stages/consent: fix error when requests with identical empty permissions

closes #3280

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

.bumpversion.cfg

@@ -1,30 +1,18 @@
 [bumpversion]
-current_version = 2021.12.5
+current_version = 2022.7.3
 tag = True
 commit = True
-parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\-?(?P<release>.*)
-serialize = 
-	{major}.{minor}.{patch}-{release}
-	{major}.{minor}.{patch}
+parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)
+serialize = {major}.{minor}.{patch}
 message = release: {new_version}
 tag_name = version/{new_version}
 
-[bumpversion:part:release]
-optional_value = stable
-first_value = beta
-values = 
-	alpha
-	beta
-	stable
-
 [bumpversion:file:pyproject.toml]
 
 [bumpversion:file:docker-compose.yml]
 
 [bumpversion:file:schema.yml]
 
-[bumpversion:file:.github/workflows/release-publish.yml]
-
 [bumpversion:file:authentik/__init__.py]
 
 [bumpversion:file:internal/constants/constants.go]

.github/actions/docker-push-variables/action.yml

@@ -0,0 +1,63 @@
+name: 'Prepare docker environment variables'
+description: 'Prepare docker environment variables'
+
+outputs:
+  shouldBuild:
+    description: "Whether to build image or not"
+    value: ${{ steps.ev.outputs.shouldBuild }}
+  branchName:
+    description: "Branch name"
+    value: ${{ steps.ev.outputs.branchName }}
+  branchNameContainer:
+    description: "Branch name (for containers)"
+    value: ${{ steps.ev.outputs.branchNameContainer }}
+  timestamp:
+    description: "Timestamp"
+    value: ${{ steps.ev.outputs.timestamp }}
+  sha:
+    description: "sha"
+    value: ${{ steps.ev.outputs.sha }}
+  version:
+    description: "version"
+    value: ${{ steps.ev.outputs.version }}
+  versionFamily:
+    description: "versionFamily"
+    value: ${{ steps.ev.outputs.versionFamily }}
+
+runs:
+  using: "composite"
+  steps:
+    - name: Generate config
+      id: ev
+      shell: python
+      run: |
+        """Helper script to get the actual branch name, docker safe"""
+        import os
+        from time import time
+
+        env_pr_branch = "GITHUB_HEAD_REF"
+        default_branch = "GITHUB_REF"
+        sha = "GITHUB_SHA"
+
+        branch_name = os.environ[default_branch]
+        if os.environ.get(env_pr_branch, "") != "":
+            branch_name = os.environ[env_pr_branch]
+
+        should_build = str(os.environ.get("DOCKER_USERNAME", "") != "").lower()
+
+        print("##[set-output name=branchName]%s" % branch_name)
+        print(
+            "##[set-output name=branchNameContainer]%s"
+            % branch_name.replace("refs/heads/", "").replace("/", "-")
+        )
+        print("##[set-output name=timestamp]%s" % int(time()))
+        print("##[set-output name=sha]%s" % os.environ[sha])
+        print("##[set-output name=shouldBuild]%s" % should_build)
+
+        import configparser
+        parser = configparser.ConfigParser()
+        parser.read(".bumpversion.cfg")
+        version = parser.get("bumpversion", "current_version")
+        version_family = ".".join(version.split(".")[:-1])
+        print("##[set-output name=version]%s" % version)
+        print("##[set-output name=versionFamily]%s" % version_family)

.github/actions/setup/action.yml

@@ -0,0 +1,45 @@
+name: 'Setup authentik testing environemnt'
+description: 'Setup authentik testing environemnt'
+
+runs:
+  using: "composite"
+  steps:
+    - name: Install poetry
+      shell: bash
+      run: |
+        pipx install poetry || true
+        sudo apt update
+        sudo apt install -y libxmlsec1-dev pkg-config gettext
+    - name: Setup python and restore poetry
+      uses: actions/setup-python@v3
+      with:
+        python-version: '3.10'
+        cache: 'poetry'
+    - name: Setup node
+      uses: actions/setup-node@v3.1.0
+      with:
+        node-version: '16'
+        cache: 'npm'
+        cache-dependency-path: web/package-lock.json
+    - name: Setup dependencies
+      shell: bash
+      run: |
+        docker-compose -f .github/actions/setup/docker-compose.yml up -d
+        poetry env use python3.10
+        poetry install
+        npm install -g pyright@1.1.136
+    - name: Generate config
+      shell: poetry run python {0}
+      run: |
+        from authentik.lib.generators import generate_id
+        from yaml import safe_dump
+
+        with open("local.env.yml", "w") as _config:
+            safe_dump(
+                {
+                    "log_level": "debug",
+                    "secret_key": generate_id(),
+                },
+                _config,
+                default_flow_style=False,
+            )

.github/dependabot.yml

@@ -1,50 +1,62 @@
 version: 2
 updates:
-- package-ecosystem: "github-actions"
-  directory: "/"
-  schedule:
-    interval: daily
-    time: "04:00"
-  open-pull-requests-limit: 10
-  assignees:
-  - BeryJu
-- package-ecosystem: gomod
-  directory: "/"
-  schedule:
-    interval: daily
-    time: "04:00"
-  open-pull-requests-limit: 10
-  assignees:
-  - BeryJu
-- package-ecosystem: npm
-  directory: "/web"
-  schedule:
-    interval: daily
-    time: "04:00"
-  open-pull-requests-limit: 10
-  assignees:
-  - BeryJu
-- package-ecosystem: npm
-  directory: "/website"
-  schedule:
-    interval: daily
-    time: "04:00"
-  open-pull-requests-limit: 10
-  assignees:
-  - BeryJu
-- package-ecosystem: pip
-  directory: "/"
-  schedule:
-    interval: daily
-    time: "04:00"
-  open-pull-requests-limit: 10
-  assignees:
-  - BeryJu
-- package-ecosystem: docker
-  directory: "/"
-  schedule:
-    interval: daily
-    time: "04:00"
-  open-pull-requests-limit: 10
-  assignees:
-  - BeryJu
+    - package-ecosystem: "github-actions"
+      directory: "/"
+      schedule:
+          interval: daily
+          time: "04:00"
+      open-pull-requests-limit: 10
+      reviewers:
+          - "@goauthentik/core"
+      commit-message:
+          prefix: "ci:"
+    - package-ecosystem: gomod
+      directory: "/"
+      schedule:
+          interval: daily
+          time: "04:00"
+      open-pull-requests-limit: 10
+      reviewers:
+          - "@goauthentik/core"
+      commit-message:
+          prefix: "core:"
+    - package-ecosystem: npm
+      directory: "/web"
+      schedule:
+          interval: daily
+          time: "04:00"
+      open-pull-requests-limit: 10
+      reviewers:
+          - "@goauthentik/core"
+      commit-message:
+          prefix: "web:"
+    - package-ecosystem: npm
+      directory: "/website"
+      schedule:
+          interval: daily
+          time: "04:00"
+      open-pull-requests-limit: 10
+      reviewers:
+          - "@goauthentik/core"
+      commit-message:
+          prefix: "website:"
+    - package-ecosystem: pip
+      directory: "/"
+      schedule:
+          interval: daily
+          time: "04:00"
+      open-pull-requests-limit: 10
+      reviewers:
+          - "@goauthentik/core"
+      commit-message:
+          prefix: "core:"
+    - package-ecosystem: docker
+      directory: "/"
+      schedule:
+          interval: daily
+          time: "04:00"
+      open-pull-requests-limit: 10
+      reviewers:
+          - "@goauthentik/core"
+      commit-message:
+          prefix: "core:"

.github/pull_request_template.md

@@ -1,7 +1,7 @@
 <!--
 👋 Hello there! Welcome.
 
-Please check the [Contributing guidelines](https://github.com/goauthentik/authentik/blob/master/CONTRIBUTING.md#how-can-i-contribute).
+Please check the [Contributing guidelines](https://github.com/goauthentik/authentik/blob/main/CONTRIBUTING.md#how-can-i-contribute).
 -->
 
 # Details

.github/stale.yml

@@ -7,7 +7,10 @@ exemptLabels:
   - pinned
   - security
   - pr_wanted
+  - enhancement
+  - bug/confirmed
   - enhancement/confirmed
+  - question
 # Comment to post when marking an issue as stale. Set to `false` to disable
 markComment: >
   This issue has been automatically marked as stale because it has not had

.github/workflows/ci-main.yml

@@ -3,14 +3,14 @@ name: authentik-ci-main
 on:
   push:
     branches:
-      - master
+      - main
       - next
       - version-*
     paths-ignore:
       - website
   pull_request:
     branches:
-      - master
+      - main
 
 env:
   POSTGRES_DB: authentik
@@ -31,76 +31,38 @@ jobs:
           - pending-migrations
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
-      - uses: actions/setup-node@v2
-        with:
-          node-version: '16'
-      - id: cache-poetry
-        uses: actions/cache@v2.1.7
-        with:
-          path: ~/.cache/pypoetry/virtualenvs
-          key: ${{ runner.os }}-poetry-cache-v3-${{ hashFiles('**/poetry.lock') }}
-      - name: prepare
-        env:
-          INSTALL: ${{ steps.cache-poetry.outputs.cache-hit }}
-        run: scripts/ci_prepare.sh
+      - uses: actions/checkout@v3
+      - name: Setup authentik env
+        uses: ./.github/actions/setup
       - name: run job
         run: poetry run make ci-${{ matrix.job }}
   test-migrations:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
-      - id: cache-poetry
-        uses: actions/cache@v2.1.7
-        with:
-          path: ~/.cache/pypoetry/virtualenvs
-          key: ${{ runner.os }}-poetry-cache-v3-${{ hashFiles('**/poetry.lock') }}
-      - name: prepare
-        env:
-          INSTALL: ${{ steps.cache-poetry.outputs.cache-hit }}
-        run: scripts/ci_prepare.sh
+      - uses: actions/checkout@v3
+      - name: Setup authentik env
+        uses: ./.github/actions/setup
       - name: run migrations
         run: poetry run python -m lifecycle.migrate
   test-migrations-from-stable:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
         with:
           fetch-depth: 0
-      - uses: actions/setup-python@v2
-      - name: prepare variables
-        id: ev
-        run: |
-          python ./scripts/gh_env.py
-          sudo pip install -U pipenv
-      - id: cache-poetry
-        uses: actions/cache@v2.1.7
-        with:
-          path: ~/.cache/pypoetry/virtualenvs
-          key: ${{ runner.os }}-poetry-cache-v3-${{ hashFiles('**/poetry.lock') }}
+      - name: Setup authentik env
+        uses: ./.github/actions/setup
       - name: checkout stable
         run: |
           # Copy current, latest config to local
           cp authentik/lib/default.yml local.env.yml
           cp -R .github ..
           cp -R scripts ..
-          cp -R poetry.lock pyproject.toml ..
           git checkout $(git describe --abbrev=0 --match 'version/*')
           rm -rf .github/ scripts/
-          mv ../.github ../scripts ../poetry.lock ../pyproject.toml .
-      - name: prepare
-        env:
-          INSTALL: ${{ steps.cache-poetry.outputs.cache-hit }}
-        run: |
-          scripts/ci_prepare.sh
-          # Sync anyways since stable will have different dependencies
-          # TODO: Remove after next stable release
-          if [[ -f "Pipfile.lock" ]]; then
-            pipenv install --dev
-          fi
-          poetry install
+          mv ../.github ../scripts .
+      - name: Setup authentik env (ensure stable deps are installed)
+        uses: ./.github/actions/setup
       - name: run migrations to stable
         run: poetry run python -m lifecycle.migrate
       - name: checkout current code
@@ -108,34 +70,19 @@ jobs:
           set -x
           git fetch
           git reset --hard HEAD
-          # TODO: Remove after next stable release
-          rm -f poetry.lock
+          git clean -d -fx .
           git checkout $GITHUB_SHA
-          # TODO: Remove after next stable release
-          if [[ -f "Pipfile.lock" ]]; then
-            pipenv install --dev
-          fi
           poetry install
-      - name: prepare
-        env:
-          INSTALL: ${{ steps.cache-poetry.outputs.cache-hit }}
-        run: scripts/ci_prepare.sh
+      - name: Setup authentik env (ensure latest deps are installed)
+        uses: ./.github/actions/setup
       - name: migrate to latest
         run: poetry run python -m lifecycle.migrate
   test-unittest:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
-      - id: cache-poetry
-        uses: actions/cache@v2.1.7
-        with:
-          path: ~/.cache/pypoetry/virtualenvs
-          key: ${{ runner.os }}-poetry-cache-v3-${{ hashFiles('**/poetry.lock') }}
-      - name: prepare
-        env:
-          INSTALL: ${{ steps.cache-poetry.outputs.cache-hit }}
-        run: scripts/ci_prepare.sh
+      - uses: actions/checkout@v3
+      - name: Setup authentik env
+        uses: ./.github/actions/setup
       - uses: testspace-com/setup-testspace@v1
         with:
           domain: ${{github.repository_owner}}
@@ -148,26 +95,18 @@ jobs:
         run: |
           testspace [unittest]unittest.xml --link=codecov
       - if: ${{ always() }}
-        uses: codecov/codecov-action@v2
+        uses: codecov/codecov-action@v3
   test-integration:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
-      - id: cache-poetry
-        uses: actions/cache@v2.1.7
-        with:
-          path: ~/.cache/pypoetry/virtualenvs
-          key: ${{ runner.os }}-poetry-cache-v3-${{ hashFiles('**/poetry.lock') }}
-      - name: prepare
-        env:
-          INSTALL: ${{ steps.cache-poetry.outputs.cache-hit }}
-        run: scripts/ci_prepare.sh
+      - uses: actions/checkout@v3
+      - name: Setup authentik env
+        uses: ./.github/actions/setup
       - uses: testspace-com/setup-testspace@v1
         with:
           domain: ${{github.repository_owner}}
       - name: Create k8s Kind Cluster
-        uses: helm/kind-action@v1.2.0
+        uses: helm/kind-action@v1.3.0
       - name: run integration
         run: |
           poetry run make test-integration
@@ -177,41 +116,30 @@ jobs:
         run: |
           testspace [integration]unittest.xml --link=codecov
       - if: ${{ always() }}
-        uses: codecov/codecov-action@v2
+        uses: codecov/codecov-action@v3
   test-e2e-provider:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
-      - uses: actions/setup-node@v2
-        with:
-          node-version: '16'
-          cache: 'npm'
-          cache-dependency-path: web/package-lock.json
+      - uses: actions/checkout@v3
+      - name: Setup authentik env
+        uses: ./.github/actions/setup
       - uses: testspace-com/setup-testspace@v1
         with:
           domain: ${{github.repository_owner}}
-      - id: cache-poetry
-        uses: actions/cache@v2.1.7
-        with:
-          path: ~/.cache/pypoetry/virtualenvs
-          key: ${{ runner.os }}-poetry-cache-v3-${{ hashFiles('**/poetry.lock') }}
-      - name: prepare
-        env:
-          INSTALL: ${{ steps.cache-poetry.outputs.cache-hit }}
+      - name: Setup authentik env
         run: |
-          scripts/ci_prepare.sh
           docker-compose -f tests/e2e/docker-compose.yml up -d
       - id: cache-web
-        uses: actions/cache@v2.1.7
+        uses: actions/cache@v3
         with:
           path: web/dist
-          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/**') }}
+          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/src/**') }}
       - name: prepare web ui
         if: steps.cache-web.outputs.cache-hit != 'true'
+        working-directory: web
         run: |
-          cd web
-          npm i
+          npm ci
+          make -C .. gen-client-web
           npm run build
       - name: run e2e
         run: |
@@ -222,41 +150,30 @@ jobs:
         run: |
           testspace [e2e-provider]unittest.xml --link=codecov
       - if: ${{ always() }}
-        uses: codecov/codecov-action@v2
+        uses: codecov/codecov-action@v3
   test-e2e-rest:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
-      - uses: actions/setup-node@v2
-        with:
-          node-version: '16'
-          cache: 'npm'
-          cache-dependency-path: web/package-lock.json
+      - uses: actions/checkout@v3
+      - name: Setup authentik env
+        uses: ./.github/actions/setup
       - uses: testspace-com/setup-testspace@v1
         with:
           domain: ${{github.repository_owner}}
-      - id: cache-poetry
-        uses: actions/cache@v2.1.7
-        with:
-          path: ~/.cache/pypoetry/virtualenvs
-          key: ${{ runner.os }}-poetry-cache-v3-${{ hashFiles('**/poetry.lock') }}
-      - name: prepare
-        env:
-          INSTALL: ${{ steps.cache-poetry.outputs.cache-hit }}
+      - name: Setup authentik env
         run: |
-          scripts/ci_prepare.sh
           docker-compose -f tests/e2e/docker-compose.yml up -d
       - id: cache-web
-        uses: actions/cache@v2.1.7
+        uses: actions/cache@v3
         with:
           path: web/dist
-          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/**') }}
+          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/src/**') }}
       - name: prepare web ui
         if: steps.cache-web.outputs.cache-hit != 'true'
+        working-directory: web/
         run: |
-          cd web
-          npm i
+          npm ci
+          make -C .. gen-client-web
           npm run build
       - name: run e2e
         run: |
@@ -267,7 +184,7 @@ jobs:
         run: |
           testspace [e2e-rest]unittest.xml --link=codecov
       - if: ${{ always() }}
-        uses: codecov/codecov-action@v2
+        uses: codecov/codecov-action@v3
   ci-core-mark:
     needs:
       - lint
@@ -290,26 +207,25 @@ jobs:
         arch:
           - 'linux/amd64'
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v1.2.0
+        uses: docker/setup-qemu-action@v2.0.0
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
       - name: prepare variables
+        uses: ./.github/actions/docker-push-variables
         id: ev
         env:
           DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
-        run: |
-          python ./scripts/gh_env.py
       - name: Login to Container Registry
-        uses: docker/login-action@v1
+        uses: docker/login-action@v2
         if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Building Docker Image
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v3
         with:
           push: ${{ steps.ev.outputs.shouldBuild == 'true' }}
           tags: |
@@ -317,4 +233,5 @@ jobs:
             ghcr.io/goauthentik/dev-server:gh-${{ steps.ev.outputs.branchNameContainer }}-${{ steps.ev.outputs.timestamp }}-${{ steps.ev.outputs.sha }}
           build-args: |
             GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
+            VERSION_FAMILY=${{ steps.ev.outputs.versionFamily }}
           platforms: ${{ matrix.arch }}

.github/workflows/ci-outpost.yml

@@ -3,36 +3,47 @@ name: authentik-ci-outpost
 on:
   push:
     branches:
-      - master
+      - main
       - next
       - version-*
   pull_request:
     branches:
-      - master
+      - main
 
 jobs:
   lint-golint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-go@v2
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v3
         with:
           go-version: "^1.17"
-      - name: Run linter
+      - name: Prepare and generate API
         run: |
           # Create folder structure for go embeds
           mkdir -p web/dist
           mkdir -p website/help
           touch web/dist/test website/help/test
-          docker run \
-            --rm \
-            -v $(pwd):/app \
-            -w /app \
-            golangci/golangci-lint:v1.39.0 \
-            golangci-lint run -v --timeout 200s
+      - name: Generate API
+        run: make gen-client-go
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@v3
+  test-unittest:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v3
+        with:
+          go-version: "^1.17"
+      - name: Generate API
+        run: make gen-client-go
+      - name: Go unittests
+        run: |
+          go test -timeout 0 -v -race -coverprofile=coverage.out -covermode=atomic -cover ./...
   ci-outpost-mark:
     needs:
       - lint-golint
+      - test-unittest
     runs-on: ubuntu-latest
     steps:
       - run: echo mark
@@ -50,26 +61,27 @@ jobs:
           - 'linux/amd64'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v1.2.0
+        uses: docker/setup-qemu-action@v2.0.0
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
       - name: prepare variables
+        uses: ./.github/actions/docker-push-variables
         id: ev
         env:
           DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
-        run: |
-          python ./scripts/gh_env.py
       - name: Login to Container Registry
-        uses: docker/login-action@v1
+        uses: docker/login-action@v2
         if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Generate API
+        run: make gen-client-go
       - name: Building Docker Image
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v3
         with:
           push: ${{ steps.ev.outputs.shouldBuild == 'true' }}
           tags: |
@@ -79,6 +91,7 @@ jobs:
           file: ${{ matrix.type }}.Dockerfile
           build-args: |
             GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
+            VERSION_FAMILY=${{ steps.ev.outputs.versionFamily }}
           platforms: ${{ matrix.arch }}
   build-outpost-binary:
     timeout-minutes: 120
@@ -94,19 +107,21 @@ jobs:
         goos: [linux]
         goarch: [amd64, arm64]
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-go@v2
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v3
         with:
           go-version: "^1.17"
-      - uses: actions/setup-node@v2
+      - uses: actions/setup-node@v3.4.1
         with:
           node-version: '16'
           cache: 'npm'
           cache-dependency-path: web/package-lock.json
+      - name: Generate API
+        run: make gen-client-go
       - name: Build web
+        working-directory: web/
         run: |
-          cd web
-          npm install
+          npm ci
           npm run build-proxy
       - name: Build outpost
         run: |
@@ -114,7 +129,7 @@ jobs:
           export GOOS=${{ matrix.goos }}
           export GOARCH=${{ matrix.goarch }}
           go build -tags=outpost_static_embed -v -o ./authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }} ./cmd/${{ matrix.type }}
-      - uses: actions/upload-artifact@v2
+      - uses: actions/upload-artifact@v3
         with:
           name: authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }}
           path: ./authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }}

