don't overwrite connections for other sources

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2023.8.7
+current_version = 2023.8.3
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)

.dockerignore

@@ -1,10 +1,11 @@
-env
 htmlcov
 *.env.yml
 **/node_modules
 dist/**
 build/**
 build_docs/**
-Dockerfile
-authentik/enterprise
+*Dockerfile
 blueprints/local
+.git
+!gen-ts-api/node_modules
+!gen-ts-api/dist/**

.github/actions/setup/action.yml

@@ -23,7 +23,7 @@ runs:
     - name: Setup node
       uses: actions/setup-node@v3
       with:
-        node-version: "20.5"
+        node-version: "20"
         cache: "npm"
         cache-dependency-path: web/package-lock.json
     - name: Setup dependencies

.github/workflows/ci-main.yml

@@ -11,7 +11,6 @@ on:
   pull_request:
     branches:
       - main
-      - version-*
 
 env:
   POSTGRES_DB: authentik
@@ -34,7 +33,7 @@ jobs:
           - ruff
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: run job
@@ -42,7 +41,7 @@ jobs:
   test-migrations:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: run migrations
@@ -51,7 +50,7 @@ jobs:
     runs-on: ubuntu-latest
     continue-on-error: true
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Setup authentik env
@@ -92,7 +91,7 @@ jobs:
           - 12-alpine
           - 15-alpine
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Setup authentik env
         uses: ./.github/actions/setup
         with:
@@ -109,7 +108,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 30
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: Create k8s Kind Cluster
@@ -145,7 +144,7 @@ jobs:
           - name: flows
             glob: tests/e2e/test_flows*
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: Setup e2e env (chrome, etc)
@@ -185,33 +184,33 @@ jobs:
   build:
     needs: ci-core-mark
     runs-on: ubuntu-latest
-    permissions:
-      # Needed to upload contianer images to ghcr.io
-      packages: write
     timeout-minutes: 120
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2.2.0
+        uses: docker/setup-qemu-action@v3.0.0
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
         env:
           DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
       - name: Login to Container Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
+      - name: generate ts client
+        run: make gen-client-ts
       - name: Build Docker Image
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v5
         with:
+          context: .
           secrets: |
             GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
             GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
@@ -224,6 +223,8 @@ jobs:
             GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
             VERSION=${{ steps.ev.outputs.version }}
             VERSION_FAMILY=${{ steps.ev.outputs.versionFamily }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
       - name: Comment on PR
         if: github.event_name == 'pull_request'
         continue-on-error: true
@@ -233,33 +234,33 @@ jobs:
   build-arm64:
     needs: ci-core-mark
     runs-on: ubuntu-latest
-    permissions:
-      # Needed to upload contianer images to ghcr.io
-      packages: write
     timeout-minutes: 120
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2.2.0
+        uses: docker/setup-qemu-action@v3.0.0
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
         env:
           DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
       - name: Login to Container Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
+      - name: generate ts client
+        run: make gen-client-ts
       - name: Build Docker Image
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v5
         with:
+          context: .
           secrets: |
             GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
             GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
@@ -273,3 +274,5 @@ jobs:
             VERSION=${{ steps.ev.outputs.version }}
             VERSION_FAMILY=${{ steps.ev.outputs.versionFamily }}
           platforms: linux/arm64
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

.github/workflows/ci-outpost.yml

@@ -9,13 +9,12 @@ on:
   pull_request:
     branches:
       - main
-      - version-*
 
 jobs:
   lint-golint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: actions/setup-go@v4
         with:
           go-version-file: "go.mod"
@@ -32,14 +31,16 @@ jobs:
         with:
           version: v1.52.2
           args: --timeout 5000s --verbose
-          skip-pkg-cache: true
+          skip-cache: true
   test-unittest:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: actions/setup-go@v4
         with:
           go-version-file: "go.mod"
+      - name: Setup authentik env
+        uses: ./.github/actions/setup
       - name: Generate API
         run: make gen-client-go
       - name: Go unittests
@@ -64,24 +65,21 @@ jobs:
           - ldap
           - radius
     runs-on: ubuntu-latest
-    permissions:
-      # Needed to upload contianer images to ghcr.io
-      packages: write
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2.2.0
+        uses: docker/setup-qemu-action@v3.0.0
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
         env:
           DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
       - name: Login to Container Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
         with:
           registry: ghcr.io
@@ -90,7 +88,7 @@ jobs:
       - name: Generate API
         run: make gen-client-go
       - name: Build Docker Image
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v5
         with:
           push: ${{ steps.ev.outputs.shouldBuild == 'true' }}
           tags: |
@@ -103,6 +101,8 @@ jobs:
             VERSION_FAMILY=${{ steps.ev.outputs.versionFamily }}
           platforms: linux/amd64,linux/arm64
           context: .
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
   build-binary:
     timeout-minutes: 120
     needs:
@@ -118,7 +118,7 @@ jobs:
         goos: [linux]
         goarch: [amd64, arm64]
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - uses: actions/setup-go@v4
@@ -126,7 +126,7 @@ jobs:
           go-version-file: "go.mod"
       - uses: actions/setup-node@v3
         with:
-          node-version: "20.5"
+          node-version: "20"
           cache: "npm"
           cache-dependency-path: web/package-lock.json
       - name: Generate API

.github/workflows/ci-web.yml

@@ -9,7 +9,6 @@ on:
   pull_request:
     branches:
       - main
-      - version-*
 
 jobs:
   lint-eslint:
@@ -18,7 +17,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v3
         with:
-          node-version: "20.5"
+          node-version: "20"
           cache: "npm"
           cache-dependency-path: web/package-lock.json
       - working-directory: web/
@@ -34,7 +33,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v3
         with:
-          node-version: "20.5"
+          node-version: "20"
           cache: "npm"
           cache-dependency-path: web/package-lock.json
       - working-directory: web/
@@ -50,7 +49,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v3
         with:
-          node-version: "20.5"
+          node-version: "20"
           cache: "npm"
           cache-dependency-path: web/package-lock.json
       - working-directory: web/
@@ -66,7 +65,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v3
         with:
-          node-version: "20.5"
+          node-version: "20"
           cache: "npm"
           cache-dependency-path: web/package-lock.json
       - working-directory: web/
@@ -98,7 +97,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v3
         with:
-          node-version: "20.5"
+          node-version: "20"
           cache: "npm"
           cache-dependency-path: web/package-lock.json
       - working-directory: web/

.github/workflows/ci-website.yml

@@ -9,7 +9,6 @@ on:
   pull_request:
     branches:
       - main
-      - version-*
 
 jobs:
   lint-prettier:
@@ -18,7 +17,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v3
         with:
-          node-version: "20.5"
+          node-version: "20"
           cache: "npm"
           cache-dependency-path: website/package-lock.json
       - working-directory: website/
@@ -32,7 +31,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v3
         with:
-          node-version: "20.5"
+          node-version: "20"
           cache: "npm"
           cache-dependency-path: website/package-lock.json
       - working-directory: website/
@@ -53,7 +52,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v3
         with:
-          node-version: "20.5"
+          node-version: "20"
           cache: "npm"
           cache-dependency-path: website/package-lock.json
       - working-directory: website/

.github/workflows/codeql-analysis.yml

@@ -23,7 +23,7 @@ jobs:
         language: ["go", "javascript", "python"]
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: Initialize CodeQL

.github/workflows/gha-cache-cleanup.yml

@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Cleanup
         run: |

.github/workflows/ghcr-retention.yml

@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - id: generate_token
-        uses: tibdex/github-app-token@v1
+        uses: tibdex/github-app-token@v2
         with:
           app_id: ${{ secrets.GH_APP_ID }}
           private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}

.github/workflows/image-compress.yml

@@ -29,11 +29,11 @@ jobs:
        github.event.pull_request.head.repo.full_name == github.repository)
     steps:
       - id: generate_token
-        uses: tibdex/github-app-token@v1
+        uses: tibdex/github-app-token@v2
         with:
           app_id: ${{ secrets.GH_APP_ID }}
           private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           token: ${{ steps.generate_token.outputs.token }}
       - name: Compress images

.github/workflows/publish-source-docs.yml

@@ -15,7 +15,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 120
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: generate docs

.github/workflows/release-next-branch.yml

@@ -6,7 +6,6 @@ on:
   workflow_dispatch:
 
 permissions:
-  # Needed to be able to push to the next branch
   contents: write
 
 jobs:
@@ -14,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     environment: internal-production
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           ref: main
       - run: |

.github/workflows/release-publish.yml

@@ -7,32 +7,32 @@ on:
 jobs:
   build-server:
     runs-on: ubuntu-latest
-    permissions:
-      # Needed to upload contianer images to ghcr.io
-      packages: write
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2.2.0
+        uses: docker/setup-qemu-action@v3.0.0
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
       - name: Docker Login Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
+      - name: make empty ts client
+        run: mkdir -p ./gen-ts-client
       - name: Build Docker Image
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v5
         with:
+          context: .
           push: ${{ github.event_name == 'release' }}
           secrets: |
             GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
@@ -50,9 +50,6 @@ jobs:
             VERSION_FAMILY=${{ steps.ev.outputs.versionFamily }}
   build-outpost:
     runs-on: ubuntu-latest
-    permissions:
-      # Needed to upload contianer images to ghcr.io
-      packages: write
     strategy:
       fail-fast: false
       matrix:
@@ -61,30 +58,30 @@ jobs:
           - ldap
           - radius
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: actions/setup-go@v4
         with:
           go-version-file: "go.mod"
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2.2.0
+        uses: docker/setup-qemu-action@v3.0.0
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
       - name: Docker Login Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build Docker Image
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v5
         with:
           push: ${{ github.event_name == 'release' }}
           tags: |
@@ -102,9 +99,6 @@ jobs:
   build-outpost-binary:
     timeout-minutes: 120
     runs-on: ubuntu-latest
-    permissions:
-      # Needed to upload binaries to the release
-      contents: write
     strategy:
       fail-fast: false
       matrix:
@@ -115,13 +109,13 @@ jobs:
         goos: [linux, darwin]
         goarch: [amd64, arm64]
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: actions/setup-go@v4
         with:
           go-version-file: "go.mod"
       - uses: actions/setup-node@v3
         with:
-          node-version: "20.5"
+          node-version: "20"
           cache: "npm"
           cache-dependency-path: web/package-lock.json
       - name: Build web
@@ -150,7 +144,7 @@ jobs:
       - build-outpost-binary
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Run test suite in final docker images
         run: |
           echo "PG_PASS=$(openssl rand -base64 32)" >> .env
@@ -166,7 +160,7 @@ jobs:
       - build-outpost-binary
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev

.github/workflows/release-tag.yml

@@ -10,7 +10,7 @@ jobs:
     name: Create Release from Tag
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Pre-release test
         run: |
           echo "PG_PASS=$(openssl rand -base64 32)" >> .env
@@ -23,7 +23,7 @@ jobs:
           docker-compose start postgresql redis
           docker-compose run -u root server test-all
       - id: generate_token
-        uses: tibdex/github-app-token@v1
+        uses: tibdex/github-app-token@v2
         with:
           app_id: ${{ secrets.GH_APP_ID }}
           private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}

.github/workflows/repo-stale.yml

@@ -6,15 +6,15 @@ on:
   workflow_dispatch:
 
 permissions:
-  # Needed to update issues and PRs
   issues: write
+  pull-requests: write
 
 jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
       - id: generate_token
-        uses: tibdex/github-app-token@v1
+        uses: tibdex/github-app-token@v2
         with:
           app_id: ${{ secrets.GH_APP_ID }}
           private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}

.github/workflows/translation-compile.yml

@@ -16,11 +16,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - id: generate_token
-        uses: tibdex/github-app-token@v1
+        uses: tibdex/github-app-token@v2
         with:
           app_id: ${{ secrets.GH_APP_ID }}
           private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           token: ${{ steps.generate_token.outputs.token }}
       - name: Setup authentik env

.github/workflows/translation-rename.yml

@@ -12,7 +12,7 @@ jobs:
     if: ${{ github.event.pull_request.user.login == 'transifex-integration[bot]'}}
     steps:
       - id: generate_token
-        uses: tibdex/github-app-token@v1
+        uses: tibdex/github-app-token@v2
         with:
           app_id: ${{ secrets.GH_APP_ID }}
           private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}

.github/workflows/web-api-publish.yml

@@ -10,16 +10,16 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - id: generate_token
-        uses: tibdex/github-app-token@v1
+        uses: tibdex/github-app-token@v2
         with:
           app_id: ${{ secrets.GH_APP_ID }}
           private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           token: ${{ steps.generate_token.outputs.token }}
       - uses: actions/setup-node@v3
         with:
-          node-version: "20.5"
+          node-version: "20"
           registry-url: "https://registry.npmjs.org"
       - name: Generate API Client
         run: make gen-client-ts

CODEOWNERS

@@ -1,2 +1,23 @@
-*   @goauthentik/core
-website/docs/security/**    @goauthentik/security
+# Fallback
+*                               @goauthentik/backend @goauthentik/frontend
+# Backend
+authentik/                      @goauthentik/backend
+blueprints/                     @goauthentik/backend
+cmd/                            @goauthentik/backend
+internal/                       @goauthentik/backend
+lifecycle/                      @goauthentik/backend
+schemas/                        @goauthentik/backend
+scripts/                        @goauthentik/backend
+tests/                          @goauthentik/backend
+# Infrastructure
+.github/                        @goauthentik/infrastructure
+Dockerfile                      @goauthentik/infrastructure
+*Dockerfile                     @goauthentik/infrastructure
+.dockerignore                   @goauthentik/infrastructure
+docker-compose.yml              @goauthentik/infrastructure
+# Web
+web/                            @goauthentik/frontend
+# Docs & Website
+website/                        @goauthentik/docs
+# Security
+website/docs/security/          @goauthentik/security

Dockerfile

@@ -1,53 +1,65 @@
 # Stage 1: Build website
-FROM --platform=${BUILDPLATFORM} docker.io/node:20.5 as website-builder
+FROM --platform=${BUILDPLATFORM} docker.io/node:20 as website-builder
+
+ENV NODE_ENV=production
+
+WORKDIR /work/website
+
+RUN --mount=type=bind,target=/work/website/package.json,src=./website/package.json \
+    --mount=type=bind,target=/work/website/package-lock.json,src=./website/package-lock.json \
+    --mount=type=cache,target=/root/.npm \
+    npm ci --include=dev
 
 COPY ./website /work/website/
 COPY ./blueprints /work/blueprints/
 COPY ./SECURITY.md /work/
 
-ENV NODE_ENV=production
-WORKDIR /work/website
-RUN npm ci --include=dev && npm run build-docs-only
+RUN npm run build-docs-only
 
 # Stage 2: Build webui
-FROM --platform=${BUILDPLATFORM} docker.io/node:20.5 as web-builder
+FROM --platform=${BUILDPLATFORM} docker.io/node:20 as web-builder
+
+ENV NODE_ENV=production
+
+WORKDIR /work/web
+
+RUN --mount=type=bind,target=/work/web/package.json,src=./web/package.json \
+    --mount=type=bind,target=/work/web/package-lock.json,src=./web/package-lock.json \
+    --mount=type=cache,target=/root/.npm \
+    npm ci --include=dev
 
 COPY ./web /work/web/
 COPY ./website /work/website/
+COPY ./gen-ts-api /work/web/node_modules/@goauthentik/api
 
-ENV NODE_ENV=production
-WORKDIR /work/web
-RUN npm ci --include=dev && npm run build
+RUN npm run build
 
-# Stage 3: Poetry to requirements.txt export
-FROM docker.io/python:3.11.5-slim-bookworm AS poetry-locker
+# Stage 3: Build go proxy
+FROM docker.io/golang:1.21.1-bookworm AS go-builder
 
-WORKDIR /work
-COPY ./pyproject.toml /work
-COPY ./poetry.lock /work
+WORKDIR /go/src/goauthentik.io
 
-RUN pip install --no-cache-dir poetry && \
-    poetry export -f requirements.txt --output requirements.txt && \
-    poetry export -f requirements.txt --dev --output requirements-dev.txt
+RUN --mount=type=bind,target=/go/src/goauthentik.io/go.mod,src=./go.mod \
+    --mount=type=bind,target=/go/src/goauthentik.io/go.sum,src=./go.sum \
+    --mount=type=cache,target=/go/pkg/mod \
+    go mod download
 
-# Stage 4: Build go proxy
-FROM docker.io/golang:1.21.0-bookworm AS go-builder
+COPY ./cmd /go/src/goauthentik.io/cmd
+COPY ./authentik/lib /go/src/goauthentik.io/authentik/lib
+COPY ./web/static.go /go/src/goauthentik.io/web/static.go
+COPY --from=web-builder /work/web/robots.txt /go/src/goauthentik.io/web/robots.txt
+COPY --from=web-builder /work/web/security.txt /go/src/goauthentik.io/web/security.txt
+COPY ./internal /go/src/goauthentik.io/internal
+COPY ./go.mod /go/src/goauthentik.io/go.mod
+COPY ./go.sum /go/src/goauthentik.io/go.sum
 
-WORKDIR /work
+ENV CGO_ENABLED=0
 
-COPY --from=web-builder /work/web/robots.txt /work/web/robots.txt
-COPY --from=web-builder /work/web/security.txt /work/web/security.txt
+RUN --mount=type=cache,target=/go/pkg/mod \
+    --mount=type=cache,target=/root/.cache/go-build \
+    go build -o /go/authentik ./cmd/server
 
-COPY ./cmd /work/cmd
-COPY ./authentik/lib /work/authentik/lib
-COPY ./web/static.go /work/web/static.go
-COPY ./internal /work/internal
-COPY ./go.mod /work/go.mod
-COPY ./go.sum /work/go.sum
-
-RUN go build -o /work/bin/authentik ./cmd/server/
-
-# Stage 5: MaxMind GeoIP
+# Stage 4: MaxMind GeoIP
 FROM ghcr.io/maxmind/geoipupdate:v6.0 as geoip
 
 ENV GEOIPUPDATE_EDITION_IDS="GeoLite2-City"
@@ -61,6 +73,29 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
     mkdir -p /usr/share/GeoIP && \
     /bin/sh -c "/usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
 
+# Stage 5: Python dependencies
+FROM docker.io/python:3.11.5-bookworm AS python-deps
+
+WORKDIR /ak-root/poetry
+
+ENV VENV_PATH="/ak-root/venv" \
+    POETRY_VIRTUALENVS_CREATE=false \
+    PATH="/ak-root/venv/bin:$PATH"
+
+RUN --mount=type=cache,target=/var/cache/apt \
+    apt-get update && \
+    # Required for installing pip packages
+    apt-get install -y --no-install-recommends build-essential pkg-config libxmlsec1-dev zlib1g-dev libpq-dev
+
+RUN --mount=type=bind,target=./pyproject.toml,src=./pyproject.toml \
+    --mount=type=bind,target=./poetry.lock,src=./poetry.lock \
+    --mount=type=cache,target=/root/.cache/pip \
+    --mount=type=cache,target=/root/.cache/pypoetry \
+    python -m venv /ak-root/venv/ && \
+    pip3 install --upgrade pip && \
+    pip3 install poetry && \
+    poetry install --only=main --no-ansi --no-interaction
+
 # Stage 6: Run
 FROM docker.io/python:3.11.5-slim-bookworm AS final-image
 
@@ -76,46 +111,45 @@ LABEL org.opencontainers.image.revision ${GIT_BUILD_HASH}
 
 WORKDIR /
 
-COPY --from=poetry-locker /work/requirements.txt /
-COPY --from=poetry-locker /work/requirements-dev.txt /
-COPY --from=geoip /usr/share/GeoIP /geoip
-
+# We cannot cache this layer otherwise we'll end up with a bigger image
 RUN apt-get update && \
-    # Required for installing pip packages
-    apt-get install -y --no-install-recommends build-essential pkg-config libxmlsec1-dev zlib1g-dev libpq-dev python3-dev && \
     # Required for runtime
     apt-get install -y --no-install-recommends libpq5 openssl libxmlsec1-openssl libmaxminddb0 && \
     # Required for bootstrap & healtcheck
     apt-get install -y --no-install-recommends runit && \
-    pip install --no-cache-dir -r /requirements.txt && \
-    apt-get remove --purge -y build-essential pkg-config libxmlsec1-dev libpq-dev python3-dev && \
-    apt-get autoremove --purge -y && \
     apt-get clean && \
     rm -rf /tmp/* /var/lib/apt/lists/* /var/tmp/ && \
     adduser --system --no-create-home --uid 1000 --group --home /authentik authentik && \
     mkdir -p /certs /media /blueprints && \
     mkdir -p /authentik/.ssh && \
-    chown authentik:authentik /certs /media /authentik/.ssh
+    mkdir -p /ak-root && \
+    chown authentik:authentik /certs /media /authentik/.ssh /ak-root
 
 COPY ./authentik/ /authentik
 COPY ./pyproject.toml /
+COPY ./poetry.lock /
 COPY ./schemas /schemas
 COPY ./locale /locale
 COPY ./tests /tests
 COPY ./manage.py /
 COPY ./blueprints /blueprints
 COPY ./lifecycle/ /lifecycle
-COPY --from=go-builder /work/bin/authentik /bin/authentik
+COPY --from=go-builder /go/authentik /bin/authentik
+COPY --from=python-deps /ak-root/venv /ak-root/venv
 COPY --from=web-builder /work/web/dist/ /web/dist/
 COPY --from=web-builder /work/web/authentik/ /web/authentik/
 COPY --from=website-builder /work/website/help/ /website/help/
+COPY --from=geoip /usr/share/GeoIP /geoip
 
 USER 1000
 
-ENV TMPDIR /dev/shm/
-ENV PYTHONUNBUFFERED 1
-ENV PATH "/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/lifecycle"
+ENV TMPDIR=/dev/shm/ \
+    PYTHONDONTWRITEBYTECODE=1 \
+    PYTHONUNBUFFERED=1 \
+    PATH="/ak-root/venv/bin:$PATH" \
+    VENV_PATH="/ak-root/venv" \
+    POETRY_VIRTUALENVS_CREATE=false
 
 HEALTHCHECK --interval=30s --timeout=30s --start-period=60s --retries=3 CMD [ "/lifecycle/ak", "healthcheck" ]
 
-ENTRYPOINT [ "/usr/local/bin/dumb-init", "--", "/lifecycle/ak" ]
+ENTRYPOINT [ "dumb-init", "--", "/lifecycle/ak" ]

Makefile

@@ -1,9 +1,16 @@
-.SHELLFLAGS += -x -e
+.PHONY: gen dev-reset all clean test web website
+
+.SHELLFLAGS += ${SHELLFLAGS} -e
 PWD = $(shell pwd)
 UID = $(shell id -u)
 GID = $(shell id -g)
 NPM_VERSION = $(shell python -m scripts.npm_version)
 PY_SOURCES = authentik tests scripts lifecycle
+DOCKER_IMAGE ?= "authentik:test"
+
+pg_user := $(shell python -m authentik.lib.config postgresql.user 2>/dev/null)
+pg_host := $(shell python -m authentik.lib.config postgresql.host 2>/dev/null)
+pg_name := $(shell python -m authentik.lib.config postgresql.name 2>/dev/null)
 
 CODESPELL_ARGS = -D - -D .github/codespell-dictionary.txt \
 		-I .github/codespell-words.txt \
@@ -19,57 +26,78 @@ CODESPELL_ARGS = -D - -D .github/codespell-dictionary.txt \
 		website/integrations \
 		website/src
 
-all: lint-fix lint test gen web
+all: lint-fix lint test gen web  ## Lint, build, and test everything
+
+help:  ## Show this help
+	@echo "\nSpecify a command. The choices are:\n"
+	@grep -E '^[0-9a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | \
+		awk 'BEGIN {FS = ":.*?## "}; {printf "  \033[0;36m%-24s\033[m %s\n", $$1, $$2}' | \
+		sort
+	@echo ""
 
 test-go:
 	go test -timeout 0 -v -race -cover ./...
 
