal hash upgrades
+        """
+
+        def setter(raw_password):
+            self.set_password(raw_password, signal=False)
+            # Password hash upgrades shouldn't be considered password changes.
+            self._password = None
+            self.save(update_fields=["password"])
+
+        return check_password(raw_password, self.password, setter)
 
     @property
     def uid(self) -> str:
@@ -204,7 +232,7 @@ class Provider(SerializerModel):
     name = models.TextField()
 
     authorization_flow = models.ForeignKey(
-        Flow,
+        "authentik_flows.Flow",
         on_delete=models.CASCADE,
         help_text=_("Flow used when authorizing this provider."),
         related_name="provider_authorization",
@@ -226,7 +254,7 @@ class Provider(SerializerModel):
         raise NotImplementedError
 
     @property
-    def serializer(self) -> Type[Serializer]:
+    def serializer(self) -> type[Serializer]:
         """Get serializer for this model"""
         raise NotImplementedError
 
@@ -241,12 +269,14 @@ class Application(PolicyBindingModel):
 
     name = models.TextField(help_text=_("Application's display Name."))
     slug = models.SlugField(help_text=_("Internal application name, used in URLs."), unique=True)
+    group = models.TextField(blank=True, default="")
+
     provider = models.OneToOneField(
         "Provider", null=True, blank=True, default=None, on_delete=models.SET_DEFAULT
     )
 
     meta_launch_url = models.TextField(
-        default="", blank=True, validators=[validators.URLValidator()]
+        default="", blank=True, validators=[DomainlessURLValidator()]
     )
     # For template applications, this can be set to /static/authentik/applications/*
     meta_icon = models.FileField(
@@ -264,23 +294,40 @@ class Application(PolicyBindingModel):
         it is returned as-is"""
         if not self.meta_icon:
             return None
-        if self.meta_icon.name.startswith("http") or self.meta_icon.name.startswith("/static"):
+        if "://" in self.meta_icon.name or self.meta_icon.name.startswith("/static"):
             return self.meta_icon.name
         return self.meta_icon.url
 
-    def get_launch_url(self) -> Optional[str]:
+    def get_launch_url(self, user: Optional["User"] = None) -> Optional[str]:
         """Get launch URL if set, otherwise attempt to get launch URL based on provider."""
+        url = None
+        if provider := self.get_provider():
+            url = provider.launch_url
         if self.meta_launch_url:
-            return self.meta_launch_url
-        if self.provider:
-            return self.get_provider().launch_url
-        return None
+            url = self.meta_launch_url
+        if user and url:
+            if isinstance(user, SimpleLazyObject):
+                user._setup()
+                user = user._wrapped
+            try:
+                return url % user.__dict__
+            # pylint: disable=broad-except
+            except Exception as exc:
+                LOGGER.warning("Failed to format launch url", exc=exc)
+                return url
+        return url
 
     def get_provider(self) -> Optional[Provider]:
         """Get casted provider instance"""
         if not self.provider:
             return None
-        return Provider.objects.get_subclass(pk=self.provider.pk)
+        # if the Application class has been cache, self.provider is set
+        # but doing a direct query lookup will fail.
+        # In that case, just return None
+        try:
+            return Provider.objects.get_subclass(pk=self.provider.pk)
+        except Provider.DoesNotExist:
+            return None
 
     def __str__(self):
         return self.name
@@ -325,7 +372,7 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
     property_mappings = models.ManyToManyField("PropertyMapping", default=None, blank=True)
 
     authentication_flow = models.ForeignKey(
-        Flow,
+        "authentik_flows.Flow",
         blank=True,
         null=True,
         default=None,
@@ -334,7 +381,7 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
         related_name="source_authentication",
     )
     enrollment_flow = models.ForeignKey(
-        Flow,
+        "authentik_flows.Flow",
         blank=True,
         null=True,
         default=None,
@@ -361,13 +408,11 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
         """Return component used to edit this object"""
         raise NotImplementedError
 
-    @property
-    def ui_login_button(self) -> Optional[UILoginButton]:
+    def ui_login_button(self, request: HttpRequest) -> Optional[UILoginButton]:
         """If source uses a http-based flow, return UI Information about the login
         button. If source doesn't use http-based flow, return None."""
         return None
 
-    @property
     def ui_user_settings(self) -> Optional[UserSettingSerializer]:
         """Entrypoint to integrate with User settings. Can either return None if no
         user settings are available, or UserSettingSerializer."""
@@ -454,6 +499,14 @@ class Token(ManagedModel, ExpiringModel):
         """Handler which is called when this object is expired."""
         from authentik.events.models import Event, EventAction
 
+        if self.intent in [
+            TokenIntents.INTENT_RECOVERY,
+            TokenIntents.INTENT_VERIFICATION,
+            TokenIntents.INTENT_APP_PASSWORD,
+        ]:
+            super().expire_action(*args, **kwargs)
+            return
+
         self.key = default_token_key()
         self.expires = default_token_duration()
         self.save(*args, **kwargs)
@@ -495,7 +548,7 @@ class PropertyMapping(SerializerModel, ManagedModel):
         raise NotImplementedError
 
     @property
-    def serializer(self) -> Type[Serializer]:
+    def serializer(self) -> type[Serializer]:
         """Get serializer for this model"""
         raise NotImplementedError
 

authentik/core/signals.py

@@ -1,6 +1,7 @@
 """authentik core signals"""
-from typing import TYPE_CHECKING, Type
+from typing import TYPE_CHECKING
 
+from django.apps import apps
 from django.contrib.auth.signals import user_logged_in, user_logged_out
 from django.contrib.sessions.backends.cache import KEY_PREFIX
 from django.core.cache import cache
@@ -11,6 +12,8 @@ from django.dispatch import receiver
 from django.http.request import HttpRequest
 from prometheus_client import Gauge
 
+from authentik.root.monitoring import monitoring_set
+
 # Arguments: user: User, password: str
 password_changed = Signal()
 
@@ -20,6 +23,17 @@ if TYPE_CHECKING:
     from authentik.core.models import AuthenticatedSession, User
 
 
+@receiver(monitoring_set)
+# pylint: disable=unused-argument
+def monitoring_set_models(sender, **kwargs):
+    """set models gauges"""
+    for model in apps.get_models():
+        GAUGE_MODELS.labels(
+            model_name=model._meta.model_name,
+            app=model._meta.app_label,
+        ).set(model.objects.count())
+
+
 @receiver(post_save)
 # pylint: disable=unused-argument
 def post_save_application(sender: type[Model], instance, created: bool, **_):
@@ -27,11 +41,6 @@ def post_save_application(sender: type[Model], instance, created: bool, **_):
     from authentik.core.api.applications import user_app_cache_key
     from authentik.core.models import Application
 
-    GAUGE_MODELS.labels(
-        model_name=sender._meta.model_name,
-        app=sender._meta.app_label,
-    ).set(sender.objects.count())
-
     if sender != Application:
         return
     if not created:  # pragma: no cover
@@ -62,7 +71,7 @@ def user_logged_out_session(sender, request: HttpRequest, user: "User", **_):
 
 
 @receiver(pre_delete)
-def authenticated_session_delete(sender: Type[Model], instance: "AuthenticatedSession", **_):
+def authenticated_session_delete(sender: type[Model], instance: "AuthenticatedSession", **_):
     """Delete session when authenticated session is deleted"""
     from authentik.core.models import AuthenticatedSession
 

authentik/core/sources/flow_manager.py

@@ -1,6 +1,6 @@
 """Source decision helper"""
 from enum import Enum
-from typing import Any, Optional, Type
+from typing import Any, Optional
 
 from django.contrib import messages
 from django.db import IntegrityError
@@ -14,6 +14,7 @@ from structlog.stdlib import get_logger
 from authentik.core.models import Source, SourceUserMatchingModes, User, UserSourceConnection
 from authentik.core.sources.stage import PLAN_CONTEXT_SOURCES_CONNECTION, PostUserEnrollmentStage
 from authentik.events.models import Event, EventAction
+from authentik.flows.exceptions import FlowNonApplicableException
 from authentik.flows.models import Flow, Stage, in_memory_stage
 from authentik.flows.planner import (
     PLAN_CONTEXT_PENDING_USER,
@@ -24,6 +25,8 @@ from authentik.flows.planner import (
 )
 from authentik.flows.views.executor import NEXT_ARG_NAME, SESSION_KEY_GET, SESSION_KEY_PLAN
 from authentik.lib.utils.urls import redirect_with_qs
+from authentik.policies.denied import AccessDeniedResponse
+from authentik.policies.types import PolicyResult
 from authentik.policies.utils import delete_none_keys
 from authentik.stages.password import BACKEND_INBUILT
 from authentik.stages.password.stage import PLAN_CONTEXT_AUTHENTICATION_BACKEND
@@ -50,7 +53,10 @@ class SourceFlowManager:
 
     identifier: str
 
-    connection_type: Type[UserSourceConnection] = UserSourceConnection
+    connection_type: type[UserSourceConnection] = UserSourceConnection
+
+    enroll_info: dict[str, Any]
+    policy_context: dict[str, Any]
 
     def __init__(
         self,
@@ -64,6 +70,7 @@ class SourceFlowManager:
         self.identifier = identifier
         self.enroll_info = enroll_info
         self._logger = get_logger().bind(source=source, identifier=identifier)
+        self.policy_context = {}
 
     # pylint: disable=too-many-return-statements
     def get_action(self, **kwargs) -> tuple[Action, Optional[UserSourceConnection]]:
@@ -144,20 +151,23 @@ class SourceFlowManager:
         except IntegrityError as exc:
             self._logger.warning("failed to get action", exc=exc)
             return redirect("/")
-        self._logger.debug("get_action() says", action=action, connection=connection)
-        if connection:
-            if action == Action.LINK:
-                self._logger.debug("Linking existing user")
-                return self.handle_existing_user_link(connection)
-            if action == Action.AUTH:
-                self._logger.debug("Handling auth user")
-                return self.handle_auth_user(connection)
-            if action == Action.ENROLL:
-                self._logger.debug("Handling enrollment of new user")
-                return self.handle_enroll(connection)
+        self._logger.debug("get_action", action=action, connection=connection)
+        try:
+            if connection:
+                if action == Action.LINK:
+                    self._logger.debug("Linking existing user")
+                    return self.handle_existing_user_link(connection)
+                if action == Action.AUTH:
+                    self._logger.debug("Handling auth user")
+                    return self.handle_auth_user(connection)
+                if action == Action.ENROLL:
+                    self._logger.debug("Handling enrollment of new user")
+                    return self.handle_enroll(connection)
+        except FlowNonApplicableException as exc:
+            self._logger.warning("Flow non applicable", exc=exc)
+            return self.error_handler(exc, exc.policy_result)
         # Default case, assume deny
-        messages.error(
-            self.request,
+        error = (
             _(
                 (
                     "Request to authenticate with %(source)s has been denied. Please authenticate "
@@ -166,7 +176,17 @@ class SourceFlowManager:
                 % {"source": self.source.name}
             ),
         )
-        return redirect(reverse("authentik_core:root-redirect"))
+        return self.error_handler(error)
+
+    def error_handler(
+        self, error: Exception, policy_result: Optional[PolicyResult] = None
+    ) -> HttpResponse:
+        """Handle any errors by returning an access denied stage"""
+        response = AccessDeniedResponse(self.request)
+        response.error_message = str(error)
+        if policy_result:
+            response.policy_result = policy_result
+        return response
 
     # pylint: disable=unused-argument
     def get_stages_to_append(self, flow: Flow) -> list[Stage]:
@@ -179,7 +199,9 @@ class SourceFlowManager:
             ]
         return []
 
-    def _handle_login_flow(self, flow: Flow, **kwargs) -> HttpResponse:
+    def _handle_login_flow(
+        self, flow: Flow, connection: UserSourceConnection, **kwargs
+    ) -> HttpResponse:
         """Prepare Authentication Plan, redirect user FlowExecutor"""
         # Ensure redirect is carried through when user was trying to
         # authorize application
@@ -193,8 +215,10 @@ class SourceFlowManager:
                 PLAN_CONTEXT_SSO: True,
                 PLAN_CONTEXT_SOURCE: self.source,
                 PLAN_CONTEXT_REDIRECT: final_redirect,
+                PLAN_CONTEXT_SOURCES_CONNECTION: connection,
             }
         )
+        kwargs.update(self.policy_context)
         if not flow:
             return HttpResponseBadRequest()
         # We run the Flow planner here so we can pass the Pending user in the context
@@ -220,7 +244,7 @@ class SourceFlowManager:
             _("Successfully authenticated with %(source)s!" % {"source": self.source.name}),
         )
         flow_kwargs = {PLAN_CONTEXT_PENDING_USER: connection.user}
-        return self._handle_login_flow(self.source.authentication_flow, **flow_kwargs)
+        return self._handle_login_flow(self.source.authentication_flow, connection, **flow_kwargs)
 
     def handle_existing_user_link(
         self,
@@ -264,8 +288,8 @@ class SourceFlowManager:
             return HttpResponseBadRequest()
         return self._handle_login_flow(
             self.source.enrollment_flow,
+            connection,
             **{
                 PLAN_CONTEXT_PROMPT: delete_none_keys(self.enroll_info),
-                PLAN_CONTEXT_SOURCES_CONNECTION: connection,
             },
         )

authentik/core/tasks.py

@@ -1,35 +1,31 @@
 """authentik core tasks"""
-from datetime import datetime
-from io import StringIO
-from os import environ
+from datetime import datetime, timedelta
 