.github/workflows/ci-web.yml

@@ -3,68 +3,67 @@ name: authentik-ci-web
 on:
   push:
     branches:
-      - master
+      - main
       - next
       - version-*
   pull_request:
     branches:
-      - master
+      - main
 
 jobs:
   lint-eslint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-node@v2
+      - uses: actions/checkout@v3
+      - uses: actions/setup-node@v3.4.1
         with:
           node-version: '16'
           cache: 'npm'
           cache-dependency-path: web/package-lock.json
-      - run: |
-          cd web
-          npm install
+      - working-directory: web/
+        run: npm ci
       - name: Generate API
-        run: make gen-web
+        run: make gen-client-web
       - name: Eslint
-        run: |
-          cd web
-          npm run lint
+        working-directory: web/
+        run: npm run lint
   lint-prettier:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-node@v2
+      - uses: actions/checkout@v3
+      - uses: actions/setup-node@v3.4.1
         with:
           node-version: '16'
           cache: 'npm'
           cache-dependency-path: web/package-lock.json
-      - run: |
-          cd web
-          npm install
+      - working-directory: web/
+        run: npm ci
       - name: Generate API
-        run: make gen-web
+        run: make gen-client-web
       - name: prettier
-        run: |
-          cd web
-          npm run prettier-check
+        working-directory: web/
+        run: npm run prettier-check
   lint-lit-analyse:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-node@v2
+      - uses: actions/checkout@v3
+      - uses: actions/setup-node@v3.4.1
         with:
           node-version: '16'
           cache: 'npm'
           cache-dependency-path: web/package-lock.json
-      - run: |
-          cd web
-          npm install
-      - name: Generate API
-        run: make gen-web
-      - name: lit-analyse
+      - working-directory: web/
         run: |
-          cd web
-          npm run lit-analyse
+          npm ci
+          # lit-analyse doesn't understand path rewrites, so make it
+          # belive it's an actual module
+          cd node_modules/@goauthentik
+          ln -s ../../src/ web
+      - name: Generate API
+        run: make gen-client-web
+      - name: lit-analyse
+        working-directory: web/
+        run: npm run lit-analyse
   ci-web-mark:
     needs:
       - lint-eslint
@@ -78,18 +77,16 @@ jobs:
       - ci-web-mark
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-node@v2
+      - uses: actions/checkout@v3
+      - uses: actions/setup-node@v3.4.1
         with:
           node-version: '16'
           cache: 'npm'
           cache-dependency-path: web/package-lock.json
-      - run: |
-          cd web
-          npm install
+      - working-directory: web/
+        run: npm ci
       - name: Generate API
-        run: make gen-web
+        run: make gen-client-web
       - name: build
-        run: |
-          cd web
-          npm run build
+        working-directory: web/
+        run: npm run build

.github/workflows/ci-website.yml

@@ -0,0 +1,33 @@
+name: authentik-ci-website
+
+on:
+  push:
+    branches:
+      - main
+      - next
+      - version-*
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  lint-prettier:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-node@v3.4.1
+        with:
+          node-version: '16'
+          cache: 'npm'
+          cache-dependency-path: website/package-lock.json
+      - working-directory: website/
+        run: npm ci
+      - name: prettier
+        working-directory: website/
+        run: npm run prettier-check
+  ci-website-mark:
+    needs:
+      - lint-prettier
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo mark

.github/workflows/codeql-analysis.yml

@@ -2,10 +2,10 @@ name: "CodeQL"
 
 on:
   push:
-    branches: [ master, '*', next, version* ]
+    branches: [ main, '*', next, version* ]
   pull_request:
     # The branches below must be a subset of the branches above
-    branches: [ master ]
+    branches: [ main ]
   schedule:
     - cron: '30 6 * * 5'
 
@@ -28,11 +28,11 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
+      uses: github/codeql-action/init@v2
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -43,7 +43,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
+      uses: github/codeql-action/autobuild@v2
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -57,4 +57,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
+      uses: github/codeql-action/analyze@v2

.github/workflows/ghcr-retention.yml

@@ -19,4 +19,4 @@ jobs:
           org-name: goauthentik
           untagged-only: false
           token: ${{ secrets.GHCR_CLEANUP_TOKEN }}
-          skip-tags: gh-next,gh-master
+          skip-tags: gh-next,gh-main

.github/workflows/release-publish.yml

@@ -5,46 +5,41 @@ on:
     types: [published, created]
 
 jobs:
-  # Build
   build-server:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v1.2.0
+        uses: docker/setup-qemu-action@v2.0.0
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
+      - name: prepare variables
+        uses: ./.github/actions/docker-push-variables
+        id: ev
       - name: Docker Login Registry
-        uses: docker/login-action@v1
+        uses: docker/login-action@v2
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v1
+        uses: docker/login-action@v2
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Building Docker Image
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v3
         with:
           push: ${{ github.event_name == 'release' }}
           tags: |
-            beryju/authentik:2021.12.5,
+            beryju/authentik:${{ steps.ev.outputs.version }},
+            beryju/authentik:${{ steps.ev.outputs.versionFamily }},
             beryju/authentik:latest,
-            ghcr.io/goauthentik/server:2021.12.5,
+            ghcr.io/goauthentik/server:${{ steps.ev.outputs.version }},
+            ghcr.io/goauthentik/server:${{ steps.ev.outputs.versionFamily }},
             ghcr.io/goauthentik/server:latest
           platforms: linux/amd64,linux/arm64
           context: .
-      - name: Building Docker Image (stable)
-        if: ${{ github.event_name == 'release' && !contains('2021.12.5', 'rc') }}
-        run: |
-          docker pull beryju/authentik:latest
-          docker tag beryju/authentik:latest beryju/authentik:stable
-          docker push beryju/authentik:stable
-          docker pull ghcr.io/goauthentik/server:latest
-          docker tag ghcr.io/goauthentik/server:latest ghcr.io/goauthentik/server:stable
-          docker push ghcr.io/goauthentik/server:stable
   build-outpost:
     runs-on: ubuntu-latest
     strategy:
@@ -54,45 +49,41 @@ jobs:
           - proxy
           - ldap
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-go@v2
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v3
         with:
           go-version: "^1.17"
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v1.2.0
+        uses: docker/setup-qemu-action@v2.0.0
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
+      - name: prepare variables
+        uses: ./.github/actions/docker-push-variables
+        id: ev
       - name: Docker Login Registry
-        uses: docker/login-action@v1
+        uses: docker/login-action@v2
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v1
+        uses: docker/login-action@v2
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Building Docker Image
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v3
         with:
           push: ${{ github.event_name == 'release' }}
           tags: |
-            beryju/authentik-${{ matrix.type }}:2021.12.5,
+            beryju/authentik-${{ matrix.type }}:${{ steps.ev.outputs.version }},
+            beryju/authentik-${{ matrix.type }}:${{ steps.ev.outputs.versionFamily }},
             beryju/authentik-${{ matrix.type }}:latest,
-            ghcr.io/goauthentik/${{ matrix.type }}:2021.12.5,
+            ghcr.io/goauthentik/${{ matrix.type }}:${{ steps.ev.outputs.version }},
+            ghcr.io/goauthentik/${{ matrix.type }}:${{ steps.ev.outputs.versionFamily }},
             ghcr.io/goauthentik/${{ matrix.type }}:latest
           file: ${{ matrix.type }}.Dockerfile
           platforms: linux/amd64,linux/arm64
-      - name: Building Docker Image (stable)
-        if: ${{ github.event_name == 'release' && !contains('2021.12.5', 'rc') }}
-        run: |
-          docker pull beryju/authentik-${{ matrix.type }}:latest
-          docker tag beryju/authentik-${{ matrix.type }}:latest beryju/authentik-${{ matrix.type }}:stable
-          docker push beryju/authentik-${{ matrix.type }}:stable
-          docker pull ghcr.io/goauthentik/${{ matrix.type }}:latest
-          docker tag ghcr.io/goauthentik/${{ matrix.type }}:latest ghcr.io/goauthentik/${{ matrix.type }}:stable
-          docker push ghcr.io/goauthentik/${{ matrix.type }}:stable
   build-outpost-binary:
     timeout-minutes: 120
     runs-on: ubuntu-latest
@@ -105,19 +96,19 @@ jobs:
         goos: [linux, darwin]
         goarch: [amd64, arm64]
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-go@v2
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v3
         with:
           go-version: "^1.17"
-      - uses: actions/setup-node@v2
+      - uses: actions/setup-node@v3.4.1
         with:
           node-version: '16'
           cache: 'npm'
           cache-dependency-path: web/package-lock.json
       - name: Build web
+        working-directory: web/
         run: |
-          cd web
-          npm install
+          npm ci
           npm run build-proxy
       - name: Build outpost
         run: |
@@ -139,7 +130,7 @@ jobs:
       - build-outpost-binary
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - name: Run test suite in final docker images
         run: |
           echo "PG_PASS=$(openssl rand -base64 32)" >> .env
@@ -155,7 +146,10 @@ jobs:
       - build-outpost-binary
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
+      - name: prepare variables
+        uses: ./.github/actions/docker-push-variables
+        id: ev
       - name: Get static files from docker image
         run: |
           docker pull ghcr.io/goauthentik/server:latest
@@ -170,7 +164,7 @@ jobs:
           SENTRY_PROJECT: authentik
           SENTRY_URL: https://sentry.beryju.org
         with:
-          version: authentik@2021.12.5
+          version: authentik@${{ steps.ev.outputs.version }}
           environment: beryjuorg-prod
           sourcemaps: './web/dist'
           url_prefix: '~/static/dist'

.github/workflows/release-tag.yml

@@ -10,7 +10,7 @@ jobs:
     name: Create Release from Tag
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - name: Pre-release test
         run: |
           echo "PG_PASS=$(openssl rand -base64 32)" >> .env
@@ -27,7 +27,7 @@ jobs:
           docker-compose run -u root server test
       - name: Extract version number
         id: get_version
-        uses: actions/github-script@v5
+        uses: actions/github-script@v6
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |

.github/workflows/translation-compile.yml

@@ -1,14 +1,12 @@
 name: authentik-backend-translate-compile
 on:
   push:
-    branches: [ master ]
+    branches: [ main ]
     paths:
       - '/locale/'
   pull_request:
     paths:
       - '/locale/'
-  schedule:
-  - cron: "0 */2 * * *"
   workflow_dispatch:
 
 env:
@@ -20,24 +18,13 @@ jobs:
   compile:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
-      - id: cache-poetry
-        uses: actions/cache@v2.1.7
-        with:
-          path: ~/.cache/pypoetry/virtualenvs
-          key: ${{ runner.os }}-poetry-cache-v3-${{ hashFiles('**/poetry.lock') }}
-      - name: prepare
-        env:
-          INSTALL: ${{ steps.cache-poetry.outputs.cache-hit }}
-        run: |
-          sudo apt-get update
-          sudo apt-get install -y gettext
-          scripts/ci_prepare.sh
+      - uses: actions/checkout@v3
+      - name: Setup authentik env
+        uses: ./.github/actions/setup
       - name: run compile
         run: poetry run ./manage.py compilemessages
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v3
+        uses: peter-evans/create-pull-request@v4
         id: cpr
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -47,10 +34,3 @@ jobs:
           body: "core: compile backend translations"
           delete-branch: true
           signoff: true
-      - name: Enable Pull Request Automerge
-        if: steps.cpr.outputs.pull-request-operation == 'created'
-        uses: peter-evans/enable-pull-request-automerge@v1
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          pull-request-number: ${{ steps.cpr.outputs.pull-request-number }}
-          merge-method: squash

.github/workflows/web-api-publish.yml

@@ -1,35 +1,36 @@
 name: authentik-web-api-publish
 on:
   push:
-    branches: [ master ]
+    branches: [ main ]
     paths:
       - 'schema.yml'
+  workflow_dispatch:
 jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       # Setup .npmrc file to publish to npm
-      - uses: actions/setup-node@v2
+      - uses: actions/setup-node@v3.4.1
         with:
           node-version: '16'
           registry-url: 'https://registry.npmjs.org'
       - name: Generate API Client
-        run: make gen-web
+        run: make gen-client-web
       - name: Publish package
+        working-directory: gen-ts-api/
         run: |
-          cd web-api/
-          npm i
+          npm ci
           npm publish
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
       - name: Upgrade /web
+        working-directory: web/
         run: |
-          cd web/
-          export VERSION=`node -e 'console.log(require("../web-api/package.json").version)'`
+          export VERSION=`node -e 'console.log(require("../gen-ts-api/package.json").version)'`
           npm i @goauthentik/api@$VERSION
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v3
+        uses: peter-evans/create-pull-request@v4
         id: cpr
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -39,10 +40,3 @@ jobs:
           body: "web: Update Web API Client version"
           delete-branch: true
           signoff: true
-      - name: Enable Pull Request Automerge
-        if: steps.cpr.outputs.pull-request-operation == 'created'
-        uses: peter-evans/enable-pull-request-automerge@v1
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          pull-request-number: ${{ steps.cpr.outputs.pull-request-number }}
-          merge-method: squash

.gitignore

@@ -193,7 +193,6 @@ pip-selfcheck.json
 # End of https://www.gitignore.io/api/python,django
 /static/
 local.env.yml
-.vscode/
 
 # Selenium Screenshots
 selenium_screenshots/
@@ -202,5 +201,4 @@ media/
 *mmdb
 
 .idea/
-/api/
-/web-api/
+/gen-*/

.python-version

@@ -1 +0,0 @@
-3.9.7

.vscode/settings.json

@@ -1,5 +1,6 @@
 {
     "cSpell.words": [
+        "akadmin",
         "asgi",
         "authentik",
         "authn",
@@ -12,7 +13,8 @@
         "totp",
         "webauthn",
         "traefik",
-        "passwordless"
+        "passwordless",
+        "kubernetes"
     ],
     "python.linting.pylintEnabled": true,
     "todo-tree.tree.showCountsInTree": true,
@@ -20,5 +22,9 @@
     "python.formatting.provider": "black",
     "files.associations": {
         "*.akflow": "json"
-    }
+    },
+    "typescript.preferences.importModuleSpecifier": "non-relative",
+    "typescript.preferences.importModuleSpecifierEnding": "index",
+    "typescript.tsdk": "./web/node_modules/typescript/lib",
+    "typescript.enablePromptUseWorkspaceTsdk": true
 }

.vscode/tasks.json

@@ -0,0 +1,86 @@
+{
+    "version": "2.0.0",
+    "tasks": [
+        {
+            "label": "authentik[core]: format & test",
+            "command": "poetry",
+            "args": [
+                "run",
+                "make"
+            ],
+            "group": "build",
+        },
+        {
+            "label": "authentik[core]: run",
+            "command": "poetry",
+            "args": [
+                "run",
+                "make",
+                "run",
+            ],
+            "group": "build",
+            "presentation": {
+                "panel": "dedicated",
+                "group": "running"
+            },
+        },
+        {
+            "label": "authentik[web]: format",
+            "command": "make",
+            "args": ["web"],
+            "group": "build",
+        },
+        {
+            "label": "authentik[web]: watch",
+            "command": "make",
+            "args": ["web-watch"],
+            "group": "build",
+            "presentation": {
+                "panel": "dedicated",
+                "group": "running"
+            },
+        },
+        {
+            "label": "authentik: install",
+            "command": "make",
+            "args": ["install"],
+            "group": "build",
+        },
+        {
+            "label": "authentik: i18n-extract",
+            "command": "poetry",
+            "args": [
+                "run",
+                "make",
+                "i18n-extract"
+            ],
+            "group": "build",
+        },
+        {
+            "label": "authentik[website]: format",
+            "command": "make",
+            "args": ["website"],
+            "group": "build",
+        },
+        {
+            "label": "authentik[website]: watch",
+            "command": "make",
+            "args": ["website-watch"],
+            "group": "build",
+            "presentation": {
+                "panel": "dedicated",
+                "group": "running"
+            },
+        },
+        {
+            "label": "authentik[api]: generate",
+            "command": "poetry",
+            "args": [
+                "run",
+                "make",
+                "gen"
+            ],
+            "group": "build"
+        },
+    ]
+}

CODE_OF_CONDUCT.md

@@ -60,7 +60,7 @@ representative at an online or offline event.
 
 Instances of abusive, harassing, or otherwise unacceptable behavior may be
 reported to the community leaders responsible for enforcement at
-hello@beryju.org.
+hello@goauthentik.io.
 All complaints will be reviewed and investigated promptly and fairly.
 
 All community leaders are obligated to respect the privacy and security of the

Dockerfile

@@ -1,22 +1,35 @@
 # Stage 1: Build website
-FROM --platform=${BUILDPLATFORM} docker.io/node:16 as website-builder
+FROM --platform=${BUILDPLATFORM} docker.io/node:18 as website-builder
 
 COPY ./website /work/website/
 
 ENV NODE_ENV=production
-RUN cd /work/website && npm i && npm run build-docs-only
+WORKDIR /work/website
+RUN npm ci && npm run build-docs-only
 
 # Stage 2: Build webui
-FROM --platform=${BUILDPLATFORM} docker.io/node:16 as web-builder
+FROM --platform=${BUILDPLATFORM} docker.io/node:18 as web-builder
 
 COPY ./web /work/web/
 COPY ./website /work/website/
 
 ENV NODE_ENV=production
-RUN cd /work/web && npm i && npm run build
+WORKDIR /work/web
+RUN npm ci && npm run build
 
-# Stage 3: Build go proxy
-FROM docker.io/golang:1.17.5-bullseye AS builder
+# Stage 3: Poetry to requirements.txt export
+FROM docker.io/python:3.10.5-slim-bullseye AS poetry-locker
+
+WORKDIR /work
+COPY ./pyproject.toml /work
+COPY ./poetry.lock /work
+
+RUN pip install --no-cache-dir poetry && \
+    poetry export -f requirements.txt --output requirements.txt && \
+    poetry export -f requirements.txt --dev --output requirements-dev.txt
+
+# Stage 4: Build go proxy
+FROM docker.io/golang:1.18.4-bullseye AS builder
 
 WORKDIR /work
 
@@ -31,8 +44,8 @@ COPY ./go.sum /work/go.sum
 
 RUN go build -o /work/authentik ./cmd/server/main.go
 
-# Stage 4: Run
-FROM docker.io/python:3.10.1-slim-bullseye
+# Stage 5: Run
+FROM docker.io/python:3.10.5-slim-bullseye
 
 LABEL org.opencontainers.image.url https://goauthentik.io
 LABEL org.opencontainers.image.description goauthentik.io Main server image, see https://goauthentik.io for more info.
@@ -43,26 +56,25 @@ WORKDIR /
 ARG GIT_BUILD_HASH
 ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
 
-COPY ./pyproject.toml /
-COPY ./poetry.lock /
+COPY --from=poetry-locker /work/requirements.txt /
+COPY --from=poetry-locker /work/requirements-dev.txt /
 
 RUN apt-get update && \
-    apt-get install -y --no-install-recommends \
-        curl ca-certificates gnupg git runit libpq-dev \
-        postgresql-client build-essential libxmlsec1-dev \
-        pkg-config libmaxminddb0 && \
-    pip install poetry && \
-    poetry config virtualenvs.create false && \
-    poetry install --no-dev && \
-    rm -rf ~/.cache/pypoetry && \
-    apt-get remove --purge -y build-essential git && \
+    # Required for installing pip packages
+    apt-get install -y --no-install-recommends build-essential pkg-config libxmlsec1-dev && \
+    # Required for runtime
+    apt-get install -y --no-install-recommends libxmlsec1-openssl libmaxminddb0 && \
+    # Required for bootstrap & healtcheck
+    apt-get install -y --no-install-recommends curl runit && \
+    pip install --no-cache-dir -r /requirements.txt && \
+    apt-get remove --purge -y build-essential pkg-config libxmlsec1-dev && \
     apt-get autoremove --purge -y && \
     apt-get clean && \
     rm -rf /tmp/* /var/lib/apt/lists/* /var/tmp/ && \
     adduser --system --no-create-home --uid 1000 --group --home /authentik authentik && \
-    mkdir -p /backups /certs /media && \
+    mkdir -p /certs /media && \
     mkdir -p /authentik/.ssh && \
-    chown authentik:authentik /backups /certs /media /authentik/.ssh
+    chown authentik:authentik /certs /media /authentik/.ssh
 
 COPY ./authentik/ /authentik
 COPY ./pyproject.toml /

Makefile

@@ -15,6 +15,18 @@ test-e2e-provider:
 test-e2e-rest:
 	coverage run manage.py test tests/e2e/test_flows* tests/e2e/test_source*
 
