cleanup and fix tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2024.4.4
+current_version = 2024.4.0
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?

.github/actions/docker-push-variables/push_vars.py

@@ -12,7 +12,7 @@ should_build = str(os.environ.get("DOCKER_USERNAME", None) is not None).lower()
 branch_name = os.environ["GITHUB_REF"]
 if os.environ.get("GITHUB_HEAD_REF", "") != "":
     branch_name = os.environ["GITHUB_HEAD_REF"]
-safe_branch_name = branch_name.replace("refs/heads/", "").replace("/", "-").replace("'", "-")
+safe_branch_name = branch_name.replace("refs/heads/", "").replace("/", "-")
 
 image_names = os.getenv("IMAGE_NAME").split(",")
 image_arch = os.getenv("IMAGE_ARCH") or None

.github/workflows/ci-main.yml

@@ -130,7 +130,7 @@ jobs:
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: Create k8s Kind Cluster
-        uses: helm/kind-action@v1.9.0
+        uses: helm/kind-action@v1.10.0
       - name: run integration
         run: |
           poetry run coverage run manage.py test tests/integration

.github/workflows/ci-outpost.yml

@@ -29,7 +29,7 @@ jobs:
       - name: Generate API
         run: make gen-client-go
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v4
+        uses: golangci/golangci-lint-action@v5
         with:
           version: v1.54.2
           args: --timeout 5000s --verbose

authentik/__init__.py

@@ -2,7 +2,7 @@
 
 from os import environ
 
-__version__ = "2024.4.4"
+__version__ = "2024.4.0"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 

authentik/core/api/groups.py

@@ -154,18 +154,12 @@ class GroupViewSet(UsedByMixin, ModelViewSet):
 
         pk = IntegerField(required=True)
 
-    queryset = Group.objects.none()
+    queryset = Group.objects.all().select_related("parent").prefetch_related("users")
     serializer_class = GroupSerializer
     search_fields = ["name", "is_superuser"]
     filterset_class = GroupFilter
     ordering = ["name"]
 
-    def get_queryset(self):
-        base_qs = Group.objects.all().select_related("parent").prefetch_related("roles")
-        if self.serializer_class(context={"request": self.request})._should_include_users:
-            base_qs = base_qs.prefetch_related("users")
-        return base_qs
-
     @extend_schema(
         parameters=[
             OpenApiParameter("include_users", bool, default=True),

authentik/core/api/tokens.py

@@ -45,13 +45,6 @@ class TokenSerializer(ManagedSerializer, ModelSerializer):
         if SERIALIZER_CONTEXT_BLUEPRINT in self.context:
             self.fields["key"] = CharField(required=False)
 
-    def validate_user(self, user: User):
-        """Ensure user of token cannot be changed"""
-        if self.instance and self.instance.user_id:
-            if user.pk != self.instance.user_id:
-                raise ValidationError("User cannot be changed")
-        return user
-
     def validate(self, attrs: dict[Any, str]) -> dict[Any, str]:
         """Ensure only API or App password tokens are created."""
         request: Request = self.context.get("request")

authentik/core/api/used_by.py

@@ -14,7 +14,6 @@ from rest_framework.request import Request
 from rest_framework.response import Response
 
 from authentik.core.api.utils import PassiveSerializer
-from authentik.rbac.filters import ObjectFilter
 
 
 class DeleteAction(Enum):
@@ -54,7 +53,7 @@ class UsedByMixin:
     @extend_schema(
         responses={200: UsedBySerializer(many=True)},
     )
-    @action(detail=True, pagination_class=None, filter_backends=[ObjectFilter])
+    @action(detail=True, pagination_class=None, filter_backends=[])
     def used_by(self, request: Request, *args, **kwargs) -> Response:
         """Get a list of all objects that use this object"""
         model: Model = self.get_object()

authentik/core/api/users.py

@@ -407,11 +407,8 @@ class UserViewSet(UsedByMixin, ModelViewSet):
     search_fields = ["username", "name", "is_active", "email", "uuid"]
     filterset_class = UsersFilter
 
-    def get_queryset(self):
-        base_qs = User.objects.all().exclude_anonymous()
-        if self.serializer_class(context={"request": self.request})._should_include_groups:
-            base_qs = base_qs.prefetch_related("ak_groups")
-        return base_qs
+    def get_queryset(self):  # pragma: no cover
+        return User.objects.all().exclude_anonymous().prefetch_related("ak_groups")
 
     @extend_schema(
         parameters=[

authentik/core/models.py

@@ -632,7 +632,7 @@ class UserSourceConnection(SerializerModel, CreatedUpdatedModel):
         raise NotImplementedError
 
     def __str__(self) -> str:
-        return f"User-source connection (user={self.user_id}, source={self.source_id})"
+        return f"User-source connection (user={self.user.username}, source={self.source.slug})"
 
     class Meta:
         unique_together = (("user", "source"),)

authentik/core/sources/flow_manager.py

@@ -13,7 +13,7 @@ from django.utils.translation import gettext as _
 from structlog.stdlib import get_logger
 
 from authentik.core.models import Source, SourceUserMatchingModes, User, UserSourceConnection
-from authentik.core.sources.stage import PLAN_CONTEXT_SOURCES_CONNECTION, PostSourceStage
+from authentik.core.sources.stage import PLAN_CONTEXT_SOURCES_CONNECTION, PostUserEnrollmentStage
 from authentik.events.models import Event, EventAction
 from authentik.flows.exceptions import FlowNonApplicableException
 from authentik.flows.models import Flow, FlowToken, Stage, in_memory_stage
@@ -100,6 +100,8 @@ class SourceFlowManager:
         if self.request.user.is_authenticated:
             new_connection.user = self.request.user
             new_connection = self.update_connection(new_connection, **kwargs)
+
+            new_connection.save()
             return Action.LINK, new_connection
 
         existing_connections = self.connection_type.objects.filter(
@@ -146,6 +148,7 @@ class SourceFlowManager:
         ]:
             new_connection.user = user
             new_connection = self.update_connection(new_connection, **kwargs)
+            new_connection.save()
             return Action.LINK, new_connection
         if self.source.user_matching_mode in [
             SourceUserMatchingModes.EMAIL_DENY,
@@ -206,9 +209,13 @@ class SourceFlowManager:
 
     def get_stages_to_append(self, flow: Flow) -> list[Stage]:
         """Hook to override stages which are appended to the flow"""
-        return [
-            in_memory_stage(PostSourceStage),
-        ]
+        if not self.source.enrollment_flow:
+            return []
+        if flow.slug == self.source.enrollment_flow.slug:
+            return [
+                in_memory_stage(PostUserEnrollmentStage),
+            ]
+        return []
 
     def _prepare_flow(
         self,
@@ -262,9 +269,6 @@ class SourceFlowManager:
             )
         # We run the Flow planner here so we can pass the Pending user in the context
         planner = FlowPlanner(flow)
-        # We append some stages so the initial flow we get might be empty
-        planner.allow_empty_flows = True
-        planner.use_cache = False
         plan = planner.plan(self.request, kwargs)
         for stage in self.get_stages_to_append(flow):
             plan.append_stage(stage)
@@ -323,7 +327,7 @@ class SourceFlowManager:
             reverse(
                 "authentik_core:if-user",
             )
-            + "#/settings;page-sources"
+            + f"#/settings;page-{self.source.slug}"
         )
 
     def handle_enroll(

authentik/core/sources/stage.py

@@ -10,7 +10,7 @@ from authentik.flows.stage import StageView
 PLAN_CONTEXT_SOURCES_CONNECTION = "goauthentik.io/sources/connection"
 
 
-class PostSourceStage(StageView):
+class PostUserEnrollmentStage(StageView):
     """Dynamically injected stage which saves the Connection after
     the user has been enrolled."""
 
@@ -21,12 +21,10 @@ class PostSourceStage(StageView):
         ]
         user: User = self.executor.plan.context[PLAN_CONTEXT_PENDING_USER]
         connection.user = user
-        linked = connection.pk is None
         connection.save()
-        if linked:
-            Event.new(
-                EventAction.SOURCE_LINKED,
-                message="Linked Source",
-                source=connection.source,
-            ).from_http(self.request)
+        Event.new(
+            EventAction.SOURCE_LINKED,
+            message="Linked Source",
+            source=connection.source,
+        ).from_http(self.request)
         return self.executor.stage_ok()

authentik/core/tasks.py

@@ -2,9 +2,7 @@
 
 from datetime import datetime, timedelta
 
-from django.conf import ImproperlyConfigured
 from django.contrib.sessions.backends.cache import KEY_PREFIX
-from django.contrib.sessions.backends.db import SessionStore as DBSessionStore
 from django.core.cache import cache
 from django.utils.timezone import now
 from structlog.stdlib import get_logger
@@ -17,7 +15,6 @@ from authentik.core.models import (
     User,
 )
 from authentik.events.system_tasks import SystemTask, TaskStatus, prefill_task
-from authentik.lib.config import CONFIG
 from authentik.root.celery import CELERY_APP
 
 LOGGER = get_logger()
@@ -42,31 +39,16 @@ def clean_expired_models(self: SystemTask):
     amount = 0
 
     for session in AuthenticatedSession.objects.all():
-        match CONFIG.get("session_storage", "cache"):
-            case "cache":
-                cache_key = f"{KEY_PREFIX}{session.session_key}"
-                value = None
-                try:
-                    value = cache.get(cache_key)
+        cache_key = f"{KEY_PREFIX}{session.session_key}"
+        value = None
+        try:
+            value = cache.get(cache_key)
 
-                except Exception as exc:
-                    LOGGER.debug("Failed to get session from cache", exc=exc)
-                if not value:
-                    session.delete()
-                    amount += 1
-            case "db":
-                if not (
-                    DBSessionStore.get_model_class()
-                    .objects.filter(session_key=session.session_key, expire_date__gt=now())
-                    .exists()
-                ):
-                    session.delete()
-                    amount += 1
-            case _:
-                # Should never happen, as we check for other values in authentik/root/settings.py
-                raise ImproperlyConfigured(
-                    "Invalid session_storage setting, allowed values are db and cache"
-                )
+        except Exception as exc:
+            LOGGER.debug("Failed to get session from cache", exc=exc)
+        if not value:
+            session.delete()
+            amount += 1
     LOGGER.debug("Expired sessions", model=AuthenticatedSession, amount=amount)
 
     messages.append(f"Expired {amount} {AuthenticatedSession._meta.verbose_name_plural}")

authentik/core/tests/test_groups_api.py

@@ -5,7 +5,7 @@ from guardian.shortcuts import assign_perm
 from rest_framework.test import APITestCase
 
 from authentik.core.models import Group, User
-from authentik.core.tests.utils import create_test_admin_user, create_test_user
+from authentik.core.tests.utils import create_test_user
 from authentik.lib.generators import generate_id
 
 
@@ -16,13 +16,6 @@ class TestGroupsAPI(APITestCase):
         self.login_user = create_test_user()
         self.user = User.objects.create(username="test-user")
 
-    def test_list_with_users(self):
-        """Test listing with users"""
-        admin = create_test_admin_user()
-        self.client.force_login(admin)
-        response = self.client.get(reverse("authentik_api:group-list"), {"include_users": "true"})
-        self.assertEqual(response.status_code, 200)
-
     def test_add_user(self):
         """Test add_user"""
         group = Group.objects.create(name=generate_id())

authentik/core/tests/test_source_flow_manager.py

@@ -2,15 +2,11 @@
 
 from django.contrib.auth.models import AnonymousUser
 from django.test import TestCase
-from django.urls import reverse
 from guardian.utils import get_anonymous_user
 
 from authentik.core.models import SourceUserMatchingModes, User
 from authentik.core.sources.flow_manager import Action
-from authentik.core.sources.stage import PostSourceStage
 from authentik.core.tests.utils import create_test_flow
-from authentik.flows.planner import FlowPlan
-from authentik.flows.views.executor import SESSION_KEY_PLAN
 from authentik.lib.generators import generate_id
 from authentik.lib.tests.utils import get_request
 from authentik.policies.denied import AccessDeniedResponse
@@ -25,62 +21,42 @@ class TestSourceFlowManager(TestCase):
 
     def setUp(self) -> None:
         super().setUp()
-        self.authentication_flow = create_test_flow()
-        self.enrollment_flow = create_test_flow()
-        self.source: OAuthSource = OAuthSource.objects.create(
-            name=generate_id(),
-            slug=generate_id(),
-            authentication_flow=self.authentication_flow,
-            enrollment_flow=self.enrollment_flow,
-        )
+        self.source: OAuthSource = OAuthSource.objects.create(name="test")
         self.identifier = generate_id()
 
     def test_unauthenticated_enroll(self):
         """Test un-authenticated user enrolling"""
-        request = get_request("/", user=AnonymousUser())
-        flow_manager = OAuthSourceFlowManager(self.source, request, self.identifier, {})
+        flow_manager = OAuthSourceFlowManager(
+            self.source, get_request("/", user=AnonymousUser()), self.identifier, {}
+        )
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.ENROLL)
-        response = flow_manager.get_flow()
-        self.assertEqual(response.status_code, 302)
-        flow_plan: FlowPlan = request.session[SESSION_KEY_PLAN]
-        self.assertEqual(flow_plan.bindings[0].stage.view, PostSourceStage)
+        flow_manager.get_flow()
 
     def test_unauthenticated_auth(self):
         """Test un-authenticated user authenticating"""
         UserOAuthSourceConnection.objects.create(
             user=get_anonymous_user(), source=self.source, identifier=self.identifier
         )
-        request = get_request("/", user=AnonymousUser())
-        flow_manager = OAuthSourceFlowManager(self.source, request, self.identifier, {})
+
+        flow_manager = OAuthSourceFlowManager(
+            self.source, get_request("/", user=AnonymousUser()), self.identifier, {}
+        )
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.AUTH)
-        response = flow_manager.get_flow()
-        self.assertEqual(response.status_code, 302)
-        flow_plan: FlowPlan = request.session[SESSION_KEY_PLAN]
-        self.assertEqual(flow_plan.bindings[0].stage.view, PostSourceStage)
+        flow_manager.get_flow()
 
     def test_authenticated_link(self):
         """Test authenticated user linking"""
-        user = User.objects.create(username="foo", email="foo@bar.baz")
-        request = get_request("/", user=user)
-        flow_manager = OAuthSourceFlowManager(self.source, request, self.identifier, {})
-        action, connection = flow_manager.get_action()
-        self.assertEqual(action, Action.LINK)
-        self.assertIsNone(connection.pk)
-        response = flow_manager.get_flow()
-        self.assertEqual(response.status_code, 302)
-        self.assertEqual(
-            response.url,
-            reverse("authentik_core:if-user") + "#/settings;page-sources",
+        UserOAuthSourceConnection.objects.create(
+            user=get_anonymous_user(), source=self.source, identifier=self.identifier
         )
-
-    def test_unauthenticated_link(self):
-        """Test un-authenticated user linking"""
-        flow_manager = OAuthSourceFlowManager(self.source, get_request("/"), self.identifier, {})
-        action, connection = flow_manager.get_action()
+        user = User.objects.create(username="foo", email="foo@bar.baz")
+        flow_manager = OAuthSourceFlowManager(
+            self.source, get_request("/", user=user), self.identifier, {}
+        )
+        action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.LINK)
-        self.assertIsNone(connection.pk)
         flow_manager.get_flow()
 
     def test_unauthenticated_enroll_email(self):

authentik/core/tests/test_token_api.py

@@ -13,8 +13,9 @@ from authentik.core.models import (
     USER_ATTRIBUTE_TOKEN_MAXIMUM_LIFETIME,
     Token,
     TokenIntents,
+    User,
 )
-from authentik.core.tests.utils import create_test_admin_user, create_test_user
+from authentik.core.tests.utils import create_test_admin_user
 from authentik.lib.generators import generate_id
 
 
@@ -23,7 +24,7 @@ class TestTokenAPI(APITestCase):
 
     def setUp(self) -> None:
         super().setUp()
-        self.user = create_test_user()
+        self.user = User.objects.create(username="testuser")
         self.admin = create_test_admin_user()
         self.client.force_login(self.user)
 
@@ -153,24 +154,6 @@ class TestTokenAPI(APITestCase):
         self.assertEqual(token.expiring, True)
         self.assertNotEqual(token.expires.timestamp(), expires.timestamp())
 
-    def test_token_change_user(self):
-        """Test creating a token and then changing the user"""
-        ident = generate_id()
-        response = self.client.post(reverse("authentik_api:token-list"), {"identifier": ident})
-        self.assertEqual(response.status_code, 201)
-        token = Token.objects.get(identifier=ident)
-        self.assertEqual(token.user, self.user)
-        self.assertEqual(token.intent, TokenIntents.INTENT_API)
-        self.assertEqual(token.expiring, True)
-        self.assertTrue(self.user.has_perm("authentik_core.view_token_key", token))
-        response = self.client.put(
-            reverse("authentik_api:token-detail", kwargs={"identifier": ident}),
-            data={"identifier": "user_token_poc_v3", "intent": "api", "user": self.admin.pk},
-        )
-        self.assertEqual(response.status_code, 400)
-        token.refresh_from_db()
-        self.assertEqual(token.user, self.user)
-
     def test_list(self):
         """Test Token List (Test normal authentication)"""
         Token.objects.all().delete()

authentik/core/tests/test_users_api.py

@@ -41,12 +41,6 @@ class TestUsersAPI(APITestCase):
         )
         self.assertEqual(response.status_code, 200)
 
