release: 2021.5.4

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2021.3.3
+current_version = 2021.5.4
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\-?(?P<release>.*)
@@ -19,20 +19,18 @@ values =
 
 [bumpversion:file:website/docs/installation/docker-compose.md]
 
-[bumpversion:file:website/docs/installation/kubernetes.md]
-
 [bumpversion:file:docker-compose.yml]
 
-[bumpversion:file:helm/values.yaml]
-
-[bumpversion:file:helm/README.md]
-
-[bumpversion:file:helm/Chart.yaml]
-
 [bumpversion:file:.github/workflows/release.yml]
 
 [bumpversion:file:authentik/__init__.py]
 
+[bumpversion:file:internal/constants/constants.go]
+
 [bumpversion:file:outpost/pkg/version.go]
 
 [bumpversion:file:web/src/constants.ts]
+
+[bumpversion:file:website/docs/outposts/manual-deploy-docker-compose.md]
+
+[bumpversion:file:website/docs/outposts/manual-deploy-kubernetes.md]

.github/codecov.yml

@@ -0,0 +1,3 @@
+coverage:
+  precision: 2
+  round: up

.github/dependabot.yml

@@ -1,5 +1,13 @@
 version: 2
 updates:
+- package-ecosystem: "github-actions"
+  directory: "/"
+  schedule:
+    interval: daily
+    time: "04:00"
+  open-pull-requests-limit: 10
+  assignees:
+  - BeryJu
 - package-ecosystem: gomod
   directory: "/outpost"
   schedule:

.github/workflows/release.yml

@@ -3,32 +3,49 @@ name: authentik-on-release
 on:
   release:
     types: [published, created]
+  push:
+    branches:
+      - version-*
 
 jobs:
   # Build
   build-server:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v1
+      - uses: actions/checkout@v2
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v1.1.0
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
       - name: Docker Login Registry
-        env:
-          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
-        run: docker login -u $DOCKER_USERNAME -p $DOCKER_PASSWORD
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v1
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: prepare ts api client
+        run: |
+          docker run --rm -v $(pwd):/local openapitools/openapi-generator-cli generate -i /local/swagger.yaml -g typescript-fetch -o /local/web/api --additional-properties=typescriptThreePlus=true,supportsES6=true,npmName=authentik-api,npmVersion=1.0.0
       - name: Building Docker Image
-        run: docker build
-          --no-cache
-          -t beryju/authentik:2021.3.3
-          -t beryju/authentik:latest
-          -f Dockerfile .
-      - name: Push Docker Container to Registry (versioned)
-        run: docker push beryju/authentik:2021.3.3
-      - name: Push Docker Container to Registry (latest)
-        run: docker push beryju/authentik:latest
+        uses: docker/build-push-action@v2
+        with:
+          push: ${{ github.event_name == 'release' }}
+          tags: |
+            beryju/authentik:2021.5.4,
+            beryju/authentik:latest,
+            ghcr.io/goauthentik/server:2021.5.4,
+            ghcr.io/goauthentik/server:latest
+          platforms: linux/amd64,linux/arm64
+          context: .
   build-proxy:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v1
+      - uses: actions/checkout@v2
       - uses: actions/setup-go@v2
         with:
           go-version: "^1.15"
@@ -37,53 +54,83 @@ jobs:
           cd outpost
           go get -u github.com/go-swagger/go-swagger/cmd/swagger
           swagger generate client -f ../swagger.yaml -A authentik -t pkg/
-          go build -v .
+          go build -v ./cmd/proxy/server.go
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v1.1.0
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
       - name: Docker Login Registry
-        env:
-          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
-        run: docker login -u $DOCKER_USERNAME -p $DOCKER_PASSWORD
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v1
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
       - name: Building Docker Image
-        run: |
-          cd outpost/
-          docker build \
-          --no-cache \
-          -t beryju/authentik-proxy:2021.3.3 \
-          -t beryju/authentik-proxy:latest \
-          -f proxy.Dockerfile .
-      - name: Push Docker Container to Registry (versioned)
-        run: docker push beryju/authentik-proxy:2021.3.3
-      - name: Push Docker Container to Registry (latest)
-        run: docker push beryju/authentik-proxy:latest
-  build-static:
+        uses: docker/build-push-action@v2
+        with:
+          push: ${{ github.event_name == 'release' }}
+          tags: |
+            beryju/authentik-proxy:2021.5.4,
+            beryju/authentik-proxy:latest,
+            ghcr.io/goauthentik/proxy:2021.5.4,
+            ghcr.io/goauthentik/proxy:latest
+          context: outpost/
+          file: outpost/proxy.Dockerfile
+          platforms: linux/amd64,linux/arm64
+  build-ldap:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v1
-      - name: Docker Login Registry
-        env:
-          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
-        run: docker login -u $DOCKER_USERNAME -p $DOCKER_PASSWORD
-      - name: Building Docker Image
+      - uses: actions/checkout@v2
+      - uses: actions/setup-go@v2
+        with:
+          go-version: "^1.15"
+      - name: prepare go api client
         run: |
-          cd web/
-          docker build \
-          --no-cache \
-          -t beryju/authentik-static:2021.3.3 \
-          -t beryju/authentik-static:latest \
-          -f Dockerfile .
-      - name: Push Docker Container to Registry (versioned)
-        run: docker push beryju/authentik-static:2021.3.3
-      - name: Push Docker Container to Registry (latest)
-        run: docker push beryju/authentik-static:latest
+          cd outpost
+          go get -u github.com/go-swagger/go-swagger/cmd/swagger
+          swagger generate client -f ../swagger.yaml -A authentik -t pkg/
+          go build -v ./cmd/ldap/server.go
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v1.1.0
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+      - name: Docker Login Registry
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v1
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Building Docker Image
+        uses: docker/build-push-action@v2
+        with:
+          push: ${{ github.event_name == 'release' }}
+          tags: |
+            beryju/authentik-ldap:2021.5.4,
+            beryju/authentik-ldap:latest,
+            ghcr.io/goauthentik/ldap:2021.5.4,
+            ghcr.io/goauthentik/ldap:latest
+          context: outpost/
+          file: outpost/ldap.Dockerfile
+          platforms: linux/amd64,linux/arm64
   test-release:
+    if: ${{ github.event_name == 'release' }}
     needs:
       - build-server
-      - build-static
       - build-proxy
+      - build-ldap
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v1
+      - uses: actions/checkout@v2
       - name: Run test suite in final docker images
         run: |
           sudo apt-get install -y pwgen
@@ -92,20 +139,21 @@ jobs:
           docker-compose pull -q
           docker-compose up --no-start
           docker-compose start postgresql redis
-          docker-compose run -u root --entrypoint /bin/bash server -c "pip install --no-cache -r requirements-dev.txt && ./manage.py test authentik"
+          docker-compose run -u root --entrypoint /bin/bash server -c "apt-get update && apt-get install -y --no-install-recommends git && pip install --no-cache -r requirements-dev.txt && ./manage.py test authentik"
   sentry-release:
+    if: ${{ github.event_name == 'release' }}
     needs:
       - test-release
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v1
+      - uses: actions/checkout@v2
       - name: Create a Sentry.io release
-        uses: tclindner/sentry-releases-action@v1.2.0
+        uses: getsentry/action-release@v1
         env:
           SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
           SENTRY_ORG: beryjuorg
           SENTRY_PROJECT: authentik
           SENTRY_URL: https://sentry.beryju.org
         with:
-          tagName: 2021.3.3
+          version: authentik@2021.5.4
           environment: beryjuorg-prod

.github/workflows/tag.yml

@@ -10,7 +10,10 @@ jobs:
     name: Create Release from Tag
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@master
+      - uses: actions/checkout@v2
+      - name: prepare ts api client
+        run: |
+          docker run --rm -v $(pwd):/local openapitools/openapi-generator-cli generate -i /local/swagger.yaml -g typescript-fetch -o /local/web/api --additional-properties=typescriptThreePlus=true,supportsES6=true,npmName=authentik-api,npmVersion=1.0.0
       - name: Pre-release test
         run: |
           sudo apt-get install -y pwgen
@@ -24,26 +27,17 @@ jobs:
             -f Dockerfile .
           docker-compose up --no-start
           docker-compose start postgresql redis
-          docker-compose run -u root --entrypoint /bin/bash server -c "pip install --no-cache -r requirements-dev.txt && ./manage.py test authentik"
-      - name: Install Helm
-        run: |
-          apt update && apt install -y curl
-          curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash
-      - name: Helm package
-        run: |
-          helm dependency update helm/
-          helm package helm/
-          mv authentik-*.tgz authentik-chart.tgz
+          docker-compose run -u root --entrypoint /bin/bash server -c "apt-get update && apt-get install -y --no-install-recommends git && pip install --no-cache -r requirements-dev.txt && ./manage.py test authentik"
       - name: Extract version number
         id: get_version
-        uses: actions/github-script@0.2.0
+        uses: actions/github-script@v4.0.2
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
             return context.payload.ref.replace(/\/refs\/tags\/version\//, '');
       - name: Create Release
         id: create_release
-        uses: actions/create-release@v1.0.0
+        uses: actions/create-release@v1.1.4
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
@@ -51,13 +45,3 @@ jobs:
           release_name: Release ${{ steps.get_version.outputs.result }}
           draft: true
           prerelease: false
-      - name: Upload packaged Helm Chart
-        id: upload-release-asset
-        uses: actions/upload-release-asset@v1.0.1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: ${{ steps.create_release.outputs.upload_url }}
-          asset_path: ./authentik-chart.tgz
-          asset_name: authentik-chart.tgz
-          asset_content_type: application/gzip

.gitignore

@@ -202,3 +202,5 @@ selenium_screenshots/
 backups/
 media/
 *mmdb
+
+.idea/

.prospector.yaml

@@ -1,12 +0,0 @@
-strictness: medium
-test-warnings: true
-doc-warnings: false
-
-ignore-paths:
-  - migrations
-  - docs
-  - node_modules
-
-uses:
-  - django
-  - celery

.pylintrc

@@ -1,29 +0,0 @@
-[MASTER]
-
-disable =
-    arguments-differ,
-    no-self-use,
-    fixme,
-    locally-disabled,
-    too-many-ancestors,
-    too-few-public-methods,
-    import-outside-toplevel,
-    bad-continuation,
-    signature-differs,
-    similarities,
-    cyclic-import,
-    protected-access,
-    unsubscriptable-object # remove when pylint is upgraded to 2.6
-
-load-plugins=pylint_django,pylint.extensions.bad_builtin
-
-extension-pkg-whitelist=lxml,xmlsec
-
-# Allow constants to be shorter than normal (and lowercase, for settings.py)
-const-rgx=[a-zA-Z0-9_]{1,40}$
-
-ignored-modules=django-otp
-generated-members=xmlsec.constants.*,xmlsec.tree.*,xmlsec.template.*
-ignore=migrations
-max-attributes=12
-max-branches=20

Dockerfile

@@ -1,3 +1,4 @@
+# Stage 1: Lock python dependencies
 FROM python:3.9-slim-buster as locker
 
 COPY ./Pipfile /app/
@@ -9,40 +10,66 @@ RUN pip install pipenv && \
     pipenv lock -r > requirements.txt && \
     pipenv lock -rd > requirements-dev.txt
 
+# Stage 2: Build webui
+FROM node as npm-builder
+
+COPY ./web /static/
+
+ENV NODE_ENV=production
+RUN cd /static && npm i --production=false && npm run build
+
+# Stage 3: Build go proxy
+FROM golang:1.16.4 AS builder
+
+WORKDIR /work
+
+COPY --from=npm-builder /static/robots.txt /work/web/robots.txt
+COPY --from=npm-builder /static/security.txt /work/web/security.txt
+COPY --from=npm-builder /static/dist/ /work/web/dist/
+COPY --from=npm-builder /static/authentik/ /work/web/authentik/
+
+# RUN ls /work/web/static/authentik/ && exit 1
+COPY ./cmd /work/cmd
+COPY ./web/static.go /work/web/static.go
+COPY ./internal /work/internal
+COPY ./go.mod /work/go.mod
+COPY ./go.sum /work/go.sum
+
+RUN go build -o /work/authentik ./cmd/server/main.go
+
+# Stage 4: Run
 FROM python:3.9-slim-buster
 
 WORKDIR /
 COPY --from=locker /app/requirements.txt /
 COPY --from=locker /app/requirements-dev.txt /
 
+ARG GIT_BUILD_HASH
+ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
+
 RUN apt-get update && \
-    apt-get install -y --no-install-recommends curl ca-certificates gnupg && \
+    apt-get install -y --no-install-recommends curl ca-certificates gnupg git runit && \
     curl https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add - && \
     echo "deb http://apt.postgresql.org/pub/repos/apt buster-pgdg main" > /etc/apt/sources.list.d/pgdg.list && \
     apt-get update && \
-    apt-get install -y --no-install-recommends postgresql-client-12 postgresql-client-11 build-essential libxmlsec1-dev pkg-config libmaxminddb0 && \
-    apt-get clean && \
+    apt-get install -y --no-install-recommends libpq-dev postgresql-client build-essential libxmlsec1-dev pkg-config libmaxminddb0 && \
     pip install -r /requirements.txt --no-cache-dir && \
-    apt-get remove --purge -y build-essential && \
+    apt-get remove --purge -y build-essential git && \
     apt-get autoremove --purge -y && \
-    # This is quite hacky, but docker has no guaranteed Group ID
-    # we could instead check for the GID of the socket and add the user dynamically,
-    # but then we have to drop permmissions later
-    groupadd -g 998 docker_998 && \
-    groupadd -g 999 docker_999 && \
+    apt-get clean && \
+    rm -rf /tmp/* /var/lib/apt/lists/* /var/tmp/ && \
     adduser --system --no-create-home --uid 1000 --group --home /authentik authentik && \
-    usermod -a -G docker_998 authentik && \
-    usermod -a -G docker_999 authentik && \
     mkdir /backups && \
     chown authentik:authentik /backups
 
 COPY ./authentik/ /authentik
-COPY ./pytest.ini /
+COPY ./pyproject.toml /
 COPY ./xml /xml
 COPY ./manage.py /
 COPY ./lifecycle/ /lifecycle
+COPY --from=builder /work/authentik /authentik-proxy
 
 USER authentik
-STOPSIGNAL SIGINT
 ENV TMPDIR /dev/shm/
+ENV PYTHONUBUFFERED 1
 ENTRYPOINT [ "/lifecycle/bootstrap.sh" ]

Makefile

@@ -1,4 +1,7 @@
-all: lint-fix lint coverage gen
+.SHELLFLAGS += -x -e
+PWD = $(shell pwd)
+
+all: lint-fix lint test gen
 
 test-integration:
 	k3d cluster create || exit 0
@@ -6,33 +9,32 @@ test-integration:
 	coverage run manage.py test -v 3 tests/integration
 
 test-e2e:
-	coverage run manage.py test -v 3 tests/e2e
+	coverage run manage.py test --failfast -v 3 tests/e2e
 
-coverage:
+test:
 	coverage run manage.py test -v 3 authentik
 	coverage html
 	coverage report
 
 lint-fix:
-	isort -rc authentik tests lifecycle
+	isort authentik tests lifecycle
 	black authentik tests lifecycle
 
 lint:
 	pyright authentik tests lifecycle
 	bandit -r authentik tests lifecycle -x node_modules
 	pylint authentik tests lifecycle
-	prospector
 
-gen: coverage
+gen:
 	./manage.py generate_swagger -o swagger.yaml -f yaml
+	docker run \
+		--rm -v ${PWD}:/local \
+		openapitools/openapi-generator-cli generate \
+		-i /local/swagger.yaml \
+		-g typescript-fetch \
+		-o /local/web/api \
+		--additional-properties=typescriptThreePlus=true,supportsES6=true,npmName=authentik-api,npmVersion=1.0.0
+	cd web/api && npx tsc
 
-local-stack:
-	export AUTHENTIK_TAG=testing
-	docker build -t beryju/authentik:testng .
-	docker-compose up -d
-	docker-compose run --rm server migrate
-
-build-static:
-	docker-compose -f scripts/ci.docker-compose.yml up -d
-	docker build -t beryju/authentik-static -f static.Dockerfile --network=scripts_default .
-	docker-compose -f scripts/ci.docker-compose.yml down -v
+run:
+	go run -v cmd/server/main.go

Pipfile

@@ -11,8 +11,7 @@ channels-redis = "*"
 dacite = "*"
 defusedxml = "*"
 django = "*"
-django-cors-middleware = "*"
-django-dbbackup = "*"
+django-dbbackup = { git = 'https://github.com/django-dbbackup/django-dbbackup.git', ref = '9d1909c30a3271c8c9c8450add30d6e0b996e145' }
 django-filter = "*"
 django-guardian = "*"
 django-model-utils = "*"
@@ -23,42 +22,41 @@ django-storages = "*"
 djangorestframework = "*"
 djangorestframework-guardian = "*"
 docker = "*"
-drf_yasg2 = "*"
+drf_yasg = "*"
 facebook-sdk = "*"
 geoip2 = "*"
 gunicorn = "*"
 kubernetes = "*"
 ldap3 = "*"
-lxml = "*"
+lxml = ">=4.6.3"
 packaging = "*"
 psycopg2-binary = "*"
 pycryptodome = "*"
-pyjwkest = "*"
+pyjwt = "*"
 pyyaml = "*"
 requests-oauthlib = "*"
 sentry-sdk = "*"
 service_identity = "*"
 structlog = "*"
 swagger-spec-validator = "*"
+twisted = "==20.3.0"
 urllib3 = {extras = ["secure"],version = "*"}
 uvicorn = {extras = ["standard"],version = "*"}
 webauthn = "*"
 xmlsec = "*"
-twisted = "==20.3.0"
 
 [requires]
 python_version = "3.9"
 
 [dev-packages]
-autopep8 = "*"
 bandit = "*"
-black = "==20.8b1"
-bumpversion = "*"
+black = "==21.5b1"
+bump2version = "*"
 colorama = "*"
 coverage = "*"
-pylint = "<=2.6.0"
+pylint = "*"
 pylint-django = "*"
-selenium = "*"
-prospector = "*"
 pytest = "*"
 pytest-django = "*"
+selenium = "*"
+requests-mock = "*"

README.md

@@ -4,13 +4,14 @@
 
 ---
 
-[![](https://img.shields.io/discord/809154715984199690?label=Discord&style=flat-square)](https://discord.gg/KPnmtNWy)
-[![CI Build status](https://img.shields.io/azure-devops/build/beryjuorg/authentik/1?style=flat-square)](https://dev.azure.com/beryjuorg/authentik/_build?definitionId=1)
-[![Tests](https://img.shields.io/azure-devops/tests/beryjuorg/authentik/1?compact_message&style=flat-square)](https://dev.azure.com/beryjuorg/authentik/_build?definitionId=1)
-[![Code Coverage](https://img.shields.io/codecov/c/gh/beryju/authentik?style=flat-square)](https://codecov.io/gh/BeryJu/authentik)
+[![](https://img.shields.io/discord/809154715984199690?label=Discord&style=flat-square)](https://discord.gg/jg33eMhnj6)
+[![CI Build status](https://img.shields.io/azure-devops/build/beryjuorg/authentik/6?style=flat-square)](https://dev.azure.com/beryjuorg/authentik/_build?definitionId=6)
+[![Tests](https://img.shields.io/azure-devops/tests/beryjuorg/authentik/6?compact_message&style=flat-square)](https://dev.azure.com/beryjuorg/authentik/_build?definitionId=6)
+[![Code Coverage](https://img.shields.io/codecov/c/gh/goauthentik/authentik?style=flat-square)](https://codecov.io/gh/goauthentik/authentik)
 ![Docker pulls](https://img.shields.io/docker/pulls/beryju/authentik.svg?style=flat-square)
 ![Latest version](https://img.shields.io/docker/v/beryju/authentik?sort=semver&style=flat-square)
-![LGTM Grade](https://img.shields.io/lgtm/grade/python/github/BeryJu/authentik?style=flat-square)
+![LGTM Grade](https://img.shields.io/lgtm/grade/python/github/goauthentik/authentik?style=flat-square)
+[Transifex](https://www.transifex.com/beryjuorg/authentik/)
 
 ## What is authentik?
 
@@ -26,12 +27,12 @@ For bigger setups, there is a Helm Chart in the `helm/` directory. This is docum
 
 Light | Dark
 --- | ---
-![](https://goauthentik.io/img/screen_apps_light.png) | ![](https://goauthentik.io/img/screen_apps_dark.png)
-![](https://goauthentik.io/img/screen_admin_light.png) | ![](https://goauthentik.io/img/screen_admin_dark.png)
+![](https://goauthentik.io/img/screen_apps_light.jpg) | ![](https://goauthentik.io/img/screen_apps_dark.jpg)
+![](https://goauthentik.io/img/screen_admin_light.jpg) | ![](https://goauthentik.io/img/screen_admin_dark.jpg)
 