-test-docker:
+test-docker:  ## Run all tests in a docker-compose
 	echo "PG_PASS=$(openssl rand -base64 32)" >> .env
 	echo "AUTHENTIK_SECRET_KEY=$(openssl rand -base64 32)" >> .env
 	docker-compose pull -q
 	docker-compose up --no-start
 	docker-compose start postgresql redis
-	docker-compose run -u root server test
+	docker-compose run -u root server test-all
 	rm -f .env
 
-test:
+test: ## Run the server tests and produce a coverage report (locally)
 	coverage run manage.py test --keepdb authentik
 	coverage html
 	coverage report
 
-lint-fix:
+lint-fix:  ## Lint and automatically fix errors in the python source code. Reports spelling errors.
 	isort authentik $(PY_SOURCES)
 	black authentik $(PY_SOURCES)
 	ruff authentik $(PY_SOURCES)
 	codespell -w $(CODESPELL_ARGS)
 
-lint:
+lint: ## Lint the python and golang sources
 	pylint $(PY_SOURCES)
 	bandit -r $(PY_SOURCES) -x node_modules
 	golangci-lint run -v
 
-migrate:
+migrate: ## Run the Authentik Django server's migrations
 	python -m lifecycle.migrate
 
-i18n-extract: i18n-extract-core web-i18n-extract
+i18n-extract: i18n-extract-core web-i18n-extract  ## Extract strings that require translation into files to send to a translation service
 
 i18n-extract-core:
 	ak makemessages --ignore web --ignore internal --ignore web --ignore web-api --ignore website -l en
 
+install: web-install website-install  ## Install all requires dependencies for `web`, `website` and `core`
+	poetry install
+
+dev-drop-db:
+	echo dropdb -U ${pg_user} -h ${pg_host} ${pg_name}
+	# Also remove the test-db if it exists
+	dropdb -U ${pg_user} -h ${pg_host} test_${pg_name} || true
+	echo redis-cli -n 0 flushall
+
+dev-create-db:
+	createdb -U ${pg_user} -h ${pg_host} ${pg_name}
+
+dev-reset: dev-drop-db dev-create-db migrate  ## Drop and restore the Authentik PostgreSQL instance to a "fresh install" state.
+
 #########################
 ## API Schema
 #########################
 
-gen-build:
+gen-build:  ## Extract the schema from the database
 	AUTHENTIK_DEBUG=true ak make_blueprint_schema > blueprints/schema.json
 	AUTHENTIK_DEBUG=true ak spectacular --file schema.yml
 
-gen-changelog:
+gen-changelog:  ## (Release) generate the changelog based from the commits since the last tag
 	git log --pretty=format:" - %s" $(shell git describe --tags $(shell git rev-list --tags --max-count=1))...$(shell git branch --show-current) | sort > changelog.md
 	npx prettier --write changelog.md
 
-gen-diff:
+gen-diff:  ## (Release) generate the changelog diff between the current schema and the last tag
 	git show $(shell git describe --tags $(shell git rev-list --tags --max-count=1)):schema.yml > old_schema.yml
 	docker run \
 		--rm -v ${PWD}:/local \
@@ -84,7 +112,7 @@ gen-clean:
 	rm -rf web/api/src/
 	rm -rf api/
 
-gen-client-ts:
+gen-client-ts:  ## Build and install the authentik API for Typescript into the authentik UI Application
 	docker run \
 		--rm -v ${PWD}:/local \
 		--user ${UID}:${GID} \
@@ -100,7 +128,7 @@ gen-client-ts:
 	cd gen-ts-api && npm i
 	\cp -rfv gen-ts-api/* web/node_modules/@goauthentik/api
 
-gen-client-go:
+gen-client-go:  ## Build and install the authentik API for Golang
 	mkdir -p ./gen-go-api ./gen-go-api/templates
 	wget https://raw.githubusercontent.com/goauthentik/client-go/main/config.yaml -O ./gen-go-api/config.yaml
 	wget https://raw.githubusercontent.com/goauthentik/client-go/main/templates/README.mustache -O ./gen-go-api/templates/README.mustache
@@ -117,7 +145,7 @@ gen-client-go:
 	go mod edit -replace goauthentik.io/api/v3=./gen-go-api
 	rm -rf ./gen-go-api/config.yaml ./gen-go-api/templates/
 
-gen-dev-config:
+gen-dev-config:  ## Generate a local development config file
 	python -m scripts.generate_config
 
 gen: gen-build gen-clean gen-client-ts
@@ -126,21 +154,21 @@ gen: gen-build gen-clean gen-client-ts
 ## Web
 #########################
 
-web-build: web-install
+web-build: web-install  ## Build the Authentik UI
 	cd web && npm run build
 
-web: web-lint-fix web-lint web-check-compile
+web: web-lint-fix web-lint web-check-compile web-i18n-extract  ## Automatically fix formatting issues in the Authentik UI source code, lint the code, and compile it
 
-web-install:
+web-install:  ## Install the necessary libraries to build the Authentik UI
 	cd web && npm ci
 
-web-watch:
+web-watch:  ## Build and watch the Authentik UI for changes, updating automatically
 	rm -rf web/dist/
 	mkdir web/dist/
 	touch web/dist/.gitkeep
 	cd web && npm run watch
 
-web-storybook-watch:
+web-storybook-watch:  ## Build and run the storybook documentation server
 	cd web && npm run storybook
 
 web-lint-fix:
@@ -160,7 +188,7 @@ web-i18n-extract:
 ## Website
 #########################
 
-website: website-lint-fix website-build
+website: website-lint-fix website-build  ## Automatically fix formatting issues in the Authentik website/docs source code, lint the code, and compile it
 
 website-install:
 	cd website && npm ci
@@ -171,11 +199,22 @@ website-lint-fix:
 website-build:
 	cd website && npm run build
 
-website-watch:
+website-watch:  ## Build and watch the documentation website, updating automatically
 	cd website && npm run watch
 
+#########################
+## Docker
+#########################
+
+docker:  ## Build a docker image of the current source tree
+	DOCKER_BUILDKIT=1 docker build . --progress plain --tag ${DOCKER_IMAGE}
+
+#########################
+## CI
+#########################
 # These targets are use by GitHub actions to allow usage of matrix
 # which makes the YAML File a lot smaller
+
 ci--meta-debug:
 	python -V
 	node --version
@@ -203,14 +242,3 @@ ci-pyright: ci--meta-debug
 
 ci-pending-migrations: ci--meta-debug
 	ak makemigrations --check
-
-install: web-install website-install
-	poetry install
-
-dev-reset:
-	dropdb -U postgres -h localhost authentik
-	# Also remove the test-db if it exists
-	dropdb -U postgres -h localhost test_authentik || true
-	createdb -U postgres -h localhost authentik
-	redis-cli -n 0 flushall
-	make migrate

README.md

@@ -41,15 +41,3 @@ See [SECURITY.md](SECURITY.md)
 ## Adoption and Contributions
 
 Your organization uses authentik? We'd love to add your logo to the readme and our website! Email us @ hello@goauthentik.io or open a GitHub Issue/PR! For more information on how to contribute to authentik, please refer to our [CONTRIBUTING.md file](./CONTRIBUTING.md).
-
-## Sponsors
-
-This project is proudly sponsored by:
-
-<p>
-    <a href="https://www.digitalocean.com/?utm_medium=opensource&utm_source=goauthentik.io">
-        <img src="https://opensource.nyc3.cdn.digitaloceanspaces.com/attribution/assets/SVG/DO_Logo_horizontal_blue.svg" width="201px">
-    </a>
-</p>
-
-DigitalOcean provides development and testing resources for authentik.

authentik/__init__.py

@@ -2,7 +2,7 @@
 from os import environ
 from typing import Optional
 
-__version__ = "2023.8.7"
+__version__ = "2023.8.3"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 

authentik/blueprints/api.py

@@ -49,7 +49,7 @@ class BlueprintInstanceSerializer(ModelSerializer):
         if content == "":
             return content
         context = self.instance.context if self.instance else {}
-        valid, logs = Importer(content, context).validate()
+        valid, logs = Importer.from_string(content, context).validate()
         if not valid:
             text_logs = "\n".join([x["event"] for x in logs])
             raise ValidationError(_("Failed to validate blueprint: %(logs)s" % {"logs": text_logs}))

authentik/blueprints/management/commands/apply_blueprint.py

@@ -18,7 +18,7 @@ class Command(BaseCommand):
         """Apply all blueprints in order, abort when one fails to import"""
         for blueprint_path in options.get("blueprints", []):
             content = BlueprintInstance(path=blueprint_path).retrieve()
-            importer = Importer(content)
+            importer = Importer.from_string(content)
             valid, _ = importer.validate()
             if not valid:
                 self.stderr.write("blueprint invalid")

authentik/blueprints/management/commands/make_blueprint_schema.py

@@ -9,6 +9,7 @@ from rest_framework.fields import Field, JSONField, UUIDField
 from rest_framework.serializers import Serializer
 from structlog.stdlib import get_logger
 
+from authentik.blueprints.v1.common import BlueprintEntryDesiredState
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT, is_model_allowed
 from authentik.blueprints.v1.meta.registry import BaseMetaModel, registry
 from authentik.lib.models import SerializerModel
@@ -110,7 +111,7 @@ class Command(BaseCommand):
                 "id": {"type": "string"},
                 "state": {
                     "type": "string",
-                    "enum": ["absent", "present", "created"],
+                    "enum": [s.value for s in BlueprintEntryDesiredState],
                     "default": "present",
                 },
                 "conditions": {"type": "array", "items": {"type": "boolean"}},

authentik/blueprints/tests/__init__.py

@@ -20,7 +20,7 @@ def apply_blueprint(*files: str):
         def wrapper(*args, **kwargs):
             for file in files:
                 content = BlueprintInstance(path=file).retrieve()
-                Importer(content).apply()
+                Importer.from_string(content).apply()
             return func(*args, **kwargs)
 
         return wrapper

authentik/blueprints/tests/test_packaged.py

@@ -25,7 +25,7 @@ def blueprint_tester(file_name: Path) -> Callable:
     def tester(self: TestPackaged):
         base = Path("blueprints/")
         rel_path = Path(file_name).relative_to(base)
-        importer = Importer(BlueprintInstance(path=str(rel_path)).retrieve())
+        importer = Importer.from_string(BlueprintInstance(path=str(rel_path)).retrieve())
         self.assertTrue(importer.validate()[0])
         self.assertTrue(importer.apply())
 

authentik/blueprints/tests/test_v1.py

@@ -21,14 +21,14 @@ class TestBlueprintsV1(TransactionTestCase):
 
     def test_blueprint_invalid_format(self):
         """Test blueprint with invalid format"""
-        importer = Importer('{"version": 3}')
+        importer = Importer.from_string('{"version": 3}')
         self.assertFalse(importer.validate()[0])
-        importer = Importer(
+        importer = Importer.from_string(
             '{"version": 1,"entries":[{"identifiers":{},"attrs":{},'
             '"model": "authentik_core.User"}]}'
         )
         self.assertFalse(importer.validate()[0])
-        importer = Importer(
+        importer = Importer.from_string(
             '{"version": 1, "entries": [{"attrs": {"name": "test"}, '
             '"identifiers": {}, '
             '"model": "authentik_core.Group"}]}'
@@ -54,7 +54,7 @@ class TestBlueprintsV1(TransactionTestCase):
             },
         )
 
-        importer = Importer(
+        importer = Importer.from_string(
             '{"version": 1, "entries": [{"attrs": {"name": "test999", "attributes": '
             '{"key": ["updated_value"]}}, "identifiers": {"attributes": {"other_key": '
             '["other_value"]}}, "model": "authentik_core.Group"}]}'
@@ -103,7 +103,7 @@ class TestBlueprintsV1(TransactionTestCase):
             self.assertEqual(len(export.entries), 3)
             export_yaml = exporter.export_to_string()
 
-        importer = Importer(export_yaml)
+        importer = Importer.from_string(export_yaml)
         self.assertTrue(importer.validate()[0])
         self.assertTrue(importer.apply())
 
@@ -113,14 +113,14 @@ class TestBlueprintsV1(TransactionTestCase):
         """Test export and import it twice"""
         count_initial = Prompt.objects.filter(field_key="username").count()
 
-        importer = Importer(load_fixture("fixtures/static_prompt_export.yaml"))
+        importer = Importer.from_string(load_fixture("fixtures/static_prompt_export.yaml"))
         self.assertTrue(importer.validate()[0])
         self.assertTrue(importer.apply())
 
         count_before = Prompt.objects.filter(field_key="username").count()
         self.assertEqual(count_initial + 1, count_before)
 
-        importer = Importer(load_fixture("fixtures/static_prompt_export.yaml"))
+        importer = Importer.from_string(load_fixture("fixtures/static_prompt_export.yaml"))
         self.assertTrue(importer.apply())
 
         self.assertEqual(Prompt.objects.filter(field_key="username").count(), count_before)
@@ -130,7 +130,7 @@ class TestBlueprintsV1(TransactionTestCase):
         ExpressionPolicy.objects.filter(name="foo-bar-baz-qux").delete()
         Group.objects.filter(name="test").delete()
         environ["foo"] = generate_id()
-        importer = Importer(load_fixture("fixtures/tags.yaml"), {"bar": "baz"})
+        importer = Importer.from_string(load_fixture("fixtures/tags.yaml"), {"bar": "baz"})
         self.assertTrue(importer.validate()[0])
         self.assertTrue(importer.apply())
         policy = ExpressionPolicy.objects.filter(name="foo-bar-baz-qux").first()
@@ -248,7 +248,7 @@ class TestBlueprintsV1(TransactionTestCase):
             exporter = FlowExporter(flow)
             export_yaml = exporter.export_to_string()
 
-        importer = Importer(export_yaml)
+        importer = Importer.from_string(export_yaml)
         self.assertTrue(importer.validate()[0])
         self.assertTrue(importer.apply())
         self.assertTrue(UserLoginStage.objects.filter(name=stage_name).exists())
@@ -297,7 +297,7 @@ class TestBlueprintsV1(TransactionTestCase):
             exporter = FlowExporter(flow)
             export_yaml = exporter.export_to_string()
 
-        importer = Importer(export_yaml)
+        importer = Importer.from_string(export_yaml)
 
         self.assertTrue(importer.validate()[0])
         self.assertTrue(importer.apply())

authentik/blueprints/tests/test_v1_conditional_fields.py

@@ -18,7 +18,7 @@ class TestBlueprintsV1ConditionalFields(TransactionTestCase):
         self.uid = generate_id()
         import_yaml = load_fixture("fixtures/conditional_fields.yaml", uid=self.uid, user=user.pk)
 
-        importer = Importer(import_yaml)
+        importer = Importer.from_string(import_yaml)
         self.assertTrue(importer.validate()[0])
         self.assertTrue(importer.apply())
 

authentik/blueprints/tests/test_v1_conditions.py

@@ -18,7 +18,7 @@ class TestBlueprintsV1Conditions(TransactionTestCase):
             "fixtures/conditions_fulfilled.yaml", id1=flow_slug1, id2=flow_slug2
         )
 
-        importer = Importer(import_yaml)
+        importer = Importer.from_string(import_yaml)
         self.assertTrue(importer.validate()[0])
         self.assertTrue(importer.apply())
         # Ensure objects exist
@@ -35,7 +35,7 @@ class TestBlueprintsV1Conditions(TransactionTestCase):
             "fixtures/conditions_not_fulfilled.yaml", id1=flow_slug1, id2=flow_slug2
         )
 
-        importer = Importer(import_yaml)
+        importer = Importer.from_string(import_yaml)
         self.assertTrue(importer.validate()[0])
         self.assertTrue(importer.apply())
         # Ensure objects do not exist

authentik/blueprints/tests/test_v1_state.py

@@ -15,7 +15,7 @@ class TestBlueprintsV1State(TransactionTestCase):
         flow_slug = generate_id()
         import_yaml = load_fixture("fixtures/state_present.yaml", id=flow_slug)
 
-        importer = Importer(import_yaml)
+        importer = Importer.from_string(import_yaml)
         self.assertTrue(importer.validate()[0])
         self.assertTrue(importer.apply())
         # Ensure object exists
@@ -30,7 +30,7 @@ class TestBlueprintsV1State(TransactionTestCase):
         self.assertEqual(flow.title, "bar")
 
         # Ensure importer updates it
-        importer = Importer(import_yaml)
+        importer = Importer.from_string(import_yaml)
         self.assertTrue(importer.validate()[0])
         self.assertTrue(importer.apply())
         flow: Flow = Flow.objects.filter(slug=flow_slug).first()
@@ -41,7 +41,7 @@ class TestBlueprintsV1State(TransactionTestCase):
         flow_slug = generate_id()
         import_yaml = load_fixture("fixtures/state_created.yaml", id=flow_slug)
 
-        importer = Importer(import_yaml)
+        importer = Importer.from_string(import_yaml)
         self.assertTrue(importer.validate()[0])
         self.assertTrue(importer.apply())
         # Ensure object exists
@@ -56,7 +56,7 @@ class TestBlueprintsV1State(TransactionTestCase):
         self.assertEqual(flow.title, "bar")
 
         # Ensure importer doesn't update it
-        importer = Importer(import_yaml)
+        importer = Importer.from_string(import_yaml)
         self.assertTrue(importer.validate()[0])
         self.assertTrue(importer.apply())
         flow: Flow = Flow.objects.filter(slug=flow_slug).first()
@@ -67,7 +67,7 @@ class TestBlueprintsV1State(TransactionTestCase):
         flow_slug = generate_id()
         import_yaml = load_fixture("fixtures/state_created.yaml", id=flow_slug)
 
-        importer = Importer(import_yaml)
+        importer = Importer.from_string(import_yaml)
         self.assertTrue(importer.validate()[0])
         self.assertTrue(importer.apply())
         # Ensure object exists
@@ -75,7 +75,7 @@ class TestBlueprintsV1State(TransactionTestCase):
         self.assertEqual(flow.slug, flow_slug)
 
         import_yaml = load_fixture("fixtures/state_absent.yaml", id=flow_slug)
-        importer = Importer(import_yaml)
+        importer = Importer.from_string(import_yaml)
         self.assertTrue(importer.validate()[0])
         self.assertTrue(importer.apply())
         flow: Flow = Flow.objects.filter(slug=flow_slug).first()

authentik/blueprints/v1/common.py

@@ -12,6 +12,7 @@ from uuid import UUID
 from deepmerge import always_merger
 from django.apps import apps
 from django.db.models import Model, Q
+from rest_framework.exceptions import ValidationError
 from rest_framework.fields import Field
 from rest_framework.serializers import Serializer
 from yaml import SafeDumper, SafeLoader, ScalarNode, SequenceNode
@@ -52,6 +53,7 @@ class BlueprintEntryDesiredState(Enum):
     ABSENT = "absent"
     PRESENT = "present"
     CREATED = "created"
+    MUST_CREATED = "must_created"
 