+test-go:
+	go test -timeout 0 -v -race -cover ./...
+
+test-docker:
+	echo "PG_PASS=$(openssl rand -base64 32)" >> .env
+	echo "AUTHENTIK_SECRET_KEY=$(openssl rand -base64 32)" >> .env
+	docker-compose pull -q
+	docker-compose up --no-start
+	docker-compose start postgresql redis
+	docker-compose run -u root server test
+	rm -f .env
+
 test:
 	coverage run manage.py test authentik
 	coverage html
@@ -33,8 +45,8 @@ lint-fix:
 		website/developer-docs
 
 lint:
-	bandit -r authentik tests lifecycle -x node_modules
 	pylint authentik tests lifecycle
+	bandit -r authentik tests lifecycle -x node_modules
 	golangci-lint run -v
 
 i18n-extract: i18n-extract-core web-extract
@@ -43,28 +55,27 @@ i18n-extract-core:
 	./manage.py makemessages --ignore web --ignore internal --ignore web --ignore web-api --ignore website -l en
 
 gen-build:
-	./manage.py spectacular --file schema.yml
+	AUTHENTIK_DEBUG=true ./manage.py spectacular --file schema.yml
 
 gen-clean:
 	rm -rf web/api/src/
 	rm -rf api/
 
-gen-web:
+gen-client-web:
 	docker run \
 		--rm -v ${PWD}:/local \
 		--user ${UID}:${GID} \
-		openapitools/openapi-generator-cli generate \
+		openapitools/openapi-generator-cli:v6.0.0 generate \
 		-i /local/schema.yml \
 		-g typescript-fetch \
-		-o /local/web-api \
+		-o /local/gen-ts-api \
 		--additional-properties=typescriptThreePlus=true,supportsES6=true,npmName=@goauthentik/api,npmVersion=${NPM_VERSION}
 	mkdir -p web/node_modules/@goauthentik/api
-	python -m scripts.web_api_esm
-	\cp -fv scripts/web_api_readme.md web-api/README.md
-	cd web-api && npm i
-	\cp -rfv web-api/* web/node_modules/@goauthentik/api
+	\cp -fv scripts/web_api_readme.md gen-ts-api/README.md
+	cd gen-ts-api && npm i
+	\cp -rfv gen-ts-api/* web/node_modules/@goauthentik/api
 
-gen-outpost:
+gen-client-go:
 	wget https://raw.githubusercontent.com/goauthentik/client-go/main/config.yaml -O config.yaml
 	mkdir -p templates
 	wget https://raw.githubusercontent.com/goauthentik/client-go/main/templates/README.mustache -O templates/README.mustache
@@ -72,15 +83,15 @@ gen-outpost:
 	docker run \
 		--rm -v ${PWD}:/local \
 		--user ${UID}:${GID} \
-		openapitools/openapi-generator-cli:v5.2.1 generate \
+		openapitools/openapi-generator-cli:v6.0.0 generate \
 		-i /local/schema.yml \
 		-g go \
-		-o /local/api \
+		-o /local/gen-go-api \
 		-c /local/config.yaml
-	go mod edit -replace goauthentik.io/api=./api
+	go mod edit -replace goauthentik.io/api/v3=./gen-go-api
 	rm -rf config.yaml ./templates/
 
-gen: gen-build gen-clean gen-web
+gen: gen-build gen-clean gen-client-web
 
 migrate:
 	python -m lifecycle.migrate
@@ -88,10 +99,23 @@ migrate:
 run:
 	go run -v cmd/server/main.go
 
-web-watch:
-	cd web && npm run watch
+#########################
+## Web
+#########################
 
-web: web-lint-fix web-lint web-extract
+web-build: web-install
+	cd web && npm run build
+
+web: web-lint-fix web-lint
+
+web-install:
+	cd web && npm ci
+
+web-watch:
+	rm -rf web/dist/
+	mkdir web/dist/
+	touch web/dist/.gitkeep
+	cd web && npm run watch
 
 web-lint-fix:
 	cd web && npm run prettier
@@ -103,6 +127,21 @@ web-lint:
 web-extract:
 	cd web && npm run extract
 
+#########################
+## Website
+#########################
+
+website: website-lint-fix
+
+website-install:
+	cd website && npm ci
+
+website-lint-fix:
+	cd website && npm run prettier
+
+website-watch:
+	cd website && npm run watch
+
 # These targets are use by GitHub actions to allow usage of matrix
 # which makes the YAML File a lot smaller
 
@@ -127,3 +166,6 @@ ci-pyright: ci--meta-debug
 
 ci-pending-migrations: ci--meta-debug
 	./manage.py makemigrations --check
+
+install: web-install website-install
+	poetry install

README.md

@@ -9,7 +9,7 @@
 [![GitHub Workflow Status](https://img.shields.io/github/workflow/status/goauthentik/authentik/authentik-ci-outpost?label=outpost%20build&style=for-the-badge)](https://github.com/goauthentik/authentik/actions/workflows/ci-outpost.yml)
 [![GitHub Workflow Status](https://img.shields.io/github/workflow/status/goauthentik/authentik/authentik-ci-web?label=web%20build&style=for-the-badge)](https://github.com/goauthentik/authentik/actions/workflows/ci-web.yml)
 [![Code Coverage](https://img.shields.io/codecov/c/gh/goauthentik/authentik?style=for-the-badge)](https://codecov.io/gh/goauthentik/authentik)
-[![Testspace tests](https://img.shields.io/testspace/total/goauthentik/goauthentik:authentik/master?style=for-the-badge)](https://goauthentik.testspace.com/)
+[![Testspace tests](https://img.shields.io/testspace/total/goauthentik/goauthentik:authentik/main?style=for-the-badge)](https://goauthentik.testspace.com/)
 ![Docker pulls](https://img.shields.io/docker/pulls/beryju/authentik.svg?style=for-the-badge)
 ![Latest version](https://img.shields.io/docker/v/beryju/authentik?sort=semver&style=for-the-badge)
 [![](https://img.shields.io/badge/Help%20translate-transifex-blue?style=for-the-badge)](https://www.transifex.com/beryjuorg/authentik/)
@@ -57,4 +57,4 @@ DigitalOcean provides development and testing resources for authentik.
     </a>
 </p>
 
-Netlify hosts the [goauthentik.io](goauthentik.io) site.
+Netlify hosts the [goauthentik.io](https://goauthentik.io) site.

SECURITY.md

@@ -6,9 +6,10 @@
 
 | Version    | Supported          |
 | ---------- | ------------------ |
-| 2021.10.x  | :white_check_mark: |
-| 2021.12.x  | :white_check_mark: |
+| 2022.5.x   | :white_check_mark: |
+| 2022.6.x   | :white_check_mark: |
+| 2022.7.x   | :white_check_mark: |
 
 ## Reporting a Vulnerability
 
-To report a vulnerability, send an email to [security@beryju.org](mailto:security@beryju.org)
+To report a vulnerability, send an email to [security@goauthentik.io](mailto:security@goauthentik.io)

authentik/__init__.py

@@ -1,3 +1,22 @@
 """authentik"""
-__version__ = "2021.12.5"
+from os import environ
+from typing import Optional
+
+__version__ = "2022.7.3"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
+
+
+def get_build_hash(fallback: Optional[str] = None) -> str:
+    """Get build hash"""
+    build_hash = environ.get(ENV_GIT_HASH_KEY, fallback if fallback else "")
+    if build_hash == "" and fallback:
+        return fallback
+    return build_hash
+
+
+def get_full_version() -> str:
+    """Get full version, with build hash appended"""
+    version = __version__
+    if (build_hash := get_build_hash()) != "":
+        version += "." + build_hash
+    return version

authentik/admin/api/tasks.py

@@ -12,10 +12,13 @@ from rest_framework.permissions import IsAdminUser
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.viewsets import ViewSet
+from structlog.stdlib import get_logger
 
 from authentik.core.api.utils import PassiveSerializer
 from authentik.events.monitored_tasks import TaskInfo, TaskResultStatus
 
+LOGGER = get_logger()
+
 
 class TaskSerializer(PassiveSerializer):
     """Serialize TaskInfo and TaskResult"""
@@ -89,6 +92,7 @@ class TaskViewSet(ViewSet):
         try:
             task_module = import_module(task.task_call_module)
             task_func = getattr(task_module, task.task_call_func)
+            LOGGER.debug("Running task", task=task_func)
             task_func.delay(*task.task_call_args, **task.task_call_kwargs)
             messages.success(
                 self.request,
@@ -96,6 +100,7 @@ class TaskViewSet(ViewSet):
             )
             return Response(status=204)
         except (ImportError, AttributeError):  # pragma: no cover
+            LOGGER.warning("Failed to run task, remove state", task=task)
             # if we get an import error, the module path has probably changed
             task.delete()
             return Response(status=500)

authentik/admin/api/version.py

@@ -1,6 +1,4 @@
 """authentik administration overview"""
-from os import environ
-
 from django.core.cache import cache
 from drf_spectacular.utils import extend_schema
 from packaging.version import parse
@@ -10,7 +8,7 @@ from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.views import APIView
 
-from authentik import ENV_GIT_HASH_KEY, __version__
+from authentik import __version__, get_build_hash
 from authentik.admin.tasks import VERSION_CACHE_KEY, update_latest_version
 from authentik.core.api.utils import PassiveSerializer
 
@@ -25,7 +23,7 @@ class VersionSerializer(PassiveSerializer):
 
     def get_build_hash(self, _) -> str:
         """Get build hash, if version is not latest or released"""
-        return environ.get(ENV_GIT_HASH_KEY, "")
+        return get_build_hash()
 
     def get_version_current(self, _) -> str:
         """Get current version"""

authentik/admin/api/workers.py

@@ -1,7 +1,6 @@
 """authentik administration overview"""
 from django.conf import settings
 from drf_spectacular.utils import extend_schema, inline_serializer
-from prometheus_client import Gauge
 from rest_framework.fields import IntegerField
 from rest_framework.permissions import IsAdminUser
 from rest_framework.request import Request
@@ -10,8 +9,6 @@ from rest_framework.views import APIView
 
 from authentik.root.celery import CELERY_APP
 
-GAUGE_WORKERS = Gauge("authentik_admin_workers", "Currently connected workers")
-
 
 class WorkerView(APIView):
     """Get currently connected worker count."""

authentik/admin/apps.py

@@ -1,5 +1,11 @@
 """authentik admin app config"""
+from importlib import import_module
+
 from django.apps import AppConfig
+from prometheus_client import Gauge, Info
+
+PROM_INFO = Info("authentik_version", "Currently running authentik version")
+GAUGE_WORKERS = Gauge("authentik_admin_workers", "Currently connected workers")
 
 
 class AuthentikAdminConfig(AppConfig):
@@ -10,6 +16,4 @@ class AuthentikAdminConfig(AppConfig):
     verbose_name = "authentik Admin"
 
     def ready(self):
-        from authentik.admin.tasks import clear_update_notifications
-
-        clear_update_notifications.delay()
+        import_module("authentik.admin.signals")

authentik/admin/settings.py

@@ -1,10 +1,12 @@
 """authentik admin settings"""
 from celery.schedules import crontab
 
+from authentik.lib.utils.time import fqdn_rand
+
 CELERY_BEAT_SCHEDULE = {
     "admin_latest_version": {
         "task": "authentik.admin.tasks.update_latest_version",
-        "schedule": crontab(minute="*/60"),  # Run every hour
+        "schedule": crontab(minute=fqdn_rand("admin_latest_version"), hour="*"),
         "options": {"queue": "authentik_scheduled"},
     }
 }

authentik/admin/signals.py

@@ -0,0 +1,23 @@
+"""admin signals"""
+from django.dispatch import receiver
+
+from authentik.admin.api.tasks import TaskInfo
+from authentik.admin.apps import GAUGE_WORKERS
+from authentik.root.celery import CELERY_APP
+from authentik.root.monitoring import monitoring_set
+
+
+@receiver(monitoring_set)
+# pylint: disable=unused-argument
+def monitoring_set_workers(sender, **kwargs):
+    """Set worker gauge"""
+    count = len(CELERY_APP.control.ping(timeout=0.5))
+    GAUGE_WORKERS.set(count)
+
+
+@receiver(monitoring_set)
+# pylint: disable=unused-argument
+def monitoring_set_tasks(sender, **kwargs):
+    """Set task gauges"""
+    for task in TaskInfo.all().values():
+        task.set_prom_metrics()

authentik/admin/tasks.py

@@ -1,15 +1,14 @@
 """authentik admin tasks"""
 import re
-from os import environ
 
 from django.core.cache import cache
 from django.core.validators import URLValidator
 from packaging.version import parse
-from prometheus_client import Info
 from requests import RequestException
 from structlog.stdlib import get_logger
 
-from authentik import ENV_GIT_HASH_KEY, __version__
+from authentik import __version__, get_build_hash
+from authentik.admin.apps import PROM_INFO
 from authentik.events.models import Event, EventAction, Notification
 from authentik.events.monitored_tasks import (
     MonitoredTask,
@@ -26,7 +25,6 @@ VERSION_CACHE_KEY = "authentik_latest_version"
 VERSION_CACHE_TIMEOUT = 8 * 60 * 60  # 8 hours
 # Chop of the first ^ because we want to search the entire string
 URL_FINDER = URLValidator.regex.pattern[1:]
-PROM_INFO = Info("authentik_version", "Currently running authentik version")
 LOCAL_VERSION = parse(__version__)
 
 
@@ -36,7 +34,7 @@ def _set_prom_info():
         {
             "version": __version__,
             "latest": cache.get(VERSION_CACHE_KEY, ""),
-            "build_hash": environ.get(ENV_GIT_HASH_KEY, ""),
+            "build_hash": get_build_hash(),
         }
     )
 

authentik/admin/tests/test_tasks.py

@@ -26,7 +26,7 @@ class TestAdminTasks(TestCase):
 
     def test_version_valid_response(self):
         """Test Update checker with valid response"""
-        with Mocker() as mocker:
+        with Mocker() as mocker, CONFIG.patch("disable_update_check", False):
             mocker.get("https://version.goauthentik.io/version.json", json=RESPONSE_VALID)
             update_latest_version.delay().get()
             self.assertEqual(cache.get(VERSION_CACHE_KEY), "99999999.9999999")

authentik/api/authentication.py

@@ -1,6 +1,4 @@
 """API Authentication"""
-from base64 import b64decode
-from binascii import Error
 from typing import Any, Optional
 
 from django.conf import settings
@@ -12,42 +10,58 @@ from structlog.stdlib import get_logger
 from authentik.core.middleware import KEY_AUTH_VIA, LOCAL
 from authentik.core.models import Token, TokenIntents, User
 from authentik.outposts.models import Outpost
+from authentik.providers.oauth2.constants import SCOPE_AUTHENTIK_API
+from authentik.providers.oauth2.models import RefreshToken
 
 LOGGER = get_logger()
 
 
-# pylint: disable=too-many-return-statements
-def bearer_auth(raw_header: bytes) -> Optional[User]:
-    """raw_header in the Format of `Bearer dGVzdDp0ZXN0`"""
-    auth_credentials = raw_header.decode()
+def validate_auth(header: bytes) -> str:
+    """Validate that the header is in a correct format,
+    returns type and credentials"""
+    auth_credentials = header.decode().strip()
     if auth_credentials == "" or " " not in auth_credentials:
         return None
     auth_type, _, auth_credentials = auth_credentials.partition(" ")
-    if auth_type.lower() not in ["basic", "bearer"]:
+    if auth_type.lower() != "bearer":
         LOGGER.debug("Unsupported authentication type, denying", type=auth_type.lower())
         raise AuthenticationFailed("Unsupported authentication type")
-    password = auth_credentials
-    if auth_type.lower() == "basic":
-        try:
-            auth_credentials = b64decode(auth_credentials.encode()).decode()
-        except (UnicodeDecodeError, Error):
-            raise AuthenticationFailed("Malformed header")
-        # Accept credentials with username and without
-        if ":" in auth_credentials:
-            _, _, password = auth_credentials.partition(":")
-        else:
-            password = auth_credentials
-    if password == "":  # nosec
+    if auth_credentials == "":  # nosec # noqa
         raise AuthenticationFailed("Malformed header")
-    tokens = Token.filter_not_expired(key=password, intent=TokenIntents.INTENT_API)
-    if not tokens.exists():
-        user = token_secret_key(password)
-        if not user:
-            raise AuthenticationFailed("Token invalid/expired")
-        return user
-    if hasattr(LOCAL, "authentik"):
+    return auth_credentials
+
+
+def bearer_auth(raw_header: bytes) -> Optional[User]:
+    """raw_header in the Format of `Bearer ....`"""
+    auth_credentials = validate_auth(raw_header)
+    if not auth_credentials:
+        return None
+    if not hasattr(LOCAL, "authentik"):
+        LOCAL.authentik = {}
+    # first, check traditional tokens
+    key_token = Token.filter_not_expired(
+        key=auth_credentials, intent=TokenIntents.INTENT_API
+    ).first()
+    if key_token:
         LOCAL.authentik[KEY_AUTH_VIA] = "api_token"
-    return tokens.first().user
+        return key_token.user
+    # then try to auth via JWT
+    jwt_token = RefreshToken.filter_not_expired(
+        refresh_token=auth_credentials, _scope__icontains=SCOPE_AUTHENTIK_API
+    ).first()
+    if jwt_token:
+        # Double-check scopes, since they are saved in a single string
+        # we want to check the parsed version too
+        if SCOPE_AUTHENTIK_API not in jwt_token.scope:
+            raise AuthenticationFailed("Token invalid/expired")
+        LOCAL.authentik[KEY_AUTH_VIA] = "jwt"
+        return jwt_token.user
+    # then try to auth via secret key (for embedded outpost/etc)
+    user = token_secret_key(auth_credentials)
+    if user:
+        LOCAL.authentik[KEY_AUTH_VIA] = "secret_key"
+        return user
+    raise AuthenticationFailed("Token invalid/expired")
 
 
 def token_secret_key(value: str) -> Optional[User]:
@@ -60,8 +74,6 @@ def token_secret_key(value: str) -> Optional[User]:
     outposts = Outpost.objects.filter(managed=MANAGED_OUTPOST)
     if not outposts:
         return None
-    if hasattr(LOCAL, "authentik"):
-        LOCAL.authentik[KEY_AUTH_VIA] = "secret_key"
     outpost = outposts.first()
     return outpost.user
 

authentik/api/authorization.py

@@ -12,6 +12,8 @@ class OwnerFilter(BaseFilterBackend):
     owner_key = "user"
 
     def filter_queryset(self, request: Request, queryset: QuerySet, view) -> QuerySet:
+        if request.user.is_superuser:
+            return queryset
         return queryset.filter(**{self.owner_key: request.user})
 
 

authentik/api/templates/api/browser.html

@@ -8,9 +8,6 @@ API Browser - {{ tenant.branding_title }}
 
 {% block head %}
 <script type="module" src="{% static 'dist/rapidoc-min.js' %}"></script>
-{% endblock %}
-
-{% block body %}
 <script>
 function getCookie(name) {
     let cookieValue = "";
@@ -30,20 +27,62 @@ function getCookie(name) {
 window.addEventListener('DOMContentLoaded', (event) => {
     const rapidocEl = document.querySelector('rapi-doc');
     rapidocEl.addEventListener('before-try', (e) => {
-        e.detail.request.headers.append('X-CSRFToken', getCookie("authentik_csrf"));
+        e.detail.request.headers.append('X-authentik-CSRF', getCookie("authentik_csrf"));
     });
 });
 </script>
+<style>
+    img.logo {
+        width: 100%;
+        padding: 1rem 0.5rem 1.5rem 0.5rem;
+        min-height: 48px;
+    }
+</style>
+{% endblock %}
+
+{% block body %}
 <rapi-doc
     spec-url="{{ path }}"
-    heading-text="authentik"
-    theme="dark"
-    render-style="view"
+    heading-text=""
+    theme="light"
+    render-style="read"
+    default-schema-tab="schema"
     primary-color="#fd4b2d"
+    nav-bg-color="#212427"
+    bg-color="#000000"
+    text-color="#000000"
+    nav-text-color="#ffffff"
+    nav-hover-bg-color="#3c3f42"
+    nav-accent-color="#4f5255"
+    nav-hover-text-color="#ffffff"
+    use-path-in-nav-bar="true"
+    nav-item-spacing="relaxed"
+    allow-server-selection="false"
+    show-header="false"
     allow-spec-url-load="false"
     allow-spec-file-load="false">
-    <div slot="logo">
-        <img src="{% static 'dist/assets/icons/icon.png' %}" style="width:50px; height:50px" />
+    <div slot="nav-logo">
+        <img class="logo" src="{% static 'dist/assets/icons/icon_left_brand.png' %}" />
     </div>
 </rapi-doc>
+<script>
+const rapidoc = document.querySelector("rapi-doc");
+const matcher = window.matchMedia("(prefers-color-scheme: light)");
+const changer = (ev) => {
+    const style = getComputedStyle(document.documentElement);
+    let bg, text = "";
+    if (matcher.matches) {
+        bg = style.getPropertyValue('--pf-global--BackgroundColor--light-300');
+        text = style.getPropertyValue('--pf-global--Color--300');
+    } else {
+        bg = style.getPropertyValue('--ak-dark-background');
+        text = style.getPropertyValue('--ak-dark-foreground');
+    }
+    rapidoc.attributes.getNamedItem("bg-color").value = bg.trim();
+    rapidoc.attributes.getNamedItem("text-color").value = text.trim();
+    rapidoc.requestUpdate();
+};
+matcher.addEventListener("change", changer);
+window.addEventListener("load", changer);
+</script>
 {% endblock %}

authentik/api/tests/test_auth.py

@@ -8,37 +8,25 @@ from rest_framework.exceptions import AuthenticationFailed
 
 from authentik.api.authentication import bearer_auth
 from authentik.core.models import USER_ATTRIBUTE_SA, Token, TokenIntents
+from authentik.core.tests.utils import create_test_flow
+from authentik.lib.generators import generate_id
 from authentik.outposts.managed import OutpostManager
+from authentik.providers.oauth2.constants import SCOPE_AUTHENTIK_API
+from authentik.providers.oauth2.models import OAuth2Provider, RefreshToken
 
 
 class TestAPIAuth(TestCase):
     """Test API Authentication"""
 
