release: 2022.1.1

website/docs: update 2022.1
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-01-22 18:28:40 +01:00 · 2022-01-22 12:29:20 +01:00 · 2022-01-21 23:22:59 +01:00 · 2022-01-21 23:11:17 +01:00 · 2022-01-21 13:51:34 +01:00 · 2022-01-21 13:43:16 +01:00
404 changed files with 20204 additions and 7883 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2021.12.1-rc5
+current_version = 2022.1.1
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\-?(?P<release>.*)
@ -17,7 +17,7 @@ values =
 	beta
 	stable
-[bumpversion:file:website/docs/installation/docker-compose.md]
+[bumpversion:file:pyproject.toml]
 [bumpversion:file:docker-compose.yml]
@ -30,7 +30,3 @@ values =
 [bumpversion:file:internal/constants/constants.go]
 [bumpversion:file:web/src/constants.ts]
 [bumpversion:file:website/docs/outposts/manual-deploy-docker-compose.md]
 [bumpversion:file:website/docs/outposts/manual-deploy-kubernetes.md]
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@ -33,40 +33,36 @@ jobs:
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-python@v2
        with:
          python-version: '3.9'
      - uses: actions/setup-node@v2
        with:
          node-version: '16'
-      - id: cache-pipenv
+      - id: cache-poetry
        uses: actions/cache@v2.1.7
        with:
-          path: ~/.local/share/virtualenvs
+          path: ~/.cache/pypoetry/virtualenvs
-          key: ${{ runner.os }}-pipenv-v2-${{ hashFiles('**/Pipfile.lock') }}
+          key: ${{ runner.os }}-poetry-cache-v3-${{ hashFiles('**/poetry.lock') }}
      - name: prepare
        env:
-          INSTALL: ${{ steps.cache-pipenv.outputs.cache-hit }}
+          INSTALL: ${{ steps.cache-poetry.outputs.cache-hit }}
        run: scripts/ci_prepare.sh
-      - name: run pylint
+      - name: run job
-        run: pipenv run make ci-${{ matrix.job }}
+        run: poetry run make ci-${{ matrix.job }}
  test-migrations:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-python@v2
-        with:
+      - id: cache-poetry
          python-version: '3.9'
      - id: cache-pipenv
        uses: actions/cache@v2.1.7
        with:
-          path: ~/.local/share/virtualenvs
+          path: ~/.cache/pypoetry/virtualenvs
-          key: ${{ runner.os }}-pipenv-v2-${{ hashFiles('**/Pipfile.lock') }}
+          key: ${{ runner.os }}-poetry-cache-v3-${{ hashFiles('**/poetry.lock') }}
      - name: prepare
        env:
-          INSTALL: ${{ steps.cache-pipenv.outputs.cache-hit }}
+          INSTALL: ${{ steps.cache-poetry.outputs.cache-hit }}
        run: scripts/ci_prepare.sh
      - name: run migrations
-        run: pipenv run python -m lifecycle.migrate
+        run: poetry run python -m lifecycle.migrate
  test-migrations-from-stable:
    runs-on: ubuntu-latest
    steps:
@ -74,71 +70,69 @@ jobs:
        with:
          fetch-depth: 0
      - uses: actions/setup-python@v2
        with:
          python-version: '3.9'
      - name: prepare variables
        id: ev
        run: |
          python ./scripts/gh_env.py
-      - id: cache-pipenv
+          sudo pip install -U pipenv
      - id: cache-poetry
        uses: actions/cache@v2.1.7
        with:
-          path: ~/.local/share/virtualenvs
+          path: ~/.cache/pypoetry/virtualenvs
-          key: ${{ runner.os }}-pipenv-v2-${{ hashFiles('**/Pipfile.lock') }}
+          key: ${{ runner.os }}-poetry-cache-v3-${{ hashFiles('**/poetry.lock') }}
      - name: checkout stable
        run: |
          # Copy current, latest config to local
          cp authentik/lib/default.yml local.env.yml
          cp -R .github ..
          cp -R scripts ..
          cp -R poetry.lock pyproject.toml ..
          git checkout $(git describe --abbrev=0 --match 'version/*')
          rm -rf .github/ scripts/
-          mv ../.github ../scripts .
+          mv ../.github ../scripts ../poetry.lock ../pyproject.toml .
      - name: prepare
        env:
-          INSTALL: ${{ steps.cache-pipenv.outputs.cache-hit }}
+          INSTALL: ${{ steps.cache-poetry.outputs.cache-hit }}
        run: |
          scripts/ci_prepare.sh
-          # Sync anyways since stable will have different dependencies
+          # install anyways since stable will have different dependencies
-          pipenv sync --dev
+          poetry install
      - name: run migrations to stable
-        run: pipenv run python -m lifecycle.migrate
+        run: poetry run python -m lifecycle.migrate
      - name: checkout current code
        run: |
          set -x
          git fetch
          git reset --hard HEAD
-          git checkout $GITHUB_HEAD_REF
+          git checkout $GITHUB_SHA
-          pipenv sync --dev
+          poetry install
      - name: prepare
        env:
-          INSTALL: ${{ steps.cache-pipenv.outputs.cache-hit }}
+          INSTALL: ${{ steps.cache-poetry.outputs.cache-hit }}
        run: scripts/ci_prepare.sh
      - name: migrate to latest
-        run: pipenv run python -m lifecycle.migrate
+        run: poetry run python -m lifecycle.migrate
  test-unittest:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-python@v2
-        with:
+      - id: cache-poetry
          python-version: '3.9'
      - id: cache-pipenv
        uses: actions/cache@v2.1.7
        with:
-          path: ~/.local/share/virtualenvs
+          path: ~/.cache/pypoetry/virtualenvs
-          key: ${{ runner.os }}-pipenv-v2-${{ hashFiles('**/Pipfile.lock') }}
+          key: ${{ runner.os }}-poetry-cache-v3-${{ hashFiles('**/poetry.lock') }}
      - name: prepare
        env:
-          INSTALL: ${{ steps.cache-pipenv.outputs.cache-hit }}
+          INSTALL: ${{ steps.cache-poetry.outputs.cache-hit }}
        run: scripts/ci_prepare.sh
      - uses: testspace-com/setup-testspace@v1
        with:
          domain: ${{github.repository_owner}}
      - name: run unittest
        run: |
-          pipenv run make test
+          poetry run make test
-          pipenv run coverage xml
+          poetry run coverage xml
      - name: run testspace
        if: ${{ always() }}
        run: |
@ -150,16 +144,14 @@ jobs:
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-python@v2
-        with:
+      - id: cache-poetry
          python-version: '3.9'
      - id: cache-pipenv
        uses: actions/cache@v2.1.7
        with:
-          path: ~/.local/share/virtualenvs
+          path: ~/.cache/pypoetry/virtualenvs
-          key: ${{ runner.os }}-pipenv-v2-${{ hashFiles('**/Pipfile.lock') }}
+          key: ${{ runner.os }}-poetry-cache-v3-${{ hashFiles('**/poetry.lock') }}
      - name: prepare
        env:
-          INSTALL: ${{ steps.cache-pipenv.outputs.cache-hit }}
+          INSTALL: ${{ steps.cache-poetry.outputs.cache-hit }}
        run: scripts/ci_prepare.sh
      - uses: testspace-com/setup-testspace@v1
        with:
@ -168,21 +160,19 @@ jobs:
        uses: helm/kind-action@v1.2.0
      - name: run integration
        run: |
-          pipenv run make test-integration
+          poetry run make test-integration
-          pipenv run coverage xml
+          poetry run coverage xml
      - name: run testspace
        if: ${{ always() }}
        run: |
          testspace [integration]unittest.xml --link=codecov
      - if: ${{ always() }}
        uses: codecov/codecov-action@v2
-  test-e2e:
+  test-e2e-provider:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-python@v2
        with:
          python-version: '3.9'
      - uses: actions/setup-node@v2
        with:
          node-version: '16'
@ -191,14 +181,14 @@ jobs:
      - uses: testspace-com/setup-testspace@v1
        with:
          domain: ${{github.repository_owner}}
-      - id: cache-pipenv
+      - id: cache-poetry
        uses: actions/cache@v2.1.7
        with:
-          path: ~/.local/share/virtualenvs
+          path: ~/.cache/pypoetry/virtualenvs
-          key: ${{ runner.os }}-pipenv-v2-${{ hashFiles('**/Pipfile.lock') }}
+          key: ${{ runner.os }}-poetry-cache-v3-${{ hashFiles('**/poetry.lock') }}
      - name: prepare
        env:
-          INSTALL: ${{ steps.cache-pipenv.outputs.cache-hit }}
+          INSTALL: ${{ steps.cache-poetry.outputs.cache-hit }}
        run: |
          scripts/ci_prepare.sh
          docker-compose -f tests/e2e/docker-compose.yml up -d
@ -215,12 +205,57 @@ jobs:
          npm run build
      - name: run e2e
        run: |
-          pipenv run make test-e2e
+          poetry run make test-e2e-provider
-          pipenv run coverage xml
+          poetry run coverage xml
      - name: run testspace
        if: ${{ always() }}
        run: |
-          testspace [e2e]unittest.xml --link=codecov
+          testspace [e2e-provider]unittest.xml --link=codecov
      - if: ${{ always() }}
        uses: codecov/codecov-action@v2
  test-e2e-rest:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-python@v2
      - uses: actions/setup-node@v2
        with:
          node-version: '16'
          cache: 'npm'
          cache-dependency-path: web/package-lock.json
      - uses: testspace-com/setup-testspace@v1
        with:
          domain: ${{github.repository_owner}}
      - id: cache-poetry
        uses: actions/cache@v2.1.7
        with:
          path: ~/.cache/pypoetry/virtualenvs
          key: ${{ runner.os }}-poetry-cache-v3-${{ hashFiles('**/poetry.lock') }}
      - name: prepare
        env:
          INSTALL: ${{ steps.cache-poetry.outputs.cache-hit }}
        run: |
          scripts/ci_prepare.sh
          docker-compose -f tests/e2e/docker-compose.yml up -d
      - id: cache-web
        uses: actions/cache@v2.1.7
        with:
          path: web/dist
          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/**') }}
      - name: prepare web ui
        if: steps.cache-web.outputs.cache-hit != 'true'
        run: |
          cd web
          npm i
          npm run build
      - name: run e2e
        run: |
          poetry run make test-e2e-rest
          poetry run coverage xml
      - name: run testspace
        if: ${{ always() }}
        run: |
          testspace [e2e-rest]unittest.xml --link=codecov
      - if: ${{ always() }}
        uses: codecov/codecov-action@v2
  ci-core-mark:
@ -230,7 +265,8 @@ jobs:
      - test-migrations-from-stable
      - test-unittest
      - test-integration
-      - test-e2e
+      - test-e2e-rest
      - test-e2e-provider
    runs-on: ubuntu-latest
    steps:
      - run: echo mark
@ -252,7 +288,7 @@ jobs:
      - name: prepare variables
        id: ev
        env:
-          DOCKER_USERNAME: ${{ secrets.HARBOR_USERNAME }}
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
        run: |
          python ./scripts/gh_env.py
      - name: Login to Container Registry
--- a/.github/workflows/ci-outpost.yml
+++ b/.github/workflows/ci-outpost.yml
@ -17,7 +17,7 @@ jobs:
      - uses: actions/checkout@v2
      - uses: actions/setup-go@v2
        with:
-          go-version: '^1.16.3'
+          go-version: "^1.17"
      - name: Run linter
        run: |
          # Create folder structure for go embeds
@ -28,7 +28,7 @@ jobs:
            --rm \
            -v $(pwd):/app \
            -w /app \
-            golangci/golangci-lint:v1.39.0 \
+            golangci/golangci-lint:v1.43 \
            golangci-lint run -v --timeout 200s
  ci-outpost-mark:
    needs:
@ -58,7 +58,7 @@ jobs:
      - name: prepare variables
        id: ev
        env:
-          DOCKER_USERNAME: ${{ secrets.HARBOR_USERNAME }}
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
        run: |
          python ./scripts/gh_env.py
      - name: Login to Container Registry
@ -80,3 +80,41 @@ jobs:
          build-args: |
            GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
          platforms: ${{ matrix.arch }}
  build-outpost-binary:
    timeout-minutes: 120
    needs:
      - ci-outpost-mark
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        type:
          - proxy
          - ldap
        goos: [linux]
        goarch: [amd64, arm64]
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-go@v2
        with:
          go-version: "^1.17"
      - uses: actions/setup-node@v2
        with:
          node-version: '16'
          cache: 'npm'
          cache-dependency-path: web/package-lock.json
      - name: Build web
        run: |
          cd web
          npm install
          npm run build-proxy
      - name: Build outpost
        run: |
          set -x
          export GOOS=${{ matrix.goos }}
          export GOARCH=${{ matrix.goarch }}
          go build -tags=outpost_static_embed -v -o ./authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }} ./cmd/${{ matrix.type }}
      - uses: actions/upload-artifact@v2
        with:
          name: authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }}
          path: ./authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }}
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@ -30,14 +30,14 @@ jobs:
        with:
          push: ${{ github.event_name == 'release' }}
          tags: |
-            beryju/authentik:2021.12.1-rc5,
+            beryju/authentik:2022.1.1,
            beryju/authentik:latest,
-            ghcr.io/goauthentik/server:2021.12.1-rc5,
+            ghcr.io/goauthentik/server:2022.1.1,
            ghcr.io/goauthentik/server:latest
          platforms: linux/amd64,linux/arm64
          context: .
      - name: Building Docker Image (stable)
-        if: ${{ github.event_name == 'release' && !contains('2021.12.1-rc5', 'rc') }}
+        if: ${{ github.event_name == 'release' && !contains('2022.1.1', 'rc') }}
        run: |
          docker pull beryju/authentik:latest
          docker tag beryju/authentik:latest beryju/authentik:stable
@ -57,7 +57,7 @@ jobs:
      - uses: actions/checkout@v2
      - uses: actions/setup-go@v2
        with:
-          go-version: "^1.15"
+          go-version: "^1.17"
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v1.2.0
      - name: Set up Docker Buildx
@ -78,14 +78,14 @@ jobs:
        with:
          push: ${{ github.event_name == 'release' }}
          tags: |
-            beryju/authentik-${{ matrix.type }}:2021.12.1-rc5,
+            beryju/authentik-${{ matrix.type }}:2022.1.1,
            beryju/authentik-${{ matrix.type }}:latest,
-            ghcr.io/goauthentik/${{ matrix.type }}:2021.12.1-rc5,
+            ghcr.io/goauthentik/${{ matrix.type }}:2022.1.1,
            ghcr.io/goauthentik/${{ matrix.type }}:latest
          file: ${{ matrix.type }}.Dockerfile
          platforms: linux/amd64,linux/arm64
      - name: Building Docker Image (stable)
-        if: ${{ github.event_name == 'release' && !contains('2021.12.1-rc5', 'rc') }}
+        if: ${{ github.event_name == 'release' && !contains('2022.1.1', 'rc') }}
        run: |
          docker pull beryju/authentik-${{ matrix.type }}:latest
          docker tag beryju/authentik-${{ matrix.type }}:latest beryju/authentik-${{ matrix.type }}:stable
@ -93,10 +93,50 @@ jobs:
          docker pull ghcr.io/goauthentik/${{ matrix.type }}:latest
          docker tag ghcr.io/goauthentik/${{ matrix.type }}:latest ghcr.io/goauthentik/${{ matrix.type }}:stable
          docker push ghcr.io/goauthentik/${{ matrix.type }}:stable
  build-outpost-binary:
    timeout-minutes: 120
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        type:
          - proxy
          - ldap
        goos: [linux, darwin]
        goarch: [amd64, arm64]
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-go@v2
        with:
          go-version: "^1.17"
      - uses: actions/setup-node@v2
        with:
          node-version: '16'
          cache: 'npm'
          cache-dependency-path: web/package-lock.json
      - name: Build web
        run: |
          cd web
          npm install
          npm run build-proxy
      - name: Build outpost
        run: |
          set -x
          export GOOS=${{ matrix.goos }}
          export GOARCH=${{ matrix.goarch }}
          go build -tags=outpost_static_embed -v -o ./authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }} ./cmd/${{ matrix.type }}
      - name: Upload binaries to release
        uses: svenstaro/upload-release-action@v2
        with:
          repo_token: ${{ secrets.GITHUB_TOKEN }}
          file: ./authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }}
          asset_name: authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }}
          tag: ${{ github.ref }}
  test-release:
    needs:
      - build-server
      - build-outpost
      - build-outpost-binary
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
@ -110,7 +150,9 @@ jobs:
          docker-compose run -u root server test
  sentry-release:
    needs:
-      - test-release
+      - build-server
      - build-outpost
      - build-outpost-binary
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
@ -128,7 +170,7 @@ jobs:
          SENTRY_PROJECT: authentik
          SENTRY_URL: https://sentry.beryju.org
        with:
-          version: authentik@2021.12.1-rc5
+          version: authentik@2022.1.1
          environment: beryjuorg-prod
          sourcemaps: './web/dist'
          url_prefix: '~/static/dist'
--- a/.github/workflows/translation-compile.yml
+++ b/.github/workflows/translation-compile.yml
@ -22,22 +22,20 @@ jobs:
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-python@v2
-        with:
+      - id: cache-poetry
          python-version: '3.9'
      - id: cache-pipenv
        uses: actions/cache@v2.1.7
        with:
-          path: ~/.local/share/virtualenvs
+          path: ~/.cache/pypoetry/virtualenvs
-          key: ${{ runner.os }}-pipenv-v2-${{ hashFiles('**/Pipfile.lock') }}
+          key: ${{ runner.os }}-poetry-cache-v3-${{ hashFiles('**/poetry.lock') }}
      - name: prepare
        env:
-          INSTALL: ${{ steps.cache-pipenv.outputs.cache-hit }}
+          INSTALL: ${{ steps.cache-poetry.outputs.cache-hit }}
        run: |
          sudo apt-get update
          sudo apt-get install -y gettext
          scripts/ci_prepare.sh
      - name: run compile
-        run: pipenv run ./manage.py compilemessages
+        run: poetry run ./manage.py compilemessages
      - name: Create Pull Request
        uses: peter-evans/create-pull-request@v3
        id: cpr
--- a/.python-version
+++ b/.python-version
@ -1 +0,0 @@
 3.9.7
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -11,7 +11,8 @@
        "saml",
        "totp",
        "webauthn",
-        "traefik"
+        "traefik",
        "passwordless"
    ],
    "python.linting.pylintEnabled": true,
    "todo-tree.tree.showCountsInTree": true,
--- a/41
+++ b/41
@ -1,16 +1,4 @@
-# Stage 1: Lock python dependencies
+# Stage 1: Build website
 FROM docker.io/python:3.10.1-slim-bullseye as locker
 COPY ./Pipfile /app/
 COPY ./Pipfile.lock /app/
 WORKDIR /app/
 RUN pip install pipenv && \
    pipenv lock -r > requirements.txt && \
    pipenv lock -r --dev-only > requirements-dev.txt
 # Stage 2: Build website
 FROM --platform=${BUILDPLATFORM} docker.io/node:16 as website-builder
 COPY ./website /work/website/
@ -18,7 +6,7 @@ COPY ./website /work/website/
 ENV NODE_ENV=production
 RUN cd /work/website && npm i && npm run build-docs-only
-# Stage 3: Build webui
+# Stage 2: Build webui
 FROM --platform=${BUILDPLATFORM} docker.io/node:16 as web-builder
 COPY ./web /work/web/
@ -27,8 +15,8 @@ COPY ./website /work/website/
 ENV NODE_ENV=production
 RUN cd /work/web && npm i && npm run build
-# Stage 4: Build go proxy
+# Stage 3: Build go proxy
-FROM docker.io/golang:1.17.5-bullseye AS builder
+FROM docker.io/golang:1.17.6-bullseye AS builder
 WORKDIR /work
@ -43,29 +31,38 @@ COPY ./go.sum /work/go.sum
 RUN go build -o /work/authentik ./cmd/server/main.go
-# Stage 5: Run
+# Stage 4: Run
-FROM docker.io/python:3.10.1-slim-bullseye
+FROM docker.io/python:3.10.2-slim-bullseye
 LABEL org.opencontainers.image.url https://goauthentik.io
 LABEL org.opencontainers.image.description goauthentik.io Main server image, see https://goauthentik.io for more info.