 
 @dataclass
@@ -206,8 +208,8 @@ class KeyOf(YAMLTag):
                 ):
                     return _entry._state.instance.pbm_uuid
                 return _entry._state.instance.pk
-        raise EntryInvalidError(
-            f"KeyOf: failed to find entry with `id` of `{self.id_from}` and a model instance"
+        raise EntryInvalidError.from_entry(
+            f"KeyOf: failed to find entry with `id` of `{self.id_from}` and a model instance", entry
         )
 
 
@@ -278,7 +280,7 @@ class Format(YAMLTag):
         try:
             return self.format_string % tuple(args)
         except TypeError as exc:
-            raise EntryInvalidError(exc)
+            raise EntryInvalidError.from_entry(exc, entry)
 
 
 class Find(YAMLTag):
@@ -355,13 +357,15 @@ class Condition(YAMLTag):
                 args.append(arg)
 
         if not args:
-            raise EntryInvalidError("At least one value is required after mode selection.")
+            raise EntryInvalidError.from_entry(
+                "At least one value is required after mode selection.", entry
+            )
 
         try:
             comparator = self._COMPARATORS[self.mode.upper()]
             return comparator(tuple(bool(x) for x in args))
         except (TypeError, KeyError) as exc:
-            raise EntryInvalidError(exc)
+            raise EntryInvalidError.from_entry(exc, entry)
 
 
 class If(YAMLTag):
@@ -393,7 +397,7 @@ class If(YAMLTag):
                 blueprint,
             )
         except TypeError as exc:
-            raise EntryInvalidError(exc)
+            raise EntryInvalidError.from_entry(exc, entry)
 
 
 class Enumerate(YAMLTag, YAMLTagContext):
@@ -425,9 +429,10 @@ class Enumerate(YAMLTag, YAMLTagContext):
 
     def resolve(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
         if isinstance(self.iterable, EnumeratedItem) and self.iterable.depth == 0:
-            raise EntryInvalidError(
+            raise EntryInvalidError.from_entry(
                 f"{self.__class__.__name__} tag's iterable references this tag's context. "
-                "This is a noop. Check you are setting depth bigger than 0."
+                "This is a noop. Check you are setting depth bigger than 0.",
+                entry,
             )
 
         if isinstance(self.iterable, YAMLTag):
@@ -436,9 +441,10 @@ class Enumerate(YAMLTag, YAMLTagContext):
             iterable = self.iterable
 
         if not isinstance(iterable, Iterable):
-            raise EntryInvalidError(
+            raise EntryInvalidError.from_entry(
                 f"{self.__class__.__name__}'s iterable must be an iterable "
-                "such as a sequence or a mapping"
+                "such as a sequence or a mapping",
+                entry,
             )
 
         if isinstance(iterable, Mapping):
@@ -449,7 +455,7 @@ class Enumerate(YAMLTag, YAMLTagContext):
         try:
             output_class, add_fn = self._OUTPUT_BODIES[self.output_body.upper()]
         except KeyError as exc:
-            raise EntryInvalidError(exc)
+            raise EntryInvalidError.from_entry(exc, entry)
 
         result = output_class()
 
@@ -461,8 +467,8 @@ class Enumerate(YAMLTag, YAMLTagContext):
                 resolved_body = entry.tag_resolver(self.item_body, blueprint)
                 result = add_fn(result, resolved_body)
                 if not isinstance(result, output_class):
-                    raise EntryInvalidError(
-                        f"Invalid {self.__class__.__name__} item found: {resolved_body}"
+                    raise EntryInvalidError.from_entry(
+                        f"Invalid {self.__class__.__name__} item found: {resolved_body}", entry
                     )
         finally:
             self.__current_context = tuple()
@@ -489,12 +495,13 @@ class EnumeratedItem(YAMLTag):
             )
         except ValueError as exc:
             if self.depth == 0:
-                raise EntryInvalidError(
+                raise EntryInvalidError.from_entry(
                     f"{self.__class__.__name__} tags are only usable "
-                    f"inside an {Enumerate.__name__} tag"
+                    f"inside an {Enumerate.__name__} tag",
+                    entry,
                 )
 
-            raise EntryInvalidError(f"{self.__class__.__name__} tag: {exc}")
+            raise EntryInvalidError.from_entry(f"{self.__class__.__name__} tag: {exc}", entry)
 
         return context_tag.get_context(entry, blueprint)
 
@@ -508,7 +515,7 @@ class Index(EnumeratedItem):
         try:
             return context[0]
         except IndexError:  # pragma: no cover
-            raise EntryInvalidError(f"Empty/invalid context: {context}")
+            raise EntryInvalidError.from_entry(f"Empty/invalid context: {context}", entry)
 
 
 class Value(EnumeratedItem):
@@ -520,7 +527,7 @@ class Value(EnumeratedItem):
         try:
             return context[1]
         except IndexError:  # pragma: no cover
-            raise EntryInvalidError(f"Empty/invalid context: {context}")
+            raise EntryInvalidError.from_entry(f"Empty/invalid context: {context}", entry)
 
 
 class BlueprintDumper(SafeDumper):
@@ -574,8 +581,26 @@ class BlueprintLoader(SafeLoader):
 class EntryInvalidError(SentryIgnoredException):
     """Error raised when an entry is invalid"""
 
-    serializer_errors: Optional[dict]
+    entry_model: Optional[str]
+    entry_id: Optional[str]
+    validation_error: Optional[ValidationError]
 
-    def __init__(self, *args: object, serializer_errors: Optional[dict] = None) -> None:
+    def __init__(self, *args: object, validation_error: Optional[ValidationError] = None) -> None:
         super().__init__(*args)
-        self.serializer_errors = serializer_errors
+        self.entry_model = None
+        self.entry_id = None
+        self.validation_error = validation_error
+
+    @staticmethod
+    def from_entry(
+        msg_or_exc: str | Exception, entry: BlueprintEntry, *args, **kwargs
+    ) -> "EntryInvalidError":
+        """Create EntryInvalidError with the context of an entry"""
+        error = EntryInvalidError(msg_or_exc, *args, **kwargs)
+        if isinstance(msg_or_exc, ValidationError):
+            error.validation_error = msg_or_exc
+        # Make sure the model and id are strings, depending where the error happens
+        # they might still be YAMLTag instances
+        error.entry_model = str(entry.model)
+        error.entry_id = str(entry.id)
+        return error

authentik/blueprints/v1/importer.py

@@ -8,9 +8,9 @@ from dacite.core import from_dict
 from dacite.exceptions import DaciteError
 from deepmerge import always_merger
 from django.core.exceptions import FieldError
-from django.db import transaction
 from django.db.models import Model
 from django.db.models.query_utils import Q
+from django.db.transaction import atomic
 from django.db.utils import IntegrityError
 from rest_framework.exceptions import ValidationError
 from rest_framework.serializers import BaseSerializer, Serializer
@@ -38,6 +38,7 @@ from authentik.core.models import (
 from authentik.events.utils import cleanse_dict
 from authentik.flows.models import FlowToken, Stage
 from authentik.lib.models import SerializerModel
+from authentik.lib.sentry import SentryIgnoredException
 from authentik.outposts.models import OutpostServiceConnection
 from authentik.policies.models import Policy, PolicyBindingModel
 
@@ -72,41 +73,53 @@ def is_model_allowed(model: type[Model]) -> bool:
     return model not in excluded_models and issubclass(model, (SerializerModel, BaseMetaModel))
 
 
+class DoRollback(SentryIgnoredException):
+    """Exception to trigger a rollback"""
+
+
 @contextmanager
 def transaction_rollback():
     """Enters an atomic transaction and always triggers a rollback at the end of the block."""
-    atomic = transaction.atomic()
-    # pylint: disable=unnecessary-dunder-call
-    atomic.__enter__()
+    try:
+        with atomic():
             yield
-    atomic.__exit__(IntegrityError, None, None)
+            raise DoRollback()
+    except DoRollback:
+        pass
 
 
 class Importer:
-    """Import Blueprint from YAML"""
+    """Import Blueprint from raw dict or YAML/JSON"""
 
     logger: BoundLogger
+    _import: Blueprint
 
-    def __init__(self, yaml_input: str, context: Optional[dict] = None):
+    def __init__(self, blueprint: Blueprint, context: Optional[dict] = None):
         self.__pk_map: dict[Any, Model] = {}
+        self._import = blueprint
         self.logger = get_logger()
+        ctx = {}
+        always_merger.merge(ctx, self._import.context)
+        if context:
+            always_merger.merge(ctx, context)
+        self._import.context = ctx
+
+    @staticmethod
+    def from_string(yaml_input: str, context: dict | None = None) -> "Importer":
+        """Parse YAML string and create blueprint importer from it"""
         import_dict = load(yaml_input, BlueprintLoader)
         try:
-            self.__import = from_dict(
+            _import = from_dict(
                 Blueprint, import_dict, config=Config(cast=[BlueprintEntryDesiredState])
             )
         except DaciteError as exc:
             raise EntryInvalidError from exc
-        ctx = {}
-        always_merger.merge(ctx, self.__import.context)
-        if context:
-            always_merger.merge(ctx, context)
-        self.__import.context = ctx
+        return Importer(_import, context)
 
     @property
     def blueprint(self) -> Blueprint:
         """Get imported blueprint"""
-        return self.__import
+        return self._import
 
     def __update_pks_for_attrs(self, attrs: dict[str, Any]) -> dict[str, Any]:
         """Replace any value if it is a known primary key of an other object"""
@@ -152,19 +165,19 @@ class Importer:
     # pylint: disable-msg=too-many-locals
     def _validate_single(self, entry: BlueprintEntry) -> Optional[BaseSerializer]:
         """Validate a single entry"""
-        if not entry.check_all_conditions_match(self.__import):
+        if not entry.check_all_conditions_match(self._import):
             self.logger.debug("One or more conditions of this entry are not fulfilled, skipping")
             return None
 
-        model_app_label, model_name = entry.get_model(self.__import).split(".")
+        model_app_label, model_name = entry.get_model(self._import).split(".")
         model: type[SerializerModel] = registry.get_model(model_app_label, model_name)
         # Don't use isinstance since we don't want to check for inheritance
         if not is_model_allowed(model):
-            raise EntryInvalidError(f"Model {model} not allowed")
+            raise EntryInvalidError.from_entry(f"Model {model} not allowed", entry)
         if issubclass(model, BaseMetaModel):
             serializer_class: type[Serializer] = model.serializer()
             serializer = serializer_class(
-                data=entry.get_attrs(self.__import),
+                data=entry.get_attrs(self._import),
                 context={
                     SERIALIZER_CONTEXT_BLUEPRINT: entry,
                 },
@@ -172,8 +185,10 @@ class Importer:
             try:
                 serializer.is_valid(raise_exception=True)
             except ValidationError as exc:
-                raise EntryInvalidError(
-                    f"Serializer errors {serializer.errors}", serializer_errors=serializer.errors
+                raise EntryInvalidError.from_entry(
+                    f"Serializer errors {serializer.errors}",
+                    validation_error=exc,
+                    entry=entry,
                 ) from exc
             return serializer
 
@@ -182,7 +197,7 @@ class Importer:
         # the full serializer for later usage
         # Because a model might have multiple unique columns, we chain all identifiers together
         # to create an OR query.
-        updated_identifiers = self.__update_pks_for_attrs(entry.get_identifiers(self.__import))
+        updated_identifiers = self.__update_pks_for_attrs(entry.get_identifiers(self._import))
         for key, value in list(updated_identifiers.items()):
             if isinstance(value, dict) and "pk" in value:
                 del updated_identifiers[key]
@@ -190,12 +205,12 @@ class Importer:
 
         query = self.__query_from_identifier(updated_identifiers)
         if not query:
-            raise EntryInvalidError("No or invalid identifiers")
+            raise EntryInvalidError.from_entry("No or invalid identifiers", entry)
 
         try:
             existing_models = model.objects.filter(query)
         except FieldError as exc:
-            raise EntryInvalidError(f"Invalid identifier field: {exc}") from exc
+            raise EntryInvalidError.from_entry(f"Invalid identifier field: {exc}", entry) from exc
 
         serializer_kwargs = {}
         model_instance = existing_models.first()
@@ -208,6 +223,14 @@ class Importer:
             )
             serializer_kwargs["instance"] = model_instance
             serializer_kwargs["partial"] = True
+        elif model_instance and entry.state == BlueprintEntryDesiredState.MUST_CREATED:
+            raise EntryInvalidError.from_entry(
+                (
+                    f"state is set to {BlueprintEntryDesiredState.MUST_CREATED} "
+                    "and object exists already",
+                ),
+                entry,
+            )
         else:
             self.logger.debug(
                 "initialised new serializer instance",
@@ -220,9 +243,9 @@ class Importer:
                 model_instance.pk = updated_identifiers["pk"]
             serializer_kwargs["instance"] = model_instance
         try:
-            full_data = self.__update_pks_for_attrs(entry.get_attrs(self.__import))
+            full_data = self.__update_pks_for_attrs(entry.get_attrs(self._import))
         except ValueError as exc:
-            raise EntryInvalidError(exc) from exc
+            raise EntryInvalidError.from_entry(exc, entry) from exc
         always_merger.merge(full_data, updated_identifiers)
         serializer_kwargs["data"] = full_data
 
@@ -235,15 +258,17 @@ class Importer:
         try:
             serializer.is_valid(raise_exception=True)
         except ValidationError as exc:
-            raise EntryInvalidError(
-                f"Serializer errors {serializer.errors}", serializer_errors=serializer.errors
+            raise EntryInvalidError.from_entry(
+                f"Serializer errors {serializer.errors}",
+                validation_error=exc,
+                entry=entry,
             ) from exc
         return serializer
 
     def apply(self) -> bool:
         """Apply (create/update) models yaml, in database transaction"""
         try:
-            with transaction.atomic():
+            with atomic():
                 if not self._apply_models():
                     self.logger.debug("Reverting changes due to error")
                     raise IntegrityError
@@ -252,11 +277,11 @@ class Importer:
         self.logger.debug("Committing changes")
         return True
 
-    def _apply_models(self) -> bool:
+    def _apply_models(self, raise_errors=False) -> bool:
         """Apply (create/update) models yaml"""
         self.__pk_map = {}
-        for entry in self.__import.entries:
-            model_app_label, model_name = entry.get_model(self.__import).split(".")
+        for entry in self._import.entries:
+            model_app_label, model_name = entry.get_model(self._import).split(".")
             try:
                 model: type[SerializerModel] = registry.get_model(model_app_label, model_name)
             except LookupError:
@@ -269,15 +294,21 @@ class Importer:
                 serializer = self._validate_single(entry)
             except EntryInvalidError as exc:
                 # For deleting objects we don't need the serializer to be valid
-                if entry.get_state(self.__import) == BlueprintEntryDesiredState.ABSENT:
+                if entry.get_state(self._import) == BlueprintEntryDesiredState.ABSENT:
                     continue
                 self.logger.warning(f"entry invalid: {exc}", entry=entry, error=exc)
+                if raise_errors:
+                    raise exc
                 return False
             if not serializer:
                 continue
 
-            state = entry.get_state(self.__import)
-            if state in [BlueprintEntryDesiredState.PRESENT, BlueprintEntryDesiredState.CREATED]:
+            state = entry.get_state(self._import)
+            if state in [
+                BlueprintEntryDesiredState.PRESENT,
+                BlueprintEntryDesiredState.CREATED,
+                BlueprintEntryDesiredState.MUST_CREATED,
+            ]:
                 instance = serializer.instance
                 if (
                     instance
@@ -305,23 +336,23 @@ class Importer:
                 self.logger.debug("entry to delete with no instance, skipping")
         return True
 
-    def validate(self) -> tuple[bool, list[EventDict]]:
+    def validate(self, raise_validation_errors=False) -> tuple[bool, list[EventDict]]:
         """Validate loaded blueprint export, ensure all models are allowed
         and serializers have no errors"""
         self.logger.debug("Starting blueprint import validation")
-        orig_import = deepcopy(self.__import)
-        if self.__import.version != 1:
+        orig_import = deepcopy(self._import)
+        if self._import.version != 1:
             self.logger.warning("Invalid blueprint version")
             return False, [{"event": "Invalid blueprint version"}]
         with (
             transaction_rollback(),
             capture_logs() as logs,
         ):
-            successful = self._apply_models()
+            successful = self._apply_models(raise_errors=raise_validation_errors)
             if not successful:
                 self.logger.debug("Blueprint validation failed")
         for log in logs:
             getattr(self.logger, log.get("log_level"))(**log)
         self.logger.debug("Finished blueprint import validation")
-        self.__import = orig_import
+        self._import = orig_import
         return successful, logs

authentik/blueprints/v1/tasks.py

@@ -190,7 +190,7 @@ def apply_blueprint(self: MonitoredTask, instance_pk: str):
         self.set_uid(slugify(instance.name))
         blueprint_content = instance.retrieve()
         file_hash = sha512(blueprint_content.encode()).hexdigest()
-        importer = Importer(blueprint_content, instance.context)
+        importer = Importer.from_string(blueprint_content, instance.context)
         if importer.blueprint.metadata:
             instance.metadata = asdict(importer.blueprint.metadata)
         valid, logs = importer.validate()

authentik/core/api/devices.py

@@ -1,6 +1,4 @@
 """Authenticator Devices API Views"""
-from django_otp import device_classes, devices_for_user
-from django_otp.models import Device
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, extend_schema
 from rest_framework.fields import BooleanField, CharField, IntegerField, SerializerMethodField
@@ -10,6 +8,8 @@ from rest_framework.response import Response
 from rest_framework.viewsets import ViewSet
 
 from authentik.core.api.utils import MetaNameSerializer
+from authentik.stages.authenticator import device_classes, devices_for_user
+from authentik.stages.authenticator.models import Device
 
 
 class DeviceSerializer(MetaNameSerializer):

authentik/core/api/transactional_applications.py

@@ -0,0 +1,139 @@
+"""transactional application and provider creation"""
+from django.apps import apps
+from drf_spectacular.utils import PolymorphicProxySerializer, extend_schema, extend_schema_field
+from rest_framework.exceptions import ValidationError
+from rest_framework.fields import BooleanField, CharField, ChoiceField, DictField, ListField
+from rest_framework.permissions import IsAdminUser
+from rest_framework.request import Request
+from rest_framework.response import Response
+from rest_framework.views import APIView
+from yaml import ScalarNode
+
+from authentik.blueprints.v1.common import (
+    Blueprint,
+    BlueprintEntry,
+    BlueprintEntryDesiredState,
+    EntryInvalidError,
+    KeyOf,
+)
+from authentik.blueprints.v1.importer import Importer
+from authentik.core.api.applications import ApplicationSerializer
+from authentik.core.api.utils import PassiveSerializer
+from authentik.core.models import Provider
+from authentik.lib.utils.reflection import all_subclasses
+
+
+def get_provider_serializer_mapping():
+    """Get a mapping of all providers' model names and their serializers"""
+    mapping = {}
+    for model in all_subclasses(Provider):
+        if model._meta.abstract:
+            continue
+        mapping[f"{model._meta.app_label}.{model._meta.model_name}"] = model().serializer
+    return mapping
+
+
+@extend_schema_field(
+    PolymorphicProxySerializer(
+        component_name="model",
+        serializers=get_provider_serializer_mapping,
+        resource_type_field_name="provider_model",
+    )
+)
+class TransactionProviderField(DictField):
+    """Dictionary field which can hold provider creation data"""
+
+
+class TransactionApplicationSerializer(PassiveSerializer):
+    """Serializer for creating a provider and an application in one transaction"""
+
+    app = ApplicationSerializer()
+    provider_model = ChoiceField(choices=list(get_provider_serializer_mapping().keys()))
+    provider = TransactionProviderField()
+
+    _provider_model: type[Provider] = None
+
+    def validate_provider_model(self, fq_model_name: str) -> str:
+        """Validate that the model exists and is a provider"""
+        if "." not in fq_model_name:
+            raise ValidationError("Invalid provider model")
+        try:
+            app, _, model_name = fq_model_name.partition(".")
+            model = apps.get_model(app, model_name)
+            if not issubclass(model, Provider):
+                raise ValidationError("Invalid provider model")
+            self._provider_model = model
+        except LookupError:
+            raise ValidationError("Invalid provider model")
+        return fq_model_name
+
+    def validate(self, attrs: dict) -> dict:
+        blueprint = Blueprint()
+        blueprint.entries.append(
+            BlueprintEntry(
+                model=attrs["provider_model"],
+                state=BlueprintEntryDesiredState.MUST_CREATED,
+                identifiers={
+                    "name": attrs["provider"]["name"],
+                },
+                # Must match the name of the field on `self`
+                id="provider",
+                attrs=attrs["provider"],
+            )
+        )
+        app_data = attrs["app"]
+        app_data["provider"] = KeyOf(None, ScalarNode(tag="", value="provider"))
+        blueprint.entries.append(
+            BlueprintEntry(
+                model="authentik_core.application",
+                state=BlueprintEntryDesiredState.MUST_CREATED,
+                identifiers={
+                    "slug": attrs["app"]["slug"],
+                },
+                attrs=app_data,
+                # Must match the name of the field on `self`
+                id="app",
+            )
+        )
+        importer = Importer(blueprint, {})
+        try:
+            valid, _ = importer.validate(raise_validation_errors=True)
+            if not valid:
+                raise ValidationError("Invalid blueprint")
+        except EntryInvalidError as exc:
+            raise ValidationError(
+                {
+                    exc.entry_id: exc.validation_error.detail,
+                }
+            )
+        return blueprint
+
+
+class TransactionApplicationResponseSerializer(PassiveSerializer):
+    """Transactional creation response"""
+
+    applied = BooleanField()
+    logs = ListField(child=CharField())
+
+
+class TransactionalApplicationView(APIView):
+    """Create provider and application and attach them in a single transaction"""
+
+    permission_classes = [IsAdminUser]
+
+    @extend_schema(
+        request=TransactionApplicationSerializer(),
+        responses={
+            200: TransactionApplicationResponseSerializer(),
+        },
+    )
+    def put(self, request: Request) -> Response:
+        """Convert data into a blueprint, validate it and apply it"""
+        data = TransactionApplicationSerializer(data=request.data)
+        data.is_valid(raise_exception=True)
+
+        importer = Importer(data.validated_data, {})
+        applied = importer.apply()
+        response = {"applied": False, "logs": []}
+        response["applied"] = applied
+        return Response(response, status=200)

authentik/core/api/users.py

@@ -616,8 +616,10 @@ class UserViewSet(UsedByMixin, ModelViewSet):
         if not request.user.has_perm("impersonate"):
             LOGGER.debug("User attempted to impersonate without permissions", user=request.user)
             return Response(status=401)
-
         user_to_be = self.get_object()
+        if user_to_be.pk == self.request.user.pk:
+            LOGGER.debug("User attempted to impersonate themselves", user=request.user)
+            return Response(status=401)
 
         request.session[SESSION_KEY_IMPERSONATE_ORIGINAL_USER] = request.user
         request.session[SESSION_KEY_IMPERSONATE_USER] = user_to_be

authentik/core/management/commands/dev_server.py

@@ -0,0 +1,9 @@
+"""custom runserver command"""
+from daphne.management.commands.runserver import Command as RunServer
+
+
+class Command(RunServer):
+    """custom runserver command, which doesn't show the misleading django startup message"""
+
+    def on_bind(self, server_port):
+        pass

authentik/core/management/commands/worker.py

@@ -16,6 +16,9 @@ LOGGER = get_logger()
 class Command(BaseCommand):
     """Run worker"""
 