-    def test_list_with_groups(self):
-        """Test listing with groups"""
-        self.client.force_login(self.admin)
-        response = self.client.get(reverse("authentik_api:user-list"), {"include_groups": "true"})
-        self.assertEqual(response.status_code, 200)
-
     def test_metrics(self):
         """Test user's metrics"""
         self.client.force_login(self.admin)

authentik/core/tests/test_users_avatars.py

@@ -8,6 +8,7 @@ from rest_framework.test import APITestCase
 
 from authentik.core.models import User
 from authentik.core.tests.utils import create_test_admin_user
+from authentik.lib.config import CONFIG
 from authentik.tenants.utils import get_current_tenant
 
 
@@ -24,6 +25,7 @@ class TestUsersAvatars(APITestCase):
         tenant.avatars = mode
         tenant.save()
 
+    @CONFIG.patch("avatars", "none")
     def test_avatars_none(self):
         """Test avatars none"""
         self.set_avatar_mode("none")

authentik/core/tests/utils.py

@@ -4,7 +4,7 @@ from django.utils.text import slugify
 
 from authentik.brands.models import Brand
 from authentik.core.models import Group, User
-from authentik.crypto.builder import CertificateBuilder, PrivateKeyAlg
+from authentik.crypto.builder import CertificateBuilder
 from authentik.crypto.models import CertificateKeyPair
 from authentik.flows.models import Flow, FlowDesignation
 from authentik.lib.generators import generate_id
@@ -50,10 +50,12 @@ def create_test_brand(**kwargs) -> Brand:
     return Brand.objects.create(domain=uid, default=True, **kwargs)
 
 
-def create_test_cert(alg=PrivateKeyAlg.RSA) -> CertificateKeyPair:
+def create_test_cert(use_ec_private_key=False) -> CertificateKeyPair:
     """Generate a certificate for testing"""
-    builder = CertificateBuilder(f"{generate_id()}.self-signed.goauthentik.io")
-    builder.alg = alg
+    builder = CertificateBuilder(
+        name=f"{generate_id()}.self-signed.goauthentik.io",
+        use_ec_private_key=use_ec_private_key,
+    )
     builder.build(
         subject_alt_names=[f"{generate_id()}.self-signed.goauthentik.io"],
         validity_days=360,

authentik/crypto/api.py

@@ -14,13 +14,7 @@ from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_schema
 from rest_framework.decorators import action
 from rest_framework.exceptions import ValidationError
-from rest_framework.fields import (
-    CharField,
-    ChoiceField,
-    DateTimeField,
-    IntegerField,
-    SerializerMethodField,
-)
+from rest_framework.fields import CharField, DateTimeField, IntegerField, SerializerMethodField
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.request import Request
 from rest_framework.response import Response
@@ -32,11 +26,10 @@ from authentik.api.authorization import SecretKeyFilter
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import PassiveSerializer
 from authentik.crypto.apps import MANAGED_KEY
-from authentik.crypto.builder import CertificateBuilder, PrivateKeyAlg
+from authentik.crypto.builder import CertificateBuilder
 from authentik.crypto.models import CertificateKeyPair
 from authentik.events.models import Event, EventAction
 from authentik.rbac.decorators import permission_required
-from authentik.rbac.filters import ObjectFilter
 
 LOGGER = get_logger()
 
@@ -185,7 +178,6 @@ class CertificateGenerationSerializer(PassiveSerializer):
     common_name = CharField()
     subject_alt_name = CharField(required=False, allow_blank=True, label=_("Subject-alt name"))
     validity_days = IntegerField(initial=365)
-    alg = ChoiceField(default=PrivateKeyAlg.RSA, choices=PrivateKeyAlg.choices)
 
 
 class CertificateKeyPairFilter(FilterSet):
@@ -248,7 +240,6 @@ class CertificateKeyPairViewSet(UsedByMixin, ModelViewSet):
         raw_san = data.validated_data.get("subject_alt_name", "")
         sans = raw_san.split(",") if raw_san != "" else []
         builder = CertificateBuilder(data.validated_data["common_name"])
-        builder.alg = data.validated_data["alg"]
         builder.build(
             subject_alt_names=sans,
             validity_days=int(data.validated_data["validity_days"]),
@@ -267,7 +258,7 @@ class CertificateKeyPairViewSet(UsedByMixin, ModelViewSet):
         ],
         responses={200: CertificateDataSerializer(many=False)},
     )
-    @action(detail=True, pagination_class=None, filter_backends=[ObjectFilter])
+    @action(detail=True, pagination_class=None, filter_backends=[])
     def view_certificate(self, request: Request, pk: str) -> Response:
         """Return certificate-key pairs certificate and log access"""
         certificate: CertificateKeyPair = self.get_object()
@@ -297,7 +288,7 @@ class CertificateKeyPairViewSet(UsedByMixin, ModelViewSet):
         ],
         responses={200: CertificateDataSerializer(many=False)},
     )
-    @action(detail=True, pagination_class=None, filter_backends=[ObjectFilter])
+    @action(detail=True, pagination_class=None, filter_backends=[])
     def view_private_key(self, request: Request, pk: str) -> Response:
         """Return certificate-key pairs private key and log access"""
         certificate: CertificateKeyPair = self.get_object()

authentik/crypto/builder.py

@@ -9,28 +9,20 @@ from cryptography.hazmat.primitives import hashes, serialization
 from cryptography.hazmat.primitives.asymmetric import ec, rsa
 from cryptography.hazmat.primitives.asymmetric.types import PrivateKeyTypes
 from cryptography.x509.oid import NameOID
-from django.db import models
-from django.utils.translation import gettext_lazy as _
 
 from authentik import __version__
 from authentik.crypto.models import CertificateKeyPair
 
 
-class PrivateKeyAlg(models.TextChoices):
-    """Algorithm to create private key with"""
-
-    RSA = "rsa", _("rsa")
-    ECDSA = "ecdsa", _("ecdsa")
-
-
 class CertificateBuilder:
     """Build self-signed certificates"""
 
     common_name: str
-    alg: PrivateKeyAlg
 
-    def __init__(self, name: str):
-        self.alg = PrivateKeyAlg.RSA
+    _use_ec_private_key: bool
+
+    def __init__(self, name: str, use_ec_private_key=False):
+        self._use_ec_private_key = use_ec_private_key
         self.__public_key = None
         self.__private_key = None
         self.__builder = None
@@ -50,13 +42,11 @@ class CertificateBuilder:
 
     def generate_private_key(self) -> PrivateKeyTypes:
         """Generate private key"""
-        if self.alg == PrivateKeyAlg.ECDSA:
+        if self._use_ec_private_key:
             return ec.generate_private_key(curve=ec.SECP256R1())
-        if self.alg == PrivateKeyAlg.RSA:
-            return rsa.generate_private_key(
-                public_exponent=65537, key_size=4096, backend=default_backend()
-            )
-        raise ValueError(f"Invalid alg: {self.alg}")
+        return rsa.generate_private_key(
+            public_exponent=65537, key_size=4096, backend=default_backend()
+        )
 
     def build(
         self,

authentik/crypto/tests.py

@@ -214,46 +214,6 @@ class TestCrypto(APITestCase):
         self.assertEqual(200, response.status_code)
         self.assertIn("Content-Disposition", response)
 
-    def test_certificate_download_denied(self):
-        """Test certificate export (download)"""
-        self.client.logout()
-        keypair = create_test_cert()
-        response = self.client.get(
-            reverse(
-                "authentik_api:certificatekeypair-view-certificate",
-                kwargs={"pk": keypair.pk},
-            )
-        )
-        self.assertEqual(403, response.status_code)
-        response = self.client.get(
-            reverse(
-                "authentik_api:certificatekeypair-view-certificate",
-                kwargs={"pk": keypair.pk},
-            ),
-            data={"download": True},
-        )
-        self.assertEqual(403, response.status_code)
-
-    def test_private_key_download_denied(self):
-        """Test private_key export (download)"""
-        self.client.logout()
-        keypair = create_test_cert()
-        response = self.client.get(
-            reverse(
-                "authentik_api:certificatekeypair-view-private-key",
-                kwargs={"pk": keypair.pk},
-            )
-        )
-        self.assertEqual(403, response.status_code)
-        response = self.client.get(
-            reverse(
-                "authentik_api:certificatekeypair-view-private-key",
-                kwargs={"pk": keypair.pk},
-            ),
-            data={"download": True},
-        )
-        self.assertEqual(403, response.status_code)
-
     def test_used_by(self):
         """Test used_by endpoint"""
         self.client.force_login(create_test_admin_user())
@@ -286,26 +246,6 @@ class TestCrypto(APITestCase):
             ],
         )
 
-    def test_used_by_denied(self):
-        """Test used_by endpoint"""
-        self.client.logout()
-        keypair = create_test_cert()
-        OAuth2Provider.objects.create(
-            name=generate_id(),
-            client_id="test",
-            client_secret=generate_key(),
-            authorization_flow=create_test_flow(),
-            redirect_uris="http://localhost",
-            signing_key=keypair,
-        )
-        response = self.client.get(
-            reverse(
-                "authentik_api:certificatekeypair-used-by",
-                kwargs={"pk": keypair.pk},
-            )
-        )
-        self.assertEqual(403, response.status_code)
-
     def test_discovery(self):
         """Test certificate discovery"""
         name = generate_id()

authentik/enterprise/audit/middleware.py

@@ -2,12 +2,11 @@
 
 from copy import deepcopy
 from functools import partial
-from typing import Any
 
 from django.apps.registry import apps
 from django.core.files import File
 from django.db import connection
-from django.db.models import ManyToManyRel, Model
+from django.db.models import Model
 from django.db.models.expressions import BaseExpression, Combinable
 from django.db.models.signals import post_init
 from django.http import HttpRequest
@@ -45,7 +44,7 @@ class EnterpriseAuditMiddleware(AuditMiddleware):
         post_init.disconnect(dispatch_uid=request.request_id)
 
     def serialize_simple(self, model: Model) -> dict:
-        """Serialize a model in a very simple way. No ForeignKeys or other relationships are
+        """Serialize a model in a very simple way. No ForeginKeys or other relationships are
         resolved"""
         data = {}
         deferred_fields = model.get_deferred_fields()
@@ -71,9 +70,6 @@ class EnterpriseAuditMiddleware(AuditMiddleware):
         for key, value in before.items():
             if after.get(key) != value:
                 diff[key] = {"previous_value": value, "new_value": after.get(key)}
-        for key, value in after.items():
-            if key not in before and key not in diff and before.get(key) != value:
-                diff[key] = {"previous_value": before.get(key), "new_value": value}
         return sanitize_item(diff)
 
     def post_init_handler(self, request: HttpRequest, sender, instance: Model, **_):
@@ -102,37 +98,8 @@ class EnterpriseAuditMiddleware(AuditMiddleware):
         thread_kwargs = {}
         if hasattr(instance, "_previous_state") or created:
             prev_state = getattr(instance, "_previous_state", {})
-            if created:
-                prev_state = {}
             # Get current state
             new_state = self.serialize_simple(instance)
             diff = self.diff(prev_state, new_state)
             thread_kwargs["diff"] = diff
         return super().post_save_handler(request, sender, instance, created, thread_kwargs, **_)
-
-    def m2m_changed_handler(  # noqa: PLR0913
-        self,
-        request: HttpRequest,
-        sender,
-        instance: Model,
-        action: str,
-        pk_set: set[Any],
-        thread_kwargs: dict | None = None,
-        **_,
-    ):
-        thread_kwargs = {}
-        m2m_field = None
-        # For the audit log we don't care about `pre_` or `post_` so we trim that part off
-        _, _, action_direction = action.partition("_")
-        # resolve the "through" model to an actual field
-        for field in instance._meta.get_fields():
-            if not isinstance(field, ManyToManyRel):
-                continue
-            if field.through == sender:
-                m2m_field = field
-        if m2m_field:
-            # If we're clearing we just set the "flag" to True
-            if action_direction == "clear":
-                pk_set = True
-            thread_kwargs["diff"] = {m2m_field.related_name: {action_direction: pk_set}}
-        return super().m2m_changed_handler(request, sender, instance, action, thread_kwargs)

authentik/enterprise/audit/tests.py

@@ -1,22 +1,9 @@
-from unittest.mock import PropertyMock, patch
-
 from django.apps import apps
 from django.conf import settings
-from django.urls import reverse
-from rest_framework.test import APITestCase
-
-from authentik.core.models import Group, User
-from authentik.core.tests.utils import create_test_admin_user
-from authentik.events.models import Event, EventAction
-from authentik.events.utils import sanitize_item
-from authentik.lib.generators import generate_id
+from django.test import TestCase
 
 
-class TestEnterpriseAudit(APITestCase):
-    """Test audit middleware"""
-
-    def setUp(self) -> None:
-        self.user = create_test_admin_user()
+class TestEnterpriseAudit(TestCase):
 
     def test_import(self):
         """Ensure middleware is imported when app.ready is called"""
@@ -29,182 +16,3 @@ class TestEnterpriseAudit(APITestCase):
         self.assertIn(
             "authentik.enterprise.audit.middleware.EnterpriseAuditMiddleware", settings.MIDDLEWARE
         )
-
-    @patch(
-        "authentik.enterprise.audit.middleware.EnterpriseAuditMiddleware.enabled",
-        PropertyMock(return_value=True),
-    )
-    def test_create(self):
-        """Test create audit log"""
-        self.client.force_login(self.user)
-        username = generate_id()
-        response = self.client.post(
-            reverse("authentik_api:user-list"),
-            data={"name": generate_id(), "username": username, "groups": [], "path": "foo"},
-        )
-        user = User.objects.get(username=username)
-        self.assertEqual(response.status_code, 201)
-        events = Event.objects.filter(
-            action=EventAction.MODEL_CREATED,
-            context__model__model_name="user",
-            context__model__app="authentik_core",
-            context__model__pk=user.pk,
-        )
-        event = events.first()
-        self.assertIsNotNone(event)
-        self.assertIsNotNone(event.context["diff"])
-        diff = event.context["diff"]
-        self.assertEqual(
-            diff,
-            {
-                "name": {
-                    "new_value": user.name,
-                    "previous_value": None,
-                },
-                "path": {"new_value": "foo", "previous_value": None},
-                "type": {"new_value": "internal", "previous_value": None},
-                "uuid": {
-                    "new_value": user.uuid.hex,
-                    "previous_value": None,
-                },
-                "email": {"new_value": "", "previous_value": None},
-                "username": {
-                    "new_value": user.username,
-                    "previous_value": None,
-                },
-                "is_active": {"new_value": True, "previous_value": None},
-                "attributes": {"new_value": {}, "previous_value": None},
-                "date_joined": {
-                    "new_value": sanitize_item(user.date_joined),
-                    "previous_value": None,
-                },
-                "first_name": {"new_value": "", "previous_value": None},
-                "id": {"new_value": user.pk, "previous_value": None},
-                "last_name": {"new_value": "", "previous_value": None},
-                "password": {"new_value": "********************", "previous_value": None},
-                "password_change_date": {
-                    "new_value": sanitize_item(user.password_change_date),
-                    "previous_value": None,
-                },
-            },
-        )
-
-    @patch(
-        "authentik.enterprise.audit.middleware.EnterpriseAuditMiddleware.enabled",
-        PropertyMock(return_value=True),
-    )
-    def test_update(self):
-        """Test update audit log"""
-        self.client.force_login(self.user)
-        user = create_test_admin_user()
-        current_name = user.name
-        new_name = generate_id()
-        response = self.client.patch(
-            reverse("authentik_api:user-detail", kwargs={"pk": user.id}),
-            data={"name": new_name},
-        )
-        user.refresh_from_db()
-        self.assertEqual(response.status_code, 200)
-        events = Event.objects.filter(
-            action=EventAction.MODEL_UPDATED,
-            context__model__model_name="user",
-            context__model__app="authentik_core",
-            context__model__pk=user.pk,
-        )
-        event = events.first()
-        self.assertIsNotNone(event)
-        self.assertIsNotNone(event.context["diff"])
-        diff = event.context["diff"]
-        self.assertEqual(
-            diff,
-            {
-                "name": {
-                    "new_value": new_name,
-                    "previous_value": current_name,
-                },
-            },
-        )
-
-    @patch(
-        "authentik.enterprise.audit.middleware.EnterpriseAuditMiddleware.enabled",
-        PropertyMock(return_value=True),
-    )
-    def test_delete(self):
-        """Test delete audit log"""
-        self.client.force_login(self.user)
-        user = create_test_admin_user()
-        response = self.client.delete(
-            reverse("authentik_api:user-detail", kwargs={"pk": user.id}),
-        )
-        self.assertEqual(response.status_code, 204)
-        events = Event.objects.filter(
-            action=EventAction.MODEL_DELETED,
-            context__model__model_name="user",
-            context__model__app="authentik_core",
-            context__model__pk=user.pk,
-        )
-        event = events.first()
-        self.assertIsNotNone(event)
-        self.assertNotIn("diff", event.context)
-
-    @patch(
-        "authentik.enterprise.audit.middleware.EnterpriseAuditMiddleware.enabled",
-        PropertyMock(return_value=True),
-    )
-    def test_m2m_add(self):
-        """Test m2m add audit log"""
-        self.client.force_login(self.user)
-        user = create_test_admin_user()
-        group = Group.objects.create(name=generate_id())
-        response = self.client.post(
-            reverse("authentik_api:group-add-user", kwargs={"pk": group.group_uuid}),
-            data={
-                "pk": user.pk,
-            },
-        )
-        self.assertEqual(response.status_code, 204)
-        events = Event.objects.filter(
-            action=EventAction.MODEL_UPDATED,
-            context__model__model_name="group",
-            context__model__app="authentik_core",
-            context__model__pk=group.pk.hex,
-        )
-        event = events.first()
-        self.assertIsNotNone(event)
-        self.assertIsNotNone(event.context["diff"])
-        diff = event.context["diff"]
-        self.assertEqual(
-            diff,
-            {"users": {"add": [user.pk]}},
-        )
-
-    @patch(
-        "authentik.enterprise.audit.middleware.EnterpriseAuditMiddleware.enabled",
-        PropertyMock(return_value=True),
-    )
-    def test_m2m_remove(self):
-        """Test m2m remove audit log"""
-        self.client.force_login(self.user)
-        user = create_test_admin_user()
-        group = Group.objects.create(name=generate_id())
-        response = self.client.post(
-            reverse("authentik_api:group-remove-user", kwargs={"pk": group.group_uuid}),
-            data={
-                "pk": user.pk,
-            },
-        )
-        self.assertEqual(response.status_code, 204)
-        events = Event.objects.filter(
-            action=EventAction.MODEL_UPDATED,
-            context__model__model_name="group",
-            context__model__app="authentik_core",
-            context__model__pk=group.pk.hex,
-        )
-        event = events.first()
-        self.assertIsNotNone(event)
-        self.assertIsNotNone(event.context["diff"])
-        diff = event.context["diff"]
-        self.assertEqual(
-            diff,
-            {"users": {"remove": [user.pk]}},
-        )