 LABEL org.opencontainers.image.source https://github.com/goauthentik/authentik
 WORKDIR /
 COPY --from=locker /app/requirements.txt /
 COPY --from=locker /app/requirements-dev.txt /
 ARG GIT_BUILD_HASH
 ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
 COPY ./pyproject.toml /
 COPY ./poetry.lock /
 RUN apt-get update && \
    apt-get install -y --no-install-recommends \
        curl ca-certificates gnupg git runit libpq-dev \
        postgresql-client build-essential libxmlsec1-dev \
        pkg-config libmaxminddb0 && \
-    pip install -r /requirements.txt --no-cache-dir && \
+    pip install poetry && \
    poetry config virtualenvs.create false && \
    poetry install --no-dev && \
    rm -rf ~/.cache/pypoetry && \
    apt-get remove --purge -y build-essential git && \
    apt-get autoremove --purge -y && \
    apt-get clean && \
    rm -rf /tmp/* /var/lib/apt/lists/* /var/tmp/ && \
    adduser --system --no-create-home --uid 1000 --group --home /authentik authentik && \
    mkdir -p /backups /certs /media && \
-    chown authentik:authentik /backups /certs /media
+    mkdir -p /authentik/.ssh && \
    chown authentik:authentik /backups /certs /media /authentik/.ssh
 COPY ./authentik/ /authentik
 COPY ./pyproject.toml /
--- a/24
+++ b/24
@ -9,8 +9,11 @@ all: lint-fix lint test gen web
 test-integration:
 	coverage run manage.py test tests/integration
-test-e2e:
+test-e2e-provider:
-	coverage run manage.py test tests/e2e
+	coverage run manage.py test tests/e2e/test_provider*
 test-e2e-rest:
 	coverage run manage.py test tests/e2e/test_flows* tests/e2e/test_source*
 test:
 	coverage run manage.py test authentik
@ -32,6 +35,7 @@ lint-fix:
 lint:
 	bandit -r authentik tests lifecycle -x node_modules
 	pylint authentik tests lifecycle
 	golangci-lint run -v
 i18n-extract: i18n-extract-core web-extract
@ -102,20 +106,24 @@ web-extract:
 # These targets are use by GitHub actions to allow usage of matrix
 # which makes the YAML File a lot smaller
-ci-pylint:
+ci--meta-debug:
 	python -V
 	node --version
 ci-pylint: ci--meta-debug
 	pylint authentik tests lifecycle
-ci-black:
+ci-black: ci--meta-debug
 	black --check authentik tests lifecycle
-ci-isort:
+ci-isort: ci--meta-debug
 	isort --check authentik tests lifecycle
-ci-bandit:
+ci-bandit: ci--meta-debug
 	bandit -r authentik tests lifecycle
-ci-pyright:
+ci-pyright: ci--meta-debug
 	pyright e2e lifecycle
-ci-pending-migrations:
+ci-pending-migrations: ci--meta-debug
 	./manage.py makemigrations --check
--- a/68
+++ b/68
@ -1,68 +0,0 @@
 [[source]]
 name = "pypi"
 url = "https://pypi.org/simple"
 verify_ssl = true
 [packages]
 boto3 = "*"
 celery = "*"
 channels = "*"
 channels-redis = "*"
 codespell = "*"
 colorama = "*"
 dacite = "*"
 deepmerge = "*"
 defusedxml = "*"
 django = "*"
 django-dbbackup = { git = 'https://github.com/django-dbbackup/django-dbbackup.git', ref = '9d1909c30a3271c8c9c8450add30d6e0b996e145' }
 django-filter = "*"
 django-guardian = "*"
 django-model-utils = "*"
 django-otp = "*"
 django-prometheus = "*"
 django-redis = "*"
 django-storages = "*"
 djangorestframework = "*"
 djangorestframework-guardian = "*"
 docker = "*"
 drf-spectacular = "*"
 duo-client = "*"
 facebook-sdk = "*"
 geoip2 = "*"
 gunicorn = "*"
 kubernetes = "==v19.15.0"
 ldap3 = "*"
 lxml = "*"
 packaging = "*"
 psycopg2-binary = "*"
 pycryptodome = "*"
 pyjwt = "*"
 pyyaml = "*"
 requests-oauthlib = "*"
 sentry-sdk = { git = 'https://github.com/beryju/sentry-python.git', ref = '379aee28b15d3b87b381317746c4efd24b3d7bc3' }
 service_identity = "*"
 structlog = "*"
 swagger-spec-validator = "*"
 twisted = "==21.7.0"
 ua-parser = "*"
 urllib3 = {extras = ["secure"],version = "*"}
 uvicorn = {extras = ["standard"],version = "*"}
 webauthn = "*"
 xmlsec = "*"
 flower = "*"
 wsproto = "*"
 [dev-packages]
 bandit = "*"
 black = "==21.11b1"
 bump2version = "*"
 colorama = "*"
 coverage = {extras = ["toml"],version = "*"}
 pylint = "*"
 pylint-django = "*"
 pytest = "*"
 pytest-django = "*"
 pytest-randomly = "*"
 requests-mock = "*"
 selenium = "*"
 importlib-metadata = "*"
--- a/Pipfile.lock
+++ b/Pipfile.lock
--- a/README.md
+++ b/README.md
@ -38,3 +38,23 @@ See [Development Documentation](https://goauthentik.io/developer-docs/?utm_sourc
 ## Security
 See [SECURITY.md](SECURITY.md)
 ## Sponsors
 This project is proudly sponsored by:
 <p>
    <a href="https://www.digitalocean.com/?utm_medium=opensource&utm_source=goauthentik.io">
        <img src="https://opensource.nyc3.cdn.digitaloceanspaces.com/attribution/assets/SVG/DO_Logo_horizontal_blue.svg" width="201px">
    </a>
 </p>
 DigitalOcean provides development and testing resources for authentik.
 <p>
    <a href="https://www.netlify.com">
        <img src="https://www.netlify.com/img/global/badges/netlify-color-accent.svg" alt="Deploys by Netlify" />
    </a>
 </p>
 Netlify hosts the [goauthentik.io](goauthentik.io) site.
--- a/SECURITY.md
+++ b/SECURITY.md
@ -6,8 +6,8 @@
 | Version    | Supported          |
 | ---------- | ------------------ |
 | 2021.9.x   | :white_check_mark: |
 | 2021.10.x  | :white_check_mark: |
 | 2021.12.x  | :white_check_mark: |
 ## Reporting a Vulnerability
--- a/authentik/init.py
+++ b/authentik/init.py
@ -1,3 +1,19 @@
 """authentik"""
-__version__ = "2021.12.1-rc5"
+from os import environ
 from typing import Optional
 __version__ = "2022.1.1"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 def get_build_hash(fallback: Optional[str] = None) -> str:
    """Get build hash"""
    return environ.get(ENV_GIT_HASH_KEY, fallback if fallback else "")
 def get_full_version() -> str:
    """Get full version, with build hash appended"""
    version = __version__
    if (build_hash := get_build_hash()) != "":
        version += "." + build_hash
    return version
--- a/authentik/admin/api/tasks.py
+++ b/authentik/admin/api/tasks.py
@ -95,7 +95,7 @@ class TaskViewSet(ViewSet):
                _("Successfully re-scheduled Task %(name)s!" % {"name": task.task_name}),
            )
            return Response(status=204)
-        except ImportError:  # pragma: no cover
+        except (ImportError, AttributeError):  # pragma: no cover
            # if we get an import error, the module path has probably changed
            task.delete()
            return Response(status=500)
--- a/authentik/admin/api/version.py
+++ b/authentik/admin/api/version.py
@ -1,6 +1,4 @@
 """authentik administration overview"""
 from os import environ
 from django.core.cache import cache
 from drf_spectacular.utils import extend_schema
 from packaging.version import parse
@ -10,7 +8,7 @@ from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.views import APIView
-from authentik import ENV_GIT_HASH_KEY, __version__
+from authentik import __version__, get_build_hash
 from authentik.admin.tasks import VERSION_CACHE_KEY, update_latest_version
 from authentik.core.api.utils import PassiveSerializer
@ -25,7 +23,7 @@ class VersionSerializer(PassiveSerializer):
    def get_build_hash(self, _) -> str:
        """Get build hash, if version is not latest or released"""
-        return environ.get(ENV_GIT_HASH_KEY, "")
+        return get_build_hash()
    def get_version_current(self, _) -> str:
        """Get current version"""
--- a/authentik/admin/apps.py
+++ b/authentik/admin/apps.py
@ -1,4 +1,6 @@
 """authentik admin app config"""
 from importlib import import_module
 from django.apps import AppConfig
@ -13,3 +15,4 @@ class AuthentikAdminConfig(AppConfig):
        from authentik.admin.tasks import clear_update_notifications
        clear_update_notifications.delay()
        import_module("authentik.admin.signals")
--- a/authentik/admin/signals.py
+++ b/authentik/admin/signals.py
@ -0,0 +1,23 @@
 """admin signals"""
 from django.dispatch import receiver
 from authentik.admin.api.tasks import TaskInfo
 from authentik.admin.api.workers import GAUGE_WORKERS
 from authentik.root.celery import CELERY_APP
 from authentik.root.monitoring import monitoring_set
@receiver(monitoring_set)
 # pylint: disable=unused-argument
 def monitoring_set_workers(sender, **kwargs):
    """Set worker gauge"""
    count = len(CELERY_APP.control.ping(timeout=0.5))
    GAUGE_WORKERS.set(count)
@receiver(monitoring_set)
 # pylint: disable=unused-argument
 def monitoring_set_tasks(sender, **kwargs):
    """Set task gauges"""
    for task in TaskInfo.all().values():
        task.set_prom_metrics()
--- a/authentik/admin/tasks.py
+++ b/authentik/admin/tasks.py
@ -1,6 +1,5 @@
 """authentik admin tasks"""
 import re
 from os import environ
 from django.core.cache import cache
 from django.core.validators import URLValidator
@ -9,7 +8,7 @@ from prometheus_client import Info
 from requests import RequestException
 from structlog.stdlib import get_logger
-from authentik import ENV_GIT_HASH_KEY, __version__
+from authentik import __version__, get_build_hash
 from authentik.events.models import Event, EventAction, Notification
 from authentik.events.monitored_tasks import (
    MonitoredTask,
@ -36,7 +35,7 @@ def _set_prom_info():
        {
            "version": __version__,
            "latest": cache.get(VERSION_CACHE_KEY, ""),
-            "build_hash": environ.get(ENV_GIT_HASH_KEY, ""),
+            "build_hash": get_build_hash(),
        }
    )
--- a/authentik/api/authentication.py
+++ b/authentik/api/authentication.py
@ -1,7 +1,7 @@
 """API Authentication"""
 from base64 import b64decode
 from binascii import Error
-from typing import Any, Optional, Union
+from typing import Any, Optional
 from django.conf import settings
 from rest_framework.authentication import BaseAuthentication, get_authorization_header
@ -69,7 +69,7 @@ def token_secret_key(value: str) -> Optional[User]:
 class TokenAuthentication(BaseAuthentication):
    """Token-based authentication using HTTP Bearer authentication"""
-    def authenticate(self, request: Request) -> Union[tuple[User, Any], None]:
+    def authenticate(self, request: Request) -> tuple[User, Any] | None:
        """Token-based authentication using HTTP Bearer authentication"""
        auth = get_authorization_header(request)
--- a/authentik/api/templates/api/browser.html
+++ b/authentik/api/templates/api/browser.html
@ -30,7 +30,7 @@ function getCookie(name) {
 window.addEventListener('DOMContentLoaded', (event) => {
    const rapidocEl = document.querySelector('rapi-doc');
    rapidocEl.addEventListener('before-try', (e) => {
-        e.detail.request.headers.append('X-CSRFToken', getCookie("authentik_csrf"));
+        e.detail.request.headers.append('X-authentik-CSRF', getCookie("authentik_csrf"));
    });
 });
 </script>
--- a/authentik/api/urls.py
+++ b/authentik/api/urls.py
@ -4,7 +4,5 @@ from django.urls import include, path
 from authentik.api.v3.urls import urlpatterns as v3_urls
 urlpatterns = [
    # TODO: Remove in 2022.1
    path("v2beta/", include(v3_urls)),
    path("v3/", include(v3_urls)),
 ]
--- a/authentik/api/v3/config.py
+++ b/authentik/api/v3/config.py
@ -80,7 +80,7 @@ class ConfigView(APIView):
        config = ConfigSerializer(
            {
                "error_reporting": {
-                    "enabled": CONFIG.y("error_reporting.enabled"),
+                    "enabled": CONFIG.y("error_reporting.enabled") and not settings.DEBUG,
                    "environment": CONFIG.y("error_reporting.environment"),
                    "send_pii": CONFIG.y("error_reporting.send_pii"),
                    "traces_sample_rate": float(CONFIG.y("error_reporting.sample_rate", 0.4)),
--- a/authentik/api/v3/urls.py
+++ b/authentik/api/v3/urls.py
@ -46,11 +46,7 @@ from authentik.policies.expiry.api import PasswordExpiryPolicyViewSet
 from authentik.policies.expression.api import ExpressionPolicyViewSet
 from authentik.policies.hibp.api import HaveIBeenPwendPolicyViewSet
 from authentik.policies.password.api import PasswordPolicyViewSet
-from authentik.policies.reputation.api import (
+from authentik.policies.reputation.api import ReputationPolicyViewSet, ReputationViewSet
    IPReputationViewSet,
    ReputationPolicyViewSet,
    UserReputationViewSet,
 )
 from authentik.providers.ldap.api import LDAPOutpostConfigViewSet, LDAPProviderViewSet
 from authentik.providers.oauth2.api.provider import OAuth2ProviderViewSet
 from authentik.providers.oauth2.api.scope import ScopeMappingViewSet
@ -151,8 +147,7 @@ router.register("policies/event_matcher", EventMatcherPolicyViewSet)
 router.register("policies/haveibeenpwned", HaveIBeenPwendPolicyViewSet)
 router.register("policies/password_expiry", PasswordExpiryPolicyViewSet)
 router.register("policies/password", PasswordPolicyViewSet)
-router.register("policies/reputation/users", UserReputationViewSet)
+router.register("policies/reputation/scores", ReputationViewSet)
 router.register("policies/reputation/ips", IPReputationViewSet)
 router.register("policies/reputation", ReputationPolicyViewSet)
 router.register("providers/all", ProviderViewSet)
--- a/authentik/core/api/tokens.py
+++ b/authentik/core/api/tokens.py
@ -1,7 +1,6 @@
 """Tokens API Viewset"""
 from typing import Any
 from django.http.response import Http404
 from django_filters.rest_framework import DjangoFilterBackend
 from drf_spectacular.utils import OpenApiResponse, extend_schema
 from guardian.shortcuts import get_anonymous_user
@ -114,7 +113,5 @@ class TokenViewSet(UsedByMixin, ModelViewSet):
    def view_key(self, request: Request, identifier: str) -> Response:
        """Return token key and log access"""
        token: Token = self.get_object()
        if token.is_expired:
            raise Http404
        Event.new(EventAction.SECRET_VIEW, secret=token).from_http(request)  # noqa # nosec
        return Response(TokenViewSerializer({"key": token.key}).data)
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@ -3,6 +3,7 @@ from datetime import timedelta
 from json import loads
 from typing import Optional
 from django.contrib.auth import update_session_auth_hash
 from django.db.models.query import QuerySet
 from django.db.transaction import atomic
 from django.db.utils import IntegrityError
@ -46,6 +47,7 @@ from authentik.core.api.utils import LinkSerializer, PassiveSerializer, is_dict
 from authentik.core.middleware import SESSION_IMPERSONATE_ORIGINAL_USER, SESSION_IMPERSONATE_USER
 from authentik.core.models import (
    USER_ATTRIBUTE_CHANGE_EMAIL,
    USER_ATTRIBUTE_CHANGE_NAME,
    USER_ATTRIBUTE_CHANGE_USERNAME,
    USER_ATTRIBUTE_SA,
    USER_ATTRIBUTE_TOKEN_EXPIRING,
@ -134,6 +136,16 @@ class UserSelfSerializer(ModelSerializer):
            raise ValidationError("Not allowed to change email.")
        return email
    def validate_name(self, name: str):
        """Check if the user is allowed to change their name"""
        if self.instance.group_attributes().get(
            USER_ATTRIBUTE_CHANGE_NAME, CONFIG.y_bool("default_user_change_name", True)
        ):
            return name
        if name != self.instance.name:
            raise ValidationError("Not allowed to change name.")
        return name
    def validate_username(self, username: str):
        """Check if the user is allowed to change their username"""
        if self.instance.group_attributes().get(
@ -144,6 +156,13 @@ class UserSelfSerializer(ModelSerializer):
            raise ValidationError("Not allowed to change username.")
        return username
    def save(self, **kwargs):
        if self.instance:
            attributes: dict = self.instance.attributes
            attributes.update(self.validated_data.get("attributes", {}))
            self.validated_data["attributes"] = attributes
        return super().save(**kwargs)
    class Meta:
        model = User
@ -359,6 +378,35 @@ class UserViewSet(UsedByMixin, ModelViewSet):
            ).data
        return Response(serializer.initial_data)
    @permission_required("authentik_core.reset_user_password")
    @extend_schema(
        request=inline_serializer(
            "UserPasswordSetSerializer",
            {
                "password": CharField(required=True),
            },
        ),
        responses={
            204: "",
            400: "",
        },
    )
    @action(detail=True, methods=["POST"])
    # pylint: disable=invalid-name, unused-argument
    def set_password(self, request: Request, pk: int) -> Response:
        """Set password for user"""
        user: User = self.get_object()
        try:
            user.set_password(request.data.get("password"))
            user.save()
        except (ValidationError, IntegrityError) as exc:
            LOGGER.debug("Failed to set password", exc=exc)
            return Response(status=400)
        if user.pk == request.user.pk and SESSION_IMPERSONATE_USER not in self.request.session:
            LOGGER.debug("Updating session hash after password change")
            update_session_auth_hash(self.request, user)
        return Response(status=204)
    @extend_schema(request=UserSelfSerializer, responses={200: SessionUserSerializer(many=False)})
    @action(
        methods=["PUT"],
--- a/authentik/core/migrations/0018_auto_20210330_1345_squashed_0028_alter_token_intent.py
+++ b/authentik/core/migrations/0018_auto_20210330_1345_squashed_0028_alter_token_intent.py
@ -15,7 +15,6 @@ import authentik.lib.models
 def migrate_sessions(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
    db_alias = schema_editor.connection.alias
    from django.contrib.sessions.backends.cache import KEY_PREFIX
    from django.core.cache import cache
--- a/authentik/core/migrations/0022_authenticatedsession.py
+++ b/authentik/core/migrations/0022_authenticatedsession.py
@ -12,7 +12,6 @@ import authentik.core.models
 def migrate_sessions(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
    db_alias = schema_editor.connection.alias
    from django.contrib.sessions.backends.cache import KEY_PREFIX
    from django.core.cache import cache
--- a/authentik/core/models.py
+++ b/authentik/core/models.py
@ -1,12 +1,13 @@
 """authentik core models"""
 from datetime import timedelta
 from hashlib import md5, sha256
-from typing import Any, Optional, Type
+from typing import Any, Optional
 from urllib.parse import urlencode
 from uuid import uuid4
 from deepmerge import always_merger
 from django.conf import settings
 from django.contrib.auth.hashers import check_password
 from django.contrib.auth.models import AbstractUser
 from django.contrib.auth.models import UserManager as DjangoUserManager
 from django.db import models
@ -38,6 +39,7 @@ USER_ATTRIBUTE_SA = "goauthentik.io/user/service-account"
 USER_ATTRIBUTE_SOURCES = "goauthentik.io/user/sources"
 USER_ATTRIBUTE_TOKEN_EXPIRING = "goauthentik.io/user/token-expires"  # nosec
 USER_ATTRIBUTE_CHANGE_USERNAME = "goauthentik.io/user/can-change-username"
 USER_ATTRIBUTE_CHANGE_NAME = "goauthentik.io/user/can-change-name"
 USER_ATTRIBUTE_CHANGE_EMAIL = "goauthentik.io/user/can-change-email"
 USER_ATTRIBUTE_CAN_OVERRIDE_IP = "goauthentik.io/user/override-ips"
@ -160,6 +162,22 @@ class User(GuardianUserMixin, AbstractUser):
        self.password_change_date = now()
        return super().set_password(password)
    def check_password(self, raw_password: str) -> bool:
        """
        Return a boolean of whether the raw_password was correct. Handles
        hashing formats behind the scenes.