+    def add_arguments(self, parser):
+        parser.add_argument("-b", "--beat", action="store_true")
+
     def handle(self, **options):
         close_old_connections()
         if CONFIG.get_bool("remote_debug"):
@@ -26,9 +29,9 @@ class Command(BaseCommand):
             no_color=False,
             quiet=True,
             optimization="fair",
-            autoscale=(3, 1),
+            autoscale=(CONFIG.get_int("worker.concurrency"), 1),
             task_events=True,
-            beat=True,
+            beat=options.get("beat", True),
             schedule_filename=f"{tempdir}/celerybeat-schedule",
             queues=["authentik", "authentik_scheduled", "authentik_events"],
         )

authentik/core/migrations/0032_groupsourceconnection.py

@@ -0,0 +1,41 @@
+# Generated by Django 4.2.5 on 2023-09-27 10:44
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("authentik_core", "0031_alter_user_type"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="GroupSourceConnection",
+            fields=[
+                (
+                    "id",
+                    models.AutoField(
+                        auto_created=True, primary_key=True, serialize=False, verbose_name="ID"
+                    ),
+                ),
+                ("created", models.DateTimeField(auto_now_add=True)),
+                ("last_updated", models.DateTimeField(auto_now=True)),
+                (
+                    "group",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE, to="authentik_core.group"
+                    ),
+                ),
+                (
+                    "source",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE, to="authentik_core.source"
+                    ),
+                ),
+            ],
+            options={
+                "unique_together": {("group", "source")},
+            },
+        ),
+    ]

authentik/core/models.py

@@ -575,6 +575,23 @@ class UserSourceConnection(SerializerModel, CreatedUpdatedModel):
         unique_together = (("user", "source"),)
 
 
+class GroupSourceConnection(SerializerModel, CreatedUpdatedModel):
+    """Connection between Group and Source."""
+
+    group = models.ForeignKey(Group, on_delete=models.CASCADE)
+    source = models.ForeignKey(Source, on_delete=models.CASCADE)
+
+    objects = InheritanceManager()
+
+    @property
+    def serializer(self) -> type[Serializer]:
+        """Get serializer for this model"""
+        raise NotImplementedError
+
+    class Meta:
+        unique_together = (("group", "source"),)
+
+
 class ExpiringModel(models.Model):
     """Base Model which can expire, and is automatically cleaned up."""
 

authentik/core/sources/flow_manager.py

@@ -48,7 +48,7 @@ class Action(Enum):
 class MessageStage(StageView):
     """Show a pre-configured message after the flow is done"""
 
-    def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
+    def dispatch(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
         """Show a pre-configured message after the flow is done"""
         message = getattr(self.executor.current_stage, "message", "")
         level = getattr(self.executor.current_stage, "level", messages.SUCCESS)
@@ -59,10 +59,6 @@ class MessageStage(StageView):
         )
         return self.executor.stage_ok()
 
-    def post(self, request: HttpRequest) -> HttpResponse:
-        """Wrapper for post requests"""
-        return self.get(request)
-
 
 class SourceFlowManager:
     """Help sources decide what they should do after authorization. Based on source settings and

authentik/core/sources/stage.py

@@ -13,7 +13,7 @@ class PostUserEnrollmentStage(StageView):
     """Dynamically injected stage which saves the Connection after
     the user has been enrolled."""
 
-    def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
+    def dispatch(self, request: HttpRequest) -> HttpResponse:
         """Stage used after the user has been enrolled"""
         connection: UserSourceConnection = self.executor.plan.context[
             PLAN_CONTEXT_SOURCES_CONNECTION
@@ -27,7 +27,3 @@ class PostUserEnrollmentStage(StageView):
             source=connection.source,
         ).from_http(self.request)
         return self.executor.stage_ok()
-
-    def post(self, request: HttpRequest) -> HttpResponse:
-        """Wrapper for post requests"""
-        return self.get(request)

authentik/core/tests/test_impersonation.py

@@ -6,6 +6,7 @@ from rest_framework.test import APITestCase
 
 from authentik.core.models import User
 from authentik.core.tests.utils import create_test_admin_user
+from authentik.lib.config import CONFIG
 
 
 class TestImpersonation(APITestCase):
@@ -46,12 +47,42 @@ class TestImpersonation(APITestCase):
         """test impersonation without permissions"""
         self.client.force_login(self.other_user)
 
-        self.client.get(reverse("authentik_api:user-impersonate", kwargs={"pk": self.user.pk}))
+        response = self.client.post(
+            reverse("authentik_api:user-impersonate", kwargs={"pk": self.user.pk})
+        )
+        self.assertEqual(response.status_code, 403)
 
         response = self.client.get(reverse("authentik_api:user-me"))
         response_body = loads(response.content.decode())
         self.assertEqual(response_body["user"]["username"], self.other_user.username)
 
+    @CONFIG.patch("impersonation", False)
+    def test_impersonate_disabled(self):
+        """test impersonation that is disabled"""
+        self.client.force_login(self.user)
+
+        response = self.client.post(
+            reverse("authentik_api:user-impersonate", kwargs={"pk": self.other_user.pk})
+        )
+        self.assertEqual(response.status_code, 401)
+
+        response = self.client.get(reverse("authentik_api:user-me"))
+        response_body = loads(response.content.decode())
+        self.assertEqual(response_body["user"]["username"], self.user.username)
+
+    def test_impersonate_self(self):
+        """test impersonation that user can't impersonate themselves"""
+        self.client.force_login(self.user)
+
+        response = self.client.post(
+            reverse("authentik_api:user-impersonate", kwargs={"pk": self.user.pk})
+        )
+        self.assertEqual(response.status_code, 401)
+
+        response = self.client.get(reverse("authentik_api:user-me"))
+        response_body = loads(response.content.decode())
+        self.assertEqual(response_body["user"]["username"], self.user.username)
+
     def test_un_impersonate_empty(self):
         """test un-impersonation without impersonating first"""
         self.client.force_login(self.other_user)

authentik/core/tests/test_transactional_applications_api.py

@@ -0,0 +1,64 @@
+"""Test Transactional API"""
+from django.urls import reverse
+from rest_framework.test import APITestCase
+
+from authentik.core.models import Application
+from authentik.core.tests.utils import create_test_admin_user, create_test_flow
+from authentik.lib.generators import generate_id
+from authentik.providers.oauth2.models import OAuth2Provider
+
+
+class TestTransactionalApplicationsAPI(APITestCase):
+    """Test Transactional API"""
+
+    def setUp(self) -> None:
+        self.user = create_test_admin_user()
+
+    def test_create_transactional(self):
+        """Test transactional Application + provider creation"""
+        self.client.force_login(self.user)
+        uid = generate_id()
+        authorization_flow = create_test_flow()
+        response = self.client.put(
+            reverse("authentik_api:core-transactional-application"),
+            data={
+                "app": {
+                    "name": uid,
+                    "slug": uid,
+                },
+                "provider_model": "authentik_providers_oauth2.oauth2provider",
+                "provider": {
+                    "name": uid,
+                    "authorization_flow": str(authorization_flow.pk),
+                },
+            },
+        )
+        self.assertJSONEqual(response.content.decode(), {"applied": True, "logs": []})
+        provider = OAuth2Provider.objects.filter(name=uid).first()
+        self.assertIsNotNone(provider)
+        app = Application.objects.filter(slug=uid).first()
+        self.assertIsNotNone(app)
+        self.assertEqual(app.provider.pk, provider.pk)
+
+    def test_create_transactional_invalid(self):
+        """Test transactional Application + provider creation"""
+        self.client.force_login(self.user)
+        uid = generate_id()
+        response = self.client.put(
+            reverse("authentik_api:core-transactional-application"),
+            data={
+                "app": {
+                    "name": uid,
+                    "slug": uid,
+                },
+                "provider_model": "authentik_providers_oauth2.oauth2provider",
+                "provider": {
+                    "name": uid,
+                    "authorization_flow": "",
+                },
+            },
+        )
+        self.assertJSONEqual(
+            response.content.decode(),
+            {"provider": {"authorization_flow": ["This field may not be null."]}},
+        )

authentik/core/tests/utils.py

@@ -25,10 +25,10 @@ def create_test_admin_user(name: Optional[str] = None, **kwargs) -> User:
     """Generate a test-admin user"""
     uid = generate_id(20) if not name else name
     group = Group.objects.create(name=uid, is_superuser=True)
+    kwargs.setdefault("email", f"{uid}@goauthentik.io")
+    kwargs.setdefault("username", uid)
     user: User = User.objects.create(
-        username=uid,
         name=uid,
-        email=f"{uid}@goauthentik.io",
         **kwargs,
     )
     user.set_password(uid)

authentik/core/urls.py

@@ -15,6 +15,7 @@ from authentik.core.api.propertymappings import PropertyMappingViewSet
 from authentik.core.api.providers import ProviderViewSet
 from authentik.core.api.sources import SourceViewSet, UserSourceConnectionViewSet
 from authentik.core.api.tokens import TokenViewSet
+from authentik.core.api.transactional_applications import TransactionalApplicationView
 from authentik.core.api.users import UserViewSet
 from authentik.core.views import apps
 from authentik.core.views.debug import AccessDeniedView
@@ -70,6 +71,11 @@ urlpatterns = [
 api_urlpatterns = [
     ("core/authenticated_sessions", AuthenticatedSessionViewSet),
     ("core/applications", ApplicationViewSet),
+    path(
+        "core/transactional/applications/",
+        TransactionalApplicationView.as_view(),
+        name="core-transactional-application",
+    ),
     ("core/groups", GroupViewSet),
     ("core/users", UserViewSet),
     ("core/tokens", TokenViewSet),

authentik/enterprise/policy.py

@@ -1,44 +1,30 @@
 """Enterprise license policies"""
 from typing import Optional
 
-from rest_framework.serializers import BaseSerializer
-
 from authentik.core.models import User, UserTypes
 from authentik.enterprise.models import LicenseKey
-from authentik.policies.models import Policy
 from authentik.policies.types import PolicyRequest, PolicyResult
 from authentik.policies.views import PolicyAccessView
 
 
-class EnterprisePolicy(Policy):
-    """Check that a user is correctly licensed for the request"""
-
-    @property
-    def component(self) -> str:
-        return ""
-
-    @property
-    def serializer(self) -> type[BaseSerializer]:
-        raise NotImplementedError
-
-    def passes(self, request: PolicyRequest) -> PolicyResult:
-        if not LicenseKey.get_total().is_valid():
-            return PolicyResult(False)
-        if request.user.type != UserTypes.INTERNAL:
-            return PolicyResult(False)
-        return PolicyResult(True)
-
-
 class EnterprisePolicyAccessView(PolicyAccessView):
     """PolicyAccessView which also checks enterprise licensing"""
 
+    def check_license(self):
+        """Check license"""
+        if not LicenseKey.get_total().is_valid():
+            return False
+        if self.request.user.type != UserTypes.INTERNAL:
+            return False
+        return True
+
     def user_has_access(self, user: Optional[User] = None) -> PolicyResult:
         user = user or self.request.user
         request = PolicyRequest(user)
         request.http_request = self.request
         result = super().user_has_access(user)
-        enterprise_result = EnterprisePolicy().passes(request)
-        if not enterprise_result.passing:
+        enterprise_result = self.check_license()
+        if not enterprise_result:
             return enterprise_result
         return result
 

authentik/events/middleware.py

@@ -9,7 +9,6 @@ from django.core.exceptions import SuspiciousOperation
 from django.db.models import Model
 from django.db.models.signals import m2m_changed, post_save, pre_delete
 from django.http import HttpRequest, HttpResponse
-from django_otp.plugins.otp_static.models import StaticToken
 from guardian.models import UserObjectPermission
 
 from authentik.core.models import (
@@ -30,6 +29,7 @@ from authentik.outposts.models import OutpostServiceConnection
 from authentik.policies.models import Policy, PolicyBindingModel
 from authentik.providers.oauth2.models import AccessToken, AuthorizationCode, RefreshToken
 from authentik.providers.scim.models import SCIMGroup, SCIMUser
+from authentik.stages.authenticator_static.models import StaticToken
 
 IGNORED_MODELS = (
     Event,

authentik/flows/api/flows.py

@@ -181,7 +181,7 @@ class FlowViewSet(UsedByMixin, ModelViewSet):
         if not file:
             return Response(data=import_response.initial_data, status=400)
 
-        importer = Importer(file.read().decode())
+        importer = Importer.from_string(file.read().decode())
         valid, logs = importer.validate()
         import_response.initial_data["logs"] = [sanitize_dict(log) for log in logs]
         import_response.initial_data["success"] = valid

authentik/flows/exceptions.py

@@ -26,3 +26,8 @@ class EmptyFlowException(SentryIgnoredException):
 
 class FlowSkipStageException(SentryIgnoredException):
     """Exception to skip a stage"""
+
+
+class StageInvalidException(SentryIgnoredException):
+    """Exception can be thrown in a `Challenge` or `ChallengeResponse` serializer's
+    validation to trigger a `executor.stage_invalid()` response"""

authentik/flows/migrations/0026_alter_flow_options.py

@@ -1,25 +0,0 @@
-# Generated by Django 4.2.6 on 2023-10-10 17:18
-
-from django.db import migrations
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("authentik_flows", "0025_alter_flowstagebinding_evaluate_on_plan_and_more"),
-    ]
-
-    operations = [
-        migrations.AlterModelOptions(
-            name="flow",
-            options={
-                "permissions": [
-                    ("export_flow", "Can export a Flow"),
-                    ("inspect_flow", "Can inspect a Flow's execution"),
-                    ("view_flow_cache", "View Flow's cache metrics"),
-                    ("clear_flow_cache", "Clear Flow's cache metrics"),
-                ],
-                "verbose_name": "Flow",
-                "verbose_name_plural": "Flows",
-            },
-        ),
-    ]

authentik/flows/migrations/0027_auto_20231028_1424.py

@@ -1,34 +0,0 @@
-# Generated by Django 4.2.6 on 2023-10-28 14:24
-
-from django.apps.registry import Apps
-from django.db import migrations
-from django.db.backends.base.schema import BaseDatabaseSchemaEditor
-
-
-def set_oobe_flow_authentication(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    from guardian.shortcuts import get_anonymous_user
-
-    Flow = apps.get_model("authentik_flows", "Flow")
-    User = apps.get_model("authentik_core", "User")
-
-    db_alias = schema_editor.connection.alias
-
-    users = User.objects.using(db_alias).exclude(username="akadmin")
-    try:
-        users = users.exclude(pk=get_anonymous_user().pk)
-    # pylint: disable=broad-except
-    except Exception:  # nosec
-        pass
-
-    if users.exists():
-        Flow.objects.filter(slug="initial-setup").update(authentication="require_superuser")
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("authentik_flows", "0026_alter_flow_options"),
-    ]
-
-    operations = [
-        migrations.RunPython(set_oobe_flow_authentication),
-    ]

authentik/flows/stage.py

@@ -23,6 +23,7 @@ from authentik.flows.challenge import (
     RedirectChallenge,
     WithUserInfoChallenge,
 )
+from authentik.flows.exceptions import StageInvalidException
 from authentik.flows.models import InvalidResponseAction
 from authentik.flows.planner import PLAN_CONTEXT_APPLICATION, PLAN_CONTEXT_PENDING_USER
 from authentik.lib.avatars import DEFAULT_AVATAR
@@ -100,8 +101,14 @@ class ChallengeStageView(StageView):
 
     def post(self, request: Request, *args, **kwargs) -> HttpResponse:
         """Handle challenge response"""
+        valid = False
+        try:
             challenge: ChallengeResponse = self.get_response_instance(data=request.data)
-        if not challenge.is_valid():
+            valid = challenge.is_valid()
+        except StageInvalidException as exc:
+            self.logger.debug("Got StageInvalidException", exc=exc)
+            return self.executor.stage_invalid()
+        if not valid:
             if self.executor.current_binding.invalid_response_action in [
                 InvalidResponseAction.RESTART,
                 InvalidResponseAction.RESTART_WITH_CONTEXT,

authentik/flows/tests/test_stage_views.py

@@ -21,6 +21,7 @@ def view_tester_factory(view_class: type[StageView]) -> Callable:
 
     def tester(self: TestViews):
         model_class = view_class(self.exec)
+        if not hasattr(model_class, "dispatch"):
             self.assertIsNotNone(model_class.post)
             self.assertIsNotNone(model_class.get)
 

authentik/flows/views/executor.py

@@ -42,6 +42,7 @@ from authentik.flows.models import (
     FlowDesignation,
     FlowStageBinding,
     FlowToken,
+    InvalidResponseAction,
     Stage,
 )
 from authentik.flows.planner import (
@@ -73,40 +74,23 @@ QS_QUERY = "query"
 
 
 def challenge_types():
-    """This is a workaround for PolymorphicProxySerializer not accepting a callable for
-    `serializers`. This function returns a class which is an iterator, which returns the
+    """This function returns a mapping which contains all subclasses of challenges
     subclasses of Challenge, and Challenge itself."""
-
-    class Inner(dict):
-        """dummy class with custom callback on .items()"""
-
-        def items(self):
     mapping = {}
-            classes = all_subclasses(Challenge)
-            classes.remove(WithUserInfoChallenge)
-            for cls in classes:
+    for cls in all_subclasses(Challenge):
+        if cls == WithUserInfoChallenge:
+            continue
         mapping[cls().fields["component"].default] = cls
-            return mapping.items()
-
-    return Inner()
+    return mapping
 
 
 def challenge_response_types():
-    """This is a workaround for PolymorphicProxySerializer not accepting a callable for
-    `serializers`. This function returns a class which is an iterator, which returns the
+    """This function returns a mapping which contains all subclasses of challenges
     subclasses of Challenge, and Challenge itself."""
-
-    class Inner(dict):
-        """dummy class with custom callback on .items()"""
-
-        def items(self):
     mapping = {}
-            classes = all_subclasses(ChallengeResponse)
-            for cls in classes:
+    for cls in all_subclasses(ChallengeResponse):
         mapping[cls(stage=None).fields["component"].default] = cls
-            return mapping.items()
-
-    return Inner()
+    return mapping
 
 
 class InvalidStageError(SentryIgnoredException):
@@ -122,7 +106,7 @@ class FlowExecutorView(APIView):
     flow: Flow
 
     plan: Optional[FlowPlan] = None
-    current_binding: FlowStageBinding
+    current_binding: Optional[FlowStageBinding] = None
     current_stage: Stage
     current_stage_view: View
 