authentik/enterprise/providers/rac/models.py

@@ -201,7 +201,10 @@ class ConnectionToken(ExpiringModel):
         return settings
 
     def __str__(self):
-        return f"RAC Connection token {self.session_id} to {self.provider_id}/{self.endpoint_id}"
+        return (
+            f"RAC Connection token {self.session.user} to "
+            f"{self.endpoint.provider.name}/{self.endpoint.name}"
+        )
 
     class Meta:
         verbose_name = _("RAC Connection token")

authentik/events/middleware.py

@@ -116,12 +116,12 @@ class AuditMiddleware:
             return user
         user = getattr(request, "user", self.anonymous_user)
         if not user.is_authenticated:
-            self._ensure_fallback_user()
             return self.anonymous_user
         return user
 
     def connect(self, request: HttpRequest):
         """Connect signal for automatic logging"""
+        self._ensure_fallback_user()
         if not hasattr(request, "request_id"):
             return
         post_save.connect(
@@ -214,15 +214,7 @@ class AuditMiddleware:
             model=model_to_dict(instance),
         ).run()
 
-    def m2m_changed_handler(
-        self,
-        request: HttpRequest,
-        sender,
-        instance: Model,
-        action: str,
-        thread_kwargs: dict | None = None,
-        **_,
-    ):
+    def m2m_changed_handler(self, request: HttpRequest, sender, instance: Model, action: str, **_):
         """Signal handler for all object's m2m_changed"""
         if action not in ["pre_add", "pre_remove", "post_clear"]:
             return
@@ -237,5 +229,4 @@ class AuditMiddleware:
             request,
             user=user,
             model=model_to_dict(instance),
-            **thread_kwargs,
         ).run()

authentik/events/models.py

@@ -556,7 +556,7 @@ class Notification(SerializerModel):
             if len(self.body) > NOTIFICATION_SUMMARY_LENGTH
             else self.body
         )
-        return f"Notification for user {self.user_id}: {body_trunc}"
+        return f"Notification for user {self.user}: {body_trunc}"
 
     class Meta:
         verbose_name = _("Notification")

authentik/events/system_tasks.py

@@ -119,7 +119,7 @@ class SystemTask(TenantTask):
                 "task_call_kwargs": sanitize_item(kwargs),
                 "status": self._status,
                 "messages": sanitize_item(self._messages),
-                "expires": now() + timedelta(hours=self.result_timeout_hours + 3),
+                "expires": now() + timedelta(hours=self.result_timeout_hours),
                 "expiring": True,
             },
         )

authentik/events/tests/test_models.py

@@ -1,35 +0,0 @@
-"""authentik event models tests"""
-
-from collections.abc import Callable
-
-from django.db.models import Model
-from django.test import TestCase
-
-from authentik.core.models import default_token_key
-from authentik.lib.utils.reflection import get_apps
-
-
-class TestModels(TestCase):
-    """Test Models"""
-
-
-def model_tester_factory(test_model: type[Model]) -> Callable:
-    """Test models' __str__ and __repr__"""
-
-    def tester(self: TestModels):
-        allowed = 0
-        # Token-like objects need to lookup the current tenant to get the default token length
-        for field in test_model._meta.fields:
-            if field.default == default_token_key:
-                allowed += 1
-        with self.assertNumQueries(allowed):
-            str(test_model())
-        with self.assertNumQueries(allowed):
-            repr(test_model())
-
-    return tester
-
-
-for app in get_apps():
-    for model in app.get_models():
-        setattr(TestModels, f"test_{app.label}_{model.__name__}", model_tester_factory(model))

authentik/flows/api/flows.py

@@ -33,7 +33,6 @@ from authentik.lib.utils.file import (
 )
 from authentik.lib.views import bad_request_message
 from authentik.rbac.decorators import permission_required
-from authentik.rbac.filters import ObjectFilter
 
 LOGGER = get_logger()
 
@@ -278,8 +277,8 @@ class FlowViewSet(UsedByMixin, ModelViewSet):
             400: OpenApiResponse(description="Flow not applicable"),
         },
     )
-    @action(detail=True, pagination_class=None, filter_backends=[ObjectFilter])
-    def execute(self, request: Request, slug: str):
+    @action(detail=True, pagination_class=None, filter_backends=[])
+    def execute(self, request: Request, _slug: str):
         """Execute flow for current user"""
         # Because we pre-plan the flow here, and not in the planner, we need to manually clear
         # the history of the inspector

authentik/flows/planner.py

@@ -203,8 +203,7 @@ class FlowPlanner:
                 "f(plan): building plan",
             )
             plan = self._build_plan(user, request, default_context)
-            if self.use_cache:
-                cache.set(cache_key(self.flow, user), plan, CACHE_TIMEOUT)
+            cache.set(cache_key(self.flow, user), plan, CACHE_TIMEOUT)
             if not plan.bindings and not self.allow_empty_flows:
                 raise EmptyFlowException()
             return plan

authentik/flows/tests/test_api.py

@@ -6,7 +6,6 @@ from rest_framework.test import APITestCase
 from authentik.core.tests.utils import create_test_admin_user
 from authentik.flows.api.stages import StageSerializer, StageViewSet
 from authentik.flows.models import Flow, FlowDesignation, FlowStageBinding, Stage
-from authentik.lib.generators import generate_id
 from authentik.policies.dummy.models import DummyPolicy
 from authentik.policies.models import PolicyBinding
 from authentik.stages.dummy.models import DummyStage
@@ -102,21 +101,3 @@ class TestFlowsAPI(APITestCase):
             reverse("authentik_api:stage-types"),
         )
         self.assertEqual(response.status_code, 200)
-
-    def test_execute(self):
-        """Test execute endpoint"""
-        user = create_test_admin_user()
-        self.client.force_login(user)
-
-        flow = Flow.objects.create(
-            name=generate_id(),
-            slug=generate_id(),
-            designation=FlowDesignation.AUTHENTICATION,
-        )
-        FlowStageBinding.objects.create(
-            target=flow, stage=DummyStage.objects.create(name=generate_id()), order=0
-        )
-        response = self.client.get(
-            reverse("authentik_api:flow-execute", kwargs={"slug": flow.slug})
-        )
-        self.assertEqual(response.status_code, 200)

authentik/lib/default.yml

@@ -53,7 +53,6 @@ cache:
 
 # result_backend:
 #   url: ""
-#   transport_options: ""
 
 debug: false
 remote_debug: false

authentik/outposts/api/service_connections.py

@@ -23,7 +23,6 @@ from authentik.outposts.models import (
     KubernetesServiceConnection,
     OutpostServiceConnection,
 )
-from authentik.rbac.filters import ObjectFilter
 
 
 class ServiceConnectionSerializer(ModelSerializer, MetaNameSerializer):
@@ -89,7 +88,7 @@ class ServiceConnectionViewSet(
         return Response(TypeCreateSerializer(data, many=True).data)
 
     @extend_schema(responses={200: ServiceConnectionStateSerializer(many=False)})
-    @action(detail=True, pagination_class=None, filter_backends=[ObjectFilter])
+    @action(detail=True, pagination_class=None, filter_backends=[])
     def state(self, request: Request, pk: str) -> Response:
         """Get the service connection's state"""
         connection = self.get_object()

authentik/providers/oauth2/models.py

@@ -326,7 +326,7 @@ class AuthorizationCode(SerializerModel, ExpiringModel, BaseGrantModel):
         verbose_name_plural = _("Authorization Codes")
 
     def __str__(self):
-        return f"Authorization code for {self.provider_id} for user {self.user_id}"
+        return f"Authorization code for {self.provider} for user {self.user}"
 
     @property
     def serializer(self) -> Serializer:
@@ -356,7 +356,7 @@ class AccessToken(SerializerModel, ExpiringModel, BaseGrantModel):
         verbose_name_plural = _("OAuth2 Access Tokens")
 
     def __str__(self):
-        return f"Access Token for {self.provider_id} for user {self.user_id}"
+        return f"Access Token for {self.provider} for user {self.user}"
 
     @property
     def id_token(self) -> IDToken:
@@ -399,7 +399,7 @@ class RefreshToken(SerializerModel, ExpiringModel, BaseGrantModel):
         verbose_name_plural = _("OAuth2 Refresh Tokens")
 
     def __str__(self):
-        return f"Refresh Token for {self.provider_id} for user {self.user_id}"
+        return f"Refresh Token for {self.provider} for user {self.user}"
 
     @property
     def id_token(self) -> IDToken:
@@ -443,4 +443,4 @@ class DeviceToken(ExpiringModel):
         verbose_name_plural = _("Device Tokens")
 
     def __str__(self):
-        return f"Device Token for {self.provider_id}"
+        return f"Device Token for {self.provider}"

authentik/providers/oauth2/tests/test_device_init.py

@@ -4,10 +4,9 @@ from urllib.parse import urlencode
 
 from django.urls import reverse
 
-from authentik.core.models import Application, Group
+from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_brand, create_test_flow
 from authentik.lib.generators import generate_id
-from authentik.policies.models import PolicyBinding
 from authentik.providers.oauth2.models import DeviceToken, OAuth2Provider
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
 from authentik.providers.oauth2.views.device_init import QS_KEY_CODE
@@ -78,23 +77,3 @@ class TesOAuth2DeviceInit(OAuthTestCase):
             + "?"
             + urlencode({QS_KEY_CODE: token.user_code}),
         )
-
-    def test_device_init_denied(self):
-        """Test device init"""
-        group = Group.objects.create(name="foo")
-        PolicyBinding.objects.create(
-            group=group,
-            target=self.application,
-            order=0,
-        )
-        token = DeviceToken.objects.create(
-            user_code="foo",
-            provider=self.provider,
-        )
-        res = self.client.get(
-            reverse("authentik_providers_oauth2_root:device-login")
-            + "?"
-            + urlencode({QS_KEY_CODE: token.user_code})
-        )
-        self.assertEqual(res.status_code, 200)
-        self.assertIn(b"Permission denied", res.content)

authentik/providers/oauth2/tests/test_jwks.py

@@ -10,7 +10,6 @@ from jwt import PyJWKSet
 
 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_cert, create_test_flow
-from authentik.crypto.builder import PrivateKeyAlg
 from authentik.crypto.models import CertificateKeyPair
 from authentik.lib.generators import generate_id
 from authentik.providers.oauth2.models import OAuth2Provider
@@ -83,7 +82,7 @@ class TestJWKS(OAuthTestCase):
             client_id="test",
             authorization_flow=create_test_flow(),
             redirect_uris="http://local.invalid",
-            signing_key=create_test_cert(PrivateKeyAlg.ECDSA),
+            signing_key=create_test_cert(use_ec_private_key=True),
         )
         app = Application.objects.create(name="test", slug="test", provider=provider)
         response = self.client.get(

authentik/providers/oauth2/views/device_backchannel.py

@@ -11,11 +11,10 @@ from django.views.decorators.csrf import csrf_exempt
 from rest_framework.throttling import AnonRateThrottle
 from structlog.stdlib import get_logger
 
-from authentik.core.models import Application
 from authentik.lib.config import CONFIG
 from authentik.lib.utils.time import timedelta_from_string
 from authentik.providers.oauth2.models import DeviceToken, OAuth2Provider
-from authentik.providers.oauth2.views.device_init import QS_KEY_CODE
+from authentik.providers.oauth2.views.device_init import QS_KEY_CODE, get_application
 
 LOGGER = get_logger()
 
@@ -38,9 +37,7 @@ class DeviceView(View):
         ).first()
         if not provider:
             return HttpResponseBadRequest()
-        try:
-            _ = provider.application
-        except Application.DoesNotExist:
+        if not get_application(provider):
             return HttpResponseBadRequest()
         self.provider = provider
         self.client_id = client_id

authentik/providers/oauth2/views/device_init.py

@@ -1,9 +1,8 @@
 """Device flow views"""
 
-from typing import Any
-
 from django.http import HttpRequest, HttpResponse
 from django.utils.translation import gettext as _
+from django.views import View
 from rest_framework.exceptions import ValidationError
 from rest_framework.fields import CharField, IntegerField
 from structlog.stdlib import get_logger
@@ -17,8 +16,7 @@ from authentik.flows.planner import PLAN_CONTEXT_APPLICATION, PLAN_CONTEXT_SSO,
 from authentik.flows.stage import ChallengeStageView
 from authentik.flows.views.executor import SESSION_KEY_PLAN
 from authentik.lib.utils.urls import redirect_with_qs
-from authentik.policies.views import PolicyAccessView
-from authentik.providers.oauth2.models import DeviceToken
+from authentik.providers.oauth2.models import DeviceToken, OAuth2Provider
 from authentik.providers.oauth2.views.device_finish import (
     PLAN_CONTEXT_DEVICE,
     OAuthDeviceCodeFinishStage,
@@ -33,52 +31,60 @@ LOGGER = get_logger()
 QS_KEY_CODE = "code"  # nosec
 
 
-class CodeValidatorView(PolicyAccessView):
-    """Helper to validate frontside token"""
-
-    def __init__(self, code: str, **kwargs: Any) -> None:
-        super().__init__(**kwargs)
-        self.code = code
-
-    def resolve_provider_application(self):
-        self.token = DeviceToken.objects.filter(user_code=self.code).first()
-        if not self.token:
-            raise Application.DoesNotExist
-        self.provider = self.token.provider
-        self.application = self.token.provider.application
-
-    def get(self, request: HttpRequest, *args, **kwargs):
-        scope_descriptions = UserInfoView().get_scope_descriptions(self.token.scope, self.provider)
-        planner = FlowPlanner(self.provider.authorization_flow)
-        planner.allow_empty_flows = True
-        planner.use_cache = False
-        try:
-            plan = planner.plan(
-                request,
-                {
-                    PLAN_CONTEXT_SSO: True,
-                    PLAN_CONTEXT_APPLICATION: self.application,
-                    # OAuth2 related params
-                    PLAN_CONTEXT_DEVICE: self.token,
-                    # Consent related params
-                    PLAN_CONTEXT_CONSENT_HEADER: _("You're about to sign into %(application)s.")
-                    % {"application": self.application.name},
-                    PLAN_CONTEXT_CONSENT_PERMISSIONS: scope_descriptions,
-                },
-            )
-        except FlowNonApplicableException:
-            LOGGER.warning("Flow not applicable to user")
+def get_application(provider: OAuth2Provider) -> Application | None:
+    """Get application from provider"""
+    try:
+        app = provider.application
+        if not app:
             return None
-        plan.insert_stage(in_memory_stage(OAuthDeviceCodeFinishStage))
-        request.session[SESSION_KEY_PLAN] = plan
-        return redirect_with_qs(
-            "authentik_core:if-flow",
-            request.GET,
-            flow_slug=self.token.provider.authorization_flow.slug,
+        return app
+    except Application.DoesNotExist:
+        return None
+
+
+def validate_code(code: int, request: HttpRequest) -> HttpResponse | None:
+    """Validate user token"""
+    token = DeviceToken.objects.filter(
+        user_code=code,
+    ).first()
+    if not token:
+        return None
+
+    app = get_application(token.provider)
+    if not app:
+        return None
+
+    scope_descriptions = UserInfoView().get_scope_descriptions(token.scope, token.provider)
+    planner = FlowPlanner(token.provider.authorization_flow)
+    planner.allow_empty_flows = True
+    planner.use_cache = False
+    try:
+        plan = planner.plan(
+            request,
+            {
+                PLAN_CONTEXT_SSO: True,
+                PLAN_CONTEXT_APPLICATION: app,
+                # OAuth2 related params
+                PLAN_CONTEXT_DEVICE: token,
+                # Consent related params
+                PLAN_CONTEXT_CONSENT_HEADER: _("You're about to sign into %(application)s.")
+                % {"application": app.name},
+                PLAN_CONTEXT_CONSENT_PERMISSIONS: scope_descriptions,
+            },
         )
+    except FlowNonApplicableException:
+        LOGGER.warning("Flow not applicable to user")
+        return None
+    plan.insert_stage(in_memory_stage(OAuthDeviceCodeFinishStage))
+    request.session[SESSION_KEY_PLAN] = plan
+    return redirect_with_qs(
+        "authentik_core:if-flow",
+        request.GET,
+        flow_slug=token.provider.authorization_flow.slug,
+    )
 