        Slightly changed version which doesn't send a signal for such internal hash upgrades
        """
        def setter(raw_password):
            self.set_password(raw_password, signal=False)
            # Password hash upgrades shouldn't be considered password changes.
            self._password = None
            self.save(update_fields=["password"])
        return check_password(raw_password, self.password, setter)
    @property
    def uid(self) -> str:
        """Generate a globall unique UID, based on the user ID and the hashed secret key"""
@ -224,7 +242,7 @@ class Provider(SerializerModel):
        raise NotImplementedError
    @property
-    def serializer(self) -> Type[Serializer]:
+    def serializer(self) -> type[Serializer]:
        """Get serializer for this model"""
        raise NotImplementedError
@ -270,15 +288,21 @@ class Application(PolicyBindingModel):
        """Get launch URL if set, otherwise attempt to get launch URL based on provider."""
        if self.meta_launch_url:
            return self.meta_launch_url
-        if self.provider:
+        if provider := self.get_provider():
-            return self.get_provider().launch_url
+            return provider.launch_url
        return None
    def get_provider(self) -> Optional[Provider]:
        """Get casted provider instance"""
        if not self.provider:
            return None
-        return Provider.objects.get_subclass(pk=self.provider.pk)
+        # if the Application class has been cache, self.provider is set
        # but doing a direct query lookup will fail.
        # In that case, just return None
        try:
            return Provider.objects.get_subclass(pk=self.provider.pk)
        except Provider.DoesNotExist:
            return None
    def __str__(self):
        return self.name
@ -450,6 +474,14 @@ class Token(ManagedModel, ExpiringModel):
        """Handler which is called when this object is expired."""
        from authentik.events.models import Event, EventAction
        if self.intent in [
            TokenIntents.INTENT_RECOVERY,
            TokenIntents.INTENT_VERIFICATION,
            TokenIntents.INTENT_APP_PASSWORD,
        ]:
            super().expire_action(*args, **kwargs)
            return
        self.key = default_token_key()
        self.expires = default_token_duration()
        self.save(*args, **kwargs)
@ -491,7 +523,7 @@ class PropertyMapping(SerializerModel, ManagedModel):
        raise NotImplementedError
    @property
-    def serializer(self) -> Type[Serializer]:
+    def serializer(self) -> type[Serializer]:
        """Get serializer for this model"""
        raise NotImplementedError
--- a/authentik/core/signals.py
+++ b/authentik/core/signals.py
@ -1,6 +1,7 @@
 """authentik core signals"""
-from typing import TYPE_CHECKING, Type
+from typing import TYPE_CHECKING
 from django.apps import apps
 from django.contrib.auth.signals import user_logged_in, user_logged_out
 from django.contrib.sessions.backends.cache import KEY_PREFIX
 from django.core.cache import cache
@ -11,6 +12,8 @@ from django.dispatch import receiver
 from django.http.request import HttpRequest
 from prometheus_client import Gauge
 from authentik.root.monitoring import monitoring_set
 # Arguments: user: User, password: str
 password_changed = Signal()
@ -20,6 +23,17 @@ if TYPE_CHECKING:
    from authentik.core.models import AuthenticatedSession, User
@receiver(monitoring_set)
 # pylint: disable=unused-argument
 def monitoring_set_models(sender, **kwargs):
    """set models gauges"""
    for model in apps.get_models():
        GAUGE_MODELS.labels(
            model_name=model._meta.model_name,
            app=model._meta.app_label,
        ).set(model.objects.count())
@receiver(post_save)
 # pylint: disable=unused-argument
 def post_save_application(sender: type[Model], instance, created: bool, **_):
@ -27,11 +41,6 @@ def post_save_application(sender: type[Model], instance, created: bool, **_):
    from authentik.core.api.applications import user_app_cache_key
    from authentik.core.models import Application
    GAUGE_MODELS.labels(
        model_name=sender._meta.model_name,
        app=sender._meta.app_label,
    ).set(sender.objects.count())
    if sender != Application:
        return
    if not created:  # pragma: no cover
@ -62,7 +71,7 @@ def user_logged_out_session(sender, request: HttpRequest, user: "User", **_):
@receiver(pre_delete)
-def authenticated_session_delete(sender: Type[Model], instance: "AuthenticatedSession", **_):
+def authenticated_session_delete(sender: type[Model], instance: "AuthenticatedSession", **_):
    """Delete session when authenticated session is deleted"""
    from authentik.core.models import AuthenticatedSession
--- a/authentik/core/sources/flow_manager.py
+++ b/authentik/core/sources/flow_manager.py
@ -1,6 +1,6 @@
 """Source decision helper"""
 from enum import Enum
-from typing import Any, Optional, Type
+from typing import Any, Optional
 from django.contrib import messages
 from django.db import IntegrityError
@ -14,6 +14,7 @@ from structlog.stdlib import get_logger
 from authentik.core.models import Source, SourceUserMatchingModes, User, UserSourceConnection
 from authentik.core.sources.stage import PLAN_CONTEXT_SOURCES_CONNECTION, PostUserEnrollmentStage
 from authentik.events.models import Event, EventAction
 from authentik.flows.exceptions import FlowNonApplicableException
 from authentik.flows.models import Flow, Stage, in_memory_stage
 from authentik.flows.planner import (
    PLAN_CONTEXT_PENDING_USER,
@ -24,6 +25,8 @@ from authentik.flows.planner import (
 )
 from authentik.flows.views.executor import NEXT_ARG_NAME, SESSION_KEY_GET, SESSION_KEY_PLAN
 from authentik.lib.utils.urls import redirect_with_qs
 from authentik.policies.denied import AccessDeniedResponse
 from authentik.policies.types import PolicyResult
 from authentik.policies.utils import delete_none_keys
 from authentik.stages.password import BACKEND_INBUILT
 from authentik.stages.password.stage import PLAN_CONTEXT_AUTHENTICATION_BACKEND
@ -50,7 +53,10 @@ class SourceFlowManager:
    identifier: str
-    connection_type: Type[UserSourceConnection] = UserSourceConnection
+    connection_type: type[UserSourceConnection] = UserSourceConnection
    enroll_info: dict[str, Any]
    policy_context: dict[str, Any]
    def __init__(
        self,
@ -64,6 +70,7 @@ class SourceFlowManager:
        self.identifier = identifier
        self.enroll_info = enroll_info
        self._logger = get_logger().bind(source=source, identifier=identifier)
        self.policy_context = {}
    # pylint: disable=too-many-return-statements
    def get_action(self, **kwargs) -> tuple[Action, Optional[UserSourceConnection]]:
@ -144,20 +151,23 @@ class SourceFlowManager:
        except IntegrityError as exc:
            self._logger.warning("failed to get action", exc=exc)
            return redirect("/")
-        self._logger.debug("get_action() says", action=action, connection=connection)
+        self._logger.debug("get_action", action=action, connection=connection)
-        if connection:
+        try:
-            if action == Action.LINK:
+            if connection:
-                self._logger.debug("Linking existing user")
+                if action == Action.LINK:
-                return self.handle_existing_user_link(connection)
+                    self._logger.debug("Linking existing user")
-            if action == Action.AUTH:
+                    return self.handle_existing_user_link(connection)
-                self._logger.debug("Handling auth user")
+                if action == Action.AUTH:
-                return self.handle_auth_user(connection)
+                    self._logger.debug("Handling auth user")
-            if action == Action.ENROLL:
+                    return self.handle_auth_user(connection)
-                self._logger.debug("Handling enrollment of new user")
+                if action == Action.ENROLL:
-                return self.handle_enroll(connection)
+                    self._logger.debug("Handling enrollment of new user")
                    return self.handle_enroll(connection)
        except FlowNonApplicableException as exc:
            self._logger.warning("Flow non applicable", exc=exc)
            return self.error_handler(exc, exc.policy_result)
        # Default case, assume deny
-        messages.error(
+        error = (
            self.request,
            _(
                (
                    "Request to authenticate with %(source)s has been denied. Please authenticate "
@ -166,7 +176,17 @@ class SourceFlowManager:
                % {"source": self.source.name}
            ),
        )
-        return redirect(reverse("authentik_core:root-redirect"))
+        return self.error_handler(error)
    def error_handler(
        self, error: Exception, policy_result: Optional[PolicyResult] = None
    ) -> HttpResponse:
        """Handle any errors by returning an access denied stage"""
        response = AccessDeniedResponse(self.request)
        response.error_message = str(error)
        if policy_result:
            response.policy_result = policy_result
        return response
    # pylint: disable=unused-argument
    def get_stages_to_append(self, flow: Flow) -> list[Stage]:
@ -179,7 +199,9 @@ class SourceFlowManager:
            ]
        return []
-    def _handle_login_flow(self, flow: Flow, **kwargs) -> HttpResponse:
+    def _handle_login_flow(
        self, flow: Flow, connection: UserSourceConnection, **kwargs
    ) -> HttpResponse:
        """Prepare Authentication Plan, redirect user FlowExecutor"""
        # Ensure redirect is carried through when user was trying to
        # authorize application
@ -193,8 +215,10 @@ class SourceFlowManager:
                PLAN_CONTEXT_SSO: True,
                PLAN_CONTEXT_SOURCE: self.source,
                PLAN_CONTEXT_REDIRECT: final_redirect,
                PLAN_CONTEXT_SOURCES_CONNECTION: connection,
            }
        )
        kwargs.update(self.policy_context)
        if not flow:
            return HttpResponseBadRequest()
        # We run the Flow planner here so we can pass the Pending user in the context
@ -220,7 +244,7 @@ class SourceFlowManager:
            _("Successfully authenticated with %(source)s!" % {"source": self.source.name}),
        )
        flow_kwargs = {PLAN_CONTEXT_PENDING_USER: connection.user}
-        return self._handle_login_flow(self.source.authentication_flow, **flow_kwargs)
+        return self._handle_login_flow(self.source.authentication_flow, connection, **flow_kwargs)
    def handle_existing_user_link(
        self,
@ -264,8 +288,8 @@ class SourceFlowManager:
            return HttpResponseBadRequest()
        return self._handle_login_flow(
            self.source.enrollment_flow,
            connection,
            **{
                PLAN_CONTEXT_PROMPT: delete_none_keys(self.enroll_info),
                PLAN_CONTEXT_SOURCES_CONNECTION: connection,
            },
        )
--- a/authentik/core/tasks.py
+++ b/authentik/core/tasks.py
@ -6,7 +6,6 @@ from os import environ
 from boto3.exceptions import Boto3Error
 from botocore.exceptions import BotoCoreError, ClientError
 from dbbackup.db.exceptions import CommandConnectorError
 from django.conf import settings
 from django.contrib.humanize.templatetags.humanize import naturaltime
 from django.contrib.sessions.backends.cache import KEY_PREFIX
 from django.core import management
@ -63,8 +62,6 @@ def should_backup() -> bool:
        return False
    if not CONFIG.y_bool("postgresql.backup.enabled"):
        return False
    if settings.DEBUG:
        return False
    return True
--- a/authentik/core/templates/if/admin.html
+++ b/authentik/core/templates/if/admin.html
@ -5,6 +5,8 @@
 {% block head %}
 <script src="{% static 'dist/admin/AdminInterface.js' %}" type="module"></script>
 <meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)">
 <meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)">
 {% endblock %}
 {% block body %}
--- a/authentik/core/templates/if/user.html
+++ b/authentik/core/templates/if/user.html
@ -5,6 +5,8 @@
 {% block head %}
 <script src="{% static 'dist/user/UserInterface.js' %}" type="module"></script>
 <meta name="theme-color" content="#151515" media="(prefers-color-scheme: light)">
 <meta name="theme-color" content="#151515" media="(prefers-color-scheme: dark)">
 {% endblock %}
 {% block body %}
--- a/authentik/core/tests/test_applications_api.py
+++ b/authentik/core/tests/test_applications_api.py
@ -1,6 +1,5 @@
 """Test Applications API"""
 from django.urls import reverse
 from django.utils.encoding import force_str
 from rest_framework.test import APITestCase
 from authentik.core.models import Application
@ -32,7 +31,7 @@ class TestApplicationsAPI(APITestCase):
            )
        )
        self.assertEqual(response.status_code, 200)
-        self.assertJSONEqual(force_str(response.content), {"messages": [], "passing": True})
+        self.assertJSONEqual(response.content.decode(), {"messages": [], "passing": True})
        response = self.client.get(
            reverse(
                "authentik_api:application-check-access",
@ -40,14 +39,14 @@ class TestApplicationsAPI(APITestCase):
            )
        )
        self.assertEqual(response.status_code, 200)
-        self.assertJSONEqual(force_str(response.content), {"messages": ["dummy"], "passing": False})
+        self.assertJSONEqual(response.content.decode(), {"messages": ["dummy"], "passing": False})
    def test_list(self):
        """Test list operation without superuser_full_list"""
        self.client.force_login(self.user)
        response = self.client.get(reverse("authentik_api:application-list"))
        self.assertJSONEqual(
-            force_str(response.content),
+            response.content.decode(),
            {
                "pagination": {
                    "next": 0,
@ -83,7 +82,7 @@ class TestApplicationsAPI(APITestCase):
            reverse("authentik_api:application-list") + "?superuser_full_list=true"
        )
        self.assertJSONEqual(
-            force_str(response.content),
+            response.content.decode(),
            {
                "pagination": {
                    "next": 0,
--- a/authentik/core/tests/test_authenticated_sessions_api.py
+++ b/authentik/core/tests/test_authenticated_sessions_api.py
@ -2,7 +2,6 @@
 from json import loads
 from django.urls.base import reverse
 from django.utils.encoding import force_str
 from rest_framework.test import APITestCase
 from authentik.core.models import User
@ -28,5 +27,5 @@ class TestAuthenticatedSessionsAPI(APITestCase):
        self.client.force_login(self.other_user)
        response = self.client.get(reverse("authentik_api:authenticatedsession-list"))
        self.assertEqual(response.status_code, 200)
-        body = loads(force_str(response.content))
+        body = loads(response.content.decode())
        self.assertEqual(body["pagination"]["count"], 1)
--- a/authentik/core/tests/test_models.py
+++ b/authentik/core/tests/test_models.py
@ -1,6 +1,6 @@
 """authentik core models tests"""
 from time import sleep
-from typing import Callable, Type
+from typing import Callable
 from django.test import RequestFactory, TestCase
 from django.utils.timezone import now
@ -27,7 +27,7 @@ class TestModels(TestCase):
        self.assertFalse(token.is_expired)
-def source_tester_factory(test_model: Type[Stage]) -> Callable:
+def source_tester_factory(test_model: type[Stage]) -> Callable:
    """Test source"""
    factory = RequestFactory()
@ -47,7 +47,7 @@ def source_tester_factory(test_model: Type[Stage]) -> Callable:
    return tester
-def provider_tester_factory(test_model: Type[Stage]) -> Callable:
+def provider_tester_factory(test_model: type[Stage]) -> Callable:
    """Test provider"""
    def tester(self: TestModels):
--- a/authentik/core/tests/test_source_flow_manager.py
+++ b/authentik/core/tests/test_source_flow_manager.py
@ -6,8 +6,12 @@ from guardian.utils import get_anonymous_user
 from authentik.core.models import SourceUserMatchingModes, User
 from authentik.core.sources.flow_manager import Action
 from authentik.flows.models import Flow, FlowDesignation
 from authentik.lib.generators import generate_id
 from authentik.lib.tests.utils import get_request
 from authentik.policies.denied import AccessDeniedResponse
 from authentik.policies.expression.models import ExpressionPolicy
 from authentik.policies.models import PolicyBinding
 from authentik.sources.oauth.models import OAuthSource, UserOAuthSourceConnection
 from authentik.sources.oauth.views.callback import OAuthSourceFlowManager
@ -17,7 +21,7 @@ class TestSourceFlowManager(TestCase):
    def setUp(self) -> None:
        super().setUp()
-        self.source = OAuthSource.objects.create(name="test")
+        self.source: OAuthSource = OAuthSource.objects.create(name="test")
        self.factory = RequestFactory()
        self.identifier = generate_id()
@ -143,3 +147,34 @@ class TestSourceFlowManager(TestCase):
        action, _ = flow_manager.get_action()
        self.assertEqual(action, Action.ENROLL)
        flow_manager.get_flow()
    def test_error_non_applicable_flow(self):
        """Test error handling when a source selected flow is non-applicable due to a policy"""
        self.source.user_matching_mode = SourceUserMatchingModes.USERNAME_LINK
        flow = Flow.objects.create(
            name="test", slug="test", title="test", designation=FlowDesignation.ENROLLMENT
        )
        policy = ExpressionPolicy.objects.create(
            name="false", expression="""ak_message("foo");return False"""
        )
        PolicyBinding.objects.create(
            policy=policy,
            target=flow,
            order=0,
        )
        self.source.enrollment_flow = flow
        self.source.save()
        flow_manager = OAuthSourceFlowManager(
            self.source,
            get_request("/", user=AnonymousUser()),
            self.identifier,
            {"username": "foo"},
        )
        action, _ = flow_manager.get_action()
        self.assertEqual(action, Action.ENROLL)
        response = flow_manager.get_flow()
        self.assertIsInstance(response, AccessDeniedResponse)
        # pylint: disable=no-member
        self.assertEqual(response.error_message, "foo")
--- a/authentik/core/tests/test_token_api.py
+++ b/authentik/core/tests/test_token_api.py
@ -54,7 +54,9 @@ class TestTokenAPI(APITestCase):
    def test_token_expire(self):
        """Test Token expire task"""
-        token: Token = Token.objects.create(expires=now(), user=get_anonymous_user())
+        token: Token = Token.objects.create(
            expires=now(), user=get_anonymous_user(), intent=TokenIntents.INTENT_API
        )
        key = token.key
        clean_expired_models.delay().get()
        token.refresh_from_db()
--- a/authentik/core/tests/test_users_api.py
+++ b/authentik/core/tests/test_users_api.py
@ -2,9 +2,15 @@
 from django.urls.base import reverse
 from rest_framework.test import APITestCase
-from authentik.core.models import USER_ATTRIBUTE_CHANGE_EMAIL, USER_ATTRIBUTE_CHANGE_USERNAME, User
+from authentik.core.models import (
    USER_ATTRIBUTE_CHANGE_EMAIL,
    USER_ATTRIBUTE_CHANGE_NAME,
    USER_ATTRIBUTE_CHANGE_USERNAME,
    User,
 )
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow, create_test_tenant
 from authentik.flows.models import FlowDesignation
 from authentik.lib.generators import generate_key
 from authentik.stages.email.models import EmailStage
 from authentik.tenants.models import Tenant
@ -18,11 +24,28 @@ class TestUsersAPI(APITestCase):
    def test_update_self(self):
        """Test update_self"""
        self.admin.attributes["foo"] = "bar"
        self.admin.save()
        self.admin.refresh_from_db()
        self.client.force_login(self.admin)
        response = self.client.put(
            reverse("authentik_api:user-update-self"), data={"username": "foo", "name": "foo"}
        )
        self.admin.refresh_from_db()
        self.assertEqual(response.status_code, 200)
        self.assertEqual(self.admin.attributes["foo"], "bar")
        self.assertEqual(self.admin.username, "foo")
        self.assertEqual(self.admin.name, "foo")
    def test_update_self_name_denied(self):
        """Test update_self"""
        self.admin.attributes[USER_ATTRIBUTE_CHANGE_NAME] = False
        self.admin.save()
        self.client.force_login(self.admin)
        response = self.client.put(
            reverse("authentik_api:user-update-self"), data={"username": "foo", "name": "foo"}
        )
        self.assertEqual(response.status_code, 400)
    def test_update_self_username_denied(self):
        """Test update_self"""
@ -68,6 +91,18 @@ class TestUsersAPI(APITestCase):
        )
        self.assertEqual(response.status_code, 404)
    def test_set_password(self):
        """Test Direct password set"""
        self.client.force_login(self.admin)
        new_pw = generate_key()
        response = self.client.post(
            reverse("authentik_api:user-set-password", kwargs={"pk": self.admin.pk}),
            data={"password": new_pw},
        )
        self.assertEqual(response.status_code, 204)
        self.admin.refresh_from_db()
        self.assertTrue(self.admin.check_password(new_pw))
    def test_recovery(self):
        """Test user recovery link (no recovery flow set)"""
        flow = create_test_flow(FlowDesignation.RECOVERY)
--- a/authentik/core/types.py
+++ b/authentik/core/types.py
@ -29,3 +29,4 @@ class UserSettingSerializer(PassiveSerializer):
    component = CharField()
    title = CharField()
    configure_url = CharField(required=False)
    icon_url = CharField()
--- a/authentik/crypto/api.py
+++ b/authentik/crypto/api.py
@ -1,4 +1,6 @@
 """Crypto API Views"""
 from typing import Optional
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives.serialization import load_pem_private_key
 from cryptography.x509 import load_pem_x509_certificate
@ -15,6 +17,7 @@ from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import ModelSerializer, ValidationError
 from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger
 from authentik.api.decorators import permission_required
 from authentik.core.api.used_by import UsedByMixin
@ -24,6 +27,8 @@ from authentik.crypto.managed import MANAGED_KEY
 from authentik.crypto.models import CertificateKeyPair
 from authentik.events.models import Event, EventAction
 LOGGER = get_logger()
 class CertificateKeyPairSerializer(ModelSerializer):
    """CertificateKeyPair Serializer"""
@ -31,6 +36,7 @@ class CertificateKeyPairSerializer(ModelSerializer):
    cert_expiry = DateTimeField(source="certificate.not_valid_after", read_only=True)
    cert_subject = SerializerMethodField()
    private_key_available = SerializerMethodField()
    private_key_type = SerializerMethodField()
    certificate_download_url = SerializerMethodField()
    private_key_download_url = SerializerMethodField()
@ -43,6 +49,13 @@ class CertificateKeyPairSerializer(ModelSerializer):
        """Show if this keypair has a private key configured or not"""
        return instance.key_data != "" and instance.key_data is not None
    def get_private_key_type(self, instance: CertificateKeyPair) -> Optional[str]:
        """Get the private key's type, if set"""
        key = instance.private_key
        if key:
            return key.__class__.__name__.replace("_", "").lower().replace("privatekey", "")
        return None
    def get_certificate_download_url(self, instance: CertificateKeyPair) -> str:
        """Get URL to download certificate"""
        return (
@ -66,22 +79,30 @@ class CertificateKeyPairSerializer(ModelSerializer):
    def validate_certificate_data(self, value: str) -> str:
        """Verify that input is a valid PEM x509 Certificate"""
        try:
-            load_pem_x509_certificate(value.encode("utf-8"), default_backend())
+            # Cast to string to fully load and parse certificate
-        except ValueError:
+            # Prevents issues like https://github.com/goauthentik/authentik/issues/2082
            str(load_pem_x509_certificate(value.encode("utf-8"), default_backend()))
        except ValueError as exc:
            LOGGER.warning("Failed to load certificate", exc=exc)
            raise ValidationError("Unable to load certificate.")