 ## Development
 
-See [Development Documentation](https://goauthentik.io/docs/development/local-dev-environment)
+See [Development Documentation](https://goauthentik.io/developer-docs/)
 
 ## Security
 

SECURITY.md

@@ -4,9 +4,8 @@
 
 | Version    | Supported          |
 | ---------- | ------------------ |
-| 2021.1.x   | :white_check_mark: |
-| 2021.2.x   | :white_check_mark: |
-| 2021.3.x   | :white_check_mark: |
+| 2021.4.x   | :white_check_mark: |
+| 2021.5.x   | :white_check_mark: |
 
 ## Reporting a Vulnerability
 

authentik/__init__.py

@@ -1,2 +1,3 @@
 """authentik"""
-__version__ = "2021.3.3"
+__version__ = "2021.5.4"
+ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"

authentik/admin/api/meta.py

@@ -0,0 +1,31 @@
+"""Meta API"""
+from drf_yasg.utils import swagger_auto_schema
+from rest_framework.fields import CharField
+from rest_framework.permissions import IsAdminUser
+from rest_framework.request import Request
+from rest_framework.response import Response
+from rest_framework.viewsets import ViewSet
+
+from authentik.core.api.utils import PassiveSerializer
+from authentik.lib.utils.reflection import get_apps
+
+
+class AppSerializer(PassiveSerializer):
+    """Serialize Application info"""
+
+    name = CharField()
+    label = CharField()
+
+
+class AppsViewSet(ViewSet):
+    """Read-only view set list all installed apps"""
+
+    permission_classes = [IsAdminUser]
+
+    @swagger_auto_schema(responses={200: AppSerializer(many=True)})
+    def list(self, request: Request) -> Response:
+        """List current messages and pass into Serializer"""
+        data = []
+        for app in sorted(get_apps(), key=lambda app: app.name):
+            data.append({"name": app.name, "label": app.verbose_name})
+        return Response(AppSerializer(data, many=True).data)

authentik/admin/api/metrics.py

@@ -3,18 +3,18 @@ import time
 from collections import Counter
 from datetime import timedelta
 
-from django.db.models import Count, ExpressionWrapper, F, Model
+from django.db.models import Count, ExpressionWrapper, F
 from django.db.models.fields import DurationField
 from django.db.models.functions import ExtractHour
 from django.utils.timezone import now
-from drf_yasg2.utils import swagger_auto_schema
-from rest_framework.fields import SerializerMethodField
+from drf_yasg.utils import swagger_auto_schema, swagger_serializer_method
+from rest_framework.fields import IntegerField, SerializerMethodField
 from rest_framework.permissions import IsAdminUser
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import Serializer
 from rest_framework.viewsets import ViewSet
 
+from authentik.core.api.utils import PassiveSerializer
 from authentik.events.models import Event, EventAction
 
 
@@ -37,41 +37,45 @@ def get_events_per_1h(**filter_kwargs) -> list[dict[str, int]]:
     for hour in range(0, -24, -1):
         results.append(
             {
-                "x": time.mktime((_now + timedelta(hours=hour)).timetuple()) * 1000,
-                "y": data[hour * -1],
+                "x_cord": time.mktime((_now + timedelta(hours=hour)).timetuple())
+                * 1000,
+                "y_cord": data[hour * -1],
             }
         )
     return results
 
 
-class AdministrationMetricsSerializer(Serializer):
+class CoordinateSerializer(PassiveSerializer):
+    """Coordinates for diagrams"""
+
+    x_cord = IntegerField(read_only=True)
+    y_cord = IntegerField(read_only=True)
+
+
+class LoginMetricsSerializer(PassiveSerializer):
     """Login Metrics per 1h"""
 
     logins_per_1h = SerializerMethodField()
     logins_failed_per_1h = SerializerMethodField()
 
+    @swagger_serializer_method(serializer_or_field=CoordinateSerializer(many=True))
     def get_logins_per_1h(self, _):
         """Get successful logins per hour for the last 24 hours"""
         return get_events_per_1h(action=EventAction.LOGIN)
 
+    @swagger_serializer_method(serializer_or_field=CoordinateSerializer(many=True))
     def get_logins_failed_per_1h(self, _):
         """Get failed logins per hour for the last 24 hours"""
         return get_events_per_1h(action=EventAction.LOGIN_FAILED)
 
-    def create(self, validated_data: dict) -> Model:
-        raise NotImplementedError
-
-    def update(self, instance: Model, validated_data: dict) -> Model:
-        raise NotImplementedError
-
 
 class AdministrationMetricsViewSet(ViewSet):
     """Login Metrics per 1h"""
 
     permission_classes = [IsAdminUser]
 
-    @swagger_auto_schema(responses={200: AdministrationMetricsSerializer(many=True)})
+    @swagger_auto_schema(responses={200: LoginMetricsSerializer(many=False)})
     def list(self, request: Request) -> Response:
         """Login Metrics per 1h"""
-        serializer = AdministrationMetricsSerializer(True)
+        serializer = LoginMetricsSerializer(True)
         return Response(serializer.data)

authentik/admin/api/tasks.py

@@ -2,22 +2,21 @@
 from importlib import import_module
 
 from django.contrib import messages
-from django.db.models import Model
 from django.http.response import Http404
 from django.utils.translation import gettext_lazy as _
-from drf_yasg2.utils import swagger_auto_schema
+from drf_yasg.utils import swagger_auto_schema
 from rest_framework.decorators import action
 from rest_framework.fields import CharField, ChoiceField, DateTimeField, ListField
 from rest_framework.permissions import IsAdminUser
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import Serializer
 from rest_framework.viewsets import ViewSet
 
+from authentik.core.api.utils import PassiveSerializer
 from authentik.events.monitored_tasks import TaskInfo, TaskResultStatus
 
 
-class TaskSerializer(Serializer):
+class TaskSerializer(PassiveSerializer):
     """Serialize TaskInfo and TaskResult"""
 
     task_name = CharField()
@@ -25,28 +24,41 @@ class TaskSerializer(Serializer):
     task_finish_timestamp = DateTimeField(source="finish_timestamp")
 
     status = ChoiceField(
-        source="result.status.value",
-        choices=[(x.value, x.name) for x in TaskResultStatus],
+        source="result.status.name",
+        choices=[(x.name, x.name) for x in TaskResultStatus],
     )
     messages = ListField(source="result.messages")
 
-    def create(self, validated_data: dict) -> Model:
-        raise NotImplementedError
-
-    def update(self, instance: Model, validated_data: dict) -> Model:
-        raise NotImplementedError
-
 
 class TaskViewSet(ViewSet):
     """Read-only view set that returns all background tasks"""
 
     permission_classes = [IsAdminUser]
 
+    @swagger_auto_schema(
+        responses={200: TaskSerializer(many=False), 404: "Task not found"}
+    )
+    # pylint: disable=invalid-name
+    def retrieve(self, request: Request, pk=None) -> Response:
+        """Get a single system task"""
+        task = TaskInfo.by_name(pk)
+        if not task:
+            raise Http404
+        return Response(TaskSerializer(task, many=False).data)
+
     @swagger_auto_schema(responses={200: TaskSerializer(many=True)})
     def list(self, request: Request) -> Response:
-        """List current messages and pass into Serializer"""
-        return Response(TaskSerializer(TaskInfo.all().values(), many=True).data)
+        """List system tasks"""
+        tasks = sorted(TaskInfo.all().values(), key=lambda task: task.task_name)
+        return Response(TaskSerializer(tasks, many=True).data)
 
+    @swagger_auto_schema(
+        responses={
+            204: "Task retried successfully",
+            404: "Task not found",
+            500: "Failed to retry task",
+        }
+    )
     @action(detail=True, methods=["post"])
     # pylint: disable=invalid-name
     def retry(self, request: Request, pk=None) -> Response:
@@ -65,12 +77,8 @@ class TaskViewSet(ViewSet):
                     % {"name": task.task_name}
                 ),
             )
-            return Response(
-                {
-                    "successful": True,
-                }
-            )
+            return Response(status=204)
         except ImportError:  # pragma: no cover
             # if we get an import error, the module path has probably changed
             task.delete()
-            return Response({"successful": False})
+            return Response(status=500)

authentik/admin/api/version.py

@@ -1,27 +1,33 @@
 """authentik administration overview"""
+from os import environ
+
 from django.core.cache import cache
-from django.db.models import Model
-from drf_yasg2.utils import swagger_auto_schema
+from drf_yasg.utils import swagger_auto_schema
 from packaging.version import parse
 from rest_framework.fields import SerializerMethodField
 from rest_framework.mixins import ListModelMixin
-from rest_framework.permissions import IsAdminUser
+from rest_framework.permissions import IsAuthenticated
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import Serializer
 from rest_framework.viewsets import GenericViewSet
 
-from authentik import __version__
+from authentik import ENV_GIT_HASH_KEY, __version__
 from authentik.admin.tasks import VERSION_CACHE_KEY, update_latest_version
+from authentik.core.api.utils import PassiveSerializer
 
 
-class VersionSerializer(Serializer):
+class VersionSerializer(PassiveSerializer):
     """Get running and latest version."""
 
     version_current = SerializerMethodField()
     version_latest = SerializerMethodField()
+    build_hash = SerializerMethodField()
     outdated = SerializerMethodField()
 
+    def get_build_hash(self, _) -> str:
+        """Get build hash, if version is not latest or released"""
+        return environ.get(ENV_GIT_HASH_KEY, "")
+
     def get_version_current(self, _) -> str:
         """Get current version"""
         return __version__
@@ -40,17 +46,13 @@ class VersionSerializer(Serializer):
             self.get_version_latest(instance)
         )
 
-    def create(self, validated_data: dict) -> Model:
-        raise NotImplementedError
-
-    def update(self, instance: Model, validated_data: dict) -> Model:
-        raise NotImplementedError
-
 
 class VersionViewSet(ListModelMixin, GenericViewSet):
     """Get running and latest version."""
 
-    permission_classes = [IsAdminUser]
+    permission_classes = [IsAuthenticated]
+    pagination_class = None
+    filter_backends = []
 
     def get_queryset(self):  # pragma: no cover
         return None

authentik/admin/apps.py

@@ -7,5 +7,4 @@ class AuthentikAdminConfig(AppConfig):
 
     name = "authentik.admin"
     label = "authentik_admin"
-    mountpoint = "administration/"
     verbose_name = "authentik Admin"

authentik/admin/fields.py

@@ -1,107 +0,0 @@
-"""Additional fields"""
-import yaml
-from django import forms
-from django.utils.datastructures import MultiValueDict
-from django.utils.translation import gettext_lazy as _
-
-
-class ArrayFieldSelectMultiple(forms.SelectMultiple):
-    """This is a Form Widget for use with a Postgres ArrayField. It implements
-    a multi-select interface that can be given a set of `choices`.
-    You can provide a `delimiter` keyword argument to specify the delimeter used.
-
-    https://gist.github.com/stephane/00e73c0002de52b1c601"""
-
-    def __init__(self, *args, **kwargs):
-        # Accept a `delimiter` argument, and grab it (defaulting to a comma)
-        self.delimiter = kwargs.pop("delimiter", ",")
-        super().__init__(*args, **kwargs)
-
-    def value_from_datadict(self, data, files, name):
-        if isinstance(data, MultiValueDict):
-            # Normally, we'd want a list here, which is what we get from the
-            # SelectMultiple superclass, but the SimpleArrayField expects to
-            # get a delimited string, so we're doing a little extra work.
-            return self.delimiter.join(data.getlist(name))
-
-        return data.get(name)
-
-    def get_context(self, name, value, attrs):
-        return super().get_context(name, value.split(self.delimiter), attrs)
-
-
-class CodeMirrorWidget(forms.Textarea):
-    """Custom Textarea-based Widget that triggers a CodeMirror editor"""
-
-    # CodeMirror mode to enable
-    mode: str
-
-    template_name = "fields/codemirror.html"
-
-    def __init__(self, *args, mode="yaml", **kwargs):
-        super().__init__(*args, **kwargs)
-        self.mode = mode
-
-    def render(self, *args, **kwargs):
-        attrs = kwargs.setdefault("attrs", {})
-        attrs["mode"] = self.mode
-        return super().render(*args, **kwargs)
-
-
-class InvalidYAMLInput(str):
-    """Invalid YAML String type"""
-
-
-class YAMLString(str):
-    """YAML String type"""
-
-
-class YAMLField(forms.JSONField):
-    """Django's JSON Field converted to YAML"""
-
-    default_error_messages = {
-        "invalid": _("'%(value)s' value must be valid YAML."),
-    }
-    widget = forms.Textarea
-
-    def to_python(self, value):
-        if self.disabled:
-            return value
-        if value in self.empty_values:
-            return None
-        if isinstance(value, (list, dict, int, float, YAMLString)):
-            return value
-        try:
-            converted = yaml.safe_load(value)
-        except yaml.YAMLError:
-            raise forms.ValidationError(
-                self.error_messages["invalid"],
-                code="invalid",
-                params={"value": value},
-            )
-        if isinstance(converted, str):
-            return YAMLString(converted)
-        if converted is None:
-            return {}
-        return converted
-
-    def bound_data(self, data, initial):
-        if self.disabled:
-            return initial
-        try:
-            return yaml.safe_load(data)
-        except yaml.YAMLError:
-            return InvalidYAMLInput(data)
-
-    def prepare_value(self, value):
-        if isinstance(value, InvalidYAMLInput):
-            return value
-        return yaml.dump(value, explicit_start=True, default_flow_style=False)
-
-    def has_changed(self, initial, data):
-        if super().has_changed(initial, data):
-            return True
-        # For purposes of seeing whether something has changed, True isn't the
-        # same as 1 and the order of keys doesn't matter.
-        data = self.to_python(data)
-        return yaml.dump(initial, sort_keys=True) != yaml.dump(data, sort_keys=True)

authentik/admin/forms/overview.py

@@ -1,18 +0,0 @@
-"""Forms for modals on overview page"""
-from django import forms
-
-
-class PolicyCacheClearForm(forms.Form):
-    """Form to clear Policy cache"""
-
-    title = "Clear Policy cache"
-    body = """Are you sure you want to clear the policy cache?
-    This will cause all policies to be re-evaluated on their next usage."""
-
-
-class FlowCacheClearForm(forms.Form):
-    """Form to clear Flow cache"""
-
-    title = "Clear Flow cache"
-    body = """Are you sure you want to clear the flow cache?
-    This will cause all flows to be re-evaluated on their next usage."""

authentik/admin/forms/policies.py

@@ -1,12 +0,0 @@
-"""authentik administration forms"""
-from django import forms
-
-from authentik.admin.fields import CodeMirrorWidget, YAMLField
-from authentik.core.models import User
-
-
-class PolicyTestForm(forms.Form):
-    """Form to test policies against user"""
-
-    user = forms.ModelChoiceField(queryset=User.objects.all())
-    context = YAMLField(widget=CodeMirrorWidget(), required=False, initial=dict)

authentik/admin/forms/users.py

@@ -1,22 +0,0 @@
-"""authentik administrative user forms"""
-
-from django import forms
-
-from authentik.admin.fields import CodeMirrorWidget, YAMLField
-from authentik.core.models import User
-
-
-class UserForm(forms.ModelForm):
-    """Update User Details"""
-
-    class Meta:
-
-        model = User
-        fields = ["username", "name", "email", "is_active", "attributes"]
-        widgets = {
-            "name": forms.TextInput,
-            "attributes": CodeMirrorWidget,
-        }
-        field_classes = {
-            "attributes": YAMLField,
-        }

authentik/admin/mixins.py

@@ -1,9 +0,0 @@
-"""authentik admin mixins"""
-from django.contrib.auth.mixins import UserPassesTestMixin
-
-
-class AdminRequiredMixin(UserPassesTestMixin):
-    """Make sure user is administrator"""
-
-    def test_func(self):
-        return self.request.user.is_superuser

authentik/admin/settings.py

@@ -4,7 +4,7 @@ from celery.schedules import crontab
 CELERY_BEAT_SCHEDULE = {
     "admin_latest_version": {
         "task": "authentik.admin.tasks.update_latest_version",
-        "schedule": crontab(minute=0),  # Run every hour
+        "schedule": crontab(minute="*/60"),  # Run every hour
         "options": {"queue": "authentik_scheduled"},
     }
 }

authentik/admin/tasks.py

@@ -23,7 +23,9 @@ URL_FINDER = URLValidator.regex.pattern[1:]
 def update_latest_version(self: MonitoredTask):
     """Update latest version info"""
     try:
-        response = get("https://api.github.com/repos/beryju/authentik/releases/latest")
+        response = get(
+            "https://api.github.com/repos/goauthentik/authentik/releases/latest"
+        )
         response.raise_for_status()
         data = response.json()
         tag_name = data.get("tag_name")

authentik/admin/templates/administration/base.html

@@ -1,5 +0,0 @@
-{% load static %}
-{% load i18n %}
-
-{% block content %}
-{% endblock %}

authentik/admin/templates/administration/certificatekeypair/generate.html

@@ -1,14 +0,0 @@
-{% extends base_template|default:"generic/form.html" %}
-
-{% load authentik_utils %}
-{% load i18n %}
-
-{% block above_form %}
-<h1>
-    {% trans 'Generate Certificate-Key Pair' %}
-</h1>
-{% endblock %}
-
-{% block action %}
-{% trans 'Generate Certificate-Key Pair' %}
-{% endblock %}

authentik/admin/templates/administration/flow/import.html

@@ -1,13 +0,0 @@
-{% extends base_template|default:"generic/form.html" %}
-
-{% load i18n %}
-
-{% block above_form %}
-<h1>
-{% trans 'Import Flow' %}
-</h1>
-{% endblock %}
-
-{% block action %}
-{% trans 'Import Flow' %}
-{% endblock %}

authentik/admin/templates/administration/policy/test.html

@@ -1,46 +0,0 @@
-{% extends 'generic/form.html' %}
-
-{% load i18n %}
-
-{% block above_form %}
-<h1>{% blocktrans with policy=policy %}Test {{ policy }}{% endblocktrans %}</h1>
-{% endblock %}
-
-{% block beneath_form %}
-{% if result %}
-<div class="pf-c-form__group ">
-    <div class="pf-c-form__group-label">
-        <label class="pf-c-form__label" for="context-1">
-            <span class="pf-c-form__label-text">{% trans 'Passing' %}</span>
-        </label>
-    </div>
-    <div class="pf-c-form__group-label">
-        <div class="c-form__horizontal-group">
-            <span class="pf-c-form__label-text">{{ result.passing|yesno:"Yes,No" }}</span>
-        </div>
-    </div>
-</div>
-<div class="pf-c-form__group ">
-    <div class="pf-c-form__group-label">
-        <label class="pf-c-form__label" for="context-1">
-            <span class="pf-c-form__label-text">{% trans 'Messages' %}</span>
-        </label>
-    </div>
-    <div class="pf-c-form__group-label">
-        <div class="c-form__horizontal-group">
-            <ul>
-                {% for m in result.messages %}
-                <li><span class="pf-c-form__label-text">{{ m }}</span></li>
-                {% empty %}
-                <li><span class="pf-c-form__label-text">-</span></li>
-                {% endfor %}
-            </ul>
-        </div>
-    </div>
-</div>
-{% endif %}
-{% endblock %}
-
-{% block action %}
-{% trans 'Test' %}
-{% endblock %}

authentik/admin/templates/administration/user/disable.html

@@ -1,42 +0,0 @@
-{% extends "administration/base.html" %}
-
-{% load i18n %}
-{% load authentik_utils %}
-
-{% block content %}
-<section class="pf-c-page__main-section pf-m-light">
-    <div class="pf-c-content">
-        {% block above_form %}
-        <h1>
-            {% blocktrans with object_type=object|verbose_name %}
-            Disable {{ object_type }}
-            {% endblocktrans %}
-        </h1>
-        {% endblock %}
-    </div>
-</section>
-<section class="pf-c-page__main-section">
-    <div class="pf-l-stack">
-        <div class="pf-l-stack__item">
-            <div class="pf-c-card">
-                <div class="pf-c-card__body">
-                    <form action="" method="post" class="pf-c-form">
-                        {% csrf_token %}
-                        <p>
-                            {% blocktrans with object_type=object|verbose_name name=object %}
-                            Are you sure you want to disable {{ object_type }} "{{ object }}"?
-                            {% endblocktrans %}
-                        </p>
-                        <div class="pf-c-form__group pf-m-action">
-                            <div class="pf-c-form__actions">
-                                <input class="pf-c-button pf-m-danger" type="submit" value="{% trans 'Disable' %}" />
-                                <a class="pf-c-button pf-m-secondary" href="{% back %}">{% trans "Back" %}</a>
-                            </div>
-                        </div>
-                    </form>
-                </div>
-            </div>
-        </div>
-    </div>
-</section>
-{% endblock %}