-from boto3.exceptions import Boto3Error
-from botocore.exceptions import BotoCoreError, ClientError
-from dbbackup.db.exceptions import CommandConnectorError
-from django.conf import settings
-from django.contrib.humanize.templatetags.humanize import naturaltime
 from django.contrib.sessions.backends.cache import KEY_PREFIX
-from django.core import management
 from django.core.cache import cache
 from django.utils.timezone import now
-from kubernetes.config.incluster_config import SERVICE_HOST_ENV_NAME
 from structlog.stdlib import get_logger
 
-from authentik.core.models import AuthenticatedSession, ExpiringModel
+from authentik.core.models import (
+    USER_ATTRIBUTE_EXPIRES,
+    USER_ATTRIBUTE_GENERATED,
+    AuthenticatedSession,
+    ExpiringModel,
+    User,
+)
 from authentik.events.monitored_tasks import (
     MonitoredTask,
     TaskResult,
     TaskResultStatus,
     prefill_task,
 )
-from authentik.lib.config import CONFIG
 from authentik.root.celery import CELERY_APP
 
 LOGGER = get_logger()
 
 
 @CELERY_APP.task(bind=True, base=MonitoredTask)
-@prefill_task()
+@prefill_task
 def clean_expired_models(self: MonitoredTask):
     """Remove expired objects"""
     messages = []
@@ -56,46 +52,22 @@ def clean_expired_models(self: MonitoredTask):
     self.set_status(TaskResult(TaskResultStatus.SUCCESSFUL, messages))
 
 
-def should_backup() -> bool:
-    """Check if we should be doing backups"""
-    if SERVICE_HOST_ENV_NAME in environ and not CONFIG.y("postgresql.s3_backup.bucket"):
-        LOGGER.info("Running in k8s and s3 backups are not configured, skipping")
-        return False
-    if not CONFIG.y_bool("postgresql.backup.enabled"):
-        return False
-    if settings.DEBUG:
-        return False
-    return True
-
-
 @CELERY_APP.task(bind=True, base=MonitoredTask)
-@prefill_task()
-def backup_database(self: MonitoredTask):  # pragma: no cover
-    """Database backup"""
-    self.result_timeout_hours = 25
-    if not should_backup():
-        self.set_status(TaskResult(TaskResultStatus.UNKNOWN, ["Backups are not configured."]))
-        return
-    try:
-        start = datetime.now()
-        out = StringIO()
-        management.call_command("dbbackup", quiet=True, stdout=out)
-        self.set_status(
-            TaskResult(
-                TaskResultStatus.SUCCESSFUL,
-                [
-                    f"Successfully finished database backup {naturaltime(start)} {out.getvalue()}",
-                ],
-            )
+@prefill_task
+def clean_temporary_users(self: MonitoredTask):
+    """Remove temporary users created by SAML Sources"""
+    _now = datetime.now()
+    messages = []
+    deleted_users = 0
+    for user in User.objects.filter(**{f"attributes__{USER_ATTRIBUTE_GENERATED}": True}):
+        if not user.attributes.get(USER_ATTRIBUTE_EXPIRES):
+            continue
+        delta: timedelta = _now - datetime.fromtimestamp(
+            user.attributes.get(USER_ATTRIBUTE_EXPIRES)
         )
-        LOGGER.info("Successfully backed up database.")
-    except (
-        IOError,
-        BotoCoreError,
-        ClientError,
-        Boto3Error,
-        PermissionError,
-        CommandConnectorError,
-        ValueError,
-    ) as exc:
-        self.set_status(TaskResult(TaskResultStatus.ERROR).with_error(exc))
+        if delta.total_seconds() > 0:
+            LOGGER.debug("User is expired and will be deleted.", user=user, delta=delta)
+            user.delete()
+            deleted_users += 1
+    messages.append(f"Successfully deleted {deleted_users} users.")
+    self.set_status(TaskResult(TaskResultStatus.SUCCESSFUL, messages))

authentik/core/templates/base/skeleton.html

@@ -16,9 +16,11 @@
         {% block head_before %}
         {% endblock %}
         <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">
+        <link rel="stylesheet" type="text/css" href="{% static 'dist/custom.css' %}">
         <script src="{% static 'dist/poly.js' %}" type="module"></script>
         {% block head %}
         {% endblock %}
+        <meta name="sentry-trace" content="{{ sentry_trace }}" />
     </head>
     <body>
         {% block body %}

authentik/core/templates/if/admin.html

@@ -5,11 +5,13 @@
 
 {% block head %}
 <script src="{% static 'dist/admin/AdminInterface.js' %}" type="module"></script>
+<meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)">
+<meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)">
 {% endblock %}
 
 {% block body %}
-<ak-message-container></ak-message-container>
-<ak-interface-admin>
+<ak-message-container data-refresh-on-locale="true"></ak-message-container>
+<ak-interface-admin data-refresh-on-locale="true">
     <section class="ak-static-page pf-c-page__main-section pf-m-no-padding-mobile pf-m-xl">
         <div class="pf-c-empty-state" style="height: 100vh;">
             <div class="pf-c-empty-state__content">

authentik/core/templates/if/flow.html

@@ -20,8 +20,8 @@
 {% endblock %}
 
 {% block body %}
-<ak-message-container></ak-message-container>
-<ak-flow-executor>
+<ak-message-container data-refresh-on-locale="true"></ak-message-container>
+<ak-flow-executor data-refresh-on-locale="true">
     <section class="ak-static-page pf-c-page__main-section pf-m-no-padding-mobile pf-m-xl">
         <div class="pf-c-empty-state" style="height: 100vh;">
             <div class="pf-c-empty-state__content">

authentik/core/templates/if/user.html

@@ -5,11 +5,13 @@
 
 {% block head %}
 <script src="{% static 'dist/user/UserInterface.js' %}" type="module"></script>
+<meta name="theme-color" content="#151515" media="(prefers-color-scheme: light)">
+<meta name="theme-color" content="#151515" media="(prefers-color-scheme: dark)">
 {% endblock %}
 
 {% block body %}
-<ak-message-container></ak-message-container>
-<ak-interface-user>
+<ak-message-container data-refresh-on-locale="true"></ak-message-container>
+<ak-interface-user data-refresh-on-locale="true">
     <section class="ak-static-page pf-c-page__main-section pf-m-no-padding-mobile pf-m-xl">
         <div class="pf-c-empty-state" style="height: 100vh;">
             <div class="pf-c-empty-state__content">

authentik/core/tests/test_applications_api.py

@@ -1,19 +1,36 @@
 """Test Applications API"""
+from json import loads
+
 from django.urls import reverse
-from django.utils.encoding import force_str
 from rest_framework.test import APITestCase
 
-from authentik.core.models import Application, User
+from authentik.core.models import Application
+from authentik.core.tests.utils import create_test_admin_user
+from authentik.flows.models import Flow
 from authentik.policies.dummy.models import DummyPolicy
 from authentik.policies.models import PolicyBinding
+from authentik.providers.oauth2.models import OAuth2Provider
 
 
 class TestApplicationsAPI(APITestCase):
     """Test applications API"""
 
     def setUp(self) -> None:
-        self.user = User.objects.get(username="akadmin")
-        self.allowed = Application.objects.create(name="allowed", slug="allowed")
+        self.user = create_test_admin_user()
+        self.provider = OAuth2Provider.objects.create(
+            name="test",
+            redirect_uris="http://some-other-domain",
+            authorization_flow=Flow.objects.create(
+                name="test",
+                slug="test",
+            ),
+        )
+        self.allowed = Application.objects.create(
+            name="allowed",
+            slug="allowed",
+            meta_launch_url="https://goauthentik.io/%(username)s",
+            provider=self.provider,
+        )
         self.denied = Application.objects.create(name="denied", slug="denied")
         PolicyBinding.objects.create(
             target=self.denied,
@@ -31,7 +48,10 @@ class TestApplicationsAPI(APITestCase):
             )
         )
         self.assertEqual(response.status_code, 200)
-        self.assertJSONEqual(force_str(response.content), {"messages": [], "passing": True})
+        body = loads(response.content.decode())
+        self.assertEqual(body["passing"], True)
+        self.assertEqual(body["messages"], [])
+        self.assertEqual(len(body["log_messages"]), 0)
         response = self.client.get(
             reverse(
                 "authentik_api:application-check-access",
@@ -39,14 +59,16 @@ class TestApplicationsAPI(APITestCase):
             )
         )
         self.assertEqual(response.status_code, 200)
-        self.assertJSONEqual(force_str(response.content), {"messages": ["dummy"], "passing": False})
+        body = loads(response.content.decode())
+        self.assertEqual(body["passing"], False)
+        self.assertEqual(body["messages"], ["dummy"])
 
     def test_list(self):
         """Test list operation without superuser_full_list"""
         self.client.force_login(self.user)
         response = self.client.get(reverse("authentik_api:application-list"))
         self.assertJSONEqual(
-            force_str(response.content),
+            response.content.decode(),
             {
                 "pagination": {
                     "next": 0,
@@ -62,10 +84,22 @@ class TestApplicationsAPI(APITestCase):
                         "pk": str(self.allowed.pk),
                         "name": "allowed",
                         "slug": "allowed",
-                        "provider": None,
-                        "provider_obj": None,
-                        "launch_url": None,
-                        "meta_launch_url": "",
+                        "group": "",
+                        "provider": self.provider.pk,
+                        "provider_obj": {
+                            "assigned_application_name": "allowed",
+                            "assigned_application_slug": "allowed",
+                            "authorization_flow": str(self.provider.authorization_flow.pk),
+                            "component": "ak-provider-oauth2-form",
+                            "meta_model_name": "authentik_providers_oauth2.oauth2provider",
+                            "name": self.provider.name,
+                            "pk": self.provider.pk,
+                            "property_mappings": [],
+                            "verbose_name": "OAuth2/OpenID Provider",
+                            "verbose_name_plural": "OAuth2/OpenID Providers",
+                        },
+                        "launch_url": f"https://goauthentik.io/{self.user.username}",
+                        "meta_launch_url": "https://goauthentik.io/%(username)s",
                         "meta_icon": None,
                         "meta_description": "",
                         "meta_publisher": "",
@@ -82,7 +116,7 @@ class TestApplicationsAPI(APITestCase):
             reverse("authentik_api:application-list") + "?superuser_full_list=true"
         )
         self.assertJSONEqual(
-            force_str(response.content),
+            response.content.decode(),
             {
                 "pagination": {
                     "next": 0,
@@ -98,10 +132,22 @@ class TestApplicationsAPI(APITestCase):
                         "pk": str(self.allowed.pk),
                         "name": "allowed",
                         "slug": "allowed",
-                        "provider": None,
-                        "provider_obj": None,
-                        "launch_url": None,
-                        "meta_launch_url": "",
+                        "group": "",
+                        "provider": self.provider.pk,
+                        "provider_obj": {
+                            "assigned_application_name": "allowed",
+                            "assigned_application_slug": "allowed",
+                            "authorization_flow": str(self.provider.authorization_flow.pk),
+                            "component": "ak-provider-oauth2-form",
+                            "meta_model_name": "authentik_providers_oauth2.oauth2provider",
+                            "name": self.provider.name,
+                            "pk": self.provider.pk,
+                            "property_mappings": [],
+                            "verbose_name": "OAuth2/OpenID Provider",
+                            "verbose_name_plural": "OAuth2/OpenID Providers",
+                        },
+                        "launch_url": f"https://goauthentik.io/{self.user.username}",
+                        "meta_launch_url": "https://goauthentik.io/%(username)s",
                         "meta_icon": None,
                         "meta_description": "",
                         "meta_publisher": "",
@@ -113,6 +159,7 @@ class TestApplicationsAPI(APITestCase):
                         "meta_icon": None,
                         "meta_launch_url": "",
                         "meta_publisher": "",
+                        "group": "",
                         "name": "denied",
                         "pk": str(self.denied.pk),
                         "policy_engine_mode": "any",