        return value
    def validate_key_data(self, value: str) -> str:
-        """Verify that input is a valid PEM RSA Key"""
+        """Verify that input is a valid PEM Key"""
        # Since this field is optional, data can be empty.
        if value != "":
            try:
-                load_pem_private_key(
+                # Cast to string to fully load and parse certificate
-                    str.encode("\n".join([x.strip() for x in value.split("\n")])),
+                # Prevents issues like https://github.com/goauthentik/authentik/issues/2082
-                    password=None,
+                str(
-                    backend=default_backend(),
+                    load_pem_private_key(
                        str.encode("\n".join([x.strip() for x in value.split("\n")])),
                        password=None,
                        backend=default_backend(),
                    )
                )
-            except (ValueError, TypeError):
+            except (ValueError, TypeError) as exc:
                LOGGER.warning("Failed to load private key", exc=exc)
                raise ValidationError("Unable to load private key (possibly encrypted?).")
        return value
@ -98,6 +119,7 @@ class CertificateKeyPairSerializer(ModelSerializer):
            "cert_expiry",
            "cert_subject",
            "private_key_available",
            "private_key_type",
            "certificate_download_url",
            "private_key_download_url",
            "managed",
--- a/authentik/crypto/builder.py
+++ b/authentik/crypto/builder.py
@ -44,7 +44,7 @@ class CertificateBuilder:
        """Build self-signed certificate"""
        one_day = datetime.timedelta(1, 0, 0)
        self.__private_key = rsa.generate_private_key(
-            public_exponent=65537, key_size=2048, backend=default_backend()
+            public_exponent=65537, key_size=4096, backend=default_backend()
        )
        self.__public_key = self.__private_key.public_key()
        alt_names: list[x509.GeneralName] = [x509.DNSName(x) for x in subject_alt_names or []]
--- a/authentik/crypto/models.py
+++ b/authentik/crypto/models.py
@ -6,6 +6,11 @@ from uuid import uuid4
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import hashes
 from cryptography.hazmat.primitives.asymmetric.ec import (
    EllipticCurvePrivateKey,
    EllipticCurvePublicKey,
 )
 from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey, Ed25519PublicKey
 from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateKey, RSAPublicKey
 from cryptography.hazmat.primitives.serialization import load_pem_private_key
 from cryptography.x509 import Certificate, load_pem_x509_certificate
@ -36,8 +41,8 @@ class CertificateKeyPair(ManagedModel, CreatedUpdatedModel):
    )
    _cert: Optional[Certificate] = None
-    _private_key: Optional[RSAPrivateKey] = None
+    _private_key: Optional[RSAPrivateKey | EllipticCurvePrivateKey | Ed25519PrivateKey] = None
-    _public_key: Optional[RSAPublicKey] = None
+    _public_key: Optional[RSAPublicKey | EllipticCurvePublicKey | Ed25519PublicKey] = None
    @property
    def certificate(self) -> Certificate:
@ -49,14 +54,16 @@ class CertificateKeyPair(ManagedModel, CreatedUpdatedModel):
        return self._cert
    @property
-    def public_key(self) -> Optional[RSAPublicKey]:
+    def public_key(self) -> Optional[RSAPublicKey | EllipticCurvePublicKey | Ed25519PublicKey]:
        """Get public key of the private key"""
        if not self._public_key:
            self._public_key = self.private_key.public_key()
        return self._public_key
    @property
-    def private_key(self) -> Optional[RSAPrivateKey]:
+    def private_key(
        self,
    ) -> Optional[RSAPrivateKey | EllipticCurvePrivateKey | Ed25519PrivateKey]:
        """Get python cryptography PrivateKey instance"""
        if not self._private_key and self.key_data != "":
            try:
--- a/authentik/crypto/tasks.py
+++ b/authentik/crypto/tasks.py
@ -24,7 +24,7 @@ MANAGED_DISCOVERED = "goauthentik.io/crypto/discovered/%s"
 def ensure_private_key_valid(body: str):
-    """Attempt loading of an RSA Private key without password"""
+    """Attempt loading of a PEM Private key without password"""
    load_pem_private_key(
        str.encode("\n".join([x.strip() for x in body.split("\n")])),
        password=None,
@ -42,7 +42,7 @@ def ensure_certificate_valid(body: str):
@CELERY_APP.task(bind=True, base=MonitoredTask)
@prefill_task
 def certificate_discovery(self: MonitoredTask):
-    """Discover and update certificates form the filesystem"""
+    """Discover, import and update certificates from the filesystem"""
    certs = {}
    private_keys = {}
    discovered = 0
@ -52,6 +52,9 @@ def certificate_discovery(self: MonitoredTask):
            continue
        if path.is_dir():
            continue
        # For certbot setups, we want to ignore archive.
        if "archive" in file:
            continue
        # Support certbot's directory structure
        if path.name in ["fullchain.pem", "privkey.pem"]:
            cert_name = path.parent.name
@ -60,7 +63,7 @@ def certificate_discovery(self: MonitoredTask):
        try:
            with open(path, "r+", encoding="utf-8") as _file:
                body = _file.read()
-                if "BEGIN RSA PRIVATE KEY" in body:
+                if "PRIVATE KEY" in body:
                    private_keys[cert_name] = ensure_private_key_valid(body)
                else:
                    certs[cert_name] = ensure_certificate_valid(body)
@ -79,7 +82,7 @@ def certificate_discovery(self: MonitoredTask):
            cert.certificate_data = cert_data
            dirty = True
        if name in private_keys:
-            if cert.key_data == private_keys[name]:
+            if cert.key_data != private_keys[name]:
                cert.key_data = private_keys[name]
                dirty = True
        if dirty:
--- a/authentik/crypto/tests.py
+++ b/authentik/crypto/tests.py
@ -146,7 +146,7 @@ class TestCrypto(APITestCase):
            client_secret=generate_key(),
            authorization_flow=create_test_flow(),
            redirect_uris="http://localhost",
-            rsa_key=keypair,
+            signing_key=keypair,
        )
        response = self.client.get(
            reverse(
@ -191,9 +191,12 @@ class TestCrypto(APITestCase):
            with CONFIG.patch("cert_discovery_dir", temp_dir):
                # pyright: reportGeneralTypeIssues=false
                certificate_discovery()  # pylint: disable=no-value-for-parameter
-        self.assertTrue(
+        keypair: CertificateKeyPair = CertificateKeyPair.objects.filter(
-            CertificateKeyPair.objects.filter(managed=MANAGED_DISCOVERED % "foo").exists()
+            managed=MANAGED_DISCOVERED % "foo"
-        )
+        ).first()
        self.assertIsNotNone(keypair)
        self.assertIsNotNone(keypair.certificate)
        self.assertIsNotNone(keypair.private_key)
        self.assertTrue(
            CertificateKeyPair.objects.filter(managed=MANAGED_DISCOVERED % "foo.bar").exists()
        )
--- a/authentik/events/api/notification_transport.py
+++ b/authentik/events/api/notification_transport.py
@ -15,12 +15,14 @@ from authentik.api.decorators import permission_required
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import PassiveSerializer
 from authentik.events.models import (
    Event,
    Notification,
    NotificationSeverity,
    NotificationTransport,
    NotificationTransportError,
    TransportMode,
 )
 from authentik.events.utils import get_user
 class NotificationTransportSerializer(ModelSerializer):
@ -86,6 +88,12 @@ class NotificationTransportViewSet(UsedByMixin, ModelViewSet):
            severity=NotificationSeverity.NOTICE,
            body=f"Test Notification from transport {transport.name}",
            user=request.user,
            event=Event(
                action="Test",
                user=get_user(request.user),
                app=self.__class__.__module__,
                context={"foo": "bar"},
            ),
        )
        try:
            response = NotificationTransportTestSerializer(
--- a/authentik/events/geo.py
+++ b/authentik/events/geo.py
@ -35,12 +35,11 @@ class GeoIPReader:
    def __open(self):
        """Get GeoIP Reader, if configured, otherwise none"""
-        path = CONFIG.y("authentik.geoip")
+        path = CONFIG.y("geoip")
        if path == "" or not path:
            return
        try:
-            reader = Reader(path)
+            self.__reader = Reader(path)
            self.__reader = reader
            self.__last_mtime = stat(path).st_mtime
            LOGGER.info("Loaded GeoIP database", last_write=self.__last_mtime)
        except OSError as exc:
--- a/authentik/events/migrations/0001_squashed_0019_alter_notificationtransport_webhook_url.py
+++ b/authentik/events/migrations/0001_squashed_0019_alter_notificationtransport_webhook_url.py
@ -19,7 +19,7 @@ def convert_user_to_json(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
    Event = apps.get_model("authentik_events", "Event")
    db_alias = schema_editor.connection.alias
-    for event in Event.objects.all():
+    for event in Event.objects.using(db_alias).all():
        event.delete()
        # Because event objects cannot be updated, we have to re-create them
        event.pk = None
--- a/authentik/events/migrations/0003_auto_20200917_1155.py
+++ b/authentik/events/migrations/0003_auto_20200917_1155.py
@ -10,7 +10,7 @@ def convert_user_to_json(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
    Event = apps.get_model("authentik_events", "Event")
    db_alias = schema_editor.connection.alias
-    for event in Event.objects.all():
+    for event in Event.objects.using(db_alias).all():
        event.delete()
        # Because event objects cannot be updated, we have to re-create them
        event.pk = None
--- a/authentik/events/models.py
+++ b/authentik/events/models.py
@ -2,9 +2,9 @@
 import time
 from collections import Counter
 from datetime import timedelta
-from inspect import getmodule, stack
+from inspect import currentframe
 from smtplib import SMTPException
-from typing import TYPE_CHECKING, Optional, Type, Union
+from typing import TYPE_CHECKING, Optional
 from uuid import uuid4
 from django.conf import settings
@ -190,16 +190,17 @@ class Event(ExpiringModel):
    @staticmethod
    def new(
-        action: Union[str, EventAction],
+        action: str | EventAction,
        app: Optional[str] = None,
        _inspect_offset: int = 1,
        **kwargs,
    ) -> "Event":
        """Create new Event instance from arguments. Instance is NOT saved."""
        if not isinstance(action, EventAction):
            action = EventAction.CUSTOM_PREFIX + action
        if not app:
-            app = getmodule(stack()[_inspect_offset][0]).__name__
+            current = currentframe()
            parent = current.f_back
            app = parent.f_globals["__name__"]
        cleaned_kwargs = cleanse_dict(sanitize_dict(kwargs))
        event = Event(action=action, app=app, context=cleaned_kwargs)
        return event
@ -516,7 +517,7 @@ class NotificationWebhookMapping(PropertyMapping):
        return "ak-property-mapping-notification-form"
    @property
-    def serializer(self) -> Type["Serializer"]:
+    def serializer(self) -> type["Serializer"]:
        from authentik.events.api.notification_mapping import NotificationWebhookMappingSerializer
        return NotificationWebhookMappingSerializer
--- a/authentik/flows/challenge.py
+++ b/authentik/flows/challenge.py
@ -72,7 +72,7 @@ class WithUserInfoChallenge(Challenge):
    pending_user_avatar = CharField()
-class AccessDeniedChallenge(Challenge):
+class AccessDeniedChallenge(WithUserInfoChallenge):
    """Challenge when a flow's active stage calls `stage_invalid()`."""
    error_message = CharField(required=False)
--- a/authentik/flows/exceptions.py
+++ b/authentik/flows/exceptions.py
@ -1,11 +1,14 @@
 """flow exceptions"""
 from authentik.lib.sentry import SentryIgnoredException
 from authentik.policies.types import PolicyResult
 class FlowNonApplicableException(SentryIgnoredException):
    """Flow does not apply to current user (denied by policy)."""
    policy_result: PolicyResult
 class EmptyFlowException(SentryIgnoredException):
    """Flow has no stages."""
--- a/authentik/flows/migrations/0011_flow_title.py
+++ b/authentik/flows/migrations/0011_flow_title.py
@ -10,8 +10,8 @@ def add_title_for_defaults(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
        "default-invalidation-flow": "Default Invalidation Flow",
        "default-source-enrollment": "Welcome to authentik! Please select a username.",
        "default-source-authentication": "Welcome to authentik!",
-        "default-provider-authorization-implicit-consent": "Default Provider Authorization Flow (implicit consent)",
+        "default-provider-authorization-implicit-consent": "Redirecting to %(app)s",
-        "default-provider-authorization-explicit-consent": "Default Provider Authorization Flow (explicit consent)",
+        "default-provider-authorization-explicit-consent": "Redirecting to %(app)s",
        "default-password-change": "Change password",
    }
    db_alias = schema_editor.connection.alias
--- a/authentik/flows/migrations/0021_auto_20211227_2103.py
+++ b/authentik/flows/migrations/0021_auto_20211227_2103.py
@ -0,0 +1,27 @@
 # Generated by Django 4.0 on 2021-12-27 21:03
 from django.apps.registry import Apps
 from django.db import migrations, models
 from django.db.backends.base.schema import BaseDatabaseSchemaEditor
 def update_title_for_defaults(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
    slug_title_map = {
        "default-provider-authorization-implicit-consent": "Redirecting to %(app)s",
        "default-provider-authorization-explicit-consent": "Redirecting to %(app)s",
    }
    db_alias = schema_editor.connection.alias
    Flow = apps.get_model("authentik_flows", "Flow")
    for flow in Flow.objects.using(db_alias).all():
        if flow.slug not in slug_title_map:
            continue
        flow.title = slug_title_map[flow.slug]
        flow.save()
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_flows", "0020_flowtoken"),
    ]
    operations = [migrations.RunPython(update_title_for_defaults)]
--- a/authentik/flows/models.py
+++ b/authentik/flows/models.py
@ -1,7 +1,7 @@
 """Flow models"""
 from base64 import b64decode, b64encode
 from pickle import dumps, loads  # nosec
-from typing import TYPE_CHECKING, Optional, Type
+from typing import TYPE_CHECKING, Optional
 from uuid import uuid4
 from django.db import models
@ -63,7 +63,7 @@ class Stage(SerializerModel):
    objects = InheritanceManager()
    @property
-    def type(self) -> Type["StageView"]:
+    def type(self) -> type["StageView"]:
        """Return StageView class that implements logic for this stage"""
        # This is a bit of a workaround, since we can't set class methods with setattr
        if hasattr(self, "__in_memory_type"):
@ -86,7 +86,7 @@ class Stage(SerializerModel):
        return f"Stage {self.name}"
-def in_memory_stage(view: Type["StageView"]) -> Stage:
+def in_memory_stage(view: type["StageView"]) -> Stage:
    """Creates an in-memory stage instance, based on a `view` as view."""
    stage = Stage()
    # Because we can't pickle a locally generated function,
--- a/authentik/flows/planner.py
+++ b/authentik/flows/planner.py
@ -4,7 +4,7 @@ from typing import Any, Optional
 from django.core.cache import cache
 from django.http import HttpRequest
-from prometheus_client import Histogram
+from prometheus_client import Gauge, Histogram
 from sentry_sdk.hub import Hub
 from sentry_sdk.tracing import Span
 from structlog.stdlib import BoundLogger, get_logger
@ -16,7 +16,6 @@ from authentik.flows.markers import ReevaluateMarker, StageMarker
 from authentik.flows.models import Flow, FlowStageBinding, Stage
 from authentik.lib.config import CONFIG
 from authentik.policies.engine import PolicyEngine
 from authentik.root.monitoring import UpdatingGauge
 LOGGER = get_logger()
 PLAN_CONTEXT_PENDING_USER = "pending_user"
@ -27,10 +26,9 @@ PLAN_CONTEXT_SOURCE = "source"
 # Is set by the Flow Planner when a FlowToken was used, and the currently active flow plan
 # was restored.
 PLAN_CONTEXT_IS_RESTORED = "is_restored"
-GAUGE_FLOWS_CACHED = UpdatingGauge(
+GAUGE_FLOWS_CACHED = Gauge(
    "authentik_flows_cached",
    "Cached flows",
    update_func=lambda: len(cache.keys("flow_*") or []),
 )
 HIST_FLOWS_PLAN_TIME = Histogram(
    "authentik_flows_plan_time",
@ -152,7 +150,9 @@ class FlowPlanner:
            engine.build()
            result = engine.result
            if not result.passing:
-                raise FlowNonApplicableException(",".join(result.messages))
+                exc = FlowNonApplicableException(",".join(result.messages))
                exc.policy_result = result
                raise exc
            # User is passing so far, check if we have a cached plan
            cached_plan_key = cache_key(self.flow, user)
            cached_plan = cache.get(cached_plan_key, None)
@ -169,7 +169,6 @@ class FlowPlanner:
            )
            plan = self._build_plan(user, request, default_context)
            cache.set(cache_key(self.flow, user), plan, CACHE_TIMEOUT)
            GAUGE_FLOWS_CACHED.update()
            if not plan.bindings and not self.allow_empty_flows:
                raise EmptyFlowException()
            return plan
--- a/authentik/flows/signals.py
+++ b/authentik/flows/signals.py
@ -4,6 +4,9 @@ from django.db.models.signals import post_save, pre_delete
 from django.dispatch import receiver
 from structlog.stdlib import get_logger
 from authentik.flows.planner import GAUGE_FLOWS_CACHED
 from authentik.root.monitoring import monitoring_set
 LOGGER = get_logger()
@ -14,6 +17,13 @@ def delete_cache_prefix(prefix: str) -> int:
    return len(keys)
@receiver(monitoring_set)
 # pylint: disable=unused-argument
 def monitoring_set_flows(sender, **kwargs):
    """set flow gauges"""
    GAUGE_FLOWS_CACHED.set(len(cache.keys("flow_*") or []))
@receiver(post_save)
@receiver(pre_delete)
 # pylint: disable=unused-argument
--- a/authentik/flows/stage.py
+++ b/authentik/flows/stage.py
@ -1,4 +1,6 @@
 """authentik stage Base view"""
 from typing import TYPE_CHECKING, Optional
 from django.contrib.auth.models import AnonymousUser
 from django.http import HttpRequest
 from django.http.request import QueryDict
@ -11,15 +13,19 @@ from structlog.stdlib import get_logger
 from authentik.core.models import DEFAULT_AVATAR, User
 from authentik.flows.challenge import (
    AccessDeniedChallenge,
    Challenge,
    ChallengeResponse,
    ChallengeTypes,
    ContextualFlowInfo,
    HttpChallengeResponse,
    WithUserInfoChallenge,
 )
 from authentik.flows.models import InvalidResponseAction
 from authentik.flows.planner import PLAN_CONTEXT_APPLICATION, PLAN_CONTEXT_PENDING_USER
-from authentik.flows.views.executor import FlowExecutorView
+
 if TYPE_CHECKING:
    from authentik.flows.views.executor import FlowExecutorView
 PLAN_CONTEXT_PENDING_USER_IDENTIFIER = "pending_user_identifier"
 LOGGER = get_logger()
@ -28,11 +34,11 @@ LOGGER = get_logger()
 class StageView(View):
    """Abstract Stage, inherits TemplateView but can be combined with FormView"""
-    executor: FlowExecutorView
+    executor: "FlowExecutorView"
    request: HttpRequest = None
-    def __init__(self, executor: FlowExecutorView, **kwargs):
+    def __init__(self, executor: "FlowExecutorView", **kwargs):
        self.executor = executor
        super().__init__(**kwargs)
@ -43,6 +49,8 @@ class StageView(View):
        other things besides the form display.