 
-class DeviceEntryView(PolicyAccessView):
+class DeviceEntryView(View):
     """View used to initiate the device-code flow, url entered by endusers"""
 
     def dispatch(self, request: HttpRequest) -> HttpResponse:
@@ -88,9 +94,7 @@ class DeviceEntryView(PolicyAccessView):
             LOGGER.info("Brand has no device code flow configured", brand=brand)
             return HttpResponse(status=404)
         if QS_KEY_CODE in request.GET:
-            validation = CodeValidatorView(request.GET[QS_KEY_CODE], request=request).dispatch(
-                request
-            )
+            validation = validate_code(request.GET[QS_KEY_CODE], request)
             if validation:
                 return validation
             LOGGER.info("Got code from query parameter but no matching token found")
@@ -127,7 +131,7 @@ class OAuthDeviceCodeChallengeResponse(ChallengeResponse):
 
     def validate_code(self, code: int) -> HttpResponse | None:
         """Validate code and save the returned http response"""
-        response = CodeValidatorView(code, request=self.stage.request).dispatch(self.stage.request)
+        response = validate_code(code, self.stage.request)
         if not response:
             raise ValidationError(_("Invalid code"), "invalid")
         return response

authentik/providers/saml/migrations/0014_alter_samlprovider_digest_algorithm_and_more.py

@@ -1,44 +0,0 @@
-# Generated by Django 5.0.4 on 2024-05-01 15:32
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_providers_saml", "0013_samlprovider_default_relay_state"),
-    ]
-
-    operations = [
-        migrations.AlterField(
-            model_name="samlprovider",
-            name="digest_algorithm",
-            field=models.TextField(
-                choices=[
-                    ("http://www.w3.org/2000/09/xmldsig#sha1", "SHA1"),
-                    ("http://www.w3.org/2001/04/xmlenc#sha256", "SHA256"),
-                    ("http://www.w3.org/2001/04/xmldsig-more#sha384", "SHA384"),
-                    ("http://www.w3.org/2001/04/xmlenc#sha512", "SHA512"),
-                ],
-                default="http://www.w3.org/2001/04/xmlenc#sha256",
-            ),
-        ),
-        migrations.AlterField(
-            model_name="samlprovider",
-            name="signature_algorithm",
-            field=models.TextField(
-                choices=[
-                    ("http://www.w3.org/2000/09/xmldsig#rsa-sha1", "RSA-SHA1"),
-                    ("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", "RSA-SHA256"),
-                    ("http://www.w3.org/2001/04/xmldsig-more#rsa-sha384", "RSA-SHA384"),
-                    ("http://www.w3.org/2001/04/xmldsig-more#rsa-sha512", "RSA-SHA512"),
-                    ("http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1", "ECDSA-SHA1"),
-                    ("http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256", "ECDSA-SHA256"),
-                    ("http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384", "ECDSA-SHA384"),
-                    ("http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512", "ECDSA-SHA512"),
-                    ("http://www.w3.org/2000/09/xmldsig#dsa-sha1", "DSA-SHA1"),
-                ],
-                default="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
-            ),
-        ),
-    ]

authentik/providers/saml/models.py

@@ -11,10 +11,6 @@ from authentik.crypto.models import CertificateKeyPair
 from authentik.lib.utils.time import timedelta_string_validator
 from authentik.sources.saml.processors.constants import (
     DSA_SHA1,
-    ECDSA_SHA1,
-    ECDSA_SHA256,
-    ECDSA_SHA384,
-    ECDSA_SHA512,
     RSA_SHA1,
     RSA_SHA256,
     RSA_SHA384,
@@ -96,7 +92,8 @@ class SAMLProvider(Provider):
         ),
     )
 
-    digest_algorithm = models.TextField(
+    digest_algorithm = models.CharField(
+        max_length=50,
         choices=(
             (SHA1, _("SHA1")),
             (SHA256, _("SHA256")),
@@ -105,16 +102,13 @@ class SAMLProvider(Provider):
         ),
         default=SHA256,
     )
-    signature_algorithm = models.TextField(
+    signature_algorithm = models.CharField(
+        max_length=50,
         choices=(
             (RSA_SHA1, _("RSA-SHA1")),
             (RSA_SHA256, _("RSA-SHA256")),
             (RSA_SHA384, _("RSA-SHA384")),
             (RSA_SHA512, _("RSA-SHA512")),
-            (ECDSA_SHA1, _("ECDSA-SHA1")),
-            (ECDSA_SHA256, _("ECDSA-SHA256")),
-            (ECDSA_SHA384, _("ECDSA-SHA384")),
-            (ECDSA_SHA512, _("ECDSA-SHA512")),
             (DSA_SHA1, _("DSA-SHA1")),
         ),
         default=RSA_SHA256,

authentik/providers/saml/tests/test_metadata.py

@@ -7,14 +7,13 @@ from lxml import etree  # nosec
 
 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_cert, create_test_flow
-from authentik.crypto.builder import PrivateKeyAlg
 from authentik.lib.generators import generate_id
 from authentik.lib.tests.utils import load_fixture
 from authentik.lib.xml import lxml_from_string
 from authentik.providers.saml.models import SAMLBindings, SAMLPropertyMapping, SAMLProvider
 from authentik.providers.saml.processors.metadata import MetadataProcessor
 from authentik.providers.saml.processors.metadata_parser import ServiceProviderMetadataParser
-from authentik.sources.saml.processors.constants import ECDSA_SHA256, NS_MAP, NS_SAML_METADATA
+from authentik.sources.saml.processors.constants import NS_MAP, NS_SAML_METADATA
 
 
 class TestServiceProviderMetadataParser(TestCase):
@@ -108,41 +107,12 @@ class TestServiceProviderMetadataParser(TestCase):
                 load_fixture("fixtures/cert.xml").replace("/apps/user_saml", "")
             )
 
-    def test_signature_rsa(self):
-        """Test signature validation (RSA)"""
+    def test_signature(self):
+        """Test signature validation"""
         provider = SAMLProvider.objects.create(
             name=generate_id(),
             authorization_flow=self.flow,
-            signing_kp=create_test_cert(PrivateKeyAlg.RSA),
-        )
-        Application.objects.create(
-            name=generate_id(),
-            slug=generate_id(),
-            provider=provider,
-        )
-        request = self.factory.get("/")
-        metadata = MetadataProcessor(provider, request).build_entity_descriptor()
-
-        root = fromstring(metadata.encode())
-        xmlsec.tree.add_ids(root, ["ID"])
-        signature_nodes = root.xpath("/md:EntityDescriptor/ds:Signature", namespaces=NS_MAP)
-        signature_node = signature_nodes[0]
-        ctx = xmlsec.SignatureContext()
-        key = xmlsec.Key.from_memory(
-            provider.signing_kp.certificate_data,
-            xmlsec.constants.KeyDataFormatCertPem,
-            None,
-        )
-        ctx.key = key
-        ctx.verify(signature_node)
-
-    def test_signature_ecdsa(self):
-        """Test signature validation (ECDSA)"""
-        provider = SAMLProvider.objects.create(
-            name=generate_id(),
-            authorization_flow=self.flow,
-            signing_kp=create_test_cert(PrivateKeyAlg.ECDSA),
-            signature_algorithm=ECDSA_SHA256,
+            signing_kp=create_test_cert(),
         )
         Application.objects.create(
             name=generate_id(),

authentik/providers/scim/clients/group.py

@@ -41,7 +41,7 @@ class SCIMGroupClient(SCIMClient[Group, SCIMGroupSchema]):
         if not scim_group:
             self.logger.debug("Group does not exist in SCIM, skipping")
             return None
-        response = self._request("DELETE", f"/Groups/{scim_group.scim_id}")
+        response = self._request("DELETE", f"/Groups/{scim_group.id}")
         scim_group.delete()
         return response
 
@@ -89,7 +89,7 @@ class SCIMGroupClient(SCIMClient[Group, SCIMGroupSchema]):
         for user in connections:
             members.append(
                 GroupMember(
-                    value=user.scim_id,
+                    value=user.id,
                 )
             )
         if members:
@@ -107,19 +107,16 @@ class SCIMGroupClient(SCIMClient[Group, SCIMGroupSchema]):
                 exclude_unset=True,
             ),
         )
-        scim_id = response.get("id")
-        if not scim_id or scim_id == "":
-            raise StopSync("SCIM Response with missing or invalid `id`")
-        SCIMGroup.objects.create(provider=self.provider, group=group, scim_id=scim_id)
+        SCIMGroup.objects.create(provider=self.provider, group=group, id=response["id"])
 
     def _update(self, group: Group, connection: SCIMGroup):
         """Update existing group"""
         scim_group = self.to_scim(group)
-        scim_group.id = connection.scim_id
+        scim_group.id = connection.id
         try:
             return self._request(
                 "PUT",
-                f"/Groups/{connection.scim_id}",
+                f"/Groups/{scim_group.id}",
                 json=scim_group.model_dump(
                     mode="json",
                     exclude_unset=True,
@@ -188,13 +185,13 @@ class SCIMGroupClient(SCIMClient[Group, SCIMGroupSchema]):
             return
         user_ids = list(
             SCIMUser.objects.filter(user__pk__in=users_set, provider=self.provider).values_list(
-                "scim_id", flat=True
+                "id", flat=True
             )
         )
         if len(user_ids) < 1:
             return
         self._patch(
-            scim_group.scim_id,
+            scim_group.id,
             PatchOperation(
                 op=PatchOp.add,
                 path="members",
@@ -214,13 +211,13 @@ class SCIMGroupClient(SCIMClient[Group, SCIMGroupSchema]):
             return
         user_ids = list(
             SCIMUser.objects.filter(user__pk__in=users_set, provider=self.provider).values_list(
-                "scim_id", flat=True
+                "id", flat=True
             )
         )
         if len(user_ids) < 1:
             return
         self._patch(
-            scim_group.scim_id,
+            scim_group.id,
             PatchOperation(
                 op=PatchOp.remove,
                 path="members",

authentik/providers/scim/clients/schema.py

@@ -9,14 +9,13 @@ from pydanticscim.service_provider import (
 )
 from pydanticscim.user import User as BaseUser
 
-SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
-SCIM_GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"
-
 
 class User(BaseUser):
     """Modified User schema with added externalId field"""
 
-    schemas: list[str] = [SCIM_USER_SCHEMA]
+    schemas: list[str] = [
+        "urn:ietf:params:scim:schemas:core:2.0:User",
+    ]
     externalId: str | None = None
     meta: dict | None = None
 
@@ -24,7 +23,9 @@ class User(BaseUser):
 class Group(BaseGroup):
     """Modified Group schema with added externalId field"""
 
-    schemas: list[str] = [SCIM_GROUP_SCHEMA]
+    schemas: list[str] = [
+        "urn:ietf:params:scim:schemas:core:2.0:Group",
+    ]
     externalId: str | None = None
     meta: dict | None = None
 

authentik/providers/scim/clients/user.py

@@ -34,7 +34,7 @@ class SCIMUserClient(SCIMClient[User, SCIMUserSchema]):
         if not scim_user:
             self.logger.debug("User does not exist in SCIM, skipping")
             return None
-        response = self._request("DELETE", f"/Users/{scim_user.scim_id}")
+        response = self._request("DELETE", f"/Users/{scim_user.id}")
         scim_user.delete()
         return response
 
@@ -85,18 +85,15 @@ class SCIMUserClient(SCIMClient[User, SCIMUserSchema]):
                 exclude_unset=True,
             ),
         )
-        scim_id = response.get("id")
-        if not scim_id or scim_id == "":
-            raise StopSync("SCIM Response with missing or invalid `id`")
-        SCIMUser.objects.create(provider=self.provider, user=user, scim_id=scim_id)
+        SCIMUser.objects.create(provider=self.provider, user=user, id=response["id"])
 
     def _update(self, user: User, connection: SCIMUser):
         """Update existing user"""
         scim_user = self.to_scim(user)
-        scim_user.id = connection.scim_id
+        scim_user.id = connection.id
         self._request(
             "PUT",
-            f"/Users/{connection.scim_id}",
+            f"/Users/{connection.id}",
             json=scim_user.model_dump(
                 mode="json",
                 exclude_unset=True,

authentik/providers/scim/management/commands/scim_sync.py

@@ -3,7 +3,7 @@
 from structlog.stdlib import get_logger
 
 from authentik.providers.scim.models import SCIMProvider
-from authentik.providers.scim.tasks import scim_task_wrapper
+from authentik.providers.scim.tasks import scim_sync
 from authentik.tenants.management import TenantCommand
 
 LOGGER = get_logger()
@@ -21,4 +21,4 @@ class Command(TenantCommand):
             if not provider:
                 LOGGER.warning("Provider does not exist", name=provider_name)
                 continue
-            scim_task_wrapper(provider.pk).get()
+            scim_sync.delay(provider.pk).get()

authentik/providers/scim/migrations/0007_scimgroup_scim_id_scimuser_scim_id_and_more.py

@@ -1,76 +0,0 @@
-# Generated by Django 5.0.4 on 2024-05-03 12:38
-
-import uuid
-from django.db import migrations, models
-from django.apps.registry import Apps
-
-from django.db.backends.base.schema import BaseDatabaseSchemaEditor
-
-from authentik.lib.migrations import progress_bar
-
-
-def fix_scim_user_group_pk(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    SCIMUser = apps.get_model("authentik_providers_scim", "SCIMUser")
-    SCIMGroup = apps.get_model("authentik_providers_scim", "SCIMGroup")
-    db_alias = schema_editor.connection.alias
-    print("\nFixing primary key for SCIM users, this might take a couple of minutes...")
-    for user in progress_bar(SCIMUser.objects.using(db_alias).all()):
-        SCIMUser.objects.using(db_alias).filter(
-            pk=user.pk, user=user.user_id, provider=user.provider_id
-        ).update(scim_id=user.pk, id=uuid.uuid4())
-
-    print("\nFixing primary key for SCIM groups, this might take a couple of minutes...")
-    for group in progress_bar(SCIMGroup.objects.using(db_alias).all()):
-        SCIMGroup.objects.using(db_alias).filter(
-            pk=group.pk, group=group.group_id, provider=group.provider_id
-        ).update(scim_id=group.pk, id=uuid.uuid4())
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        (
-            "authentik_providers_scim",
-            "0001_squashed_0006_rename_parent_group_scimprovider_filter_group",
-        ),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="scimgroup",
-            name="scim_id",
-            field=models.TextField(default="temp"),
-            preserve_default=False,
-        ),
-        migrations.AddField(
-            model_name="scimuser",
-            name="scim_id",
-            field=models.TextField(default="temp"),
-            preserve_default=False,
-        ),
-        migrations.RunPython(fix_scim_user_group_pk),
-        migrations.AlterField(
-            model_name="scimgroup",
-            name="id",
-            field=models.UUIDField(
-                default=uuid.uuid4, editable=False, primary_key=True, serialize=False
-            ),
-        ),
-        migrations.AlterField(
-            model_name="scimuser",
-            name="id",
-            field=models.UUIDField(
-                default=uuid.uuid4, editable=False, primary_key=True, serialize=False
-            ),
-        ),
-        migrations.AlterField(model_name="scimuser", name="scim_id", field=models.TextField()),
-        migrations.AlterField(model_name="scimgroup", name="scim_id", field=models.TextField()),
-        migrations.AlterUniqueTogether(
-            name="scimgroup",
-            unique_together={("scim_id", "group", "provider")},
-        ),
-        migrations.AlterUniqueTogether(
-            name="scimuser",
-            unique_together={("scim_id", "user", "provider")},
-        ),
-    ]

authentik/providers/scim/models.py

@@ -1,7 +1,5 @@
 """SCIM Provider models"""
 