-    def test_valid_basic(self):
-        """Test valid token"""
-        token = Token.objects.create(intent=TokenIntents.INTENT_API, user=get_anonymous_user())
-        auth = b64encode(f":{token.key}".encode()).decode()
-        self.assertEqual(bearer_auth(f"Basic {auth}".encode()), token.user)
-
-    def test_valid_bearer(self):
-        """Test valid token"""
-        token = Token.objects.create(intent=TokenIntents.INTENT_API, user=get_anonymous_user())
-        self.assertEqual(bearer_auth(f"Bearer {token.key}".encode()), token.user)
-
     def test_invalid_type(self):
         """Test invalid type"""
         with self.assertRaises(AuthenticationFailed):
             bearer_auth("foo bar".encode())
 
-    def test_invalid_decode(self):
-        """Test invalid bas64"""
-        with self.assertRaises(AuthenticationFailed):
-            bearer_auth("Basic bar".encode())
-
-    def test_invalid_empty_password(self):
-        """Test invalid with empty password"""
-        with self.assertRaises(AuthenticationFailed):
-            bearer_auth("Basic :".encode())
+    def test_invalid_empty(self):
+        """Test invalid type"""
+        self.assertIsNone(bearer_auth("Bearer ".encode()))
+        self.assertIsNone(bearer_auth("".encode()))
 
     def test_invalid_no_token(self):
         """Test invalid with no token"""
@@ -46,6 +34,11 @@ class TestAPIAuth(TestCase):
             auth = b64encode(":abc".encode()).decode()
             self.assertIsNone(bearer_auth(f"Basic :{auth}".encode()))
 
+    def test_bearer_valid(self):
+        """Test valid token"""
+        token = Token.objects.create(intent=TokenIntents.INTENT_API, user=get_anonymous_user())
+        self.assertEqual(bearer_auth(f"Bearer {token.key}".encode()), token.user)
+
     def test_managed_outpost(self):
         """Test managed outpost"""
         with self.assertRaises(AuthenticationFailed):
@@ -54,3 +47,30 @@ class TestAPIAuth(TestCase):
         OutpostManager().run()
         user = bearer_auth(f"Bearer {settings.SECRET_KEY}".encode())
         self.assertEqual(user.attributes[USER_ATTRIBUTE_SA], True)
+
+    def test_jwt_valid(self):
+        """Test valid JWT"""
+        provider = OAuth2Provider.objects.create(
+            name=generate_id(), client_id=generate_id(), authorization_flow=create_test_flow()
+        )
+        refresh = RefreshToken.objects.create(
+            user=get_anonymous_user(),
+            provider=provider,
+            refresh_token=generate_id(),
+            _scope=SCOPE_AUTHENTIK_API,
+        )
+        self.assertEqual(bearer_auth(f"Bearer {refresh.refresh_token}".encode()), refresh.user)
+
+    def test_jwt_missing_scope(self):
+        """Test valid JWT"""
+        provider = OAuth2Provider.objects.create(
+            name=generate_id(), client_id=generate_id(), authorization_flow=create_test_flow()
+        )
+        refresh = RefreshToken.objects.create(
+            user=get_anonymous_user(),
+            provider=provider,
+            refresh_token=generate_id(),
+            _scope="",
+        )
+        with self.assertRaises(AuthenticationFailed):
+            self.assertEqual(bearer_auth(f"Bearer {refresh.refresh_token}".encode()), refresh.user)

authentik/api/tests/test_viewsets.py

@@ -0,0 +1,29 @@
+"""authentik API Modelviewset tests"""
+from typing import Callable
+
+from django.test import TestCase
+from rest_framework.viewsets import ModelViewSet, ReadOnlyModelViewSet
+
+from authentik.api.v3.urls import router
+
+
+class TestModelViewSets(TestCase):
+    """Test Viewset"""
+
+
+def viewset_tester_factory(test_viewset: type[ModelViewSet]) -> Callable:
+    """Test Viewset"""
+
+    def tester(self: TestModelViewSets):
+        self.assertIsNotNone(getattr(test_viewset, "search_fields", None))
+        filterset_class = getattr(test_viewset, "filterset_class", None)
+        if not filterset_class:
+            self.assertIsNotNone(getattr(test_viewset, "filterset_fields", None))
+
+    return tester
+
+
+for _, viewset, _ in router.registry:
+    if not issubclass(viewset, (ModelViewSet, ReadOnlyModelViewSet)):
+        continue
+    setattr(TestModelViewSets, f"test_viewset_{viewset.__name__}", viewset_tester_factory(viewset))

authentik/api/urls.py

@@ -4,7 +4,5 @@ from django.urls import include, path
 from authentik.api.v3.urls import urlpatterns as v3_urls
 
 urlpatterns = [
-    # TODO: Remove in 2022.1
-    path("v2beta/", include(v3_urls)),
     path("v3/", include(v3_urls)),
 ]

authentik/api/v3/config.py

@@ -1,10 +1,9 @@
 """core Configs API"""
-from os import environ, path
+from os import path
 
 from django.conf import settings
 from django.db import models
 from drf_spectacular.utils import extend_schema
-from kubernetes.config.incluster_config import SERVICE_HOST_ENV_NAME
 from rest_framework.fields import (
     BooleanField,
     CharField,
@@ -28,7 +27,7 @@ class Capabilities(models.TextChoices):
 
     CAN_SAVE_MEDIA = "can_save_media"
     CAN_GEO_IP = "can_geo_ip"
-    CAN_BACKUP = "can_backup"
+    CAN_IMPERSONATE = "can_impersonate"
 
 
 class ErrorReportingConfigSerializer(PassiveSerializer):
@@ -65,13 +64,8 @@ class ConfigView(APIView):
             caps.append(Capabilities.CAN_SAVE_MEDIA)
         if GEOIP_READER.enabled:
             caps.append(Capabilities.CAN_GEO_IP)
-        if SERVICE_HOST_ENV_NAME in environ:
-            # Running in k8s, only s3 backup is supported
-            if CONFIG.y("postgresql.s3_backup"):
-                caps.append(Capabilities.CAN_BACKUP)
-        else:
-            # Running in compose, backup is always supported
-            caps.append(Capabilities.CAN_BACKUP)
+        if CONFIG.y_bool("impersonation"):
+            caps.append(Capabilities.CAN_IMPERSONATE)
         return caps
 
     @extend_schema(responses={200: ConfigSerializer(many=False)})

authentik/api/v3/urls.py

@@ -22,11 +22,11 @@ from authentik.core.api.sources import SourceViewSet, UserSourceConnectionViewSe
 from authentik.core.api.tokens import TokenViewSet
 from authentik.core.api.users import UserViewSet
 from authentik.crypto.api import CertificateKeyPairViewSet
-from authentik.events.api.event import EventViewSet
-from authentik.events.api.notification import NotificationViewSet
-from authentik.events.api.notification_mapping import NotificationWebhookMappingViewSet
-from authentik.events.api.notification_rule import NotificationRuleViewSet
-from authentik.events.api.notification_transport import NotificationTransportViewSet
+from authentik.events.api.events import EventViewSet
+from authentik.events.api.notification_mappings import NotificationWebhookMappingViewSet
+from authentik.events.api.notification_rules import NotificationRuleViewSet
+from authentik.events.api.notification_transports import NotificationTransportViewSet
+from authentik.events.api.notifications import NotificationViewSet
 from authentik.flows.api.bindings import FlowStageBindingViewSet
 from authentik.flows.api.flows import FlowViewSet
 from authentik.flows.api.stages import StageViewSet

authentik/core/api/applications.py

@@ -1,4 +1,6 @@
 """Application API Views"""
+from typing import Optional
+
 from django.core.cache import cache
 from django.db.models import QuerySet
 from django.http.response import HttpResponseBadRequest
@@ -7,7 +9,7 @@ from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_schema
 from guardian.shortcuts import get_objects_for_user
 from rest_framework.decorators import action
-from rest_framework.fields import ReadOnlyField
+from rest_framework.fields import ReadOnlyField, SerializerMethodField
 from rest_framework.parsers import MultiPartParser
 from rest_framework.request import Request
 from rest_framework.response import Response
@@ -15,6 +17,7 @@ from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet
 from rest_framework_guardian.filters import ObjectPermissionsFilter
 from structlog.stdlib import get_logger
+from structlog.testing import capture_logs
 
 from authentik.admin.api.metrics import CoordinateSerializer
 from authentik.api.decorators import permission_required
@@ -23,6 +26,7 @@ from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import FilePathSerializer, FileUploadSerializer
 from authentik.core.models import Application, User
 from authentik.events.models import EventAction
+from authentik.events.utils import sanitize_dict
 from authentik.policies.api.exec import PolicyTestResultSerializer
 from authentik.policies.engine import PolicyEngine
 from authentik.policies.types import PolicyResult
@@ -39,11 +43,16 @@ def user_app_cache_key(user_pk: str) -> str:
 class ApplicationSerializer(ModelSerializer):
     """Application Serializer"""
 
-    launch_url = ReadOnlyField(source="get_launch_url")
-    provider_obj = ProviderSerializer(source="get_provider", required=False)
+    launch_url = SerializerMethodField()
+    provider_obj = ProviderSerializer(source="get_provider", required=False, read_only=True)
 
     meta_icon = ReadOnlyField(source="get_meta_icon")
 
+    def get_launch_url(self, app: Application) -> Optional[str]:
+        """Allow formatting of launch URL"""
+        user = self.context["request"].user
+        return app.get_launch_url(user)
+
     class Meta:
 
         model = Application
@@ -54,11 +63,13 @@ class ApplicationSerializer(ModelSerializer):
             "provider",
             "provider_obj",
             "launch_url",
+            "open_in_new_tab",
             "meta_launch_url",
             "meta_icon",
             "meta_description",
             "meta_publisher",
             "policy_engine_mode",
+            "group",
         ]
         extra_kwargs = {
             "meta_icon": {"read_only": True},
@@ -76,8 +87,18 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
         "meta_launch_url",
         "meta_description",
         "meta_publisher",
+        "group",
+    ]
+    filterset_fields = [
+        "name",
+        "slug",
+        "meta_launch_url",
+        "meta_description",
+        "meta_publisher",
+        "group",
     ]
     lookup_field = "slug"
+    filterset_fields = ["name", "slug"]
     ordering = ["name"]
 
     def _filter_queryset_for_list(self, queryset: QuerySet) -> QuerySet:
@@ -125,12 +146,19 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
                 return HttpResponseBadRequest("for_user must be numerical")
         engine = PolicyEngine(application, for_user, request)
         engine.use_cache = False
-        engine.build()
-        result = engine.result
+        with capture_logs() as logs:
+            engine.build()
+            result = engine.result
         response = PolicyTestResultSerializer(PolicyResult(False))
         if result.passing:
             response = PolicyTestResultSerializer(PolicyResult(True))
         if request.user.is_superuser:
+            log_messages = []
+            for log in logs:
+                if log.get("process", "") == "PolicyProcess":
+                    continue
+                log_messages.append(sanitize_dict(log))
+            result.log_messages = log_messages
             response = PolicyTestResultSerializer(result)
         return Response(response.data)
 

authentik/core/api/groups.py

@@ -4,7 +4,7 @@ from json import loads
 from django.db.models.query import QuerySet
 from django_filters.filters import CharFilter, ModelMultipleChoiceFilter
 from django_filters.filterset import FilterSet
-from rest_framework.fields import CharField, JSONField
+from rest_framework.fields import CharField, IntegerField, JSONField
 from rest_framework.serializers import ListSerializer, ModelSerializer, ValidationError
 from rest_framework.viewsets import ModelViewSet
 from rest_framework_guardian.filters import ObjectPermissionsFilter
@@ -46,11 +46,14 @@ class GroupSerializer(ModelSerializer):
     )
     parent_name = CharField(source="parent.name", read_only=True)
 
+    num_pk = IntegerField(read_only=True)
+
     class Meta:
 
         model = Group
         fields = [
             "pk",
+            "num_pk",
             "name",
             "is_superuser",
             "parent",

authentik/core/api/sources.py

@@ -8,11 +8,11 @@ from rest_framework.decorators import action
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ModelSerializer, SerializerMethodField
+from rest_framework.serializers import ModelSerializer, ReadOnlyField, SerializerMethodField
 from rest_framework.viewsets import GenericViewSet
 from structlog.stdlib import get_logger
 
-from authentik.api.authorization import OwnerFilter, OwnerPermissions
+from authentik.api.authorization import OwnerFilter, OwnerSuperuserPermissions
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import MetaNameSerializer, TypeCreateSerializer
 from authentik.core.models import Source, UserSourceConnection
@@ -26,6 +26,7 @@ LOGGER = get_logger()
 class SourceSerializer(ModelSerializer, MetaNameSerializer):
     """Source Serializer"""
 
+    managed = ReadOnlyField()
     component = SerializerMethodField()
 
     def get_component(self, obj: Source) -> str:
@@ -51,6 +52,8 @@ class SourceSerializer(ModelSerializer, MetaNameSerializer):
             "meta_model_name",
             "policy_engine_mode",
             "user_matching_mode",
+            "managed",
+            "user_path_template",
         ]
 
 
@@ -66,6 +69,8 @@ class SourceViewSet(
     queryset = Source.objects.none()
     serializer_class = SourceSerializer
     lookup_field = "slug"
+    search_fields = ["slug", "name"]
+    filterset_fields = ["slug", "name", "managed"]
 
     def get_queryset(self):  # pragma: no cover
         return Source.objects.select_subclasses()
@@ -150,6 +155,6 @@ class UserSourceConnectionViewSet(
 
     queryset = UserSourceConnection.objects.all()
     serializer_class = UserSourceConnectionSerializer
-    permission_classes = [OwnerPermissions]
+    permission_classes = [OwnerSuperuserPermissions]
     filter_backends = [OwnerFilter, DjangoFilterBackend, OrderingFilter, SearchFilter]
     ordering = ["pk"]

authentik/core/api/tokens.py

@@ -1,10 +1,9 @@
 """Tokens API Viewset"""
 from typing import Any
 
-from django.http.response import Http404
 from django_filters.rest_framework import DjangoFilterBackend
-from drf_spectacular.utils import OpenApiResponse, extend_schema
-from guardian.shortcuts import get_anonymous_user
+from drf_spectacular.utils import OpenApiResponse, extend_schema, inline_serializer
+from guardian.shortcuts import assign_perm, get_anonymous_user
 from rest_framework.decorators import action
 from rest_framework.exceptions import ValidationError
 from rest_framework.fields import CharField
@@ -21,13 +20,14 @@ from authentik.core.api.users import UserSerializer
 from authentik.core.api.utils import PassiveSerializer
 from authentik.core.models import USER_ATTRIBUTE_TOKEN_EXPIRING, Token, TokenIntents
 from authentik.events.models import Event, EventAction
+from authentik.events.utils import model_to_dict
 from authentik.managed.api import ManagedSerializer
 
 
 class TokenSerializer(ManagedSerializer, ModelSerializer):
     """Token Serializer"""
 
-    user_obj = UserSerializer(required=False, source="user")
+    user_obj = UserSerializer(required=False, source="user", read_only=True)
 
     def validate(self, attrs: dict[Any, str]) -> dict[Any, str]:
         """Ensure only API or App password tokens are created."""
@@ -96,10 +96,12 @@ class TokenViewSet(UsedByMixin, ModelViewSet):
 
     def perform_create(self, serializer: TokenSerializer):
         if not self.request.user.is_superuser:
-            return serializer.save(
+            instance = serializer.save(
                 user=self.request.user,
                 expiring=self.request.user.attributes.get(USER_ATTRIBUTE_TOKEN_EXPIRING, True),
             )
+            assign_perm("authentik_core.view_token_key", self.request.user, instance)
+            return instance
         return super().perform_create(serializer)
 
     @permission_required("authentik_core.view_token_key")
@@ -109,12 +111,39 @@ class TokenViewSet(UsedByMixin, ModelViewSet):
             404: OpenApiResponse(description="Token not found or expired"),
         }
     )
-    @action(detail=True, pagination_class=None, filter_backends=[])
+    @action(detail=True, pagination_class=None, filter_backends=[], methods=["GET"])
     # pylint: disable=unused-argument
     def view_key(self, request: Request, identifier: str) -> Response:
         """Return token key and log access"""
         token: Token = self.get_object()
-        if token.is_expired:
-            raise Http404
         Event.new(EventAction.SECRET_VIEW, secret=token).from_http(request)  # noqa # nosec
         return Response(TokenViewSerializer({"key": token.key}).data)
+
+    @permission_required("authentik_core.set_token_key")
+    @extend_schema(
+        request=inline_serializer(
+            "TokenSetKey",
+            {
+                "key": CharField(),
+            },
+        ),
+        responses={
+            204: OpenApiResponse(description="Successfully changed key"),
+            400: OpenApiResponse(description="Missing key"),
+            404: OpenApiResponse(description="Token not found or expired"),
+        },
+    )
+    @action(detail=True, pagination_class=None, filter_backends=[], methods=["POST"])
+    # pylint: disable=unused-argument
+    def set_key(self, request: Request, identifier: str) -> Response:
+        """Return token key and log access"""
+        token: Token = self.get_object()
+        key = request.POST.get("key")
+        if not key:
+            return Response(status=400)
+        token.key = key
+        token.save()
+        Event.new(EventAction.MODEL_UPDATED, model=model_to_dict(token)).from_http(
+            request
+        )  # noqa # nosec
+        return Response(status=204)

authentik/core/api/users.py

@@ -1,7 +1,7 @@
 """User API Views"""
 from datetime import timedelta
 from json import loads
-from typing import Optional
+from typing import Any, Optional
 
 from django.contrib.auth import update_session_auth_hash
 from django.db.models.query import QuerySet
@@ -17,14 +17,20 @@ from django_filters.filterset import FilterSet
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import (
     OpenApiParameter,
+    OpenApiResponse,
     extend_schema,
     extend_schema_field,
     inline_serializer,
 )
 from guardian.shortcuts import get_anonymous_user, get_objects_for_user
 from rest_framework.decorators import action
-from rest_framework.fields import CharField, DictField, JSONField, SerializerMethodField
-from rest_framework.permissions import IsAuthenticated
+from rest_framework.fields import (
+    CharField,
+    IntegerField,
+    JSONField,
+    ListField,
+    SerializerMethodField,
+)
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import (
@@ -32,7 +38,6 @@ from rest_framework.serializers import (
     ListSerializer,
     ModelSerializer,
     PrimaryKeyRelatedField,
-    Serializer,
     ValidationError,
 )
 from rest_framework.viewsets import ModelViewSet
@@ -44,20 +49,23 @@ from authentik.api.decorators import permission_required
 from authentik.core.api.groups import GroupSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import LinkSerializer, PassiveSerializer, is_dict
-from authentik.core.middleware import SESSION_IMPERSONATE_ORIGINAL_USER, SESSION_IMPERSONATE_USER
+from authentik.core.middleware import (
+    SESSION_KEY_IMPERSONATE_ORIGINAL_USER,
+    SESSION_KEY_IMPERSONATE_USER,
+)
 from authentik.core.models import (
-    USER_ATTRIBUTE_CHANGE_EMAIL,
-    USER_ATTRIBUTE_CHANGE_NAME,
-    USER_ATTRIBUTE_CHANGE_USERNAME,
     USER_ATTRIBUTE_SA,
     USER_ATTRIBUTE_TOKEN_EXPIRING,
+    USER_PATH_SERVICE_ACCOUNT,
     Group,
     Token,
     TokenIntents,
     User,
 )
 from authentik.events.models import EventAction
-from authentik.lib.config import CONFIG
+from authentik.flows.models import FlowToken
+from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlanner
+from authentik.flows.views.executor import QS_KEY_TOKEN
 from authentik.stages.email.models import EmailStage
 from authentik.stages.email.tasks import send_mails
 from authentik.stages.email.utils import TemplateEmailMessage
@@ -77,6 +85,16 @@ class UserSerializer(ModelSerializer):
     )
     groups_obj = ListSerializer(child=GroupSerializer(), read_only=True, source="ak_groups")
     uid = CharField(read_only=True)
+    username = CharField(max_length=150)
+
+    def validate_path(self, path: str) -> str:
+        """Validate path"""
+        if path[:1] == "/" or path[-1] == "/":
+            raise ValidationError(_("No leading or trailing slashes allowed."))
+        for segment in path.split("/"):
+            if segment == "":
+                raise ValidationError(_("No empty segments in user path allowed."))
+        return path
 
     class Meta:
 
@@ -94,6 +112,7 @@ class UserSerializer(ModelSerializer):
             "avatar",
             "attributes",
             "uid",
+            "path",
         ]
         extra_kwargs = {
             "name": {"allow_blank": True},
@@ -101,14 +120,13 @@ class UserSerializer(ModelSerializer):
 
 
 class UserSelfSerializer(ModelSerializer):
-    """User Serializer for information a user can retrieve about themselves and
-    update about themselves"""
+    """User Serializer for information a user can retrieve about themselves"""
 
     is_superuser = BooleanField(read_only=True)
     avatar = CharField(read_only=True)
     groups = SerializerMethodField()
     uid = CharField(read_only=True)
-    settings = DictField(source="attributes.settings", default=dict)
+    settings = SerializerMethodField()
 