        If no user is pending, returns request.user"""
        if not self.executor.plan:
            return self.request.user
        if PLAN_CONTEXT_PENDING_USER_IDENTIFIER in self.executor.plan.context and for_display:
            return User(
                username=self.executor.plan.context.get(PLAN_CONTEXT_PENDING_USER_IDENTIFIER),
@ -108,9 +116,14 @@ class ChallengeStageView(StageView):
    def format_title(self) -> str:
        """Allow usage of placeholder in flow title."""
-        return self.executor.flow.title % {
+        if not self.executor.plan:
-            "app": self.executor.plan.context.get(PLAN_CONTEXT_APPLICATION, "")
+            return self.executor.flow.title
-        }
+        try:
            return self.executor.flow.title % {
                "app": self.executor.plan.context.get(PLAN_CONTEXT_APPLICATION, "")
            }
        except ValueError:
            return self.executor.flow.title
    def _get_challenge(self, *args, **kwargs) -> Challenge:
        with Hub.current.start_span(
@ -169,3 +182,27 @@ class ChallengeStageView(StageView):
                stage_view=self,
            )
        return HttpChallengeResponse(challenge_response)
 class AccessDeniedChallengeView(ChallengeStageView):
    """Used internally by FlowExecutor's stage_invalid()"""
    error_message: Optional[str]
    def __init__(self, executor: "FlowExecutorView", error_message: Optional[str] = None, **kwargs):
        super().__init__(executor, **kwargs)
        self.error_message = error_message
    def get_challenge(self, *args, **kwargs) -> Challenge:
        return AccessDeniedChallenge(
            data={
                "error_message": self.error_message or "Unknown error",
                "type": ChallengeTypes.NATIVE.value,
                "component": "ak-stage-access-denied",
            }
        )
    # This can never be reached since this challenge is created on demand and only the
    # .get() method is called
    def challenge_valid(self, response: ChallengeResponse) -> HttpResponse:  # pragma: no cover
        return self.executor.cancel()
--- a/authentik/flows/tests/init.py
+++ b/authentik/flows/tests/init.py
@ -0,0 +1,51 @@
 """Test helpers"""
 from json import loads
 from typing import Any, Optional
 from django.http.response import HttpResponse
 from django.urls.base import reverse
 from rest_framework.test import APITestCase
 from authentik.core.models import User
 from authentik.flows.challenge import ChallengeTypes
 from authentik.flows.models import Flow
 class FlowTestCase(APITestCase):
    """Helpers for testing flows and stages."""
    # pylint: disable=invalid-name
    def assertStageResponse(
        self,
        response: HttpResponse,
        flow: Optional[Flow] = None,
        user: Optional[User] = None,
        **kwargs,
    ) -> dict[str, Any]:
        """Assert various attributes of a stage response"""
        raw_response = loads(response.content.decode())
        self.assertIsNotNone(raw_response["component"])
        self.assertIsNotNone(raw_response["type"])
        if flow:
            self.assertIn("flow_info", raw_response)
            self.assertEqual(raw_response["flow_info"]["background"], flow.background_url)
            self.assertEqual(
                raw_response["flow_info"]["cancel_url"], reverse("authentik_flows:cancel")
            )
            # We don't check the flow title since it will most likely go
            # through ChallengeStageView.format_title() so might not match 1:1
            # self.assertEqual(raw_response["flow_info"]["title"], flow.title)
            self.assertIsNotNone(raw_response["flow_info"]["title"])
        if user:
            self.assertEqual(raw_response["pending_user"], user.username)
            self.assertEqual(raw_response["pending_user_avatar"], user.avatar)
        for key, expected in kwargs.items():
            self.assertEqual(raw_response[key], expected)
        return raw_response
    # pylint: disable=invalid-name
    def assertStageRedirects(self, response: HttpResponse, to: str) -> dict[str, Any]:
        """Wrapper around assertStageResponse that checks for a redirect"""
        return self.assertStageResponse(
            response, component="xak-flow-redirect", to=to, type=ChallengeTypes.REDIRECT.value
        )
--- a/authentik/flows/tests/test_executor.py
+++ b/authentik/flows/tests/test_executor.py
@ -4,16 +4,14 @@ from unittest.mock import MagicMock, PropertyMock, patch
 from django.http import HttpRequest, HttpResponse
 from django.test.client import RequestFactory
 from django.urls import reverse
 from django.utils.encoding import force_str
 from rest_framework.test import APITestCase
 from authentik.core.models import User
 from authentik.flows.challenge import ChallengeTypes
 from authentik.flows.exceptions import FlowNonApplicableException
 from authentik.flows.markers import ReevaluateMarker, StageMarker
 from authentik.flows.models import Flow, FlowDesignation, FlowStageBinding, InvalidResponseAction
 from authentik.flows.planner import FlowPlan, FlowPlanner
 from authentik.flows.stage import PLAN_CONTEXT_PENDING_USER_IDENTIFIER, StageView
 from authentik.flows.tests import FlowTestCase
 from authentik.flows.views.executor import NEXT_ARG_NAME, SESSION_KEY_PLAN, FlowExecutorView
 from authentik.lib.config import CONFIG
 from authentik.policies.dummy.models import DummyPolicy
@ -37,7 +35,7 @@ def to_stage_response(request: HttpRequest, source: HttpResponse):
 TO_STAGE_RESPONSE_MOCK = MagicMock(side_effect=to_stage_response)
-class TestFlowExecutor(APITestCase):
+class TestFlowExecutor(FlowTestCase):
    """Test executor"""
    def setUp(self):
@ -90,18 +88,11 @@ class TestFlowExecutor(APITestCase):
            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
        )
        self.assertEqual(response.status_code, 200)
-        self.assertJSONEqual(
+        self.assertStageResponse(
-            force_str(response.content),
+            response,
-            {
+            flow=flow,
-                "component": "ak-stage-access-denied",
+            error_message=FlowNonApplicableException.__doc__,
-                "error_message": FlowNonApplicableException.__doc__,
+            component="ak-stage-access-denied",
                "flow_info": {
                    "background": flow.background_url,
                    "cancel_url": reverse("authentik_flows:cancel"),
                    "title": "",
                },
                "type": ChallengeTypes.NATIVE.value,
            },
        )
    @patch(
@ -283,14 +274,7 @@ class TestFlowExecutor(APITestCase):
        # We do this request without the patch, so the policy results in false
        response = self.client.post(exec_url)
        self.assertEqual(response.status_code, 200)
-        self.assertJSONEqual(
+        self.assertStageRedirects(response, reverse("authentik_core:root-redirect"))
            force_str(response.content),
            {
                "component": "xak-flow-redirect",
                "to": reverse("authentik_core:root-redirect"),
                "type": ChallengeTypes.REDIRECT.value,
            },
        )
    def test_reevaluate_keep(self):
        """Test planner with re-evaluate (everything is kept)"""
@ -360,14 +344,7 @@ class TestFlowExecutor(APITestCase):
        # We do this request without the patch, so the policy results in false
        response = self.client.post(exec_url)
        self.assertEqual(response.status_code, 200)
-        self.assertJSONEqual(
+        self.assertStageRedirects(response, reverse("authentik_core:root-redirect"))
            force_str(response.content),
            {
                "component": "xak-flow-redirect",
                "to": reverse("authentik_core:root-redirect"),
                "type": ChallengeTypes.REDIRECT.value,
            },
        )
    def test_reevaluate_remove_consecutive(self):
        """Test planner with re-evaluate (consecutive stages are removed)"""
@ -407,18 +384,7 @@ class TestFlowExecutor(APITestCase):
            # First request, run the planner
            response = self.client.get(exec_url)
            self.assertEqual(response.status_code, 200)
-            self.assertJSONEqual(
+            self.assertStageResponse(response, flow, component="ak-stage-dummy")
                force_str(response.content),
                {
                    "type": ChallengeTypes.NATIVE.value,
                    "component": "ak-stage-dummy",
                    "flow_info": {
                        "background": flow.background_url,
                        "cancel_url": reverse("authentik_flows:cancel"),
                        "title": "",
                    },
                },
            )
            plan: FlowPlan = self.client.session[SESSION_KEY_PLAN]
@ -441,31 +407,13 @@ class TestFlowExecutor(APITestCase):
        # but it won't save it, hence we can't check the plan
        response = self.client.get(exec_url)
        self.assertEqual(response.status_code, 200)
-        self.assertJSONEqual(
+        self.assertStageResponse(response, flow, component="ak-stage-dummy")
            force_str(response.content),
            {
                "type": ChallengeTypes.NATIVE.value,
                "component": "ak-stage-dummy",
                "flow_info": {
                    "background": flow.background_url,
                    "cancel_url": reverse("authentik_flows:cancel"),
                    "title": "",
                },
            },
        )
        # fourth request, this confirms the last stage (dummy4)
        # We do this request without the patch, so the policy results in false
        response = self.client.post(exec_url)
        self.assertEqual(response.status_code, 200)
-        self.assertJSONEqual(
+        self.assertStageRedirects(response, reverse("authentik_core:root-redirect"))
            force_str(response.content),
            {
                "component": "xak-flow-redirect",
                "to": reverse("authentik_core:root-redirect"),
                "type": ChallengeTypes.REDIRECT.value,
            },
        )
    def test_stageview_user_identifier(self):
        """Test PLAN_CONTEXT_PENDING_USER_IDENTIFIER"""
@ -532,35 +480,16 @@ class TestFlowExecutor(APITestCase):
        # First request, run the planner
        response = self.client.get(exec_url)
        self.assertEqual(response.status_code, 200)
-        self.assertJSONEqual(
+        self.assertStageResponse(
-            force_str(response.content),
+            response,
-            {
+            flow,
-                "type": ChallengeTypes.NATIVE.value,
+            component="ak-stage-identification",
-                "component": "ak-stage-identification",
+            password_fields=False,
-                "flow_info": {
+            primary_action="Log in",
-                    "background": flow.background_url,
+            sources=[],
-                    "cancel_url": reverse("authentik_flows:cancel"),
+            show_source_labels=False,
-                    "title": "",
+            user_fields=[UserFields.E_MAIL],
                },
                "password_fields": False,
                "primary_action": "Log in",
                "sources": [],
                "show_source_labels": False,
                "user_fields": [UserFields.E_MAIL],
            },
        )
        response = self.client.post(exec_url, {"uid_field": "invalid-string"}, follow=True)
        self.assertEqual(response.status_code, 200)
-        self.assertJSONEqual(
+        self.assertStageResponse(response, flow, component="ak-stage-access-denied")
            force_str(response.content),
            {
                "component": "ak-stage-access-denied",
                "error_message": None,
                "flow_info": {
                    "background": flow.background_url,
                    "cancel_url": reverse("authentik_flows:cancel"),
                    "title": "",
                },
                "type": ChallengeTypes.NATIVE.value,
            },
        )
--- a/authentik/flows/tests/test_stage_model.py
+++ b/authentik/flows/tests/test_stage_model.py
@ -1,5 +1,5 @@
 """base model tests"""
-from typing import Callable, Type
+from typing import Callable
 from django.test import TestCase
@ -12,7 +12,7 @@ class TestModels(TestCase):
    """Generic model properties tests"""
-def model_tester_factory(test_model: Type[Stage]) -> Callable:
+def model_tester_factory(test_model: type[Stage]) -> Callable:
    """Test a form"""
    def tester(self: TestModels):
--- a/authentik/flows/tests/test_stage_views.py
+++ b/authentik/flows/tests/test_stage_views.py
@ -1,5 +1,5 @@
 """stage view tests"""
-from typing import Callable, Type
+from typing import Callable
 from django.test import RequestFactory, TestCase
@ -16,7 +16,7 @@ class TestViews(TestCase):
        self.exec = FlowExecutorView(request=self.factory.get("/"))
-def view_tester_factory(view_class: Type[StageView]) -> Callable:
+def view_tester_factory(view_class: type[StageView]) -> Callable:
    """Test a form"""
    def tester(self: TestViews):
--- a/authentik/flows/transfer/importer.py
+++ b/authentik/flows/transfer/importer.py
@ -2,7 +2,7 @@
 from contextlib import contextmanager
 from copy import deepcopy
 from json import loads
-from typing import Any, Type
+from typing import Any
 from dacite import from_dict
 from dacite.exceptions import DaciteError
@ -87,7 +87,7 @@ class FlowImporter:
    def _validate_single(self, entry: FlowBundleEntry) -> BaseSerializer:
        """Validate a single entry"""
        model_app_label, model_name = entry.model.split(".")
-        model: Type[SerializerModel] = apps.get_model(model_app_label, model_name)
+        model: type[SerializerModel] = apps.get_model(model_app_label, model_name)
        if not isinstance(model(), ALLOWED_MODELS):
            raise EntryInvalidError(f"Model {model} not allowed")
--- a/authentik/flows/views/executor.py
+++ b/authentik/flows/views/executor.py
@ -10,7 +10,6 @@ from django.http import Http404, HttpRequest, HttpResponse, HttpResponseRedirect
 from django.http.request import QueryDict
 from django.shortcuts import get_object_or_404, redirect
 from django.template.response import TemplateResponse
 from django.urls.base import reverse
 from django.utils.decorators import method_decorator
 from django.views.decorators.clickjacking import xframe_options_sameorigin
 from django.views.generic import View
@ -26,7 +25,6 @@ from structlog.stdlib import BoundLogger, get_logger
 from authentik.core.models import USER_ATTRIBUTE_DEBUG
 from authentik.events.models import Event, EventAction, cleanse_dict
 from authentik.flows.challenge import (
    AccessDeniedChallenge,
    Challenge,
    ChallengeResponse,
    ChallengeTypes,
@ -51,6 +49,7 @@ from authentik.flows.planner import (
    FlowPlan,
    FlowPlanner,
 )
 from authentik.flows.stage import AccessDeniedChallengeView
 from authentik.lib.sentry import SentryIgnoredException
 from authentik.lib.utils.errors import exception_to_string
 from authentik.lib.utils.reflection import all_subclasses, class_to_path
@ -371,12 +370,6 @@ class FlowExecutorView(APIView):
            NEXT_ARG_NAME, "authentik_core:root-redirect"
        )
        self.cancel()
        Event.new(
            action=EventAction.FLOW_EXECUTION,
            flow=self.flow,
            designation=self.flow.designation,
            successful=True,
        ).from_http(self.request)
        return to_stage_response(self.request, redirect_with_qs(next_param))
    def stage_ok(self) -> HttpResponse:
@ -412,21 +405,9 @@ class FlowExecutorView(APIView):
        is a superuser."""