@@ -264,7 +248,7 @@ class FlowExecutorView(APIView):
         responses={
             200: PolymorphicProxySerializer(
                 component_name="ChallengeTypes",
-                serializers=challenge_types(),
+                serializers=challenge_types,
                 resource_type_field_name="component",
             ),
         },
@@ -295,7 +279,7 @@ class FlowExecutorView(APIView):
                 span.set_data("Method", "GET")
                 span.set_data("authentik Stage", self.current_stage_view)
                 span.set_data("authentik Flow", self.flow.slug)
-                stage_response = self.current_stage_view.get(request, *args, **kwargs)
+                stage_response = self.current_stage_view.dispatch(request)
                 return to_stage_response(request, stage_response)
         except Exception as exc:  # pylint: disable=broad-except
             return self.handle_exception(exc)
@@ -304,13 +288,13 @@ class FlowExecutorView(APIView):
         responses={
             200: PolymorphicProxySerializer(
                 component_name="ChallengeTypes",
-                serializers=challenge_types(),
+                serializers=challenge_types,
                 resource_type_field_name="component",
             ),
         },
         request=PolymorphicProxySerializer(
             component_name="FlowChallengeResponse",
-            serializers=challenge_response_types(),
+            serializers=challenge_response_types,
             resource_type_field_name="component",
         ),
         parameters=[
@@ -339,7 +323,7 @@ class FlowExecutorView(APIView):
                 span.set_data("Method", "POST")
                 span.set_data("authentik Stage", self.current_stage_view)
                 span.set_data("authentik Flow", self.flow.slug)
-                stage_response = self.current_stage_view.post(request, *args, **kwargs)
+                stage_response = self.current_stage_view.dispatch(request)
                 return to_stage_response(request, stage_response)
         except Exception as exc:  # pylint: disable=broad-except
             return self.handle_exception(exc)
@@ -362,10 +346,15 @@ class FlowExecutorView(APIView):
     def restart_flow(self, keep_context=False) -> HttpResponse:
         """Restart the currently active flow, optionally keeping the current context"""
         planner = FlowPlanner(self.flow)
+        planner.use_cache = False
         default_context = None
         if keep_context:
             default_context = self.plan.context
+        try:
             plan = planner.plan(self.request, default_context)
+        except FlowNonApplicableException as exc:
+            self._logger.warning("f(exec): Flow restart not applicable to current user", exc=exc)
+            return self.handle_invalid_flow(exc)
         self.request.session[SESSION_KEY_PLAN] = plan
         kwargs = self.kwargs
         kwargs.update({"flow_slug": self.flow.slug})
@@ -423,6 +412,19 @@ class FlowExecutorView(APIView):
         Optionally, an exception can be passed, which will be shown if the current user
         is a superuser."""
         self._logger.debug("f(exec): Stage invalid")
+        if self.current_binding and self.current_binding.invalid_response_action in [
+            InvalidResponseAction.RESTART,
+            InvalidResponseAction.RESTART_WITH_CONTEXT,
+        ]:
+            keep_context = (
+                self.current_binding.invalid_response_action
+                == InvalidResponseAction.RESTART_WITH_CONTEXT
+            )
+            self._logger.debug(
+                "f(exec): Invalid response, restarting flow",
+                keep_context=keep_context,
+            )
+            return self.restart_flow(keep_context)
         self.cancel()
         challenge_view = AccessDeniedChallengeView(self, error_message)
         challenge_view.request = self.request

authentik/lib/default.yml

@@ -1,4 +1,4 @@
-# update website/docs/installation/configuration.md
+# update website/docs/installation/configuration.mdx
 # This is the default configuration file
 postgresql:
   host: localhost
@@ -7,6 +7,7 @@ postgresql:
   port: 5432
   password: "env://POSTGRES_PASSWORD"
   use_pgbouncer: false
+  use_pgpool: false
 
 listen:
   listen_http: 0.0.0.0:9000
@@ -110,3 +111,6 @@ web:
   # No default here as it's set dynamically
   # workers: 2
   threads: 4
+
+worker:
+  concurrency: 2

authentik/lib/expression/evaluator.py

@@ -7,7 +7,6 @@ from typing import Any, Iterable, Optional
 
 from cachetools import TLRUCache, cached
 from django.core.exceptions import FieldError
-from django_otp import devices_for_user
 from guardian.shortcuts import get_anonymous_user
 from rest_framework.serializers import ValidationError
 from sentry_sdk.hub import Hub
@@ -20,6 +19,7 @@ from authentik.lib.utils.http import get_http_session
 from authentik.policies.models import Policy, PolicyBinding
 from authentik.policies.process import PolicyProcess
 from authentik.policies.types import PolicyRequest, PolicyResult
+from authentik.stages.authenticator import devices_for_user
 
 LOGGER = get_logger()
 

authentik/lib/logging.py

@@ -1,7 +1,112 @@
 """logging helpers"""
+import logging
 from logging import Logger
 from os import getpid
 
+import structlog
+
+from authentik.lib.config import CONFIG
+
+LOG_PRE_CHAIN = [
+    # Add the log level and a timestamp to the event_dict if the log entry
+    # is not from structlog.
+    structlog.stdlib.add_log_level,
+    structlog.stdlib.add_logger_name,
+    structlog.processors.TimeStamper(),
+    structlog.processors.StackInfoRenderer(),
+]
+
+
+def get_log_level():
+    """Get log level, clamp trace to debug"""
+    level = CONFIG.get("log_level").upper()
+    # We could add a custom level to stdlib logging and structlog, but it's not easy or clean
+    # https://stackoverflow.com/questions/54505487/custom-log-level-not-working-with-structlog
+    # Additionally, the entire code uses debug as highest level
+    # so that would have to be re-written too
+    if level == "TRACE":
+        level = "DEBUG"
+    return level
+
+
+def structlog_configure():
+    """Configure structlog itself"""
+    structlog.configure_once(
+        processors=[
+            structlog.stdlib.add_log_level,
+            structlog.stdlib.add_logger_name,
+            structlog.contextvars.merge_contextvars,
+            add_process_id,
+            structlog.stdlib.PositionalArgumentsFormatter(),
+            structlog.processors.TimeStamper(fmt="iso", utc=False),
+            structlog.processors.StackInfoRenderer(),
+            structlog.processors.dict_tracebacks,
+            structlog.stdlib.ProcessorFormatter.wrap_for_formatter,
+        ],
+        logger_factory=structlog.stdlib.LoggerFactory(),
+        wrapper_class=structlog.make_filtering_bound_logger(
+            getattr(logging, get_log_level(), logging.WARNING)
+        ),
+        cache_logger_on_first_use=True,
+    )
+
+
+def get_logger_config():
+    """Configure python stdlib's logging"""
+    debug = CONFIG.get_bool("debug")
+    global_level = get_log_level()
+    base_config = {
+        "version": 1,
+        "disable_existing_loggers": False,
+        "formatters": {
+            "json": {
+                "()": structlog.stdlib.ProcessorFormatter,
+                "processor": structlog.processors.JSONRenderer(sort_keys=True),
+                "foreign_pre_chain": LOG_PRE_CHAIN + [structlog.processors.dict_tracebacks],
+            },
+            "console": {
+                "()": structlog.stdlib.ProcessorFormatter,
+                "processor": structlog.dev.ConsoleRenderer(colors=debug),
+                "foreign_pre_chain": LOG_PRE_CHAIN,
+            },
+        },
+        "handlers": {
+            "console": {
+                "level": "DEBUG",
+                "class": "logging.StreamHandler",
+                "formatter": "console" if debug else "json",
+            },
+        },
+        "loggers": {},
+    }
+
+    handler_level_map = {
+        "": global_level,
+        "authentik": global_level,
+        "django": "WARNING",
+        "django.request": "ERROR",
+        "celery": "WARNING",
+        "selenium": "WARNING",
+        "docker": "WARNING",
+        "urllib3": "WARNING",
+        "websockets": "WARNING",
+        "daphne": "WARNING",
+        "kubernetes": "INFO",
+        "asyncio": "WARNING",
+        "redis": "WARNING",
+        "silk": "INFO",
+        "fsevents": "WARNING",
+        "uvicorn": "WARNING",
+        "gunicorn": "INFO",
+    }
+    for handler_name, level in handler_level_map.items():
+        base_config["loggers"][handler_name] = {
+            "handlers": ["console"],
+            "level": level,
+            "propagate": False,
+        }
+    return base_config
+
 
 def add_process_id(logger: Logger, method_name: str, event_dict):
     """Add the current process ID"""

authentik/policies/api/bindings.py

@@ -77,6 +77,7 @@ class PolicyBindingSerializer(ModelSerializer):
             "enabled",
             "order",
             "timeout",
+            "failure_result",
         ]
 
     def validate(self, attrs: OrderedDict) -> OrderedDict:

authentik/policies/migrations/0011_policybinding_failure_result_and_more.py

@@ -0,0 +1,26 @@
+# Generated by Django 4.2.5 on 2023-09-13 18:07
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("authentik_policies", "0010_alter_policy_name"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="policybinding",
+            name="failure_result",
+            field=models.BooleanField(
+                default=False, help_text="Result if the Policy execution fails."
+            ),
+        ),
+        migrations.AlterField(
+            model_name="policybinding",
+            name="timeout",
+            field=models.PositiveIntegerField(
+                default=30, help_text="Timeout after which Policy execution is terminated."
+            ),
+        ),
+    ]

authentik/policies/models.py

@@ -85,9 +85,12 @@ class PolicyBinding(SerializerModel):
         default=False,
         help_text=_("Negates the outcome of the policy. Messages are unaffected."),
     )
-    timeout = models.IntegerField(
+    timeout = models.PositiveIntegerField(
         default=30, help_text=_("Timeout after which Policy execution is terminated.")
     )
+    failure_result = models.BooleanField(
+        default=False, help_text=_("Result if the Policy execution fails.")
+    )
 
     order = models.IntegerField()
 

authentik/policies/process.py

@@ -98,8 +98,8 @@ class PolicyProcess(PROCESS_CLASS):
             # Create policy exception event, only when we're not debugging
             if not self.request.debug:
                 self.create_event(EventAction.POLICY_EXCEPTION, message=error_string)
-            LOGGER.debug("P_ENG(proc): error", exc=src_exc)
-            policy_result = PolicyResult(False, str(src_exc))
+            LOGGER.debug("P_ENG(proc): error, using failure result", exc=src_exc)
+            policy_result = PolicyResult(self.binding.failure_result, str(src_exc))
         policy_result.source_binding = self.binding
         should_cache = self.request.should_cache
         if should_cache:

authentik/policies/tests/test_engine.py

@@ -97,6 +97,17 @@ class TestPolicyEngine(TestCase):
         self.assertEqual(result.passing, False)
         self.assertEqual(result.messages, ("division by zero",))
 
+    def test_engine_policy_error_failure(self):
+        """Test policy raising an error flag"""
+        pbm = PolicyBindingModel.objects.create()
+        PolicyBinding.objects.create(
+            target=pbm, policy=self.policy_raises, order=0, failure_result=True
+        )
+        engine = PolicyEngine(pbm, self.user)
+        result = engine.build().result
+        self.assertEqual(result.passing, True)
+        self.assertEqual(result.messages, ("division by zero",))
+
     def test_engine_policy_type(self):
         """Test invalid policy type"""
         pbm = PolicyBindingModel.objects.create()

authentik/providers/oauth2/tests/test_authorize.py

@@ -85,25 +85,6 @@ class TestAuthorize(OAuthTestCase):
             )
             OAuthAuthorizationParams.from_request(request)
 
-    def test_blocked_redirect_uri(self):
-        """test missing/invalid redirect URI"""
-        OAuth2Provider.objects.create(
-            name=generate_id(),
-            client_id="test",
-            authorization_flow=create_test_flow(),
-            redirect_uris="data:local.invalid",
-        )
-        with self.assertRaises(RedirectUriError):
-            request = self.factory.get(
-                "/",
-                data={
-                    "response_type": "code",
-                    "client_id": "test",
-                    "redirect_uri": "data:localhost",
-                },
-            )
-            OAuthAuthorizationParams.from_request(request)
-
     def test_invalid_redirect_uri_empty(self):
         """test missing/invalid redirect URI"""
         provider = OAuth2Provider.objects.create(

authentik/providers/oauth2/tests/test_token_pkce.py

@@ -1,258 +0,0 @@
-"""Test token view"""
-from base64 import b64encode, urlsafe_b64encode
-from hashlib import sha256
-
-from django.test import RequestFactory
-from django.urls import reverse
-
-from authentik.core.models import Application
-from authentik.core.tests.utils import create_test_admin_user, create_test_flow
-from authentik.flows.challenge import ChallengeTypes
-from authentik.lib.generators import generate_id
-from authentik.providers.oauth2.constants import GRANT_TYPE_AUTHORIZATION_CODE
-from authentik.providers.oauth2.models import AuthorizationCode, OAuth2Provider
-from authentik.providers.oauth2.tests.utils import OAuthTestCase
-
-
-class TestTokenPKCE(OAuthTestCase):
-    """Test token view"""
-
-    def setUp(self) -> None:
-        super().setUp()
-        self.factory = RequestFactory()
-        self.app = Application.objects.create(name=generate_id(), slug="test")
-
-    def test_pkce_missing_in_authorize(self):
-        """Test PKCE with code_challenge in authorize request
-        and missing verifier in token request"""
-        flow = create_test_flow()
-        provider = OAuth2Provider.objects.create(
-            name=generate_id(),
-            client_id="test",
-            authorization_flow=flow,
-            redirect_uris="foo://localhost",
-            access_code_validity="seconds=100",
-        )
-        Application.objects.create(name="app", slug="app", provider=provider)
-        state = generate_id()
-        user = create_test_admin_user()
-        self.client.force_login(user)
-        challenge = generate_id()
-        header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
-        # Step 1, initiate params and get redirect to flow
-        self.client.get(
-            reverse("authentik_providers_oauth2:authorize"),
-            data={
-                "response_type": "code",
-                "client_id": "test",
-                "state": state,
-                "redirect_uri": "foo://localhost",
-                "code_challenge": challenge,
-                "code_challenge_method": "S256",
-            },
-        )
-        response = self.client.get(
-            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
-        )
-        code: AuthorizationCode = AuthorizationCode.objects.filter(user=user).first()
-        self.assertJSONEqual(
-            response.content.decode(),
-            {
-                "component": "xak-flow-redirect",
-                "type": ChallengeTypes.REDIRECT.value,
-                "to": f"foo://localhost?code={code.code}&state={state}",
-            },
-        )
-        response = self.client.post(
-            reverse("authentik_providers_oauth2:token"),
-            data={
-                "grant_type": GRANT_TYPE_AUTHORIZATION_CODE,
-                "code": code.code,
-                # Missing the code_verifier here
-                "redirect_uri": "foo://localhost",
-            },
-            HTTP_AUTHORIZATION=f"Basic {header}",
-        )
-        self.assertJSONEqual(
-            response.content,
-            {
-                "error": "invalid_grant",
-                "error_description": (
-                    "The provided authorization grant or refresh token is invalid, expired, "
-                    "revoked, does not match the redirection URI used in the authorization "
-                    "request, or was issued to another client"
-                ),
-            },
-        )
-        self.assertEqual(response.status_code, 400)
-
-    def test_pkce_missing_in_token(self):
-        """Test PKCE with missing code_challenge in authorization request but verifier
-        set in token request"""
-        flow = create_test_flow()
-        provider = OAuth2Provider.objects.create(
-            name=generate_id(),
-            client_id="test",
-            authorization_flow=flow,
-            redirect_uris="foo://localhost",
-            access_code_validity="seconds=100",
-        )
-        Application.objects.create(name="app", slug="app", provider=provider)
-        state = generate_id()
-        user = create_test_admin_user()
-        self.client.force_login(user)
-        header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
-        # Step 1, initiate params and get redirect to flow
-        self.client.get(
-            reverse("authentik_providers_oauth2:authorize"),
-            data={
-                "response_type": "code",
-                "client_id": "test",
-                "state": state,
-                "redirect_uri": "foo://localhost",
-                # "code_challenge": challenge,
-                # "code_challenge_method": "S256",
-            },
-        )
-        response = self.client.get(
-            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
-        )
-        code: AuthorizationCode = AuthorizationCode.objects.filter(user=user).first()
-        self.assertJSONEqual(
-            response.content.decode(),
-            {
-                "component": "xak-flow-redirect",
-                "type": ChallengeTypes.REDIRECT.value,
-                "to": f"foo://localhost?code={code.code}&state={state}",
-            },
-        )
-        response = self.client.post(
-            reverse("authentik_providers_oauth2:token"),
-            data={
-                "grant_type": GRANT_TYPE_AUTHORIZATION_CODE,
-                "code": code.code,
-                "code_verifier": generate_id(),
-                "redirect_uri": "foo://localhost",
-            },
-            HTTP_AUTHORIZATION=f"Basic {header}",
-        )
-        self.assertJSONEqual(
-            response.content,
-            {
-                "error": "invalid_grant",
-                "error_description": (
-                    "The provided authorization grant or refresh token is invalid, expired, "
-                    "revoked, does not match the redirection URI used in the authorization "
-                    "request, or was issued to another client"
-                ),
-            },
-        )
-        self.assertEqual(response.status_code, 400)
-
-    def test_pkce_correct_s256(self):
-        """Test full with pkce"""
-        flow = create_test_flow()
-        provider = OAuth2Provider.objects.create(
-            name=generate_id(),
-            client_id="test",
-            authorization_flow=flow,
-            redirect_uris="foo://localhost",
-            access_code_validity="seconds=100",
-        )
-        Application.objects.create(name="app", slug="app", provider=provider)
-        state = generate_id()
-        user = create_test_admin_user()
-        self.client.force_login(user)
-        verifier = generate_id()
-        challenge = (
-            urlsafe_b64encode(sha256(verifier.encode("ascii")).digest())
-            .decode("utf-8")
-            .replace("=", "")
-        )
-        header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
-        # Step 1, initiate params and get redirect to flow
-        self.client.get(
-            reverse("authentik_providers_oauth2:authorize"),
-            data={
-                "response_type": "code",
-                "client_id": "test",
-                "state": state,
-                "redirect_uri": "foo://localhost",
-                "code_challenge": challenge,
-                "code_challenge_method": "S256",
-            },
-        )
-        response = self.client.get(
-            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
-        )
-        code: AuthorizationCode = AuthorizationCode.objects.filter(user=user).first()
-        self.assertJSONEqual(
-            response.content.decode(),
-            {
-                "component": "xak-flow-redirect",
-                "type": ChallengeTypes.REDIRECT.value,
-                "to": f"foo://localhost?code={code.code}&state={state}",
-            },
-        )
-        response = self.client.post(
-            reverse("authentik_providers_oauth2:token"),
-            data={
-                "grant_type": GRANT_TYPE_AUTHORIZATION_CODE,
-                "code": code.code,
-                "code_verifier": verifier,
-                "redirect_uri": "foo://localhost",
-            },
-            HTTP_AUTHORIZATION=f"Basic {header}",
-        )
-        self.assertEqual(response.status_code, 200)
-
-    def test_pkce_correct_plain(self):
-        """Test full with pkce"""
-        flow = create_test_flow()
-        provider = OAuth2Provider.objects.create(
-            name=generate_id(),
-            client_id="test",
-            authorization_flow=flow,
-            redirect_uris="foo://localhost",
-            access_code_validity="seconds=100",
-        )
-        Application.objects.create(name="app", slug="app", provider=provider)
-        state = generate_id()
-        user = create_test_admin_user()
-        self.client.force_login(user)
-        verifier = generate_id()
-        header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
-        # Step 1, initiate params and get redirect to flow
-        self.client.get(
-            reverse("authentik_providers_oauth2:authorize"),
-            data={
-                "response_type": "code",
-                "client_id": "test",
-                "state": state,
-                "redirect_uri": "foo://localhost",
-                "code_challenge": verifier,
-            },
-        )
-        response = self.client.get(
-            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
-        )
-        code: AuthorizationCode = AuthorizationCode.objects.filter(user=user).first()
-        self.assertJSONEqual(
-            response.content.decode(),
-            {
-                "component": "xak-flow-redirect",
-                "type": ChallengeTypes.REDIRECT.value,
-                "to": f"foo://localhost?code={code.code}&state={state}",
-            },
-        )
-        response = self.client.post(
-            reverse("authentik_providers_oauth2:token"),
-            data={
-                "grant_type": GRANT_TYPE_AUTHORIZATION_CODE,
-                "code": code.code,
-                "code_verifier": verifier,
-                "redirect_uri": "foo://localhost",
-            },
-            HTTP_AUTHORIZATION=f"Basic {header}",
-        )
-        self.assertEqual(response.status_code, 200)

authentik/providers/oauth2/views/authorize.py

@@ -74,7 +74,6 @@ PLAN_CONTEXT_PARAMS = "goauthentik.io/providers/oauth2/params"
 SESSION_KEY_LAST_LOGIN_UID = "authentik/providers/oauth2/last_login_uid"
 
 ALLOWED_PROMPT_PARAMS = {PROMPT_NONE, PROMPT_CONSENT, PROMPT_LOGIN}
-FORBIDDEN_URI_SCHEMES = {"javascript", "data", "vbscript"}
 
 
 @dataclass(slots=True)
@@ -175,10 +174,6 @@ class OAuthAuthorizationParams:
         self.check_scope()
         self.check_nonce()
         self.check_code_challenge()
-        if self.request:
-            raise AuthorizeError(
-                self.redirect_uri, "request_not_supported", self.grant_type, self.state
-            )
 
     def check_redirect_uri(self):
         """Redirect URI validation."""
@@ -216,9 +211,10 @@ class OAuthAuthorizationParams:
                     expected=allowed_redirect_urls,
                 )
                 raise RedirectUriError(self.redirect_uri, allowed_redirect_urls)
-        # Check against forbidden schemes
-        if urlparse(self.redirect_uri).scheme in FORBIDDEN_URI_SCHEMES:
-            raise RedirectUriError(self.redirect_uri, allowed_redirect_urls)
+        if self.request:
+            raise AuthorizeError(
+                self.redirect_uri, "request_not_supported", self.grant_type, self.state
+            )
 
     def check_scope(self):
         """Ensure openid scope is set in Hybrid flows, or when requesting an id_token"""

authentik/providers/oauth2/views/token.py

@@ -6,7 +6,6 @@ from hashlib import sha256
 from re import error as RegexError
 from re import fullmatch
 from typing import Any, Optional
-from urllib.parse import urlparse
 
 from django.http import HttpRequest, HttpResponse
 from django.utils import timezone
@@ -54,7 +53,6 @@ from authentik.providers.oauth2.models import (
     RefreshToken,
 )
 from authentik.providers.oauth2.utils import TokenResponse, cors_allow, extract_client_auth
-from authentik.providers.oauth2.views.authorize import FORBIDDEN_URI_SCHEMES
 from authentik.sources.oauth.models import OAuthSource
 from authentik.stages.password.stage import PLAN_CONTEXT_METHOD, PLAN_CONTEXT_METHOD_ARGS
 