-from uuid import uuid4
-
 from django.core.cache import cache
 from django.db import models
 from django.db.models import QuerySet
@@ -99,28 +97,26 @@ class SCIMMapping(PropertyMapping):
 class SCIMUser(models.Model):
     """Mapping of a user and provider to a SCIM user ID"""
 
-    id = models.UUIDField(primary_key=True, editable=False, default=uuid4)
-    scim_id = models.TextField()
+    id = models.TextField(primary_key=True)
     user = models.ForeignKey(User, on_delete=models.CASCADE)
     provider = models.ForeignKey(SCIMProvider, on_delete=models.CASCADE)
 
     class Meta:
-        unique_together = (("scim_id", "user", "provider"),)
+        unique_together = (("id", "user", "provider"),)
 
     def __str__(self) -> str:
-        return f"SCIM User {self.user_id} to {self.provider_id}"
+        return f"SCIM User {self.user.username} to {self.provider.name}"
 
 
 class SCIMGroup(models.Model):
     """Mapping of a group and provider to a SCIM user ID"""
 
-    id = models.UUIDField(primary_key=True, editable=False, default=uuid4)
-    scim_id = models.TextField()
+    id = models.TextField(primary_key=True)
     group = models.ForeignKey(Group, on_delete=models.CASCADE)
     provider = models.ForeignKey(SCIMProvider, on_delete=models.CASCADE)
 
     class Meta:
-        unique_together = (("scim_id", "group", "provider"),)
+        unique_together = (("id", "group", "provider"),)
 
     def __str__(self) -> str:
-        return f"SCIM Group {self.group_id} to {self.provider_id}"
+        return f"SCIM Group {self.group.name} to {self.provider.name}"

authentik/providers/scim/signals.py

@@ -9,7 +9,7 @@ from structlog.stdlib import get_logger
 from authentik.core.models import Group, User
 from authentik.lib.utils.reflection import class_to_path
 from authentik.providers.scim.models import SCIMProvider
-from authentik.providers.scim.tasks import scim_signal_direct, scim_signal_m2m, scim_task_wrapper
+from authentik.providers.scim.tasks import scim_signal_direct, scim_signal_m2m, scim_sync
 
 LOGGER = get_logger()
 
@@ -17,7 +17,7 @@ LOGGER = get_logger()
 @receiver(post_save, sender=SCIMProvider)
 def post_save_provider(sender: type[Model], instance, created: bool, **_):
     """Trigger sync when SCIM provider is saved"""
-    scim_task_wrapper(instance.pk)
+    scim_sync.delay(instance.pk)
 
 
 @receiver(post_save, sender=User)

authentik/providers/scim/tasks.py

@@ -38,23 +38,7 @@ def client_for_model(provider: SCIMProvider, model: Model) -> SCIMClient:
 def scim_sync_all():
     """Run sync for all providers"""
     for provider in SCIMProvider.objects.filter(backchannel_application__isnull=False):
-        scim_task_wrapper(provider.pk)
-
-
-def scim_task_wrapper(provider_pk: int):
-    """Wrap scim_sync to set the correct timeouts"""
-    provider: SCIMProvider = SCIMProvider.objects.filter(
-        pk=provider_pk, backchannel_application__isnull=False
-    ).first()
-    if not provider:
-        return
-    users_paginator = Paginator(provider.get_user_qs(), PAGE_SIZE)
-    groups_paginator = Paginator(provider.get_group_qs(), PAGE_SIZE)
-    soft_time_limit = (users_paginator.num_pages + groups_paginator.num_pages) * PAGE_TIMEOUT
-    time_limit = soft_time_limit * 1.5
-    return scim_sync.apply_async(
-        (provider.pk,), time_limit=int(time_limit), soft_time_limit=int(soft_time_limit)
-    )
+        scim_sync.delay(provider.pk)
 
 
 @CELERY_APP.task(bind=True, base=SystemTask)
@@ -76,7 +60,7 @@ def scim_sync(self: SystemTask, provider_pk: int) -> None:
     users_paginator = Paginator(provider.get_user_qs(), PAGE_SIZE)
     groups_paginator = Paginator(provider.get_group_qs(), PAGE_SIZE)
     self.soft_time_limit = self.time_limit = (
-        users_paginator.num_pages + groups_paginator.num_pages
+        users_paginator.count + groups_paginator.count
     ) * PAGE_TIMEOUT
     with allow_join_result():
         try:

authentik/providers/scim/tests/test_membership.py

@@ -8,7 +8,7 @@ from authentik.core.models import Application, Group, User
 from authentik.lib.generators import generate_id
 from authentik.providers.scim.clients.schema import ServiceProviderConfiguration
 from authentik.providers.scim.models import SCIMMapping, SCIMProvider
-from authentik.providers.scim.tasks import scim_task_wrapper
+from authentik.providers.scim.tasks import scim_sync
 from authentik.tenants.models import Tenant
 
 
@@ -79,7 +79,7 @@ class SCIMMembershipTests(TestCase):
             )
 
             self.configure()
-            scim_task_wrapper(self.provider.pk).get()
+            scim_sync.delay(self.provider.pk).get()
 
             self.assertEqual(mocker.call_count, 6)
             self.assertEqual(mocker.request_history[0].method, "GET")
@@ -169,7 +169,7 @@ class SCIMMembershipTests(TestCase):
             )
 
             self.configure()
-            scim_task_wrapper(self.provider.pk).get()
+            scim_sync.delay(self.provider.pk).get()
 
             self.assertEqual(mocker.call_count, 6)
             self.assertEqual(mocker.request_history[0].method, "GET")

authentik/providers/scim/tests/test_user.py

@@ -10,7 +10,7 @@ from authentik.blueprints.tests import apply_blueprint
 from authentik.core.models import Application, Group, User
 from authentik.lib.generators import generate_id
 from authentik.providers.scim.models import SCIMMapping, SCIMProvider
-from authentik.providers.scim.tasks import scim_task_wrapper
+from authentik.providers.scim.tasks import scim_sync
 from authentik.tenants.models import Tenant
 
 
@@ -88,72 +88,6 @@ class SCIMUserTests(TestCase):
             },
         )
 
-    @Mocker()
-    def test_user_create_different_provider_same_id(self, mock: Mocker):
-        """Test user creation with multiple providers that happen
-        to return the same object ID"""
-        # Create duplicate provider
-        provider: SCIMProvider = SCIMProvider.objects.create(
-            name=generate_id(),
-            url="https://localhost",
-            token=generate_id(),
-            exclude_users_service_account=True,
-        )
-        app: Application = Application.objects.create(
-            name=generate_id(),
-            slug=generate_id(),
-        )
-        app.backchannel_providers.add(provider)
-        provider.property_mappings.add(
-            SCIMMapping.objects.get(managed="goauthentik.io/providers/scim/user")
-        )
-        provider.property_mappings_group.add(
-            SCIMMapping.objects.get(managed="goauthentik.io/providers/scim/group")
-        )
-
-        scim_id = generate_id()
-        mock.get(
-            "https://localhost/ServiceProviderConfig",
-            json={},
-        )
-        mock.post(
-            "https://localhost/Users",
-            json={
-                "id": scim_id,
-            },
-        )
-        uid = generate_id()
-        user = User.objects.create(
-            username=uid,
-            name=f"{uid} {uid}",
-            email=f"{uid}@goauthentik.io",
-        )
-        self.assertEqual(mock.call_count, 4)
-        self.assertEqual(mock.request_history[0].method, "GET")
-        self.assertEqual(mock.request_history[1].method, "POST")
-        self.assertJSONEqual(
-            mock.request_history[1].body,
-            {
-                "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
-                "active": True,
-                "emails": [
-                    {
-                        "primary": True,
-                        "type": "other",
-                        "value": f"{uid}@goauthentik.io",
-                    }
-                ],
-                "externalId": user.uid,
-                "name": {
-                    "familyName": uid,
-                    "formatted": f"{uid} {uid}",
-                    "givenName": uid,
-                },
-                "displayName": f"{uid} {uid}",
-                "userName": uid,
-            },
-        )
-
     @Mocker()
     def test_user_create_update(self, mock: Mocker):
         """Test user creation and update"""
@@ -302,7 +236,7 @@ class SCIMUserTests(TestCase):
             email=f"{uid}@goauthentik.io",
         )
 
-        scim_task_wrapper(self.provider.pk).get()
+        scim_sync.delay(self.provider.pk).get()
 
         self.assertEqual(mock.call_count, 5)
         self.assertEqual(mock.request_history[0].method, "GET")

authentik/rbac/filters.py

@@ -25,7 +25,7 @@ class ObjectFilter(ObjectPermissionsFilter):
         # Outposts (which are the only objects using internal service accounts)
         # except requests to return an empty list when they have no objects
         # assigned
-        if getattr(request.user, "type", UserTypes.INTERNAL) == UserTypes.INTERNAL_SERVICE_ACCOUNT:
+        if request.user.type == UserTypes.INTERNAL_SERVICE_ACCOUNT:
             return queryset
         if not queryset.exists():
             # User doesn't have direct permission to all objects

authentik/root/settings.py

@@ -376,13 +376,7 @@ CELERY = {
     "task_default_queue": "authentik",
     "broker_url": CONFIG.get("broker.url") or redis_url(CONFIG.get("redis.db")),
     "result_backend": CONFIG.get("result_backend.url") or redis_url(CONFIG.get("redis.db")),
-    "broker_transport_options": CONFIG.get_dict_from_b64_json(
-        "broker.transport_options", {"retry_policy": {"timeout": 5.0}}
-    ),
-    "result_backend_transport_options": CONFIG.get_dict_from_b64_json(
-        "result_backend.transport_options", {"retry_policy": {"timeout": 5.0}}
-    ),
-    "redis_retry_on_timeout": True,
+    "broker_transport_options": CONFIG.get_dict_from_b64_json("broker.transport_options"),
 }
 
 # Sentry integration

authentik/sources/ldap/migrations/0001_squashed_0012_auto_20210812_1703.py

@@ -153,7 +153,7 @@ class Migration(migrations.Migration):
                 (
                     "object_uniqueness_field",
                     models.TextField(
-                        default="objectSid", help_text="Field which contains a unique Identifier."
+                        default="entryDN", help_text="Field which contains a unique Identifier."
                     ),
                 ),
                 ("sync_groups", models.BooleanField(default=True)),

authentik/sources/ldap/models.py

@@ -88,7 +88,7 @@ class LDAPSource(Source):
         help_text=_("Consider Objects matching this filter to be Groups."),
     )
     object_uniqueness_field = models.TextField(
-        default="objectSid", help_text=_("Field which contains a unique Identifier.")
+        default="entryDN", help_text=_("Field which contains a unique Identifier.")
     )
 
     property_mappings_group = models.ManyToManyField(

authentik/sources/ldap/sync/base.py

@@ -47,6 +47,15 @@ class BaseLDAPSynchronizer:
         """UI name for the type of object this class synchronizes"""
         raise NotImplementedError
 
+    def get_unique_identifier(self, ldap_object: dict) -> str | None:
+        """Get unique identifier"""
+        attributes = ldap_object.get("attributes", {})
+        if self._source.object_uniqueness_field in attributes:
+            return flatten(attributes[self._source.object_uniqueness_field])
+        if self._source.object_uniqueness_field in ldap_object:
+            return flatten(ldap_object.get(self._source.object_uniqueness_field))
+        return None
+
     def sync_full(self):
         """Run full sync, this function should only be used in tests"""
         if not settings.TEST:  # noqa
@@ -134,20 +143,22 @@ class BaseLDAPSynchronizer:
                 cookie = None
             yield self._connection.response
 
-    def build_user_properties(self, user_dn: str, **kwargs) -> dict[str, Any]:
+    def build_user_properties(self, user_dn: str, uniq: str, **kwargs) -> dict[str, Any]:
         """Build attributes for User object based on property mappings."""
-        props = self._build_object_properties(user_dn, self._source.property_mappings, **kwargs)
+        props = self._build_object_properties(
+            user_dn, self._source.property_mappings, uniq, **kwargs
+        )
         props.setdefault("path", self._source.get_user_path())
         return props
 
-    def build_group_properties(self, group_dn: str, **kwargs) -> dict[str, Any]:
+    def build_group_properties(self, group_dn: str, uniq: str, **kwargs) -> dict[str, Any]:
         """Build attributes for Group object based on property mappings."""
         return self._build_object_properties(
-            group_dn, self._source.property_mappings_group, **kwargs
+            group_dn, self._source.property_mappings_group, uniq, **kwargs
         )
 
     def _build_object_properties(
-        self, object_dn: str, mappings: QuerySet, **kwargs
+        self, object_dn: str, mappings: QuerySet, uniq: str, **kwargs
     ) -> dict[str, dict[Any, Any]]:
         properties = {"attributes": {}}
         for mapping in mappings.all().select_subclasses():
@@ -180,10 +191,7 @@ class BaseLDAPSynchronizer:
                 ).save()
                 self._logger.warning("Mapping failed to evaluate", exc=exc, mapping=mapping)
                 continue
-        if self._source.object_uniqueness_field in kwargs:
-            properties["attributes"][LDAP_UNIQUENESS] = flatten(
-                kwargs.get(self._source.object_uniqueness_field)
-            )
+        properties["attributes"][LDAP_UNIQUENESS] = uniq
         properties["attributes"][LDAP_DISTINGUISHED_NAME] = object_dn
         return properties
 

authentik/sources/ldap/sync/groups.py

@@ -41,16 +41,16 @@ class GroupLDAPSynchronizer(BaseLDAPSynchronizer):
                 continue
             attributes = group.get("attributes", {})
             group_dn = flatten(flatten(group.get("entryDN", group.get("dn"))))
-            if self._source.object_uniqueness_field not in attributes:
+            uniq = self.get_unique_identifier(group)
+            if not uniq:
                 self.message(
                     f"Cannot find uniqueness field in attributes: '{group_dn}'",
                     attributes=attributes.keys(),
                     dn=group_dn,
                 )
                 continue
-            uniq = flatten(attributes[self._source.object_uniqueness_field])
             try:
-                defaults = self.build_group_properties(group_dn, **attributes)
+                defaults = self.build_group_properties(group_dn, uniq, **attributes)
                 defaults["parent"] = self._source.sync_parent_group
                 if "name" not in defaults:
                     raise IntegrityError("Name was not set by propertymappings")

authentik/sources/ldap/sync/membership.py

@@ -4,7 +4,7 @@ from collections.abc import Generator
 from typing import Any
 
 from django.db.models import Q
-from ldap3 import SUBTREE
+from ldap3 import ALL_ATTRIBUTES, ALL_OPERATIONAL_ATTRIBUTES, SUBTREE
 
 from authentik.core.models import Group, User
 from authentik.sources.ldap.auth import LDAP_DISTINGUISHED_NAME
@@ -33,11 +33,7 @@ class MembershipLDAPSynchronizer(BaseLDAPSynchronizer):
             search_base=self.base_dn_groups,
             search_filter=self._source.group_object_filter,
             search_scope=SUBTREE,
-            attributes=[
-                self._source.group_membership_field,
-                self._source.object_uniqueness_field,
-                LDAP_DISTINGUISHED_NAME,
-            ],
+            attributes=[ALL_ATTRIBUTES, ALL_OPERATIONAL_ATTRIBUTES],
             **kwargs,
         )
 