authentik/core/tests/test_applications_views.py

@@ -0,0 +1,67 @@
+"""Test Applications API"""
+from unittest.mock import MagicMock, patch
+
+from django.urls import reverse
+
+from authentik.core.models import Application
+from authentik.core.tests.utils import create_test_admin_user, create_test_tenant
+from authentik.flows.models import Flow, FlowDesignation
+from authentik.flows.tests import FlowTestCase
+from authentik.tenants.models import Tenant
+
+
+class TestApplicationsViews(FlowTestCase):
+    """Test applications Views"""
+
+    def setUp(self) -> None:
+        self.user = create_test_admin_user()
+        self.allowed = Application.objects.create(
+            name="allowed", slug="allowed", meta_launch_url="https://goauthentik.io/%(username)s"
+        )
+
+    def test_check_redirect(self):
+        """Test redirect"""
+        empty_flow = Flow.objects.create(
+            name="foo",
+            slug="foo",
+            designation=FlowDesignation.AUTHENTICATION,
+        )
+        tenant: Tenant = create_test_tenant()
+        tenant.flow_authentication = empty_flow
+        tenant.save()
+        response = self.client.get(
+            reverse(
+                "authentik_core:application-launch",
+                kwargs={"application_slug": self.allowed.slug},
+            ),
+            follow=True,
+        )
+        self.assertEqual(response.status_code, 200)
+        with patch(
+            "authentik.flows.stage.StageView.get_pending_user", MagicMock(return_value=self.user)
+        ):
+            response = self.client.post(
+                reverse("authentik_api:flow-executor", kwargs={"flow_slug": empty_flow.slug})
+            )
+            self.assertEqual(response.status_code, 200)
+            self.assertStageRedirects(response, f"https://goauthentik.io/{self.user.username}")
+
+    def test_check_redirect_auth(self):
+        """Test redirect"""
+        self.client.force_login(self.user)
+        empty_flow = Flow.objects.create(
+            name="foo",
+            slug="foo",
+            designation=FlowDesignation.AUTHENTICATION,
+        )
+        tenant: Tenant = create_test_tenant()
+        tenant.flow_authentication = empty_flow
+        tenant.save()
+        response = self.client.get(
+            reverse(
+                "authentik_core:application-launch",
+                kwargs={"application_slug": self.allowed.slug},
+            ),
+        )
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(response.url, f"https://goauthentik.io/{self.user.username}")

authentik/core/tests/test_authenticated_sessions_api.py

@@ -2,10 +2,10 @@
 from json import loads
 
 from django.urls.base import reverse
-from django.utils.encoding import force_str
 from rest_framework.test import APITestCase
 
 from authentik.core.models import User
+from authentik.core.tests.utils import create_test_admin_user
 
 
 class TestAuthenticatedSessionsAPI(APITestCase):
@@ -13,7 +13,7 @@ class TestAuthenticatedSessionsAPI(APITestCase):
 
     def setUp(self) -> None:
         super().setUp()
-        self.user = User.objects.get(username="akadmin")
+        self.user = create_test_admin_user()
         self.other_user = User.objects.create(username="normal-user")
 
     def test_list(self):
@@ -27,5 +27,5 @@ class TestAuthenticatedSessionsAPI(APITestCase):
         self.client.force_login(self.other_user)
         response = self.client.get(reverse("authentik_api:authenticatedsession-list"))
         self.assertEqual(response.status_code, 200)
-        body = loads(force_str(response.content))
+        body = loads(response.content.decode())
         self.assertEqual(body["pagination"]["count"], 1)

authentik/core/tests/test_impersonation.py

@@ -5,6 +5,7 @@ from django.test.testcases import TestCase
 from django.urls import reverse
 
 from authentik.core.models import User
+from authentik.core.tests.utils import create_test_admin_user
 
 
 class TestImpersonation(TestCase):
@@ -13,14 +14,14 @@ class TestImpersonation(TestCase):
     def setUp(self) -> None:
         super().setUp()
         self.other_user = User.objects.create(username="to-impersonate")
-        self.akadmin = User.objects.get(username="akadmin")
+        self.user = create_test_admin_user()
 
     def test_impersonate_simple(self):
         """test simple impersonation and un-impersonation"""
         # test with an inactive user to ensure that still works
         self.other_user.is_active = False
         self.other_user.save()
-        self.client.force_login(self.akadmin)
+        self.client.force_login(self.user)
 
         self.client.get(
             reverse(
@@ -32,13 +33,13 @@ class TestImpersonation(TestCase):
         response = self.client.get(reverse("authentik_api:user-me"))
         response_body = loads(response.content.decode())
         self.assertEqual(response_body["user"]["username"], self.other_user.username)
-        self.assertEqual(response_body["original"]["username"], self.akadmin.username)
+        self.assertEqual(response_body["original"]["username"], self.user.username)
 
         self.client.get(reverse("authentik_core:impersonate-end"))
 
         response = self.client.get(reverse("authentik_api:user-me"))
         response_body = loads(response.content.decode())
-        self.assertEqual(response_body["user"]["username"], self.akadmin.username)
+        self.assertEqual(response_body["user"]["username"], self.user.username)
         self.assertNotIn("original", response_body)
 
     def test_impersonate_denied(self):
@@ -46,7 +47,7 @@ class TestImpersonation(TestCase):
         self.client.force_login(self.other_user)
 
         self.client.get(
-            reverse("authentik_core:impersonate-init", kwargs={"user_id": self.akadmin.pk})
+            reverse("authentik_core:impersonate-init", kwargs={"user_id": self.user.pk})
         )
 
         response = self.client.get(reverse("authentik_api:user-me"))

authentik/core/tests/test_models.py

@@ -1,8 +1,8 @@
 """authentik core models tests"""
 from time import sleep
-from typing import Callable, Type
+from typing import Callable
 
-from django.test import TestCase
+from django.test import RequestFactory, TestCase
 from django.utils.timezone import now
 from guardian.shortcuts import get_anonymous_user
 
@@ -27,9 +27,12 @@ class TestModels(TestCase):
         self.assertFalse(token.is_expired)
 
 
-def source_tester_factory(test_model: Type[Stage]) -> Callable:
+def source_tester_factory(test_model: type[Stage]) -> Callable:
     """Test source"""
 
+    factory = RequestFactory()
+    request = factory.get("/")
+
     def tester(self: TestModels):
         model_class = None
         if test_model._meta.abstract:
@@ -38,18 +41,18 @@ def source_tester_factory(test_model: Type[Stage]) -> Callable:
             model_class = test_model()
         model_class.slug = "test"
         self.assertIsNotNone(model_class.component)
-        _ = model_class.ui_login_button
-        _ = model_class.ui_user_settings
+        _ = model_class.ui_login_button(request)
+        _ = model_class.ui_user_settings()
 
     return tester
 
 
-def provider_tester_factory(test_model: Type[Stage]) -> Callable:
+def provider_tester_factory(test_model: type[Stage]) -> Callable:
     """Test provider"""
 
     def tester(self: TestModels):
         model_class = None
-        if test_model._meta.abstract:
+        if test_model._meta.abstract:  # pragma: no cover
             model_class = test_model.__bases__[0]()
         else:
             model_class = test_model()
@@ -59,6 +62,6 @@ def provider_tester_factory(test_model: Type[Stage]) -> Callable:
 
 
 for model in all_subclasses(Source):
-    setattr(TestModels, f"test_model_{model.__name__}", source_tester_factory(model))
+    setattr(TestModels, f"test_source_{model.__name__}", source_tester_factory(model))
 for model in all_subclasses(Provider):
-    setattr(TestModels, f"test_model_{model.__name__}", provider_tester_factory(model))
+    setattr(TestModels, f"test_provider_{model.__name__}", provider_tester_factory(model))

authentik/core/tests/test_property_mapping_api.py

@@ -6,7 +6,8 @@ from rest_framework.serializers import ValidationError
 from rest_framework.test import APITestCase
 
 from authentik.core.api.propertymappings import PropertyMappingSerializer
-from authentik.core.models import PropertyMapping, User
+from authentik.core.models import PropertyMapping
+from authentik.core.tests.utils import create_test_admin_user
 
 
 class TestPropertyMappingAPI(APITestCase):
@@ -17,7 +18,7 @@ class TestPropertyMappingAPI(APITestCase):
         self.mapping = PropertyMapping.objects.create(
             name="dummy", expression="""return {'foo': 'bar'}"""
         )
-        self.user = User.objects.get(username="akadmin")
+        self.user = create_test_admin_user()
         self.client.force_login(self.user)
 
     def test_test_call(self):
@@ -40,7 +41,7 @@ class TestPropertyMappingAPI(APITestCase):
         expr = "return True"
         self.assertEqual(PropertyMappingSerializer().validate_expression(expr), expr)
         with self.assertRaises(ValidationError):
-            print(PropertyMappingSerializer().validate_expression("/"))
+            PropertyMappingSerializer().validate_expression("/")
 
     def test_types(self):
         """Test PropertyMappigns's types endpoint"""

authentik/core/tests/test_providers_api.py

@@ -2,7 +2,8 @@
 from django.urls import reverse
 from rest_framework.test import APITestCase
 
-from authentik.core.models import PropertyMapping, User
+from authentik.core.models import PropertyMapping
+from authentik.core.tests.utils import create_test_admin_user
 
 
 class TestProvidersAPI(APITestCase):
@@ -13,7 +14,7 @@ class TestProvidersAPI(APITestCase):
         self.mapping = PropertyMapping.objects.create(
             name="dummy", expression="""return {'foo': 'bar'}"""
         )
-        self.user = User.objects.get(username="akadmin")
+        self.user = create_test_admin_user()
         self.client.force_login(self.user)
 
     def test_types(self):

authentik/core/tests/test_source_flow_manager.py

@@ -6,8 +6,12 @@ from guardian.utils import get_anonymous_user
 
 from authentik.core.models import SourceUserMatchingModes, User
 from authentik.core.sources.flow_manager import Action
+from authentik.flows.models import Flow, FlowDesignation
 from authentik.lib.generators import generate_id
 from authentik.lib.tests.utils import get_request
+from authentik.policies.denied import AccessDeniedResponse
+from authentik.policies.expression.models import ExpressionPolicy
+from authentik.policies.models import PolicyBinding
 from authentik.sources.oauth.models import OAuthSource, UserOAuthSourceConnection
 from authentik.sources.oauth.views.callback import OAuthSourceFlowManager
 
@@ -17,7 +21,7 @@ class TestSourceFlowManager(TestCase):
 
     def setUp(self) -> None:
         super().setUp()
-        self.source = OAuthSource.objects.create(name="test")
+        self.source: OAuthSource = OAuthSource.objects.create(name="test")
         self.factory = RequestFactory()
         self.identifier = generate_id()
 
@@ -143,3 +147,34 @@ class TestSourceFlowManager(TestCase):
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.ENROLL)
         flow_manager.get_flow()
+
+    def test_error_non_applicable_flow(self):
+        """Test error handling when a source selected flow is non-applicable due to a policy"""
+        self.source.user_matching_mode = SourceUserMatchingModes.USERNAME_LINK
+
+        flow = Flow.objects.create(
+            name="test", slug="test", title="test", designation=FlowDesignation.ENROLLMENT
+        )
+        policy = ExpressionPolicy.objects.create(
+            name="false", expression="""ak_message("foo");return False"""
+        )
+        PolicyBinding.objects.create(
+            policy=policy,
+            target=flow,
+            order=0,
+        )
+        self.source.enrollment_flow = flow
+        self.source.save()
+
+        flow_manager = OAuthSourceFlowManager(
+            self.source,
+            get_request("/", user=AnonymousUser()),
+            self.identifier,
+            {"username": "foo"},
+        )
+        action, _ = flow_manager.get_action()
+        self.assertEqual(action, Action.ENROLL)
+        response = flow_manager.get_flow()
+        self.assertIsInstance(response, AccessDeniedResponse)
+        # pylint: disable=no-member
+        self.assertEqual(response.error_message, "foo")

authentik/core/tests/test_tasks.py

@@ -0,0 +1,50 @@
+"""Test tasks"""
+from time import mktime
+
+from django.utils.timezone import now
+from guardian.shortcuts import get_anonymous_user
+from rest_framework.test import APITestCase
+
+from authentik.core.models import (
+    USER_ATTRIBUTE_EXPIRES,
+    USER_ATTRIBUTE_GENERATED,
+    Token,
+    TokenIntents,
+    User,
+)
+from authentik.core.tasks import clean_expired_models, clean_temporary_users
+from authentik.core.tests.utils import create_test_admin_user
+from authentik.lib.generators import generate_id
+
+
+class TestTasks(APITestCase):
+    """Test token API"""
+
+    def setUp(self) -> None:
+        super().setUp()
+        self.user = User.objects.create(username="testuser")
+        self.admin = create_test_admin_user()
+        self.client.force_login(self.user)
+
+    def test_token_expire(self):
+        """Test Token expire task"""
+        token: Token = Token.objects.create(
+            expires=now(), user=get_anonymous_user(), intent=TokenIntents.INTENT_API
+        )
+        key = token.key
+        clean_expired_models.delay().get()
+        token.refresh_from_db()
+        self.assertNotEqual(key, token.key)
+
+    def test_clean_temporary_users(self):
+        """Test clean_temporary_users task"""
+        username = generate_id
+        User.objects.create(
+            username=username,
+            attributes={
+                USER_ATTRIBUTE_GENERATED: True,
+                USER_ATTRIBUTE_EXPIRES: mktime(now().timetuple()),
+            },
+        )
+        clean_temporary_users.delay().get()
+        self.assertFalse(User.objects.filter(username=username))

authentik/core/tests/test_token_api.py

@@ -2,12 +2,11 @@
 from json import loads
 
 from django.urls.base import reverse
-from django.utils.timezone import now
 from guardian.shortcuts import get_anonymous_user
 from rest_framework.test import APITestCase
 
 from authentik.core.models import USER_ATTRIBUTE_TOKEN_EXPIRING, Token, TokenIntents, User
-from authentik.core.tasks import clean_expired_models
+from authentik.core.tests.utils import create_test_admin_user
 
 
 class TestTokenAPI(APITestCase):
@@ -16,7 +15,7 @@ class TestTokenAPI(APITestCase):
     def setUp(self) -> None:
         super().setUp()
         self.user = User.objects.create(username="testuser")
-        self.admin = User.objects.get(username="akadmin")
+        self.admin = create_test_admin_user()
         self.client.force_login(self.user)
 
     def test_token_create(self):
@@ -29,6 +28,7 @@ class TestTokenAPI(APITestCase):
         self.assertEqual(token.user, self.user)
         self.assertEqual(token.intent, TokenIntents.INTENT_API)
         self.assertEqual(token.expiring, True)
+        self.assertTrue(self.user.has_perm("authentik_core.view_token_key", token))
 
     def test_token_create_invalid(self):
         """Test token creation endpoint (invalid data)"""
@@ -51,14 +51,6 @@ class TestTokenAPI(APITestCase):
         self.assertEqual(token.intent, TokenIntents.INTENT_API)
         self.assertEqual(token.expiring, False)
 