@@ -206,10 +204,6 @@ class TokenParams:
                 ).from_http(request)
                 raise TokenError("invalid_client")
 
-        # Check against forbidden schemes
-        if urlparse(self.redirect_uri).scheme in FORBIDDEN_URI_SCHEMES:
-            raise TokenError("invalid_request")
-
         self.authorization_code = AuthorizationCode.objects.filter(code=raw_code).first()
         if not self.authorization_code:
             LOGGER.warning("Code does not exist", code=raw_code)
@@ -227,10 +221,7 @@ class TokenParams:
             raise TokenError("invalid_grant")
 
         # Validate PKCE parameters.
-        if self.authorization_code.code_challenge:
-            # Authorization code had PKCE but we didn't get one
-            if not self.code_verifier:
-                raise TokenError("invalid_grant")
+        if self.code_verifier:
             if self.authorization_code.code_challenge_method == PKCE_METHOD_S256:
                 new_code_challenge = (
                     urlsafe_b64encode(sha256(self.code_verifier.encode("ascii")).digest())
@@ -243,10 +234,6 @@ class TokenParams:
             if new_code_challenge != self.authorization_code.code_challenge:
                 LOGGER.warning("Code challenge not matching")
                 raise TokenError("invalid_grant")
-        # Token request had a code_verifier but code did not have a code challenge
-        # Prevent downgrade
-        if not self.authorization_code.code_challenge and self.code_verifier:
-            raise TokenError("invalid_grant")
 
     def __post_init_refresh(self, raw_token: str, request: HttpRequest):
         if not raw_token:

authentik/root/middleware.py

@@ -172,7 +172,7 @@ class ChannelsLoggingMiddleware:
         LOGGER.info(
             scope["path"],
             scheme="ws",
-            remote=scope.get("client", [""])[0],
+            remote=headers.get(b"x-forwarded-for", b"").decode(),
             user_agent=headers.get(b"user-agent", b"").decode(),
             **kwargs,
         )

authentik/root/settings.py

@@ -1,25 +1,21 @@
 """root settings for authentik"""
 
 import importlib
-import logging
 import os
 from hashlib import sha512
 from pathlib import Path
 from urllib.parse import quote_plus
 
-import structlog
 from celery.schedules import crontab
 from sentry_sdk import set_tag
 
 from authentik import ENV_GIT_HASH_KEY, __version__
 from authentik.lib.config import CONFIG
-from authentik.lib.logging import add_process_id
+from authentik.lib.logging import get_logger_config, structlog_configure
 from authentik.lib.sentry import sentry_init
 from authentik.lib.utils.reflection import get_env
 from authentik.stages.password import BACKEND_APP_PASSWORD, BACKEND_INBUILT, BACKEND_LDAP
 
-LOGGER = structlog.get_logger()
-
 BASE_DIR = Path(__file__).absolute().parent.parent.parent
 STATICFILES_DIRS = [BASE_DIR / Path("web")]
 MEDIA_ROOT = BASE_DIR / Path("media")
@@ -41,6 +37,7 @@ CSRF_HEADER_NAME = "HTTP_X_AUTHENTIK_CSRF"
 LANGUAGE_COOKIE_NAME = "authentik_language"
 SESSION_COOKIE_NAME = "authentik_session"
 SESSION_COOKIE_DOMAIN = CONFIG.get("cookie_domain", None)
+APPEND_SLASH = False
 
 AUTHENTICATION_BACKENDS = [
     "django.contrib.auth.backends.ModelBackend",
@@ -85,6 +82,7 @@ INSTALLED_APPS = [
     "authentik.sources.oauth",
     "authentik.sources.plex",
     "authentik.sources.saml",
+    "authentik.stages.authenticator",
     "authentik.stages.authenticator_duo",
     "authentik.stages.authenticator_sms",
     "authentik.stages.authenticator_static",
@@ -282,6 +280,9 @@ DATABASES = {
     }
 }
 
+if CONFIG.get_bool("postgresql.use_pgpool", False):
+    DATABASES["default"]["DISABLE_SERVER_SIDE_CURSORS"] = True
+
 if CONFIG.get_bool("postgresql.use_pgbouncer", False):
     # https://docs.djangoproject.com/en/4.0/ref/databases/#transaction-pooling-server-side-cursors
     DATABASES["default"]["DISABLE_SERVER_SIDE_CURSORS"] = True
@@ -332,7 +333,7 @@ LOCALE_PATHS = ["./locale"]
 CELERY = {
     "task_soft_time_limit": 600,
     "worker_max_tasks_per_child": 50,
-    "worker_concurrency": 2,
+    "worker_concurrency": CONFIG.get_int("worker.concurrency"),
     "beat_schedule": {
         "clean_expired_models": {
             "task": "authentik.core.tasks.clean_expired_models",
@@ -368,90 +369,9 @@ MEDIA_URL = "/media/"
 
 TEST = False
 TEST_RUNNER = "authentik.root.test_runner.PytestTestRunner"
-# We can't check TEST here as its set later by the test runner
-LOG_LEVEL = CONFIG.get("log_level").upper() if "TF_BUILD" not in os.environ else "DEBUG"
-# We could add a custom level to stdlib logging and structlog, but it's not easy or clean
-# https://stackoverflow.com/questions/54505487/custom-log-level-not-working-with-structlog
-# Additionally, the entire code uses debug as highest level so that would have to be re-written too
-if LOG_LEVEL == "TRACE":
-    LOG_LEVEL = "DEBUG"
 
-structlog.configure_once(
-    processors=[
-        structlog.stdlib.add_log_level,
-        structlog.stdlib.add_logger_name,
-        structlog.contextvars.merge_contextvars,
-        add_process_id,
-        structlog.stdlib.PositionalArgumentsFormatter(),
-        structlog.processors.TimeStamper(fmt="iso", utc=False),
-        structlog.processors.StackInfoRenderer(),
-        structlog.processors.dict_tracebacks,
-        structlog.stdlib.ProcessorFormatter.wrap_for_formatter,
-    ],
-    logger_factory=structlog.stdlib.LoggerFactory(),
-    wrapper_class=structlog.make_filtering_bound_logger(
-        getattr(logging, LOG_LEVEL, logging.WARNING)
-    ),
-    cache_logger_on_first_use=True,
-)
-
-LOG_PRE_CHAIN = [
-    # Add the log level and a timestamp to the event_dict if the log entry
-    # is not from structlog.
-    structlog.stdlib.add_log_level,
-    structlog.stdlib.add_logger_name,
-    structlog.processors.TimeStamper(),
-    structlog.processors.StackInfoRenderer(),
-]
-
-LOGGING = {
-    "version": 1,
-    "disable_existing_loggers": False,
-    "formatters": {
-        "json": {
-            "()": structlog.stdlib.ProcessorFormatter,
-            "processor": structlog.processors.JSONRenderer(sort_keys=True),
-            "foreign_pre_chain": LOG_PRE_CHAIN + [structlog.processors.dict_tracebacks],
-        },
-        "console": {
-            "()": structlog.stdlib.ProcessorFormatter,
-            "processor": structlog.dev.ConsoleRenderer(colors=DEBUG),
-            "foreign_pre_chain": LOG_PRE_CHAIN,
-        },
-    },
-    "handlers": {
-        "console": {
-            "level": "DEBUG",
-            "class": "logging.StreamHandler",
-            "formatter": "console" if DEBUG else "json",
-        },
-    },
-    "loggers": {},
-}
-
-_LOGGING_HANDLER_MAP = {
-    "": LOG_LEVEL,
-    "authentik": LOG_LEVEL,
-    "django": "WARNING",
-    "django.request": "ERROR",
-    "celery": "WARNING",
-    "selenium": "WARNING",
-    "docker": "WARNING",
-    "urllib3": "WARNING",
-    "websockets": "WARNING",
-    "daphne": "WARNING",
-    "kubernetes": "INFO",
-    "asyncio": "WARNING",
-    "redis": "WARNING",
-    "silk": "INFO",
-    "fsevents": "WARNING",
-}
-for handler_name, level in _LOGGING_HANDLER_MAP.items():
-    LOGGING["loggers"][handler_name] = {
-        "handlers": ["console"],
-        "level": level,
-        "propagate": False,
-    }
+structlog_configure()
+LOGGING = get_logger_config()
 
 
 _DISALLOWED_ITEMS = [

authentik/root/test_runner.py

@@ -20,7 +20,7 @@ class PytestTestRunner:  # pragma: no cover
         self.failfast = failfast
         self.keepdb = keepdb
 
-        self.args = ["-vv", "--full-trace"]
+        self.args = []
         if self.failfast:
             self.args.append("--exitfirst")
         if self.keepdb:

authentik/sources/ldap/api/property_mappings.py

@@ -0,0 +1,40 @@
+"""Property mapping API Views"""
+from django_filters.filters import AllValuesMultipleFilter
+from django_filters.filterset import FilterSet
+from drf_spectacular.types import OpenApiTypes
+from drf_spectacular.utils import extend_schema_field
+from rest_framework.viewsets import ModelViewSet
+
+from authentik.core.api.propertymappings import PropertyMappingSerializer
+from authentik.core.api.used_by import UsedByMixin
+from authentik.sources.ldap.models import LDAPPropertyMapping
+
+
+class LDAPPropertyMappingSerializer(PropertyMappingSerializer):
+    """LDAP PropertyMapping Serializer"""
+
+    class Meta:
+        model = LDAPPropertyMapping
+        fields = PropertyMappingSerializer.Meta.fields + [
+            "object_field",
+        ]
+
+
+class LDAPPropertyMappingFilter(FilterSet):
+    """Filter for LDAPPropertyMapping"""
+
+    managed = extend_schema_field(OpenApiTypes.STR)(AllValuesMultipleFilter(field_name="managed"))
+
+    class Meta:
+        model = LDAPPropertyMapping
+        fields = "__all__"
+
+
+class LDAPPropertyMappingViewSet(UsedByMixin, ModelViewSet):
+    """LDAP PropertyMapping Viewset"""
+
+    queryset = LDAPPropertyMapping.objects.all()
+    serializer_class = LDAPPropertyMappingSerializer
+    filterset_class = LDAPPropertyMappingFilter
+    search_fields = ["name"]
+    ordering = ["name"]

authentik/sources/ldap/api/source_connections.py

@@ -0,0 +1,32 @@
+"""LDAP Source Serializer"""
+from django_filters.rest_framework import DjangoFilterBackend
+from rest_framework.filters import OrderingFilter, SearchFilter
+from rest_framework.viewsets import ModelViewSet
+
+from authentik.api.authorization import OwnerFilter, OwnerSuperuserPermissions
+from authentik.core.api.sources import UserSourceConnectionSerializer
+from authentik.core.api.used_by import UsedByMixin
+from authentik.sources.ldap.models import LDAPUserSourceConnection
+
+
+class LDAPUserSourceConnectionSerializer(UserSourceConnectionSerializer):
+    """LDAP Source Serializer"""
+
+    class Meta:
+        model = LDAPUserSourceConnection
+        fields = ["pk", "user", "source", "unique_identifier"]
+        extra_kwargs = {
+            "access_token": {"write_only": True},
+        }
+
+
+class LDAPUserSourceConnectionViewSet(UsedByMixin, ModelViewSet):
+    """Source Viewset"""
+
+    queryset = LDAPUserSourceConnection.objects.all()
+    serializer_class = LDAPUserSourceConnectionSerializer
+    filterset_fields = ["source__slug"]
+    search_fields = ["source__slug"]
+    permission_classes = [OwnerSuperuserPermissions]
+    filter_backends = [OwnerFilter, DjangoFilterBackend, OrderingFilter, SearchFilter]
+    ordering = ["source__slug"]

authentik/sources/ldap/api/sources.py

@@ -1,10 +1,7 @@
 """Source API Views"""
 from typing import Any
 
-from django_filters.filters import AllValuesMultipleFilter
-from django_filters.filterset import FilterSet
-from drf_spectacular.types import OpenApiTypes
-from drf_spectacular.utils import extend_schema, extend_schema_field, inline_serializer
+from drf_spectacular.utils import extend_schema, inline_serializer
 from rest_framework.decorators import action
 from rest_framework.exceptions import ValidationError
 from rest_framework.fields import DictField, ListField
@@ -14,12 +11,11 @@ from rest_framework.response import Response
 from rest_framework.viewsets import ModelViewSet
 
 from authentik.admin.api.tasks import TaskSerializer
-from authentik.core.api.propertymappings import PropertyMappingSerializer
 from authentik.core.api.sources import SourceSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.crypto.models import CertificateKeyPair
 from authentik.events.monitored_tasks import TaskInfo
-from authentik.sources.ldap.models import LDAPPropertyMapping, LDAPSource
+from authentik.sources.ldap.models import LDAPSource
 from authentik.sources.ldap.tasks import SYNC_CLASSES
 
 
@@ -154,33 +150,3 @@ class LDAPSourceViewSet(UsedByMixin, ModelViewSet):
                 obj.pop("raw_dn", None)
                 all_objects[class_name].append(obj)
         return Response(data=all_objects)
-
-
-class LDAPPropertyMappingSerializer(PropertyMappingSerializer):
-    """LDAP PropertyMapping Serializer"""
-
-    class Meta:
-        model = LDAPPropertyMapping
-        fields = PropertyMappingSerializer.Meta.fields + [
-            "object_field",
-        ]
-
-
-class LDAPPropertyMappingFilter(FilterSet):
-    """Filter for LDAPPropertyMapping"""
-
-    managed = extend_schema_field(OpenApiTypes.STR)(AllValuesMultipleFilter(field_name="managed"))
-
-    class Meta:
-        model = LDAPPropertyMapping
-        fields = "__all__"
-
-
-class LDAPPropertyMappingViewSet(UsedByMixin, ModelViewSet):
-    """LDAP PropertyMapping Viewset"""
-
-    queryset = LDAPPropertyMapping.objects.all()
-    serializer_class = LDAPPropertyMappingSerializer
-    filterset_class = LDAPPropertyMappingFilter
-    search_fields = ["name"]
-    ordering = ["name"]

authentik/sources/ldap/migrations/0004_ldapgroupsourceconnection_ldapusersourceconnection.py

@@ -0,0 +1,58 @@
+# Generated by Django 4.2.5 on 2023-09-27 10:44
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("authentik_core", "0032_groupsourceconnection"),
+        ("authentik_sources_ldap", "0003_ldapsource_client_certificate_ldapsource_sni_and_more"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="LDAPGroupSourceConnection",
+            fields=[
+                (
+                    "groupsourceconnection_ptr",
+                    models.OneToOneField(
+                        auto_created=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        parent_link=True,
+                        primary_key=True,
+                        serialize=False,
+                        to="authentik_core.groupsourceconnection",
+                    ),
+                ),
+                ("unique_identifier", models.TextField(unique=True)),
+            ],
+            options={
+                "verbose_name": "LDAP Group Source Connection",
+                "verbose_name_plural": "LDAP Group Source Connections",
+            },
+            bases=("authentik_core.groupsourceconnection",),
+        ),
+        migrations.CreateModel(
+            name="LDAPUserSourceConnection",
+            fields=[
+                (
+                    "usersourceconnection_ptr",
+                    models.OneToOneField(
+                        auto_created=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        parent_link=True,
+                        primary_key=True,
+                        serialize=False,
+                        to="authentik_core.usersourceconnection",
+                    ),
+                ),
+                ("unique_identifier", models.TextField(unique=True)),
+            ],
+            options={
+                "verbose_name": "LDAP User Source Connection",
+                "verbose_name_plural": "LDAP User Source Connections",
+            },
+            bases=("authentik_core.usersourceconnection",),
+        ),
+    ]

authentik/sources/ldap/models.py

@@ -10,7 +10,13 @@ from ldap3 import ALL, NONE, RANDOM, Connection, Server, ServerPool, Tls
 from ldap3.core.exceptions import LDAPInsufficientAccessRightsResult, LDAPSchemaError
 from rest_framework.serializers import Serializer
 
-from authentik.core.models import Group, PropertyMapping, Source
+from authentik.core.models import (
+    Group,
+    GroupSourceConnection,
+    PropertyMapping,
+    Source,
+    UserSourceConnection,
+)
 from authentik.crypto.models import CertificateKeyPair
 from authentik.lib.config import CONFIG
 from authentik.lib.models import DomainlessURLValidator
@@ -113,7 +119,7 @@ class LDAPSource(Source):
 
     @property
     def serializer(self) -> type[Serializer]:
-        from authentik.sources.ldap.api import LDAPSourceSerializer
+        from authentik.sources.ldap.api.sources import LDAPSourceSerializer
 
         return LDAPSourceSerializer
 
@@ -202,7 +208,7 @@ class LDAPPropertyMapping(PropertyMapping):
 
     @property
     def serializer(self) -> type[Serializer]:
-        from authentik.sources.ldap.api import LDAPPropertyMappingSerializer
+        from authentik.sources.ldap.api.property_mappings import LDAPPropertyMappingSerializer
 
         return LDAPPropertyMappingSerializer
 
@@ -212,3 +218,35 @@ class LDAPPropertyMapping(PropertyMapping):
     class Meta:
         verbose_name = _("LDAP Property Mapping")
         verbose_name_plural = _("LDAP Property Mappings")
+
+
+class LDAPUserSourceConnection(UserSourceConnection):
+    """Connection between an authentik user and an LDAP source."""
+
+    unique_identifier = models.TextField(unique=True)
+
+    @property
+    def serializer(self) -> Serializer:
+        from authentik.sources.ldap.api.source_connections import LDAPUserSourceConnectionSerializer
+
+        return LDAPUserSourceConnectionSerializer
+
+    class Meta:
+        verbose_name = _("LDAP User Source Connection")
+        verbose_name_plural = _("LDAP User Source Connections")
+
+
+class LDAPGroupSourceConnection(GroupSourceConnection):
+    """Connection between an authentik group and an LDAP source."""
+
+    unique_identifier = models.TextField(unique=True)
+
+    @property
+    def serializer(self) -> Serializer:
+        from authentik.sources.ldap.api.source_connections import LDAPUserSourceConnectionSerializer
+
+        return LDAPUserSourceConnectionSerializer
+
+    class Meta:
+        verbose_name = _("LDAP Group Source Connection")
+        verbose_name_plural = _("LDAP Group Source Connections")

authentik/sources/ldap/sync/base.py

@@ -133,7 +133,7 @@ class BaseLDAPSynchronizer:
     def build_user_properties(self, user_dn: str, **kwargs) -> dict[str, Any]:
         """Build attributes for User object based on property mappings."""
         props = self._build_object_properties(user_dn, self._source.property_mappings, **kwargs)
-        props["path"] = self._source.get_user_path()
+        props.setdefault("path", self._source.get_user_path())
         return props
 
     def build_group_properties(self, group_dn: str, **kwargs) -> dict[str, Any]:
@@ -151,10 +151,14 @@ class BaseLDAPSynchronizer:
                 continue
             mapping: LDAPPropertyMapping
             try:
-                value = mapping.evaluate(user=None, request=None, ldap=kwargs, dn=object_dn)
+                value = mapping.evaluate(
+                    user=None, request=None, ldap=kwargs, dn=object_dn, source=self._source
+                )
                 if value is None:
+                    self._logger.warning("property mapping returned None", mapping=mapping)
                     continue
                 if isinstance(value, (bytes)):
+                    self._logger.warning("property mapping returned bytes", mapping=mapping)
                     continue
                 object_field = mapping.object_field
                 if object_field.startswith("attributes."):

authentik/sources/ldap/sync/groups.py

@@ -7,6 +7,7 @@ from ldap3 import ALL_ATTRIBUTES, ALL_OPERATIONAL_ATTRIBUTES, SUBTREE
 
 from authentik.core.models import Group
 from authentik.events.models import Event, EventAction
+from authentik.sources.ldap.models import LDAPGroupSourceConnection
 from authentik.sources.ldap.sync.base import LDAP_UNIQUENESS, BaseLDAPSynchronizer
 