@@ -80,7 +76,7 @@ class MembershipLDAPSynchronizer(BaseLDAPSynchronizer):
     def get_group(self, group_dict: dict[str, Any]) -> Group | None:
         """Check if we fetched the group already, and if not cache it for later"""
         group_dn = group_dict.get("attributes", {}).get(LDAP_DISTINGUISHED_NAME, [])
-        group_uniq = group_dict.get("attributes", {}).get(self._source.object_uniqueness_field, [])
+        group_uniq = self.get_unique_identifier(group_dict)
         # group_uniq might be a single string or an array with (hopefully) a single string
         if isinstance(group_uniq, list):
             if len(group_uniq) < 1:

authentik/sources/ldap/sync/users.py

@@ -43,16 +43,16 @@ class UserLDAPSynchronizer(BaseLDAPSynchronizer):
                 continue
             attributes = user.get("attributes", {})
             user_dn = flatten(user.get("entryDN", user.get("dn")))
-            if self._source.object_uniqueness_field not in attributes:
+            uniq = self.get_unique_identifier(user)
+            if not uniq:
                 self.message(
                     f"Cannot find uniqueness field in attributes: '{user_dn}'",
                     attributes=attributes.keys(),
                     dn=user_dn,
                 )
                 continue
-            uniq = flatten(attributes[self._source.object_uniqueness_field])
             try:
-                defaults = self.build_user_properties(user_dn, **attributes)
+                defaults = self.build_user_properties(user_dn, uniq, **attributes)
                 self._logger.debug("Writing user with attributes", **defaults)
                 if "username" not in defaults:
                     raise IntegrityError("Username was not set by propertymappings")

authentik/sources/ldap/tests/mock_ad.py

@@ -41,7 +41,7 @@ def mock_ad_connection(password: str) -> Connection:
     connection.strategy.add_entry(
         "cn=group2,ou=groups,dc=goauthentik,dc=io",
         {
-            "name": "test-group",
+            "name": "test-group2",
             "objectClass": "group",
             "distinguishedName": "cn=group2,ou=groups,dc=goauthentik,dc=io",
         },
@@ -61,18 +61,6 @@ def mock_ad_connection(password: str) -> Connection:
             ),
         },
     )
-    # User without SID
-    connection.strategy.add_entry(
-        "cn=user1,ou=users,dc=goauthentik,dc=io",
-        {
-            "userPassword": "test1111",
-            "sAMAccountName": "user2_sn",
-            "name": "user1_sn",
-            "revision": 0,
-            "objectClass": "person",
-            "distinguishedName": "cn=user1,ou=users,dc=goauthentik,dc=io",
-        },
-    )
     # Duplicate users
     connection.strategy.add_entry(
         "cn=user2,ou=users,dc=goauthentik,dc=io",
@@ -87,7 +75,7 @@ def mock_ad_connection(password: str) -> Connection:
         },
     )
     connection.strategy.add_entry(
-        "cn=user3,ou=users,dc=goauthentik,dc=io",
+        "cn=user2,ou=users,dc=goauthentik,dc=io",
         {
             "userPassword": "test2222",
             "sAMAccountName": "user2_sn",
@@ -95,7 +83,7 @@ def mock_ad_connection(password: str) -> Connection:
             "revision": 0,
             "objectSid": "unique-test2222",
             "objectClass": "person",
-            "distinguishedName": "cn=user3,ou=users,dc=goauthentik,dc=io",
+            "distinguishedName": "cn=user2,ou=users,dc=goauthentik,dc=io",
         },
     )
     connection.bind()

authentik/sources/ldap/tests/test_sync.py

@@ -108,12 +108,7 @@ class LDAPSyncTests(TestCase):
         user = User.objects.create(
             username="user0_sn",
             attributes={
-                "ldap_uniq": (
-                    "S-117-6648368-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-"
-                    "0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-"
-                    "0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-"
-                    "0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0"
-                ),
+                "ldap_uniq": "cn=user0,ou=foo,ou=users,dc=goauthentik,dc=io",
                 "foo": "bar",
             },
         )

authentik/sources/oauth/clients/oauth2.py

@@ -80,7 +80,7 @@ class OAuth2Client(BaseOAuthClient):
             access_token_url = self.source.source_type.access_token_url or ""
             if self.source.source_type.urls_customizable and self.source.access_token_url:
                 access_token_url = self.source.access_token_url
-            response = self.do_request(
+            response = self.session.request(
                 "post", access_token_url, data=args, headers=self._default_headers, **request_kwargs
             )
             response.raise_for_status()

authentik/sources/saml/migrations/0014_alter_samlsource_digest_algorithm_and_more.py

@@ -1,44 +0,0 @@
-# Generated by Django 5.0.4 on 2024-05-01 15:44
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_sources_saml", "0013_samlsource_verification_kp_and_more"),
-    ]
-
-    operations = [
-        migrations.AlterField(
-            model_name="samlsource",
-            name="digest_algorithm",
-            field=models.TextField(
-                choices=[
-                    ("http://www.w3.org/2000/09/xmldsig#sha1", "SHA1"),
-                    ("http://www.w3.org/2001/04/xmlenc#sha256", "SHA256"),
-                    ("http://www.w3.org/2001/04/xmldsig-more#sha384", "SHA384"),
-                    ("http://www.w3.org/2001/04/xmlenc#sha512", "SHA512"),
-                ],
-                default="http://www.w3.org/2001/04/xmlenc#sha256",
-            ),
-        ),
-        migrations.AlterField(
-            model_name="samlsource",
-            name="signature_algorithm",
-            field=models.TextField(
-                choices=[
-                    ("http://www.w3.org/2000/09/xmldsig#rsa-sha1", "RSA-SHA1"),
-                    ("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", "RSA-SHA256"),
-                    ("http://www.w3.org/2001/04/xmldsig-more#rsa-sha384", "RSA-SHA384"),
-                    ("http://www.w3.org/2001/04/xmldsig-more#rsa-sha512", "RSA-SHA512"),
-                    ("http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1", "ECDSA-SHA1"),
-                    ("http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256", "ECDSA-SHA256"),
-                    ("http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384", "ECDSA-SHA384"),
-                    ("http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512", "ECDSA-SHA512"),
-                    ("http://www.w3.org/2000/09/xmldsig#dsa-sha1", "DSA-SHA1"),
-                ],
-                default="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
-            ),
-        ),
-    ]

authentik/sources/saml/models.py

@@ -15,10 +15,6 @@ from authentik.flows.models import Flow
 from authentik.lib.utils.time import timedelta_string_validator
 from authentik.sources.saml.processors.constants import (
     DSA_SHA1,
-    ECDSA_SHA1,
-    ECDSA_SHA256,
-    ECDSA_SHA384,
-    ECDSA_SHA512,
     RSA_SHA1,
     RSA_SHA256,
     RSA_SHA384,
@@ -147,7 +143,8 @@ class SAMLSource(Source):
         verbose_name=_("Signing Keypair"),
     )
 
-    digest_algorithm = models.TextField(
+    digest_algorithm = models.CharField(
+        max_length=50,
         choices=(
             (SHA1, _("SHA1")),
             (SHA256, _("SHA256")),
@@ -156,16 +153,13 @@ class SAMLSource(Source):
         ),
         default=SHA256,
     )
-    signature_algorithm = models.TextField(
+    signature_algorithm = models.CharField(
+        max_length=50,
         choices=(
             (RSA_SHA1, _("RSA-SHA1")),
             (RSA_SHA256, _("RSA-SHA256")),
             (RSA_SHA384, _("RSA-SHA384")),
             (RSA_SHA512, _("RSA-SHA512")),
-            (ECDSA_SHA1, _("ECDSA-SHA1")),
-            (ECDSA_SHA256, _("ECDSA-SHA256")),
-            (ECDSA_SHA384, _("ECDSA-SHA384")),
-            (ECDSA_SHA512, _("ECDSA-SHA512")),
             (DSA_SHA1, _("DSA-SHA1")),
         ),
         default=RSA_SHA256,

authentik/sources/saml/processors/constants.py

@@ -26,16 +26,9 @@ SAML_BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
 
 DSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#dsa-sha1"
 RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
-# https://datatracker.ietf.org/doc/html/rfc4051#section-2.3.2
 RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
 RSA_SHA384 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"
 RSA_SHA512 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"
-# https://datatracker.ietf.org/doc/html/rfc4051#section-2.3.6
-ECDSA_SHA1 = "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"
-ECDSA_SHA224 = "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224"
-ECDSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"
-ECDSA_SHA384 = "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384"
-ECDSA_SHA512 = "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"
 
 SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
 SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
@@ -48,11 +41,6 @@ SIGN_ALGORITHM_TRANSFORM_MAP = {
     RSA_SHA256: xmlsec.constants.TransformRsaSha256,
     RSA_SHA384: xmlsec.constants.TransformRsaSha384,
     RSA_SHA512: xmlsec.constants.TransformRsaSha512,
-    ECDSA_SHA1: xmlsec.constants.TransformEcdsaSha1,
-    ECDSA_SHA224: xmlsec.constants.TransformEcdsaSha224,
-    ECDSA_SHA256: xmlsec.constants.TransformEcdsaSha256,
-    ECDSA_SHA384: xmlsec.constants.TransformEcdsaSha384,
-    ECDSA_SHA512: xmlsec.constants.TransformEcdsaSha512,
 }
 
 DIGEST_ALGORITHM_TRANSLATION_MAP = {

authentik/sources/scim/models.py

@@ -60,7 +60,7 @@ class SCIMSourceUser(SerializerModel):
         unique_together = (("id", "user", "source"),)
 
     def __str__(self) -> str:
-        return f"SCIM User {self.user_id} to {self.source_id}"
+        return f"SCIM User {self.user.username} to {self.source.name}"
 
 
 class SCIMSourceGroup(SerializerModel):
@@ -81,4 +81,4 @@ class SCIMSourceGroup(SerializerModel):
         unique_together = (("id", "group", "source"),)
 
     def __str__(self) -> str:
-        return f"SCIM Group {self.group_id} to {self.source_id}"
+        return f"SCIM Group {self.group.name} to {self.source.name}"

authentik/sources/scim/signals.py

@@ -2,11 +2,9 @@ from django.db.models import Model
 from django.db.models.signals import pre_delete, pre_save
 from django.dispatch import receiver
 
-from authentik.core.models import USER_PATH_SYSTEM_PREFIX, Token, TokenIntents, User, UserTypes
+from authentik.core.models import Token, TokenIntents, User, UserTypes
 from authentik.sources.scim.models import SCIMSource
 
-USER_PATH_SOURCE_SCIM = USER_PATH_SYSTEM_PREFIX + "/sources/scim"
-
 
 @receiver(pre_save, sender=SCIMSource)
 def scim_source_pre_save(sender: type[Model], instance: SCIMSource, **_):
@@ -18,7 +16,6 @@ def scim_source_pre_save(sender: type[Model], instance: SCIMSource, **_):
         username=identifier,
         name=f"SCIM Source {instance.name} Service-Account",
         type=UserTypes.INTERNAL_SERVICE_ACCOUNT,
-        path=USER_PATH_SOURCE_SCIM,
     )
     token = Token.objects.create(
         user=user,

authentik/sources/scim/views/v2/groups.py

@@ -13,7 +13,6 @@ from rest_framework.request import Request
 from rest_framework.response import Response
 
 from authentik.core.models import Group, User
-from authentik.providers.scim.clients.schema import SCIM_USER_SCHEMA
 from authentik.providers.scim.clients.schema import Group as SCIMGroupModel
 from authentik.sources.scim.models import SCIMSourceGroup
 from authentik.sources.scim.views.v2.base import SCIMView
@@ -27,11 +26,9 @@ class GroupsView(SCIMView):
     def group_to_scim(self, scim_group: SCIMSourceGroup) -> dict:
         """Convert Group to SCIM data"""
         payload = SCIMGroupModel(
-            schemas=[SCIM_USER_SCHEMA],
             id=str(scim_group.group.pk),
             externalId=scim_group.id,
             displayName=scim_group.group.name,
-            members=[],
             meta={
                 "resourceType": "Group",
                 "location": self.request.build_absolute_uri(
@@ -45,24 +42,28 @@ class GroupsView(SCIMView):
                 ),
             },
         )
-        for member in scim_group.group.users.order_by("pk"):
-            member: User
-            payload.members.append(GroupMember(value=str(member.uuid)))
-        return payload.model_dump(mode="json", exclude_unset=True)
+        return payload.model_dump(
+            mode="json",
+            exclude_unset=True,
+        )
 
     def get(self, request: Request, group_id: str | None = None, **kwargs) -> Response:
         """List Group handler"""
-        base_query = SCIMSourceGroup.objects.select_related("group").prefetch_related(
-            "group__users"
-        )
         if group_id:
-            connection = base_query.filter(source=self.source, group__group_uuid=group_id).first()
+            connection = (
+                SCIMSourceGroup.objects.filter(source=self.source, group__group_uuid=group_id)
+                .select_related("group")
+                .first()
+            )
             if not connection:
                 raise Http404
             return Response(self.group_to_scim(connection))
         connections = (
-            base_query.filter(source=self.source).order_by("pk").filter(self.filter_parse(request))
+            SCIMSourceGroup.objects.filter(source=self.source)
+            .select_related("group")
+            .order_by("pk")
         )
+        connections = connections.filter(self.filter_parse(request))
         page = self.paginate_query(connections)
         return Response(
             {
@@ -78,8 +79,6 @@ class GroupsView(SCIMView):
     def update_group(self, connection: SCIMSourceGroup | None, data: QueryDict):
         """Partial update a group"""
         group = connection.group if connection else Group()
-        if _group := Group.objects.filter(name=data.get("displayName")).first():
-            group = _group
         if "displayName" in data:
             group.name = data.get("displayName")
         if group.name == "":

authentik/sources/scim/views/v2/users.py

@@ -11,7 +11,6 @@ from rest_framework.request import Request
 from rest_framework.response import Response
 
 from authentik.core.models import User
-from authentik.providers.scim.clients.schema import SCIM_USER_SCHEMA
 from authentik.providers.scim.clients.schema import User as SCIMUserModel
 from authentik.sources.scim.models import SCIMSourceUser
 from authentik.sources.scim.views.v2.base import SCIMView
@@ -34,7 +33,6 @@ class UsersView(SCIMView):
     def user_to_scim(self, scim_user: SCIMSourceUser) -> dict:
         """Convert User to SCIM data"""
         payload = SCIMUserModel(
-            schemas=[SCIM_USER_SCHEMA],
             id=str(scim_user.user.uuid),
             externalId=scim_user.id,
             userName=scim_user.user.username,
@@ -64,7 +62,10 @@ class UsersView(SCIMView):
                 ),
             },
         )
-        final_payload = payload.model_dump(mode="json", exclude_unset=True)
+        final_payload = payload.model_dump(
+            mode="json",
+            exclude_unset=True,
+        )
         final_payload.update(scim_user.attributes)
         return final_payload
 
@@ -98,8 +99,6 @@ class UsersView(SCIMView):
     def update_user(self, connection: SCIMSourceUser | None, data: QueryDict):
         """Partial update a user"""
         user = connection.user if connection else User()
-        if _user := User.objects.filter(username=data.get("userName")).first():
-            user = _user
         user.path = self.source.get_user_path()
         if "userName" in data:
             user.username = data.get("userName")

authentik/stages/authenticator_duo/models.py

@@ -96,7 +96,7 @@ class DuoDevice(SerializerModel, Device):
         return DuoDeviceSerializer
 
     def __str__(self):
-        return str(self.name) or str(self.user_id)
+        return str(self.name) or str(self.user)
 
     class Meta:
         verbose_name = _("Duo Device")

authentik/stages/authenticator_sms/models.py

@@ -221,7 +221,7 @@ class SMSDevice(SerializerModel, SideChannelDevice):
         return valid
 
     def __str__(self):
-        return str(self.name) or str(self.user_id)
+        return str(self.name) or str(self.user)
 
     class Meta:
         verbose_name = _("SMS Device")

authentik/stages/authenticator_webauthn/models.py

@@ -155,7 +155,7 @@ class WebAuthnDevice(SerializerModel, Device):
         return WebAuthnDeviceSerializer
 
     def __str__(self):
-        return str(self.name) or str(self.user_id)
+        return str(self.name) or str(self.user)
 
     class Meta:
         verbose_name = _("WebAuthn Device")

authentik/stages/consent/models.py

@@ -65,7 +65,7 @@ class UserConsent(SerializerModel, ExpiringModel):
         return UserConsentSerializer
 
     def __str__(self):
-        return f"User Consent {self.application_id} by {self.user_id}"
+        return f"User Consent {self.application} by {self.user}"
 
     class Meta:
         unique_together = (("user", "application", "permissions"),)

authentik/stages/invitation/models.py

@@ -79,7 +79,7 @@ class Invitation(SerializerModel, ExpiringModel):
         return InvitationSerializer
 
     def __str__(self):
-        return f"Invitation {str(self.invite_uuid)} created by {self.created_by_id}"
+        return f"Invitation {str(self.invite_uuid)} created by {self.created_by}"
 
     class Meta:
         verbose_name = _("Invitation")

authentik/tenants/migrations/0003_alter_tenant_default_token_duration.py

@@ -1,23 +0,0 @@
-# Generated by Django 5.0.4 on 2024-05-01 15:32
-
-import authentik.lib.utils.time
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_tenants", "0002_tenant_default_token_duration_and_more"),
-    ]
-
-    operations = [
-        migrations.AlterField(
-            model_name="tenant",
-            name="default_token_duration",
-            field=models.TextField(
-                default="days=1",
-                help_text="Default token duration",
-                validators=[authentik.lib.utils.time.timedelta_string_validator],
-            ),
-        ),
-    ]

authentik/tenants/scheduler.py

@@ -3,7 +3,6 @@
 from tenant_schemas_celery.scheduler import (
     TenantAwarePersistentScheduler as BaseTenantAwarePersistentScheduler,
 )
-from tenant_schemas_celery.scheduler import TenantAwareScheduleEntry
 
 
 class TenantAwarePersistentScheduler(BaseTenantAwarePersistentScheduler):
@@ -12,11 +11,3 @@ class TenantAwarePersistentScheduler(BaseTenantAwarePersistentScheduler):
     @classmethod
     def get_queryset(cls):
         return super().get_queryset().filter(ready=True)
-
-    def apply_entry(self, entry: TenantAwareScheduleEntry, producer=None):
-        # https://github.com/maciej-gol/tenant-schemas-celery/blob/master/tenant_schemas_celery/scheduler.py#L85
-        # When (as by default) no tenant schemas are set, the public schema is excluded
-        # so we need to explicitly include it here, otherwise the task is not executed
-        if entry.tenant_schemas is None:
-            entry.tenant_schemas = self.get_queryset().values_list("schema_name", flat=True)
-        return super().apply_entry(entry, producer)