-    def test_token_expire(self):
-        """Test Token expire task"""
-        token: Token = Token.objects.create(expires=now(), user=get_anonymous_user())
-        key = token.key
-        clean_expired_models.delay().get()
-        token.refresh_from_db()
-        self.assertNotEqual(key, token.key)
-
     def test_list(self):
         """Test Token List (Test normal authentication)"""
         token_should: Token = Token.objects.create(

authentik/core/tests/test_users_api.py

@@ -2,8 +2,10 @@
 from django.urls.base import reverse
 from rest_framework.test import APITestCase
 
-from authentik.core.models import USER_ATTRIBUTE_CHANGE_EMAIL, USER_ATTRIBUTE_CHANGE_USERNAME, User
-from authentik.flows.models import Flow, FlowDesignation
+from authentik.core.models import User
+from authentik.core.tests.utils import create_test_admin_user, create_test_flow, create_test_tenant
+from authentik.flows.models import FlowDesignation
+from authentik.lib.generators import generate_key
 from authentik.stages.email.models import EmailStage
 from authentik.tenants.models import Tenant
 
@@ -12,37 +14,9 @@ class TestUsersAPI(APITestCase):
     """Test Users API"""
 
     def setUp(self) -> None:
-        self.admin = User.objects.get(username="akadmin")
+        self.admin = create_test_admin_user()
         self.user = User.objects.create(username="test-user")
 
-    def test_update_self(self):
-        """Test update_self"""
-        self.client.force_login(self.admin)
-        response = self.client.put(
-            reverse("authentik_api:user-update-self"), data={"username": "foo", "name": "foo"}
-        )
-        self.assertEqual(response.status_code, 200)
-
-    def test_update_self_username_denied(self):
-        """Test update_self"""
-        self.admin.attributes[USER_ATTRIBUTE_CHANGE_USERNAME] = False
-        self.admin.save()
-        self.client.force_login(self.admin)
-        response = self.client.put(
-            reverse("authentik_api:user-update-self"), data={"username": "foo", "name": "foo"}
-        )
-        self.assertEqual(response.status_code, 400)
-
-    def test_update_self_email_denied(self):
-        """Test update_self"""
-        self.admin.attributes[USER_ATTRIBUTE_CHANGE_EMAIL] = False
-        self.admin.save()
-        self.client.force_login(self.admin)
-        response = self.client.put(
-            reverse("authentik_api:user-update-self"), data={"email": "foo", "name": "foo"}
-        )
-        self.assertEqual(response.status_code, 400)
-
     def test_metrics(self):
         """Test user's metrics"""
         self.client.force_login(self.admin)
@@ -67,12 +41,22 @@ class TestUsersAPI(APITestCase):
         )
         self.assertEqual(response.status_code, 404)
 
+    def test_set_password(self):
+        """Test Direct password set"""
+        self.client.force_login(self.admin)
+        new_pw = generate_key()
+        response = self.client.post(
+            reverse("authentik_api:user-set-password", kwargs={"pk": self.admin.pk}),
+            data={"password": new_pw},
+        )
+        self.assertEqual(response.status_code, 204)
+        self.admin.refresh_from_db()
+        self.assertTrue(self.admin.check_password(new_pw))
+
     def test_recovery(self):
         """Test user recovery link (no recovery flow set)"""
-        flow = Flow.objects.create(
-            name="test", title="test", slug="test", designation=FlowDesignation.RECOVERY
-        )
-        tenant: Tenant = Tenant.objects.first()
+        flow = create_test_flow(FlowDesignation.RECOVERY)
+        tenant: Tenant = create_test_tenant()
         tenant.flow_recovery = flow
         tenant.save()
         self.client.force_login(self.admin)
@@ -99,10 +83,8 @@ class TestUsersAPI(APITestCase):
         """Test user recovery link (no email stage)"""
         self.user.email = "foo@bar.baz"
         self.user.save()
-        flow = Flow.objects.create(
-            name="test", title="test", slug="test", designation=FlowDesignation.RECOVERY
-        )
-        tenant: Tenant = Tenant.objects.first()
+        flow = create_test_flow(designation=FlowDesignation.RECOVERY)
+        tenant: Tenant = create_test_tenant()
         tenant.flow_recovery = flow
         tenant.save()
         self.client.force_login(self.admin)
@@ -115,10 +97,8 @@ class TestUsersAPI(APITestCase):
         """Test user recovery link"""
         self.user.email = "foo@bar.baz"
         self.user.save()
-        flow = Flow.objects.create(
-            name="test", title="test", slug="test", designation=FlowDesignation.RECOVERY
-        )
-        tenant: Tenant = Tenant.objects.first()
+        flow = create_test_flow(FlowDesignation.RECOVERY)
+        tenant: Tenant = create_test_tenant()
         tenant.flow_recovery = flow
         tenant.save()
 

authentik/core/tests/utils.py

@@ -0,0 +1,57 @@
+"""Test Utils"""
+from typing import Optional
+
+from django.utils.text import slugify
+
+from authentik.core.models import Group, User
+from authentik.crypto.builder import CertificateBuilder
+from authentik.crypto.models import CertificateKeyPair
+from authentik.flows.models import Flow, FlowDesignation
+from authentik.lib.generators import generate_id
+from authentik.tenants.models import Tenant
+
+
+def create_test_flow(designation: FlowDesignation = FlowDesignation.STAGE_CONFIGURATION) -> Flow:
+    """Generate a flow that can be used for testing"""
+    uid = generate_id(10)
+    return Flow.objects.create(
+        name=uid,
+        title=uid,
+        slug=slugify(uid),
+        designation=designation,
+    )
+
+
+def create_test_admin_user(name: Optional[str] = None) -> User:
+    """Generate a test-admin user"""
+    uid = generate_id(20) if not name else name
+    group = Group.objects.create(name=uid, is_superuser=True)
+    user: User = User.objects.create(
+        username=uid,
+        name=uid,
+        email=f"{uid}@goauthentik.io",
+    )
+    user.set_password(uid)
+    user.save()
+    group.users.add(user)
+    return user
+
+
+def create_test_tenant() -> Tenant:
+    """Generate a test tenant, removing all other tenants to make sure this one
+    matches."""
+    uid = generate_id(20)
+    Tenant.objects.all().delete()
+    return Tenant.objects.create(domain=uid, default=True)
+
+
+def create_test_cert() -> CertificateKeyPair:
+    """Generate a certificate for testing"""
+    CertificateKeyPair.objects.filter(name="goauthentik.io").delete()
+    builder = CertificateBuilder()
+    builder.common_name = "goauthentik.io"
+    builder.build(
+        subject_alt_names=["goauthentik.io"],
+        validity_days=360,
+    )
+    return builder.save()

authentik/core/types.py

@@ -29,3 +29,4 @@ class UserSettingSerializer(PassiveSerializer):
     component = CharField()
     title = CharField()
     configure_url = CharField(required=False)
+    icon_url = CharField(required=False)

authentik/core/urls.py

@@ -5,7 +5,7 @@ from django.views.decorators.csrf import ensure_csrf_cookie
 from django.views.generic import RedirectView
 from django.views.generic.base import TemplateView
 
-from authentik.core.views import impersonate
+from authentik.core.views import apps, impersonate
 from authentik.core.views.interface import FlowInterfaceView
 from authentik.core.views.session import EndSessionView
 
@@ -15,6 +15,12 @@ urlpatterns = [
         login_required(RedirectView.as_view(pattern_name="authentik_core:if-user")),
         name="root-redirect",
     ),
+    path(
+        # We have to use this format since everything else uses applications/o or applications/saml
+        "application/launch/<slug:application_slug>/",
+        apps.RedirectToAppLaunch.as_view(),
+        name="application-launch",
+    ),
     # Impersonation
     path(
         "-/impersonation/<int:user_id>/",

authentik/core/views/apps.py

@@ -0,0 +1,75 @@
+"""app views"""
+from django.http import Http404, HttpRequest, HttpResponse, HttpResponseRedirect
+from django.shortcuts import get_object_or_404
+from django.utils.translation import gettext_lazy as _
+from django.views import View
+
+from authentik.core.models import Application
+from authentik.flows.challenge import (
+    ChallengeResponse,
+    ChallengeTypes,
+    HttpChallengeResponse,
+    RedirectChallenge,
+)
+from authentik.flows.models import in_memory_stage
+from authentik.flows.planner import PLAN_CONTEXT_APPLICATION, FlowPlanner
+from authentik.flows.stage import ChallengeStageView
+from authentik.flows.views.executor import SESSION_KEY_PLAN
+from authentik.lib.utils.urls import redirect_with_qs
+from authentik.stages.consent.stage import (
+    PLAN_CONTEXT_CONSENT_HEADER,
+    PLAN_CONTEXT_CONSENT_PERMISSIONS,
+)
+from authentik.tenants.models import Tenant
+
+
+class RedirectToAppLaunch(View):
+    """Application launch view, redirect to the launch URL"""
+
+    def dispatch(self, request: HttpRequest, application_slug: str) -> HttpResponse:
+        app = get_object_or_404(Application, slug=application_slug)
+        # Check here if the application has any launch URL set, if not 404
+        launch = app.get_launch_url()
+        if not launch:
+            raise Http404
+        # Check if we're authenticated already, saves us the flow run
+        if request.user.is_authenticated:
+            return HttpResponseRedirect(app.get_launch_url(request.user))
+        # otherwise, do a custom flow plan that includes the application that's
+        # being accessed, to improve usability
+        tenant: Tenant = request.tenant
+        flow = tenant.flow_authentication
+        planner = FlowPlanner(flow)
+        planner.allow_empty_flows = True
+        plan = planner.plan(
+            request,
+            {
+                PLAN_CONTEXT_APPLICATION: app,
+                PLAN_CONTEXT_CONSENT_HEADER: _("You're about to sign into %(application)s.")
+                % {"application": app.name},
+                PLAN_CONTEXT_CONSENT_PERMISSIONS: [],
+            },
+        )
+        plan.insert_stage(in_memory_stage(RedirectToAppStage))
+        request.session[SESSION_KEY_PLAN] = plan
+        return redirect_with_qs("authentik_core:if-flow", request.GET, flow_slug=flow.slug)
+
+
+class RedirectToAppStage(ChallengeStageView):
+    """Final stage to be inserted after the user logs in"""
+
+    def get_challenge(self, *args, **kwargs) -> RedirectChallenge:
+        app = self.executor.plan.context[PLAN_CONTEXT_APPLICATION]
+        launch = app.get_launch_url(self.get_pending_user())
+        # sanity check to ensure launch is still set
+        if not launch:
+            raise Http404
+        return RedirectChallenge(
+            instance={
+                "type": ChallengeTypes.REDIRECT.value,
+                "to": launch,
+            }
+        )
+
+    def challenge_valid(self, response: ChallengeResponse) -> HttpResponse:
+        return HttpChallengeResponse(self.get_challenge())

authentik/crypto/api.py

@@ -1,4 +1,6 @@
 """Crypto API Views"""
+from typing import Optional
+
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives.serialization import load_pem_private_key
 from cryptography.x509 import load_pem_x509_certificate
@@ -15,14 +17,18 @@ from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import ModelSerializer, ValidationError
 from rest_framework.viewsets import ModelViewSet
+from structlog.stdlib import get_logger
 
 from authentik.api.decorators import permission_required
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import PassiveSerializer
 from authentik.crypto.builder import CertificateBuilder
+from authentik.crypto.managed import MANAGED_KEY
 from authentik.crypto.models import CertificateKeyPair
 from authentik.events.models import Event, EventAction
 