authentik/admin/templates/fields/codemirror.html

@@ -1 +0,0 @@
-<ak-codemirror mode="{{ widget.attrs.mode }}"><textarea class="pf-c-form-control" name="{{ widget.name }}">{% if widget.value %}{{ widget.value }}{% endif %}</textarea></ak-codemirror>

authentik/admin/templates/generic/create.html

@@ -1,18 +0,0 @@
-{% extends base_template|default:"generic/form.html" %}
-
-{% load authentik_utils %}
-{% load i18n %}
-
-{% block above_form %}
-<h1>
-    {% blocktrans with type=form|form_verbose_name %}
-    Create {{ type }}
-    {% endblocktrans %}
-</h1>
-{% endblock %}
-
-{% block action %}
-{% blocktrans with type=form|form_verbose_name %}
-Create {{ type }}
-{% endblocktrans %}
-{% endblock %}

authentik/admin/templates/generic/form.html

@@ -1,40 +0,0 @@
-{% extends container_template|default:"administration/base.html" %}
-
-{% load i18n %}
-{% load authentik_utils %}
-{% load static %}
-
-{% block content %}
-<section class="pf-c-page__main-section pf-m-light">
-    <div class="pf-c-content">
-        {% block above_form %}
-        {% endblock %}
-    </div>
-</section>
-<section class="pf-c-page__main-section">
-    <div class="pf-l-stack">
-        <div class="pf-l-stack__item">
-            <div class="pf-c-card">
-                <div class="pf-c-card__body">
-                    <form id="main-form" action="" method="post" class="pf-c-form pf-m-horizontal" enctype="multipart/form-data">
-                        {% include 'partials/form_horizontal.html' with form=form %}
-                        {% block beneath_form %}
-                        {% endblock %}
-                    </form>
-                </div>
-            </div>
-        </div>
-    </div>
-</section>
-<footer class="pf-c-modal-box__footer">
-    <ak-spinner-button form="main-form">
-        {% block action %}{% endblock %}
-    </ak-spinner-button>&nbsp;
-    <a class="pf-c-button pf-m-secondary" href="{% back %}">{% trans "Cancel" %}</a>
-</footer>
-{% endblock %}
-
-{% block scripts %}
-{{ block.super }}
-{{ form.media.js }}
-{% endblock %}

authentik/admin/templates/generic/form_non_model.html

@@ -1,20 +0,0 @@
-{% extends base_template|default:"generic/form.html" %}
-
-{% load authentik_utils %}
-{% load i18n %}
-
-{% block above_form %}
-<h1>
-    {% trans form.title %}
-</h1>
-{% endblock %}
-
-{% block beneath_form %}
-<p>
-    {% trans form.body %}
-</p>
-{% endblock %}
-
-{% block action %}
-{% trans 'Confirm' %}
-{% endblock %}

authentik/admin/templates/generic/update.html

@@ -1,18 +0,0 @@
-{% extends base_template|default:"generic/form.html" %}
-
-{% load authentik_utils %}
-{% load i18n %}
-
-{% block above_form %}
-<h1>
-    {% blocktrans with type=form|form_verbose_name|title inst=form.instance %}
-    Update {{ inst }}
-    {% endblocktrans %}
-</h1>
-{% endblock %}
-
-{% block action %}
-{% blocktrans with type=form|form_verbose_name %}
-Update {{ type }}
-{% endblocktrans %}
-{% endblock %}

authentik/admin/tests/test_api.py

@@ -7,6 +7,7 @@ from django.urls import reverse
 from authentik import __version__
 from authentik.core.models import Group, User
 from authentik.core.tasks import clean_expired_models
+from authentik.events.monitored_tasks import TaskResultStatus
 
 
 class TestAdminAPI(TestCase):
@@ -27,9 +28,29 @@ class TestAdminAPI(TestCase):
         self.assertEqual(response.status_code, 200)
         body = loads(response.content)
         self.assertTrue(
-            any([task["task_name"] == "clean_expired_models" for task in body])
+            any(task["task_name"] == "clean_expired_models" for task in body)
         )
 
+    def test_tasks_single(self):
+        """Test Task API (read single)"""
+        clean_expired_models.delay()
+        response = self.client.get(
+            reverse(
+                "authentik_api:admin_system_tasks-detail",
+                kwargs={"pk": "clean_expired_models"},
+            )
+        )
+        self.assertEqual(response.status_code, 200)
+        body = loads(response.content)
+        self.assertEqual(body["status"], TaskResultStatus.SUCCESSFUL.name)
+        self.assertEqual(body["task_name"], "clean_expired_models")
+        response = self.client.get(
+            reverse(
+                "authentik_api:admin_system_tasks-detail", kwargs={"pk": "qwerqwer"}
+            )
+        )
+        self.assertEqual(response.status_code, 404)
+
     def test_tasks_retry(self):
         """Test Task API (retry)"""
         clean_expired_models.delay()
@@ -39,9 +60,7 @@ class TestAdminAPI(TestCase):
                 kwargs={"pk": "clean_expired_models"},
             )
         )
-        self.assertEqual(response.status_code, 200)
-        body = loads(response.content)
-        self.assertTrue(body["successful"])
+        self.assertEqual(response.status_code, 204)
 
     def test_tasks_retry_404(self):
         """Test Task API (retry, 404)"""
@@ -71,3 +90,8 @@ class TestAdminAPI(TestCase):
         """Test metrics API"""
         response = self.client.get(reverse("authentik_api:admin_metrics-list"))
         self.assertEqual(response.status_code, 200)
+
+    def test_apps(self):
+        """Test apps API"""
+        response = self.client.get(reverse("authentik_api:apps-list"))
+        self.assertEqual(response.status_code, 200)

authentik/admin/tests/test_generated.py

@@ -1,66 +0,0 @@
-"""admin tests"""
-from importlib import import_module
-from typing import Callable
-
-from django.forms import ModelForm
-from django.test import Client, TestCase
-from django.urls import reverse
-from django.urls.exceptions import NoReverseMatch
-
-from authentik.admin.urls import urlpatterns
-from authentik.core.models import Group, User
-from authentik.lib.utils.reflection import get_apps
-
-
-class TestAdmin(TestCase):
-    """Generic admin tests"""
-
-    def setUp(self):
-        self.user = User.objects.create_user(username="test")
-        self.user.ak_groups.add(Group.objects.filter(is_superuser=True).first())
-        self.user.save()
-        self.client = Client()
-        self.client.force_login(self.user)
-
-
-def generic_view_tester(view_name: str) -> Callable:
-    """This is used instead of subTest for better visibility"""
-
-    def tester(self: TestAdmin):
-        try:
-            full_url = reverse(f"authentik_admin:{view_name}")
-            response = self.client.get(full_url)
-            self.assertTrue(response.status_code < 500)
-        except NoReverseMatch:
-            pass
-
-    return tester
-
-
-for url in urlpatterns:
-    method_name = url.name.replace("-", "_")
-    setattr(TestAdmin, f"test_view_{method_name}", generic_view_tester(url.name))
-
-
-def generic_form_tester(form: ModelForm) -> Callable:
-    """Test a form"""
-
-    def tester(self: TestAdmin):
-        form_inst = form()
-        self.assertFalse(form_inst.is_valid())
-
-    return tester
-
-
-# Load the forms module from every app, so we have all forms loaded
-for app in get_apps():
-    module = app.__module__.replace(".apps", ".forms")
-    try:
-        import_module(module)
-    except ImportError:
-        pass
-
-for form_class in ModelForm.__subclasses__():
-    setattr(
-        TestAdmin, f"test_form_{form_class.__name__}", generic_form_tester(form_class)
-    )

authentik/admin/tests/test_policy_binding.py

@@ -1,43 +0,0 @@
-"""admin tests"""
-from uuid import uuid4
-
-from django import forms
-from django.test import TestCase
-from django.test.client import RequestFactory
-
-from authentik.admin.views.policies_bindings import PolicyBindingCreateView
-from authentik.core.models import Application
-from authentik.policies.forms import PolicyBindingForm
-
-
-class TestPolicyBindingView(TestCase):
-    """Generic admin tests"""
-
-    def setUp(self):
-        self.factory = RequestFactory()
-
-    def test_without_get_param(self):
-        """Test PolicyBindingCreateView without get params"""
-        request = self.factory.get("/")
-        view = PolicyBindingCreateView(request=request)
-        self.assertEqual(view.get_initial(), {})
-
-    def test_with_params_invalid(self):
-        """Test PolicyBindingCreateView with invalid get params"""
-        request = self.factory.get("/", {"target": uuid4()})
-        view = PolicyBindingCreateView(request=request)
-        self.assertEqual(view.get_initial(), {})
-
-    def test_with_params(self):
-        """Test PolicyBindingCreateView with get params"""
-        target = Application.objects.create(name="test")
-        request = self.factory.get("/", {"target": target.pk.hex})
-        view = PolicyBindingCreateView(request=request)
-        self.assertEqual(view.get_initial(), {"target": target, "order": 0})
-
-        self.assertTrue(
-            isinstance(
-                PolicyBindingForm(initial={"target": "foo"}).fields["target"].widget,
-                forms.HiddenInput,
-            )
-        )

authentik/admin/tests/test_stage_bindings.py

@@ -1,43 +0,0 @@
-"""admin tests"""
-from uuid import uuid4
-
-from django import forms
-from django.test import TestCase
-from django.test.client import RequestFactory
-
-from authentik.admin.views.stages_bindings import StageBindingCreateView
-from authentik.flows.forms import FlowStageBindingForm
-from authentik.flows.models import Flow
-
-
-class TestStageBindingView(TestCase):
-    """Generic admin tests"""
-
-    def setUp(self):
-        self.factory = RequestFactory()
-
-    def test_without_get_param(self):
-        """Test StageBindingCreateView without get params"""
-        request = self.factory.get("/")
-        view = StageBindingCreateView(request=request)
-        self.assertEqual(view.get_initial(), {})
-
-    def test_with_params_invalid(self):
-        """Test StageBindingCreateView with invalid get params"""
-        request = self.factory.get("/", {"target": uuid4()})
-        view = StageBindingCreateView(request=request)
-        self.assertEqual(view.get_initial(), {})
-
-    def test_with_params(self):
-        """Test StageBindingCreateView with get params"""
-        target = Flow.objects.create(name="test", slug="test")
-        request = self.factory.get("/", {"target": target.pk.hex})
-        view = StageBindingCreateView(request=request)
-        self.assertEqual(view.get_initial(), {"target": target, "order": 0})
-
-        self.assertTrue(
-            isinstance(
-                FlowStageBindingForm(initial={"target": "foo"}).fields["target"].widget,
-                forms.HiddenInput,
-            )
-        )

authentik/admin/urls.py

@@ -1,344 +0,0 @@
-"""authentik URL Configuration"""
-from django.urls import path
-
-from authentik.admin.views import (
-    applications,
-    certificate_key_pair,
-    events_notifications_rules,
-    events_notifications_transports,
-    flows,
-    groups,
-    outposts,
-    outposts_service_connections,
-    overview,
-    policies,
-    policies_bindings,
-    property_mappings,
-    providers,
-    sources,
-    stages,
-    stages_bindings,
-    stages_invitations,
-    stages_prompts,
-    tokens,
-    users,
-)
-from authentik.providers.saml.views.metadata import MetadataImportView
-
-urlpatterns = [
-    path(
-        "overview/cache/flow/",
-        overview.FlowCacheClearView.as_view(),
-        name="overview-clear-flow-cache",
-    ),
-    path(
-        "overview/cache/policy/",
-        overview.PolicyCacheClearView.as_view(),
-        name="overview-clear-policy-cache",
-    ),
-    # Applications
-    path(
-        "applications/create/",
-        applications.ApplicationCreateView.as_view(),
-        name="application-create",
-    ),
-    path(
-        "applications/<uuid:pk>/update/",
-        applications.ApplicationUpdateView.as_view(),
-        name="application-update",
-    ),
-    path(
-        "applications/<uuid:pk>/delete/",
-        applications.ApplicationDeleteView.as_view(),
-        name="application-delete",
-    ),
-    # Tokens
-    path(
-        "tokens/<uuid:pk>/delete/",
-        tokens.TokenDeleteView.as_view(),
-        name="token-delete",
-    ),
-    # Sources
-    path("sources/create/", sources.SourceCreateView.as_view(), name="source-create"),
-    path(
-        "sources/<uuid:pk>/update/",
-        sources.SourceUpdateView.as_view(),
-        name="source-update",
-    ),
-    path(
-        "sources/<uuid:pk>/delete/",
-        sources.SourceDeleteView.as_view(),
-        name="source-delete",
-    ),
-    # Policies
-    path("policies/create/", policies.PolicyCreateView.as_view(), name="policy-create"),
-    path(
-        "policies/<uuid:pk>/update/",
-        policies.PolicyUpdateView.as_view(),
-        name="policy-update",
-    ),
-    path(
-        "policies/<uuid:pk>/delete/",
-        policies.PolicyDeleteView.as_view(),
-        name="policy-delete",
-    ),
-    path(
-        "policies/<uuid:pk>/test/",
-        policies.PolicyTestView.as_view(),
-        name="policy-test",
-    ),
-    # Policy bindings
-    path(
-        "policies/bindings/create/",
-        policies_bindings.PolicyBindingCreateView.as_view(),
-        name="policy-binding-create",
-    ),
-    path(
-        "policies/bindings/<uuid:pk>/update/",
-        policies_bindings.PolicyBindingUpdateView.as_view(),
-        name="policy-binding-update",
-    ),
-    path(
-        "policies/bindings/<uuid:pk>/delete/",
-        policies_bindings.PolicyBindingDeleteView.as_view(),
-        name="policy-binding-delete",
-    ),
-    # Providers
-    path(
-        "providers/create/",
-        providers.ProviderCreateView.as_view(),
-        name="provider-create",
-    ),
-    path(
-        "providers/create/saml/from-metadata/",
-        MetadataImportView.as_view(),
-        name="provider-saml-from-metadata",
-    ),
-    path(
-        "providers/<int:pk>/update/",
-        providers.ProviderUpdateView.as_view(),
-        name="provider-update",
-    ),
-    path(
-        "providers/<int:pk>/delete/",
-        providers.ProviderDeleteView.as_view(),
-        name="provider-delete",
-    ),
-    # Stages
-    path("stages/create/", stages.StageCreateView.as_view(), name="stage-create"),
-    path(
-        "stages/<uuid:pk>/update/",
-        stages.StageUpdateView.as_view(),
-        name="stage-update",
-    ),
-    path(
-        "stages/<uuid:pk>/delete/",
-        stages.StageDeleteView.as_view(),
-        name="stage-delete",
-    ),
-    # Stage bindings
-    path(
-        "stages/bindings/create/",
-        stages_bindings.StageBindingCreateView.as_view(),
-        name="stage-binding-create",
-    ),
-    path(
-        "stages/bindings/<uuid:pk>/update/",
-        stages_bindings.StageBindingUpdateView.as_view(),
-        name="stage-binding-update",
-    ),
-    path(
-        "stages/bindings/<uuid:pk>/delete/",
-        stages_bindings.StageBindingDeleteView.as_view(),
-        name="stage-binding-delete",
-    ),
-    # Stage Prompts
-    path(
-        "stages_prompts/create/",
-        stages_prompts.PromptCreateView.as_view(),
-        name="stage-prompt-create",
-    ),
-    path(
-        "stages_prompts/<uuid:pk>/update/",
-        stages_prompts.PromptUpdateView.as_view(),
-        name="stage-prompt-update",
-    ),
-    path(
-        "stages_prompts/<uuid:pk>/delete/",
-        stages_prompts.PromptDeleteView.as_view(),
-        name="stage-prompt-delete",
-    ),
-    # Stage Invitations
-    path(
-        "stages/invitations/create/",
-        stages_invitations.InvitationCreateView.as_view(),
-        name="stage-invitation-create",
-    ),
-    path(
-        "stages/invitations/<uuid:pk>/delete/",
-        stages_invitations.InvitationDeleteView.as_view(),
-        name="stage-invitation-delete",
-    ),
-    # Flows
-    path(
-        "flows/create/",
-        flows.FlowCreateView.as_view(),
-        name="flow-create",
-    ),
-    path(
-        "flows/import/",
-        flows.FlowImportView.as_view(),
-        name="flow-import",
-    ),
-    path(
-        "flows/<uuid:pk>/update/",
-        flows.FlowUpdateView.as_view(),
-        name="flow-update",
-    ),
-    path(
-        "flows/<uuid:pk>/execute/",
-        flows.FlowDebugExecuteView.as_view(),
-        name="flow-execute",
-    ),
-    path(
-        "flows/<uuid:pk>/export/",
-        flows.FlowExportView.as_view(),
-        name="flow-export",
-    ),
-    path(
-        "flows/<uuid:pk>/delete/",
-        flows.FlowDeleteView.as_view(),
-        name="flow-delete",
-    ),
-    # Property Mappings
-    path(
-        "property-mappings/create/",
-        property_mappings.PropertyMappingCreateView.as_view(),
-        name="property-mapping-create",
-    ),
-    path(
-        "property-mappings/<uuid:pk>/update/",
-        property_mappings.PropertyMappingUpdateView.as_view(),
-        name="property-mapping-update",
-    ),
-    path(
-        "property-mappings/<uuid:pk>/delete/",
-        property_mappings.PropertyMappingDeleteView.as_view(),
-        name="property-mapping-delete",
-    ),
-    path(
-        "property-mappings/<uuid:pk>/test/",
-        property_mappings.PropertyMappingTestView.as_view(),
-        name="property-mapping-test",
-    ),
-    # Users
-    path("users/create/", users.UserCreateView.as_view(), name="user-create"),
-    path("users/<int:pk>/update/", users.UserUpdateView.as_view(), name="user-update"),
-    path("users/<int:pk>/delete/", users.UserDeleteView.as_view(), name="user-delete"),
-    path(
-        "users/<int:pk>/disable/", users.UserDisableView.as_view(), name="user-disable"
-    ),
-    path("users/<int:pk>/enable/", users.UserEnableView.as_view(), name="user-enable"),
-    path(
-        "users/<int:pk>/reset/",
-        users.UserPasswordResetView.as_view(),
-        name="user-password-reset",
-    ),
-    # Groups
-    path("groups/create/", groups.GroupCreateView.as_view(), name="group-create"),
-    path(
-        "groups/<uuid:pk>/update/",
-        groups.GroupUpdateView.as_view(),
-        name="group-update",
-    ),
-    path(
-        "groups/<uuid:pk>/delete/",
-        groups.GroupDeleteView.as_view(),
-        name="group-delete",
-    ),
-    # Certificate-Key Pairs
-    path(
-        "crypto/certificates/create/",
-        certificate_key_pair.CertificateKeyPairCreateView.as_view(),
-        name="certificatekeypair-create",
-    ),
-    path(
-        "crypto/certificates/generate/",
-        certificate_key_pair.CertificateKeyPairGenerateView.as_view(),
-        name="certificatekeypair-generate",
-    ),
-    path(
-        "crypto/certificates/<uuid:pk>/update/",
-        certificate_key_pair.CertificateKeyPairUpdateView.as_view(),
-        name="certificatekeypair-update",
-    ),
-    path(
-        "crypto/certificates/<uuid:pk>/delete/",
-        certificate_key_pair.CertificateKeyPairDeleteView.as_view(),
-        name="certificatekeypair-delete",
-    ),
-    # Outposts
-    path(
-        "outposts/create/",
-        outposts.OutpostCreateView.as_view(),
-        name="outpost-create",
-    ),
-    path(
-        "outposts/<uuid:pk>/update/",
-        outposts.OutpostUpdateView.as_view(),
-        name="outpost-update",
-    ),
-    path(
-        "outposts/<uuid:pk>/delete/",
-        outposts.OutpostDeleteView.as_view(),
-        name="outpost-delete",
-    ),
-    # Outpost Service Connections
-    path(
-        "outpost_service_connections/create/",
-        outposts_service_connections.OutpostServiceConnectionCreateView.as_view(),
-        name="outpost-service-connection-create",
-    ),
-    path(
-        "outpost_service_connections/<uuid:pk>/update/",
-        outposts_service_connections.OutpostServiceConnectionUpdateView.as_view(),
-        name="outpost-service-connection-update",
-    ),
-    path(
-        "outpost_service_connections/<uuid:pk>/delete/",
-        outposts_service_connections.OutpostServiceConnectionDeleteView.as_view(),
-        name="outpost-service-connection-delete",
-    ),
-    # Event Notification Transpots
-    path(
-        "events/transports/create/",
-        events_notifications_transports.NotificationTransportCreateView.as_view(),
-        name="notification-transport-create",
-    ),
-    path(
-        "events/transports/<uuid:pk>/update/",
-        events_notifications_transports.NotificationTransportUpdateView.as_view(),
-        name="notification-transport-update",
-    ),
-    path(
-        "events/transports/<uuid:pk>/delete/",
-        events_notifications_transports.NotificationTransportDeleteView.as_view(),
-        name="notification-transport-delete",
-    ),
-    # Event Notification Rules
-    path(
-        "events/rules/create/",
-        events_notifications_rules.NotificationRuleCreateView.as_view(),
-        name="notification-rule-create",
-    ),
-    path(
-        "events/rules/<uuid:pk>/update/",
-        events_notifications_rules.NotificationRuleUpdateView.as_view(),
-        name="notification-rule-update",
-    ),
-    path(
-        "events/rules/<uuid:pk>/delete/",
-        events_notifications_rules.NotificationRuleDeleteView.as_view(),
-        name="notification-rule-delete",
-    ),
-]