        self._logger.debug("f(exec): Stage invalid")
        self.cancel()
-        response = HttpChallengeResponse(
+        challenge_view = AccessDeniedChallengeView(self, error_message)
-            AccessDeniedChallenge(
+        challenge_view.request = self.request
-                {
+        return to_stage_response(self.request, challenge_view.get(self.request))
                    "error_message": error_message,
                    "type": ChallengeTypes.NATIVE.value,
                    "component": "ak-stage-access-denied",
                    "flow_info": {
                        "title": self.flow.title,
                        "background": self.flow.background_url,
                        "cancel_url": reverse("authentik_flows:cancel"),
                    },
                }
            )
        )
        return to_stage_response(self.request, response)
    def cancel(self):
        """Cancel current execution and return a redirect"""
--- a/authentik/lib/default.yml
+++ b/authentik/lib/default.yml
@ -64,7 +64,7 @@ outposts:
  # %(type)s: Outpost type; proxy, ldap, etc
  # %(version)s: Current version; 2021.4.1
  # %(build_hash)s: Build hash if you're running a beta version
-  container_image_base: goauthentik.io/%(type)s:%(version)s
+  container_image_base: ghcr.io/goauthentik/%(type)s:%(version)s
 cookie_domain: null
 disable_update_check: false
@ -78,6 +78,7 @@ footer_links:
  - name: authentik Website
    href: https://goauthentik.io/?utm_source=authentik
 default_user_change_name: true
 default_user_change_email: true
 default_user_change_username: true
--- a/authentik/lib/sentry.py
+++ b/authentik/lib/sentry.py
@ -97,7 +97,7 @@ def before_send(event: dict, hint: dict) -> Optional[dict]:
    if "exc_info" in hint:
        _, exc_value, _ = hint["exc_info"]
        if isinstance(exc_value, ignored_classes):
-            LOGGER.debug("dropping exception", exception=exc_value)
+            LOGGER.debug("dropping exception", exc=exc_value)
            return None
    if "logger" in event:
        if event["logger"] in [
@ -108,9 +108,13 @@ def before_send(event: dict, hint: dict) -> Optional[dict]:
            "multiprocessing",
            "django_redis",
            "django.security.DisallowedHost",
            "django_redis.cache",
            "celery.backends.redis",
            "celery.worker",
            "paramiko.transport",
        ]:
            return None
    LOGGER.debug("sending event to sentry", exc=exc_value, source_logger=event.get("logger", None))
-    if settings.DEBUG:
+    if settings.DEBUG or settings.TEST:
        return None
    return event
--- a/authentik/lib/tests/test_sentry.py
+++ b/authentik/lib/tests/test_sentry.py
@ -13,4 +13,4 @@ class TestSentry(TestCase):
    def test_error_sent(self):
        """Test error sent"""
-        self.assertEqual({}, before_send({}, {"exc_info": (0, ValueError(), 0)}))
+        self.assertEqual(None, before_send({}, {"exc_info": (0, ValueError(), 0)}))
--- a/authentik/lib/tests/test_serializer_model.py
+++ b/authentik/lib/tests/test_serializer_model.py
@ -1,5 +1,5 @@
 """base model tests"""
-from typing import Callable, Type
+from typing import Callable
 from django.test import TestCase
 from rest_framework.serializers import BaseSerializer
@ -13,7 +13,7 @@ class TestModels(TestCase):
    """Generic model properties tests"""
-def model_tester_factory(test_model: Type[Stage]) -> Callable:
+def model_tester_factory(test_model: type[Stage]) -> Callable:
    """Test a form"""
    def tester(self: TestModels):
--- a/authentik/lib/utils/http.py
+++ b/authentik/lib/utils/http.py
@ -1,5 +1,4 @@
 """http helpers"""
 from os import environ
 from typing import Any, Optional
 from django.http import HttpRequest
@ -7,7 +6,7 @@ from requests.sessions import Session
 from sentry_sdk.hub import Hub
 from structlog.stdlib import get_logger
-from authentik import ENV_GIT_HASH_KEY, __version__
+from authentik import get_full_version
 OUTPOST_REMOTE_IP_HEADER = "HTTP_X_AUTHENTIK_REMOTE_IP"
 OUTPOST_TOKEN_HEADER = "HTTP_X_AUTHENTIK_OUTPOST_TOKEN"  # nosec
@ -75,8 +74,7 @@ def get_client_ip(request: Optional[HttpRequest]) -> str:
 def authentik_user_agent() -> str:
    """Get a common user agent"""
-    build = environ.get(ENV_GIT_HASH_KEY, "tagged")
+    return f"authentik@{get_full_version()}"
    return f"authentik@{__version__} (build={build})"
 def get_http_session() -> Session:
--- a/authentik/lib/utils/reflection.py
+++ b/authentik/lib/utils/reflection.py
@ -2,7 +2,6 @@
 import os
 from importlib import import_module
 from pathlib import Path
 from typing import Union
 from django.conf import settings
 from kubernetes.config.incluster_config import SERVICE_HOST_ENV_NAME
@ -30,7 +29,7 @@ def class_to_path(cls: type) -> str:
    return f"{cls.__module__}.{cls.__name__}"
-def path_to_class(path: Union[str, None]) -> Union[type, None]:
+def path_to_class(path: str | None) -> type | None:
    """Import module and return class"""
    if not path:
        return None
@ -59,4 +58,6 @@ def get_env() -> str:
        return "compose"
    if CONFIG.y_bool("debug"):
        return "dev"
    if "AK_APPLIANCE" in os.environ:
        return os.environ["AK_APPLIANCE"]
    return "custom"
--- a/authentik/lib/utils/time.py
+++ b/authentik/lib/utils/time.py
@ -34,7 +34,7 @@ def timedelta_from_string(expr: str) -> datetime.timedelta:
        key, value = duration_pair.split("=")
        if key.lower() not in ALLOWED_KEYS:
            continue
-        kwargs[key.lower()] = float(value)
+        kwargs[key.lower()] = float(value.strip())
    if len(kwargs) < 1:
        raise ValueError("No valid keys to pass to timedelta")
    return datetime.timedelta(**kwargs)
--- a/authentik/managed/manager.py
+++ b/authentik/managed/manager.py
@ -1,5 +1,5 @@
 """Managed objects manager"""
-from typing import Callable, Optional, Type
+from typing import Callable, Optional
 from structlog.stdlib import get_logger
@ -11,11 +11,11 @@ LOGGER = get_logger()
 class EnsureOp:
    """Ensure operation, executed as part of an ObjectManager run"""
-    _obj: Type[ManagedModel]
+    _obj: type[ManagedModel]
    _managed_uid: str
    _kwargs: dict
-    def __init__(self, obj: Type[ManagedModel], managed_uid: str, **kwargs) -> None:
+    def __init__(self, obj: type[ManagedModel], managed_uid: str, **kwargs) -> None:
        self._obj = obj
        self._managed_uid = managed_uid
        self._kwargs = kwargs
@ -32,7 +32,7 @@ class EnsureExists(EnsureOp):
    def __init__(
        self,
-        obj: Type[ManagedModel],
+        obj: type[ManagedModel],
        managed_uid: str,
        created_callback: Optional[Callable] = None,
        **kwargs,
--- a/authentik/outposts/api/outposts.py
+++ b/authentik/outposts/api/outposts.py
@ -12,6 +12,7 @@ from rest_framework.response import Response
 from rest_framework.serializers import JSONField, ModelSerializer, ValidationError
 from rest_framework.viewsets import ModelViewSet
 from authentik import get_build_hash
 from authentik.core.api.providers import ProviderSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import PassiveSerializer, is_dict
@ -98,8 +99,12 @@ class OutpostHealthSerializer(PassiveSerializer):
    last_seen = DateTimeField(read_only=True)
    version = CharField(read_only=True)
    version_should = CharField(read_only=True)
    version_outdated = BooleanField(read_only=True)
    build_hash = CharField(read_only=True, required=False)
    build_hash_should = CharField(read_only=True, required=False)
 class OutpostFilter(FilterSet):
    """Filter for Outposts"""
@ -116,6 +121,7 @@ class OutpostFilter(FilterSet):
            "providers": ["isnull"],
            "name": ["iexact", "icontains"],
            "service_connection__name": ["iexact", "icontains"],
            "managed": ["iexact", "icontains"],
        }
@ -145,6 +151,8 @@ class OutpostViewSet(UsedByMixin, ModelViewSet):
                    "version": state.version,
                    "version_should": state.version_should,
                    "version_outdated": state.version_outdated,
                    "build_hash": state.build_hash,
                    "build_hash_should": get_build_hash(),
                }
            )
        return Response(OutpostHealthSerializer(states, many=True).data)
--- a/authentik/outposts/controllers/base.py
+++ b/authentik/outposts/controllers/base.py
@ -1,15 +1,18 @@
 """Base Controller"""
 from dataclasses import dataclass
 from os import environ
 from typing import Optional
 from structlog.stdlib import get_logger
 from structlog.testing import capture_logs
-from authentik import ENV_GIT_HASH_KEY, __version__
+from authentik import __version__, get_build_hash
 from authentik.lib.config import CONFIG
 from authentik.lib.sentry import SentryIgnoredException
-from authentik.outposts.models import Outpost, OutpostServiceConnection
+from authentik.outposts.models import (
    Outpost,
    OutpostServiceConnection,
    OutpostServiceConnectionState,
 )
 FIELD_MANAGER = "goauthentik.io"
@ -28,11 +31,25 @@ class DeploymentPort:
    inner_port: Optional[int] = None
 class BaseClient:
    """Base class for custom clients"""
    def fetch_state(self) -> OutpostServiceConnectionState:
        """Get state, version info"""
        raise NotImplementedError
    def __enter__(self):
        return self
    def __exit__(self, exc_type, exc_value, traceback):
        """Cleanup after usage"""
 class BaseController:
    """Base Outpost deployment controller"""
    deployment_ports: list[DeploymentPort]
-
+    client: BaseClient
    outpost: Outpost
    connection: OutpostServiceConnection
@ -63,6 +80,14 @@ class BaseController:
            self.down()
        return [x["event"] for x in logs]
    def __enter__(self):
        return self
    def __exit__(self, exc_type, exc_value, traceback):
        """Cleanup after usage"""
        if hasattr(self, "client"):
            self.client.__exit__(exc_type, exc_value, traceback)
    def get_static_deployment(self) -> str:
        """Return a static deployment configuration"""
        raise NotImplementedError
@ -76,5 +101,5 @@ class BaseController:
        return image_name_template % {
            "type": self.outpost.type,
            "version": __version__,
-            "build_hash": environ.get(ENV_GIT_HASH_KEY, ""),
+            "build_hash": get_build_hash(),
        }
--- a/authentik/outposts/controllers/docker.py
+++ b/authentik/outposts/controllers/docker.py
@ -1,17 +1,79 @@
 """Docker controller"""
 from time import sleep
 from typing import Optional
 from urllib.parse import urlparse
 from django.conf import settings
 from django.utils.text import slugify
-from docker import DockerClient
+from docker import DockerClient as UpstreamDockerClient
 from docker.errors import DockerException, NotFound
 from docker.models.containers import Container
 from docker.utils.utils import kwargs_from_env
 from paramiko.ssh_exception import SSHException
 from structlog.stdlib import get_logger
 from yaml import safe_dump
 from authentik import __version__
-from authentik.outposts.controllers.base import BaseController, ControllerException
+from authentik.outposts.controllers.base import BaseClient, BaseController, ControllerException
 from authentik.outposts.docker_ssh import DockerInlineSSH
 from authentik.outposts.docker_tls import DockerInlineTLS
 from authentik.outposts.managed import MANAGED_OUTPOST
-from authentik.outposts.models import DockerServiceConnection, Outpost, ServiceConnectionInvalid
+from authentik.outposts.models import (
    DockerServiceConnection,
    Outpost,
    OutpostServiceConnectionState,
    ServiceConnectionInvalid,
 )
 class DockerClient(UpstreamDockerClient, BaseClient):
    """Custom docker client, which can handle TLS and SSH from a database."""
    tls: Optional[DockerInlineTLS]
    ssh: Optional[DockerInlineSSH]
    def __init__(self, connection: DockerServiceConnection):
        self.tls = None
        self.ssh = None
        if connection.local:
            # Same result as DockerClient.from_env
            super().__init__(**kwargs_from_env())
        else:
            parsed_url = urlparse(connection.url)
            tls_config = False
            if parsed_url.scheme == "ssh":
                self.ssh = DockerInlineSSH(parsed_url.hostname, connection.tls_authentication)
                self.ssh.write()
            else:
                self.tls = DockerInlineTLS(
                    verification_kp=connection.tls_verification,
                    authentication_kp=connection.tls_authentication,
                )
                tls_config = self.tls.write()
            try:
                super().__init__(
                    base_url=connection.url,
                    tls=tls_config,
                )
            except SSHException as exc:
                raise ServiceConnectionInvalid from exc
        self.logger = get_logger()
        # Ensure the client actually works
        self.containers.list()
    def fetch_state(self) -> OutpostServiceConnectionState:
        try:
            return OutpostServiceConnectionState(version=self.info()["ServerVersion"], healthy=True)
        except (ServiceConnectionInvalid, DockerException):
            return OutpostServiceConnectionState(version="", healthy=False)
    def __exit__(self, exc_type, exc_value, traceback):
        if self.tls:
            self.logger.debug("Cleaning up TLS")
            self.tls.cleanup()
        if self.ssh:
            self.logger.debug("Cleaning up SSH")
            self.ssh.cleanup()
 class DockerController(BaseController):
@ -27,8 +89,9 @@ class DockerController(BaseController):
        if outpost.managed == MANAGED_OUTPOST:
            return
        try:
-            self.client = connection.client()
+            self.client = DockerClient(connection)
-        except ServiceConnectionInvalid as exc:
+        except DockerException as exc:
            self.logger.warning(exc)
            raise ControllerException from exc
    @property
@ -110,7 +173,7 @@ class DockerController(BaseController):
        image = self.get_container_image()
        try:
            self.client.images.pull(image)
-        except DockerException:
+        except DockerException:  # pragma: no cover
            image = f"goauthentik.io/{self.outpost.type}:latest"
            self.client.images.pull(image)
        return image
@ -144,7 +207,7 @@ class DockerController(BaseController):
                True,
            )
-    def _migrate_container_name(self):
+    def _migrate_container_name(self):  # pragma: no cover
        """Migrate 2021.9 to 2021.10+"""
        old_name = f"authentik-proxy-{self.outpost.uuid.hex}"
        try:
@ -169,7 +232,7 @@ class DockerController(BaseController):
            # Check if the container is out of date, delete it and retry
            if len(container.image.tags) > 0:
                should_image = self.try_pull_image()
-                if should_image not in container.image.tags:
+                if should_image not in container.image.tags:  # pragma: no cover
                    self.logger.info(
                        "Container has mismatched image, re-creating...",
                        has=container.image.tags,
--- a/authentik/outposts/controllers/k8s/base.py
+++ b/authentik/outposts/controllers/k8s/base.py
@ -20,6 +20,11 @@ if TYPE_CHECKING:
 T = TypeVar("T", V1Pod, V1Deployment)
 def get_version() -> str:
    """Wrapper for __version__ to make testing easier"""
    return __version__
 class KubernetesObjectReconciler(Generic[T]):
    """Base Kubernetes Reconciler, handles the basic logic."""
@ -146,13 +151,13 @@ class KubernetesObjectReconciler(Generic[T]):
        return V1ObjectMeta(
            namespace=self.namespace,
            labels={
                "app.kubernetes.io/name": f"authentik-{self.controller.outpost.type.lower()}",
                "app.kubernetes.io/instance": slugify(self.controller.outpost.name),
                "app.kubernetes.io/version": __version__,
                "app.kubernetes.io/managed-by": "goauthentik.io",
-                "goauthentik.io/outpost-uuid": self.controller.outpost.uuid.hex,
+                "app.kubernetes.io/name": f"authentik-{self.controller.outpost.type.lower()}",
-                "goauthentik.io/outpost-type": str(self.controller.outpost.type),
+                "app.kubernetes.io/version": get_version(),
                "goauthentik.io/outpost-name": slugify(self.controller.outpost.name),
                "goauthentik.io/outpost-type": str(self.controller.outpost.type),
                "goauthentik.io/outpost-uuid": self.controller.outpost.uuid.hex,
            },
            **kwargs,
        )
--- a/authentik/outposts/controllers/k8s/deployment.py
+++ b/authentik/outposts/controllers/k8s/deployment.py
@ -18,6 +18,7 @@ from kubernetes.client import (
    V1SecretKeySelector,
 )
 from authentik import __version__, get_full_version
 from authentik.outposts.controllers.base import FIELD_MANAGER
 from authentik.outposts.controllers.k8s.base import KubernetesObjectReconciler
 from authentik.outposts.controllers.k8s.triggers import NeedsUpdate
@ -52,15 +53,18 @@ class DeploymentReconciler(KubernetesObjectReconciler[V1Deployment]):
            raise NeedsUpdate()
        super().reconcile(current, reference)
-    def get_pod_meta(self) -> dict[str, str]:
+    def get_pod_meta(self, **kwargs) -> dict[str, str]:
        """Get common object metadata"""
-        return {
+        kwargs.update(
-            "app.kubernetes.io/name": "authentik-outpost",
+            {
-            "app.kubernetes.io/managed-by": "goauthentik.io",
+                "app.kubernetes.io/name": f"authentik-outpost-{self.outpost.type}",
-            "goauthentik.io/outpost-uuid": self.controller.outpost.uuid.hex,
+                "app.kubernetes.io/managed-by": "goauthentik.io",
-            "goauthentik.io/outpost-name": slugify(self.controller.outpost.name),
+                "goauthentik.io/outpost-uuid": self.controller.outpost.uuid.hex,
-            "goauthentik.io/outpost-type": str(self.controller.outpost.type),
+                "goauthentik.io/outpost-name": slugify(self.controller.outpost.name),
-        }
+                "goauthentik.io/outpost-type": str(self.controller.outpost.type),
            }
        )
        return kwargs
    def get_reference_object(self) -> V1Deployment:
        """Get deployment object for outpost"""
@ -77,13 +81,24 @@ class DeploymentReconciler(KubernetesObjectReconciler[V1Deployment]):
        meta = self.get_object_meta(name=self.name)
        image_name = self.controller.get_container_image()
        image_pull_secrets = self.outpost.config.kubernetes_image_pull_secrets
        version = get_full_version()
        return V1Deployment(
            metadata=meta,
            spec=V1DeploymentSpec(
                replicas=self.outpost.config.kubernetes_replicas,
                selector=V1LabelSelector(match_labels=self.get_pod_meta()),
                template=V1PodTemplateSpec(
-                    metadata=V1ObjectMeta(labels=self.get_pod_meta()),
+                    metadata=V1ObjectMeta(
                        labels=self.get_pod_meta(
                            **{
                                # Support istio-specific labels, but also use the standard k8s
                                # recommendations
                                "app.kubernetes.io/version": version,
                                "app": "authentik-outpost",
                                "version": version,
                            }
                        )
                    ),
                    spec=V1PodSpec(
                        image_pull_secrets=[
                            V1ObjectReference(name=secret) for secret in image_pull_secrets
--- a/authentik/outposts/controllers/k8s/service.py
+++ b/authentik/outposts/controllers/k8s/service.py
@ -6,6 +6,7 @@ from kubernetes.client import CoreV1Api, V1Service, V1ServicePort, V1ServiceSpec
 from authentik.outposts.controllers.base import FIELD_MANAGER
 from authentik.outposts.controllers.k8s.base import KubernetesObjectReconciler
 from authentik.outposts.controllers.k8s.deployment import DeploymentReconciler
 from authentik.outposts.controllers.k8s.triggers import NeedsUpdate
 from authentik.outposts.controllers.k8s.utils import compare_ports
 if TYPE_CHECKING:
@ -25,6 +26,8 @@ class ServiceReconciler(KubernetesObjectReconciler[V1Service]):
        # after an authentik update. However the ports might have also changed during
        # the update, so this causes the service to be re-created with higher
        # priority than being updated.
        if current.spec.selector != reference.spec.selector:
            raise NeedsUpdate()
        super().reconcile(current, reference)
    def get_reference_object(self) -> V1Service:
--- a/authentik/outposts/controllers/kubernetes.py
+++ b/authentik/outposts/controllers/kubernetes.py
@ -1,34 +1,67 @@
 """Kubernetes deployment controller"""
 from io import StringIO
 from typing import Type
 from kubernetes.client import VersionApi, VersionInfo
 from kubernetes.client.api_client import ApiClient
 from kubernetes.client.configuration import Configuration
 from kubernetes.client.exceptions import OpenApiException
 from kubernetes.config.config_exception import ConfigException
 from kubernetes.config.incluster_config import load_incluster_config
 from kubernetes.config.kube_config import load_kube_config_from_dict
 from structlog.testing import capture_logs
 from urllib3.exceptions import HTTPError
 from yaml import dump_all
-from authentik.outposts.controllers.base import BaseController, ControllerException
+from authentik.outposts.controllers.base import BaseClient, BaseController, ControllerException
 from authentik.outposts.controllers.k8s.base import KubernetesObjectReconciler
 from authentik.outposts.controllers.k8s.deployment import DeploymentReconciler
 from authentik.outposts.controllers.k8s.secret import SecretReconciler
 from authentik.outposts.controllers.k8s.service import ServiceReconciler
 from authentik.outposts.controllers.k8s.service_monitor import PrometheusServiceMonitorReconciler
-from authentik.outposts.models import KubernetesServiceConnection, Outpost, ServiceConnectionInvalid
+from authentik.outposts.models import (
    KubernetesServiceConnection,
    Outpost,
    OutpostServiceConnectionState,
    ServiceConnectionInvalid,
 )
 class KubernetesClient(ApiClient, BaseClient):
    """Custom kubernetes client based on service connection"""
    def __init__(self, connection: KubernetesServiceConnection):
        config = Configuration()
        try:
            if connection.local:
                load_incluster_config(client_configuration=config)
            else:
                load_kube_config_from_dict(connection.kubeconfig, client_configuration=config)
            super().__init__(config)
        except ConfigException as exc:
            raise ServiceConnectionInvalid from exc
    def fetch_state(self) -> OutpostServiceConnectionState:
        """Get version info"""
        try:
            api_instance = VersionApi(self)
            version: VersionInfo = api_instance.get_code()
            return OutpostServiceConnectionState(version=version.git_version, healthy=True)
        except (OpenApiException, HTTPError, ServiceConnectionInvalid):
            return OutpostServiceConnectionState(version="", healthy=False)
 class KubernetesController(BaseController):
    """Manage deployment of outpost in kubernetes"""
-    reconcilers: dict[str, Type[KubernetesObjectReconciler]]