+LOGGER = get_logger()
+
 
 class CertificateKeyPairSerializer(ModelSerializer):
     """CertificateKeyPair Serializer"""
@@ -30,6 +36,7 @@ class CertificateKeyPairSerializer(ModelSerializer):
     cert_expiry = DateTimeField(source="certificate.not_valid_after", read_only=True)
     cert_subject = SerializerMethodField()
     private_key_available = SerializerMethodField()
+    private_key_type = SerializerMethodField()
 
     certificate_download_url = SerializerMethodField()
     private_key_download_url = SerializerMethodField()
@@ -42,6 +49,13 @@ class CertificateKeyPairSerializer(ModelSerializer):
         """Show if this keypair has a private key configured or not"""
         return instance.key_data != "" and instance.key_data is not None
 
+    def get_private_key_type(self, instance: CertificateKeyPair) -> Optional[str]:
+        """Get the private key's type, if set"""
+        key = instance.private_key
+        if key:
+            return key.__class__.__name__.replace("_", "").lower().replace("privatekey", "")
+        return None
+
     def get_certificate_download_url(self, instance: CertificateKeyPair) -> str:
         """Get URL to download certificate"""
         return (
@@ -65,22 +79,30 @@ class CertificateKeyPairSerializer(ModelSerializer):
     def validate_certificate_data(self, value: str) -> str:
         """Verify that input is a valid PEM x509 Certificate"""
         try:
-            load_pem_x509_certificate(value.encode("utf-8"), default_backend())
-        except ValueError:
+            # Cast to string to fully load and parse certificate
+            # Prevents issues like https://github.com/goauthentik/authentik/issues/2082
+            str(load_pem_x509_certificate(value.encode("utf-8"), default_backend()))
+        except ValueError as exc:
+            LOGGER.warning("Failed to load certificate", exc=exc)
             raise ValidationError("Unable to load certificate.")
         return value
 
     def validate_key_data(self, value: str) -> str:
-        """Verify that input is a valid PEM RSA Key"""
+        """Verify that input is a valid PEM Key"""
         # Since this field is optional, data can be empty.
         if value != "":
             try:
-                load_pem_private_key(
-                    str.encode("\n".join([x.strip() for x in value.split("\n")])),
-                    password=None,
-                    backend=default_backend(),
+                # Cast to string to fully load and parse certificate
+                # Prevents issues like https://github.com/goauthentik/authentik/issues/2082
+                str(
+                    load_pem_private_key(
+                        str.encode("\n".join([x.strip() for x in value.split("\n")])),
+                        password=None,
+                        backend=default_backend(),
+                    )
                 )
-            except (ValueError, TypeError):
+            except (ValueError, TypeError) as exc:
+                LOGGER.warning("Failed to load private key", exc=exc)
                 raise ValidationError("Unable to load private key (possibly encrypted?).")
         return value
 
@@ -97,6 +119,7 @@ class CertificateKeyPairSerializer(ModelSerializer):
             "cert_expiry",
             "cert_subject",
             "private_key_available",
+            "private_key_type",
             "certificate_download_url",
             "private_key_download_url",
             "managed",
@@ -141,9 +164,11 @@ class CertificateKeyPairFilter(FilterSet):
 class CertificateKeyPairViewSet(UsedByMixin, ModelViewSet):
     """CertificateKeyPair Viewset"""
 
-    queryset = CertificateKeyPair.objects.exclude(managed__isnull=False)
+    queryset = CertificateKeyPair.objects.exclude(managed=MANAGED_KEY)
     serializer_class = CertificateKeyPairSerializer
     filterset_class = CertificateKeyPairFilter
+    ordering = ["name"]
+    search_fields = ["name"]
 
     @permission_required(None, ["authentik_crypto.add_certificatekeypair"])
     @extend_schema(
@@ -189,7 +214,7 @@ class CertificateKeyPairViewSet(UsedByMixin, ModelViewSet):
             secret=certificate,
             type="certificate",
         ).from_http(request)
-        if "download" in request._request.GET:
+        if "download" in request.query_params:
             # Mime type from https://pki-tutorial.readthedocs.io/en/latest/mime.html
             response = HttpResponse(
                 certificate.certificate_data, content_type="application/x-pem-file"
@@ -220,7 +245,7 @@ class CertificateKeyPairViewSet(UsedByMixin, ModelViewSet):
             secret=certificate,
             type="private_key",
         ).from_http(request)
-        if "download" in request._request.GET:
+        if "download" in request.query_params:
             # Mime type from https://pki-tutorial.readthedocs.io/en/latest/mime.html
             response = HttpResponse(certificate.key_data, content_type="application/x-pem-file")
             response[

authentik/crypto/apps.py

@@ -13,3 +13,4 @@ class AuthentikCryptoConfig(AppConfig):
 
     def ready(self):
         import_module("authentik.crypto.managed")
+        import_module("authentik.crypto.tasks")

authentik/crypto/builder.py

@@ -44,7 +44,7 @@ class CertificateBuilder:
         """Build self-signed certificate"""
         one_day = datetime.timedelta(1, 0, 0)
         self.__private_key = rsa.generate_private_key(
-            public_exponent=65537, key_size=2048, backend=default_backend()
+            public_exponent=65537, key_size=4096, backend=default_backend()
         )
         self.__public_key = self.__private_key.public_key()
         alt_names: list[x509.GeneralName] = [x509.DNSName(x) for x in subject_alt_names or []]

authentik/crypto/models.py

@@ -6,15 +6,23 @@ from uuid import uuid4
 
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives.asymmetric.ec import (
+    EllipticCurvePrivateKey,
+    EllipticCurvePublicKey,
+)
+from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey, Ed25519PublicKey
 from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateKey, RSAPublicKey
 from cryptography.hazmat.primitives.serialization import load_pem_private_key
 from cryptography.x509 import Certificate, load_pem_x509_certificate
 from django.db import models
 from django.utils.translation import gettext_lazy as _
+from structlog.stdlib import get_logger
 
 from authentik.lib.models import CreatedUpdatedModel
 from authentik.managed.models import ManagedModel
 
+LOGGER = get_logger()
+
 
 class CertificateKeyPair(ManagedModel, CreatedUpdatedModel):
     """CertificateKeyPair that can be used for signing or encrypting if `key_data`
@@ -33,8 +41,8 @@ class CertificateKeyPair(ManagedModel, CreatedUpdatedModel):
     )
 
     _cert: Optional[Certificate] = None
-    _private_key: Optional[RSAPrivateKey] = None
-    _public_key: Optional[RSAPublicKey] = None
+    _private_key: Optional[RSAPrivateKey | EllipticCurvePrivateKey | Ed25519PrivateKey] = None
+    _public_key: Optional[RSAPublicKey | EllipticCurvePublicKey | Ed25519PublicKey] = None
 
     @property
     def certificate(self) -> Certificate:
@@ -46,23 +54,26 @@ class CertificateKeyPair(ManagedModel, CreatedUpdatedModel):
         return self._cert
 
     @property
-    def public_key(self) -> Optional[RSAPublicKey]:
+    def public_key(self) -> Optional[RSAPublicKey | EllipticCurvePublicKey | Ed25519PublicKey]:
         """Get public key of the private key"""
         if not self._public_key:
             self._public_key = self.private_key.public_key()
         return self._public_key
 
     @property
-    def private_key(self) -> Optional[RSAPrivateKey]:
+    def private_key(
+        self,
+    ) -> Optional[RSAPrivateKey | EllipticCurvePrivateKey | Ed25519PrivateKey]:
         """Get python cryptography PrivateKey instance"""
-        if not self._private_key and self._private_key != "":
+        if not self._private_key and self.key_data != "":
             try:
                 self._private_key = load_pem_private_key(
                     str.encode("\n".join([x.strip() for x in self.key_data.split("\n")])),
                     password=None,
                     backend=default_backend(),
                 )
-            except ValueError:
+            except ValueError as exc:
+                LOGGER.warning(exc)
                 return None
         return self._private_key
 

authentik/crypto/settings.py

@@ -1,10 +1,10 @@
-"""saml source settings"""
+"""Crypto task Settings"""
 from celery.schedules import crontab
 
 CELERY_BEAT_SCHEDULE = {
-    "saml_source_cleanup": {
-        "task": "authentik.sources.saml.tasks.clean_temporary_users",
+    "crypto_certificate_discovery": {
+        "task": "authentik.crypto.tasks.certificate_discovery",
         "schedule": crontab(minute="*/5"),
         "options": {"queue": "authentik_scheduled"},
-    }
+    },
 }

authentik/crypto/tasks.py

@@ -0,0 +1,95 @@
+"""Crypto tasks"""
+from glob import glob
+from pathlib import Path
+
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives.serialization import load_pem_private_key
+from cryptography.x509.base import load_pem_x509_certificate
+from django.utils.translation import gettext_lazy as _
+from structlog.stdlib import get_logger
+
+from authentik.crypto.models import CertificateKeyPair
+from authentik.events.monitored_tasks import (
+    MonitoredTask,
+    TaskResult,
+    TaskResultStatus,
+    prefill_task,
+)
+from authentik.lib.config import CONFIG
+from authentik.root.celery import CELERY_APP
+
+LOGGER = get_logger()
+
+MANAGED_DISCOVERED = "goauthentik.io/crypto/discovered/%s"
+
+
+def ensure_private_key_valid(body: str):
+    """Attempt loading of a PEM Private key without password"""
+    load_pem_private_key(
+        str.encode("\n".join([x.strip() for x in body.split("\n")])),
+        password=None,
+        backend=default_backend(),
+    )
+    return body
+
+
+def ensure_certificate_valid(body: str):
+    """Attempt loading of a PEM-encoded certificate"""
+    load_pem_x509_certificate(body.encode("utf-8"), default_backend())
+    return body
+
+
+@CELERY_APP.task(bind=True, base=MonitoredTask)
+@prefill_task
+def certificate_discovery(self: MonitoredTask):
+    """Discover, import and update certificates from the filesystem"""
+    certs = {}
+    private_keys = {}
+    discovered = 0
+    for file in glob(CONFIG.y("cert_discovery_dir") + "/**", recursive=True):
+        path = Path(file)
+        if not path.exists():
+            continue
+        if path.is_dir():
+            continue
+        # For certbot setups, we want to ignore archive.
+        if "archive" in file:
+            continue
+        # Support certbot's directory structure
+        if path.name in ["fullchain.pem", "privkey.pem"]:
+            cert_name = path.parent.name
+        else:
+            cert_name = path.name.replace(path.suffix, "")
+        try:
+            with open(path, "r", encoding="utf-8") as _file:
+                body = _file.read()
+                if "PRIVATE KEY" in body:
+                    private_keys[cert_name] = ensure_private_key_valid(body)
+                else:
+                    certs[cert_name] = ensure_certificate_valid(body)
+            discovered += 1
+        except (OSError, ValueError) as exc:
+            LOGGER.warning("Failed to open file or invalid format", exc=exc, file=path)
+    for name, cert_data in certs.items():
+        cert = CertificateKeyPair.objects.filter(managed=MANAGED_DISCOVERED % name).first()
+        if not cert:
+            cert = CertificateKeyPair(
+                name=name,
+                managed=MANAGED_DISCOVERED % name,
+            )
+        dirty = False
+        if cert.certificate_data != cert_data:
+            cert.certificate_data = cert_data
+            dirty = True
+        if name in private_keys:
+            if cert.key_data != private_keys[name]:
+                cert.key_data = private_keys[name]
+                dirty = True
+        if dirty:
+            cert.save()
+    self.set_status(
+        TaskResult(
+            TaskResultStatus.SUCCESSFUL,
+            messages=[_("Successfully imported %(count)d files." % {"count": discovered})],
+        )
+    )

authentik/crypto/tests.py

@@ -1,25 +1,37 @@
 """Crypto tests"""
 import datetime
+from os import makedirs
+from tempfile import TemporaryDirectory
 
-from django.test import TestCase
 from django.urls import reverse
+from rest_framework.test import APITestCase
 
 from authentik.core.api.used_by import DeleteAction
-from authentik.core.models import User
+from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
 from authentik.crypto.api import CertificateKeyPairSerializer
 from authentik.crypto.builder import CertificateBuilder
 from authentik.crypto.models import CertificateKeyPair
-from authentik.flows.models import Flow
+from authentik.crypto.tasks import MANAGED_DISCOVERED, certificate_discovery
+from authentik.lib.config import CONFIG
 from authentik.lib.generators import generate_key
 from authentik.providers.oauth2.models import OAuth2Provider
 
 
-class TestCrypto(TestCase):
+class TestCrypto(APITestCase):
     """Test Crypto validation"""
 