authentik/admin/views/applications.py

@@ -1,80 +0,0 @@
-"""authentik Application administration"""
-from typing import Any
-
-from django.contrib.auth.mixins import LoginRequiredMixin
-from django.contrib.auth.mixins import (
-    PermissionRequiredMixin as DjangoPermissionRequiredMixin,
-)
-from django.contrib.messages.views import SuccessMessageMixin
-from django.utils.translation import gettext as _
-from django.views.generic import UpdateView
-from guardian.mixins import PermissionRequiredMixin
-from guardian.shortcuts import get_objects_for_user
-
-from authentik.admin.views.utils import DeleteMessageView
-from authentik.core.forms.applications import ApplicationForm
-from authentik.core.models import Application
-from authentik.lib.views import CreateAssignPermView
-
-
-class ApplicationCreateView(
-    SuccessMessageMixin,
-    LoginRequiredMixin,
-    DjangoPermissionRequiredMixin,
-    CreateAssignPermView,
-):
-    """Create new Application"""
-
-    model = Application
-    form_class = ApplicationForm
-    permission_required = "authentik_core.add_application"
-
-    success_url = "/"
-    template_name = "generic/create.html"
-    success_message = _("Successfully created Application")
-
-    def get_initial(self) -> dict[str, Any]:
-        if "provider" in self.request.GET:
-            try:
-                initial_provider_pk = int(self.request.GET["provider"])
-            except ValueError:
-                return super().get_initial()
-            providers = (
-                get_objects_for_user(self.request.user, "authentik_core.view_provider")
-                .filter(pk=initial_provider_pk)
-                .select_subclasses()
-            )
-            if not providers.exists():
-                return {}
-            return {"provider": providers.first()}
-        return super().get_initial()
-
-
-class ApplicationUpdateView(
-    SuccessMessageMixin,
-    LoginRequiredMixin,
-    PermissionRequiredMixin,
-    UpdateView,
-):
-    """Update application"""
-
-    model = Application
-    form_class = ApplicationForm
-    permission_required = "authentik_core.change_application"
-
-    success_url = "/"
-    template_name = "generic/update.html"
-    success_message = _("Successfully updated Application")
-
-
-class ApplicationDeleteView(
-    LoginRequiredMixin, PermissionRequiredMixin, DeleteMessageView
-):
-    """Delete application"""
-
-    model = Application
-    permission_required = "authentik_core.delete_application"
-
-    success_url = "/"
-    template_name = "generic/delete.html"
-    success_message = _("Successfully deleted Application")

authentik/admin/views/certificate_key_pair.py

@@ -1,95 +0,0 @@
-"""authentik CertificateKeyPair administration"""
-from django.contrib.auth.mixins import LoginRequiredMixin
-from django.contrib.auth.mixins import (
-    PermissionRequiredMixin as DjangoPermissionRequiredMixin,
-)
-from django.contrib.messages.views import SuccessMessageMixin
-from django.http.response import HttpResponse
-from django.urls import reverse_lazy
-from django.utils.translation import gettext as _
-from django.views.generic import UpdateView
-from django.views.generic.edit import FormView
-from guardian.mixins import PermissionRequiredMixin
-
-from authentik.admin.views.utils import DeleteMessageView
-from authentik.crypto.builder import CertificateBuilder
-from authentik.crypto.forms import (
-    CertificateKeyPairForm,
-    CertificateKeyPairGenerateForm,
-)
-from authentik.crypto.models import CertificateKeyPair
-from authentik.lib.views import CreateAssignPermView
-
-
-class CertificateKeyPairCreateView(
-    SuccessMessageMixin,
-    LoginRequiredMixin,
-    DjangoPermissionRequiredMixin,
-    CreateAssignPermView,
-):
-    """Create new CertificateKeyPair"""
-
-    model = CertificateKeyPair
-    form_class = CertificateKeyPairForm
-    permission_required = "authentik_crypto.add_certificatekeypair"
-
-    template_name = "generic/create.html"
-    success_url = reverse_lazy("authentik_core:shell")
-    success_message = _("Successfully created Certificate-Key Pair")
-
-
-class CertificateKeyPairGenerateView(
-    SuccessMessageMixin,
-    LoginRequiredMixin,
-    DjangoPermissionRequiredMixin,
-    FormView,
-):
-    """Generate new CertificateKeyPair"""
-
-    model = CertificateKeyPair
-    form_class = CertificateKeyPairGenerateForm
-    permission_required = "authentik_crypto.add_certificatekeypair"
-
-    template_name = "administration/certificatekeypair/generate.html"
-    success_url = reverse_lazy("authentik_core:shell")
-    success_message = _("Successfully generated Certificate-Key Pair")
-
-    def form_valid(self, form: CertificateKeyPairGenerateForm) -> HttpResponse:
-        builder = CertificateBuilder()
-        builder.common_name = form.data["common_name"]
-        builder.build(
-            subject_alt_names=form.data.get("subject_alt_name", "").split(","),
-            validity_days=int(form.data["validity_days"]),
-        )
-        builder.save()
-        return super().form_valid(form)
-
-
-class CertificateKeyPairUpdateView(
-    SuccessMessageMixin,
-    LoginRequiredMixin,
-    PermissionRequiredMixin,
-    UpdateView,
-):
-    """Update certificatekeypair"""
-
-    model = CertificateKeyPair
-    form_class = CertificateKeyPairForm
-    permission_required = "authentik_crypto.change_certificatekeypair"
-
-    template_name = "generic/update.html"
-    success_url = reverse_lazy("authentik_core:shell")
-    success_message = _("Successfully updated Certificate-Key Pair")
-
-
-class CertificateKeyPairDeleteView(
-    LoginRequiredMixin, PermissionRequiredMixin, DeleteMessageView
-):
-    """Delete certificatekeypair"""
-
-    model = CertificateKeyPair
-    permission_required = "authentik_crypto.delete_certificatekeypair"
-
-    template_name = "generic/delete.html"
-    success_url = reverse_lazy("authentik_core:shell")
-    success_message = _("Successfully deleted Certificate-Key Pair")

authentik/admin/views/events_notifications_rules.py

@@ -1,61 +0,0 @@
-"""authentik NotificationRule administration"""
-from django.contrib.auth.mixins import LoginRequiredMixin
-from django.contrib.auth.mixins import (
-    PermissionRequiredMixin as DjangoPermissionRequiredMixin,
-)
-from django.contrib.messages.views import SuccessMessageMixin
-from django.utils.translation import gettext as _
-from django.views.generic import UpdateView
-from guardian.mixins import PermissionRequiredMixin
-
-from authentik.admin.views.utils import DeleteMessageView
-from authentik.events.forms import NotificationRuleForm
-from authentik.events.models import NotificationRule
-from authentik.lib.views import CreateAssignPermView
-
-
-class NotificationRuleCreateView(
-    SuccessMessageMixin,
-    LoginRequiredMixin,
-    DjangoPermissionRequiredMixin,
-    CreateAssignPermView,
-):
-    """Create new NotificationRule"""
-
-    model = NotificationRule
-    form_class = NotificationRuleForm
-    permission_required = "authentik_events.add_NotificationRule"
-
-    success_url = "/"
-    template_name = "generic/create.html"
-    success_message = _("Successfully created Notification Rule")
-
-
-class NotificationRuleUpdateView(
-    SuccessMessageMixin,
-    LoginRequiredMixin,
-    PermissionRequiredMixin,
-    UpdateView,
-):
-    """Update application"""
-
-    model = NotificationRule
-    form_class = NotificationRuleForm
-    permission_required = "authentik_events.change_NotificationRule"
-
-    success_url = "/"
-    template_name = "generic/update.html"
-    success_message = _("Successfully updated Notification Rule")
-
-
-class NotificationRuleDeleteView(
-    LoginRequiredMixin, PermissionRequiredMixin, DeleteMessageView
-):
-    """Delete application"""
-
-    model = NotificationRule
-    permission_required = "authentik_events.delete_NotificationRule"
-
-    success_url = "/"
-    template_name = "generic/delete.html"
-    success_message = _("Successfully deleted Notification Rule")

authentik/admin/views/events_notifications_transports.py

@@ -1,58 +0,0 @@
-"""authentik NotificationTransport administration"""
-from django.contrib.auth.mixins import LoginRequiredMixin
-from django.contrib.auth.mixins import (
-    PermissionRequiredMixin as DjangoPermissionRequiredMixin,
-)
-from django.contrib.messages.views import SuccessMessageMixin
-from django.utils.translation import gettext as _
-from django.views.generic import UpdateView
-from guardian.mixins import PermissionRequiredMixin
-
-from authentik.admin.views.utils import DeleteMessageView
-from authentik.events.forms import NotificationTransportForm
-from authentik.events.models import NotificationTransport
-from authentik.lib.views import CreateAssignPermView
-
-
-class NotificationTransportCreateView(
-    SuccessMessageMixin,
-    LoginRequiredMixin,
-    DjangoPermissionRequiredMixin,
-    CreateAssignPermView,
-):
-    """Create new NotificationTransport"""
-
-    model = NotificationTransport
-    form_class = NotificationTransportForm
-    permission_required = "authentik_events.add_notificationtransport"
-    success_url = "/"
-    template_name = "generic/create.html"
-    success_message = _("Successfully created Notification Transport")
-
-
-class NotificationTransportUpdateView(
-    SuccessMessageMixin,
-    LoginRequiredMixin,
-    PermissionRequiredMixin,
-    UpdateView,
-):
-    """Update application"""
-
-    model = NotificationTransport
-    form_class = NotificationTransportForm
-    permission_required = "authentik_events.change_notificationtransport"
-    success_url = "/"
-    template_name = "generic/update.html"
-    success_message = _("Successfully updated Notification Transport")
-
-
-class NotificationTransportDeleteView(
-    LoginRequiredMixin, PermissionRequiredMixin, DeleteMessageView
-):
-    """Delete application"""
-
-    model = NotificationTransport
-    permission_required = "authentik_events.delete_notificationtransport"
-    success_url = "/"
-    template_name = "generic/delete.html"
-    success_message = _("Successfully deleted Notification Transport")

authentik/admin/views/flows.py

@@ -1,138 +0,0 @@
-"""authentik Flow administration"""
-from django.contrib import messages
-from django.contrib.auth.mixins import LoginRequiredMixin
-from django.contrib.auth.mixins import (
-    PermissionRequiredMixin as DjangoPermissionRequiredMixin,
-)
-from django.contrib.messages.views import SuccessMessageMixin
-from django.http import HttpRequest, HttpResponse, JsonResponse
-from django.urls import reverse_lazy
-from django.utils.translation import gettext as _
-from django.views.generic import DetailView, FormView, UpdateView
-from guardian.mixins import PermissionRequiredMixin
-
-from authentik.admin.views.utils import DeleteMessageView
-from authentik.flows.exceptions import FlowNonApplicableException
-from authentik.flows.forms import FlowForm, FlowImportForm
-from authentik.flows.models import Flow
-from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
-from authentik.flows.transfer.common import DataclassEncoder
-from authentik.flows.transfer.exporter import FlowExporter
-from authentik.flows.transfer.importer import FlowImporter
-from authentik.flows.views import SESSION_KEY_PLAN, FlowPlanner
-from authentik.lib.utils.urls import redirect_with_qs
-from authentik.lib.views import CreateAssignPermView, bad_request_message
-
-
-class FlowCreateView(
-    SuccessMessageMixin,
-    LoginRequiredMixin,
-    DjangoPermissionRequiredMixin,
-    CreateAssignPermView,
-):
-    """Create new Flow"""
-
-    model = Flow
-    form_class = FlowForm
-    permission_required = "authentik_flows.add_flow"
-
-    template_name = "generic/create.html"
-    success_url = reverse_lazy("authentik_core:shell")
-    success_message = _("Successfully created Flow")
-
-
-class FlowUpdateView(
-    SuccessMessageMixin,
-    LoginRequiredMixin,
-    PermissionRequiredMixin,
-    UpdateView,
-):
-    """Update flow"""
-
-    model = Flow
-    form_class = FlowForm
-    permission_required = "authentik_flows.change_flow"
-
-    template_name = "generic/update.html"
-    success_url = reverse_lazy("authentik_core:shell")
-    success_message = _("Successfully updated Flow")
-
-
-class FlowDeleteView(LoginRequiredMixin, PermissionRequiredMixin, DeleteMessageView):
-    """Delete flow"""
-
-    model = Flow
-    permission_required = "authentik_flows.delete_flow"
-
-    template_name = "generic/delete.html"
-    success_url = reverse_lazy("authentik_core:shell")
-    success_message = _("Successfully deleted Flow")
-
-
-class FlowDebugExecuteView(LoginRequiredMixin, PermissionRequiredMixin, DetailView):
-    """Debug exectue flow, setting the current user as pending user"""
-
-    model = Flow
-    permission_required = "authentik_flows.view_flow"
-
-    # pylint: disable=unused-argument
-    def get(self, request: HttpRequest, pk: str) -> HttpResponse:
-        """Debug exectue flow, setting the current user as pending user"""
-        flow: Flow = self.get_object()
-        planner = FlowPlanner(flow)
-        planner.use_cache = False
-        try:
-            plan = planner.plan(self.request, {PLAN_CONTEXT_PENDING_USER: request.user})
-            self.request.session[SESSION_KEY_PLAN] = plan
-        except FlowNonApplicableException as exc:
-            return bad_request_message(
-                request,
-                _(
-                    "Flow not applicable to current user/request: %(messages)s"
-                    % {"messages": str(exc)}
-                ),
-            )
-        return redirect_with_qs(
-            "authentik_flows:flow-executor-shell",
-            self.request.GET,
-            flow_slug=flow.slug,
-        )
-
-
-class FlowImportView(LoginRequiredMixin, FormView):
-    """Import flow from JSON Export; only allowed for superusers
-    as these flows can contain python code"""
-
-    form_class = FlowImportForm
-    template_name = "administration/flow/import.html"
-    success_url = reverse_lazy("authentik_core:shell")
-
-    def dispatch(self, request, *args, **kwargs):
-        if not request.user.is_superuser:
-            return self.handle_no_permission()
-        return super().dispatch(request, *args, **kwargs)
-
-    def form_valid(self, form: FlowImportForm) -> HttpResponse:
-        importer = FlowImporter(form.cleaned_data["flow"].read().decode())
-        successful = importer.apply()
-        if not successful:
-            messages.error(self.request, _("Failed to import flow."))
-        else:
-            messages.success(self.request, _("Successfully imported flow."))
-        return super().form_valid(form)
-
-
-class FlowExportView(LoginRequiredMixin, PermissionRequiredMixin, DetailView):
-    """Export Flow"""
-
-    model = Flow
-    permission_required = "authentik_flows.export_flow"
-
-    # pylint: disable=unused-argument
-    def get(self, request: HttpRequest, pk: str) -> HttpResponse:
-        """Debug exectue flow, setting the current user as pending user"""
-        flow: Flow = self.get_object()
-        exporter = FlowExporter(flow)
-        response = JsonResponse(exporter.export(), encoder=DataclassEncoder, safe=False)
-        response["Content-Disposition"] = f'attachment; filename="{flow.slug}.akflow"'
-        return response

authentik/admin/views/groups.py

@@ -1,60 +0,0 @@
-"""authentik Group administration"""
-from django.contrib.auth.mixins import LoginRequiredMixin
-from django.contrib.auth.mixins import (
-    PermissionRequiredMixin as DjangoPermissionRequiredMixin,
-)
-from django.contrib.messages.views import SuccessMessageMixin
-from django.urls import reverse_lazy
-from django.utils.translation import gettext as _
-from django.views.generic import UpdateView
-from guardian.mixins import PermissionRequiredMixin
-
-from authentik.admin.views.utils import DeleteMessageView
-from authentik.core.forms.groups import GroupForm
-from authentik.core.models import Group
-from authentik.lib.views import CreateAssignPermView
-
-
-class GroupCreateView(
-    SuccessMessageMixin,
-    LoginRequiredMixin,
-    DjangoPermissionRequiredMixin,
-    CreateAssignPermView,
-):
-    """Create new Group"""
-
-    model = Group
-    form_class = GroupForm
-    permission_required = "authentik_core.add_group"
-
-    template_name = "generic/create.html"
-    success_url = reverse_lazy("authentik_core:shell")
-    success_message = _("Successfully created Group")
-
-
-class GroupUpdateView(
-    SuccessMessageMixin,
-    LoginRequiredMixin,
-    PermissionRequiredMixin,
-    UpdateView,
-):
-    """Update group"""
-
-    model = Group
-    form_class = GroupForm
-    permission_required = "authentik_core.change_group"
-
-    template_name = "generic/update.html"
-    success_url = reverse_lazy("authentik_core:shell")
-    success_message = _("Successfully updated Group")
-
-
-class GroupDeleteView(LoginRequiredMixin, PermissionRequiredMixin, DeleteMessageView):
-    """Delete group"""
-
-    model = Group
-    permission_required = "authentik_flows.delete_group"
-
-    template_name = "generic/delete.html"
-    success_url = reverse_lazy("authentik_core:shell")
-    success_message = _("Successfully deleted Group")

authentik/admin/views/outposts.py

@@ -1,66 +0,0 @@
-"""authentik Outpost administration"""
-from dataclasses import asdict
-from typing import Any
-
-from django.contrib.auth.mixins import LoginRequiredMixin
-from django.contrib.auth.mixins import (
-    PermissionRequiredMixin as DjangoPermissionRequiredMixin,
-)
-from django.contrib.messages.views import SuccessMessageMixin
-from django.utils.translation import gettext as _
-from django.views.generic import UpdateView
-from guardian.mixins import PermissionRequiredMixin
-
-from authentik.admin.views.utils import DeleteMessageView
-from authentik.lib.views import CreateAssignPermView
-from authentik.outposts.forms import OutpostForm
-from authentik.outposts.models import Outpost, OutpostConfig
-
-
-class OutpostCreateView(
-    SuccessMessageMixin,
-    LoginRequiredMixin,
-    DjangoPermissionRequiredMixin,
-    CreateAssignPermView,
-):
-    """Create new Outpost"""
-
-    model = Outpost
-    form_class = OutpostForm
-    permission_required = "authentik_outposts.add_outpost"
-    success_url = "/"
-    template_name = "generic/create.html"
-    success_message = _("Successfully created Outpost")
-
-    def get_initial(self) -> dict[str, Any]:
-        return {
-            "_config": asdict(
-                OutpostConfig(authentik_host=self.request.build_absolute_uri("/"))
-            )
-        }
-
-
-class OutpostUpdateView(
-    SuccessMessageMixin,
-    LoginRequiredMixin,
-    PermissionRequiredMixin,
-    UpdateView,
-):
-    """Update outpost"""
-
-    model = Outpost
-    form_class = OutpostForm
-    permission_required = "authentik_outposts.change_outpost"
-    success_url = "/"
-    template_name = "generic/update.html"
-    success_message = _("Successfully updated Outpost")
-
-
-class OutpostDeleteView(LoginRequiredMixin, PermissionRequiredMixin, DeleteMessageView):
-    """Delete outpost"""
-
-    model = Outpost
-    permission_required = "authentik_outposts.delete_outpost"
-    success_url = "/"
-    template_name = "generic/delete.html"
-    success_message = _("Successfully deleted Outpost")