 
@@ -63,7 +64,13 @@ class GroupLDAPSynchronizer(BaseLDAPSynchronizer):
                     },
                     defaults,
                 )
-                self._logger.debug("Created group with attributes", **defaults)
+                LDAPGroupSourceConnection.objects.update_or_create(
+                    defaults={
+                        "unique_identifier": uniq,
+                    },
+                    source=self._source,
+                    group=ak_group,
+                )
             except (IntegrityError, FieldError, TypeError, AttributeError) as exc:
                 Event.new(
                     EventAction.CONFIGURATION_ERROR,

authentik/sources/ldap/sync/users.py

@@ -7,6 +7,7 @@ from ldap3 import ALL_ATTRIBUTES, ALL_OPERATIONAL_ATTRIBUTES, SUBTREE
 
 from authentik.core.models import User
 from authentik.events.models import Event, EventAction
+from authentik.sources.ldap.models import LDAPUserSourceConnection
 from authentik.sources.ldap.sync.base import LDAP_UNIQUENESS, BaseLDAPSynchronizer
 from authentik.sources.ldap.sync.vendor.freeipa import FreeIPA
 from authentik.sources.ldap.sync.vendor.ms_ad import MicrosoftActiveDirectory
@@ -58,6 +59,13 @@ class UserLDAPSynchronizer(BaseLDAPSynchronizer):
                 ak_user, created = self.update_or_create_attributes(
                     User, {f"attributes__{LDAP_UNIQUENESS}": uniq}, defaults
                 )
+                LDAPUserSourceConnection.objects.update_or_create(
+                    defaults={
+                        "unique_identifier": uniq,
+                    },
+                    source=self._source,
+                    user=ak_user,
+                )
             except (IntegrityError, FieldError, TypeError, AttributeError) as exc:
                 Event.new(
                     EventAction.CONFIGURATION_ERROR,
@@ -72,6 +80,7 @@ class UserLDAPSynchronizer(BaseLDAPSynchronizer):
             else:
                 self._logger.debug("Synced User", user=ak_user.username, created=created)
                 user_count += 1
+                # TODO: Optimise vendor sync to not create a new connection
                 MicrosoftActiveDirectory(self._source).sync(attributes, ak_user, created)
                 FreeIPA(self._source).sync(attributes, ak_user, created)
         return user_count

authentik/sources/ldap/tasks.py

@@ -4,6 +4,8 @@ from uuid import uuid4
 from celery import chain, group
 from django.core.cache import cache
 from ldap3.core.exceptions import LDAPException
+from redis.exceptions import LockError
+from redis.lock import Lock
 from structlog.stdlib import get_logger
 
 from authentik.events.monitored_tasks import MonitoredTask, TaskResult, TaskResultStatus
@@ -45,6 +47,12 @@ def ldap_sync_single(source_pk: str):
     source: LDAPSource = LDAPSource.objects.filter(pk=source_pk).first()
     if not source:
         return
+    lock = Lock(cache.client.get_client(), name=f"goauthentik.io/sources/ldap/sync-{source.slug}")
+    if lock.locked():
+        LOGGER.debug("LDAP sync locked, skipping task", source=source.slug)
+        return
+    try:
+        with lock:
             task = chain(
                 # User and group sync can happen at once, they have no dependencies on each other
                 group(
@@ -57,6 +65,10 @@ def ldap_sync_single(source_pk: str):
                 ),
             )
             task()
+    except LockError:
+        # This should never happen, we check if the lock is locked above so this
+        # would only happen if there was some other timeout
+        LOGGER.debug("Failed to acquire lock for LDAP sync", source=source.slug)
 
 
 def ldap_sync_paginator(source: LDAPSource, sync: type[BaseLDAPSynchronizer]) -> list:

authentik/sources/ldap/tests/mock_ad.py

@@ -55,7 +55,7 @@ def mock_ad_connection(password: str) -> Connection:
             "revision": 0,
             "objectSid": "user0",
             "objectClass": "person",
-            "distinguishedName": "cn=user0,ou=users,dc=goauthentik,dc=io",
+            "distinguishedName": "cn=user0,ou=foo,ou=users,dc=goauthentik,dc=io",
             "userAccountControl": (
                 UserAccountControl.ACCOUNTDISABLE + UserAccountControl.NORMAL_ACCOUNT
             ),

authentik/sources/ldap/tests/test_api.py

@@ -2,7 +2,7 @@
 from rest_framework.test import APITestCase
 
 from authentik.lib.generators import generate_key
-from authentik.sources.ldap.api import LDAPSourceSerializer
+from authentik.sources.ldap.api.sources import LDAPSourceSerializer
 from authentik.sources.ldap.models import LDAPSource
 
 LDAP_PASSWORD = generate_key()

authentik/sources/ldap/tests/test_sync.py

@@ -9,7 +9,7 @@ from authentik.core.models import Group, User
 from authentik.core.tests.utils import create_test_admin_user
 from authentik.events.models import Event, EventAction
 from authentik.events.monitored_tasks import TaskInfo, TaskResultStatus
-from authentik.lib.generators import generate_key
+from authentik.lib.generators import generate_id, generate_key
 from authentik.lib.utils.reflection import class_to_path
 from authentik.sources.ldap.models import LDAPPropertyMapping, LDAPSource
 from authentik.sources.ldap.sync.groups import GroupLDAPSynchronizer
@@ -71,6 +71,28 @@ class LDAPSyncTests(TestCase):
         )
         self.assertTrue(events.exists())
 
+    def test_sync_mapping(self):
+        """Test property mappings"""
+        none = LDAPPropertyMapping.objects.create(
+            name=generate_id(), object_field="none", expression="return None"
+        )
+        byte_mapping = LDAPPropertyMapping.objects.create(
+            name=generate_id(), object_field="bytes", expression="return b''"
+        )
+        self.source.property_mappings.set(
+            LDAPPropertyMapping.objects.filter(
+                Q(managed__startswith="goauthentik.io/sources/ldap/default")
+                | Q(managed__startswith="goauthentik.io/sources/ldap/ms")
+            )
+        )
+        self.source.property_mappings.add(none, byte_mapping)
+        connection = MagicMock(return_value=mock_ad_connection(LDAP_PASSWORD))
+
+        # we basically just test that the mappings don't throw errors
+        with patch("authentik.sources.ldap.models.LDAPSource.connection", connection):
+            user_sync = UserLDAPSynchronizer(self.source)
+            user_sync.sync_full()
+
     def test_sync_users_ad(self):
         """Test user sync"""
         self.source.property_mappings.set(
@@ -79,7 +101,6 @@ class LDAPSyncTests(TestCase):
                 | Q(managed__startswith="goauthentik.io/sources/ldap/ms")
             )
         )
-        self.source.save()
         connection = MagicMock(return_value=mock_ad_connection(LDAP_PASSWORD))
 
         # Create the user beforehand so we can set attributes and check they aren't removed
@@ -102,6 +123,7 @@ class LDAPSyncTests(TestCase):
             user = User.objects.filter(username="user0_sn").first()
             self.assertEqual(user.attributes["foo"], "bar")
             self.assertFalse(user.is_active)
+            self.assertEqual(user.path, "goauthentik.io/sources/ldap/users/foo")
             self.assertFalse(User.objects.filter(username="user1_sn").exists())
 
     def test_sync_users_openldap(self):
@@ -113,7 +135,6 @@ class LDAPSyncTests(TestCase):
                 | Q(managed__startswith="goauthentik.io/sources/ldap/openldap")
             )
         )
-        self.source.save()
         connection = MagicMock(return_value=mock_slapd_connection(LDAP_PASSWORD))
         with patch("authentik.sources.ldap.models.LDAPSource.connection", connection):
             user_sync = UserLDAPSynchronizer(self.source)
@@ -130,7 +151,6 @@ class LDAPSyncTests(TestCase):
                 | Q(managed__startswith="goauthentik.io/sources/ldap/openldap")
             )
         )
-        self.source.save()
         connection = MagicMock(return_value=mock_freeipa_connection(LDAP_PASSWORD))
         with patch("authentik.sources.ldap.models.LDAPSource.connection", connection):
             user_sync = UserLDAPSynchronizer(self.source)

authentik/sources/ldap/urls.py

@@ -1,7 +1,10 @@
 """API URLs"""
-from authentik.sources.ldap.api import LDAPPropertyMappingViewSet, LDAPSourceViewSet
+from authentik.sources.ldap.api.property_mappings import LDAPPropertyMappingViewSet
+from authentik.sources.ldap.api.source_connections import LDAPUserSourceConnectionViewSet
+from authentik.sources.ldap.api.sources import LDAPSourceViewSet
 
 api_urlpatterns = [
     ("propertymappings/ldap", LDAPPropertyMappingViewSet),
+    ("sources/user_connections/ldap", LDAPUserSourceConnectionViewSet),
     ("sources/ldap", LDAPSourceViewSet),
 ]

authentik/sources/oauth/models.py

@@ -68,7 +68,7 @@ class OAuthSource(Source):
     # we're using Type[] instead of type[] here since type[] interferes with the property above
     @property
     def serializer(self) -> Type[Serializer]:
-        from authentik.sources.oauth.api.source import OAuthSourceSerializer
+        from authentik.sources.oauth.api.sources import OAuthSourceSerializer
 
         return OAuthSourceSerializer
 
@@ -234,7 +234,7 @@ class UserOAuthSourceConnection(UserSourceConnection):
 
     @property
     def serializer(self) -> Serializer:
-        from authentik.sources.oauth.api.source_connection import (
+        from authentik.sources.oauth.api.source_connections import (
             UserOAuthSourceConnectionSerializer,
         )
 

authentik/sources/oauth/tests/test_views.py

@@ -3,7 +3,7 @@ from django.test import TestCase
 from django.urls import reverse
 from requests_mock import Mocker
 
-from authentik.sources.oauth.api.source import OAuthSourceSerializer
+from authentik.sources.oauth.api.sources import OAuthSourceSerializer
 from authentik.sources.oauth.models import OAuthSource
 
 

authentik/sources/oauth/urls.py

@@ -2,8 +2,8 @@
 
 from django.urls import path
 
-from authentik.sources.oauth.api.source import OAuthSourceViewSet
-from authentik.sources.oauth.api.source_connection import UserOAuthSourceConnectionViewSet
+from authentik.sources.oauth.api.source_connections import UserOAuthSourceConnectionViewSet
+from authentik.sources.oauth.api.sources import OAuthSourceViewSet
 from authentik.sources.oauth.types.registry import RequestKind
 from authentik.sources.oauth.views.dispatcher import DispatcherView
 

authentik/stages/authenticator/__init__.py

@@ -0,0 +1,129 @@
+"""Authenticator devices helpers"""
+from django.db import transaction
+
+
+def verify_token(user, device_id, token):
+    """
+    Attempts to verify a :term:`token` against a specific device, identified by
+    :attr:`~authentik.stages.authenticator.models.Device.persistent_id`.
+
+    This wraps the verification process in a transaction to ensure that things
+    like throttling polices are properly enforced.
+
+    :param user: The user supplying the token.
+    :type user: :class:`~django.contrib.auth.models.User`
+
+    :param str device_id: A device's persistent_id value.
+
+    :param str token: An OTP token to verify.
+
+    :returns: The device that accepted ``token``, if any.
+    :rtype: :class:`~authentik.stages.authenticator.models.Device` or ``None``
+
+    """
+    from authentik.stages.authenticator.models import Device
+
+    verified = None
+    with transaction.atomic():
+        device = Device.from_persistent_id(device_id, for_verify=True)
+        if (device is not None) and (device.user_id == user.pk) and device.verify_token(token):
+            verified = device
+
+    return verified
+
+
+def match_token(user, token):
+    """
+    Attempts to verify a :term:`token` on every device attached to the given
+    user until one of them succeeds.
+
+    .. warning::
+
+        This originally existed for more convenient integration with the admin
+        site. Its use is no longer recommended and it is not guaranteed to
+        interact well with more recent features (such as throttling). Tokens
+        should always be verified against specific devices.
+
+    :param user: The user supplying the token.
+    :type user: :class:`~django.contrib.auth.models.User`
+
+    :param str token: An OTP token to verify.
+
+    :returns: The device that accepted ``token``, if any.
+    :rtype: :class:`~authentik.stages.authenticator.models.Device` or ``None``
+    """
+    with transaction.atomic():
+        for device in devices_for_user(user, for_verify=True):
+            if device.verify_token(token):
+                break
+        else:
+            device = None
+
+    return device
+
+
+def devices_for_user(user, confirmed=True, for_verify=False):
+    """
+    Return an iterable of all devices registered to the given user.
+
+    Returns an empty iterable for anonymous users.
+
+    :param user: standard or custom user object.
+    :type user: :class:`~django.contrib.auth.models.User`
+
+    :param bool confirmed: If ``None``, all matching devices are returned.
+        Otherwise, this can be any true or false value to limit the query
+        to confirmed or unconfirmed devices, respectively.
+
+    :param bool for_verify: If ``True``, we'll load the devices with
+        :meth:`~django.db.models.query.QuerySet.select_for_update` to prevent
+        concurrent verifications from succeeding. In which case, this must be
+        called inside a transaction.
+
+    :rtype: iterable
+    """
+    if user.is_anonymous:
+        return
+
+    for model in device_classes():
+        device_set = model.objects.devices_for_user(user, confirmed=confirmed)
+        if for_verify:
+            device_set = device_set.select_for_update()
+
+        yield from device_set
+
+
+def user_has_device(user, confirmed=True):
+    """
+    Return ``True`` if the user has at least one device.
+
+    Returns ``False`` for anonymous users.
+
+    :param user: standard or custom user object.
+    :type user: :class:`~django.contrib.auth.models.User`
+
+    :param confirmed: If ``None``, all matching devices are considered.
+        Otherwise, this can be any true or false value to limit the query
+        to confirmed or unconfirmed devices, respectively.
+    """
+    try:
+        next(devices_for_user(user, confirmed=confirmed))
+    except StopIteration:
+        has_device = False
+    else:
+        has_device = True
+
+    return has_device
+
+
+def device_classes():
+    """
+    Returns an iterable of all loaded device models.
+    """
+    from django.apps import apps  # isort: skip
+    from authentik.stages.authenticator.models import Device
+
+    for config in apps.get_app_configs():
+        for model in config.get_models():
+            if issubclass(model, Device):
+                yield model

authentik/stages/authenticator/apps.py

@@ -0,0 +1,10 @@
+"""Authenticator"""
+from django.apps import AppConfig
+
+
+class AuthentikStageAuthenticatorConfig(AppConfig):
+    """Authenticator App config"""
+
+    name = "authentik.stages.authenticator"
+    label = "authentik_stages_authenticator"
+    verbose_name = "authentik Stages.Authenticator"

authentik/stages/authenticator/models.py

@@ -0,0 +1,401 @@
+"""Base authenticator models"""
+from datetime import timedelta
+
+from django.apps import apps
+from django.core.exceptions import ObjectDoesNotExist
+from django.db import models
+from django.utils import timezone
+from django.utils.functional import cached_property
+
+from authentik.core.models import User
+from authentik.stages.authenticator.util import random_number_token
+
+
+class DeviceManager(models.Manager):
+    """
+    The :class:`~django.db.models.Manager` object installed as
+    ``Device.objects``.
+    """
+
+    def devices_for_user(self, user, confirmed=None):
+        """
+        Returns a queryset for all devices of this class that belong to the
+        given user.
+
+        :param user: The user.
+        :type user: :class:`~django.contrib.auth.models.User`
+
+        :param confirmed: If ``None``, all matching devices are returned.
+            Otherwise, this can be any true or false value to limit the query
+            to confirmed or unconfirmed devices, respectively.
+        """
+        devices = self.model.objects.filter(user=user)
+        if confirmed is not None:
+            devices = devices.filter(confirmed=bool(confirmed))
+
+        return devices
+
+
+class Device(models.Model):
+    """
+    Abstract base model for a :term:`device` attached to a user. Plugins must
+    subclass this to define their OTP models.
+
+    .. _unsaved_device_warning:
+
+    .. warning::
+
+        OTP devices are inherently stateful. For example, verifying a token is
+        logically a mutating operation on the device, which may involve
+        incrementing a counter or otherwise consuming a token. A device must be
+        committed to the database before it can be used in any way.
+
+    .. attribute:: user
+
+        *ForeignKey*: Foreign key to your user model, as configured by
+        :setting:`AUTH_USER_MODEL` (:class:`~django.contrib.auth.models.User`
+        by default).
+
+    .. attribute:: name
+
+        *CharField*: A human-readable name to help the user identify their
+        devices.
+
+    .. attribute:: confirmed
+
+        *BooleanField*: A boolean value that tells us whether this device has
+        been confirmed as valid. It defaults to ``True``, but subclasses or
+        individual deployments can force it to ``False`` if they wish to create
+        a device and then ask the user for confirmation. As a rule, built-in
+        APIs that enumerate devices will only include those that are confirmed.
+
+    .. attribute:: objects
+
+        A :class:`~authentik.stages.authenticator.models.DeviceManager`.
+    """
+
+    user = models.ForeignKey(
+        User,
+        help_text="The user that this device belongs to.",
+        on_delete=models.CASCADE,
+    )
+
+    name = models.CharField(max_length=64, help_text="The human-readable name of this device.")
+
+    confirmed = models.BooleanField(default=True, help_text="Is this device ready for use?")
+
+    objects = DeviceManager()
+
+    class Meta:
+        abstract = True
+
+    def __str__(self):
+        try:
+            user = self.user
+        except ObjectDoesNotExist:
+            user = None
+
+        return "{0} ({1})".format(self.name, user)
+
+    @property
+    def persistent_id(self):
+        """
+        A stable device identifier for forms and APIs.
+        """
+        return "{0}/{1}".format(self.model_label(), self.id)
+
+    @classmethod
+    def model_label(cls):
+        """
+        Returns an identifier for this Django model class.
+
+        This is just the standard "<app_label>.<model_name>" form.
+
+        """
+        return "{0}.{1}".format(cls._meta.app_label, cls._meta.model_name)
+
+    @classmethod
+    def from_persistent_id(cls, persistent_id, for_verify=False):
+        """
+        Loads a device from its persistent id::
+
+            device == Device.from_persistent_id(device.persistent_id)
+
+        :param bool for_verify: If ``True``, we'll load the device with
+            :meth:`~django.db.models.query.QuerySet.select_for_update` to
+            prevent concurrent verifications from succeeding. In which case,
+            this must be called inside a transaction.
+
+        """
+        device = None
+
+        try:
+            model_label, device_id = persistent_id.rsplit("/", 1)
+            app_label, model_name = model_label.split(".")
+
+            device_cls = apps.get_model(app_label, model_name)
+            if issubclass(device_cls, Device):
+                device_set = device_cls.objects.filter(id=int(device_id))
+                if for_verify:
+                    device_set = device_set.select_for_update()
+                device = device_set.first()
+        except (ValueError, LookupError):
+            pass
+
+        return device
+
+    def is_interactive(self):
+        """
+        Returns ``True`` if this is an interactive device. The default
+        implementation returns ``True`` if
+        :meth:`~authentik.stages.authenticator.models.Device.generate_challenge` has been
+        overridden, but subclasses are welcome to provide smarter
+        implementations.
+
+        :rtype: bool
+        """
+        return not hasattr(self.generate_challenge, "stub")
+
+    def generate_challenge(self):
+        """
+        Generates a challenge value that the user will need to produce a token.
+        This method is permitted to have side effects, such as transmitting
+        information to the user through some other channel (email or SMS,
+        perhaps). And, of course, some devices may need to commit the
+        challenge to the database.
+
+        :returns: A message to the user. This should be a string that fits
+            comfortably in the template ``'OTP Challenge: {0}'``. This may
+            return ``None`` if this device is not interactive.
+        :rtype: string or ``None``
+
+        :raises: Any :exc:`~exceptions.Exception` is permitted. Callers should
+            trap ``Exception`` and report it to the user.
+        """
+        return None
+
+    generate_challenge.stub = True
+
+    def verify_is_allowed(self):
+        """
+        Checks whether it is permissible to call :meth:`verify_token`. If it is
+        allowed, returns ``(True, None)``. Otherwise returns ``(False,
+        data_dict)``, where ``data_dict`` contains extra information, defined
+        by the implementation.
+
+        This method can be used to implement throttling or locking, for
+        example. Client code should check this method before calling
+        :meth:`verify_token` and report problems to the user.
+
+        To report specific problems, the data dictionary can return include a
+        ``'reason'`` member with a value from the constants in
+        :class:`VerifyNotAllowed`. Otherwise, an ``'error_message'`` member
+        should be provided with an error message.
+
+        :meth:`verify_token` should also call this method and return False if
+        verification is not allowed.
+
+        :rtype: (bool, dict or ``None``)
+
+        """
+        return (True, None)
+
+    def verify_token(self, token):
+        """
+        Verifies a token. As a rule, the token should no longer be valid if
+        this returns ``True``.
+
+        :param str token: The OTP token provided by the user.
+        :rtype: bool
+        """
+        return False
+
+
+class SideChannelDevice(Device):
+    """
+    Abstract base model for a side-channel :term:`device` attached to a user.
+
+    This model implements token generation, verification and expiration, so the
+    concrete devices only have to implement delivery.
+
+    """
+
+    token = models.CharField(max_length=16, blank=True, null=True)
+
+    valid_until = models.DateTimeField(
+        default=timezone.now,
+        help_text="The timestamp of the moment of expiry of the saved token.",
+    )
+
+    class Meta:
+        abstract = True
+
+    def generate_token(self, length=6, valid_secs=300, commit=True):
+        """
+        Generates a token of the specified length, then sets it on the model
+        and sets the expiration of the token on the model.
+
+        Pass 'commit=False' to avoid calling self.save().
+
+        :param int length: Number of decimal digits in the generated token.
+        :param int valid_secs: Amount of seconds the token should be valid.
+        :param bool commit: Whether to autosave the generated token.
+
+        """
+        self.token = random_number_token(length)
+        self.valid_until = timezone.now() + timedelta(seconds=valid_secs)
+        if commit:
+            self.save()
+
+    def verify_token(self, token):
+        """
+        Verifies a token by content and expiry.
+
+        On success, the token is cleared and the device saved.
+
+        :param str token: The OTP token provided by the user.
+        :rtype: bool
+
+        """
+        _now = timezone.now()
+
+        if (self.token is not None) and (token == self.token) and (_now < self.valid_until):
+            self.token = None
+            self.valid_until = _now
+            self.save()
+
+            return True
+        return False
+
+
+class VerifyNotAllowed:
+    """
+    Constants that may be returned in the ``reason`` member of the extra
+    information dictionary returned by
+    :meth:`~authentik.stages.authenticator.models.Device.verify_is_allowed`
+
+    .. data:: N_FAILED_ATTEMPTS
+
+       Indicates that verification is disallowed because of ``n`` successive
+       failed attempts. The data dictionary should include the value of ``n``
+       in member ``failure_count``
+
+    """
+
+    N_FAILED_ATTEMPTS = "N_FAILED_ATTEMPTS"
+
+
+class ThrottlingMixin(models.Model):
+    """
+    Mixin class for models that want throttling behaviour.
+
+    This implements exponential back-off for verifying tokens. Subclasses must
+    implement :meth:`get_throttle_factor`, and must use the
+    :meth:`verify_is_allowed`, :meth:`throttle_reset` and
+    :meth:`throttle_increment` methods from within their verify_token() method.
+
+    See the implementation of
+    :class:`~authentik.stages.authenticator.plugins.otp_email.models.EmailDevice` for an example.
+
+    """
+
+    throttling_failure_timestamp = models.DateTimeField(
+        null=True,
+        blank=True,
+        default=None,
+        help_text=(
+            "A timestamp of the last failed verification attempt. "
+            "Null if last attempt succeeded."
+        ),
+    )
+
+    throttling_failure_count = models.PositiveIntegerField(
+        default=0, help_text="Number of successive failed attempts."
+    )
+
+    def verify_is_allowed(self):
+        """
+        If verification is allowed, returns ``(True, None)``.
+        Otherwise, returns ``(False, data_dict)``.
+
+        ``data_dict`` contains further information. Currently it can be::
+
+            {
+                'reason': VerifyNotAllowed.N_FAILED_ATTEMPTS,
+                'failure_count': n
+            }
+
+        where ``n`` is the number of successive failures. See
+        :class:`~authentik.stages.authenticator.models.VerifyNotAllowed`.
+
+        """
+        if (
+            self.throttling_enabled
+            and self.throttling_failure_count > 0
+            and self.throttling_failure_timestamp is not None
+        ):
+            now = timezone.now()
+            delay = (now - self.throttling_failure_timestamp).total_seconds()
+            # Required delays should be 1, 2, 4, 8 ...
+            delay_required = self.get_throttle_factor() * (2 ** (self.throttling_failure_count - 1))
+            if delay < delay_required:
+                return (
+                    False,
+                    {
+                        "reason": VerifyNotAllowed.N_FAILED_ATTEMPTS,
+                        "failure_count": self.throttling_failure_count,
+                        "locked_until": self.throttling_failure_timestamp
+                        + timedelta(seconds=delay_required),
+                    },
+                )
+
+        return super().verify_is_allowed()
+
+    def throttle_reset(self, commit=True):
+        """
+        Call this method to reset throttling (normally when a verify attempt
+        succeeded).
+
+        Pass 'commit=False' to avoid calling self.save().
+
+        """
+        self.throttling_failure_timestamp = None
+        self.throttling_failure_count = 0
+        if commit:
+            self.save()
+
+    def throttle_increment(self, commit=True):
+        """
+        Call this method to increase throttling (normally when a verify attempt
+        failed).
+
+        Pass 'commit=False' to avoid calling self.save().
+
+        """
+        self.throttling_failure_timestamp = timezone.now()
+        self.throttling_failure_count += 1
+        if commit:
+            self.save()
+
+    @cached_property
+    def throttling_enabled(self) -> bool:
+        """Check if throttling is enabled"""
+        return self.get_throttle_factor() > 0
+
+    def get_throttle_factor(self):  # pragma: no cover
+        """
+        This must be implemented to return the throttle factor.
+
+        The number of seconds required between verification attempts will be
+        :math:`c2^{n-1}` where `c` is this factor and `n` is the number of
+        previous failures. A factor of 1 translates to delays of 1, 2, 4, 8,
+        etc. seconds. A factor of 0 disables the throttling.
+
+        Normally this is just a wrapper for a plugin-specific setting like
+        :setting:`OTP_EMAIL_THROTTLE_FACTOR`.
+
+        """
+        raise NotImplementedError()
+
+    class Meta:
+        abstract = True