+    def test_model_private(self):
+        """Test model private key"""
+        cert = CertificateKeyPair.objects.create(
+            name="test",
+            certificate_data="foo",
+            key_data="foo",
+        )
+        self.assertIsNone(cert.private_key)
+
     def test_serializer(self):
         """Test API Validation"""
-        keypair = CertificateKeyPair.objects.first()
+        keypair = create_test_cert()
         self.assertTrue(
             CertificateKeyPairSerializer(
                 data={
@@ -54,10 +66,38 @@ class TestCrypto(TestCase):
         self.assertEqual(instance.name, "test-cert")
         self.assertEqual((instance.certificate.not_valid_after - now).days, 2)
 
+    def test_builder_api(self):
+        """Test Builder (via API)"""
+        self.client.force_login(create_test_admin_user())
+        self.client.post(
+            reverse("authentik_api:certificatekeypair-generate"),
+            data={"common_name": "foo", "subject_alt_name": "bar,baz", "validity_days": 3},
+        )
+        self.assertTrue(CertificateKeyPair.objects.filter(name="foo").exists())
+
+    def test_builder_api_invalid(self):
+        """Test Builder (via API) (invalid)"""
+        self.client.force_login(create_test_admin_user())
+        response = self.client.post(
+            reverse("authentik_api:certificatekeypair-generate"),
+            data={},
+        )
+        self.assertEqual(response.status_code, 400)
+
+    def test_list(self):
+        """Test API List"""
+        self.client.force_login(create_test_admin_user())
+        response = self.client.get(
+            reverse(
+                "authentik_api:certificatekeypair-list",
+            )
+        )
+        self.assertEqual(200, response.status_code)
+
     def test_certificate_download(self):
         """Test certificate export (download)"""
-        self.client.force_login(User.objects.get(username="akadmin"))
-        keypair = CertificateKeyPair.objects.first()
+        self.client.force_login(create_test_admin_user())
+        keypair = create_test_cert()
         response = self.client.get(
             reverse(
                 "authentik_api:certificatekeypair-view-certificate",
@@ -77,8 +117,8 @@ class TestCrypto(TestCase):
 
     def test_private_key_download(self):
         """Test private_key export (download)"""
-        self.client.force_login(User.objects.get(username="akadmin"))
-        keypair = CertificateKeyPair.objects.first()
+        self.client.force_login(create_test_admin_user())
+        keypair = create_test_cert()
         response = self.client.get(
             reverse(
                 "authentik_api:certificatekeypair-view-private-key",
@@ -98,15 +138,15 @@ class TestCrypto(TestCase):
 
     def test_used_by(self):
         """Test used_by endpoint"""
-        self.client.force_login(User.objects.get(username="akadmin"))
-        keypair = CertificateKeyPair.objects.first()
+        self.client.force_login(create_test_admin_user())
+        keypair = create_test_cert()
         provider = OAuth2Provider.objects.create(
             name="test",
             client_id="test",
             client_secret=generate_key(),
-            authorization_flow=Flow.objects.first(),
+            authorization_flow=create_test_flow(),
             redirect_uris="http://localhost",
-            rsa_key=CertificateKeyPair.objects.first(),
+            signing_key=keypair,
         )
         response = self.client.get(
             reverse(
@@ -127,3 +167,36 @@ class TestCrypto(TestCase):
                 }
             ],
         )
+
+    def test_discovery(self):
+        """Test certificate discovery"""
+        builder = CertificateBuilder()
+        builder.common_name = "test-cert"
+        with self.assertRaises(ValueError):
+            builder.save()
+        builder.build(
+            subject_alt_names=[],
+            validity_days=3,
+        )
+        with TemporaryDirectory() as temp_dir:
+            with open(f"{temp_dir}/foo.pem", "w+", encoding="utf-8") as _cert:
+                _cert.write(builder.certificate)
+            with open(f"{temp_dir}/foo.key", "w+", encoding="utf-8") as _key:
+                _key.write(builder.private_key)
+            makedirs(f"{temp_dir}/foo.bar", exist_ok=True)
+            with open(f"{temp_dir}/foo.bar/fullchain.pem", "w+", encoding="utf-8") as _cert:
+                _cert.write(builder.certificate)
+            with open(f"{temp_dir}/foo.bar/privkey.pem", "w+", encoding="utf-8") as _key:
+                _key.write(builder.private_key)
+            with CONFIG.patch("cert_discovery_dir", temp_dir):
+                # pyright: reportGeneralTypeIssues=false
+                certificate_discovery()  # pylint: disable=no-value-for-parameter
+        keypair: CertificateKeyPair = CertificateKeyPair.objects.filter(
+            managed=MANAGED_DISCOVERED % "foo"
+        ).first()
+        self.assertIsNotNone(keypair)
+        self.assertIsNotNone(keypair.certificate)
+        self.assertIsNotNone(keypair.private_key)
+        self.assertTrue(
+            CertificateKeyPair.objects.filter(managed=MANAGED_DISCOVERED % "foo.bar").exists()
+        )

authentik/events/api/event.py

@@ -1,4 +1,6 @@
 """Events API Views"""
+from json import loads
+
 import django_filters
 from django.db.models.aggregates import Count
 from django.db.models.fields.json import KeyTextTransform
@@ -12,6 +14,7 @@ from rest_framework.response import Response
 from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet
 
+from authentik.admin.api.metrics import CoordinateSerializer
 from authentik.core.api.utils import PassiveSerializer, TypeCreateSerializer
 from authentik.events.models import Event, EventAction
 
@@ -110,13 +113,20 @@ class EventViewSet(ModelViewSet):
     @extend_schema(
         methods=["GET"],
         responses={200: EventTopPerUserSerializer(many=True)},
+        filters=[],
         parameters=[
+            OpenApiParameter(
+                "action",
+                type=OpenApiTypes.STR,
+                location=OpenApiParameter.QUERY,
+                required=False,
+            ),
             OpenApiParameter(
                 "top_n",
                 type=OpenApiTypes.INT,
                 location=OpenApiParameter.QUERY,
                 required=False,
-            )
+            ),
         ],
     )
     @action(detail=False, methods=["GET"], pagination_class=None)
@@ -137,6 +147,40 @@ class EventViewSet(ModelViewSet):
             .order_by("-counted_events")[:top_n]
         )
 
+    @extend_schema(
+        methods=["GET"],
+        responses={200: CoordinateSerializer(many=True)},
+        filters=[],
+        parameters=[
+            OpenApiParameter(
+                "action",
+                type=OpenApiTypes.STR,
+                location=OpenApiParameter.QUERY,
+                required=False,
+            ),
+            OpenApiParameter(
+                "query",
+                type=OpenApiTypes.STR,
+                location=OpenApiParameter.QUERY,
+                required=False,
+            ),
+        ],
+    )
+    @action(detail=False, methods=["GET"], pagination_class=None)
+    def per_month(self, request: Request):
+        """Get the count of events per month"""
+        filtered_action = request.query_params.get("action", EventAction.LOGIN)
+        try:
+            query = loads(request.query_params.get("query", "{}"))
+        except ValueError:
+            return Response(status=400)
+        return Response(
+            get_objects_for_user(request.user, "authentik_events.view_event")
+            .filter(action=filtered_action)
+            .filter(**query)
+            .get_events_per_day()
+        )
+
     @extend_schema(responses={200: TypeCreateSerializer(many=True)})
     @action(detail=False, pagination_class=None, filter_backends=[])
     def actions(self, request: Request) -> Response:

authentik/events/api/notification_transport.py

@@ -15,12 +15,14 @@ from authentik.api.decorators import permission_required
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import PassiveSerializer
 from authentik.events.models import (
+    Event,
     Notification,
     NotificationSeverity,
     NotificationTransport,
     NotificationTransportError,
     TransportMode,
 )
+from authentik.events.utils import get_user
 
 
 class NotificationTransportSerializer(ModelSerializer):
@@ -86,6 +88,12 @@ class NotificationTransportViewSet(UsedByMixin, ModelViewSet):
             severity=NotificationSeverity.NOTICE,
             body=f"Test Notification from transport {transport.name}",
             user=request.user,
+            event=Event(
+                action="Test",
+                user=get_user(request.user),
+                app=self.__class__.__module__,
+                context={"foo": "bar"},
+            ),
         )
         try:
             response = NotificationTransportTestSerializer(

authentik/events/geo.py

@@ -1,12 +1,11 @@
 """events GeoIP Reader"""
-from datetime import datetime
 from os import stat
-from time import time
 from typing import Optional, TypedDict
 
 from geoip2.database import Reader
 from geoip2.errors import GeoIP2Error
 from geoip2.models import City
+from sentry_sdk.hub import Hub
 from structlog.stdlib import get_logger
 
 from authentik.lib.config import CONFIG
@@ -34,26 +33,29 @@ class GeoIPReader:
 
     def __open(self):
         """Get GeoIP Reader, if configured, otherwise none"""
-        path = CONFIG.y("authentik.geoip")
+        path = CONFIG.y("geoip")
         if path == "" or not path:
             return
         try:
-            reader = Reader(path)
-            self.__reader = reader
+            self.__reader = Reader(path)
             self.__last_mtime = stat(path).st_mtime
             LOGGER.info("Loaded GeoIP database", last_write=self.__last_mtime)
         except OSError as exc:
             LOGGER.warning("Failed to load GeoIP database", exc=exc)
 
     def __check_expired(self):
-        """Check if the geoip database has been opened longer than 8 hours,
-        and re-open it, as it will probably will have been re-downloaded"""
-        now = time()
-        diff = datetime.fromtimestamp(now) - datetime.fromtimestamp(self.__last_mtime)
-        diff_hours = diff.total_seconds() // 3600
-        if diff_hours >= 8:
-            LOGGER.info("GeoIP databased loaded too long, re-opening", diff=diff)
-            self.__open()
+        """Check if the modification date of the GeoIP database has
+        changed, and reload it if so"""
+        path = CONFIG.y("geoip")
+        try:
+            mtime = stat(path).st_mtime
+            diff = self.__last_mtime < mtime
+            if diff > 0:
+                LOGGER.info("Found new GeoIP Database, reopening", diff=diff)
+                self.__open()
+        except OSError as exc:
+            LOGGER.warning("Failed to check GeoIP age", exc=exc)
+            return
 
     @property
     def enabled(self) -> bool:
@@ -62,13 +64,17 @@ class GeoIPReader:
 
     def city(self, ip_address: str) -> Optional[City]:
         """Wrapper for Reader.city"""
-        if not self.enabled:
-            return None
-        self.__check_expired()
-        try:
-            return self.__reader.city(ip_address)
-        except (GeoIP2Error, ValueError):
-            return None
+        with Hub.current.start_span(
+            op="authentik.events.geo.city",
+            description=ip_address,
+        ):
+            if not self.enabled:
+                return None
+            self.__check_expired()
+            try:
+                return self.__reader.city(ip_address)
+            except (GeoIP2Error, ValueError):
+                return None
 
     def city_dict(self, ip_address: str) -> Optional[GeoIPDict]:
         """Wrapper for self.city that returns a dict"""

authentik/events/migrations/0001_squashed_0019_alter_notificationtransport_webhook_url.py

@@ -4,7 +4,6 @@ import uuid
 from datetime import timedelta
 from typing import Iterable
 
-import django.core.validators
 import django.db.models.deletion
 from django.apps.registry import Apps
 from django.conf import settings
@@ -12,6 +11,7 @@ from django.db import migrations, models
 from django.db.backends.base.schema import BaseDatabaseSchemaEditor
 
 import authentik.events.models
+import authentik.lib.models
 from authentik.events.models import EventAction, NotificationSeverity, TransportMode
 