authentik/admin/views/outposts_service_connections.py

@@ -1,61 +0,0 @@
-"""authentik OutpostServiceConnection administration"""
-from django.contrib.auth.mixins import LoginRequiredMixin
-from django.contrib.auth.mixins import (
-    PermissionRequiredMixin as DjangoPermissionRequiredMixin,
-)
-from django.contrib.messages.views import SuccessMessageMixin
-from django.urls import reverse_lazy
-from django.utils.translation import gettext as _
-from guardian.mixins import PermissionRequiredMixin
-
-from authentik.admin.views.utils import (
-    DeleteMessageView,
-    InheritanceCreateView,
-    InheritanceUpdateView,
-)
-from authentik.outposts.models import OutpostServiceConnection
-
-
-class OutpostServiceConnectionCreateView(
-    SuccessMessageMixin,
-    LoginRequiredMixin,
-    DjangoPermissionRequiredMixin,
-    InheritanceCreateView,
-):
-    """Create new OutpostServiceConnection"""
-
-    model = OutpostServiceConnection
-    permission_required = "authentik_outposts.add_outpostserviceconnection"
-
-    template_name = "generic/create.html"
-    success_url = reverse_lazy("authentik_core:shell")
-    success_message = _("Successfully created Outpost Service Connection")
-
-
-class OutpostServiceConnectionUpdateView(
-    SuccessMessageMixin,
-    LoginRequiredMixin,
-    PermissionRequiredMixin,
-    InheritanceUpdateView,
-):
-    """Update outpostserviceconnection"""
-
-    model = OutpostServiceConnection
-    permission_required = "authentik_outposts.change_outpostserviceconnection"
-
-    template_name = "generic/update.html"
-    success_url = reverse_lazy("authentik_core:shell")
-    success_message = _("Successfully updated Outpost Service Connection")
-
-
-class OutpostServiceConnectionDeleteView(
-    LoginRequiredMixin, PermissionRequiredMixin, DeleteMessageView
-):
-    """Delete outpostserviceconnection"""
-
-    model = OutpostServiceConnection
-    permission_required = "authentik_outposts.delete_outpostserviceconnection"
-
-    template_name = "generic/delete.html"
-    success_url = reverse_lazy("authentik_core:shell")
-    success_message = _("Successfully deleted Outpost Service Connection")

authentik/admin/views/overview.py

@@ -1,47 +0,0 @@
-"""authentik administration overview"""
-from django.contrib.messages.views import SuccessMessageMixin
-from django.core.cache import cache
-from django.http.request import HttpRequest
-from django.http.response import HttpResponse
-from django.utils.translation import gettext as _
-from django.views.generic import FormView
-from structlog.stdlib import get_logger
-
-from authentik.admin.forms.overview import FlowCacheClearForm, PolicyCacheClearForm
-from authentik.admin.mixins import AdminRequiredMixin
-from authentik.core.api.applications import user_app_cache_key
-
-LOGGER = get_logger()
-
-
-class PolicyCacheClearView(AdminRequiredMixin, SuccessMessageMixin, FormView):
-    """View to clear Policy cache"""
-
-    form_class = PolicyCacheClearForm
-    success_url = "/"
-    template_name = "generic/form_non_model.html"
-    success_message = _("Successfully cleared Policy cache")
-
-    def post(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
-        keys = cache.keys("policy_*")
-        cache.delete_many(keys)
-        LOGGER.debug("Cleared Policy cache", keys=len(keys))
-        # Also delete user application cache
-        keys = cache.keys(user_app_cache_key("*"))
-        cache.delete_many(keys)
-        return super().post(request, *args, **kwargs)
-
-
-class FlowCacheClearView(AdminRequiredMixin, SuccessMessageMixin, FormView):
-    """View to clear Flow cache"""
-
-    form_class = FlowCacheClearForm
-    success_url = "/"
-    template_name = "generic/form_non_model.html"
-    success_message = _("Successfully cleared Flow cache")
-
-    def post(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
-        keys = cache.keys("flow_*")
-        cache.delete_many(keys)
-        LOGGER.debug("Cleared flow cache", keys=len(keys))
-        return super().post(request, *args, **kwargs)

authentik/admin/views/policies.py

@@ -1,104 +0,0 @@
-"""authentik Policy administration"""
-from typing import Any
-
-from django.contrib.auth.mixins import LoginRequiredMixin
-from django.contrib.auth.mixins import (
-    PermissionRequiredMixin as DjangoPermissionRequiredMixin,
-)
-from django.contrib.messages.views import SuccessMessageMixin
-from django.http import HttpResponse
-from django.urls import reverse_lazy
-from django.utils.translation import gettext as _
-from django.views.generic import FormView
-from django.views.generic.detail import DetailView
-from guardian.mixins import PermissionRequiredMixin
-
-from authentik.admin.forms.policies import PolicyTestForm
-from authentik.admin.views.utils import (
-    DeleteMessageView,
-    InheritanceCreateView,
-    InheritanceUpdateView,
-)
-from authentik.policies.models import Policy, PolicyBinding
-from authentik.policies.process import PolicyProcess, PolicyRequest
-
-
-class PolicyCreateView(
-    SuccessMessageMixin,
-    LoginRequiredMixin,
-    DjangoPermissionRequiredMixin,
-    InheritanceCreateView,
-):
-    """Create new Policy"""
-
-    model = Policy
-    permission_required = "authentik_policies.add_policy"
-
-    template_name = "generic/create.html"
-    success_url = reverse_lazy("authentik_core:shell")
-    success_message = _("Successfully created Policy")
-
-
-class PolicyUpdateView(
-    SuccessMessageMixin,
-    LoginRequiredMixin,
-    PermissionRequiredMixin,
-    InheritanceUpdateView,
-):
-    """Update policy"""
-
-    model = Policy
-    permission_required = "authentik_policies.change_policy"
-
-    template_name = "generic/update.html"
-    success_url = reverse_lazy("authentik_core:shell")
-    success_message = _("Successfully updated Policy")
-
-
-class PolicyDeleteView(LoginRequiredMixin, PermissionRequiredMixin, DeleteMessageView):
-    """Delete policy"""
-
-    model = Policy
-    permission_required = "authentik_policies.delete_policy"
-
-    template_name = "generic/delete.html"
-    success_url = reverse_lazy("authentik_core:shell")
-    success_message = _("Successfully deleted Policy")
-
-
-class PolicyTestView(LoginRequiredMixin, DetailView, PermissionRequiredMixin, FormView):
-    """View to test policy(s)"""
-
-    model = Policy
-    form_class = PolicyTestForm
-    permission_required = "authentik_policies.view_policy"
-    template_name = "administration/policy/test.html"
-    object = None
-
-    def get_object(self, queryset=None) -> Policy:
-        return (
-            Policy.objects.filter(pk=self.kwargs.get("pk")).select_subclasses().first()
-        )
-
-    def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
-        kwargs["policy"] = self.get_object()
-        return super().get_context_data(**kwargs)
-
-    def post(self, *args, **kwargs) -> HttpResponse:
-        self.object = self.get_object()
-        return super().post(*args, **kwargs)
-
-    def form_valid(self, form: PolicyTestForm) -> HttpResponse:
-        policy = self.get_object()
-        user = form.cleaned_data.get("user")
-
-        p_request = PolicyRequest(user)
-        p_request.debug = True
-        p_request.set_http_request(self.request)
-        p_request.context = form.cleaned_data.get("context", {})
-
-        proc = PolicyProcess(PolicyBinding(policy=policy), p_request, None)
-        result = proc.execute()
-        context = self.get_context_data(form=form)
-        context["result"] = result
-        return self.render_to_response(context)

authentik/admin/views/policies_bindings.py

@@ -1,81 +0,0 @@
-"""authentik PolicyBinding administration"""
-from typing import Any
-
-from django.contrib.auth.mixins import LoginRequiredMixin
-from django.contrib.auth.mixins import (
-    PermissionRequiredMixin as DjangoPermissionRequiredMixin,
-)
-from django.contrib.messages.views import SuccessMessageMixin
-from django.db.models import Max
-from django.urls import reverse_lazy
-from django.utils.translation import gettext as _
-from django.views.generic import UpdateView
-from guardian.mixins import PermissionRequiredMixin
-
-from authentik.admin.views.utils import DeleteMessageView
-from authentik.lib.views import CreateAssignPermView
-from authentik.policies.forms import PolicyBindingForm
-from authentik.policies.models import PolicyBinding, PolicyBindingModel
-
-
-class PolicyBindingCreateView(
-    SuccessMessageMixin,
-    LoginRequiredMixin,
-    DjangoPermissionRequiredMixin,
-    CreateAssignPermView,
-):
-    """Create new PolicyBinding"""
-
-    model = PolicyBinding
-    permission_required = "authentik_policies.add_policybinding"
-    form_class = PolicyBindingForm
-
-    template_name = "generic/create.html"
-    success_url = reverse_lazy("authentik_core:shell")
-    success_message = _("Successfully created PolicyBinding")
-
-    def get_initial(self) -> dict[str, Any]:
-        if "target" in self.request.GET:
-            initial_target_pk = self.request.GET["target"]
-            targets = PolicyBindingModel.objects.filter(
-                pk=initial_target_pk
-            ).select_subclasses()
-            if not targets.exists():
-                return {}
-            max_order = PolicyBinding.objects.filter(target=targets.first()).aggregate(
-                Max("order")
-            )["order__max"]
-            if not isinstance(max_order, int):
-                max_order = -1
-            return {"target": targets.first(), "order": max_order + 1}
-        return super().get_initial()
-
-
-class PolicyBindingUpdateView(
-    SuccessMessageMixin,
-    LoginRequiredMixin,
-    PermissionRequiredMixin,
-    UpdateView,
-):
-    """Update policybinding"""
-
-    model = PolicyBinding
-    permission_required = "authentik_policies.change_policybinding"
-    form_class = PolicyBindingForm
-
-    template_name = "generic/update.html"
-    success_url = reverse_lazy("authentik_core:shell")
-    success_message = _("Successfully updated PolicyBinding")
-
-
-class PolicyBindingDeleteView(
-    LoginRequiredMixin, PermissionRequiredMixin, DeleteMessageView
-):
-    """Delete policybinding"""
-
-    model = PolicyBinding
-    permission_required = "authentik_policies.delete_policybinding"
-
-    template_name = "generic/delete.html"
-    success_url = reverse_lazy("authentik_core:shell")
-    success_message = _("Successfully deleted PolicyBinding")

authentik/admin/views/property_mappings.py

@@ -1,105 +0,0 @@
-"""authentik PropertyMapping administration"""
-from json import dumps
-from typing import Any
-
-from django.contrib.auth.mixins import LoginRequiredMixin
-from django.contrib.auth.mixins import (
-    PermissionRequiredMixin as DjangoPermissionRequiredMixin,
-)
-from django.contrib.messages.views import SuccessMessageMixin
-from django.http import HttpResponse
-from django.utils.translation import gettext as _
-from django.views.generic import FormView
-from django.views.generic.detail import DetailView
-from guardian.mixins import PermissionRequiredMixin
-
-from authentik.admin.forms.policies import PolicyTestForm
-from authentik.admin.views.utils import (
-    DeleteMessageView,
-    InheritanceCreateView,
-    InheritanceUpdateView,
-)
-from authentik.core.models import PropertyMapping
-
-
-class PropertyMappingCreateView(
-    SuccessMessageMixin,
-    LoginRequiredMixin,
-    DjangoPermissionRequiredMixin,
-    InheritanceCreateView,
-):
-    """Create new PropertyMapping"""
-
-    model = PropertyMapping
-    permission_required = "authentik_core.add_propertymapping"
-    success_url = "/"
-    template_name = "generic/create.html"
-    success_message = _("Successfully created Property Mapping")
-
-
-class PropertyMappingUpdateView(
-    SuccessMessageMixin,
-    LoginRequiredMixin,
-    PermissionRequiredMixin,
-    InheritanceUpdateView,
-):
-    """Update property_mapping"""
-
-    model = PropertyMapping
-    permission_required = "authentik_core.change_propertymapping"
-    success_url = "/"
-    template_name = "generic/update.html"
-    success_message = _("Successfully updated Property Mapping")
-
-
-class PropertyMappingDeleteView(
-    LoginRequiredMixin, PermissionRequiredMixin, DeleteMessageView
-):
-    """Delete property_mapping"""
-
-    model = PropertyMapping
-    permission_required = "authentik_core.delete_propertymapping"
-    success_url = "/"
-    template_name = "generic/delete.html"
-    success_message = _("Successfully deleted Property Mapping")
-
-
-class PropertyMappingTestView(
-    LoginRequiredMixin, DetailView, PermissionRequiredMixin, FormView
-):
-    """View to test property mappings"""
-
-    model = PropertyMapping
-    form_class = PolicyTestForm
-    permission_required = "authentik_core.view_propertymapping"
-    template_name = "administration/property_mapping/test.html"
-    object = None
-
-    def get_object(self, queryset=None) -> PropertyMapping:
-        return (
-            PropertyMapping.objects.filter(pk=self.kwargs.get("pk"))
-            .select_subclasses()
-            .first()
-        )
-
-    def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
-        kwargs["property_mapping"] = self.get_object()
-        return super().get_context_data(**kwargs)
-
-    def post(self, *args, **kwargs) -> HttpResponse:
-        self.object = self.get_object()
-        return super().post(*args, **kwargs)
-
-    def form_valid(self, form: PolicyTestForm) -> HttpResponse:
-        mapping = self.get_object()
-        user = form.cleaned_data.get("user")
-
-        context = self.get_context_data(form=form)
-        try:
-            result = mapping.evaluate(
-                user, self.request, **form.cleaned_data.get("context", {})
-            )
-            context["result"] = dumps(result, indent=4)
-        except Exception as exc:  # pylint: disable=broad-except
-            context["result"] = str(exc)
-        return self.render_to_response(context)

authentik/admin/views/providers.py

@@ -1,57 +0,0 @@
-"""authentik Provider administration"""
-from django.contrib.auth.mixins import LoginRequiredMixin
-from django.contrib.auth.mixins import (
-    PermissionRequiredMixin as DjangoPermissionRequiredMixin,
-)
-from django.contrib.messages.views import SuccessMessageMixin
-from django.utils.translation import gettext as _
-from guardian.mixins import PermissionRequiredMixin
-
-from authentik.admin.views.utils import (
-    DeleteMessageView,
-    InheritanceCreateView,
-    InheritanceUpdateView,
-)
-from authentik.core.models import Provider
-
-
-class ProviderCreateView(
-    SuccessMessageMixin,
-    LoginRequiredMixin,
-    DjangoPermissionRequiredMixin,
-    InheritanceCreateView,
-):
-    """Create new Provider"""
-
-    model = Provider
-    permission_required = "authentik_core.add_provider"
-    success_url = "/"
-    template_name = "generic/create.html"
-    success_message = _("Successfully created Provider")
-
-
-class ProviderUpdateView(
-    SuccessMessageMixin,
-    LoginRequiredMixin,
-    PermissionRequiredMixin,
-    InheritanceUpdateView,
-):
-    """Update provider"""
-
-    model = Provider
-    permission_required = "authentik_core.change_provider"
-    success_url = "/"
-    template_name = "generic/update.html"
-    success_message = _("Successfully updated Provider")
-
-
-class ProviderDeleteView(
-    LoginRequiredMixin, PermissionRequiredMixin, DeleteMessageView
-):
-    """Delete provider"""
-
-    model = Provider
-    permission_required = "authentik_core.delete_provider"
-    success_url = "/"
-    template_name = "generic/delete.html"
-    success_message = _("Successfully deleted Provider")

authentik/admin/views/sources.py

@@ -1,58 +0,0 @@
-"""authentik Source administration"""
-from django.contrib.auth.mixins import LoginRequiredMixin
-from django.contrib.auth.mixins import (
-    PermissionRequiredMixin as DjangoPermissionRequiredMixin,
-)
-from django.contrib.messages.views import SuccessMessageMixin
-from django.utils.translation import gettext as _
-from guardian.mixins import PermissionRequiredMixin
-
-from authentik.admin.views.utils import (
-    DeleteMessageView,
-    InheritanceCreateView,
-    InheritanceUpdateView,
-)
-from authentik.core.models import Source
-
-
-class SourceCreateView(
-    SuccessMessageMixin,
-    LoginRequiredMixin,
-    DjangoPermissionRequiredMixin,
-    InheritanceCreateView,
-):
-    """Create new Source"""
-
-    model = Source
-    permission_required = "authentik_core.add_source"
-
-    success_url = "/"
-    template_name = "generic/create.html"
-    success_message = _("Successfully created Source")
-
-
-class SourceUpdateView(
-    SuccessMessageMixin,
-    LoginRequiredMixin,
-    PermissionRequiredMixin,
-    InheritanceUpdateView,
-):
-    """Update source"""
-
-    model = Source
-    permission_required = "authentik_core.change_source"
-
-    success_url = "/"
-    template_name = "generic/update.html"
-    success_message = _("Successfully updated Source")
-
-
-class SourceDeleteView(LoginRequiredMixin, PermissionRequiredMixin, DeleteMessageView):
-    """Delete source"""
-
-    model = Source
-    permission_required = "authentik_core.delete_source"
-
-    success_url = "/"
-    template_name = "generic/delete.html"
-    success_message = _("Successfully deleted Source")

authentik/admin/views/stages.py

@@ -1,57 +0,0 @@
-"""authentik Stage administration"""
-from django.contrib.auth.mixins import LoginRequiredMixin
-from django.contrib.auth.mixins import (
-    PermissionRequiredMixin as DjangoPermissionRequiredMixin,
-)
-from django.contrib.messages.views import SuccessMessageMixin
-from django.urls import reverse_lazy
-from django.utils.translation import gettext as _
-from guardian.mixins import PermissionRequiredMixin
-
-from authentik.admin.views.utils import (
-    DeleteMessageView,
-    InheritanceCreateView,
-    InheritanceUpdateView,
-)
-from authentik.flows.models import Stage
-
-
-class StageCreateView(
-    SuccessMessageMixin,
-    LoginRequiredMixin,
-    DjangoPermissionRequiredMixin,
-    InheritanceCreateView,
-):
-    """Create new Stage"""
-
-    model = Stage
-    template_name = "generic/create.html"
-    permission_required = "authentik_flows.add_stage"
-
-    success_url = reverse_lazy("authentik_core:shell")
-    success_message = _("Successfully created Stage")
-
-
-class StageUpdateView(
-    SuccessMessageMixin,
-    LoginRequiredMixin,
-    PermissionRequiredMixin,
-    InheritanceUpdateView,
-):
-    """Update stage"""
-
-    model = Stage
-    permission_required = "authentik_flows.update_application"
-    template_name = "generic/update.html"
-    success_url = reverse_lazy("authentik_core:shell")
-    success_message = _("Successfully updated Stage")
-
-
-class StageDeleteView(LoginRequiredMixin, PermissionRequiredMixin, DeleteMessageView):
-    """Delete stage"""
-
-    model = Stage
-    template_name = "generic/delete.html"
-    permission_required = "authentik_flows.delete_stage"
-    success_url = reverse_lazy("authentik_core:shell")
-    success_message = _("Successfully deleted Stage")

authentik/admin/views/stages_bindings.py

@@ -1,79 +0,0 @@
-"""authentik StageBinding administration"""
-from typing import Any
-
-from django.contrib.auth.mixins import LoginRequiredMixin
-from django.contrib.auth.mixins import (
-    PermissionRequiredMixin as DjangoPermissionRequiredMixin,
-)
-from django.contrib.messages.views import SuccessMessageMixin
-from django.db.models import Max
-from django.urls import reverse_lazy
-from django.utils.translation import gettext as _
-from django.views.generic import UpdateView
-from guardian.mixins import PermissionRequiredMixin
-
-from authentik.admin.views.utils import DeleteMessageView
-from authentik.flows.forms import FlowStageBindingForm
-from authentik.flows.models import Flow, FlowStageBinding
-from authentik.lib.views import CreateAssignPermView
-
-
-class StageBindingCreateView(
-    SuccessMessageMixin,
-    LoginRequiredMixin,
-    DjangoPermissionRequiredMixin,
-    CreateAssignPermView,
-):
-    """Create new StageBinding"""
-
-    model = FlowStageBinding
-    permission_required = "authentik_flows.add_flowstagebinding"
-    form_class = FlowStageBindingForm
-
-    template_name = "generic/create.html"
-    success_url = reverse_lazy("authentik_core:shell")
-    success_message = _("Successfully created StageBinding")
-
-    def get_initial(self) -> dict[str, Any]:
-        if "target" in self.request.GET:
-            initial_target_pk = self.request.GET["target"]
-            targets = Flow.objects.filter(pk=initial_target_pk).select_subclasses()
-            if not targets.exists():
-                return {}
-            max_order = FlowStageBinding.objects.filter(
-                target=targets.first()
-            ).aggregate(Max("order"))["order__max"]
-            if not isinstance(max_order, int):
-                max_order = -1
-            return {"target": targets.first(), "order": max_order + 1}
-        return super().get_initial()
-
-
-class StageBindingUpdateView(
-    SuccessMessageMixin,
-    LoginRequiredMixin,
-    PermissionRequiredMixin,
-    UpdateView,
-):
-    """Update FlowStageBinding"""
-
-    model = FlowStageBinding
-    permission_required = "authentik_flows.change_flowstagebinding"
-    form_class = FlowStageBindingForm
-
-    template_name = "generic/update.html"
-    success_url = reverse_lazy("authentik_core:shell")
-    success_message = _("Successfully updated StageBinding")
-
-
-class StageBindingDeleteView(
-    LoginRequiredMixin, PermissionRequiredMixin, DeleteMessageView
-):
-    """Delete FlowStageBinding"""
-
-    model = FlowStageBinding
-    permission_required = "authentik_flows.delete_flowstagebinding"
-
-    template_name = "generic/delete.html"
-    success_url = reverse_lazy("authentik_core:shell")
-    success_message = _("Successfully deleted FlowStageBinding")