     @extend_schema_field(
         ListSerializer(
@@ -126,42 +144,9 @@ class UserSelfSerializer(ModelSerializer):
                 "pk": group.pk,
             }
 
-    def validate_email(self, email: str):
-        """Check if the user is allowed to change their email"""
-        if self.instance.group_attributes().get(
-            USER_ATTRIBUTE_CHANGE_EMAIL, CONFIG.y_bool("default_user_change_email", True)
-        ):
-            return email
-        if email != self.instance.email:
-            raise ValidationError("Not allowed to change email.")
-        return email
-
-    def validate_name(self, name: str):
-        """Check if the user is allowed to change their name"""
-        if self.instance.group_attributes().get(
-            USER_ATTRIBUTE_CHANGE_NAME, CONFIG.y_bool("default_user_change_name", True)
-        ):
-            return name
-        if name != self.instance.name:
-            raise ValidationError("Not allowed to change name.")
-        return name
-
-    def validate_username(self, username: str):
-        """Check if the user is allowed to change their username"""
-        if self.instance.group_attributes().get(
-            USER_ATTRIBUTE_CHANGE_USERNAME, CONFIG.y_bool("default_user_change_username", True)
-        ):
-            return username
-        if username != self.instance.username:
-            raise ValidationError("Not allowed to change username.")
-        return username
-
-    def save(self, **kwargs):
-        if self.instance:
-            attributes: dict = self.instance.attributes
-            attributes.update(self.validated_data.get("attributes", {}))
-            self.validated_data["attributes"] = attributes
-        return super().save(**kwargs)
+    def get_settings(self, user: User) -> dict[str, Any]:
+        """Get user settings with tenant and group settings applied"""
+        return user.group_attributes(self._context["request"]).get("settings", {})
 
     class Meta:
 
@@ -241,6 +226,12 @@ class UsersFilter(FilterSet):
     )
 
     is_superuser = BooleanFilter(field_name="ak_groups", lookup_expr="is_superuser")
+    uuid = CharFilter(field_name="uuid")
+
+    path = CharFilter(
+        field_name="path",
+    )
+    path_startswith = CharFilter(field_name="path", lookup_expr="startswith")
 
     groups_by_name = ModelMultipleChoiceFilter(
         field_name="ak_groups__name",
@@ -290,7 +281,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
     queryset = User.objects.none()
     ordering = ["username"]
     serializer_class = UserSerializer
-    search_fields = ["username", "name", "is_active", "email"]
+    search_fields = ["username", "name", "is_active", "email", "uuid"]
     filterset_class = UsersFilter
 
     def get_queryset(self):  # pragma: no cover
@@ -306,12 +297,23 @@ class UserViewSet(UsedByMixin, ModelViewSet):
             LOGGER.debug("No recovery flow set")
             return None, None
         user: User = self.get_object()
-        token, __ = Token.objects.get_or_create(
-            identifier=f"{user.uid}-password-reset",
-            user=user,
-            intent=TokenIntents.INTENT_RECOVERY,
+        planner = FlowPlanner(flow)
+        planner.allow_empty_flows = True
+        plan = planner.plan(
+            self.request._request,
+            {
+                PLAN_CONTEXT_PENDING_USER: user,
+            },
         )
-        querystring = urlencode({"token": token.key})
+        token, __ = FlowToken.objects.update_or_create(
+            identifier=f"{user.uid}-password-reset",
+            defaults={
+                "user": user,
+                "flow": flow,
+                "_plan": FlowToken.pickle(plan),
+            },
+        )
+        querystring = urlencode({QS_KEY_TOKEN: token.key})
         link = self.request.build_absolute_uri(
             reverse_lazy("authentik_core:if-flow", kwargs={"flow_slug": flow.slug})
             + f"?{querystring}"
@@ -333,6 +335,9 @@ class UserViewSet(UsedByMixin, ModelViewSet):
                 {
                     "username": CharField(required=True),
                     "token": CharField(required=True),
+                    "user_uid": CharField(required=True),
+                    "user_pk": IntegerField(required=True),
+                    "group_pk": CharField(required=False),
                 },
             )
         },
@@ -348,19 +353,27 @@ class UserViewSet(UsedByMixin, ModelViewSet):
                     username=username,
                     name=username,
                     attributes={USER_ATTRIBUTE_SA: True, USER_ATTRIBUTE_TOKEN_EXPIRING: False},
+                    path=USER_PATH_SERVICE_ACCOUNT,
                 )
+                response = {
+                    "username": user.username,
+                    "user_uid": user.uid,
+                    "user_pk": user.pk,
+                }
                 if create_group and self.request.user.has_perm("authentik_core.add_group"):
                     group = Group.objects.create(
                         name=username,
                     )
                     group.users.add(user)
+                    response["group_pk"] = str(group.pk)
                 token = Token.objects.create(
                     identifier=slugify(f"service-account-{username}-password"),
                     intent=TokenIntents.INTENT_APP_PASSWORD,
                     user=user,
                     expires=now() + timedelta(days=360),
                 )
-                return Response({"username": user.username, "token": token.key})
+                response["token"] = token.key
+                return Response(response)
             except (IntegrityError) as exc:
                 return Response(data={"non_field_errors": [str(exc)]}, status=400)
 
@@ -369,13 +382,16 @@ class UserViewSet(UsedByMixin, ModelViewSet):
     # pylint: disable=invalid-name
     def me(self, request: Request) -> Response:
         """Get information about current user"""
+        context = {"request": request}
         serializer = SessionUserSerializer(
-            data={"user": UserSelfSerializer(instance=request.user).data}
+            data={"user": UserSelfSerializer(instance=request.user, context=context).data}
         )
-        if SESSION_IMPERSONATE_USER in request._request.session:
+        if SESSION_KEY_IMPERSONATE_USER in request._request.session:
             serializer.initial_data["original"] = UserSelfSerializer(
-                instance=request._request.session[SESSION_IMPERSONATE_ORIGINAL_USER]
+                instance=request._request.session[SESSION_KEY_IMPERSONATE_ORIGINAL_USER],
+                context=context,
             ).data
+        self.request.session.modified = True
         return Response(serializer.initial_data)
 
     @permission_required("authentik_core.reset_user_password")
@@ -387,8 +403,8 @@ class UserViewSet(UsedByMixin, ModelViewSet):
             },
         ),
         responses={
-            204: "",
-            400: "",
+            204: OpenApiResponse(description="Successfully changed password"),
+            400: OpenApiResponse(description="Bad request"),
         },
     )
     @action(detail=True, methods=["POST"])
@@ -402,31 +418,11 @@ class UserViewSet(UsedByMixin, ModelViewSet):
         except (ValidationError, IntegrityError) as exc:
             LOGGER.debug("Failed to set password", exc=exc)
             return Response(status=400)
-        if user.pk == request.user.pk and SESSION_IMPERSONATE_USER not in self.request.session:
+        if user.pk == request.user.pk and SESSION_KEY_IMPERSONATE_USER not in self.request.session:
             LOGGER.debug("Updating session hash after password change")
             update_session_auth_hash(self.request, user)
         return Response(status=204)
 
-    @extend_schema(request=UserSelfSerializer, responses={200: SessionUserSerializer(many=False)})
-    @action(
-        methods=["PUT"],
-        detail=False,
-        pagination_class=None,
-        filter_backends=[],
-        permission_classes=[IsAuthenticated],
-    )
-    def update_self(self, request: Request) -> Response:
-        """Allow users to change information on their own profile"""
-        data = UserSelfSerializer(instance=User.objects.get(pk=request.user.pk), data=request.data)
-        if not data.is_valid():
-            return Response(data.errors, status=400)
-        new_user = data.save()
-        # If we're impersonating, we need to update that user object
-        # since it caches the full object
-        if SESSION_IMPERSONATE_USER in request.session:
-            request.session[SESSION_IMPERSONATE_USER] = new_user
-        return Response({"user": data.data})
-
     @permission_required("authentik_core.view_user", ["authentik_events.view_event"])
     @extend_schema(responses={200: UserMetricsSerializer(many=False)})
     @action(detail=True, pagination_class=None, filter_backends=[])
@@ -466,8 +462,8 @@ class UserViewSet(UsedByMixin, ModelViewSet):
             )
         ],
         responses={
-            "204": Serializer(),
-            "404": Serializer(),
+            "204": OpenApiResponse(description="Successfully sent recover email"),
+            "404": OpenApiResponse(description="Bad request"),
         },
     )
     @action(detail=True, pagination_class=None, filter_backends=[])
@@ -515,3 +511,32 @@ class UserViewSet(UsedByMixin, ModelViewSet):
         if self.request.user.has_perm("authentik_core.view_user"):
             return self._filter_queryset_for_list(queryset)
         return super().filter_queryset(queryset)
+
+    @extend_schema(
+        responses={
+            200: inline_serializer(
+                "UserPathSerializer", {"paths": ListField(child=CharField(), read_only=True)}
+            )
+        },
+        parameters=[
+            OpenApiParameter(
+                name="search",
+                location=OpenApiParameter.QUERY,
+                type=OpenApiTypes.STR,
+            )
+        ],
+    )
+    @action(detail=False, pagination_class=None)
+    def paths(self, request: Request) -> Response:
+        """Get all user paths"""
+        return Response(
+            data={
+                "paths": list(
+                    self.filter_queryset(self.get_queryset())
+                    .values("path")
+                    .distinct()
+                    .order_by("path")
+                    .values_list("path", flat=True)
+                )
+            }
+        )

authentik/core/apps.py

@@ -2,10 +2,7 @@
 from importlib import import_module
 
 from django.apps import AppConfig
-from django.db import ProgrammingError
-
-from authentik.core.signals import GAUGE_MODELS
-from authentik.lib.utils.reflection import get_apps
+from django.conf import settings
 
 
 class AuthentikCoreConfig(AppConfig):
@@ -19,12 +16,7 @@ class AuthentikCoreConfig(AppConfig):
     def ready(self):
         import_module("authentik.core.signals")
         import_module("authentik.core.managed")
-        try:
-            for app in get_apps():
-                for model in app.get_models():
-                    GAUGE_MODELS.labels(
-                        model_name=model._meta.model_name,
-                        app=model._meta.app_label,
-                    ).set(model.objects.count())
-        except ProgrammingError:
-            pass
+        if settings.DEBUG:
+            from authentik.root.celery import worker_ready_hook
+
+            worker_ready_hook()

authentik/core/auth.py

@@ -30,7 +30,7 @@ class InbuiltBackend(ModelBackend):
             return
         # Since we can't directly pass other variables to signals, and we want to log the method
         # and the token used, we assume we're running in a flow and set a variable in the context
-        flow_plan: FlowPlan = request.session[SESSION_KEY_PLAN]
+        flow_plan: FlowPlan = request.session.get(SESSION_KEY_PLAN, FlowPlan(""))
         flow_plan.context[PLAN_CONTEXT_METHOD] = method
         flow_plan.context[PLAN_CONTEXT_METHOD_ARGS] = cleanse_dict(sanitize_dict(kwargs))
         request.session[SESSION_KEY_PLAN] = flow_plan
@@ -49,6 +49,7 @@ class TokenBackend(InbuiltBackend):
             # difference between an existing and a nonexistent user (#20760).
             User().set_password(password)
             return None
+        # pylint: disable=no-member
         tokens = Token.filter_not_expired(
             user=user, key=password, intent=TokenIntents.INTENT_APP_PASSWORD
         )

authentik/core/managed.py

@@ -12,5 +12,6 @@ class CoreManager(ObjectManager):
                 Source,
                 "goauthentik.io/sources/inbuilt",
                 name="authentik Built-in",
+                slug="authentik-built-in",
             ),
         ]

authentik/core/management/commands/bootstrap_tasks.py

@@ -0,0 +1,13 @@
+"""Run bootstrap tasks"""
+from django.core.management.base import BaseCommand
+
+from authentik.root.celery import _get_startup_tasks
+
+
+class Command(BaseCommand):  # pragma: no cover
+    """Run bootstrap tasks to ensure certain objects are created"""
+
+    def handle(self, **options):
+        tasks = _get_startup_tasks()
+        for task in tasks:
+            task()

authentik/core/management/commands/repair_permissions.py

@@ -2,6 +2,7 @@
 from django.apps import apps
 from django.contrib.auth.management import create_permissions
 from django.core.management.base import BaseCommand, no_translations
+from guardian.management import create_anonymous_user
 
 
 class Command(BaseCommand):  # pragma: no cover
@@ -13,3 +14,4 @@ class Command(BaseCommand):  # pragma: no cover
         for app in apps.get_app_configs():
             self.stdout.write(f"Checking app {app.name} ({app.label})\n")
             create_permissions(app, verbosity=0)
+        create_anonymous_user(None, using="default")

authentik/core/management/commands/shell.py

@@ -0,0 +1,106 @@
+"""authentik shell command"""
+import code
+import platform
+
+from django.apps import apps
+from django.core.management.base import BaseCommand
+from django.db.models import Model
+from django.db.models.signals import post_save, pre_delete
+
+from authentik import __version__
+from authentik.core.models import User
+from authentik.events.middleware import IGNORED_MODELS
+from authentik.events.models import Event, EventAction
+from authentik.events.utils import model_to_dict
+
+BANNER_TEXT = """### authentik shell ({authentik})
+### Node {node} | Arch {arch} | Python {python} """.format(
+    node=platform.node(),
+    python=platform.python_version(),
+    arch=platform.machine(),
+    authentik=__version__,
+)
+
+
+class Command(BaseCommand):  # pragma: no cover
+    """Start the Django shell with all authentik models already imported"""
+
+    django_models = {}
+
+    def add_arguments(self, parser):
+        parser.add_argument(
+            "-c",
+            "--command",
+            help="Python code to execute (instead of starting an interactive shell)",
+        )
+
+    def get_namespace(self):
+        """Prepare namespace with all models"""
+        namespace = {}
+
+        # Gather Django models and constants from each app
+        for app in apps.get_app_configs():
+            if not app.name.startswith("authentik"):
+                continue
+
+            # Load models from each app
+            for model in app.get_models():
+                namespace[model.__name__] = model
+
+        return namespace
+
+    @staticmethod
+    # pylint: disable=unused-argument
+    def post_save_handler(sender, instance: Model, created: bool, **_):
+        """Signal handler for all object's post_save"""
+        if isinstance(instance, IGNORED_MODELS):
+            return
+
+        action = EventAction.MODEL_CREATED if created else EventAction.MODEL_UPDATED
+        Event.new(action, model=model_to_dict(instance)).set_user(
+            User(
+                username="authentik-shell",
+                pk=0,
+                email="",
+            )
+        ).save()
+
+    @staticmethod
+    # pylint: disable=unused-argument
+    def pre_delete_handler(sender, instance: Model, **_):
+        """Signal handler for all object's pre_delete"""
+        if isinstance(instance, IGNORED_MODELS):  # pragma: no cover
+            return
+
+        Event.new(EventAction.MODEL_DELETED, model=model_to_dict(instance)).set_user(
+            User(
+                username="authentik-shell",
+                pk=0,
+                email="",
+            )
+        ).save()
+
+    def handle(self, **options):
+        namespace = self.get_namespace()
+
+        post_save.connect(Command.post_save_handler)
+        pre_delete.connect(Command.pre_delete_handler)
+
+        # If Python code has been passed, execute it and exit.
+        if options["command"]:
+            # pylint: disable=exec-used
+            exec(options["command"], namespace)  # nosec # noqa
+            return
+
+        # Try to enable tab-complete
+        try:
+            import readline
+            import rlcompleter
+        except ModuleNotFoundError:
+            pass
+        else:
+            readline.set_completer(rlcompleter.Completer(namespace).complete)
+            readline.parse_and_bind("tab: complete")
+
+        # Run interactive shell
+        code.interact(banner=BANNER_TEXT, local=namespace)

authentik/core/middleware.py

@@ -7,8 +7,8 @@ from uuid import uuid4
 from django.http import HttpRequest, HttpResponse
 from sentry_sdk.api import set_tag
 
-SESSION_IMPERSONATE_USER = "authentik_impersonate_user"
-SESSION_IMPERSONATE_ORIGINAL_USER = "authentik_impersonate_original_user"
+SESSION_KEY_IMPERSONATE_USER = "authentik/impersonate/user"
+SESSION_KEY_IMPERSONATE_ORIGINAL_USER = "authentik/impersonate/original_user"
 LOCAL = local()
 RESPONSE_HEADER_ID = "X-authentik-id"
 KEY_AUTH_VIA = "auth_via"
@@ -25,10 +25,10 @@ class ImpersonateMiddleware:
 
     def __call__(self, request: HttpRequest) -> HttpResponse:
         # No permission checks are done here, they need to be checked before
-        # SESSION_IMPERSONATE_USER is set.
+        # SESSION_KEY_IMPERSONATE_USER is set.
 
-        if SESSION_IMPERSONATE_USER in request.session:
-            request.user = request.session[SESSION_IMPERSONATE_USER]
+        if SESSION_KEY_IMPERSONATE_USER in request.session:
+            request.user = request.session[SESSION_KEY_IMPERSONATE_USER]
             # Ensure that the user is active, otherwise nothing will work
             request.user.is_active = True
 
@@ -56,7 +56,7 @@ class RequestIDMiddleware:
         response[RESPONSE_HEADER_ID] = request.request_id
         setattr(response, "ak_context", {})
         response.ak_context.update(LOCAL.authentik)
-        response.ak_context[KEY_USER] = request.user.username
+        response.ak_context.setdefault(KEY_USER, request.user.username)
         for key in list(LOCAL.authentik.keys()):
             del LOCAL.authentik[key]
         return response

authentik/core/migrations/0002_auto_20200523_1133_squashed_0011_provider_name_temp.py

@@ -12,18 +12,25 @@ import authentik.core.models
 
 
 def create_default_user(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    # We have to use a direct import here, otherwise we get an object manager error
-    from authentik.core.models import User
+    from django.contrib.auth.hashers import make_password
 
+    User = apps.get_model("authentik_core", "User")
     db_alias = schema_editor.connection.alias
 
     akadmin, _ = User.objects.using(db_alias).get_or_create(
         username="akadmin", email="root@localhost", name="authentik Default Admin"
     )
-    if "TF_BUILD" in environ or "AK_ADMIN_PASS" in environ or settings.TEST:
-        akadmin.set_password(environ.get("AK_ADMIN_PASS", "akadmin"), signal=False)  # noqa # nosec
+    password = None
+    if "TF_BUILD" in environ or settings.TEST:
+        password = "akadmin"  # noqa # nosec
+    if "AK_ADMIN_PASS" in environ:
+        password = environ["AK_ADMIN_PASS"]
+    if "AUTHENTIK_BOOTSTRAP_PASSWORD" in environ:
+        password = environ["AUTHENTIK_BOOTSTRAP_PASSWORD"]
+    if password:
+        akadmin.password = make_password(password)
     else:
-        akadmin.set_unusable_password()
+        akadmin.password = make_password(None)
     akadmin.save()
 
 

authentik/core/migrations/0003_default_user.py

@@ -8,18 +8,25 @@ from django.db.backends.base.schema import BaseDatabaseSchemaEditor
 
 
 def create_default_user(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    # We have to use a direct import here, otherwise we get an object manager error
-    from authentik.core.models import User
+    from django.contrib.auth.hashers import make_password
 
+    User = apps.get_model("authentik_core", "User")
     db_alias = schema_editor.connection.alias
 
     akadmin, _ = User.objects.using(db_alias).get_or_create(
         username="akadmin", email="root@localhost", name="authentik Default Admin"
     )
-    if "TF_BUILD" in environ or "AK_ADMIN_PASS" in environ or settings.TEST:
-        akadmin.set_password(environ.get("AK_ADMIN_PASS", "akadmin"), signal=False)  # noqa # nosec
+    password = None
+    if "TF_BUILD" in environ or settings.TEST:
+        password = "akadmin"  # noqa # nosec
+    if "AK_ADMIN_PASS" in environ:
+        password = environ["AK_ADMIN_PASS"]
+    if "AUTHENTIK_BOOTSTRAP_PASSWORD" in environ:
+        password = environ["AUTHENTIK_BOOTSTRAP_PASSWORD"]
+    if password:
+        akadmin.password = make_password(password)
     else:
-        akadmin.set_unusable_password()
+        akadmin.password = make_password(None)
     akadmin.save()
 
 

authentik/core/migrations/0018_auto_20210330_1345_squashed_0028_alter_token_intent.py

@@ -36,22 +36,29 @@ def fix_duplicates(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
 
 
 def create_default_user_token(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    # We have to use a direct import here, otherwise we get an object manager error
-    from authentik.core.models import Token, TokenIntents, User
+    from authentik.core.models import TokenIntents
+
+    User = apps.get_model("authentik_core", "User")
+    Token = apps.get_model("authentik_core", "Token")
 
     db_alias = schema_editor.connection.alias
 
     akadmin = User.objects.using(db_alias).filter(username="akadmin")
     if not akadmin.exists():
         return
-    if "AK_ADMIN_TOKEN" not in environ:
+    key = None
+    if "AK_ADMIN_TOKEN" in environ:
+        key = environ["AK_ADMIN_TOKEN"]
+    if "AUTHENTIK_BOOTSTRAP_TOKEN" in environ:
+        key = environ["AUTHENTIK_BOOTSTRAP_TOKEN"]
+    if not key:
         return
     Token.objects.using(db_alias).create(
-        identifier="authentik-boostrap-token",
+        identifier="authentik-bootstrap-token",
         user=akadmin.first(),
         intent=TokenIntents.INTENT_API,
         expiring=False,
-        key=environ["AK_ADMIN_TOKEN"],
+        key=key,
     )
 