+    reconcilers: dict[str, type[KubernetesObjectReconciler]]
    reconcile_order: list[str]
-    client: ApiClient
+    client: KubernetesClient
    connection: KubernetesServiceConnection
    def __init__(self, outpost: Outpost, connection: KubernetesServiceConnection) -> None:
        super().__init__(outpost, connection)
-        self.client = connection.client()
+        self.client = KubernetesClient(connection)
        self.reconcilers = {
            "secret": SecretReconciler,
            "deployment": DeploymentReconciler,
--- a/authentik/outposts/docker_ssh.py
+++ b/authentik/outposts/docker_ssh.py
@ -0,0 +1,82 @@
 """Docker SSH helper"""
 import os
 from pathlib import Path
 from tempfile import gettempdir
 from authentik.crypto.models import CertificateKeyPair
 HEADER = "### Managed by authentik"
 FOOTER = "### End Managed by authentik"
 def opener(path, flags):
    """File opener to create files as 700 perms"""
    return os.open(path, flags, 0o700)
 class DockerInlineSSH:
    """Create paramiko ssh config from CertificateKeyPair"""
    host: str
    keypair: CertificateKeyPair
    key_path: str
    config_path: Path
    header: str
    def __init__(self, host: str, keypair: CertificateKeyPair) -> None:
        self.host = host
        self.keypair = keypair
        self.config_path = Path("~/.ssh/config").expanduser()
        self.header = f"{HEADER} - {self.host}\n"
    def write_config(self, key_path: str) -> bool:
        """Update the local user's ssh config file"""
        with open(self.config_path, "a+", encoding="utf-8") as ssh_config:
            if self.header in ssh_config.readlines():
                return False
            ssh_config.writelines(
                [
                    self.header,
                    f"Host {self.host}\n",
                    f"    IdentityFile {key_path}\n",
                    f"{FOOTER}\n",
                    "\n",
                ]
            )
        return True
    def write_key(self):
        """Write keypair's private key to a temporary file"""
        path = Path(gettempdir(), f"{self.keypair.pk}_private.pem")
        with open(path, "w", encoding="utf8", opener=opener) as _file:
            _file.write(self.keypair.key_data)
        return str(path)
    def write(self):
        """Write keyfile and update ssh config"""
        self.key_path = self.write_key()
        was_written = self.write_config(self.key_path)
        if not was_written:
            self.cleanup()
    def cleanup(self):
        """Cleanup when we're done"""
        try:
            os.unlink(self.key_path)
            with open(self.config_path, "r+", encoding="utf-8") as ssh_config:
                start = 0
                end = 0
                lines = ssh_config.readlines()
                for idx, line in enumerate(lines):
                    if line == self.header:
                        start = idx
                    if start != 0 and line == f"{FOOTER}\n":
                        end = idx
            with open(self.config_path, "w+", encoding="utf-8") as ssh_config:
                lines = lines[:start] + lines[end + 2 :]
                ssh_config.writelines(lines)
        except OSError:
            # If we fail deleting a file it doesn't matter that much
            # since we're just in a container
            pass
--- a/authentik/outposts/docker_tls.py
+++ b/authentik/outposts/docker_tls.py
@ -1,4 +1,5 @@
 """Create Docker TLSConfig from CertificateKeyPair"""
 from os import unlink
 from pathlib import Path
 from tempfile import gettempdir
 from typing import Optional
@ -14,6 +15,8 @@ class DockerInlineTLS:
    verification_kp: Optional[CertificateKeyPair]
    authentication_kp: Optional[CertificateKeyPair]
    _paths: list[str]
    def __init__(
        self,
        verification_kp: Optional[CertificateKeyPair],
@ -21,14 +24,21 @@ class DockerInlineTLS:
    ) -> None:
        self.verification_kp = verification_kp
        self.authentication_kp = authentication_kp
        self._paths = []
    def write_file(self, name: str, contents: str) -> str:
        """Wrapper for mkstemp that uses fdopen"""
        path = Path(gettempdir(), name)
        with open(path, "w", encoding="utf8") as _file:
            _file.write(contents)
        self._paths.append(str(path))
        return str(path)
    def cleanup(self):
        """Clean up certificates when we're done"""
        for path in self._paths:
            unlink(path)
    def write(self) -> TLSConfig:
        """Create TLSConfig with Certificate Key pairs"""
        # So yes, this is quite ugly. But sadly, there is no clean way to pass
--- a/authentik/outposts/models.py
+++ b/authentik/outposts/models.py
@ -1,8 +1,7 @@
 """Outpost models"""
 from dataclasses import asdict, dataclass, field
 from datetime import datetime
-from os import environ
+from typing import Iterable, Optional
 from typing import Iterable, Optional, Union
 from uuid import uuid4
 from dacite import from_dict
@ -11,23 +10,13 @@ from django.core.cache import cache
 from django.db import IntegrityError, models, transaction
 from django.db.models.base import Model
 from django.utils.translation import gettext_lazy as _
 from docker.client import DockerClient
 from docker.errors import DockerException
 from guardian.models import UserObjectPermission
 from guardian.shortcuts import assign_perm
 from kubernetes.client import VersionApi, VersionInfo
 from kubernetes.client.api_client import ApiClient
 from kubernetes.client.configuration import Configuration
 from kubernetes.client.exceptions import OpenApiException
 from kubernetes.config.config_exception import ConfigException
 from kubernetes.config.incluster_config import load_incluster_config
 from kubernetes.config.kube_config import load_kube_config_from_dict
 from model_utils.managers import InheritanceManager
 from packaging.version import LegacyVersion, Version, parse
 from structlog.stdlib import get_logger
 from urllib3.exceptions import HTTPError
-from authentik import ENV_GIT_HASH_KEY, __version__
+from authentik import __version__, get_build_hash
 from authentik.core.models import (
    USER_ATTRIBUTE_CAN_OVERRIDE_IP,
    USER_ATTRIBUTE_SA,
@ -44,7 +33,7 @@ from authentik.lib.sentry import SentryIgnoredException
 from authentik.lib.utils.errors import exception_to_string
 from authentik.managed.models import ManagedModel
 from authentik.outposts.controllers.k8s.utils import get_namespace
-from authentik.outposts.docker_tls import DockerInlineTLS
+from authentik.tenants.models import Tenant
 OUR_VERSION = parse(__version__)
 OUTPOST_HELLO_INTERVAL = 10
@ -86,7 +75,7 @@ class OutpostConfig:
 class OutpostModel(Model):
    """Base model for providers that need more objects than just themselves"""
-    def get_required_objects(self) -> Iterable[Union[models.Model, str]]:
+    def get_required_objects(self) -> Iterable[models.Model | str]:
        """Return a list of all required objects"""
        return [self]
@ -149,10 +138,6 @@ class OutpostServiceConnection(models.Model):
            return OutpostServiceConnectionState("", False)
        return state
    def fetch_state(self) -> OutpostServiceConnectionState:
        """Fetch current Service Connection state"""
        raise NotImplementedError
    @property
    def component(self) -> str:
        """Return component used to edit this object"""
@ -210,35 +195,6 @@ class DockerServiceConnection(OutpostServiceConnection):
    def __str__(self) -> str:
        return f"Docker Service-Connection {self.name}"
    def client(self) -> DockerClient:
        """Get DockerClient"""
        try:
            client = None
            if self.local:
                client = DockerClient.from_env()
            else:
                client = DockerClient(
                    base_url=self.url,
                    tls=DockerInlineTLS(
                        verification_kp=self.tls_verification,
                        authentication_kp=self.tls_authentication,
                    ).write(),
                )
            client.containers.list()
        except DockerException as exc:
            LOGGER.warning(exc)
            raise ServiceConnectionInvalid from exc
        return client
    def fetch_state(self) -> OutpostServiceConnectionState:
        try:
            client = self.client()
            return OutpostServiceConnectionState(
                version=client.info()["ServerVersion"], healthy=True
            )
        except ServiceConnectionInvalid:
            return OutpostServiceConnectionState(version="", healthy=False)
    class Meta:
        verbose_name = _("Docker Service-Connection")
@ -265,27 +221,6 @@ class KubernetesServiceConnection(OutpostServiceConnection):
    def __str__(self) -> str:
        return f"Kubernetes Service-Connection {self.name}"
    def fetch_state(self) -> OutpostServiceConnectionState:
        try:
            client = self.client()
            api_instance = VersionApi(client)
            version: VersionInfo = api_instance.get_code()
            return OutpostServiceConnectionState(version=version.git_version, healthy=True)
        except (OpenApiException, HTTPError, ServiceConnectionInvalid):
            return OutpostServiceConnectionState(version="", healthy=False)
    def client(self) -> ApiClient:
        """Get Kubernetes client configured from kubeconfig"""
        config = Configuration()
        try:
            if self.local:
                load_incluster_config(client_configuration=config)
            else:
                load_kube_config_from_dict(self.kubeconfig, client_configuration=config)
            return ApiClient(config)
        except ConfigException as exc:
            raise ServiceConnectionInvalid from exc
    class Meta:
        verbose_name = _("Kubernetes Service-Connection")
@ -385,7 +320,8 @@ class Outpost(ManagedModel):
                    user.user_permissions.add(permission.first())
        LOGGER.debug(
            "Updated service account's permissions",
-            perms=UserObjectPermission.objects.filter(user=user),
+            obj_perms=UserObjectPermission.objects.filter(user=user),
            perms=user.user_permissions.all(),
        )
    @property
@ -438,9 +374,9 @@ class Outpost(ManagedModel):
            Token.objects.filter(identifier=self.token_identifier).delete()
            return self.token
-    def get_required_objects(self) -> Iterable[Union[models.Model, str]]:
+    def get_required_objects(self) -> Iterable[models.Model | str]:
        """Get an iterator of all objects the user needs read access to"""
-        objects: list[Union[models.Model, str]] = [
+        objects: list[models.Model | str] = [
            self,
            "authentik_events.add_event",
        ]
@ -449,6 +385,10 @@ class Outpost(ManagedModel):
                objects.extend(provider.get_required_objects())
            else:
                objects.append(provider)
        if self.managed:
            for tenant in Tenant.objects.filter(web_certificate__isnull=False):
                objects.append(tenant)
                objects.append(tenant.web_certificate)
        return objects
    def __str__(self) -> str:
@ -463,7 +403,7 @@ class OutpostState:
    channel_ids: list[str] = field(default_factory=list)
    last_seen: Optional[datetime] = field(default=None)
    version: Optional[str] = field(default=None)
-    version_should: Union[Version, LegacyVersion] = field(default=OUR_VERSION)
+    version_should: Version | LegacyVersion = field(default=OUR_VERSION)
    build_hash: str = field(default="")
    _outpost: Optional[Outpost] = field(default=None)
@ -473,7 +413,7 @@ class OutpostState:
        """Check if outpost version matches our version"""
        if not self.version:
            return False
-        if self.build_hash != environ.get(ENV_GIT_HASH_KEY, ""):
+        if self.build_hash != get_build_hash():
            return False
        return parse(self.version) < OUR_VERSION
@ -481,6 +421,8 @@ class OutpostState:
    def for_outpost(outpost: Outpost) -> list["OutpostState"]:
        """Get all states for an outpost"""
        keys = cache.keys(f"{outpost.state_cache_prefix}_*")
        if not keys:
            return []
        states = []
        for key in keys:
            instance_uid = key.replace(f"{outpost.state_cache_prefix}_", "")
--- a/authentik/outposts/signals.py
+++ b/authentik/outposts/signals.py
@ -10,6 +10,7 @@ from authentik.crypto.models import CertificateKeyPair
 from authentik.lib.utils.reflection import class_to_path
 from authentik.outposts.models import Outpost, OutpostServiceConnection
 from authentik.outposts.tasks import CACHE_KEY_OUTPOST_DOWN, outpost_controller, outpost_post_save
 from authentik.tenants.models import Tenant
 LOGGER = get_logger()
 UPDATE_TRIGGERING_MODELS = (
@ -17,6 +18,7 @@ UPDATE_TRIGGERING_MODELS = (
    OutpostServiceConnection,
    Provider,
    CertificateKeyPair,
    Tenant,
 )
--- a/authentik/outposts/tasks.py
+++ b/authentik/outposts/tasks.py
@ -25,6 +25,8 @@ from authentik.events.monitored_tasks import (
 )
 from authentik.lib.utils.reflection import path_to_class
 from authentik.outposts.controllers.base import BaseController, ControllerException
 from authentik.outposts.controllers.docker import DockerClient
 from authentik.outposts.controllers.kubernetes import KubernetesClient
 from authentik.outposts.models import (
    DockerServiceConnection,
    KubernetesServiceConnection,
@ -45,21 +47,21 @@ LOGGER = get_logger()
 CACHE_KEY_OUTPOST_DOWN = "outpost_teardown_%s"
-def controller_for_outpost(outpost: Outpost) -> Optional[BaseController]:
+def controller_for_outpost(outpost: Outpost) -> Optional[type[BaseController]]:
    """Get a controller for the outpost, when a service connection is defined"""
    if not outpost.service_connection:
        return None
    service_connection = outpost.service_connection
    if outpost.type == OutpostType.PROXY:
        if isinstance(service_connection, DockerServiceConnection):
-            return ProxyDockerController(outpost, service_connection)
+            return ProxyDockerController
        if isinstance(service_connection, KubernetesServiceConnection):
-            return ProxyKubernetesController(outpost, service_connection)
+            return ProxyKubernetesController
    if outpost.type == OutpostType.LDAP:
        if isinstance(service_connection, DockerServiceConnection):
-            return LDAPDockerController(outpost, service_connection)
+            return LDAPDockerController
        if isinstance(service_connection, KubernetesServiceConnection):
-            return LDAPKubernetesController(outpost, service_connection)
+            return LDAPKubernetesController
    return None
@ -71,7 +73,16 @@ def outpost_service_connection_state(connection_pk: Any):
    )
    if not connection:
        return
-    state = connection.fetch_state()
+    if isinstance(connection, DockerServiceConnection):
        cls = DockerClient
    if isinstance(connection, KubernetesServiceConnection):
        cls = KubernetesClient
    try:
        with cls(connection) as client:
            state = client.fetch_state()
    except ServiceConnectionInvalid as exc:
        LOGGER.warning("Failed to get client status", exc=exc)
        return
    cache.set(connection.state_key, state, timeout=None)
@ -114,14 +125,15 @@ def outpost_controller(
        return
    self.set_uid(slugify(outpost.name))
    try:
-        controller = controller_for_outpost(outpost)
+        controller_type = controller_for_outpost(outpost)
-        if not controller:
+        if not controller_type:
            return
-        logs = getattr(controller, f"{action}_with_logs")()
+        with controller_type(outpost, outpost.service_connection) as controller:
-        LOGGER.debug("---------------Outpost Controller logs starting----------------")
+            logs = getattr(controller, f"{action}_with_logs")()
-        for log in logs:
+            LOGGER.debug("---------------Outpost Controller logs starting----------------")
-            LOGGER.debug(log)
+            for log in logs:
-        LOGGER.debug("-----------------Outpost Controller logs end-------------------")
+                LOGGER.debug(log)
            LOGGER.debug("-----------------Outpost Controller logs end-------------------")
    except (ControllerException, ServiceConnectionInvalid) as exc:
        self.set_status(TaskResult(TaskResultStatus.ERROR).with_error(exc))
    else:
--- a/authentik/outposts/tests/test_controller_docker.py
+++ b/authentik/outposts/tests/test_controller_docker.py
@ -0,0 +1,124 @@
 """Docker controller tests"""
 from django.test import TestCase
 from docker.models.containers import Container
 from authentik.managed.manager import ObjectManager
 from authentik.outposts.controllers.base import ControllerException
 from authentik.outposts.controllers.docker import DockerController
 from authentik.outposts.managed import MANAGED_OUTPOST
 from authentik.outposts.models import DockerServiceConnection, Outpost, OutpostType
 from authentik.providers.proxy.controllers.docker import ProxyDockerController
 class DockerControllerTests(TestCase):
    """Docker controller tests"""
    def setUp(self) -> None:
        self.outpost = Outpost.objects.create(
            name="test",
            type=OutpostType.PROXY,
        )
        self.integration = DockerServiceConnection(name="test")
        ObjectManager().run()
    def test_init_managed(self):
        """Docker controller shouldn't do anything for managed outpost"""
        controller = DockerController(
            Outpost.objects.filter(managed=MANAGED_OUTPOST).first(), self.integration
        )
        self.assertIsNone(controller.up())
        self.assertIsNone(controller.down())
    def test_init_invalid(self):
        """Ensure init fails with invalid client"""
        with self.assertRaises(ControllerException):
            DockerController(self.outpost, self.integration)
    def test_env_valid(self):
        """Test environment check"""
        controller = DockerController(
            Outpost.objects.filter(managed=MANAGED_OUTPOST).first(), self.integration
        )
        env = [f"{key}={value}" for key, value in controller._get_env().items()]
        container = Container(attrs={"Config": {"Env": env}})
        self.assertFalse(controller._comp_env(container))
    def test_env_invalid(self):
        """Test environment check"""
        controller = DockerController(
            Outpost.objects.filter(managed=MANAGED_OUTPOST).first(), self.integration
        )
        container = Container(attrs={"Config": {"Env": []}})
        self.assertTrue(controller._comp_env(container))
    def test_label_valid(self):
        """Test label check"""
        controller = DockerController(
            Outpost.objects.filter(managed=MANAGED_OUTPOST).first(), self.integration
        )
        container = Container(attrs={"Config": {"Labels": controller._get_labels()}})
        self.assertFalse(controller._comp_labels(container))
    def test_label_invalid(self):
        """Test label check"""
        controller = DockerController(
            Outpost.objects.filter(managed=MANAGED_OUTPOST).first(), self.integration
        )
        container = Container(attrs={"Config": {"Labels": {}}})
        self.assertTrue(controller._comp_labels(container))
        container = Container(attrs={"Config": {"Labels": {"io.goauthentik.outpost-uuid": "foo"}}})
        self.assertTrue(controller._comp_labels(container))
    def test_port_valid(self):
        """Test port check"""
        controller = ProxyDockerController(
            Outpost.objects.filter(managed=MANAGED_OUTPOST).first(), self.integration
        )
        container = Container(
            attrs={
                "NetworkSettings": {
                    "Ports": {
                        "9000/tcp": [{"HostIp": "", "HostPort": "9000"}],
                        "9443/tcp": [{"HostIp": "", "HostPort": "9443"}],
                    }
                },
                "State": "",
            }
        )
        with self.settings(TEST=False):
            self.assertFalse(controller._comp_ports(container))
            container.attrs["State"] = "running"
            self.assertFalse(controller._comp_ports(container))
    def test_port_invalid(self):
        """Test port check"""
        controller = ProxyDockerController(
            Outpost.objects.filter(managed=MANAGED_OUTPOST).first(), self.integration
        )
        container_no_ports = Container(
            attrs={"NetworkSettings": {"Ports": None}, "State": "running"}
        )
        container_missing_port = Container(
            attrs={
                "NetworkSettings": {
                    "Ports": {
                        "9443/tcp": [{"HostIp": "", "HostPort": "9443"}],
                    }
                },
                "State": "running",
            }
        )
        container_mismatched_host = Container(
            attrs={
                "NetworkSettings": {
                    "Ports": {
                        "9443/tcp": [{"HostIp": "", "HostPort": "123"}],
                    }
                },
                "State": "running",
            }
        )
        with self.settings(TEST=False):
            self.assertFalse(controller._comp_ports(container_no_ports))
            self.assertTrue(controller._comp_ports(container_missing_port))
            self.assertTrue(controller._comp_ports(container_mismatched_host))
--- a/authentik/policies/engine.py
+++ b/authentik/policies/engine.py
@ -5,7 +5,7 @@ from typing import Iterator, Optional
 from django.core.cache import cache
 from django.http import HttpRequest
-from prometheus_client import Histogram
+from prometheus_client import Gauge, Histogram
 from sentry_sdk.hub import Hub
 from sentry_sdk.tracing import Span
 from structlog.stdlib import BoundLogger, get_logger
@ -14,13 +14,11 @@ from authentik.core.models import User
 from authentik.policies.models import Policy, PolicyBinding, PolicyBindingModel, PolicyEngineMode
 from authentik.policies.process import PolicyProcess, cache_key
 from authentik.policies.types import PolicyRequest, PolicyResult
 from authentik.root.monitoring import UpdatingGauge
 CURRENT_PROCESS = current_process()
-GAUGE_POLICIES_CACHED = UpdatingGauge(
+GAUGE_POLICIES_CACHED = Gauge(
    "authentik_policies_cached",
    "Cached Policies",
    update_func=lambda: len(cache.keys("policy_*") or []),
 )
 HIST_POLICIES_BUILD_TIME = Histogram(
    "authentik_policies_build_time",
--- a/authentik/policies/password/api.py
+++ b/authentik/policies/password/api.py
@ -13,6 +13,7 @@ class PasswordPolicySerializer(PolicySerializer):
        model = PasswordPolicy
        fields = PolicySerializer.Meta.fields + [
            "password_field",
            "amount_digits",
            "amount_uppercase",
            "amount_lowercase",
            "amount_symbols",
--- a/authentik/policies/password/migrations/0003_passwordpolicy_amount_digits.py
+++ b/authentik/policies/password/migrations/0003_passwordpolicy_amount_digits.py
@ -0,0 +1,38 @@
 # Generated by Django 4.0 on 2021-12-18 14:54
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_policies_password", "0002_passwordpolicy_password_field"),
    ]
    operations = [
        migrations.AddField(
            model_name="passwordpolicy",
            name="amount_digits",
            field=models.PositiveIntegerField(default=0),
        ),
        migrations.AlterField(
            model_name="passwordpolicy",
            name="amount_lowercase",
            field=models.PositiveIntegerField(default=0),
        ),
        migrations.AlterField(