authentik/admin/views/stages_invitations.py

@@ -1,51 +0,0 @@
-"""authentik Invitation administration"""
-from django.contrib.auth.mixins import LoginRequiredMixin
-from django.contrib.auth.mixins import (
-    PermissionRequiredMixin as DjangoPermissionRequiredMixin,
-)
-from django.contrib.messages.views import SuccessMessageMixin
-from django.http import HttpResponseRedirect
-from django.urls import reverse_lazy
-from django.utils.translation import gettext as _
-from guardian.mixins import PermissionRequiredMixin
-
-from authentik.admin.views.utils import DeleteMessageView
-from authentik.lib.views import CreateAssignPermView
-from authentik.stages.invitation.forms import InvitationForm
-from authentik.stages.invitation.models import Invitation
-
-
-class InvitationCreateView(
-    SuccessMessageMixin,
-    LoginRequiredMixin,
-    DjangoPermissionRequiredMixin,
-    CreateAssignPermView,
-):
-    """Create new Invitation"""
-
-    model = Invitation
-    form_class = InvitationForm
-    permission_required = "authentik_stages_invitation.add_invitation"
-
-    template_name = "generic/create.html"
-    success_url = reverse_lazy("authentik_core:shell")
-    success_message = _("Successfully created Invitation")
-
-    def form_valid(self, form):
-        obj = form.save(commit=False)
-        obj.created_by = self.request.user
-        obj.save()
-        return HttpResponseRedirect(self.success_url)
-
-
-class InvitationDeleteView(
-    LoginRequiredMixin, PermissionRequiredMixin, DeleteMessageView
-):
-    """Delete invitation"""
-
-    model = Invitation
-    permission_required = "authentik_stages_invitation.delete_invitation"
-
-    template_name = "generic/delete.html"
-    success_url = reverse_lazy("authentik_core:shell")
-    success_message = _("Successfully deleted Invitation")

authentik/admin/views/stages_prompts.py

@@ -1,60 +0,0 @@
-"""authentik Prompt administration"""
-from django.contrib.auth.mixins import LoginRequiredMixin
-from django.contrib.auth.mixins import (
-    PermissionRequiredMixin as DjangoPermissionRequiredMixin,
-)
-from django.contrib.messages.views import SuccessMessageMixin
-from django.urls import reverse_lazy
-from django.utils.translation import gettext as _
-from django.views.generic import UpdateView
-from guardian.mixins import PermissionRequiredMixin
-
-from authentik.admin.views.utils import DeleteMessageView
-from authentik.lib.views import CreateAssignPermView
-from authentik.stages.prompt.forms import PromptAdminForm
-from authentik.stages.prompt.models import Prompt
-
-
-class PromptCreateView(
-    SuccessMessageMixin,
-    LoginRequiredMixin,
-    DjangoPermissionRequiredMixin,
-    CreateAssignPermView,
-):
-    """Create new Prompt"""
-
-    model = Prompt
-    form_class = PromptAdminForm
-    permission_required = "authentik_stages_prompt.add_prompt"
-
-    template_name = "generic/create.html"
-    success_url = reverse_lazy("authentik_core:shell")
-    success_message = _("Successfully created Prompt")
-
-
-class PromptUpdateView(
-    SuccessMessageMixin,
-    LoginRequiredMixin,
-    PermissionRequiredMixin,
-    UpdateView,
-):
-    """Update prompt"""
-
-    model = Prompt
-    form_class = PromptAdminForm
-    permission_required = "authentik_stages_prompt.change_prompt"
-
-    template_name = "generic/update.html"
-    success_url = reverse_lazy("authentik_core:shell")
-    success_message = _("Successfully updated Prompt")
-
-
-class PromptDeleteView(LoginRequiredMixin, PermissionRequiredMixin, DeleteMessageView):
-    """Delete prompt"""
-
-    model = Prompt
-    permission_required = "authentik_stages_prompt.delete_prompt"
-
-    template_name = "generic/delete.html"
-    success_url = reverse_lazy("authentik_core:shell")
-    success_message = _("Successfully deleted Prompt")

authentik/admin/views/tokens.py

@@ -1,19 +0,0 @@
-"""authentik Token administration"""
-from django.contrib.auth.mixins import LoginRequiredMixin
-from django.urls import reverse_lazy
-from django.utils.translation import gettext as _
-from guardian.mixins import PermissionRequiredMixin
-
-from authentik.admin.views.utils import DeleteMessageView
-from authentik.core.models import Token
-
-
-class TokenDeleteView(LoginRequiredMixin, PermissionRequiredMixin, DeleteMessageView):
-    """Delete token"""
-
-    model = Token
-    permission_required = "authentik_core.delete_token"
-
-    template_name = "generic/delete.html"
-    success_url = reverse_lazy("authentik_core:shell")
-    success_message = _("Successfully deleted Token")

authentik/admin/views/users.py

@@ -1,131 +0,0 @@
-"""authentik User administration"""
-from django.contrib import messages
-from django.contrib.auth.mixins import LoginRequiredMixin
-from django.contrib.auth.mixins import (
-    PermissionRequiredMixin as DjangoPermissionRequiredMixin,
-)
-from django.contrib.messages.views import SuccessMessageMixin
-from django.http import HttpRequest, HttpResponse
-from django.http.response import HttpResponseRedirect
-from django.shortcuts import redirect
-from django.urls import reverse_lazy
-from django.utils.http import urlencode
-from django.utils.translation import gettext as _
-from django.views.generic import DetailView, UpdateView
-from guardian.mixins import PermissionRequiredMixin
-
-from authentik.admin.forms.users import UserForm
-from authentik.admin.views.utils import DeleteMessageView
-from authentik.core.models import Token, User
-from authentik.lib.views import CreateAssignPermView
-
-
-class UserCreateView(
-    SuccessMessageMixin,
-    LoginRequiredMixin,
-    DjangoPermissionRequiredMixin,
-    CreateAssignPermView,
-):
-    """Create user"""
-
-    model = User
-    form_class = UserForm
-    permission_required = "authentik_core.add_user"
-
-    template_name = "generic/create.html"
-    success_url = reverse_lazy("authentik_core:shell")
-    success_message = _("Successfully created User")
-
-
-class UserUpdateView(
-    SuccessMessageMixin,
-    LoginRequiredMixin,
-    PermissionRequiredMixin,
-    UpdateView,
-):
-    """Update user"""
-
-    model = User
-    form_class = UserForm
-    permission_required = "authentik_core.change_user"
-
-    # By default the object's name is user which is used by other checks
-    context_object_name = "object"
-    template_name = "generic/update.html"
-    success_url = reverse_lazy("authentik_core:shell")
-    success_message = _("Successfully updated User")
-
-
-class UserDeleteView(LoginRequiredMixin, PermissionRequiredMixin, DeleteMessageView):
-    """Delete user"""
-
-    model = User
-    permission_required = "authentik_core.delete_user"
-
-    # By default the object's name is user which is used by other checks
-    context_object_name = "object"
-    template_name = "generic/delete.html"
-    success_url = reverse_lazy("authentik_core:shell")
-    success_message = _("Successfully deleted User")
-
-
-class UserDisableView(LoginRequiredMixin, PermissionRequiredMixin, DeleteMessageView):
-    """Disable user"""
-
-    object: User
-
-    model = User
-    permission_required = "authentik_core.update_user"
-
-    # By default the object's name is user which is used by other checks
-    context_object_name = "object"
-    template_name = "administration/user/disable.html"
-    success_url = reverse_lazy("authentik_core:shell")
-    success_message = _("Successfully disabled User")
-
-    def delete(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
-        self.object: User = self.get_object()
-        success_url = self.get_success_url()
-        self.object.is_active = False
-        self.object.save()
-        return HttpResponseRedirect(success_url)
-
-
-class UserEnableView(LoginRequiredMixin, PermissionRequiredMixin, DetailView):
-    """Enable user"""
-
-    object: User
-
-    model = User
-    permission_required = "authentik_core.update_user"
-
-    # By default the object's name is user which is used by other checks
-    context_object_name = "object"
-    success_url = reverse_lazy("authentik_core:shell")
-    success_message = _("Successfully enabled User")
-
-    def get(self, request: HttpRequest, *args, **kwargs):
-        self.object: User = self.get_object()
-        self.object.is_active = True
-        self.object.save()
-        return HttpResponseRedirect(self.success_url)
-
-
-class UserPasswordResetView(LoginRequiredMixin, PermissionRequiredMixin, DetailView):
-    """Get Password reset link for user"""
-
-    model = User
-    permission_required = "authentik_core.reset_user_password"
-
-    def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
-        """Create token for user and return link"""
-        super().get(request, *args, **kwargs)
-        token, __ = Token.objects.get_or_create(
-            identifier="password-reset-temp", user=self.object
-        )
-        querystring = urlencode({"token": token.key})
-        link = request.build_absolute_uri(
-            reverse_lazy("authentik_flows:default-recovery") + f"?{querystring}"
-        )
-        messages.success(request, _("Password reset link: %(link)s" % {"link": link}))
-        return redirect("/")

authentik/admin/views/utils.py

@@ -1,63 +0,0 @@
-"""authentik admin util views"""
-from typing import Any
-
-from django.contrib import messages
-from django.contrib.messages.views import SuccessMessageMixin
-from django.http import Http404
-from django.urls import reverse_lazy
-from django.views.generic import DeleteView, UpdateView
-
-from authentik.lib.utils.reflection import all_subclasses
-from authentik.lib.views import CreateAssignPermView
-
-
-class DeleteMessageView(SuccessMessageMixin, DeleteView):
-    """DeleteView which shows `self.success_message` on successful deletion"""
-
-    success_url = reverse_lazy("authentik_core:shell")
-
-    def delete(self, request, *args, **kwargs):
-        messages.success(self.request, self.success_message)
-        return super().delete(request, *args, **kwargs)
-
-
-class InheritanceCreateView(CreateAssignPermView):
-    """CreateView for objects using InheritanceManager"""
-
-    def get_form_class(self):
-        provider_type = self.request.GET.get("type")
-        try:
-            model = next(
-                x for x in all_subclasses(self.model) if x.__name__ == provider_type
-            )
-        except StopIteration as exc:
-            raise Http404 from exc
-        return model().form
-
-    def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
-        kwargs = super().get_context_data(**kwargs)
-        form_cls = self.get_form_class()
-        if hasattr(form_cls, "template_name"):
-            kwargs["base_template"] = form_cls.template_name
-        return kwargs
-
-
-class InheritanceUpdateView(UpdateView):
-    """UpdateView for objects using InheritanceManager"""
-
-    def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
-        kwargs = super().get_context_data(**kwargs)
-        form_cls = self.get_form_class()
-        if hasattr(form_cls, "template_name"):
-            kwargs["base_template"] = form_cls.template_name
-        return kwargs
-
-    def get_form_class(self):
-        return self.get_object().form
-
-    def get_object(self, queryset=None):
-        return (
-            self.model.objects.filter(pk=self.kwargs.get("pk"))
-            .select_subclasses()
-            .first()
-        )

authentik/api/auth.py

@@ -1,58 +0,0 @@
-"""API Authentication"""
-from base64 import b64decode
-from binascii import Error
-from typing import Any, Optional, Union
-
-from rest_framework.authentication import BaseAuthentication, get_authorization_header
-from rest_framework.request import Request
-from structlog.stdlib import get_logger
-
-from authentik.core.models import Token, TokenIntents, User
-
-LOGGER = get_logger()
-
-
-def token_from_header(raw_header: bytes) -> Optional[Token]:
-    """raw_header in the Format of `Basic dGVzdDp0ZXN0`"""
-    auth_credentials = raw_header.decode()
-    # Accept headers with Type format and without
-    if " " in auth_credentials:
-        auth_type, auth_credentials = auth_credentials.split()
-        if auth_type.lower() != "basic":
-            LOGGER.debug(
-                "Unsupported authentication type, denying", type=auth_type.lower()
-            )
-            return None
-    try:
-        auth_credentials = b64decode(auth_credentials.encode()).decode()
-    except (UnicodeDecodeError, Error):
-        return None
-    # Accept credentials with username and without
-    if ":" in auth_credentials:
-        _, password = auth_credentials.split(":")
-    else:
-        password = auth_credentials
-    if password == "":  # nosec
-        return None
-    tokens = Token.filter_not_expired(key=password, intent=TokenIntents.INTENT_API)
-    if not tokens.exists():
-        LOGGER.debug("Token not found")
-        return None
-    return tokens.first()
-
-
-class AuthentikTokenAuthentication(BaseAuthentication):
-    """Token-based authentication using HTTP Basic authentication"""
-
-    def authenticate(self, request: Request) -> Union[tuple[User, Any], None]:
-        """Token-based authentication using HTTP Basic authentication"""
-        auth = get_authorization_header(request)
-
-        token = token_from_header(auth)
-        if not token:
-            return None
-
-        return (token.user, None)
-
-    def authenticate_header(self, request: Request) -> str:
-        return 'Basic realm="authentik"'

authentik/api/authentication.py

@@ -0,0 +1,57 @@
+"""API Authentication"""
+from base64 import b64decode
+from binascii import Error
+from typing import Any, Optional, Union
+
+from rest_framework.authentication import BaseAuthentication, get_authorization_header
+from rest_framework.exceptions import AuthenticationFailed
+from rest_framework.request import Request
+from structlog.stdlib import get_logger
+
+from authentik.core.models import Token, TokenIntents, User
+
+LOGGER = get_logger()
+
+
+# pylint: disable=too-many-return-statements
+def token_from_header(raw_header: bytes) -> Optional[Token]:
+    """raw_header in the Format of `Bearer dGVzdDp0ZXN0`"""
+    auth_credentials = raw_header.decode()
+    if auth_credentials == "":
+        return None
+    auth_type, auth_credentials = auth_credentials.split()
+    if auth_type.lower() not in ["basic", "bearer"]:
+        LOGGER.debug("Unsupported authentication type, denying", type=auth_type.lower())
+        raise AuthenticationFailed("Unsupported authentication type")
+    password = auth_credentials
+    if auth_type.lower() == "basic":
+        try:
+            auth_credentials = b64decode(auth_credentials.encode()).decode()
+        except (UnicodeDecodeError, Error):
+            raise AuthenticationFailed("Malformed header")
+        # Accept credentials with username and without
+        if ":" in auth_credentials:
+            _, password = auth_credentials.split(":")
+        else:
+            password = auth_credentials
+    if password == "":  # nosec
+        raise AuthenticationFailed("Malformed header")
+    tokens = Token.filter_not_expired(key=password, intent=TokenIntents.INTENT_API)
+    if not tokens.exists():
+        raise AuthenticationFailed("Token invalid/expired")
+    return tokens.first()
+
+
+class TokenAuthentication(BaseAuthentication):
+    """Token-based authentication using HTTP Bearer authentication"""
+
+    def authenticate(self, request: Request) -> Union[tuple[User, Any], None]:
+        """Token-based authentication using HTTP Bearer authentication"""
+        auth = get_authorization_header(request)
+
+        token = token_from_header(auth)
+        # None is only returned when the header isn't set.
+        if not token:
+            return None
+
+        return (token.user, None)  # pragma: no cover

authentik/api/authorization.py

@@ -0,0 +1,35 @@
+"""API Authorization"""
+from django.db.models import Model
+from django.db.models.query import QuerySet
+from rest_framework.filters import BaseFilterBackend
+from rest_framework.permissions import BasePermission
+from rest_framework.request import Request
+
+
+class OwnerFilter(BaseFilterBackend):
+    """Filter objects by their owner"""
+
+    owner_key = "user"
+
+    def filter_queryset(self, request: Request, queryset: QuerySet, view) -> QuerySet:
+        return queryset.filter(**{self.owner_key: request.user})
+
+
+class OwnerPermissions(BasePermission):
+    """Authorize requests by an object's owner matching the requesting user"""
+
+    owner_key = "user"
+
+    def has_permission(self, request: Request, view) -> bool:
+        """If the user is authenticated, we allow all requests here. For listing, the
+        object-level permissions are done by the filter backend"""
+        return request.user.is_authenticated
+
+    def has_object_permission(self, request: Request, view, obj: Model) -> bool:
+        """Check if the object's owner matches the currently logged in user"""
+        if not hasattr(obj, self.owner_key):
+            return False
+        owner = getattr(obj, self.owner_key)
+        if owner != request.user:
+            return False
+        return True

authentik/api/decorators.py

@@ -0,0 +1,32 @@
+"""API Decorators"""
+from functools import wraps
+from typing import Callable, Optional
+
+from rest_framework.request import Request
+from rest_framework.response import Response
+from rest_framework.viewsets import ModelViewSet
+
+
+def permission_required(
+    perm: Optional[str] = None, other_perms: Optional[list[str]] = None
+):
+    """Check permissions for a single custom action"""
+
+    def wrapper_outter(func: Callable):
+        """Check permissions for a single custom action"""
+
+        @wraps(func)
+        def wrapper(self: ModelViewSet, request: Request, *args, **kwargs) -> Response:
+            if perm:
+                obj = self.get_object()
+                if not request.user.has_perm(perm, obj):
+                    return self.permission_denied(request)
+            if other_perms:
+                for other_perm in other_perms:
+                    if not request.user.has_perm(other_perm):
+                        return self.permission_denied(request)
+            return func(self, request, *args, **kwargs)
+
+        return wrapper
+
+    return wrapper_outter

authentik/api/pagination_schema.py

@@ -1,8 +1,8 @@
 """Swagger Pagination Schema class"""
 from typing import OrderedDict
 