authentik/stages/authenticator/oath.py

@@ -0,0 +1,199 @@
+"""OATH helpers"""
+import hmac
+from hashlib import sha1
+from struct import pack
+from time import time
+
+
+# pylint: disable=invalid-name
+def hotp(key: bytes, counter: int, digits=6) -> int:
+    """
+    Implementation of the HOTP algorithm from `RFC 4226
+    <http://tools.ietf.org/html/rfc4226#section-5>`_.
+
+    :param bytes key: The shared secret. A 20-byte string is recommended.
+    :param int counter: The password counter.
+    :param int digits: The number of decimal digits to generate.
+
+    :returns: The HOTP token.
+    :rtype: int
+
+    >>> key = b'12345678901234567890'
+    >>> for c in range(10):
+    ...     hotp(key, c)
+    755224
+    287082
+    359152
+    969429
+    338314
+    254676
+    287922
+    162583
+    399871
+    520489
+    """
+    msg = pack(b">Q", counter)
+    hs = hmac.new(key, msg, sha1).digest()
+    hs = list(iter(hs))
+
+    offset = hs[19] & 0x0F
+    bin_code = (
+        (hs[offset] & 0x7F) << 24 | hs[offset + 1] << 16 | hs[offset + 2] << 8 | hs[offset + 3]
+    )
+    return bin_code % pow(10, digits)
+
+
+def totp(key: bytes, step=30, t0=0, digits=6, drift=0) -> int:
+    """
+    Implementation of the TOTP algorithm from `RFC 6238
+    <http://tools.ietf.org/html/rfc6238#section-4>`_.
+
+    :param bytes key: The shared secret. A 20-byte string is recommended.
+    :param int step: The time step in seconds. The time-based code changes
+        every ``step`` seconds.
+    :param int t0: The Unix time at which to start counting time steps.
+    :param int digits: The number of decimal digits to generate.
+    :param int drift: The number of time steps to add or remove. Delays and
+        clock differences might mean that you have to look back or forward a
+        step or two in order to match a token.
+
+    :returns: The TOTP token.
+    :rtype: int
+
+    >>> key = b'12345678901234567890'
+    >>> now = int(time())
+    >>> for delta in range(0, 200, 20):
+    ...     totp(key, t0=(now-delta))
+    755224
+    755224
+    287082
+    359152
+    359152
+    969429
+    338314
+    338314
+    254676
+    287922
+    """
+    return TOTP(key, step, t0, digits, drift).token()
+
+
+class TOTP:
+    """
+    An alternate TOTP interface.
+
+    This provides access to intermediate steps of the computation. This is a
+    living object: the return values of ``t`` and ``token`` will change along
+    with other properties and with the passage of time.
+
+    :param bytes key: The shared secret. A 20-byte string is recommended.
+    :param int step: The time step in seconds. The time-based code changes
+        every ``step`` seconds.
+    :param int t0: The Unix time at which to start counting time steps.
+    :param int digits: The number of decimal digits to generate.
+    :param int drift: The number of time steps to add or remove. Delays and
+        clock differences might mean that you have to look back or forward a
+        step or two in order to match a token.
+
+    >>> key = b'12345678901234567890'
+    >>> totp = TOTP(key)
+    >>> totp.time = 0
+    >>> totp.t()
+    0
+    >>> totp.token()
+    755224
+    >>> totp.time = 30
+    >>> totp.t()
+    1
+    >>> totp.token()
+    287082
+    >>> totp.verify(287082)
+    True
+    >>> totp.verify(359152)
+    False
+    >>> totp.verify(359152, tolerance=1)
+    True
+    >>> totp.drift
+    1
+    >>> totp.drift = 0
+    >>> totp.verify(359152, tolerance=1, min_t=3)
+    False
+    >>> totp.drift
+    0
+    >>> del totp.time
+    >>> totp.t0 = int(time()) - 60
+    >>> totp.t()
+    2
+    >>> totp.token()
+    359152
+    """
+
+    # pylint: disable=too-many-arguments
+    def __init__(self, key: bytes, step=30, t0=0, digits=6, drift=0):
+        self.key = key
+        self.step = step
+        self.t0 = t0
+        self.digits = digits
+        self.drift = drift
+        self._time = None
+
+    def token(self):
+        """The computed TOTP token."""
+        return hotp(self.key, self.t(), digits=self.digits)
+
+    def t(self):
+        """The computed time step."""
+        return ((int(self.time) - self.t0) // self.step) + self.drift
+
+    @property
+    def time(self):
+        """
+        The current time.
+
+        By default, this returns time.time() each time it is accessed. If you
+        want to generate a token at a specific time, you can set this property
+        to a fixed value instead. Deleting the value returns it to its 'live'
+        state.
+
+        """
+        return self._time if (self._time is not None) else time()
+
+    @time.setter
+    def time(self, value):
+        self._time = value
+
+    @time.deleter
+    def time(self):
+        self._time = None
+
+    def verify(self, token, tolerance=0, min_t=None):
+        """
+        A high-level verification helper.
+
+        :param int token: The provided token.
+        :param int tolerance: The amount of clock drift you're willing to
+            accommodate, in steps. We'll look for the token at t values in
+            [t - tolerance, t + tolerance].
+        :param int min_t: The minimum t value we'll accept. As a rule, this
+            should be one larger than the largest t value of any previously
+            accepted token.
+        :rtype: bool
+
+        Iff this returns True, `self.drift` will be updated to reflect the
+        drift value that was necessary to match the token.
+
+        """
+        drift_orig = self.drift
+        verified = False
+
+        for offset in range(-tolerance, tolerance + 1):
+            self.drift = drift_orig + offset
+            if (min_t is not None) and (self.t() < min_t):
+                continue
+            if self.token() == token:
+                verified = True
+                break
+        else:
+            self.drift = drift_orig
+
+        return verified

authentik/stages/authenticator/tests.py

@@ -0,0 +1,220 @@
+"""Base authenticator tests"""
+from datetime import timedelta
+from threading import Thread
+
+from django.contrib.auth.models import AnonymousUser
+from django.db import connection
+from django.test import TestCase, TransactionTestCase
+from django.test.utils import override_settings
+from django.utils import timezone
+from freezegun import freeze_time
+
+from authentik.core.tests.utils import create_test_admin_user
+from authentik.lib.generators import generate_id
+from authentik.stages.authenticator import match_token, user_has_device, verify_token
+from authentik.stages.authenticator.models import Device, VerifyNotAllowed
+
+
+class TestThread(Thread):
+    "Django testing quirk: threads have to close their DB connections."
+
+    __test__ = False
+
+    def run(self):
+        super().run()
+        connection.close()
+
+
+class ThrottlingTestMixin:
+    """
+    Generic tests for throttled devices.
+
+    Any concrete device implementation that uses throttling should define a
+    TestCase subclass that includes this as a base class. This will help verify
+    a correct integration of ThrottlingMixin.
+
+    Subclasses are responsible for populating self.device with a device to test
+    as well as implementing methods to generate tokens to test with.
+
+    """
+
+    device: Device
+
+    def valid_token(self):
+        """Returns a valid token to pass to our device under test."""
+        raise NotImplementedError()
+
+    def invalid_token(self):
+        """Returns an invalid token to pass to our device under test."""
+        raise NotImplementedError()
+
+    #
+    # Tests
+    #
+
+    def test_delay_imposed_after_fail(self):
+        """Test delay imposed after fail"""
+        verified1 = self.device.verify_token(self.invalid_token())
+        self.assertFalse(verified1)
+        verified2 = self.device.verify_token(self.valid_token())
+        self.assertFalse(verified2)
+
+    def test_delay_after_fail_expires(self):
+        """Test delay after fail expires"""
+        verified1 = self.device.verify_token(self.invalid_token())
+        self.assertFalse(verified1)
+        with freeze_time() as frozen_time:
+            # With default settings initial delay is 1 second
+            frozen_time.tick(delta=timedelta(seconds=1.1))
+            verified2 = self.device.verify_token(self.valid_token())
+            self.assertTrue(verified2)
+
+    def test_throttling_failure_count(self):
+        """Test throttling failure count"""
+        self.assertEqual(self.device.throttling_failure_count, 0)
+        for _ in range(0, 5):
+            self.device.verify_token(self.invalid_token())
+            # Only the first attempt will increase throttling_failure_count,
+            # the others will all be within 1 second of first
+            # and therefore not count as attempts.
+            self.assertEqual(self.device.throttling_failure_count, 1)
+
+    def test_verify_is_allowed(self):
+        """Test verify allowed"""
+        # Initially should be allowed
+        verify_is_allowed1, data1 = self.device.verify_is_allowed()
+        self.assertEqual(verify_is_allowed1, True)
+        self.assertEqual(data1, None)
+
+        # After failure, verify is not allowed
+        with freeze_time():
+            self.device.verify_token(self.invalid_token())
+            verify_is_allowed2, data2 = self.device.verify_is_allowed()
+            self.assertEqual(verify_is_allowed2, False)
+            self.assertEqual(
+                data2,
+                {
+                    "reason": VerifyNotAllowed.N_FAILED_ATTEMPTS,
+                    "failure_count": 1,
+                    "locked_until": timezone.now() + timezone.timedelta(seconds=1),
+                },
+            )
+
+        # After a successful attempt, should be allowed again
+        with freeze_time() as frozen_time:
+            frozen_time.tick(delta=timedelta(seconds=1.1))
+            self.device.verify_token(self.valid_token())
+
+            verify_is_allowed3, data3 = self.device.verify_is_allowed()
+            self.assertEqual(verify_is_allowed3, True)
+            self.assertEqual(data3, None)
+
+
+@override_settings(OTP_STATIC_THROTTLE_FACTOR=0)
+class APITestCase(TestCase):
+    """Test API"""
+
+    def setUp(self):
+        self.alice = create_test_admin_user("alice")
+        self.bob = create_test_admin_user("bob")
+        device = self.alice.staticdevice_set.create()
+        self.valid = generate_id(length=16)
+        device.token_set.create(token=self.valid)
+
+    def test_user_has_device(self):
+        """Test user_has_device"""
+        with self.subTest(user="anonymous"):
+            self.assertFalse(user_has_device(AnonymousUser()))
+        with self.subTest(user="alice"):
+            self.assertTrue(user_has_device(self.alice))
+        with self.subTest(user="bob"):
+            self.assertFalse(user_has_device(self.bob))
+
+    def test_verify_token(self):
+        """Test verify_token"""
+        device = self.alice.staticdevice_set.first()
+
+        verified = verify_token(self.alice, device.persistent_id, "bogus")
+        self.assertIsNone(verified)
+
+        verified = verify_token(self.alice, device.persistent_id, self.valid)
+        self.assertIsNotNone(verified)
+
+    def test_match_token(self):
+        """Test match_token"""
+        verified = match_token(self.alice, "bogus")
+        self.assertIsNone(verified)
+
+        verified = match_token(self.alice, self.valid)
+        self.assertEqual(verified, self.alice.staticdevice_set.first())
+
+
+@override_settings(OTP_STATIC_THROTTLE_FACTOR=0)
+class ConcurrencyTestCase(TransactionTestCase):
+    """Test concurrent verifications"""
+
+    def setUp(self):
+        self.alice = create_test_admin_user("alice")
+        self.bob = create_test_admin_user("bob")
+        self.valid = generate_id(length=16)
+        for user in [self.alice, self.bob]:
+            device = user.staticdevice_set.create()
+            device.token_set.create(token=self.valid)
+
+    def test_verify_token(self):
+        """Test verify_token in a thread"""
+
+        class VerifyThread(Thread):
+            """Verifier thread"""
+
+            __test__ = False
+
+            def __init__(self, user, device_id, token):
+                super().__init__()
+
+                self.user = user
+                self.device_id = device_id
+                self.token = token
+
+                self.verified = None
+
+            def run(self):
+                self.verified = verify_token(self.user, self.device_id, self.token)
+                connection.close()
+
+        device = self.alice.staticdevice_set.get()
+        threads = [VerifyThread(device.user, device.persistent_id, self.valid) for _ in range(10)]
+        for thread in threads:
+            thread.start()
+        for thread in threads:
+            thread.join()
+
+        self.assertEqual(sum(1 for t in threads if t.verified is not None), 1)
+
+    def test_match_token(self):
+        """Test match_token in a thread"""
+
+        class VerifyThread(Thread):
+            """Verifier thread"""
+
+            __test__ = False
+
+            def __init__(self, user, token):
+                super().__init__()
+
+                self.user = user
+                self.token = token
+
+                self.verified = None
+
+            def run(self):
+                self.verified = match_token(self.user, self.token)
+                connection.close()
+
+        threads = [VerifyThread(self.alice, self.valid) for _ in range(10)]
+        for thread in threads:
+            thread.start()
+        for thread in threads:
+            thread.join()
+
+        self.assertEqual(sum(1 for t in threads if t.verified is not None), 1)

authentik/stages/authenticator/util.py

@@ -0,0 +1,86 @@
+"""Authenticator utils"""
+import random
+import string
+from binascii import unhexlify
+from os import urandom
+
+from django.core.exceptions import ValidationError
+
+
+def hex_validator(length=0):
+    """
+    Returns a function to be used as a model validator for a hex-encoded
+    CharField. This is useful for secret keys of all kinds::
+
+        def key_validator(value):
+            return hex_validator(20)(value)
+
+        key = models.CharField(max_length=40,
+            validators=[key_validator], help_text='A hex-encoded 20-byte secret key')
+
+    :param int length: If greater than 0, validation will fail unless the
+        decoded value is exactly this number of bytes.
+
+    :rtype: function
+
+    >>> hex_validator()('0123456789abcdef')
+    >>> hex_validator(8)(b'0123456789abcdef')
+    >>> hex_validator()('phlebotinum')          # doctest: +IGNORE_EXCEPTION_DETAIL
+    Traceback (most recent call last):
+        ...
+    ValidationError: ['phlebotinum is not valid hex-encoded data.']
+    >>> hex_validator(9)('0123456789abcdef')    # doctest: +IGNORE_EXCEPTION_DETAIL
+    Traceback (most recent call last):
+        ...
+    ValidationError: ['0123456789abcdef does not represent exactly 9 bytes.']
+    """
+
+    def _validator(value):
+        try:
+            if isinstance(value, str):
+                value = value.encode()
+
+            unhexlify(value)
+        except Exception:
+            raise ValidationError("{0} is not valid hex-encoded data.".format(value))
+
+        if (length > 0) and (len(value) != length * 2):
+            raise ValidationError("{0} does not represent exactly {1} bytes.".format(value, length))
+
+    return _validator
+
+
+def random_hex(length=20):
+    """
+    Returns a string of random bytes encoded as hex.
+
+    This uses :func:`os.urandom`, so it should be suitable for generating
+    cryptographic keys.
+
+    :param int length: The number of (decoded) bytes to return.
+
+    :returns: A string of hex digits.
+    :rtype: str
+
+    """
+    return urandom(length).hex()
+
+
+def random_number_token(length=6):
+    """
+    Returns a string of random digits encoded as string.
+
+    :param int length: The number of digits to return.
+
+    :returns: A string of decimal digits.
+    :rtype: str
+
+    """
+    rand = random.SystemRandom()
+
+    if hasattr(rand, "choices"):
+        digits = rand.choices(string.digits, k=length)
+    else:
+        digits = (rand.choice(string.digits) for i in range(length))
+
+    return "".join(digits)

authentik/stages/authenticator_duo/models.py

@@ -5,7 +5,6 @@ from django.contrib.auth import get_user_model
 from django.db import models
 from django.utils.translation import gettext_lazy as _
 from django.views import View
-from django_otp.models import Device
 from duo_client.admin import Admin
 from duo_client.auth import Auth
 from rest_framework.serializers import BaseSerializer, Serializer
@@ -14,6 +13,7 @@ from authentik.core.types import UserSettingSerializer
 from authentik.flows.models import ConfigurableStage, FriendlyNamedStage, Stage
 from authentik.lib.models import SerializerModel
 from authentik.lib.utils.http import authentik_user_agent
+from authentik.stages.authenticator.models import Device
 
 
 class AuthenticatorDuoStage(ConfigurableStage, FriendlyNamedStage, Stage):

authentik/stages/authenticator_sms/models.py

@@ -6,7 +6,6 @@ from django.contrib.auth import get_user_model
 from django.db import models
 from django.utils.translation import gettext_lazy as _
 from django.views import View
-from django_otp.models import SideChannelDevice
 from requests.exceptions import RequestException
 from rest_framework.exceptions import ValidationError
 from rest_framework.serializers import BaseSerializer
@@ -21,6 +20,7 @@ from authentik.flows.models import ConfigurableStage, FriendlyNamedStage, Stage
 from authentik.lib.models import SerializerModel
 from authentik.lib.utils.errors import exception_to_string
 from authentik.lib.utils.http import get_http_session
+from authentik.stages.authenticator.models import SideChannelDevice
 
 LOGGER = get_logger()