 

authentik/core/migrations/0019_application_group.py

@@ -0,0 +1,18 @@
+# Generated by Django 4.0.3 on 2022-04-02 19:48
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0018_auto_20210330_1345_squashed_0028_alter_token_intent"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="application",
+            name="group",
+            field=models.TextField(blank=True, default=""),
+        ),
+    ]

authentik/core/migrations/0020_application_open_in_new_tab.py

@@ -0,0 +1,20 @@
+# Generated by Django 4.0.5 on 2022-06-04 06:54
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0019_application_group"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="application",
+            name="open_in_new_tab",
+            field=models.BooleanField(
+                default=False, help_text="Open launch URL in a new browser tab or window."
+            ),
+        ),
+    ]

authentik/core/migrations/0021_source_user_path_user_path.py

@@ -0,0 +1,23 @@
+# Generated by Django 4.0.5 on 2022-06-13 18:51
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0020_application_open_in_new_tab"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="source",
+            name="user_path_template",
+            field=models.TextField(default="goauthentik.io/sources/%(slug)s"),
+        ),
+        migrations.AddField(
+            model_name="user",
+            name="path",
+            field=models.TextField(default="users"),
+        ),
+    ]

authentik/core/migrations/0027_bootstrap_token.py

@@ -7,22 +7,29 @@ from django.db.backends.base.schema import BaseDatabaseSchemaEditor
 
 
 def create_default_user_token(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    # We have to use a direct import here, otherwise we get an object manager error
-    from authentik.core.models import Token, TokenIntents, User
+    from authentik.core.models import TokenIntents
+
+    User = apps.get_model("authentik_core", "User")
+    Token = apps.get_model("authentik_core", "Token")
 
     db_alias = schema_editor.connection.alias
 
     akadmin = User.objects.using(db_alias).filter(username="akadmin")
     if not akadmin.exists():
         return
-    if "AK_ADMIN_TOKEN" not in environ:
+    key = None
+    if "AK_ADMIN_TOKEN" in environ:
+        key = environ["AK_ADMIN_TOKEN"]
+    if "AUTHENTIK_BOOTSTRAP_TOKEN" in environ:
+        key = environ["AUTHENTIK_BOOTSTRAP_TOKEN"]
+    if not key:
         return
     Token.objects.using(db_alias).create(
-        identifier="authentik-boostrap-token",
+        identifier="authentik-bootstrap-token",
         user=akadmin.first(),
         intent=TokenIntents.INTENT_API,
         expiring=False,
-        key=environ["AK_ADMIN_TOKEN"],
+        key=key,
     )
 
 

authentik/core/models.py

@@ -14,7 +14,7 @@ from django.db import models
 from django.db.models import Q, QuerySet, options
 from django.http import HttpRequest
 from django.templatetags.static import static
-from django.utils.functional import cached_property
+from django.utils.functional import SimpleLazyObject, cached_property
 from django.utils.html import escape
 from django.utils.timezone import now
 from django.utils.translation import gettext_lazy as _
@@ -36,6 +36,9 @@ from authentik.policies.models import PolicyBindingModel
 LOGGER = get_logger()
 USER_ATTRIBUTE_DEBUG = "goauthentik.io/user/debug"
 USER_ATTRIBUTE_SA = "goauthentik.io/user/service-account"
+USER_ATTRIBUTE_GENERATED = "goauthentik.io/user/generated"
+USER_ATTRIBUTE_EXPIRES = "goauthentik.io/user/expires"
+USER_ATTRIBUTE_DELETE_ON_LOGOUT = "goauthentik.io/user/delete-on-logout"
 USER_ATTRIBUTE_SOURCES = "goauthentik.io/user/sources"
 USER_ATTRIBUTE_TOKEN_EXPIRING = "goauthentik.io/user/token-expires"  # nosec
 USER_ATTRIBUTE_CHANGE_USERNAME = "goauthentik.io/user/can-change-username"
@@ -43,6 +46,9 @@ USER_ATTRIBUTE_CHANGE_NAME = "goauthentik.io/user/can-change-name"
 USER_ATTRIBUTE_CHANGE_EMAIL = "goauthentik.io/user/can-change-email"
 USER_ATTRIBUTE_CAN_OVERRIDE_IP = "goauthentik.io/user/override-ips"
 
+USER_PATH_SYSTEM_PREFIX = "goauthentik.io"
+USER_PATH_SERVICE_ACCOUNT = USER_PATH_SYSTEM_PREFIX + "/service-accounts"
+
 GRAVATAR_URL = "https://secure.gravatar.com"
 DEFAULT_AVATAR = static("dist/assets/images/user_default.png")
 
@@ -59,7 +65,7 @@ def default_token_key():
     """Default token key"""
     # We use generate_id since the chars in the key should be easy
     # to use in Emails (for verification) and URLs (for recovery)
-    return generate_id(128)
+    return generate_id(int(CONFIG.y("default_token_length")))
 
 
 class Group(models.Model):
@@ -81,6 +87,13 @@ class Group(models.Model):
     )
     attributes = models.JSONField(default=dict, blank=True)
 
+    @property
+    def num_pk(self) -> int:
+        """Get a numerical, int32 ID for the group"""
+        # int max is 2147483647 (10 digits) so 9 is the max usable
+        # in the LDAP Outpost we use the last 5 chars so match here
+        return int(str(self.pk.int)[:5])
+
     def is_member(self, user: "User") -> bool:
         """Recursively check if `user` is member of us, or any parent."""
         query = """
@@ -93,7 +106,10 @@ class Group(models.Model):
 
             SELECT authentik_core_group.*, parents.relative_depth - 1
             FROM authentik_core_group,parents
-            WHERE authentik_core_group.parent_id = parents.group_uuid
+            WHERE (
+                authentik_core_group.parent_id = parents.group_uuid and
+                parents.relative_depth > -20
+            )
         )
         SELECT group_uuid
         FROM parents
@@ -128,6 +144,7 @@ class User(GuardianUserMixin, AbstractUser):
 
     uuid = models.UUIDField(default=uuid4, editable=False)
     name = models.TextField(help_text=_("User's display name."))
+    path = models.TextField(default="users")
 
     sources = models.ManyToManyField("Source", through="UserSourceConnection")
     ak_groups = models.ManyToManyField("Group", related_name="users")
@@ -137,10 +154,17 @@ class User(GuardianUserMixin, AbstractUser):
 
     objects = UserManager()
 
-    def group_attributes(self) -> dict[str, Any]:
+    @staticmethod
+    def default_path() -> str:
+        """Get the default user path"""
+        return User._meta.get_field("path").default
+
+    def group_attributes(self, request: Optional[HttpRequest] = None) -> dict[str, Any]:
         """Get a dictionary containing the attributes from all groups the user belongs to,
         including the users attributes"""
         final_attributes = {}
+        if request and hasattr(request, "tenant"):
+            always_merger.merge(final_attributes, request.tenant.attributes)
         for group in self.ak_groups.all().order_by("name"):
             always_merger.merge(final_attributes, group.attributes)
         always_merger.merge(final_attributes, self.attributes)
@@ -156,11 +180,11 @@ class User(GuardianUserMixin, AbstractUser):
         """superuser == staff user"""
         return self.is_superuser  # type: ignore
 
-    def set_password(self, password, signal=True):
+    def set_password(self, raw_password, signal=True):
         if self.pk and signal:
-            password_changed.send(sender=self, user=self, password=password)
+            password_changed.send(sender=self, user=self, password=raw_password)
         self.password_change_date = now()
-        return super().set_password(password)
+        return super().set_password(raw_password)
 
     def check_password(self, raw_password: str) -> bool:
         """
@@ -180,7 +204,7 @@ class User(GuardianUserMixin, AbstractUser):
 
     @property
     def uid(self) -> str:
-        """Generate a globall unique UID, based on the user ID and the hashed secret key"""
+        """Generate a globally unique UID, based on the user ID and the hashed secret key"""
         return sha256(f"{self.id}-{settings.SECRET_KEY}".encode("ascii")).hexdigest()
 
     @property
@@ -257,6 +281,8 @@ class Application(PolicyBindingModel):
 
     name = models.TextField(help_text=_("Application's display Name."))
     slug = models.SlugField(help_text=_("Internal application name, used in URLs."), unique=True)
+    group = models.TextField(blank=True, default="")
+
     provider = models.OneToOneField(
         "Provider", null=True, blank=True, default=None, on_delete=models.SET_DEFAULT
     )
@@ -264,6 +290,11 @@ class Application(PolicyBindingModel):
     meta_launch_url = models.TextField(
         default="", blank=True, validators=[DomainlessURLValidator()]
     )
+
+    open_in_new_tab = models.BooleanField(
+        default=False, help_text=_("Open launch URL in a new browser tab or window.")
+    )
+
     # For template applications, this can be set to /static/authentik/applications/*
     meta_icon = models.FileField(
         upload_to="application-icons/",
@@ -284,13 +315,24 @@ class Application(PolicyBindingModel):
             return self.meta_icon.name
         return self.meta_icon.url
 
-    def get_launch_url(self) -> Optional[str]:
+    def get_launch_url(self, user: Optional["User"] = None) -> Optional[str]:
         """Get launch URL if set, otherwise attempt to get launch URL based on provider."""
-        if self.meta_launch_url:
-            return self.meta_launch_url
+        url = None
         if provider := self.get_provider():
-            return provider.launch_url
-        return None
+            url = provider.launch_url
+        if self.meta_launch_url:
+            url = self.meta_launch_url
+        if user and url:
+            if isinstance(user, SimpleLazyObject):
+                user._setup()
+                user = user._wrapped
+            try:
+                return url % user.__dict__
+            # pylint: disable=broad-except
+            except Exception as exc:
+                LOGGER.warning("Failed to format launch url", exc=exc)
+                return url
+        return url
 
     def get_provider(self) -> Optional[Provider]:
         """Get casted provider instance"""
@@ -343,6 +385,8 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
     name = models.TextField(help_text=_("Source's display Name."))
     slug = models.SlugField(help_text=_("Internal source name, used in URLs."), unique=True)
 
+    user_path_template = models.TextField(default="goauthentik.io/sources/%(slug)s")
+
     enabled = models.BooleanField(default=True)
     property_mappings = models.ManyToManyField("PropertyMapping", default=None, blank=True)
 
@@ -378,6 +422,17 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
 
     objects = InheritanceManager()
 
+    def get_user_path(self) -> str:
+        """Get user path, fallback to default for formatting errors"""
+        try:
+            return self.user_path_template % {
+                "slug": self.slug,
+            }
+        # pylint: disable=broad-except
+        except Exception as exc:
+            LOGGER.warning("Failed to template user path", exc=exc, source=self)
+            return User.default_path()
+
     @property
     def component(self) -> str:
         """Return component used to edit this object"""
@@ -427,8 +482,9 @@ class ExpiringModel(models.Model):
     def filter_not_expired(cls, **kwargs) -> QuerySet:
         """Filer for tokens which are not expired yet or are not expiring,
         and match filters in `kwargs`"""
-        expired = Q(expires__lt=now(), expiring=True)
-        return cls.objects.exclude(expired).filter(**kwargs)
+        for obj in cls.objects.filter(**kwargs).filter(Q(expires__lt=now(), expiring=True)):
+            obj.delete()
+        return cls.objects.filter(**kwargs)
 
     @property
     def is_expired(self) -> bool:

authentik/core/signals.py

@@ -9,12 +9,11 @@ from django.db.models import Model
 from django.db.models.signals import post_save, pre_delete
 from django.dispatch import receiver
 from django.http.request import HttpRequest
-from prometheus_client import Gauge
 
 # Arguments: user: User, password: str
 password_changed = Signal()
-
-GAUGE_MODELS = Gauge("authentik_models", "Count of various objects", ["model_name", "app"])
+# Arguments: credentials: dict[str, any], request: HttpRequest, stage: Stage
+login_failed = Signal()
 
 if TYPE_CHECKING:
     from authentik.core.models import AuthenticatedSession, User
@@ -27,11 +26,6 @@ def post_save_application(sender: type[Model], instance, created: bool, **_):
     from authentik.core.api.applications import user_app_cache_key
     from authentik.core.models import Application
 
-    GAUGE_MODELS.labels(
-        model_name=sender._meta.model_name,
-        app=sender._meta.app_label,
-    ).set(sender.objects.count())
-
     if sender != Application:
         return
     if not created:  # pragma: no cover

authentik/core/sources/flow_manager.py

@@ -26,11 +26,11 @@ from authentik.flows.planner import (
 from authentik.flows.views.executor import NEXT_ARG_NAME, SESSION_KEY_GET, SESSION_KEY_PLAN
 from authentik.lib.utils.urls import redirect_with_qs
 from authentik.policies.denied import AccessDeniedResponse
-from authentik.policies.types import PolicyResult
 from authentik.policies.utils import delete_none_keys
 from authentik.stages.password import BACKEND_INBUILT
 from authentik.stages.password.stage import PLAN_CONTEXT_AUTHENTICATION_BACKEND
 from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
+from authentik.stages.user_write.stage import PLAN_CONTEXT_USER_PATH
 
 
 class Action(Enum):
@@ -165,9 +165,9 @@ class SourceFlowManager:
                     return self.handle_enroll(connection)
         except FlowNonApplicableException as exc:
             self._logger.warning("Flow non applicable", exc=exc)
-            return self.error_handler(exc, exc.policy_result)
+            return self.error_handler(exc)
         # Default case, assume deny
-        error = (
+        error = Exception(
             _(
                 (
                     "Request to authenticate with %(source)s has been denied. Please authenticate "
@@ -178,14 +178,13 @@ class SourceFlowManager:
         )
         return self.error_handler(error)
 
-    def error_handler(
-        self, error: Exception, policy_result: Optional[PolicyResult] = None
-    ) -> HttpResponse:
+    def error_handler(self, error: Exception) -> HttpResponse:
         """Handle any errors by returning an access denied stage"""
         response = AccessDeniedResponse(self.request)
         response.error_message = str(error)
-        if policy_result:
-            response.policy_result = policy_result
+        if isinstance(error, FlowNonApplicableException):
+            response.policy_result = error.policy_result
+            response.error_message = error.messages
         return response
 
     # pylint: disable=unused-argument
@@ -291,5 +290,6 @@ class SourceFlowManager:
             connection,
             **{
                 PLAN_CONTEXT_PROMPT: delete_none_keys(self.enroll_info),
+                PLAN_CONTEXT_USER_PATH: self.source.get_user_path(),
             },
         )

authentik/core/tasks.py

@@ -1,27 +1,24 @@
 """authentik core tasks"""
-from datetime import datetime
-from io import StringIO
-from os import environ
+from datetime import datetime, timedelta
 
-from boto3.exceptions import Boto3Error
-from botocore.exceptions import BotoCoreError, ClientError
-from dbbackup.db.exceptions import CommandConnectorError
-from django.contrib.humanize.templatetags.humanize import naturaltime
 from django.contrib.sessions.backends.cache import KEY_PREFIX
-from django.core import management
 from django.core.cache import cache
 from django.utils.timezone import now
-from kubernetes.config.incluster_config import SERVICE_HOST_ENV_NAME
 from structlog.stdlib import get_logger
 
-from authentik.core.models import AuthenticatedSession, ExpiringModel
+from authentik.core.models import (
+    USER_ATTRIBUTE_EXPIRES,
+    USER_ATTRIBUTE_GENERATED,
+    AuthenticatedSession,
+    ExpiringModel,
+    User,
+)
 from authentik.events.monitored_tasks import (
     MonitoredTask,
     TaskResult,
     TaskResultStatus,
     prefill_task,
 )
-from authentik.lib.config import CONFIG
 from authentik.root.celery import CELERY_APP
 
 LOGGER = get_logger()
@@ -37,9 +34,9 @@ def clean_expired_models(self: MonitoredTask):
         objects = (
             cls.objects.all().exclude(expiring=False).exclude(expiring=True, expires__gt=now())
         )
+        amount = objects.count()
         for obj in objects:
             obj.expire_action()
-        amount = objects.count()
         LOGGER.debug("Expired models", model=cls, amount=amount)
         messages.append(f"Expired {amount} {cls._meta.verbose_name_plural}")
     # Special case
@@ -55,44 +52,22 @@ def clean_expired_models(self: MonitoredTask):
     self.set_status(TaskResult(TaskResultStatus.SUCCESSFUL, messages))
 
 
-def should_backup() -> bool:
-    """Check if we should be doing backups"""
-    if SERVICE_HOST_ENV_NAME in environ and not CONFIG.y("postgresql.s3_backup.bucket"):
-        LOGGER.info("Running in k8s and s3 backups are not configured, skipping")
-        return False
-    if not CONFIG.y_bool("postgresql.backup.enabled"):
-        return False
-    return True
-
-
 @CELERY_APP.task(bind=True, base=MonitoredTask)
 @prefill_task
-def backup_database(self: MonitoredTask):  # pragma: no cover
-    """Database backup"""
-    self.result_timeout_hours = 25
-    if not should_backup():
-        self.set_status(TaskResult(TaskResultStatus.UNKNOWN, ["Backups are not configured."]))
-        return
-    try:
-        start = datetime.now()
-        out = StringIO()
-        management.call_command("dbbackup", quiet=True, stdout=out)
-        self.set_status(
-            TaskResult(
-                TaskResultStatus.SUCCESSFUL,
-                [
-                    f"Successfully finished database backup {naturaltime(start)} {out.getvalue()}",
-                ],
-            )
+def clean_temporary_users(self: MonitoredTask):
+    """Remove temporary users created by SAML Sources"""
+    _now = datetime.now()
+    messages = []
+    deleted_users = 0
+    for user in User.objects.filter(**{f"attributes__{USER_ATTRIBUTE_GENERATED}": True}):
+        if not user.attributes.get(USER_ATTRIBUTE_EXPIRES):
+            continue
+        delta: timedelta = _now - datetime.fromtimestamp(
+            user.attributes.get(USER_ATTRIBUTE_EXPIRES)
         )
-        LOGGER.info("Successfully backed up database.")
-    except (
-        IOError,
-        BotoCoreError,
-        ClientError,
-        Boto3Error,
-        PermissionError,
-        CommandConnectorError,
-        ValueError,
-    ) as exc:
-        self.set_status(TaskResult(TaskResultStatus.ERROR).with_error(exc))
+        if delta.total_seconds() > 0:
+            LOGGER.debug("User is expired and will be deleted.", user=user, delta=delta)
+            user.delete()
+            deleted_users += 1
+    messages.append(f"Successfully deleted {deleted_users} users.")
+    self.set_status(TaskResult(TaskResultStatus.SUCCESSFUL, messages))

authentik/core/templates/base/skeleton.html

@@ -16,6 +16,7 @@
         {% block head_before %}
         {% endblock %}
         <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">
+        <link rel="stylesheet" type="text/css" href="{% static 'dist/custom.css' %}">
         <script src="{% static 'dist/poly.js' %}" type="module"></script>
         {% block head %}
         {% endblock %}

authentik/core/templates/if/admin.html

@@ -10,8 +10,8 @@
 {% endblock %}
 
 {% block body %}
-<ak-message-container></ak-message-container>
-<ak-interface-admin>
+<ak-message-container data-refresh-on-locale="true"></ak-message-container>
+<ak-interface-admin data-refresh-on-locale="true">
     <section class="ak-static-page pf-c-page__main-section pf-m-no-padding-mobile pf-m-xl">
         <div class="pf-c-empty-state" style="height: 100vh;">
             <div class="pf-c-empty-state__content">

authentik/core/templates/if/flow.html

@@ -5,23 +5,32 @@
 
 {% block head_before %}
 {{ block.super }}
+<link rel="prefetch" href="{{ flow.background_url }}" />
 {% if flow.compatibility_mode and not inspector %}
 <script>ShadyDOM = { force: !navigator.webdriver };</script>
 {% endif %}
+<script>
+window.authentik = {
+    "locale": "{{ tenant.default_locale }}",
+};
+window.authentik.flow = {
+    "layout": "{{ flow.layout }}",
+};
+</script>
 {% endblock %}
 
 {% block head %}
 <script src="{% static 'dist/flow/FlowInterface.js' %}" type="module"></script>
 <style>
-.pf-c-background-image::before {
+:root {
     --ak-flow-background: url("{{ flow.background_url }}");
 }
 </style>
 {% endblock %}
 