-from drf_yasg2 import openapi
-from drf_yasg2.inspectors import PaginatorInspector
+from drf_yasg import openapi
+from drf_yasg.inspectors import PaginatorInspector
 
 
 class PaginationInspector(PaginatorInspector):

authentik/api/schema.py

@@ -0,0 +1,102 @@
+"""Error Response schema, from https://github.com/axnsan12/drf-yasg/issues/224"""
+from drf_yasg import openapi
+from drf_yasg.inspectors.view import SwaggerAutoSchema
+from drf_yasg.utils import force_real_str, is_list_view
+from rest_framework import exceptions, status
+from rest_framework.settings import api_settings
+
+
+class ErrorResponseAutoSchema(SwaggerAutoSchema):
+    """Inspector which includes an error schema"""
+
+    def get_generic_error_schema(self):
+        """Get a generic error schema"""
+        return openapi.Schema(
+            "Generic API Error",
+            type=openapi.TYPE_OBJECT,
+            properties={
+                "detail": openapi.Schema(
+                    type=openapi.TYPE_STRING, description="Error details"
+                ),
+                "code": openapi.Schema(
+                    type=openapi.TYPE_STRING, description="Error code"
+                ),
+            },
+            required=["detail"],
+        )
+
+    def get_validation_error_schema(self):
+        """Get a generic validation error schema"""
+        return openapi.Schema(
+            "Validation Error",
+            type=openapi.TYPE_OBJECT,
+            properties={
+                api_settings.NON_FIELD_ERRORS_KEY: openapi.Schema(
+                    description="List of validation errors not related to any field",
+                    type=openapi.TYPE_ARRAY,
+                    items=openapi.Schema(type=openapi.TYPE_STRING),
+                ),
+            },
+            additional_properties=openapi.Schema(
+                description=(
+                    "A list of error messages for each "
+                    "field that triggered a validation error"
+                ),
+                type=openapi.TYPE_ARRAY,
+                items=openapi.Schema(type=openapi.TYPE_STRING),
+            ),
+        )
+
+    def get_response_serializers(self):
+        responses = super().get_response_serializers()
+        definitions = self.components.with_scope(
+            openapi.SCHEMA_DEFINITIONS
+        )  # type: openapi.ReferenceResolver
+
+        definitions.setdefault("GenericError", self.get_generic_error_schema)
+        definitions.setdefault("ValidationError", self.get_validation_error_schema)
+        definitions.setdefault("APIException", self.get_generic_error_schema)
+
+        if self.get_request_serializer() or self.get_query_serializer():
+            responses.setdefault(
+                exceptions.ValidationError.status_code,
+                openapi.Response(
+                    description=force_real_str(
+                        exceptions.ValidationError.default_detail
+                    ),
+                    schema=openapi.SchemaRef(definitions, "ValidationError"),
+                ),
+            )
+
+        security = self.get_security()
+        if security is None or len(security) > 0:
+            # Note: 401 error codes are coerced  into 403 see
+            # rest_framework/views.py:433:handle_exception
+            # This is b/c the API uses token auth which doesn't have WWW-Authenticate header
+            responses.setdefault(
+                status.HTTP_403_FORBIDDEN,
+                openapi.Response(
+                    description="Authentication credentials were invalid, absent or insufficient.",
+                    schema=openapi.SchemaRef(definitions, "GenericError"),
+                ),
+            )
+        if not is_list_view(self.path, self.method, self.view):
+            responses.setdefault(
+                exceptions.PermissionDenied.status_code,
+                openapi.Response(
+                    description="Permission denied.",
+                    schema=openapi.SchemaRef(definitions, "APIException"),
+                ),
+            )
+            responses.setdefault(
+                exceptions.NotFound.status_code,
+                openapi.Response(
+                    description=(
+                        "Object does not exist or caller "
+                        "has insufficient permissions to access it."
+                    ),
+                    schema=openapi.SchemaRef(definitions, "APIException"),
+                ),
+            )
+
+        return responses

authentik/api/templates/api/swagger.html

@@ -0,0 +1,49 @@
+{% extends "base/skeleton.html" %}
+
+{% load static %}
+
+{% block title %}
+API Browser - {{ config.authentik.branding.title }}
+{% endblock %}
+
+{% block head %}
+<script type="module" src="{% static 'dist/rapidoc-min.js' %}"></script>
+{% endblock %}
+
+{% block body %}
+<script>
+function getCookie(name) {
+    let cookieValue = "";
+    if (document.cookie && document.cookie !== "") {
+        const cookies = document.cookie.split(";");
+        for (let i = 0; i < cookies.length; i++) {
+            const cookie = cookies[i].trim();
+            // Does this cookie string begin with the name we want?
+            if (cookie.substring(0, name.length + 1) === name + "=") {
+                cookieValue = decodeURIComponent(cookie.substring(name.length + 1));
+                break;
+            }
+        }
+    }
+    return cookieValue;
+}
+window.addEventListener('DOMContentLoaded', (event) => {
+    const rapidocEl = document.querySelector('rapi-doc');
+    rapidocEl.addEventListener('before-try', (e) => {
+        e.detail.request.headers.append('X-CSRFToken', getCookie("authentik_csrf"));
+    });
+});
+</script>
+<rapi-doc
+    spec-url="{{ path }}"
+    heading-text="authentik"
+    theme="dark"
+    render-style="view"
+    primary-color="#fd4b2d"
+    allow-spec-url-load="false"
+    allow-spec-file-load="false">
+    <div slot="logo">
+        <img src="{% static 'dist/assets/icons/icon.png' %}" style="width:50px; height:50px" />
+    </div>
+</rapi-doc>
+{% endblock %}

authentik/api/templates/rest_framework/api.html

@@ -1,31 +0,0 @@
-{% extends "rest_framework/base.html" %}
-
-{% block title %}{% if name %}{{ name }} – {% endif %}authentik{% endblock %}
-
-{% block branding %}
-<span class='navbar-brand'>
-    authentik
-</span>
-{% endblock %}
-
-{% block style %}
-{{ block.super }}
-<style>
-    body {
-        background-color: #18191a;
-        color: #fafafa;
-    }
-    .prettyprint {
-        background-color: #1c1e21;
-        color: #fafafa;
-        border: 1px solid #2b2e33;
-    }
-    .pln {
-        color: #fafafa;
-    }
-    .well {
-        background-color: #1c1e21;
-        border: 1px solid #2b2e33;
-    }
-</style>
-{% endblock %}

authentik/api/tests.py

@@ -1,37 +0,0 @@
-"""Test API Authentication"""
-from base64 import b64encode
-
-from django.test import TestCase
-from guardian.shortcuts import get_anonymous_user
-
-from authentik.api.auth import token_from_header
-from authentik.core.models import Token, TokenIntents
-
-
-class TestAPIAuth(TestCase):
-    """Test API Authentication"""
-
-    def test_valid(self):
-        """Test valid token"""
-        token = Token.objects.create(
-            intent=TokenIntents.INTENT_API, user=get_anonymous_user()
-        )
-        auth = b64encode(f":{token.key}".encode()).decode()
-        self.assertEqual(token_from_header(f"Basic {auth}".encode()), token)
-
-    def test_invalid_type(self):
-        """Test invalid type"""
-        self.assertIsNone(token_from_header("foo bar".encode()))
-
-    def test_invalid_decode(self):
-        """Test invalid bas64"""
-        self.assertIsNone(token_from_header("Basic bar".encode()))
-
-    def test_invalid_empty_password(self):
-        """Test invalid with empty password"""
-        self.assertIsNone(token_from_header("Basic :".encode()))
-
-    def test_invalid_no_token(self):
-        """Test invalid with no token"""
-        auth = b64encode(":abc".encode()).decode()
-        self.assertIsNone(token_from_header(f"Basic :{auth}".encode()))

authentik/api/tests/test_auth.py

@@ -0,0 +1,49 @@
+"""Test API Authentication"""
+from base64 import b64encode
+
+from django.test import TestCase
+from guardian.shortcuts import get_anonymous_user
+from rest_framework.exceptions import AuthenticationFailed
+
+from authentik.api.authentication import token_from_header
+from authentik.core.models import Token, TokenIntents
+
+
+class TestAPIAuth(TestCase):
+    """Test API Authentication"""
+
+    def test_valid_basic(self):
+        """Test valid token"""
+        token = Token.objects.create(
+            intent=TokenIntents.INTENT_API, user=get_anonymous_user()
+        )
+        auth = b64encode(f":{token.key}".encode()).decode()
+        self.assertEqual(token_from_header(f"Basic {auth}".encode()), token)
+
+    def test_valid_bearer(self):
+        """Test valid token"""
+        token = Token.objects.create(
+            intent=TokenIntents.INTENT_API, user=get_anonymous_user()
+        )
+        self.assertEqual(token_from_header(f"Bearer {token.key}".encode()), token)
+
+    def test_invalid_type(self):
+        """Test invalid type"""
+        with self.assertRaises(AuthenticationFailed):
+            token_from_header("foo bar".encode())
+
+    def test_invalid_decode(self):
+        """Test invalid bas64"""
+        with self.assertRaises(AuthenticationFailed):
+            token_from_header("Basic bar".encode())
+
+    def test_invalid_empty_password(self):
+        """Test invalid with empty password"""
+        with self.assertRaises(AuthenticationFailed):
+            token_from_header("Basic :".encode())
+
+    def test_invalid_no_token(self):
+        """Test invalid with no token"""
+        with self.assertRaises(AuthenticationFailed):
+            auth = b64encode(":abc".encode()).decode()
+            self.assertIsNone(token_from_header(f"Basic :{auth}".encode()))

authentik/api/tests/test_config.py

@@ -0,0 +1,16 @@
+"""Test config API"""
+from json import loads
+
+from django.urls import reverse
+from rest_framework.test import APITestCase
+
+
+class TestConfig(APITestCase):
+    """Test config API"""
+
+    def test_config(self):
+        """Test YAML generation"""
+        response = self.client.get(
+            reverse("authentik_api:configs-list"),
+        )
+        self.assertTrue(loads(response.content.decode()))

authentik/api/tests/test_decorators.py

@@ -0,0 +1,33 @@
+"""test decorators api"""
+from django.urls import reverse
+from guardian.shortcuts import assign_perm
+from rest_framework.test import APITestCase
+
+from authentik.core.models import Application, User
+
+
+class TestAPIDecorators(APITestCase):
+    """test decorators api"""
+
+    def setUp(self) -> None:
+        super().setUp()
+        self.user = User.objects.create(username="test-user")
+
+    def test_obj_perm_denied(self):
+        """Test object perm denied"""
+        self.client.force_login(self.user)
+        app = Application.objects.create(name="denied", slug="denied")
+        response = self.client.get(
+            reverse("authentik_api:application-metrics", kwargs={"slug": app.slug})
+        )
+        self.assertEqual(response.status_code, 403)
+
+    def test_other_perm_denied(self):
+        """Test other perm denied"""
+        self.client.force_login(self.user)
+        app = Application.objects.create(name="denied", slug="denied")
+        assign_perm("authentik_core.view_application", self.user, app)
+        response = self.client.get(
+            reverse("authentik_api:application-metrics", kwargs={"slug": app.slug})
+        )
+        self.assertEqual(response.status_code, 403)

authentik/api/tests/test_swagger.py

@@ -0,0 +1,31 @@
+"""Swagger generation tests"""
+from json import loads
+
+from django.urls import reverse
+from rest_framework.test import APITestCase
+from yaml import safe_load
+
+
+class TestSwaggerGeneration(APITestCase):
+    """Generic admin tests"""
+
+    def test_yaml(self):
+        """Test YAML generation"""
+        response = self.client.get(
+            reverse("authentik_api:schema-json", kwargs={"format": ".yaml"}),
+        )
+        self.assertTrue(safe_load(response.content.decode()))
+
+    def test_json(self):
+        """Test JSON generation"""
+        response = self.client.get(
+            reverse("authentik_api:schema-json", kwargs={"format": ".json"}),
+        )
+        self.assertTrue(loads(response.content.decode()))
+
+    def test_browser(self):
+        """Test API Browser"""
+        response = self.client.get(
+            reverse("authentik_api:swagger"),
+        )
+        self.assertEqual(response.status_code, 200)

authentik/api/v2/config.py

@@ -1,32 +1,33 @@
 """core Configs API"""
-from django.db.models import Model
-from drf_yasg2.utils import swagger_auto_schema
-from rest_framework.fields import BooleanField, CharField
+from drf_yasg.utils import swagger_auto_schema
+from rest_framework.fields import BooleanField, CharField, ListField
 from rest_framework.permissions import AllowAny
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import Serializer
 from rest_framework.viewsets import ViewSet
 
+from authentik.core.api.utils import PassiveSerializer
 from authentik.lib.config import CONFIG
 
 
-class ConfigSerializer(Serializer):
+class FooterLinkSerializer(PassiveSerializer):
+    """Links returned in Config API"""
+
+    href = CharField(read_only=True)
+    name = CharField(read_only=True)
+
+
+class ConfigSerializer(PassiveSerializer):
     """Serialize authentik Config into DRF Object"""
 
     branding_logo = CharField(read_only=True)
     branding_title = CharField(read_only=True)
+    ui_footer_links = ListField(child=FooterLinkSerializer(), read_only=True)
 
     error_reporting_enabled = BooleanField(read_only=True)
     error_reporting_environment = CharField(read_only=True)
     error_reporting_send_pii = BooleanField(read_only=True)
 
-    def create(self, validated_data: dict) -> Model:
-        raise NotImplementedError
-
-    def update(self, instance: Model, validated_data: dict) -> Model:
-        raise NotImplementedError
-
 
 class ConfigsViewSet(ViewSet):
     """Read-only view set that returns the current session's Configs"""
@@ -43,6 +44,7 @@ class ConfigsViewSet(ViewSet):
                 "error_reporting_enabled": CONFIG.y("error_reporting.enabled"),
                 "error_reporting_environment": CONFIG.y("error_reporting.environment"),
                 "error_reporting_send_pii": CONFIG.y("error_reporting.send_pii"),
+                "ui_footer_links": CONFIG.y("authentik.footer_links"),
             }
         )
         return Response(config.data)

authentik/api/v2/urls.py

@@ -1,15 +1,17 @@
 """api v2 urls"""
 from django.urls import path, re_path
-from drf_yasg2 import openapi
-from drf_yasg2.views import get_schema_view
+from drf_yasg import openapi
+from drf_yasg.views import get_schema_view
 from rest_framework import routers
 from rest_framework.permissions import AllowAny
 
+from authentik.admin.api.meta import AppsViewSet
 from authentik.admin.api.metrics import AdministrationMetricsViewSet
 from authentik.admin.api.tasks import TaskViewSet
 from authentik.admin.api.version import VersionViewSet
 from authentik.admin.api.workers import WorkerViewSet
 from authentik.api.v2.config import ConfigsViewSet
+from authentik.api.views import SwaggerView
 from authentik.core.api.applications import ApplicationViewSet
 from authentik.core.api.groups import GroupViewSet
 from authentik.core.api.propertymappings import PropertyMappingViewSet
@@ -32,12 +34,12 @@ from authentik.outposts.api.outpost_service_connections import (
     ServiceConnectionViewSet,
 )
 from authentik.outposts.api.outposts import OutpostViewSet
-from authentik.policies.api import PolicyBindingViewSet, PolicyViewSet
+from authentik.policies.api.bindings import PolicyBindingViewSet
+from authentik.policies.api.policies import PolicyViewSet
 from authentik.policies.dummy.api import DummyPolicyViewSet
 from authentik.policies.event_matcher.api import EventMatcherPolicyViewSet
 from authentik.policies.expiry.api import PasswordExpiryPolicyViewSet
 from authentik.policies.expression.api import ExpressionPolicyViewSet
-from authentik.policies.group_membership.api import GroupMembershipPolicyViewSet
 from authentik.policies.hibp.api import HaveIBeenPwendPolicyViewSet
 from authentik.policies.password.api import PasswordPolicyViewSet
 from authentik.policies.reputation.api import (
@@ -45,23 +47,45 @@ from authentik.policies.reputation.api import (
     ReputationPolicyViewSet,
     UserReputationViewSet,
 )
-from authentik.providers.oauth2.api import OAuth2ProviderViewSet, ScopeMappingViewSet
+from authentik.providers.ldap.api import LDAPOutpostConfigViewSet, LDAPProviderViewSet
+from authentik.providers.oauth2.api.provider import OAuth2ProviderViewSet
+from authentik.providers.oauth2.api.scope import ScopeMappingViewSet
+from authentik.providers.oauth2.api.tokens import (
+    AuthorizationCodeViewSet,
+    RefreshTokenViewSet,
+)
 from authentik.providers.proxy.api import (
     ProxyOutpostConfigViewSet,
     ProxyProviderViewSet,
 )
 from authentik.providers.saml.api import SAMLPropertyMappingViewSet, SAMLProviderViewSet
 from authentik.sources.ldap.api import LDAPPropertyMappingViewSet, LDAPSourceViewSet
-from authentik.sources.oauth.api import OAuthSourceViewSet
+from authentik.sources.oauth.api.source import OAuthSourceViewSet
+from authentik.sources.oauth.api.source_connection import (
+    UserOAuthSourceConnectionViewSet,
+)
+from authentik.sources.plex.api import PlexSourceViewSet
 from authentik.sources.saml.api import SAMLSourceViewSet
-from authentik.stages.authenticator_static.api import AuthenticatorStaticStageViewSet
-from authentik.stages.authenticator_totp.api import AuthenticatorTOTPStageViewSet
+from authentik.stages.authenticator_static.api import (
+    AuthenticatorStaticStageViewSet,
+    StaticAdminDeviceViewSet,
+    StaticDeviceViewSet,
+)
+from authentik.stages.authenticator_totp.api import (
+    AuthenticatorTOTPStageViewSet,
+    TOTPAdminDeviceViewSet,
+    TOTPDeviceViewSet,
+)
 from authentik.stages.authenticator_validate.api import (
     AuthenticatorValidateStageViewSet,
 )
-from authentik.stages.authenticator_webauthn.api import AuthenticateWebAuthnStageViewSet
+from authentik.stages.authenticator_webauthn.api import (
+    AuthenticateWebAuthnStageViewSet,
+    WebAuthnAdminDeviceViewSet,
+    WebAuthnDeviceViewSet,
+)
 from authentik.stages.captcha.api import CaptchaStageViewSet
-from authentik.stages.consent.api import ConsentStageViewSet
+from authentik.stages.consent.api import ConsentStageViewSet, UserConsentViewSet
 from authentik.stages.deny.api import DenyStageViewSet
 from authentik.stages.dummy.api import DummyStageViewSet
 from authentik.stages.email.api import EmailStageViewSet
@@ -82,19 +106,23 @@ router.register("admin/version", VersionViewSet, basename="admin_version")
 router.register("admin/workers", WorkerViewSet, basename="admin_workers")
 router.register("admin/metrics", AdministrationMetricsViewSet, basename="admin_metrics")
 router.register("admin/system_tasks", TaskViewSet, basename="admin_system_tasks")
+router.register("admin/apps", AppsViewSet, basename="apps")
 
 router.register("core/applications", ApplicationViewSet)
 router.register("core/groups", GroupViewSet)
 router.register("core/users", UserViewSet)
+router.register("core/user_consent", UserConsentViewSet)
 router.register("core/tokens", TokenViewSet)
 
 router.register("outposts/outposts", OutpostViewSet)
+router.register("outposts/instances", OutpostViewSet)
 router.register("outposts/service_connections/all", ServiceConnectionViewSet)
 router.register("outposts/service_connections/docker", DockerServiceConnectionViewSet)
 router.register(
     "outposts/service_connections/kubernetes", KubernetesServiceConnectionViewSet
 )
 router.register("outposts/proxy", ProxyOutpostConfigViewSet)
+router.register("outposts/ldap", LDAPOutpostConfigViewSet)
 
 router.register("flows/instances", FlowViewSet)
 router.register("flows/bindings", FlowStageBindingViewSet)
@@ -107,15 +135,16 @@ router.register("events/transports", NotificationTransportViewSet)
 router.register("events/rules", NotificationRuleViewSet)
 
 router.register("sources/all", SourceViewSet)
+router.register("sources/oauth_user_connections", UserOAuthSourceConnectionViewSet)
 router.register("sources/ldap", LDAPSourceViewSet)
 router.register("sources/saml", SAMLSourceViewSet)
 router.register("sources/oauth", OAuthSourceViewSet)
+router.register("sources/plex", PlexSourceViewSet)
 
 router.register("policies/all", PolicyViewSet)
 router.register("policies/bindings", PolicyBindingViewSet)
 router.register("policies/expression", ExpressionPolicyViewSet)
 router.register("policies/event_matcher", EventMatcherPolicyViewSet)
-router.register("policies/group_membership", GroupMembershipPolicyViewSet)
 router.register("policies/haveibeenpwned", HaveIBeenPwendPolicyViewSet)
 router.register("policies/password_expiry", PasswordExpiryPolicyViewSet)
 router.register("policies/password", PasswordPolicyViewSet)
@@ -124,15 +153,36 @@ router.register("policies/reputation/ips", IPReputationViewSet)
 router.register("policies/reputation", ReputationPolicyViewSet)
 
 router.register("providers/all", ProviderViewSet)
+router.register("providers/ldap", LDAPProviderViewSet)
 router.register("providers/proxy", ProxyProviderViewSet)
 router.register("providers/oauth2", OAuth2ProviderViewSet)
 router.register("providers/saml", SAMLProviderViewSet)
 
+router.register("oauth2/authorization_codes", AuthorizationCodeViewSet)
+router.register("oauth2/refresh_tokens", RefreshTokenViewSet)
+
 router.register("propertymappings/all", PropertyMappingViewSet)
 router.register("propertymappings/ldap", LDAPPropertyMappingViewSet)
 router.register("propertymappings/saml", SAMLPropertyMappingViewSet)
 router.register("propertymappings/scope", ScopeMappingViewSet)
 
+router.register("authenticators/static", StaticDeviceViewSet)
+router.register("authenticators/totp", TOTPDeviceViewSet)
+router.register("authenticators/webauthn", WebAuthnDeviceViewSet)
+router.register(
+    "authenticators/admin/static",
+    StaticAdminDeviceViewSet,
+    basename="admin-staticdevice",
+)
+router.register(
+    "authenticators/admin/totp", TOTPAdminDeviceViewSet, basename="admin-totpdevice"
+)
+router.register(
+    "authenticators/admin/webauthn",
+    WebAuthnAdminDeviceViewSet,
+    basename="admin-webauthndevice",
+)
+
 router.register("stages/all", StageViewSet)
 router.register("stages/authenticator/static", AuthenticatorStaticStageViewSet)
 router.register("stages/authenticator/totp", AuthenticatorTOTPStageViewSet)
@@ -158,33 +208,30 @@ router.register("policies/dummy", DummyPolicyViewSet)
 
 info = openapi.Info(
     title="authentik API",
-    default_version="v2",
+    default_version="v2beta",
     contact=openapi.Contact(email="hello@beryju.org"),
     license=openapi.License(
-        name="GNU GPLv3", url="https://github.com/BeryJu/authentik/blob/master/LICENSE"
+        name="GNU GPLv3",
+        url="https://github.com/goauthentik/authentik/blob/master/LICENSE",
     ),
 )
-SchemaView = get_schema_view(
-    info,
-    public=True,
-    permission_classes=(AllowAny,),
-)
+SchemaView = get_schema_view(info, public=True, permission_classes=(AllowAny,))
 