 
@@ -19,7 +19,7 @@ def convert_user_to_json(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
     Event = apps.get_model("authentik_events", "Event")
 
     db_alias = schema_editor.connection.alias
-    for event in Event.objects.all():
+    for event in Event.objects.using(db_alias).all():
         event.delete()
         # Because event objects cannot be updated, we have to re-create them
         event.pk = None
@@ -314,169 +314,10 @@ class Migration(migrations.Migration):
             old_name="user_json",
             new_name="user",
         ),
-        migrations.AlterField(
-            model_name="event",
-            name="action",
-            field=models.TextField(
-                choices=[
-                    ("login", "Login"),
-                    ("login_failed", "Login Failed"),
-                    ("logout", "Logout"),
-                    ("sign_up", "Sign Up"),
-                    ("authorize_application", "Authorize Application"),
-                    ("suspicious_request", "Suspicious Request"),
-                    ("password_set", "Password Set"),
-                    ("invitation_created", "Invite Created"),
-                    ("invitation_used", "Invite Used"),
-                    ("source_linked", "Source Linked"),
-                    ("impersonation_started", "Impersonation Started"),
-                    ("impersonation_ended", "Impersonation Ended"),
-                    ("model_created", "Model Created"),
-                    ("model_updated", "Model Updated"),
-                    ("model_deleted", "Model Deleted"),
-                    ("custom_", "Custom Prefix"),
-                ]
-            ),
-        ),
-        migrations.AlterField(
-            model_name="event",
-            name="action",
-            field=models.TextField(
-                choices=[
-                    ("login", "Login"),
-                    ("login_failed", "Login Failed"),
-                    ("logout", "Logout"),
-                    ("user_write", "User Write"),
-                    ("suspicious_request", "Suspicious Request"),
-                    ("password_set", "Password Set"),
-                    ("invitation_created", "Invite Created"),
-                    ("invitation_used", "Invite Used"),
-                    ("authorize_application", "Authorize Application"),
-                    ("source_linked", "Source Linked"),
-                    ("impersonation_started", "Impersonation Started"),
-                    ("impersonation_ended", "Impersonation Ended"),
-                    ("model_created", "Model Created"),
-                    ("model_updated", "Model Updated"),
-                    ("model_deleted", "Model Deleted"),
-                    ("custom_", "Custom Prefix"),
-                ]
-            ),
-        ),
         migrations.RemoveField(
             model_name="event",
             name="date",
         ),
-        migrations.AlterField(
-            model_name="event",
-            name="action",
-            field=models.TextField(
-                choices=[
-                    ("login", "Login"),
-                    ("login_failed", "Login Failed"),
-                    ("logout", "Logout"),
-                    ("user_write", "User Write"),
-                    ("suspicious_request", "Suspicious Request"),
-                    ("password_set", "Password Set"),
-                    ("token_view", "Token View"),
-                    ("invitation_created", "Invite Created"),
-                    ("invitation_used", "Invite Used"),
-                    ("authorize_application", "Authorize Application"),
-                    ("source_linked", "Source Linked"),
-                    ("impersonation_started", "Impersonation Started"),
-                    ("impersonation_ended", "Impersonation Ended"),
-                    ("model_created", "Model Created"),
-                    ("model_updated", "Model Updated"),
-                    ("model_deleted", "Model Deleted"),
-                    ("custom_", "Custom Prefix"),
-                ]
-            ),
-        ),
-        migrations.AlterField(
-            model_name="event",
-            name="action",
-            field=models.TextField(
-                choices=[
-                    ("login", "Login"),
-                    ("login_failed", "Login Failed"),
-                    ("logout", "Logout"),
-                    ("user_write", "User Write"),
-                    ("suspicious_request", "Suspicious Request"),
-                    ("password_set", "Password Set"),
-                    ("token_view", "Token View"),
-                    ("invitation_created", "Invite Created"),
-                    ("invitation_used", "Invite Used"),
-                    ("authorize_application", "Authorize Application"),
-                    ("source_linked", "Source Linked"),
-                    ("impersonation_started", "Impersonation Started"),
-                    ("impersonation_ended", "Impersonation Ended"),
-                    ("policy_execution", "Policy Execution"),
-                    ("policy_exception", "Policy Exception"),
-                    ("property_mapping_exception", "Property Mapping Exception"),
-                    ("model_created", "Model Created"),
-                    ("model_updated", "Model Updated"),
-                    ("model_deleted", "Model Deleted"),
-                    ("custom_", "Custom Prefix"),
-                ]
-            ),
-        ),
-        migrations.AlterField(
-            model_name="event",
-            name="action",
-            field=models.TextField(
-                choices=[
-                    ("login", "Login"),
-                    ("login_failed", "Login Failed"),
-                    ("logout", "Logout"),
-                    ("user_write", "User Write"),
-                    ("suspicious_request", "Suspicious Request"),
-                    ("password_set", "Password Set"),
-                    ("token_view", "Token View"),
-                    ("invitation_created", "Invite Created"),
-                    ("invitation_used", "Invite Used"),
-                    ("authorize_application", "Authorize Application"),
-                    ("source_linked", "Source Linked"),
-                    ("impersonation_started", "Impersonation Started"),
-                    ("impersonation_ended", "Impersonation Ended"),
-                    ("policy_execution", "Policy Execution"),
-                    ("policy_exception", "Policy Exception"),
-                    ("property_mapping_exception", "Property Mapping Exception"),
-                    ("model_created", "Model Created"),
-                    ("model_updated", "Model Updated"),
-                    ("model_deleted", "Model Deleted"),
-                    ("update_available", "Update Available"),
-                    ("custom_", "Custom Prefix"),
-                ]
-            ),
-        ),
-        migrations.AlterField(
-            model_name="event",
-            name="action",
-            field=models.TextField(
-                choices=[
-                    ("login", "Login"),
-                    ("login_failed", "Login Failed"),
-                    ("logout", "Logout"),
-                    ("user_write", "User Write"),
-                    ("suspicious_request", "Suspicious Request"),
-                    ("password_set", "Password Set"),
-                    ("token_view", "Token View"),
-                    ("invitation_used", "Invite Used"),
-                    ("authorize_application", "Authorize Application"),
-                    ("source_linked", "Source Linked"),
-                    ("impersonation_started", "Impersonation Started"),
-                    ("impersonation_ended", "Impersonation Ended"),
-                    ("policy_execution", "Policy Execution"),
-                    ("policy_exception", "Policy Exception"),
-                    ("property_mapping_exception", "Property Mapping Exception"),
-                    ("configuration_error", "Configuration Error"),
-                    ("model_created", "Model Created"),
-                    ("model_updated", "Model Updated"),
-                    ("model_deleted", "Model Deleted"),
-                    ("update_available", "Update Available"),
-                    ("custom_", "Custom Prefix"),
-                ]
-            ),
-        ),
         migrations.CreateModel(
             name="NotificationTransport",
             fields=[
@@ -610,68 +451,6 @@ class Migration(migrations.Migration):
                 help_text="Only send notification once, for example when sending a webhook into a chat channel.",
             ),
         ),
-        migrations.AlterField(
-            model_name="event",
-            name="action",
-            field=models.TextField(
-                choices=[
-                    ("login", "Login"),
-                    ("login_failed", "Login Failed"),
-                    ("logout", "Logout"),
-                    ("user_write", "User Write"),
-                    ("suspicious_request", "Suspicious Request"),
-                    ("password_set", "Password Set"),
-                    ("token_view", "Token View"),
-                    ("invitation_used", "Invite Used"),
-                    ("authorize_application", "Authorize Application"),
-                    ("source_linked", "Source Linked"),
-                    ("impersonation_started", "Impersonation Started"),
-                    ("impersonation_ended", "Impersonation Ended"),
-                    ("policy_execution", "Policy Execution"),
-                    ("policy_exception", "Policy Exception"),
-                    ("property_mapping_exception", "Property Mapping Exception"),
-                    ("system_task_execution", "System Task Execution"),
-                    ("system_task_exception", "System Task Exception"),
-                    ("configuration_error", "Configuration Error"),
-                    ("model_created", "Model Created"),
-                    ("model_updated", "Model Updated"),
-                    ("model_deleted", "Model Deleted"),
-                    ("update_available", "Update Available"),
-                    ("custom_", "Custom Prefix"),
-                ]
-            ),
-        ),
-        migrations.AlterField(
-            model_name="event",
-            name="action",
-            field=models.TextField(
-                choices=[
-                    ("login", "Login"),
-                    ("login_failed", "Login Failed"),
-                    ("logout", "Logout"),
-                    ("user_write", "User Write"),
-                    ("suspicious_request", "Suspicious Request"),
-                    ("password_set", "Password Set"),
-                    ("secret_view", "Secret View"),
-                    ("invitation_used", "Invite Used"),
-                    ("authorize_application", "Authorize Application"),
-                    ("source_linked", "Source Linked"),
-                    ("impersonation_started", "Impersonation Started"),
-                    ("impersonation_ended", "Impersonation Ended"),
-                    ("policy_execution", "Policy Execution"),
-                    ("policy_exception", "Policy Exception"),
-                    ("property_mapping_exception", "Property Mapping Exception"),
-                    ("system_task_execution", "System Task Execution"),
-                    ("system_task_exception", "System Task Exception"),
-                    ("configuration_error", "Configuration Error"),
-                    ("model_created", "Model Created"),
-                    ("model_updated", "Model Updated"),
-                    ("model_deleted", "Model Deleted"),
-                    ("update_available", "Update Available"),
-                    ("custom_", "Custom Prefix"),
-                ]
-            ),
-        ),
         migrations.RunPython(
             code=token_view_to_secret_view,
         ),
@@ -688,76 +467,11 @@ class Migration(migrations.Migration):
         migrations.RunPython(
             code=update_expires,
         ),
-        migrations.AlterField(
-            model_name="event",
-            name="action",
-            field=models.TextField(
-                choices=[
-                    ("login", "Login"),
-                    ("login_failed", "Login Failed"),
-                    ("logout", "Logout"),
-                    ("user_write", "User Write"),
-                    ("suspicious_request", "Suspicious Request"),
-                    ("password_set", "Password Set"),
-                    ("secret_view", "Secret View"),
-                    ("invitation_used", "Invite Used"),
-                    ("authorize_application", "Authorize Application"),
-                    ("source_linked", "Source Linked"),
-                    ("impersonation_started", "Impersonation Started"),
-                    ("impersonation_ended", "Impersonation Ended"),
-                    ("policy_execution", "Policy Execution"),
-                    ("policy_exception", "Policy Exception"),
-                    ("property_mapping_exception", "Property Mapping Exception"),
-                    ("system_task_execution", "System Task Execution"),
-                    ("system_task_exception", "System Task Exception"),
-                    ("configuration_error", "Configuration Error"),
-                    ("model_created", "Model Created"),
-                    ("model_updated", "Model Updated"),
-                    ("model_deleted", "Model Deleted"),
-                    ("email_sent", "Email Sent"),
-                    ("update_available", "Update Available"),
-                    ("custom_", "Custom Prefix"),
-                ]
-            ),
-        ),
         migrations.AddField(
             model_name="event",
             name="tenant",
             field=models.JSONField(blank=True, default=authentik.events.models.default_tenant),
         ),
-        migrations.AlterField(
-            model_name="event",
-            name="action",
-            field=models.TextField(
-                choices=[
-                    ("login", "Login"),
-                    ("login_failed", "Login Failed"),
-                    ("logout", "Logout"),
-                    ("user_write", "User Write"),
-                    ("suspicious_request", "Suspicious Request"),
-                    ("password_set", "Password Set"),
-                    ("secret_view", "Secret View"),
-                    ("invitation_used", "Invite Used"),
-                    ("authorize_application", "Authorize Application"),
-                    ("source_linked", "Source Linked"),
-                    ("impersonation_started", "Impersonation Started"),
-                    ("impersonation_ended", "Impersonation Ended"),
-                    ("policy_execution", "Policy Execution"),
-                    ("policy_exception", "Policy Exception"),
-                    ("property_mapping_exception", "Property Mapping Exception"),
-                    ("system_task_execution", "System Task Execution"),
-                    ("system_task_exception", "System Task Exception"),
-                    ("system_exception", "System Exception"),
-                    ("configuration_error", "Configuration Error"),
-                    ("model_created", "Model Created"),
-                    ("model_updated", "Model Updated"),
-                    ("model_deleted", "Model Deleted"),
-                    ("email_sent", "Email Sent"),
-                    ("update_available", "Update Available"),
-                    ("custom_", "Custom Prefix"),
-                ]
-            ),
-        ),
         migrations.AlterField(
             model_name="event",
             name="action",
@@ -776,6 +490,7 @@ class Migration(migrations.Migration):
                     ("source_linked", "Source Linked"),
                     ("impersonation_started", "Impersonation Started"),
                     ("impersonation_ended", "Impersonation Ended"),
+                    ("flow_execution", "Flow Execution"),
                     ("policy_execution", "Policy Execution"),
                     ("policy_exception", "Policy Exception"),
                     ("property_mapping_exception", "Property Mapping Exception"),
@@ -826,6 +541,8 @@ class Migration(migrations.Migration):
         migrations.AlterField(
             model_name="notificationtransport",
             name="webhook_url",
-            field=models.TextField(blank=True, validators=[django.core.validators.URLValidator()]),
+            field=models.TextField(
+                blank=True, validators=[authentik.lib.models.DomainlessURLValidator()]
+            ),
         ),
     ]

authentik/events/migrations/0003_auto_20200917_1155.py

@@ -10,7 +10,7 @@ def convert_user_to_json(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
     Event = apps.get_model("authentik_events", "Event")
 
     db_alias = schema_editor.connection.alias
-    for event in Event.objects.all():
+    for event in Event.objects.using(db_alias).all():
         event.delete()
         # Because event objects cannot be updated, we have to re-create them
         event.pk = None

authentik/events/migrations/0019_alter_notificationtransport_webhook_url.py

@@ -1,8 +1,9 @@
 # Generated by Django 3.2.7 on 2021-10-04 15:31
 
-import django.core.validators
 from django.db import migrations, models
 
+import authentik.lib.models
+
 
 class Migration(migrations.Migration):
 