 {% block body %}
-<ak-message-container></ak-message-container>
-<ak-flow-executor>
+<ak-message-container data-refresh-on-locale="true"></ak-message-container>
+<ak-flow-executor data-refresh-on-locale="true">
     <section class="ak-static-page pf-c-page__main-section pf-m-no-padding-mobile pf-m-xl">
         <div class="pf-c-empty-state" style="height: 100vh;">
             <div class="pf-c-empty-state__content">

authentik/core/templates/if/user.html

@@ -10,8 +10,8 @@
 {% endblock %}
 
 {% block body %}
-<ak-message-container></ak-message-container>
-<ak-interface-user>
+<ak-message-container data-refresh-on-locale="true"></ak-message-container>
+<ak-interface-user data-refresh-on-locale="true">
     <section class="ak-static-page pf-c-page__main-section pf-m-no-padding-mobile pf-m-xl">
         <div class="pf-c-empty-state" style="height: 100vh;">
             <div class="pf-c-empty-state__content">

authentik/core/templates/login/base_full.html

@@ -4,13 +4,38 @@
 {% load i18n %}
 
 {% block head_before %}
+<link rel="prefetch" href="/static/dist/assets/images/flow_background.jpg" />
 <link rel="stylesheet" type="text/css" href="{% static 'dist/patternfly.min.css' %}">
 {% endblock %}
 
 {% block head %}
 <style>
-.pf-c-background-image::before {
+:root {
     --ak-flow-background: url("/static/dist/assets/images/flow_background.jpg");
+    --pf-c-background-image--BackgroundImage: var(--ak-flow-background);
+    --pf-c-background-image--BackgroundImage-2x: var(--ak-flow-background);
+    --pf-c-background-image--BackgroundImage--sm: var(--ak-flow-background);
+    --pf-c-background-image--BackgroundImage--sm-2x: var(--ak-flow-background);
+    --pf-c-background-image--BackgroundImage--lg: var(--ak-flow-background);
+}
+/* Form with user */
+.form-control-static {
+    margin-top: var(--pf-global--spacer--sm);
+    display: flex;
+    align-items: center;
+    justify-content: space-between;
+}
+.form-control-static .avatar {
+    display: flex;
+    align-items: center;
+}
+.form-control-static img {
+    margin-right: var(--pf-global--spacer--xs);
+}
+.form-control-static a {
+    padding-top: var(--pf-global--spacer--xs);
+    padding-bottom: var(--pf-global--spacer--xs);
+    line-height: var(--pf-global--spacer--xl);
 }
 </style>
 {% endblock %}
@@ -59,13 +84,11 @@
                     <a href="{{ link.href }}">{{ link.name }}</a>
                 </li>
                 {% endfor %}
-                {% if tenant.branding_title != "authentik" %}
                 <li>
                     <a href="https://goauthentik.io?utm_source=authentik">
                         {% trans 'Powered by authentik' %}
                     </a>
                 </li>
-                {% endif %}
             </ul>
         </footer>
     </div>

authentik/core/tests/test_applications_api.py

@@ -1,11 +1,15 @@
 """Test Applications API"""
+from json import loads
+
 from django.urls import reverse
 from rest_framework.test import APITestCase
 
 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user
+from authentik.flows.models import Flow
 from authentik.policies.dummy.models import DummyPolicy
 from authentik.policies.models import PolicyBinding
+from authentik.providers.oauth2.models import OAuth2Provider
 
 
 class TestApplicationsAPI(APITestCase):
@@ -13,7 +17,21 @@ class TestApplicationsAPI(APITestCase):
 
     def setUp(self) -> None:
         self.user = create_test_admin_user()
-        self.allowed = Application.objects.create(name="allowed", slug="allowed")
+        self.provider = OAuth2Provider.objects.create(
+            name="test",
+            redirect_uris="http://some-other-domain",
+            authorization_flow=Flow.objects.create(
+                name="test",
+                slug="test",
+            ),
+        )
+        self.allowed = Application.objects.create(
+            name="allowed",
+            slug="allowed",
+            meta_launch_url="https://goauthentik.io/%(username)s",
+            open_in_new_tab=True,
+            provider=self.provider,
+        )
         self.denied = Application.objects.create(name="denied", slug="denied")
         PolicyBinding.objects.create(
             target=self.denied,
@@ -31,7 +49,10 @@ class TestApplicationsAPI(APITestCase):
             )
         )
         self.assertEqual(response.status_code, 200)
-        self.assertJSONEqual(response.content.decode(), {"messages": [], "passing": True})
+        body = loads(response.content.decode())
+        self.assertEqual(body["passing"], True)
+        self.assertEqual(body["messages"], [])
+        self.assertEqual(len(body["log_messages"]), 0)
         response = self.client.get(
             reverse(
                 "authentik_api:application-check-access",
@@ -39,7 +60,9 @@ class TestApplicationsAPI(APITestCase):
             )
         )
         self.assertEqual(response.status_code, 200)
-        self.assertJSONEqual(response.content.decode(), {"messages": ["dummy"], "passing": False})
+        body = loads(response.content.decode())
+        self.assertEqual(body["passing"], False)
+        self.assertEqual(body["messages"], ["dummy"])
 
     def test_list(self):
         """Test list operation without superuser_full_list"""
@@ -62,10 +85,23 @@ class TestApplicationsAPI(APITestCase):
                         "pk": str(self.allowed.pk),
                         "name": "allowed",
                         "slug": "allowed",
-                        "provider": None,
-                        "provider_obj": None,
-                        "launch_url": None,
-                        "meta_launch_url": "",
+                        "group": "",
+                        "provider": self.provider.pk,
+                        "provider_obj": {
+                            "assigned_application_name": "allowed",
+                            "assigned_application_slug": "allowed",
+                            "authorization_flow": str(self.provider.authorization_flow.pk),
+                            "component": "ak-provider-oauth2-form",
+                            "meta_model_name": "authentik_providers_oauth2.oauth2provider",
+                            "name": self.provider.name,
+                            "pk": self.provider.pk,
+                            "property_mappings": [],
+                            "verbose_name": "OAuth2/OpenID Provider",
+                            "verbose_name_plural": "OAuth2/OpenID Providers",
+                        },
+                        "launch_url": f"https://goauthentik.io/{self.user.username}",
+                        "meta_launch_url": "https://goauthentik.io/%(username)s",
+                        "open_in_new_tab": True,
                         "meta_icon": None,
                         "meta_description": "",
                         "meta_publisher": "",
@@ -98,10 +134,23 @@ class TestApplicationsAPI(APITestCase):
                         "pk": str(self.allowed.pk),
                         "name": "allowed",
                         "slug": "allowed",
-                        "provider": None,
-                        "provider_obj": None,
-                        "launch_url": None,
-                        "meta_launch_url": "",
+                        "group": "",
+                        "provider": self.provider.pk,
+                        "provider_obj": {
+                            "assigned_application_name": "allowed",
+                            "assigned_application_slug": "allowed",
+                            "authorization_flow": str(self.provider.authorization_flow.pk),
+                            "component": "ak-provider-oauth2-form",
+                            "meta_model_name": "authentik_providers_oauth2.oauth2provider",
+                            "name": self.provider.name,
+                            "pk": self.provider.pk,
+                            "property_mappings": [],
+                            "verbose_name": "OAuth2/OpenID Provider",
+                            "verbose_name_plural": "OAuth2/OpenID Providers",
+                        },
+                        "launch_url": f"https://goauthentik.io/{self.user.username}",
+                        "meta_launch_url": "https://goauthentik.io/%(username)s",
+                        "open_in_new_tab": True,
                         "meta_icon": None,
                         "meta_description": "",
                         "meta_publisher": "",
@@ -112,7 +161,9 @@ class TestApplicationsAPI(APITestCase):
                         "meta_description": "",
                         "meta_icon": None,
                         "meta_launch_url": "",
+                        "open_in_new_tab": False,
                         "meta_publisher": "",
+                        "group": "",
                         "name": "denied",
                         "pk": str(self.denied.pk),
                         "policy_engine_mode": "any",

authentik/core/tests/test_applications_views.py

@@ -0,0 +1,67 @@
+"""Test Applications API"""
+from unittest.mock import MagicMock, patch
+
+from django.urls import reverse
+
+from authentik.core.models import Application
+from authentik.core.tests.utils import create_test_admin_user, create_test_tenant
+from authentik.flows.models import Flow, FlowDesignation
+from authentik.flows.tests import FlowTestCase
+from authentik.tenants.models import Tenant
+
+
+class TestApplicationsViews(FlowTestCase):
+    """Test applications Views"""
+
+    def setUp(self) -> None:
+        self.user = create_test_admin_user()
+        self.allowed = Application.objects.create(
+            name="allowed", slug="allowed", meta_launch_url="https://goauthentik.io/%(username)s"
+        )
+
+    def test_check_redirect(self):
+        """Test redirect"""
+        empty_flow = Flow.objects.create(
+            name="foo",
+            slug="foo",
+            designation=FlowDesignation.AUTHENTICATION,
+        )
+        tenant: Tenant = create_test_tenant()
+        tenant.flow_authentication = empty_flow
+        tenant.save()
+        response = self.client.get(
+            reverse(
+                "authentik_core:application-launch",
+                kwargs={"application_slug": self.allowed.slug},
+            ),
+            follow=True,
+        )
+        self.assertEqual(response.status_code, 200)
+        with patch(
+            "authentik.flows.stage.StageView.get_pending_user", MagicMock(return_value=self.user)
+        ):
+            response = self.client.post(
+                reverse("authentik_api:flow-executor", kwargs={"flow_slug": empty_flow.slug})
+            )
+            self.assertEqual(response.status_code, 200)
+            self.assertStageRedirects(response, f"https://goauthentik.io/{self.user.username}")
+
+    def test_check_redirect_auth(self):
+        """Test redirect"""
+        self.client.force_login(self.user)
+        empty_flow = Flow.objects.create(
+            name="foo",
+            slug="foo",
+            designation=FlowDesignation.AUTHENTICATION,
+        )
+        tenant: Tenant = create_test_tenant()
+        tenant.flow_authentication = empty_flow
+        tenant.save()
+        response = self.client.get(
+            reverse(
+                "authentik_core:application-launch",
+                kwargs={"application_slug": self.allowed.slug},
+            ),
+        )
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(response.url, f"https://goauthentik.io/{self.user.username}")

authentik/core/tests/test_groups.py

@@ -2,6 +2,7 @@
 from django.test.testcases import TestCase
 
 from authentik.core.models import Group, User
+from authentik.lib.generators import generate_id
 
 
 class TestGroups(TestCase):
@@ -9,32 +10,43 @@ class TestGroups(TestCase):
 
     def test_group_membership_simple(self):
         """Test simple membership"""
-        user = User.objects.create(username="user")
-        user2 = User.objects.create(username="user2")
-        group = Group.objects.create(name="group")
+        user = User.objects.create(username=generate_id())
+        user2 = User.objects.create(username=generate_id())
+        group = Group.objects.create(name=generate_id())
         group.users.add(user)
         self.assertTrue(group.is_member(user))
         self.assertFalse(group.is_member(user2))
 
     def test_group_membership_parent(self):
         """Test parent membership"""
-        user = User.objects.create(username="user")
-        user2 = User.objects.create(username="user2")
-        first = Group.objects.create(name="first")
-        second = Group.objects.create(name="second", parent=first)
+        user = User.objects.create(username=generate_id())
+        user2 = User.objects.create(username=generate_id())
+        first = Group.objects.create(name=generate_id())
+        second = Group.objects.create(name=generate_id(), parent=first)
         second.users.add(user)
         self.assertTrue(first.is_member(user))
         self.assertFalse(first.is_member(user2))
 
     def test_group_membership_parent_extra(self):
         """Test parent membership"""
-        user = User.objects.create(username="user")
-        user2 = User.objects.create(username="user2")
-        first = Group.objects.create(name="first")
-        second = Group.objects.create(name="second", parent=first)
-        third = Group.objects.create(name="third", parent=second)
+        user = User.objects.create(username=generate_id())
+        user2 = User.objects.create(username=generate_id())
+        first = Group.objects.create(name=generate_id())
+        second = Group.objects.create(name=generate_id(), parent=first)
+        third = Group.objects.create(name=generate_id(), parent=second)
         second.users.add(user)
         self.assertTrue(first.is_member(user))
         self.assertFalse(first.is_member(user2))
         self.assertFalse(third.is_member(user))
         self.assertFalse(third.is_member(user2))
+
+    def test_group_membership_recursive(self):
+        """Test group membership (recursive)"""
+        user = User.objects.create(username=generate_id())
+        group = Group.objects.create(name=generate_id())
+        group2 = Group.objects.create(name=generate_id(), parent=group)
+        group.users.add(user)
+        group.parent = group2
+        group.save()
+        self.assertTrue(group.is_member(user))
+        self.assertTrue(group2.is_member(user))

authentik/core/tests/test_tasks.py

@@ -0,0 +1,50 @@
+"""Test tasks"""
+from time import mktime
+
+from django.utils.timezone import now
+from guardian.shortcuts import get_anonymous_user
+from rest_framework.test import APITestCase
+
+from authentik.core.models import (
+    USER_ATTRIBUTE_EXPIRES,
+    USER_ATTRIBUTE_GENERATED,
+    Token,
+    TokenIntents,
+    User,
+)
+from authentik.core.tasks import clean_expired_models, clean_temporary_users
+from authentik.core.tests.utils import create_test_admin_user
+from authentik.lib.generators import generate_id
+
+
+class TestTasks(APITestCase):
+    """Test token API"""
+
+    def setUp(self) -> None:
+        super().setUp()
+        self.user = User.objects.create(username="testuser")
+        self.admin = create_test_admin_user()
+        self.client.force_login(self.user)
+
+    def test_token_expire(self):
+        """Test Token expire task"""
+        token: Token = Token.objects.create(
+            expires=now(), user=get_anonymous_user(), intent=TokenIntents.INTENT_API
+        )
+        key = token.key
+        clean_expired_models.delay().get()
+        token.refresh_from_db()
+        self.assertNotEqual(key, token.key)
+
+    def test_clean_temporary_users(self):
+        """Test clean_temporary_users task"""
+        username = generate_id
+        User.objects.create(
+            username=username,
+            attributes={
+                USER_ATTRIBUTE_GENERATED: True,
+                USER_ATTRIBUTE_EXPIRES: mktime(now().timetuple()),
+            },
+        )
+        clean_temporary_users.delay().get()
+        self.assertFalse(User.objects.filter(username=username))

authentik/core/tests/test_token_api.py

@@ -2,12 +2,10 @@
 from json import loads
 
 from django.urls.base import reverse
-from django.utils.timezone import now
 from guardian.shortcuts import get_anonymous_user
 from rest_framework.test import APITestCase
 
 from authentik.core.models import USER_ATTRIBUTE_TOKEN_EXPIRING, Token, TokenIntents, User
-from authentik.core.tasks import clean_expired_models
 from authentik.core.tests.utils import create_test_admin_user
 
 
@@ -30,6 +28,7 @@ class TestTokenAPI(APITestCase):
         self.assertEqual(token.user, self.user)
         self.assertEqual(token.intent, TokenIntents.INTENT_API)
         self.assertEqual(token.expiring, True)
+        self.assertTrue(self.user.has_perm("authentik_core.view_token_key", token))
 
     def test_token_create_invalid(self):
         """Test token creation endpoint (invalid data)"""
@@ -52,16 +51,6 @@ class TestTokenAPI(APITestCase):
         self.assertEqual(token.intent, TokenIntents.INTENT_API)
         self.assertEqual(token.expiring, False)
 
-    def test_token_expire(self):
-        """Test Token expire task"""
-        token: Token = Token.objects.create(
-            expires=now(), user=get_anonymous_user(), intent=TokenIntents.INTENT_API
-        )
-        key = token.key
-        clean_expired_models.delay().get()
-        token.refresh_from_db()
-        self.assertNotEqual(key, token.key)
-
     def test_list(self):
         """Test Token List (Test normal authentication)"""
         token_should: Token = Token.objects.create(

authentik/core/tests/test_users_api.py

@@ -2,15 +2,10 @@
 from django.urls.base import reverse
 from rest_framework.test import APITestCase
 
-from authentik.core.models import (
-    USER_ATTRIBUTE_CHANGE_EMAIL,
-    USER_ATTRIBUTE_CHANGE_NAME,
-    USER_ATTRIBUTE_CHANGE_USERNAME,
-    User,
-)
+from authentik.core.models import User
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow, create_test_tenant
 from authentik.flows.models import FlowDesignation
-from authentik.lib.generators import generate_key
+from authentik.lib.generators import generate_id, generate_key
 from authentik.stages.email.models import EmailStage
 from authentik.tenants.models import Tenant
 
@@ -22,51 +17,6 @@ class TestUsersAPI(APITestCase):
         self.admin = create_test_admin_user()
         self.user = User.objects.create(username="test-user")
 
-    def test_update_self(self):
-        """Test update_self"""
-        self.admin.attributes["foo"] = "bar"
-        self.admin.save()
-        self.admin.refresh_from_db()
-        self.client.force_login(self.admin)
-        response = self.client.put(
-            reverse("authentik_api:user-update-self"), data={"username": "foo", "name": "foo"}
-        )
-        self.admin.refresh_from_db()
-        self.assertEqual(response.status_code, 200)
-        self.assertEqual(self.admin.attributes["foo"], "bar")
-        self.assertEqual(self.admin.username, "foo")
-        self.assertEqual(self.admin.name, "foo")
-
-    def test_update_self_name_denied(self):
-        """Test update_self"""
-        self.admin.attributes[USER_ATTRIBUTE_CHANGE_NAME] = False
-        self.admin.save()
-        self.client.force_login(self.admin)
-        response = self.client.put(
-            reverse("authentik_api:user-update-self"), data={"username": "foo", "name": "foo"}
-        )
-        self.assertEqual(response.status_code, 400)
-
-    def test_update_self_username_denied(self):
-        """Test update_self"""
-        self.admin.attributes[USER_ATTRIBUTE_CHANGE_USERNAME] = False
-        self.admin.save()
-        self.client.force_login(self.admin)
-        response = self.client.put(
-            reverse("authentik_api:user-update-self"), data={"username": "foo", "name": "foo"}
-        )
-        self.assertEqual(response.status_code, 400)
-
-    def test_update_self_email_denied(self):
-        """Test update_self"""
-        self.admin.attributes[USER_ATTRIBUTE_CHANGE_EMAIL] = False
-        self.admin.save()
-        self.client.force_login(self.admin)
-        response = self.client.put(
-            reverse("authentik_api:user-update-self"), data={"email": "foo", "name": "foo"}
-        )
-        self.assertEqual(response.status_code, 400)
-
     def test_metrics(self):
         """Test user's metrics"""
         self.client.force_login(self.admin)
@@ -199,3 +149,65 @@ class TestUsersAPI(APITestCase):
             },
         )
         self.assertEqual(response.status_code, 400)
+
+    def test_paths(self):
+        """Test path"""
+        self.client.force_login(self.admin)
+        response = self.client.get(
+            reverse("authentik_api:user-paths"),
+        )
+        print(response.content)
+        self.assertEqual(response.status_code, 200)
+        self.assertJSONEqual(response.content.decode(), {"paths": ["users"]})
+
+    def test_path_valid(self):
+        """Test path"""
+        self.client.force_login(self.admin)
+        response = self.client.post(
+            reverse("authentik_api:user-list"),
+            data={"name": generate_id(), "username": generate_id(), "groups": [], "path": "foo"},
+        )
+        self.assertEqual(response.status_code, 201)
+
+    def test_path_invalid(self):
+        """Test path (invalid)"""
+        self.client.force_login(self.admin)
+        response = self.client.post(
+            reverse("authentik_api:user-list"),
+            data={"name": generate_id(), "username": generate_id(), "groups": [], "path": "/foo"},
+        )
+        self.assertEqual(response.status_code, 400)
+        self.assertJSONEqual(
+            response.content.decode(), {"path": ["No leading or trailing slashes allowed."]}
+        )
+
+        self.client.force_login(self.admin)
+        response = self.client.post(
+            reverse("authentik_api:user-list"),
+            data={"name": generate_id(), "username": generate_id(), "groups": [], "path": ""},
+        )
+        self.assertEqual(response.status_code, 400)
+        self.assertJSONEqual(response.content.decode(), {"path": ["This field may not be blank."]})
+
+        response = self.client.post(
+            reverse("authentik_api:user-list"),
+            data={"name": generate_id(), "username": generate_id(), "groups": [], "path": "foo/"},
+        )
+        self.assertEqual(response.status_code, 400)
+        self.assertJSONEqual(
+            response.content.decode(), {"path": ["No leading or trailing slashes allowed."]}
+        )
+
+        response = self.client.post(
+            reverse("authentik_api:user-list"),
+            data={
+                "name": generate_id(),
+                "username": generate_id(),
+                "groups": [],
+                "path": "fos//o",
+            },
+        )
+        self.assertEqual(response.status_code, 400)
+        self.assertJSONEqual(
+            response.content.decode(), {"path": ["No empty segments in user path allowed."]}
+        )

authentik/core/tests/utils.py

@@ -11,14 +11,13 @@ from authentik.lib.generators import generate_id
 from authentik.tenants.models import Tenant
 
 
-def create_test_flow(designation: FlowDesignation = FlowDesignation.STAGE_CONFIGURATION) -> Flow:
+def create_test_flow(
+    designation: FlowDesignation = FlowDesignation.STAGE_CONFIGURATION, **kwargs
+) -> Flow:
     """Generate a flow that can be used for testing"""
     uid = generate_id(10)
     return Flow.objects.create(
-        name=uid,
-        title=uid,
-        slug=slugify(uid),
-        designation=designation,
+        name=uid, title=uid, slug=slugify(uid), designation=designation, **kwargs
     )
 