blueprints/schema.json

@@ -2,7 +2,7 @@
     "$schema": "http://json-schema.org/draft-07/schema",
     "$id": "https://goauthentik.io/blueprints/schema.json",
     "type": "object",
-    "title": "authentik 2024.4.4 Blueprint schema",
+    "title": "authentik 2024.4.0 Blueprint schema",
     "required": [
         "version",
         "entries"
@@ -4131,10 +4131,6 @@
                         "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
                         "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
                         "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
-                        "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1",
-                        "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256",
-                        "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384",
-                        "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512",
                         "http://www.w3.org/2000/09/xmldsig#dsa-sha1"
                     ],
                     "title": "Signature algorithm"
@@ -4939,10 +4935,6 @@
                         "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
                         "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
                         "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
-                        "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1",
-                        "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256",
-                        "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384",
-                        "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512",
                         "http://www.w3.org/2000/09/xmldsig#dsa-sha1"
                     ],
                     "title": "Signature algorithm"

docker-compose.yml

@@ -32,7 +32,7 @@ services:
     volumes:
       - redis:/data
   server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.4.4}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.4.0}
     restart: unless-stopped
     command: server
     environment:
@@ -53,7 +53,7 @@ services:
       - postgresql
       - redis
   worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.4.4}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.4.0}
     restart: unless-stopped
     command: worker
     environment:

go.mod

@@ -28,7 +28,7 @@ require (
 	github.com/spf13/cobra v1.8.0
 	github.com/stretchr/testify v1.9.0
 	github.com/wwt/guac v1.3.2
-	goauthentik.io/api/v3 v3.2024023.2
+	goauthentik.io/api/v3 v3.2024040.1
 	golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab
 	golang.org/x/oauth2 v0.19.0
 	golang.org/x/sync v0.7.0

go.sum

@@ -294,8 +294,8 @@ go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y
 go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
 go.uber.org/goleak v1.2.1 h1:NBol2c7O1ZokfZ0LEU9K6Whx/KnwvepVetCUhtKja4A=
 go.uber.org/goleak v1.2.1/go.mod h1:qlT2yGI9QafXHhZZLxlSuNsMw3FFLxBr+tBRlmO1xH4=
-goauthentik.io/api/v3 v3.2024023.2 h1:lSVaZAKTpsDhtw11wnkGjPalkDzv9H2VKEJllBi2aXs=
-goauthentik.io/api/v3 v3.2024023.2/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
+goauthentik.io/api/v3 v3.2024040.1 h1:0Mp8XLYuscQEWVTR2lNk74WLKDpOVHX0mlbvbvcC6fw=
+goauthentik.io/api/v3 v3.2024040.1/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=

internal/constants/constants.go

@@ -29,4 +29,4 @@ func UserAgent() string {
 	return fmt.Sprintf("authentik@%s", FullVersion())
 }
 
-const VERSION = "2024.4.4"
+const VERSION = "2024.4.0"

lifecycle/migrate.py

@@ -117,8 +117,6 @@ def run_migrations():
         )
     finally:
         release_lock(curr)
-        curr.close()
-        conn.close()
 
 
 if __name__ == "__main__":

lifecycle/wait_for_db.py

@@ -3,6 +3,7 @@
 import authentik. This is done by the dockerfile."""
 from sys import exit as sysexit
 from time import sleep
+from urllib.parse import quote_plus
 
 from psycopg import OperationalError, connect
 from redis import Redis
@@ -34,7 +35,7 @@ def check_postgres():
 
 
 def check_redis():
-    url = CONFIG.get("cache.url") or redis_url(CONFIG.get("redis.db"))
+    url = redis_url(CONFIG.get("redis.db"))
     while True:
         try:
             redis = Redis.from_url(url)
@@ -42,7 +43,10 @@ def check_redis():
             break
         except RedisError as exc:
             sleep(1)
-            CONFIG.log("info", f"Redis Connection failed, retrying... ({exc})")
+            sanitized_url = url.replace(quote_plus(CONFIG.get("redis.password")), "******")
+            CONFIG.log(
+                "info", f"Redis Connection failed, retrying... ({exc})", redis_url=sanitized_url
+            )
     CONFIG.log("info", "Redis Connection successful")
 
 

pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "authentik"
-version = "2024.4.4"
+version = "2024.4.0"
 description = ""
 authors = ["authentik Team <hello@goauthentik.io>"]
 
@@ -89,7 +89,6 @@ channels = { version = "*", extras = ["daphne"] }
 channels-redis = "*"
 codespell = "*"
 colorama = "*"
-cryptography = "*"
 dacite = "*"
 deepmerge = "*"
 defusedxml = "*"
@@ -102,7 +101,7 @@ django-redis = "*"
 django-storages = { extras = ["s3"], version = "*" }
 # See https://github.com/django-tenants/django-tenants/pull/997
 django-tenants = { git = "https://github.com/rissson/django-tenants.git", branch="authentik-fixes" }
-djangorestframework = "3.14.0"
+djangorestframework = "*"
 djangorestframework-guardian = "*"
 docker = "*"
 drf-spectacular = "*"
@@ -116,11 +115,17 @@ gunicorn = "*"
 jsonpatch = "*"
 kubernetes = "*"
 ldap3 = "*"
-lxml = "*"
+lxml = [
+    # 5.0.0 works with libxml2 2.11.x, which is standard on brew
+    { version = "5.0.0", platform = "darwin" },
+    # 4.9.x works with previous libxml2 versions, which is what we get on linux
+    { version = "4.9.4", platform = "linux" },
+]
 opencontainers = { extras = ["reggie"], version = "*" }
 packaging = "*"
 paramiko = "*"
 psycopg = { extras = ["c"], version = "*" }
+pycryptodome = "*"
 pydantic = "*"
 pydantic-scim = "*"
 pyjwt = "*"

schema.yml

@@ -1,7 +1,7 @@
 openapi: 3.0.3
 info:
   title: authentik
-  version: 2024.4.4
+  version: 2024.4.0
   description: Making authentication simple.
   contact:
     email: hello@goauthentik.io
@@ -17051,10 +17051,6 @@ paths:
           enum:
           - http://www.w3.org/2000/09/xmldsig#dsa-sha1
           - http://www.w3.org/2000/09/xmldsig#rsa-sha1
-          - http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1
-          - http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256
-          - http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384
-          - http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512
           - http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
           - http://www.w3.org/2001/04/xmldsig-more#rsa-sha384
           - http://www.w3.org/2001/04/xmldsig-more#rsa-sha512
@@ -20914,10 +20910,6 @@ paths:
           enum:
           - http://www.w3.org/2000/09/xmldsig#dsa-sha1
           - http://www.w3.org/2000/09/xmldsig#rsa-sha1
-          - http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1
-          - http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256
-          - http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384
-          - http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512
           - http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
           - http://www.w3.org/2001/04/xmldsig-more#rsa-sha384
           - http://www.w3.org/2001/04/xmldsig-more#rsa-sha512
@@ -30458,11 +30450,6 @@ components:
       - pending_user
       - pending_user_avatar
       - type
-    AlgEnum:
-      enum:
-      - rsa
-      - ecdsa
-      type: string
     App:
       type: object
       description: Serialize Application info
@@ -32120,10 +32107,6 @@ components:
           type: string
         validity_days:
           type: integer
-        alg:
-          allOf:
-          - $ref: '#/components/schemas/AlgEnum'
-          default: rsa
       required:
       - common_name
       - validity_days
@@ -43675,10 +43658,6 @@ components:
       - http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
       - http://www.w3.org/2001/04/xmldsig-more#rsa-sha384
       - http://www.w3.org/2001/04/xmldsig-more#rsa-sha512
-      - http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1
-      - http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256
-      - http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384
-      - http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512
       - http://www.w3.org/2000/09/xmldsig#dsa-sha1
       type: string
     Source:

tests/wdio/package-lock.json

@@ -12,10 +12,10 @@
                 "@trivago/prettier-plugin-sort-imports": "^4.3.0",
                 "@typescript-eslint/eslint-plugin": "^7.5.0",
                 "@typescript-eslint/parser": "^7.5.0",
-                "@wdio/cli": "^8.36.0",
-                "@wdio/local-runner": "^8.36.0",
-                "@wdio/mocha-framework": "^8.36.0",
-                "@wdio/spec-reporter": "^8.36.0",
+                "@wdio/cli": "^8.36.1",
+                "@wdio/local-runner": "^8.36.1",
+                "@wdio/mocha-framework": "^8.36.1",
+                "@wdio/spec-reporter": "^8.36.1",
                 "eslint": "^8.57.0",
                 "eslint-config-google": "^0.14.0",
                 "eslint-plugin-sonarjs": "^0.25.1",
@@ -1189,19 +1189,19 @@
             }
         },
         "node_modules/@wdio/cli": {
-            "version": "8.36.0",
-            "resolved": "https://registry.npmjs.org/@wdio/cli/-/cli-8.36.0.tgz",
-            "integrity": "sha512-B8iEwz9DRzHquPihT74nKUzN9s+rCd1TkBp+JGmdgm7pJqiWTe4FORrzaxWjdiCO78jbYK9LgaMORpCcAzjwIA==",
+            "version": "8.36.1",
+            "resolved": "https://registry.npmjs.org/@wdio/cli/-/cli-8.36.1.tgz",
+            "integrity": "sha512-LZBZiwcvvv5P0HuRXt8IV09UiFT5dnDr1Ag5u2roJL2D7l8wDHHa70PXw9MmlbrnyFCUN3hO7FQVUi9MAsDbDQ==",
             "dev": true,
             "dependencies": {
                 "@types/node": "^20.1.1",
                 "@vitest/snapshot": "^1.2.1",
-                "@wdio/config": "8.36.0",
-                "@wdio/globals": "8.36.0",
+                "@wdio/config": "8.36.1",
+                "@wdio/globals": "8.36.1",
                 "@wdio/logger": "8.28.0",
                 "@wdio/protocols": "8.32.0",
-                "@wdio/types": "8.36.0",
-                "@wdio/utils": "8.36.0",
+                "@wdio/types": "8.36.1",
+                "@wdio/utils": "8.36.1",
                 "async-exit-hook": "^2.0.1",
                 "chalk": "^5.2.0",
                 "chokidar": "^3.5.3",
@@ -1216,7 +1216,7 @@
                 "lodash.union": "^4.6.0",
                 "read-pkg-up": "10.0.0",
                 "recursive-readdir": "^2.2.3",
-                "webdriverio": "8.36.0",
+                "webdriverio": "8.36.1",
                 "yargs": "^17.7.2"
             },
             "bin": {
@@ -1239,14 +1239,14 @@
             }
         },
         "node_modules/@wdio/config": {
-            "version": "8.36.0",
-            "resolved": "https://registry.npmjs.org/@wdio/config/-/config-8.36.0.tgz",
-            "integrity": "sha512-sAbqnx/G+OsrMquIncFXjM4U0/E0ULMP0jDHZND75r0e1DYYCHmyacrvIHu3Jyxinl9f6+4XQdev6vqdTqPdNg==",
+            "version": "8.36.1",
+            "resolved": "https://registry.npmjs.org/@wdio/config/-/config-8.36.1.tgz",
+            "integrity": "sha512-yCENnym0CrYuLKMJ3fv00WkjCR8QpPqVohGBkq5FvZOZpVJEpoG86Q8l4HtyRnd6ggMTKCA1vTQ/myhbPmZmaQ==",
             "dev": true,
             "dependencies": {
                 "@wdio/logger": "8.28.0",
-                "@wdio/types": "8.36.0",
-                "@wdio/utils": "8.36.0",
+                "@wdio/types": "8.36.1",
+                "@wdio/utils": "8.36.1",
                 "decamelize": "^6.0.0",
                 "deepmerge-ts": "^5.0.0",
                 "glob": "^10.2.2",
@@ -1257,29 +1257,29 @@
             }
         },
         "node_modules/@wdio/globals": {
-            "version": "8.36.0",
-            "resolved": "https://registry.npmjs.org/@wdio/globals/-/globals-8.36.0.tgz",
-            "integrity": "sha512-vqMq1hR+iF0lqMNJpk9z+QB9l/QfL1DbvOfNhPtQ13NgctfNg42ffuhEObbzTLQN0MftcnPBu6O3pai79y8bUA==",
+            "version": "8.36.1",
+            "resolved": "https://registry.npmjs.org/@wdio/globals/-/globals-8.36.1.tgz",
+            "integrity": "sha512-Qpj6gZCRNxqdVkTwYyi4JdeYO4tLSUj3Ti6yxO0v9A4IRaKW1tS29KUcGgjL9CFSBKAOi2zRY8vvFz1u6ewxtQ==",
             "dev": true,
             "engines": {
                 "node": "^16.13 || >=18"
             },
             "optionalDependencies": {
                 "expect-webdriverio": "^4.11.2",
-                "webdriverio": "8.36.0"
+                "webdriverio": "8.36.1"
             }
         },
         "node_modules/@wdio/local-runner": {
-            "version": "8.36.0",
-            "resolved": "https://registry.npmjs.org/@wdio/local-runner/-/local-runner-8.36.0.tgz",
-            "integrity": "sha512-MIzbWcXgRQGQQK4H5N39/JFoikOg5cu34l1U6rgw74D6hO79L4RwBg2Oo4TJJYgHUL/4RbVwyeLdb5WDTdluTQ==",
+            "version": "8.36.1",
+            "resolved": "https://registry.npmjs.org/@wdio/local-runner/-/local-runner-8.36.1.tgz",
+            "integrity": "sha512-FYsTzbNGRnrniOsLWrZO7+DLecAS9W75AIzFZQVQxruiDFkGmKY5OV6gsuvMlasaqAQXW1s+w29bqrLY4DxdEw==",
             "dev": true,
             "dependencies": {
                 "@types/node": "^20.1.0",
                 "@wdio/logger": "8.28.0",
                 "@wdio/repl": "8.24.12",
-                "@wdio/runner": "8.36.0",
-                "@wdio/types": "8.36.0",
+                "@wdio/runner": "8.36.1",
+                "@wdio/types": "8.36.1",
                 "async-exit-hook": "^2.0.1",
                 "split2": "^4.1.0",
                 "stream-buffers": "^3.0.2"
@@ -1316,16 +1316,16 @@
             }
         },
         "node_modules/@wdio/mocha-framework": {
-            "version": "8.36.0",
-            "resolved": "https://registry.npmjs.org/@wdio/mocha-framework/-/mocha-framework-8.36.0.tgz",
-            "integrity": "sha512-5wZgh1apbSKTtgGwvd//L4kxdaXe30AQ3y9YeJD+OuAJUTYFRjTpMS13bO3pX518imQeB8HCm4aUc2kxs7J81Q==",
+            "version": "8.36.1",
+            "resolved": "https://registry.npmjs.org/@wdio/mocha-framework/-/mocha-framework-8.36.1.tgz",
+            "integrity": "sha512-G0h5AeneMNtoh9CcVQ82OCKj0axxUOEotEcInDu8V6UJbUywNJVL/bdTMKdaq5i84Hnc+s1LUKmLvN95F+lHGA==",
             "dev": true,
             "dependencies": {
                 "@types/mocha": "^10.0.0",
                 "@types/node": "^20.1.0",
                 "@wdio/logger": "8.28.0",
-                "@wdio/types": "8.36.0",
-                "@wdio/utils": "8.36.0",
+                "@wdio/types": "8.36.1",
+                "@wdio/utils": "8.36.1",
                 "mocha": "^10.0.0"
             },
             "engines": {
@@ -1351,14 +1351,14 @@
             }
         },
         "node_modules/@wdio/reporter": {
-            "version": "8.36.0",
-            "resolved": "https://registry.npmjs.org/@wdio/reporter/-/reporter-8.36.0.tgz",
-            "integrity": "sha512-pkAxqiMC+ljmksOKlK9g6y2NRvrdQiKtxD11rsMwJ6CH4kVDSGIvENw7u3kxg7Qwp0j1rCKf5Hp51npqKQgeDQ==",
+            "version": "8.36.1",
+            "resolved": "https://registry.npmjs.org/@wdio/reporter/-/reporter-8.36.1.tgz",
+            "integrity": "sha512-HcXr9XKq/6kPC9nexMRXIc/ft3Lvp0yCaW5tps01Axus9wbi5ysLHi2z5sB84F2YdpM+aRf7Lac56xkc4Jldeg==",
             "dev": true,
             "dependencies": {
                 "@types/node": "^20.1.0",
                 "@wdio/logger": "8.28.0",
-                "@wdio/types": "8.36.0",
+                "@wdio/types": "8.36.1",
                 "diff": "^5.0.0",
                 "object-inspect": "^1.12.0"
             },
@@ -1367,35 +1367,35 @@
             }
         },
         "node_modules/@wdio/runner": {
-            "version": "8.36.0",
-            "resolved": "https://registry.npmjs.org/@wdio/runner/-/runner-8.36.0.tgz",
-            "integrity": "sha512-M2ZDL0gmR2VvVMchi3Pkonva6Gn6eFh6IwVCpT0np7zioaqOksy3IM7Aki8kPKKS88Osip5dAfoKIrY7JpHovA==",
+            "version": "8.36.1",
+            "resolved": "https://registry.npmjs.org/@wdio/runner/-/runner-8.36.1.tgz",
+            "integrity": "sha512-bLkxQ46MLEbzIf30adl2nyz8kxED/V0IjcQASm0VKfNmsG8LOf7iOIz+udOF4GkMoF++5JuONA5abUsyLvwatg==",
             "dev": true,
             "dependencies": {
                 "@types/node": "^20.11.28",
-                "@wdio/config": "8.36.0",
-                "@wdio/globals": "8.36.0",
+                "@wdio/config": "8.36.1",
+                "@wdio/globals": "8.36.1",
                 "@wdio/logger": "8.28.0",
-                "@wdio/types": "8.36.0",
-                "@wdio/utils": "8.36.0",
+                "@wdio/types": "8.36.1",
+                "@wdio/utils": "8.36.1",
                 "deepmerge-ts": "^5.1.0",
                 "expect-webdriverio": "^4.12.0",
                 "gaze": "^1.1.3",
-                "webdriver": "8.36.0",
-                "webdriverio": "8.36.0"
+                "webdriver": "8.36.1",
+                "webdriverio": "8.36.1"
             },
             "engines": {
                 "node": "^16.13 || >=18"
             }
         },
         "node_modules/@wdio/spec-reporter": {
-            "version": "8.36.0",
-            "resolved": "https://registry.npmjs.org/@wdio/spec-reporter/-/spec-reporter-8.36.0.tgz",
-            "integrity": "sha512-GVOiWqVYvzoAo4/4hNVxvyVWVoHyEmAywYhkykyJGL05YpO0oDOZY2kINPePEX5Z+nIsXsiKPmtsGGqWsfQwTw==",
+            "version": "8.36.1",
+            "resolved": "https://registry.npmjs.org/@wdio/spec-reporter/-/spec-reporter-8.36.1.tgz",
+            "integrity": "sha512-VgAd8VQCfwKYz4A3BPDUYNIQxXhRSTaVNbmDzSlYfo5Jekygk7fz0LRFYBpJ69l7eQH0P5nzEyF92oW/rvE3VA==",
             "dev": true,
             "dependencies": {
-                "@wdio/reporter": "8.36.0",
-                "@wdio/types": "8.36.0",
+                "@wdio/reporter": "8.36.1",
+                "@wdio/types": "8.36.1",
                 "chalk": "^5.1.2",
                 "easy-table": "^1.2.0",
                 "pretty-ms": "^7.0.0"
@@ -1417,9 +1417,9 @@
             }
         },
         "node_modules/@wdio/types": {
-            "version": "8.36.0",
-            "resolved": "https://registry.npmjs.org/@wdio/types/-/types-8.36.0.tgz",
-            "integrity": "sha512-0hw/PaJHqDrbIMvU08w3oMDGg89udSkqWF2hFlGAjOc20quRrhn0F1L+NhFpYdezeRKz5gpgTDIqaQs9RWKq1A==",
+            "version": "8.36.1",
+            "resolved": "https://registry.npmjs.org/@wdio/types/-/types-8.36.1.tgz",
+            "integrity": "sha512-kKtyJbypasKo/VQuJ6dTQQwFtHE9qoygjoCZjrQCLGraRSjOEiqZHPR0497wbeCvcgHIYyImbmcylqZNGUE0CQ==",
             "dev": true,
             "dependencies": {
                 "@types/node": "^20.1.0"
@@ -1429,14 +1429,14 @@
             }
         },
         "node_modules/@wdio/utils": {
-            "version": "8.36.0",
-            "resolved": "https://registry.npmjs.org/@wdio/utils/-/utils-8.36.0.tgz",
-            "integrity": "sha512-3VAbavN206qkvm6lITtOtTgscFChax7shzqHjUNln+QWMRyELtT81iw32ux2ld+Bg3F60LAmhbGodu0lJH7k2w==",
+            "version": "8.36.1",
+            "resolved": "https://registry.npmjs.org/@wdio/utils/-/utils-8.36.1.tgz",
+            "integrity": "sha512-xmgPHU11/o9n2FeRmDFkPRC0okiwA1i2xOcR2c3aSpuk99XkAm9RaMn/6u9LFaqsCpgaVxazcYEGSceO7U4hZA==",
             "dev": true,
             "dependencies": {
                 "@puppeteer/browsers": "^1.6.0",
                 "@wdio/logger": "8.28.0",
-                "@wdio/types": "8.36.0",
+                "@wdio/types": "8.36.1",
                 "decamelize": "^6.0.0",
                 "deepmerge-ts": "^5.1.0",
                 "edgedriver": "^5.3.5",
@@ -8886,18 +8886,18 @@
             }
         },
         "node_modules/webdriver": {
-            "version": "8.36.0",
-            "resolved": "https://registry.npmjs.org/webdriver/-/webdriver-8.36.0.tgz",
-            "integrity": "sha512-6fmZI1+OCGbhuGMLBLvA7m9TJvHU1Cyzxqd8rGzIyb8hocR53yh/olfOL1BPcjU1NXmKuU1BePSGF+yiKajiEA==",
+            "version": "8.36.1",
+            "resolved": "https://registry.npmjs.org/webdriver/-/webdriver-8.36.1.tgz",
+            "integrity": "sha512-547RivYCHStVqtiGQBBcABAkzJbPnAWsxpXGzmj5KL+TOM2JF41N2iQRtUxXqr0jme1Nzzye7WS7Y7iSnK6i1g==",
             "dev": true,
             "dependencies": {
                 "@types/node": "^20.1.0",
                 "@types/ws": "^8.5.3",
-                "@wdio/config": "8.36.0",
+                "@wdio/config": "8.36.1",
                 "@wdio/logger": "8.28.0",
                 "@wdio/protocols": "8.32.0",
-                "@wdio/types": "8.36.0",
-                "@wdio/utils": "8.36.0",
+                "@wdio/types": "8.36.1",
+                "@wdio/utils": "8.36.1",
                 "deepmerge-ts": "^5.1.0",
                 "got": "^12.6.1",
                 "ky": "^0.33.0",
@@ -8908,18 +8908,18 @@
             }
         },
         "node_modules/webdriverio": {
-            "version": "8.36.0",
-            "resolved": "https://registry.npmjs.org/webdriverio/-/webdriverio-8.36.0.tgz",
-            "integrity": "sha512-4WnEI+OxslHpfSnDXuADaR6bL1M7QxBUEF1mTN56AroOCJelyPvt94yRhszwQnLcJJB2OLn49eUz8M4yBCB51w==",
+            "version": "8.36.1",
+            "resolved": "https://registry.npmjs.org/webdriverio/-/webdriverio-8.36.1.tgz",
+            "integrity": "sha512-vzE09oFQeMbOYJ/75jZ13sDIljzC3HH7uoUJKAMAEtyrn/bu1F9Sg/4IDEsvQaRD3pz3ae6SkRld33lcQk6HJA==",
             "dev": true,
             "dependencies": {
                 "@types/node": "^20.1.0",
-                "@wdio/config": "8.36.0",
+                "@wdio/config": "8.36.1",
                 "@wdio/logger": "8.28.0",
                 "@wdio/protocols": "8.32.0",
                 "@wdio/repl": "8.24.12",
-                "@wdio/types": "8.36.0",
-                "@wdio/utils": "8.36.0",
+                "@wdio/types": "8.36.1",
+                "@wdio/utils": "8.36.1",
                 "archiver": "^7.0.0",
                 "aria-query": "^5.0.0",
                 "css-shorthand-properties": "^1.1.1",
@@ -8936,7 +8936,7 @@
                 "resq": "^1.9.1",
                 "rgb2hex": "0.2.5",
                 "serialize-error": "^11.0.1",
-                "webdriver": "8.36.0"
+                "webdriver": "8.36.1"
             },
             "engines": {
                 "node": "^16.13 || >=18"