@@ -14,6 +15,8 @@ class Migration(migrations.Migration):
         migrations.AlterField(
             model_name="notificationtransport",
             name="webhook_url",
-            field=models.TextField(blank=True, validators=[django.core.validators.URLValidator()]),
+            field=models.TextField(
+                blank=True, validators=[authentik.lib.models.DomainlessURLValidator()]
+            ),
         ),
     ]

authentik/events/models.py

@@ -1,13 +1,20 @@
 """authentik events models"""
+import time
+from collections import Counter
 from datetime import timedelta
-from inspect import getmodule, stack
+from inspect import currentframe
 from smtplib import SMTPException
-from typing import TYPE_CHECKING, Optional, Type, Union
+from typing import TYPE_CHECKING, Optional
 from uuid import uuid4
 
 from django.conf import settings
-from django.core.validators import URLValidator
 from django.db import models
+from django.db.models import Count, ExpressionWrapper, F
+from django.db.models.fields import DurationField
+from django.db.models.functions import ExtractHour
+from django.db.models.functions.datetime import ExtractDay
+from django.db.models.manager import Manager
+from django.db.models.query import QuerySet
 from django.http import HttpRequest
 from django.http.request import QueryDict
 from django.utils.timezone import now
@@ -20,6 +27,7 @@ from authentik.core.middleware import SESSION_IMPERSONATE_ORIGINAL_USER, SESSION
 from authentik.core.models import ExpiringModel, Group, PropertyMapping, User
 from authentik.events.geo import GEOIP_READER
 from authentik.events.utils import cleanse_dict, get_user, model_to_dict, sanitize_dict
+from authentik.lib.models import DomainlessURLValidator
 from authentik.lib.sentry import SentryIgnoredException
 from authentik.lib.utils.http import get_client_ip, get_http_session
 from authentik.lib.utils.time import timedelta_from_string
@@ -70,6 +78,7 @@ class EventAction(models.TextChoices):
     IMPERSONATION_STARTED = "impersonation_started"
     IMPERSONATION_ENDED = "impersonation_ended"
 
+    FLOW_EXECUTION = "flow_execution"
     POLICY_EXECUTION = "policy_execution"
     POLICY_EXCEPTION = "policy_exception"
     PROPERTY_MAPPING_EXCEPTION = "property_mapping_exception"
@@ -90,6 +99,72 @@ class EventAction(models.TextChoices):
     CUSTOM_PREFIX = "custom_"
 
 
+class EventQuerySet(QuerySet):
+    """Custom events query set with helper functions"""
+
+    def get_events_per_hour(self) -> list[dict[str, int]]:
+        """Get event count by hour in the last day, fill with zeros"""
+        date_from = now() - timedelta(days=1)
+        result = (
+            self.filter(created__gte=date_from)
+            .annotate(age=ExpressionWrapper(now() - F("created"), output_field=DurationField()))
+            .annotate(age_hours=ExtractHour("age"))
+            .values("age_hours")
+            .annotate(count=Count("pk"))
+            .order_by("age_hours")
+        )
+        data = Counter({int(d["age_hours"]): d["count"] for d in result})
+        results = []
+        _now = now()
+        for hour in range(0, -24, -1):
+            results.append(
+                {
+                    "x_cord": time.mktime((_now + timedelta(hours=hour)).timetuple()) * 1000,
+                    "y_cord": data[hour * -1],
+                }
+            )
+        return results
+
+    def get_events_per_day(self) -> list[dict[str, int]]:
+        """Get event count by hour in the last day, fill with zeros"""
+        date_from = now() - timedelta(weeks=4)
+        result = (
+            self.filter(created__gte=date_from)
+            .annotate(age=ExpressionWrapper(now() - F("created"), output_field=DurationField()))
+            .annotate(age_days=ExtractDay("age"))
+            .values("age_days")
+            .annotate(count=Count("pk"))
+            .order_by("age_days")
+        )
+        data = Counter({int(d["age_days"]): d["count"] for d in result})
+        results = []
+        _now = now()
+        for day in range(0, -30, -1):
+            results.append(
+                {
+                    "x_cord": time.mktime((_now + timedelta(days=day)).timetuple()) * 1000,
+                    "y_cord": data[day * -1],
+                }
+            )
+        return results
+
+
+class EventManager(Manager):
+    """Custom helper methods for Events"""
+
+    def get_queryset(self) -> QuerySet:
+        """use custom queryset"""
+        return EventQuerySet(self.model, using=self._db)
+
+    def get_events_per_hour(self) -> list[dict[str, int]]:
+        """Wrap method from queryset"""
+        return self.get_queryset().get_events_per_hour()
+
+    def get_events_per_day(self) -> list[dict[str, int]]:
+        """Wrap method from queryset"""
+        return self.get_queryset().get_events_per_day()
+
+
 class Event(ExpiringModel):
     """An individual Audit/Metrics/Notification/Error Event"""
 
@@ -105,6 +180,8 @@ class Event(ExpiringModel):
     # Shadow the expires attribute from ExpiringModel to override the default duration
     expires = models.DateTimeField(default=default_event_duration)
 
+    objects = EventManager()
+
     @staticmethod
     def _get_app_from_request(request: HttpRequest) -> str:
         if not isinstance(request, HttpRequest):
@@ -113,16 +190,17 @@ class Event(ExpiringModel):
 
     @staticmethod
     def new(
-        action: Union[str, EventAction],
+        action: str | EventAction,
         app: Optional[str] = None,
-        _inspect_offset: int = 1,
         **kwargs,
     ) -> "Event":
         """Create new Event instance from arguments. Instance is NOT saved."""
         if not isinstance(action, EventAction):
             action = EventAction.CUSTOM_PREFIX + action
         if not app:
-            app = getmodule(stack()[_inspect_offset][0]).__name__
+            current = currentframe()
+            parent = current.f_back
+            app = parent.f_globals["__name__"]
         cleaned_kwargs = cleanse_dict(sanitize_dict(kwargs))
         event = Event(action=action, app=app, context=cleaned_kwargs)
         return event
@@ -224,7 +302,7 @@ class NotificationTransport(models.Model):
     name = models.TextField(unique=True)
     mode = models.TextField(choices=TransportMode.choices)
 
-    webhook_url = models.TextField(blank=True, validators=[URLValidator()])
+    webhook_url = models.TextField(blank=True, validators=[DomainlessURLValidator()])
     webhook_mapping = models.ForeignKey(
         "NotificationWebhookMapping", on_delete=models.SET_DEFAULT, null=True, default=None
     )
@@ -439,7 +517,7 @@ class NotificationWebhookMapping(PropertyMapping):
         return "ak-property-mapping-notification-form"
 
     @property
-    def serializer(self) -> Type["Serializer"]:
+    def serializer(self) -> type["Serializer"]:
         from authentik.events.api.notification_mapping import NotificationWebhookMappingSerializer
 
         return NotificationWebhookMappingSerializer

authentik/events/monitored_tasks.py

@@ -46,7 +46,7 @@ class TaskResult:
 
     def with_error(self, exc: Exception) -> "TaskResult":
         """Since errors might not always be pickle-able, set the traceback"""
-        self.messages.extend(exception_to_string(exc).splitlines())
+        self.messages.append(str(exc))
         return self
 
 
@@ -112,30 +112,6 @@ class TaskInfo:
         cache.set(key, self, timeout=timeout_hours * 60 * 60)
 
 
-def prefill_task():
-    """Ensure a task's details are always in cache, so it can always be triggered via API"""
-
-    def inner_wrap(func):
-        status = TaskInfo.by_name(func.__name__)
-        if status:
-            return func
-        TaskInfo(
-            task_name=func.__name__,
-            task_description=func.__doc__,
-            result=TaskResult(TaskResultStatus.UNKNOWN, messages=[_("Task has not been run yet.")]),
-            task_call_module=func.__module__,
-            task_call_func=func.__name__,
-            # We don't have real values for these attributes but they cannot be null
-            start_timestamp=default_timer(),
-            finish_timestamp=default_timer(),
-            finish_time=datetime.now(),
-        ).save(86400)
-        LOGGER.debug("prefilled task", task_name=func.__name__)
-        return func
-
-    return inner_wrap
-
-
 class MonitoredTask(Task):
     """Task which can save its state to the cache"""
 
@@ -210,5 +186,21 @@ class MonitoredTask(Task):
         raise NotImplementedError
 
 
-for task in TaskInfo.all().values():
-    task.set_prom_metrics()
+def prefill_task(func):
+    """Ensure a task's details are always in cache, so it can always be triggered via API"""
+    status = TaskInfo.by_name(func.__name__)
+    if status:
+        return func
+    TaskInfo(
+        task_name=func.__name__,
+        task_description=func.__doc__,
+        result=TaskResult(TaskResultStatus.UNKNOWN, messages=[_("Task has not been run yet.")]),
+        task_call_module=func.__module__,
+        task_call_func=func.__name__,
+        # We don't have real values for these attributes but they cannot be null
+        start_timestamp=default_timer(),
+        finish_timestamp=default_timer(),
+        finish_time=datetime.now(),
+    ).save(86400)
+    LOGGER.debug("prefilled task", task_name=func.__name__)
+    return func

authentik/events/signals.py

@@ -3,14 +3,14 @@ from threading import Thread
 from typing import Any, Optional
 
 from django.contrib.auth.signals import user_logged_in, user_logged_out, user_login_failed
-from django.db.models.signals import post_save
+from django.db.models.signals import post_save, pre_delete
 from django.dispatch import receiver
 from django.http import HttpRequest
 
 from authentik.core.models import User
 from authentik.core.signals import password_changed
 from authentik.events.models import Event, EventAction
-from authentik.events.tasks import event_notification_handler
+from authentik.events.tasks import event_notification_handler, gdpr_cleanup
 from authentik.flows.planner import PLAN_CONTEXT_SOURCE, FlowPlan
 from authentik.flows.views.executor import SESSION_KEY_PLAN
 from authentik.stages.invitation.models import Invitation
@@ -108,3 +108,10 @@ def on_password_changed(sender, user: User, password: str, **_):
 def event_post_save_notification(sender, instance: Event, **_):
     """Start task to check if any policies trigger an notification on this event"""
     event_notification_handler.delay(instance.event_uuid.hex)
+
+
+@receiver(pre_delete, sender=User)
+# pylint: disable=unused-argument
+def event_user_pre_delete_cleanup(sender, instance: User, **_):
+    """If gdpr_compliance is enabled, remove all the user's events"""
+    gdpr_cleanup.delay(instance.pk)

authentik/events/tasks.py

@@ -106,3 +106,11 @@ def notification_transport(self: MonitoredTask, notification_pk: int, transport_
     except NotificationTransportError as exc:
         self.set_status(TaskResult(TaskResultStatus.ERROR).with_error(exc))
         raise exc
+
+
+@CELERY_APP.task()
+def gdpr_cleanup(user_pk: int):
+    """cleanup events from gdpr_compliance"""
+    events = Event.objects.filter(user__pk=user_pk)
+    LOGGER.debug("GDPR cleanup, removing events from user", events=events.count())
+    events.delete()

authentik/events/tests/test_api.py

@@ -3,7 +3,7 @@
 from django.urls import reverse
 from rest_framework.test import APITestCase
 
-from authentik.core.models import User
+from authentik.core.tests.utils import create_test_admin_user
 from authentik.events.models import (
     Event,
     EventAction,
@@ -17,7 +17,7 @@ class TestEventsAPI(APITestCase):
     """Test Event API"""
 
     def setUp(self) -> None:
-        self.user = User.objects.get(username="akadmin")
+        self.user = create_test_admin_user()
         self.client.force_login(self.user)
 
     def test_top_n(self):

authentik/events/tests/test_middleware.py

@@ -3,7 +3,8 @@
 from django.urls import reverse
 from rest_framework.test import APITestCase
 
-from authentik.core.models import Application, User
+from authentik.core.models import Application
+from authentik.core.tests.utils import create_test_admin_user
 from authentik.events.models import Event, EventAction
 
 
@@ -12,7 +13,7 @@ class TestEventsMiddleware(APITestCase):
 
     def setUp(self) -> None:
         super().setUp()
-        self.user = User.objects.get(username="akadmin")
+        self.user = create_test_admin_user()
         self.client.force_login(self.user)
 
     def test_create(self):

authentik/events/utils.py

@@ -93,6 +93,11 @@ def sanitize_dict(source: dict[Any, Any]) -> dict[Any, Any]:
             final_dict[key] = value.hex
         elif isinstance(value, (HttpRequest, WSGIRequest)):
             continue
+        elif isinstance(value, type):
+            final_dict[key] = {
+                "type": value.__name__,
+                "module": value.__module__,
+            }
         else:
             final_dict[key] = value
     return final_dict

authentik/flows/api/stages.py

@@ -41,6 +41,7 @@ class StageSerializer(ModelSerializer, MetaNameSerializer):
             "component",
             "verbose_name",
             "verbose_name_plural",
+            "meta_model_name",
             "flow_set",
         ]
 
@@ -89,7 +90,7 @@ class StageViewSet(
             stages += list(configurable_stage.objects.all().order_by("name"))
         matching_stages: list[dict] = []
         for stage in stages:
-            user_settings = stage.ui_user_settings
+            user_settings = stage.ui_user_settings()
             if not user_settings:
                 continue
             user_settings.initial_data["object_uid"] = str(stage.pk)