 
@@ -47,11 +46,11 @@ def create_test_tenant() -> Tenant:
 
 def create_test_cert() -> CertificateKeyPair:
     """Generate a certificate for testing"""
-    CertificateKeyPair.objects.filter(name="goauthentik.io").delete()
     builder = CertificateBuilder()
     builder.common_name = "goauthentik.io"
     builder.build(
         subject_alt_names=["goauthentik.io"],
         validity_days=360,
     )
+    builder.name = generate_id()
     return builder.save()

authentik/core/types.py

@@ -29,4 +29,4 @@ class UserSettingSerializer(PassiveSerializer):
     component = CharField()
     title = CharField()
     configure_url = CharField(required=False)
-    icon_url = CharField()
+    icon_url = CharField(required=False)

authentik/core/urls.py

@@ -1,20 +1,30 @@
 """authentik URL Configuration"""
+from django.conf import settings
 from django.contrib.auth.decorators import login_required
 from django.urls import path
 from django.views.decorators.csrf import ensure_csrf_cookie
 from django.views.generic import RedirectView
 from django.views.generic.base import TemplateView
 
-from authentik.core.views import impersonate
+from authentik.core.views import apps, impersonate
+from authentik.core.views.debug import AccessDeniedView
 from authentik.core.views.interface import FlowInterfaceView
 from authentik.core.views.session import EndSessionView
 
 urlpatterns = [
     path(
         "",
-        login_required(RedirectView.as_view(pattern_name="authentik_core:if-user")),
+        login_required(
+            RedirectView.as_view(pattern_name="authentik_core:if-user", query_string=True)
+        ),
         name="root-redirect",
     ),
+    path(
+        # We have to use this format since everything else uses applications/o or applications/saml
+        "application/launch/<slug:application_slug>/",
+        apps.RedirectToAppLaunch.as_view(),
+        name="application-launch",
+    ),
     # Impersonation
     path(
         "-/impersonation/<int:user_id>/",
@@ -54,3 +64,8 @@ urlpatterns = [
         TemplateView.as_view(template_name="if/admin.html"),
     ),
 ]
+
+if settings.DEBUG:
+    urlpatterns += [
+        path("debug/policy/deny/", AccessDeniedView.as_view(), name="debug-policy-deny"),
+    ]

authentik/core/views/apps.py

@@ -0,0 +1,75 @@
+"""app views"""
+from django.http import Http404, HttpRequest, HttpResponse, HttpResponseRedirect
+from django.shortcuts import get_object_or_404
+from django.utils.translation import gettext_lazy as _
+from django.views import View
+
+from authentik.core.models import Application
+from authentik.flows.challenge import (
+    ChallengeResponse,
+    ChallengeTypes,
+    HttpChallengeResponse,
+    RedirectChallenge,
+)
+from authentik.flows.models import in_memory_stage
+from authentik.flows.planner import PLAN_CONTEXT_APPLICATION, FlowPlanner
+from authentik.flows.stage import ChallengeStageView
+from authentik.flows.views.executor import SESSION_KEY_PLAN
+from authentik.lib.utils.urls import redirect_with_qs
+from authentik.stages.consent.stage import (
+    PLAN_CONTEXT_CONSENT_HEADER,
+    PLAN_CONTEXT_CONSENT_PERMISSIONS,
+)
+from authentik.tenants.models import Tenant
+
+
+class RedirectToAppLaunch(View):
+    """Application launch view, redirect to the launch URL"""
+
+    def dispatch(self, request: HttpRequest, application_slug: str) -> HttpResponse:
+        app = get_object_or_404(Application, slug=application_slug)
+        # Check here if the application has any launch URL set, if not 404
+        launch = app.get_launch_url()
+        if not launch:
+            raise Http404
+        # Check if we're authenticated already, saves us the flow run
+        if request.user.is_authenticated:
+            return HttpResponseRedirect(app.get_launch_url(request.user))
+        # otherwise, do a custom flow plan that includes the application that's
+        # being accessed, to improve usability
+        tenant: Tenant = request.tenant
+        flow = tenant.flow_authentication
+        planner = FlowPlanner(flow)
+        planner.allow_empty_flows = True
+        plan = planner.plan(
+            request,
+            {
+                PLAN_CONTEXT_APPLICATION: app,
+                PLAN_CONTEXT_CONSENT_HEADER: _("You're about to sign into %(application)s.")
+                % {"application": app.name},
+                PLAN_CONTEXT_CONSENT_PERMISSIONS: [],
+            },
+        )
+        plan.insert_stage(in_memory_stage(RedirectToAppStage))
+        request.session[SESSION_KEY_PLAN] = plan
+        return redirect_with_qs("authentik_core:if-flow", request.GET, flow_slug=flow.slug)
+
+
+class RedirectToAppStage(ChallengeStageView):
+    """Final stage to be inserted after the user logs in"""
+
+    def get_challenge(self, *args, **kwargs) -> RedirectChallenge:
+        app = self.executor.plan.context[PLAN_CONTEXT_APPLICATION]
+        launch = app.get_launch_url(self.get_pending_user())
+        # sanity check to ensure launch is still set
+        if not launch:
+            raise Http404
+        return RedirectChallenge(
+            instance={
+                "type": ChallengeTypes.REDIRECT.value,
+                "to": launch,
+            }
+        )
+
+    def challenge_valid(self, response: ChallengeResponse) -> HttpResponse:
+        return HttpChallengeResponse(self.get_challenge())

authentik/core/views/debug.py

@@ -0,0 +1,12 @@
+"""debug view"""
+from django.http import HttpRequest, HttpResponse
+from django.views.generic import View
+
+from authentik.policies.denied import AccessDeniedResponse
+
+
+class AccessDeniedView(View):
+    """Easily access AccessDeniedResponse"""
+
+    def dispatch(self, request: HttpRequest) -> HttpResponse:
+        return AccessDeniedResponse(request)

authentik/core/views/impersonate.py

@@ -5,9 +5,13 @@ from django.shortcuts import get_object_or_404, redirect
 from django.views import View
 from structlog.stdlib import get_logger
 
-from authentik.core.middleware import SESSION_IMPERSONATE_ORIGINAL_USER, SESSION_IMPERSONATE_USER
+from authentik.core.middleware import (
+    SESSION_KEY_IMPERSONATE_ORIGINAL_USER,
+    SESSION_KEY_IMPERSONATE_USER,
+)
 from authentik.core.models import User
 from authentik.events.models import Event, EventAction
+from authentik.lib.config import CONFIG
 
 LOGGER = get_logger()
 
@@ -17,14 +21,17 @@ class ImpersonateInitView(View):
 
     def get(self, request: HttpRequest, user_id: int) -> HttpResponse:
         """Impersonation handler, checks permissions"""
+        if not CONFIG.y_bool("impersonation"):
+            LOGGER.debug("User attempted to impersonate", user=request.user)
+            return HttpResponse("Unauthorized", status=401)
         if not request.user.has_perm("impersonate"):
             LOGGER.debug("User attempted to impersonate without permissions", user=request.user)
             return HttpResponse("Unauthorized", status=401)
 
         user_to_be = get_object_or_404(User, pk=user_id)
 
-        request.session[SESSION_IMPERSONATE_ORIGINAL_USER] = request.user
-        request.session[SESSION_IMPERSONATE_USER] = user_to_be
+        request.session[SESSION_KEY_IMPERSONATE_ORIGINAL_USER] = request.user
+        request.session[SESSION_KEY_IMPERSONATE_USER] = user_to_be
 
         Event.new(EventAction.IMPERSONATION_STARTED).from_http(request, user_to_be)
 
@@ -37,16 +44,16 @@ class ImpersonateEndView(View):
     def get(self, request: HttpRequest) -> HttpResponse:
         """End Impersonation handler"""
         if (
-            SESSION_IMPERSONATE_USER not in request.session
-            or SESSION_IMPERSONATE_ORIGINAL_USER not in request.session
+            SESSION_KEY_IMPERSONATE_USER not in request.session
+            or SESSION_KEY_IMPERSONATE_ORIGINAL_USER not in request.session
         ):
             LOGGER.debug("Can't end impersonation", user=request.user)
             return redirect("authentik_core:if-user")
 
-        original_user = request.session[SESSION_IMPERSONATE_ORIGINAL_USER]
+        original_user = request.session[SESSION_KEY_IMPERSONATE_ORIGINAL_USER]
 
-        del request.session[SESSION_IMPERSONATE_USER]
-        del request.session[SESSION_IMPERSONATE_ORIGINAL_USER]
+        del request.session[SESSION_KEY_IMPERSONATE_USER]
+        del request.session[SESSION_KEY_IMPERSONATE_ORIGINAL_USER]
 
         Event.new(EventAction.IMPERSONATION_ENDED).from_http(request, original_user)
 

authentik/crypto/api.py

@@ -17,6 +17,7 @@ from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import ModelSerializer, ValidationError
 from rest_framework.viewsets import ModelViewSet
+from structlog.stdlib import get_logger
 
 from authentik.api.decorators import permission_required
 from authentik.core.api.used_by import UsedByMixin
@@ -26,6 +27,8 @@ from authentik.crypto.managed import MANAGED_KEY
 from authentik.crypto.models import CertificateKeyPair
 from authentik.events.models import Event, EventAction
 
+LOGGER = get_logger()
+
 
 class CertificateKeyPairSerializer(ModelSerializer):
     """CertificateKeyPair Serializer"""
@@ -76,8 +79,11 @@ class CertificateKeyPairSerializer(ModelSerializer):
     def validate_certificate_data(self, value: str) -> str:
         """Verify that input is a valid PEM x509 Certificate"""
         try:
-            load_pem_x509_certificate(value.encode("utf-8"), default_backend())
-        except ValueError:
+            # Cast to string to fully load and parse certificate
+            # Prevents issues like https://github.com/goauthentik/authentik/issues/2082
+            str(load_pem_x509_certificate(value.encode("utf-8"), default_backend()))
+        except ValueError as exc:
+            LOGGER.warning("Failed to load certificate", exc=exc)
             raise ValidationError("Unable to load certificate.")
         return value
 
@@ -86,12 +92,17 @@ class CertificateKeyPairSerializer(ModelSerializer):
         # Since this field is optional, data can be empty.
         if value != "":
             try:
-                load_pem_private_key(
-                    str.encode("\n".join([x.strip() for x in value.split("\n")])),
-                    password=None,
-                    backend=default_backend(),
+                # Cast to string to fully load and parse certificate
+                # Prevents issues like https://github.com/goauthentik/authentik/issues/2082
+                str(
+                    load_pem_private_key(
+                        str.encode("\n".join([x.strip() for x in value.split("\n")])),
+                        password=None,
+                        backend=default_backend(),
+                    )
                 )
-            except (ValueError, TypeError):
+            except (ValueError, TypeError) as exc:
+                LOGGER.warning("Failed to load private key", exc=exc)
                 raise ValidationError("Unable to load private key (possibly encrypted?).")
         return value
 

authentik/crypto/builder.py

@@ -53,10 +53,7 @@ class CertificateBuilder:
             .subject_name(
                 x509.Name(
                     [
-                        x509.NameAttribute(
-                            NameOID.COMMON_NAME,
-                            self.common_name,
-                        ),
+                        x509.NameAttribute(NameOID.COMMON_NAME, self.common_name),
                         x509.NameAttribute(NameOID.ORGANIZATION_NAME, "authentik"),
                         x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, "Self-signed"),
                     ]
@@ -65,10 +62,7 @@ class CertificateBuilder:
             .issuer_name(
                 x509.Name(
                     [
-                        x509.NameAttribute(
-                            NameOID.COMMON_NAME,
-                            f"authentik {__version__}",
-                        ),
+                        x509.NameAttribute(NameOID.COMMON_NAME, f"authentik {__version__}"),
                     ]
                 )
             )

authentik/crypto/migrations/0002_create_self_signed_kp.py

@@ -2,6 +2,8 @@
 
 from django.db import migrations
 
+from authentik.lib.generators import generate_id
+
 
 def create_self_signed(apps, schema_editor):
     CertificateKeyPair = apps.get_model("authentik_crypto", "CertificateKeyPair")
@@ -9,7 +11,7 @@ def create_self_signed(apps, schema_editor):
     from authentik.crypto.builder import CertificateBuilder
 
     builder = CertificateBuilder()
-    builder.build()
+    builder.build(subject_alt_names=[f"{generate_id()}.self-signed.goauthentik.io"])
     CertificateKeyPair.objects.using(db_alias).create(
         name="authentik Self-signed Certificate",
         certificate_data=builder.certificate,

authentik/crypto/settings.py

@@ -1,10 +1,12 @@
 """Crypto task Settings"""
 from celery.schedules import crontab
 
+from authentik.lib.utils.time import fqdn_rand
+
 CELERY_BEAT_SCHEDULE = {
     "crypto_certificate_discovery": {
         "task": "authentik.crypto.tasks.certificate_discovery",
-        "schedule": crontab(minute="*/5"),
+        "schedule": crontab(minute=fqdn_rand("crypto_certificate_discovery"), hour="*"),
         "options": {"queue": "authentik_scheduled"},
     },
 }

authentik/crypto/tasks.py

@@ -61,15 +61,15 @@ def certificate_discovery(self: MonitoredTask):
         else:
             cert_name = path.name.replace(path.suffix, "")
         try:
-            with open(path, "r+", encoding="utf-8") as _file:
+            with open(path, "r", encoding="utf-8") as _file:
                 body = _file.read()
                 if "PRIVATE KEY" in body:
                     private_keys[cert_name] = ensure_private_key_valid(body)
                 else:
                     certs[cert_name] = ensure_certificate_valid(body)
+            discovered += 1
         except (OSError, ValueError) as exc:
             LOGGER.warning("Failed to open file or invalid format", exc=exc, file=path)
-        discovered += 1
     for name, cert_data in certs.items():
         cert = CertificateKeyPair.objects.filter(managed=MANAGED_DISCOVERED % name).first()
         if not cert:

authentik/events/api/notification_mappings.py

@@ -26,3 +26,4 @@ class NotificationWebhookMappingViewSet(UsedByMixin, ModelViewSet):
     serializer_class = NotificationWebhookMappingSerializer
     filterset_fields = ["name"]
     ordering = ["name"]
+    search_fields = ["name"]

authentik/events/api/notification_rules.py

@@ -32,3 +32,4 @@ class NotificationRuleViewSet(UsedByMixin, ModelViewSet):
     serializer_class = NotificationRuleSerializer
     filterset_fields = ["name", "severity", "group__name"]
     ordering = ["name"]
+    search_fields = ["name", "group__name"]

authentik/events/api/notification_transports.py

@@ -68,6 +68,7 @@ class NotificationTransportViewSet(UsedByMixin, ModelViewSet):
     queryset = NotificationTransport.objects.all()
     serializer_class = NotificationTransportSerializer
     filterset_fields = ["name", "mode", "webhook_url", "send_once"]
+    search_fields = ["name", "mode", "webhook_url"]
     ordering = ["name"]
 
     @permission_required("authentik_events.change_notificationtransport")

authentik/events/api/notifications.py

@@ -13,7 +13,7 @@ from rest_framework.viewsets import GenericViewSet
 
 from authentik.api.authorization import OwnerFilter, OwnerPermissions
 from authentik.core.api.used_by import UsedByMixin
-from authentik.events.api.event import EventSerializer
+from authentik.events.api.events import EventSerializer
 from authentik.events.models import Notification
 
 
@@ -55,6 +55,7 @@ class NotificationViewSet(
         "created",
         "event",
         "seen",
+        "user",
     ]
     permission_classes = [OwnerPermissions]
     filter_backends = [OwnerFilter, DjangoFilterBackend, OrderingFilter, SearchFilter]

authentik/events/apps.py

@@ -2,6 +2,13 @@
 from importlib import import_module
 
 from django.apps import AppConfig
+from prometheus_client import Gauge
+
+GAUGE_TASKS = Gauge(
+    "authentik_system_tasks",
+    "System tasks and their status",
+    ["task_name", "task_uid", "status"],
+)
 
 
 class AuthentikEventsConfig(AppConfig):

authentik/events/geo.py

@@ -1,7 +1,5 @@
 """events GeoIP Reader"""
-from datetime import datetime
 from os import stat
-from time import time
 from typing import Optional, TypedDict
 
 from geoip2.database import Reader
@@ -46,14 +44,18 @@ class GeoIPReader:
             LOGGER.warning("Failed to load GeoIP database", exc=exc)
 
     def __check_expired(self):
-        """Check if the geoip database has been opened longer than 8 hours,
-        and re-open it, as it will probably will have been re-downloaded"""
-        now = time()
-        diff = datetime.fromtimestamp(now) - datetime.fromtimestamp(self.__last_mtime)
-        diff_hours = diff.total_seconds() // 3600
-        if diff_hours >= 8:
-            LOGGER.info("GeoIP databased loaded too long, re-opening", diff=diff)
-            self.__open()
+        """Check if the modification date of the GeoIP database has
+        changed, and reload it if so"""
+        path = CONFIG.y("geoip")
+        try:
+            mtime = stat(path).st_mtime
+            diff = self.__last_mtime < mtime
+            if diff > 0:
+                LOGGER.info("Found new GeoIP Database, reopening", diff=diff)
+                self.__open()
+        except OSError as exc:
+            LOGGER.warning("Failed to check GeoIP age", exc=exc)
+            return
 
     @property
     def enabled(self) -> bool:
@@ -74,11 +76,8 @@ class GeoIPReader:
             except (GeoIP2Error, ValueError):
                 return None
 
-    def city_dict(self, ip_address: str) -> Optional[GeoIPDict]:
-        """Wrapper for self.city that returns a dict"""
-        city = self.city(ip_address)
-        if not city:
-            return None
+    def city_to_dict(self, city: City) -> GeoIPDict:
+        """Convert City to dict"""
         city_dict: GeoIPDict = {
             "continent": city.continent.code,
             "country": city.country.iso_code,
@@ -90,5 +89,12 @@ class GeoIPReader:
             city_dict["city"] = city.city.name
         return city_dict
 
+    def city_dict(self, ip_address: str) -> Optional[GeoIPDict]:
+        """Wrapper for self.city that returns a dict"""
+        city = self.city(ip_address)
+        if not city:
+            return None
+        return self.city_to_dict(city)
+
 
 GEOIP_READER = GeoIPReader()

authentik/events/middleware.py

@@ -3,6 +3,7 @@ from functools import partial
 from typing import Callable
 
 from django.conf import settings
+from django.contrib.sessions.models import Session
 from django.core.exceptions import SuspiciousOperation
 from django.db.models import Model
 from django.db.models.signals import post_save, pre_delete
@@ -15,16 +16,24 @@ from authentik.core.models import AuthenticatedSession, User
 from authentik.events.models import Event, EventAction, Notification
 from authentik.events.signals import EventNewThread
 from authentik.events.utils import model_to_dict
+from authentik.flows.models import FlowToken
 from authentik.lib.sentry import before_send
 from authentik.lib.utils.errors import exception_to_string
 
-IGNORED_MODELS = (
+IGNORED_MODELS = [
     Event,
     Notification,
     UserObjectPermission,
     AuthenticatedSession,
     StaticToken,
-)
+    Session,
+    FlowToken,
+]
+if settings.DEBUG:
+    from silk.models import Request, Response, SQLQuery
+
+    IGNORED_MODELS += [Request, Response, SQLQuery]
+IGNORED_MODELS = tuple(IGNORED_MODELS)
 
 
 class AuditMiddleware:

authentik/events/migrations/0001_squashed_0019_alter_notificationtransport_webhook_url.py

@@ -383,6 +383,7 @@ class Migration(migrations.Migration):
                     models.ManyToManyField(
                         help_text="Select which transports should be used to notify the user. If none are selected, the notification will only be shown in the authentik UI.",
                         to="authentik_events.NotificationTransport",
+                        blank=True,
                     ),
                 ),
             ],

authentik/events/migrations/0002_alter_notificationtransport_mode.py

@@ -0,0 +1,50 @@
+# Generated by Django 4.0.4 on 2022-05-30 18:08
+from django.apps.registry import Apps
+from django.db import migrations, models
+from django.db.backends.base.schema import BaseDatabaseSchemaEditor
+
+from authentik.events.models import TransportMode
+
+
+def notify_local_transport(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
+    db_alias = schema_editor.connection.alias
+    NotificationTransport = apps.get_model("authentik_events", "NotificationTransport")
+    NotificationRule = apps.get_model("authentik_events", "NotificationRule")
+
+    local_transport, _ = NotificationTransport.objects.using(db_alias).update_or_create(
+        name="default-local-transport",
+        defaults={"mode": TransportMode.LOCAL},
+    )
+
+    for trigger in NotificationRule.objects.using(db_alias).filter(
+        name__in=[
+            "default-notify-configuration-error",
+            "default-notify-exception",
+            "default-notify-update",
+        ]
+    ):
+        trigger.transports.add(local_transport)
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_events", "0001_squashed_0019_alter_notificationtransport_webhook_url"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="notificationtransport",
+            name="mode",
+            field=models.TextField(
+                choices=[
+                    ("local", "authentik inbuilt notifications"),
+                    ("webhook", "Generic Webhook"),
+                    ("webhook_slack", "Slack Webhook (Slack/Discord)"),
+                    ("email", "Email"),
+                ],
+                default="local",
+            ),
+        ),
+        migrations.RunPython(notify_local_transport),
+    ]