tests/wdio/package.json

@@ -6,10 +6,10 @@
         "@trivago/prettier-plugin-sort-imports": "^4.3.0",
         "@typescript-eslint/eslint-plugin": "^7.5.0",
         "@typescript-eslint/parser": "^7.5.0",
-        "@wdio/cli": "^8.36.0",
-        "@wdio/local-runner": "^8.36.0",
-        "@wdio/mocha-framework": "^8.36.0",
-        "@wdio/spec-reporter": "^8.36.0",
+        "@wdio/cli": "^8.36.1",
+        "@wdio/local-runner": "^8.36.1",
+        "@wdio/mocha-framework": "^8.36.1",
+        "@wdio/spec-reporter": "^8.36.1",
         "eslint": "^8.57.0",
         "eslint-config-google": "^0.14.0",
         "eslint-plugin-sonarjs": "^0.25.1",

web/package.json

@@ -38,7 +38,7 @@
         "@codemirror/theme-one-dark": "^6.1.2",
         "@formatjs/intl-listformat": "^7.5.5",
         "@fortawesome/fontawesome-free": "^6.5.2",
-        "@goauthentik/api": "^2024.4.1-1714655911",
+        "@goauthentik/api": "^2024.4.0-1713978791",
         "@lit-labs/task": "^3.1.0",
         "@lit/context": "^1.1.1",
         "@lit/localize": "^0.12.1",
@@ -46,7 +46,7 @@
         "@open-wc/lit-helpers": "^0.7.0",
         "@patternfly/elements": "^3.0.1",
         "@patternfly/patternfly": "^4.224.2",
-        "@sentry/browser": "^7.111.0",
+        "@sentry/browser": "^7.112.2",
         "@webcomponents/webcomponentsjs": "^2.8.0",
         "base64-js": "^1.5.1",
         "chart.js": "^4.4.2",
@@ -81,13 +81,13 @@
         "@lit/localize-tools": "^0.7.2",
         "@rollup/plugin-replace": "^5.0.5",
         "@spotlightjs/spotlight": "^1.2.17",
-        "@storybook/addon-essentials": "^8.0.8",
-        "@storybook/addon-links": "^8.0.8",
+        "@storybook/addon-essentials": "^8.0.9",
+        "@storybook/addon-links": "^8.0.9",
         "@storybook/api": "^7.6.17",
         "@storybook/blocks": "^8.0.8",
-        "@storybook/manager-api": "^8.0.8",
-        "@storybook/web-components": "^8.0.8",
-        "@storybook/web-components-vite": "^8.0.8",
+        "@storybook/manager-api": "^8.0.9",
+        "@storybook/web-components": "^8.0.9",
+        "@storybook/web-components-vite": "^8.0.9",
         "@trivago/prettier-plugin-sort-imports": "^4.3.0",
         "@types/chart.js": "^2.9.41",
         "@types/codemirror": "5.60.15",
@@ -117,7 +117,7 @@
         "react-dom": "^18.2.0",
         "rollup-plugin-modify": "^3.0.0",
         "rollup-plugin-postcss-lit": "^2.1.0",
-        "storybook": "^8.0.8",
+        "storybook": "^8.0.9",
         "storybook-addon-mock": "^5.0.0",
         "ts-lit-plugin": "^2.0.2",
         "tslib": "^2.6.2",
@@ -129,9 +129,9 @@
         "@esbuild/darwin-arm64": "^0.20.1",
         "@esbuild/linux-amd64": "^0.18.11",
         "@esbuild/linux-arm64": "^0.20.1",
-        "@rollup/rollup-darwin-arm64": "4.14.3",
-        "@rollup/rollup-linux-arm64-gnu": "4.14.3",
-        "@rollup/rollup-linux-x64-gnu": "4.14.3"
+        "@rollup/rollup-darwin-arm64": "4.16.4",
+        "@rollup/rollup-linux-arm64-gnu": "4.16.4",
+        "@rollup/rollup-linux-x64-gnu": "4.16.4"
     },
     "engines": {
         "node": ">=20"

web/src/admin/applications/wizard/methods/saml/SamlProviderOptions.ts

@@ -29,9 +29,5 @@ export const signatureAlgorithmOptions = toOptions([
     ["RSA-SHA256", SignatureAlgorithmEnum._200104XmldsigMorersaSha256, true],
     ["RSA-SHA384", SignatureAlgorithmEnum._200104XmldsigMorersaSha384],
     ["RSA-SHA512", SignatureAlgorithmEnum._200104XmldsigMorersaSha512],
-    ["ECDSA-SHA1", SignatureAlgorithmEnum._200104XmldsigMoreecdsaSha1],
-    ["ECDSA-SHA256", SignatureAlgorithmEnum._200104XmldsigMoreecdsaSha256],
-    ["ECDSA-SHA384", SignatureAlgorithmEnum._200104XmldsigMoreecdsaSha384],
-    ["ECDSA-SHA512", SignatureAlgorithmEnum._200104XmldsigMoreecdsaSha512],
     ["DSA-SHA1", SignatureAlgorithmEnum._200009XmldsigdsaSha1],
 ]);

web/src/admin/crypto/CertificateGenerateForm.ts

@@ -6,12 +6,7 @@ import { msg } from "@lit/localize";
 import { TemplateResult, html } from "lit";
 import { customElement } from "lit/decorators.js";
 
-import {
-    AlgEnum,
-    CertificateGenerationRequest,
-    CertificateKeyPair,
-    CryptoApi,
-} from "@goauthentik/api";
+import { CertificateGenerationRequest, CertificateKeyPair, CryptoApi } from "@goauthentik/api";
 
 @customElement("ak-crypto-certificate-generate-form")
 export class CertificateKeyPairForm extends Form<CertificateGenerationRequest> {
@@ -45,29 +40,6 @@ export class CertificateKeyPairForm extends Form<CertificateGenerationRequest> {
                 ?required=${true}
             >
                 <input class="pf-c-form-control" type="number" value="365" />
-            </ak-form-element-horizontal>
-            <ak-form-element-horizontal
-                label=${msg("Private key Algorithm")}
-                ?required=${true}
-                name="alg"
-            >
-                <ak-radio
-                    .options=${[
-                        {
-                            label: msg("RSA"),
-                            value: AlgEnum.Rsa,
-                            default: true,
-                        },
-                        {
-                            label: msg("ECDSA"),
-                            value: AlgEnum.Ecdsa,
-                        },
-                    ]}
-                >
-                </ak-radio>
-                <p class="pf-c-form__helper-text">
-                    ${msg("Algorithm used to generate the private key.")}
-                </p>
-            </ak-form-element-horizontal> `;
+            </ak-form-element-horizontal>`;
     }
 }

web/src/admin/events/EventListPage.ts

@@ -97,7 +97,7 @@ export class EventListPage extends TablePage<Event> {
     }
 
     renderExpanded(item: Event): TemplateResult {
-        return html` <td role="cell" colspan="5">
+        return html` <td role="cell" colspan="3">
                 <div class="pf-c-table__expandable-row-content">
                     <ak-event-info .event=${item as EventWithContext}></ak-event-info>
                 </div>

web/src/admin/sources/ldap/LDAPSourceForm.ts

@@ -470,7 +470,7 @@ export class LDAPSourceForm extends BaseSourceForm<LDAPSource> {
                     >
                         <input
                             type="text"
-                            value="${this.instance?.objectUniquenessField || "objectSid"}"
+                            value="${this.instance?.objectUniquenessField || "entryDN"}"
                             class="pf-c-form-control"
                             required
                         />

web/src/admin/users/UserForm.ts

@@ -128,14 +128,6 @@ export class UserForm extends ModelForm<User, number> {
                                 "Service accounts should be used for machine-to-machine authentication or other automations.",
                             )}`,
                         },
-                        {
-                            label: "Internal Service account",
-                            value: UserTypeEnum.InternalServiceAccount,
-                            disabled: true,
-                            description: html`${msg(
-                                "Internal Service accounts are created and managed by authentik and cannot be created manually.",
-                            )}`,
-                        },
                     ]}
                     .value=${this.instance?.type}
                 >

web/src/common/constants.ts

@@ -3,7 +3,7 @@ export const SUCCESS_CLASS = "pf-m-success";
 export const ERROR_CLASS = "pf-m-danger";
 export const PROGRESS_CLASS = "pf-m-in-progress";
 export const CURRENT_CLASS = "pf-m-current";
-export const VERSION = "2024.4.4";
+export const VERSION = "2024.4.0";
 export const TITLE_DEFAULT = "authentik";
 export const ROUTE_SEPARATOR = ";";
 

web/src/common/styles/theme-dark.css

@@ -187,9 +187,6 @@ input[type="date"]::-webkit-calendar-picker-indicator {
 .pf-c-select__menu-item.pf-m-focus {
     --pf-c-select__menu-item--focus--BackgroundColor: var(--ak-dark-background-light-ish);
 }
-.pf-c-button:disabled {
-    color: var(--ak-dark-background-lighter);
-}
 .pf-c-button.pf-m-plain:hover {
     color: var(--ak-dark-foreground);
 }