            model_name="passwordpolicy",
            name="amount_symbols",
            field=models.PositiveIntegerField(default=0),
        ),
        migrations.AlterField(
            model_name="passwordpolicy",
            name="amount_uppercase",
            field=models.PositiveIntegerField(default=0),
        ),
        migrations.AlterField(
            model_name="passwordpolicy",
            name="length_min",
            field=models.PositiveIntegerField(default=0),
        ),
    ]
--- a/authentik/policies/password/models.py
+++ b/authentik/policies/password/models.py
@ -13,6 +13,7 @@ from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
 LOGGER = get_logger()
 RE_LOWER = re.compile("[a-z]")
 RE_UPPER = re.compile("[A-Z]")
 RE_DIGITS = re.compile("[0-9]")
 class PasswordPolicy(Policy):
@ -23,10 +24,11 @@ class PasswordPolicy(Policy):
        help_text=_("Field key to check, field keys defined in Prompt stages are available."),
    )
-    amount_uppercase = models.IntegerField(default=0)
+    amount_digits = models.PositiveIntegerField(default=0)
-    amount_lowercase = models.IntegerField(default=0)
+    amount_uppercase = models.PositiveIntegerField(default=0)
-    amount_symbols = models.IntegerField(default=0)
+    amount_lowercase = models.PositiveIntegerField(default=0)
-    length_min = models.IntegerField(default=0)
+    amount_symbols = models.PositiveIntegerField(default=0)
    length_min = models.PositiveIntegerField(default=0)
    symbol_charset = models.TextField(default=r"!\"#$%&'()*+,-./:;<=>?@[\]^_`{|}~ ")
    error_message = models.TextField()
@ -40,6 +42,7 @@ class PasswordPolicy(Policy):
    def component(self) -> str:
        return "ak-policy-password-form"
    # pylint: disable=too-many-return-statements
    def passes(self, request: PolicyRequest) -> PolicyResult:
        if (
            self.password_field not in request.context
@ -62,6 +65,9 @@ class PasswordPolicy(Policy):
            LOGGER.debug("password failed", reason="length")
            return PolicyResult(False, self.error_message)
        if self.amount_digits > 0 and len(RE_DIGITS.findall(password)) < self.amount_digits:
            LOGGER.debug("password failed", reason="amount_digits")
            return PolicyResult(False, self.error_message)
        if self.amount_lowercase > 0 and len(RE_LOWER.findall(password)) < self.amount_lowercase:
            LOGGER.debug("password failed", reason="amount_lowercase")
            return PolicyResult(False, self.error_message)
--- a/authentik/policies/password/tests/test_flows.py
+++ b/authentik/policies/password/tests/test_flows.py
@ -1,16 +1,14 @@
 """Password flow tests"""
 from django.urls.base import reverse
 from django.utils.encoding import force_str
 from rest_framework.test import APITestCase
 from authentik.core.models import User
 from authentik.flows.challenge import ChallengeTypes
 from authentik.flows.models import Flow, FlowDesignation, FlowStageBinding
 from authentik.flows.tests import FlowTestCase
 from authentik.policies.password.models import PasswordPolicy
 from authentik.stages.prompt.models import FieldTypes, Prompt, PromptStage
-class TestPasswordPolicyFlow(APITestCase):
+class TestPasswordPolicyFlow(FlowTestCase):
    """Test Password Policy"""
    def setUp(self) -> None:
@ -53,29 +51,22 @@ class TestPasswordPolicyFlow(APITestCase):
            {"password": "akadmin"},
        )
        self.assertEqual(response.status_code, 200)
-        self.assertJSONEqual(
+        self.assertStageResponse(
-            force_str(response.content),
+            response,
-            {
+            self.flow,
-                "component": "ak-stage-prompt",
+            component="ak-stage-prompt",
-                "fields": [
+            fields=[
-                    {
+                {
-                        "field_key": "password",
+                    "field_key": "password",
-                        "label": "PASSWORD_LABEL",
+                    "label": "PASSWORD_LABEL",
-                        "order": 0,
+                    "order": 0,
-                        "placeholder": "PASSWORD_PLACEHOLDER",
+                    "placeholder": "PASSWORD_PLACEHOLDER",
-                        "required": True,
+                    "required": True,
-                        "type": "password",
+                    "type": "password",
-                        "sub_text": "",
+                    "sub_text": "",
-                    }
+                }
-                ],
+            ],
-                "flow_info": {
+            response_errors={
-                    "background": self.flow.background_url,
+                "non_field_errors": [{"code": "invalid", "string": self.policy.error_message}]
                    "cancel_url": reverse("authentik_flows:cancel"),
                    "title": "",
                },
                "response_errors": {
                    "non_field_errors": [{"code": "invalid", "string": self.policy.error_message}]
                },
                "type": ChallengeTypes.NATIVE.value,
            },
        )
--- a/authentik/policies/password/tests/test_policy.py
+++ b/authentik/policies/password/tests/test_policy.py
@ -13,6 +13,7 @@ class TestPasswordPolicy(TestCase):
    def setUp(self) -> None:
        self.policy = PasswordPolicy.objects.create(
            name="test_false",
            amount_digits=1,
            amount_uppercase=1,
            amount_lowercase=2,
            amount_symbols=3,
@ -38,7 +39,7 @@ class TestPasswordPolicy(TestCase):
    def test_failed_lowercase(self):
        """not enough lowercase"""
        request = PolicyRequest(get_anonymous_user())
-        request.context["password"] = "TTTTTTTTTTTTTTTTTTTTTTTe"  # nosec
+        request.context["password"] = "1TTTTTTTTTTTTTTTTTTTTTTe"  # nosec
        result: PolicyResult = self.policy.passes(request)
        self.assertFalse(result.passing)
        self.assertEqual(result.messages, ("test message",))
@ -46,15 +47,23 @@ class TestPasswordPolicy(TestCase):
    def test_failed_uppercase(self):
        """not enough uppercase"""
        request = PolicyRequest(get_anonymous_user())
-        request.context["password"] = "tttttttttttttttttttttttE"  # nosec
+        request.context["password"] = "1tttttttttttttttttttttE"  # nosec
        result: PolicyResult = self.policy.passes(request)
        self.assertFalse(result.passing)
        self.assertEqual(result.messages, ("test message",))
    def test_failed_symbols(self):
-        """not enough uppercase"""
+        """not enough symbols"""
        request = PolicyRequest(get_anonymous_user())
-        request.context["password"] = "TETETETETETETETETETETETETe!!!"  # nosec
+        request.context["password"] = "1ETETETETETETETETETETETETe!!!"  # nosec
        result: PolicyResult = self.policy.passes(request)
        self.assertFalse(result.passing)
        self.assertEqual(result.messages, ("test message",))
    def test_failed_digits(self):
        """not enough digits"""
        request = PolicyRequest(get_anonymous_user())
        request.context["password"] = "TETETETETETETETETETETE1e!!!"  # nosec
        result: PolicyResult = self.policy.passes(request)
        self.assertFalse(result.passing)
        self.assertEqual(result.messages, ("test message",))
@ -62,7 +71,7 @@ class TestPasswordPolicy(TestCase):
    def test_true(self):
        """Positive password case"""
        request = PolicyRequest(get_anonymous_user())
-        request.context["password"] = generate_key() + "ee!!!"  # nosec
+        request.context["password"] = generate_key() + "1ee!!!"  # nosec
        result: PolicyResult = self.policy.passes(request)
        self.assertTrue(result.passing)
        self.assertEqual(result.messages, tuple())
--- a/authentik/policies/reputation/api.py
+++ b/authentik/policies/reputation/api.py
@ -1,11 +1,11 @@
-"""Source API Views"""
+"""Reputation policy API Views"""
 from rest_framework import mixins
 from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet, ModelViewSet
 from authentik.core.api.used_by import UsedByMixin
 from authentik.policies.api.policies import PolicySerializer
-from authentik.policies.reputation.models import IPReputation, ReputationPolicy, UserReputation
+from authentik.policies.reputation.models import Reputation, ReputationPolicy
 class ReputationPolicySerializer(PolicySerializer):
@ -29,59 +29,32 @@ class ReputationPolicyViewSet(UsedByMixin, ModelViewSet):
    ordering = ["name"]
-class IPReputationSerializer(ModelSerializer):
+class ReputationSerializer(ModelSerializer):
-    """IPReputation Serializer"""
+    """Reputation Serializer"""
    class Meta:
-        model = IPReputation
+        model = Reputation
        fields = [
            "pk",
            "identifier",
            "ip",
            "ip_geo_data",
            "score",
            "updated",
        ]
-class IPReputationViewSet(
+class ReputationViewSet(
    mixins.RetrieveModelMixin,
    mixins.DestroyModelMixin,
    UsedByMixin,
    mixins.ListModelMixin,
    GenericViewSet,
 ):
-    """IPReputation Viewset"""
+    """Reputation Viewset"""
-    queryset = IPReputation.objects.all()
+    queryset = Reputation.objects.all()
-    serializer_class = IPReputationSerializer
+    serializer_class = ReputationSerializer
-    search_fields = ["ip", "score"]
+    search_fields = ["identifier", "ip", "score"]
-    filterset_fields = ["ip", "score"]
+    filterset_fields = ["identifier", "ip", "score"]
    ordering = ["ip"]
 class UserReputationSerializer(ModelSerializer):
    """UserReputation Serializer"""
    class Meta:
        model = UserReputation
        fields = [
            "pk",
            "username",
            "score",
            "updated",
        ]
 class UserReputationViewSet(
    mixins.RetrieveModelMixin,
    mixins.DestroyModelMixin,
    UsedByMixin,
    mixins.ListModelMixin,
    GenericViewSet,
 ):
    """UserReputation Viewset"""
    queryset = UserReputation.objects.all()
    serializer_class = UserReputationSerializer
    search_fields = ["username", "score"]
    filterset_fields = ["username", "score"]
    ordering = ["username"]
--- a/authentik/policies/reputation/apps.py
+++ b/authentik/policies/reputation/apps.py
@ -13,3 +13,4 @@ class AuthentikPolicyReputationConfig(AppConfig):
    def ready(self):
        import_module("authentik.policies.reputation.signals")
        import_module("authentik.policies.reputation.tasks")
--- a/authentik/policies/reputation/migrations/0003_reputation_delete_ipreputation_delete_userreputation.py
+++ b/authentik/policies/reputation/migrations/0003_reputation_delete_ipreputation_delete_userreputation.py
@ -0,0 +1,40 @@
 # Generated by Django 4.0.1 on 2022-01-05 18:56
 import uuid
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_policies_reputation", "0002_auto_20210529_2046"),
    ]
    operations = [
        migrations.CreateModel(
            name="Reputation",
            fields=[
                (
                    "reputation_uuid",
                    models.UUIDField(
                        default=uuid.uuid4, primary_key=True, serialize=False, unique=True
                    ),
                ),
                ("identifier", models.TextField()),
                ("ip", models.GenericIPAddressField()),
                ("ip_geo_data", models.JSONField(default=dict)),
                ("score", models.BigIntegerField(default=0)),
                ("updated", models.DateTimeField(auto_now_add=True)),
            ],
            options={
                "unique_together": {("identifier", "ip")},
            },
        ),
        migrations.DeleteModel(
            name="IPReputation",
        ),
        migrations.DeleteModel(
            name="UserReputation",
        ),
    ]
--- a/authentik/policies/reputation/models.py
+++ b/authentik/policies/reputation/models.py
@ -1,17 +1,20 @@
 """authentik reputation request policy"""
-from django.core.cache import cache
+from uuid import uuid4
 from django.db import models
 from django.db.models import Sum
 from django.db.models.query_utils import Q
 from django.utils.translation import gettext as _
 from rest_framework.serializers import BaseSerializer
 from structlog import get_logger
 from authentik.lib.models import SerializerModel
 from authentik.lib.utils.http import get_client_ip
 from authentik.policies.models import Policy
 from authentik.policies.types import PolicyRequest, PolicyResult
 LOGGER = get_logger()
-CACHE_KEY_IP_PREFIX = "authentik_reputation_ip_"
+CACHE_KEY_PREFIX = "goauthentik.io/policies/reputation/scores/"
 CACHE_KEY_USER_PREFIX = "authentik_reputation_user_"
 class ReputationPolicy(Policy):
@ -33,20 +36,22 @@ class ReputationPolicy(Policy):
    def passes(self, request: PolicyRequest) -> PolicyResult:
        remote_ip = get_client_ip(request.http_request)
-        passing = False
+        query = Q()
        if self.check_ip:
-            score = cache.get_or_set(CACHE_KEY_IP_PREFIX + remote_ip, 0)
+            query |= Q(ip=remote_ip)
            passing += passing or score <= self.threshold
            LOGGER.debug("Score for IP", ip=remote_ip, score=score, passing=passing)
        if self.check_username:
-            score = cache.get_or_set(CACHE_KEY_USER_PREFIX + request.user.username, 0)
+            query |= Q(identifier=request.user.username)
-            passing += passing or score <= self.threshold
+        score = (
-            LOGGER.debug(
+            Reputation.objects.filter(query).aggregate(total_score=Sum("score"))["total_score"] or 0
-                "Score for Username",
+        )
-                username=request.user.username,
+        passing = score <= self.threshold
-                score=score,
+        LOGGER.debug(
-                passing=passing,
+            "Score for user",
-            )
+            username=request.user.username,
            remote_ip=remote_ip,
            score=score,
            passing=passing,
        )
        return PolicyResult(bool(passing))
    class Meta:
@ -55,23 +60,27 @@ class ReputationPolicy(Policy):
        verbose_name_plural = _("Reputation Policies")
-class IPReputation(models.Model):
+class Reputation(SerializerModel):
-    """Store score coming from the same IP"""
+    """Reputation for user and or IP."""
-    ip = models.GenericIPAddressField(unique=True)
+    reputation_uuid = models.UUIDField(primary_key=True, unique=True, default=uuid4)
    score = models.IntegerField(default=0)
    updated = models.DateTimeField(auto_now=True)
-    def __str__(self):
+    identifier = models.TextField()
-        return f"IPReputation for {self.ip} @ {self.score}"
+    ip = models.GenericIPAddressField()
    ip_geo_data = models.JSONField(default=dict)
    score = models.BigIntegerField(default=0)
    updated = models.DateTimeField(auto_now_add=True)
-class UserReputation(models.Model):
+    @property
-    """Store score attempting to log in as the same username"""
+    def serializer(self) -> BaseSerializer:
        from authentik.policies.reputation.api import ReputationSerializer
-    username = models.TextField()
+        return ReputationSerializer
    score = models.IntegerField(default=0)
    updated = models.DateTimeField(auto_now=True)
-    def __str__(self):
+    def __str__(self) -> str:
-        return f"UserReputation for {self.username} @ {self.score}"
+        return f"Reputation {self.identifier}/{self.ip} @ {self.score}"
    class Meta:
        unique_together = ("identifier", "ip")
--- a/authentik/policies/reputation/settings.py
+++ b/authentik/policies/reputation/settings.py
@ -2,13 +2,8 @@
 from celery.schedules import crontab
 CELERY_BEAT_SCHEDULE = {
-    "policies_reputation_ip_save": {
+    "policies_reputation_save": {
-        "task": "authentik.policies.reputation.tasks.save_ip_reputation",
+        "task": "authentik.policies.reputation.tasks.save_reputation",
        "schedule": crontab(minute="*/5"),
        "options": {"queue": "authentik_scheduled"},
    },
    "policies_reputation_user_save": {
        "task": "authentik.policies.reputation.tasks.save_user_reputation",
        "schedule": crontab(minute="*/5"),
        "options": {"queue": "authentik_scheduled"},
    },
--- a/authentik/policies/reputation/signals.py
+++ b/authentik/policies/reputation/signals.py
@ -7,28 +7,32 @@ from structlog.stdlib import get_logger
 from authentik.lib.config import CONFIG
 from authentik.lib.utils.http import get_client_ip
-from authentik.policies.reputation.models import CACHE_KEY_IP_PREFIX, CACHE_KEY_USER_PREFIX
+from authentik.policies.reputation.models import CACHE_KEY_PREFIX
 from authentik.policies.reputation.tasks import save_reputation
 from authentik.stages.identification.signals import identification_failed
 LOGGER = get_logger()
 CACHE_TIMEOUT = int(CONFIG.y("redis.cache_timeout_reputation"))
-def update_score(request: HttpRequest, username: str, amount: int):
+def update_score(request: HttpRequest, identifier: str, amount: int):
    """Update score for IP and User"""
    remote_ip = get_client_ip(request)
    try:
        # We only update the cache here, as its faster than writing to the DB
-        cache.get_or_set(CACHE_KEY_IP_PREFIX + remote_ip, 0, CACHE_TIMEOUT)
+        score = cache.get_or_set(
-        cache.incr(CACHE_KEY_IP_PREFIX + remote_ip, amount)
+            CACHE_KEY_PREFIX + remote_ip + identifier,
-
+            {"ip": remote_ip, "identifier": identifier, "score": 0},
-        cache.get_or_set(CACHE_KEY_USER_PREFIX + username, 0, CACHE_TIMEOUT)
+            CACHE_TIMEOUT,
-        cache.incr(CACHE_KEY_USER_PREFIX + username, amount)
+        )
        score["score"] += amount
        cache.set(CACHE_KEY_PREFIX + remote_ip + identifier, score)
    except ValueError as exc:
        LOGGER.warning("failed to set reputation", exc=exc)
-    LOGGER.debug("Updated score", amount=amount, for_user=username, for_ip=remote_ip)
+    LOGGER.debug("Updated score", amount=amount, for_user=identifier, for_ip=remote_ip)
    save_reputation.delay()
@receiver(user_login_failed)
--- a/authentik/policies/reputation/tasks.py
+++ b/authentik/policies/reputation/tasks.py
@ -2,14 +2,15 @@
 from django.core.cache import cache
 from structlog.stdlib import get_logger
 from authentik.events.geo import GEOIP_READER
 from authentik.events.monitored_tasks import (
    MonitoredTask,
    TaskResult,
    TaskResultStatus,
    prefill_task,
 )
-from authentik.policies.reputation.models import IPReputation, UserReputation
+from authentik.policies.reputation.models import Reputation
-from authentik.policies.reputation.signals import CACHE_KEY_IP_PREFIX, CACHE_KEY_USER_PREFIX
+from authentik.policies.reputation.signals import CACHE_KEY_PREFIX
 from authentik.root.celery import CELERY_APP
 LOGGER = get_logger()
@ -17,29 +18,16 @@ LOGGER = get_logger()
@CELERY_APP.task(bind=True, base=MonitoredTask)
@prefill_task
-def save_ip_reputation(self: MonitoredTask):
+def save_reputation(self: MonitoredTask):
    """Save currently cached reputation to database"""
    objects_to_update = []
-    for key, score in cache.get_many(cache.keys(CACHE_KEY_IP_PREFIX + "*")).items():
+    for _, score in cache.get_many(cache.keys(CACHE_KEY_PREFIX + "*")).items():
-        remote_ip = key.replace(CACHE_KEY_IP_PREFIX, "")
+        rep, _ = Reputation.objects.get_or_create(
-        rep, _ = IPReputation.objects.get_or_create(ip=remote_ip)
+            ip=score["ip"],
-        rep.score = score
+            identifier=score["identifier"],
        )
        rep.ip_geo_data = GEOIP_READER.city_dict(score["ip"]) or {}
        rep.score = score["score"]
        objects_to_update.append(rep)
-    IPReputation.objects.bulk_update(objects_to_update, ["score"])
+    Reputation.objects.bulk_update(objects_to_update, ["score", "ip_geo_data"])
-    self.set_status(TaskResult(TaskResultStatus.SUCCESSFUL, ["Successfully updated IP Reputation"]))
+    self.set_status(TaskResult(TaskResultStatus.SUCCESSFUL, ["Successfully updated Reputation"]))
@CELERY_APP.task(bind=True, base=MonitoredTask)
@prefill_task
 def save_user_reputation(self: MonitoredTask):
    """Save currently cached reputation to database"""
    objects_to_update = []
    for key, score in cache.get_many(cache.keys(CACHE_KEY_USER_PREFIX + "*")).items():
        username = key.replace(CACHE_KEY_USER_PREFIX, "")
        rep, _ = UserReputation.objects.get_or_create(username=username)
        rep.score = score
        objects_to_update.append(rep)
    UserReputation.objects.bulk_update(objects_to_update, ["score"])
    self.set_status(
        TaskResult(TaskResultStatus.SUCCESSFUL, ["Successfully updated User Reputation"])
    )
--- a/authentik/policies/reputation/tests.py
+++ b/authentik/policies/reputation/tests.py
@ -4,15 +4,8 @@ from django.core.cache import cache
 from django.test import RequestFactory, TestCase
 from authentik.core.models import User
-from authentik.lib.utils.http import DEFAULT_IP
+from authentik.policies.reputation.models import CACHE_KEY_PREFIX, Reputation, ReputationPolicy
-from authentik.policies.reputation.models import (
+from authentik.policies.reputation.tasks import save_reputation
    CACHE_KEY_IP_PREFIX,
    CACHE_KEY_USER_PREFIX,
    IPReputation,
    ReputationPolicy,
    UserReputation,
 )
 from authentik.policies.reputation.tasks import save_ip_reputation, save_user_reputation
 from authentik.policies.types import PolicyRequest
@ -24,9 +17,8 @@ class TestReputationPolicy(TestCase):
        self.request = self.request_factory.get("/")
        self.test_ip = "127.0.0.1"
        self.test_username = "test"
-        cache.delete(CACHE_KEY_IP_PREFIX + self.test_ip)
+        keys = cache.keys(CACHE_KEY_PREFIX + "*")
-        cache.delete(CACHE_KEY_IP_PREFIX + DEFAULT_IP)
+        cache.delete_many(keys)
        cache.delete(CACHE_KEY_USER_PREFIX + self.test_username)
        # We need a user for the one-to-one in userreputation
        self.user = User.objects.create(username=self.test_username)
@ -35,20 +27,26 @@ class TestReputationPolicy(TestCase):
        # Trigger negative reputation
        authenticate(self.request, username=self.test_username, password=self.test_username)
        # Test value in cache
-        self.assertEqual(cache.get(CACHE_KEY_IP_PREFIX + self.test_ip), -1)
+        self.assertEqual(
            cache.get(CACHE_KEY_PREFIX + self.test_ip + self.test_username),
            {"ip": "127.0.0.1", "identifier": "test", "score": -1},
        )
        # Save cache and check db values
-        save_ip_reputation.delay().get()
+        save_reputation.delay().get()
-        self.assertEqual(IPReputation.objects.get(ip=self.test_ip).score, -1)
+        self.assertEqual(Reputation.objects.get(ip=self.test_ip).score, -1)
    def test_user_reputation(self):
        """test User reputation"""
        # Trigger negative reputation
        authenticate(self.request, username=self.test_username, password=self.test_username)
        # Test value in cache
-        self.assertEqual(cache.get(CACHE_KEY_USER_PREFIX + self.test_username), -1)
+        self.assertEqual(
            cache.get(CACHE_KEY_PREFIX + self.test_ip + self.test_username),
            {"ip": "127.0.0.1", "identifier": "test", "score": -1},
        )
        # Save cache and check db values
-        save_user_reputation.delay().get()
+        save_reputation.delay().get()
-        self.assertEqual(UserReputation.objects.get(username=self.test_username).score, -1)
+        self.assertEqual(Reputation.objects.get(identifier=self.test_username).score, -1)
    def test_policy(self):
        """Test Policy"""
--- a/Show More
+++ b/Show More