-urlpatterns = [
-    re_path(
-        r"^swagger(?P<format>\.json|\.yaml)$",
-        SchemaView.without_ui(cache_timeout=0),
-        name="schema-json",
-    ),
-    path(
-        "swagger/",
-        SchemaView.with_ui("swagger", cache_timeout=0),
-        name="schema-swagger-ui",
-    ),
-    path("redoc/", SchemaView.with_ui("redoc", cache_timeout=0), name="schema-redoc"),
-    path(
-        "flows/executor/<slug:flow_slug>/",
-        FlowExecutorView.as_view(),
-        name="flow-executor",
-    ),
-] + router.urls
+urlpatterns = (
+    [
+        path("", SwaggerView.as_view(), name="swagger"),
+    ]
+    + router.urls
+    + [
+        path(
+            "flows/executor/<slug:flow_slug>/",
+            FlowExecutorView.as_view(),
+            name="flow-executor",
+        ),
+        re_path(
+            r"^swagger(?P<format>\.json|\.yaml)$",
+            SchemaView.without_ui(cache_timeout=0),
+            name="schema-json",
+        ),
+    ]
+)

authentik/api/views.py

@@ -0,0 +1,22 @@
+"""General API Views"""
+from typing import Any
+
+from django.urls import reverse
+from django.views.generic import TemplateView
+
+
+class SwaggerView(TemplateView):
+    """Show swagger view based on rapi-doc"""
+
+    template_name = "api/swagger.html"
+
+    def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
+        path = self.request.build_absolute_uri(
+            reverse(
+                "authentik_api:schema-json",
+                kwargs={
+                    "format": ".json",
+                },
+            )
+        )
+        return super().get_context_data(path=path, **kwargs)

authentik/core/admin.py

@@ -1,20 +0,0 @@
-"""authentik core admin"""
-
-from django.apps import AppConfig, apps
-from django.contrib import admin
-from django.contrib.admin.sites import AlreadyRegistered
-from guardian.admin import GuardedModelAdmin
-
-
-def admin_autoregister(app: AppConfig):
-    """Automatically register all models from app"""
-    for model in app.get_models():
-        try:
-            admin.site.register(model, GuardedModelAdmin)
-        except AlreadyRegistered:
-            pass
-
-
-for _app in apps.get_app_configs():
-    if _app.label.startswith("authentik_"):
-        admin_autoregister(_app)

authentik/core/api/applications.py

@@ -1,11 +1,15 @@
 """Application API Views"""
+from typing import Optional
+
 from django.core.cache import cache
 from django.db.models import QuerySet
-from django.http.response import Http404
-from guardian.shortcuts import get_objects_for_user
+from django.http.response import HttpResponseBadRequest
+from django.shortcuts import get_object_or_404
+from drf_yasg import openapi
+from drf_yasg.utils import no_body, swagger_auto_schema
 from rest_framework.decorators import action
 from rest_framework.fields import SerializerMethodField
-from rest_framework.generics import get_object_or_404
+from rest_framework.parsers import MultiPartParser
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import ModelSerializer
@@ -13,11 +17,13 @@ from rest_framework.viewsets import ModelViewSet
 from rest_framework_guardian.filters import ObjectPermissionsFilter
 from structlog.stdlib import get_logger
 
-from authentik.admin.api.metrics import get_events_per_1h
+from authentik.admin.api.metrics import CoordinateSerializer, get_events_per_1h
+from authentik.api.decorators import permission_required
 from authentik.core.api.providers import ProviderSerializer
 from authentik.core.models import Application
 from authentik.events.models import EventAction
 from authentik.policies.engine import PolicyEngine
+from authentik.stages.user_login.stage import USER_LOGIN_AUTHENTICATED
 
 LOGGER = get_logger()
 
@@ -31,11 +37,11 @@ class ApplicationSerializer(ModelSerializer):
     """Application Serializer"""
 
     launch_url = SerializerMethodField()
-    provider = ProviderSerializer(source="get_provider", required=False)
+    provider_obj = ProviderSerializer(source="get_provider", required=False)
 
-    def get_launch_url(self, instance: Application) -> str:
+    def get_launch_url(self, instance: Application) -> Optional[str]:
         """Get generated launch URL"""
-        return instance.get_launch_url() or ""
+        return instance.get_launch_url()
 
     class Meta:
 
@@ -45,12 +51,13 @@ class ApplicationSerializer(ModelSerializer):
             "name",
             "slug",
             "provider",
+            "provider_obj",
             "launch_url",
             "meta_launch_url",
             "meta_icon",
             "meta_description",
             "meta_publisher",
-            "policies",
+            "policy_engine_mode",
         ]
 
 
@@ -86,13 +93,49 @@ class ApplicationViewSet(ModelViewSet):
                 applications.append(application)
         return applications
 
+    @swagger_auto_schema(
+        responses={
+            204: "Access granted",
+            403: "Access denied",
+        }
+    )
+    @action(detail=True, methods=["GET"])
+    # pylint: disable=unused-argument
+    def check_access(self, request: Request, slug: str) -> Response:
+        """Check access to a single application by slug"""
+        # Don't use self.get_object as that checks for view_application permission
+        # which the user might not have, even if they have access
+        application = get_object_or_404(Application, slug=slug)
+        engine = PolicyEngine(application, self.request.user, self.request)
+        engine.build()
+        if engine.passing:
+            return Response(status=204)
+        return Response(status=403)
+
+    @swagger_auto_schema(
+        manual_parameters=[
+            openapi.Parameter(
+                name="superuser_full_list",
+                in_=openapi.IN_QUERY,
+                type=openapi.TYPE_BOOLEAN,
+            )
+        ]
+    )
     def list(self, request: Request) -> Response:
         """Custom list method that checks Policy based access instead of guardian"""
+        self.request.session.pop(USER_LOGIN_AUTHENTICATED, None)
         queryset = self._filter_queryset_for_list(self.get_queryset())
         self.paginate_queryset(queryset)
 
         should_cache = request.GET.get("search", "") == ""
 
+        superuser_full_list = (
+            str(request.GET.get("superuser_full_list", "false")).lower() == "true"
+        )
+        if superuser_full_list and request.user.is_superuser:
+            serializer = self.get_serializer(queryset, many=True)
+            return self.get_paginated_response(serializer.data)
+
         allowed_applications = []
         if not should_cache:
             allowed_applications = self._get_allowed_applications(queryset)
@@ -109,15 +152,46 @@ class ApplicationViewSet(ModelViewSet):
         serializer = self.get_serializer(allowed_applications, many=True)
         return self.get_paginated_response(serializer.data)
 
-    @action(detail=True)
+    @permission_required("authentik_core.change_application")
+    @swagger_auto_schema(
+        request_body=no_body,
+        manual_parameters=[
+            openapi.Parameter(
+                name="file",
+                in_=openapi.IN_FORM,
+                type=openapi.TYPE_FILE,
+                required=True,
+            )
+        ],
+        responses={200: "Success", 400: "Bad request"},
+    )
+    @action(
+        detail=True,
+        pagination_class=None,
+        filter_backends=[],
+        methods=["POST"],
+        parser_classes=(MultiPartParser,),
+    )
+    # pylint: disable=unused-argument
+    def set_icon(self, request: Request, slug: str):
+        """Set application icon"""
+        app: Application = self.get_object()
+        icon = request.FILES.get("file", None)
+        if not icon:
+            return HttpResponseBadRequest()
+        app.meta_icon = icon
+        app.save()
+        return Response({})
+
+    @permission_required(
+        "authentik_core.view_application", ["authentik_events.view_event"]
+    )
+    @swagger_auto_schema(responses={200: CoordinateSerializer(many=True)})
+    @action(detail=True, pagination_class=None, filter_backends=[])
+    # pylint: disable=unused-argument
     def metrics(self, request: Request, slug: str):
         """Metrics for application logins"""
-        app = get_object_or_404(
-            get_objects_for_user(request.user, "authentik_core.view_application"),
-            slug=slug,
-        )
-        if not request.user.has_perm("authentik_events.view_event"):
-            raise Http404
+        app = self.get_object()
         return Response(
             get_events_per_1h(
                 action=EventAction.AUTHORIZE_APPLICATION,

authentik/core/api/groups.py

@@ -1,13 +1,19 @@
 """Groups API Viewset"""
+from django.db.models.query import QuerySet
+from rest_framework.fields import JSONField
 from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet
+from rest_framework_guardian.filters import ObjectPermissionsFilter
 
+from authentik.core.api.utils import is_dict
 from authentik.core.models import Group
 
 
 class GroupSerializer(ModelSerializer):
     """Group Serializer"""
 
+    attributes = JSONField(validators=[is_dict], required=False)
+
     class Meta:
 
         model = Group
@@ -21,3 +27,17 @@ class GroupViewSet(ModelViewSet):
     serializer_class = GroupSerializer
     search_fields = ["name", "is_superuser"]
     filterset_fields = ["name", "is_superuser"]
+    ordering = ["name"]
+
+    def _filter_queryset_for_list(self, queryset: QuerySet) -> QuerySet:
+        """Custom filter_queryset method which ignores guardian, but still supports sorting"""
+        for backend in list(self.filter_backends):
+            if backend == ObjectPermissionsFilter:
+                continue
+            queryset = backend().filter_queryset(self.request, queryset, self)
+        return queryset
+
+    def filter_queryset(self, queryset):
+        if self.request.user.has_perm("authentik_core.view_group"):
+            return self._filter_queryset_for_list(queryset)
+        return super().filter_queryset(queryset)

authentik/core/api/propertymappings.py

@@ -1,47 +1,73 @@
 """PropertyMapping API Views"""
-from django.urls import reverse
-from drf_yasg2.utils import swagger_auto_schema
+from json import dumps
+
+from drf_yasg import openapi
+from drf_yasg.utils import swagger_auto_schema
+from guardian.shortcuts import get_objects_for_user
+from rest_framework import mixins
 from rest_framework.decorators import action
+from rest_framework.exceptions import PermissionDenied
+from rest_framework.fields import BooleanField, CharField
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import ModelSerializer, SerializerMethodField
-from rest_framework.viewsets import ReadOnlyModelViewSet
+from rest_framework.viewsets import GenericViewSet
 
-from authentik.core.api.utils import MetaNameSerializer, TypeCreateSerializer
+from authentik.api.decorators import permission_required
+from authentik.core.api.utils import (
+    MetaNameSerializer,
+    PassiveSerializer,
+    TypeCreateSerializer,
+)
+from authentik.core.expression import PropertyMappingEvaluator
 from authentik.core.models import PropertyMapping
-from authentik.lib.templatetags.authentik_utils import verbose_name
 from authentik.lib.utils.reflection import all_subclasses
+from authentik.managed.api import ManagedSerializer
+from authentik.policies.api.exec import PolicyTestSerializer
 
 
-class PropertyMappingSerializer(ModelSerializer, MetaNameSerializer):
+class PropertyMappingTestResultSerializer(PassiveSerializer):
+    """Result of a Property-mapping test"""
+
+    result = CharField(read_only=True)
+    successful = BooleanField(read_only=True)
+
+
+class PropertyMappingSerializer(ManagedSerializer, ModelSerializer, MetaNameSerializer):
     """PropertyMapping Serializer"""
 
-    object_type = SerializerMethodField(method_name="get_type")
+    component = SerializerMethodField()
 
-    def get_type(self, obj):
-        """Get object type so that we know which API Endpoint to use to get the full object"""
-        return obj._meta.object_name.lower().replace("propertymapping", "")
+    def get_component(self, obj: PropertyMapping) -> str:
+        """Get object's component so that we know how to edit the object"""
+        return obj.component
 
-    def to_representation(self, instance: PropertyMapping):
-        # pyright: reportGeneralTypeIssues=false
-        if instance.__class__ == PropertyMapping:
-            return super().to_representation(instance)
-        return instance.serializer(instance=instance).data
+    def validate_expression(self, expression: str) -> str:
+        """Test Syntax"""
+        evaluator = PropertyMappingEvaluator()
+        evaluator.validate(expression)
+        return expression
 
     class Meta:
 
         model = PropertyMapping
         fields = [
             "pk",
+            "managed",
             "name",
             "expression",
-            "object_type",
+            "component",
             "verbose_name",
             "verbose_name_plural",
         ]
 
 
-class PropertyMappingViewSet(ReadOnlyModelViewSet):
+class PropertyMappingViewSet(
+    mixins.RetrieveModelMixin,
+    mixins.DestroyModelMixin,
+    mixins.ListModelMixin,
+    GenericViewSet,
+):
     """PropertyMapping Viewset"""
 
     queryset = PropertyMapping.objects.none()
@@ -52,21 +78,69 @@ class PropertyMappingViewSet(ReadOnlyModelViewSet):
     filterset_fields = {"managed": ["isnull"]}
     ordering = ["name"]
 
-    def get_queryset(self):
+    def get_queryset(self):  # pragma: no cover
         return PropertyMapping.objects.select_subclasses()
 
     @swagger_auto_schema(responses={200: TypeCreateSerializer(many=True)})
-    @action(detail=False)
+    @action(detail=False, pagination_class=None, filter_backends=[])
     def types(self, request: Request) -> Response:
         """Get all creatable property-mapping types"""
         data = []
         for subclass in all_subclasses(self.queryset.model):
+            subclass: PropertyMapping
             data.append(
                 {
-                    "name": verbose_name(subclass),
+                    "name": subclass._meta.verbose_name,
                     "description": subclass.__doc__,
-                    "link": reverse("authentik_admin:property-mapping-create")
-                    + f"?type={subclass.__name__}",
+                    # pyright: reportGeneralTypeIssues=false
+                    "component": subclass().component,
+                    "model_name": subclass._meta.model_name,
                 }
             )
         return Response(TypeCreateSerializer(data, many=True).data)
+
+    @permission_required("authentik_core.view_propertymapping")
+    @swagger_auto_schema(
+        request_body=PolicyTestSerializer(),
+        responses={200: PropertyMappingTestResultSerializer, 400: "Invalid parameters"},
+        manual_parameters=[
+            openapi.Parameter(
+                name="format_result",
+                in_=openapi.IN_QUERY,
+                type=openapi.TYPE_BOOLEAN,
+            )
+        ],
+    )
+    @action(detail=True, pagination_class=None, filter_backends=[], methods=["POST"])
+    # pylint: disable=unused-argument, invalid-name
+    def test(self, request: Request, pk: str) -> Response:
+        """Test Property Mapping"""
+        mapping: PropertyMapping = self.get_object()
+        test_params = PolicyTestSerializer(data=request.data)
+        if not test_params.is_valid():
+            return Response(test_params.errors, status=400)
+
+        format_result = str(request.GET.get("format_result", "false")).lower() == "true"
+
+        # User permission check, only allow mapping testing for users that are readable
+        users = get_objects_for_user(request.user, "authentik_core.view_user").filter(
+            pk=test_params.validated_data["user"].pk
+        )
+        if not users.exists():
+            raise PermissionDenied()
+
+        response_data = {"successful": True, "result": ""}
+        try:
+            result = mapping.evaluate(
+                users.first(),
+                self.request,
+                **test_params.validated_data.get("context", {}),
+            )
+            response_data["result"] = dumps(
+                result, indent=(4 if format_result else None)
+            )
+        except Exception as exc:  # pylint: disable=broad-except
+            response_data["result"] = str(exc)
+            response_data["successful"] = False
+        response = PropertyMappingTestResultSerializer(response_data)
+        return Response(response.data)

authentik/core/api/providers.py

@@ -1,17 +1,16 @@
 """Provider API Views"""
-from django.urls import reverse
 from django.utils.translation import gettext_lazy as _
-from drf_yasg2.utils import swagger_auto_schema
+from drf_yasg.utils import swagger_auto_schema
+from rest_framework import mixins
 from rest_framework.decorators import action
 from rest_framework.fields import ReadOnlyField
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import ModelSerializer, SerializerMethodField
-from rest_framework.viewsets import ModelViewSet
+from rest_framework.viewsets import GenericViewSet
 
 from authentik.core.api.utils import MetaNameSerializer, TypeCreateSerializer
 from authentik.core.models import Provider
-from authentik.lib.templatetags.authentik_utils import verbose_name
 from authentik.lib.utils.reflection import all_subclasses
 
 
@@ -21,11 +20,14 @@ class ProviderSerializer(ModelSerializer, MetaNameSerializer):
     assigned_application_slug = ReadOnlyField(source="application.slug")
     assigned_application_name = ReadOnlyField(source="application.name")
 
-    object_type = SerializerMethodField()
+    component = SerializerMethodField()
 
-    def get_object_type(self, obj):
-        """Get object type so that we know which API Endpoint to use to get the full object"""
-        return obj._meta.object_name.lower().replace("provider", "")
+    def get_component(self, obj: Provider):  # pragma: no cover
+        """Get object component so that we know how to edit the object"""
+        # pyright: reportGeneralTypeIssues=false
+        if obj.__class__ == Provider:
+            return ""
+        return obj.component
 
     class Meta:
 
@@ -33,10 +35,9 @@ class ProviderSerializer(ModelSerializer, MetaNameSerializer):
         fields = [
             "pk",
             "name",
-            "application",
             "authorization_flow",
             "property_mappings",
-            "object_type",
+            "component",
             "assigned_application_slug",
             "assigned_application_name",
             "verbose_name",
@@ -44,7 +45,12 @@ class ProviderSerializer(ModelSerializer, MetaNameSerializer):
         ]
 
 
-class ProviderViewSet(ModelViewSet):
+class ProviderViewSet(
+    mixins.RetrieveModelMixin,
+    mixins.DestroyModelMixin,
+    mixins.ListModelMixin,
+    GenericViewSet,
+):
     """Provider Viewset"""
 
     queryset = Provider.objects.none()
@@ -57,28 +63,30 @@ class ProviderViewSet(ModelViewSet):
         "application__name",
     ]
 
-    def get_queryset(self):
+    def get_queryset(self):  # pragma: no cover
         return Provider.objects.select_subclasses()
 
     @swagger_auto_schema(responses={200: TypeCreateSerializer(many=True)})
-    @action(detail=False)
+    @action(detail=False, pagination_class=None, filter_backends=[])
     def types(self, request: Request) -> Response:
         """Get all creatable provider types"""
         data = []
         for subclass in all_subclasses(self.queryset.model):
+            subclass: Provider
             data.append(
                 {
-                    "name": verbose_name(subclass),
+                    "name": subclass._meta.verbose_name,
                     "description": subclass.__doc__,
-                    "link": reverse("authentik_admin:provider-create")
-                    + f"?type={subclass.__name__}",
+                    "component": subclass().component,
+                    "model_name": subclass._meta.model_name,
                 }
             )
         data.append(
             {
                 "name": _("SAML Provider from Metadata"),
                 "description": _("Create a SAML Provider by importing its Metadata."),
-                "link": reverse("authentik_admin:provider-saml-from-metadata"),
+                "component": "ak-provider-saml-import-form",
+                "model_name": "",
             }
         )
         return Response(TypeCreateSerializer(data, many=True).data)

authentik/core/api/sources.py

@@ -1,26 +1,35 @@
 """Source API Views"""
-from django.urls import reverse
-from drf_yasg2.utils import swagger_auto_schema
+from typing import Iterable
+
+from drf_yasg.utils import swagger_auto_schema
+from rest_framework import mixins
 from rest_framework.decorators import action
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import ModelSerializer, SerializerMethodField
-from rest_framework.viewsets import ReadOnlyModelViewSet
+from rest_framework.viewsets import GenericViewSet
+from structlog.stdlib import get_logger
 
 from authentik.core.api.utils import MetaNameSerializer, TypeCreateSerializer
 from authentik.core.models import Source
-from authentik.lib.templatetags.authentik_utils import verbose_name
+from authentik.core.types import UserSettingSerializer
 from authentik.lib.utils.reflection import all_subclasses
+from authentik.policies.engine import PolicyEngine
+
+LOGGER = get_logger()
 
 
 class SourceSerializer(ModelSerializer, MetaNameSerializer):
     """Source Serializer"""
 
-    object_type = SerializerMethodField()
+    component = SerializerMethodField()
 
-    def get_object_type(self, obj):
-        """Get object type so that we know which API Endpoint to use to get the full object"""
-        return obj._meta.object_name.lower().replace("source", "")
+    def get_component(self, obj: Source):
+        """Get object component so that we know how to edit the object"""
+        # pyright: reportGeneralTypeIssues=false
+        if obj.__class__ == Source:
+            return ""
+        return obj.component
 
     class Meta:
 
@@ -32,34 +41,71 @@ class SourceSerializer(ModelSerializer, MetaNameSerializer):
             "enabled",
             "authentication_flow",
             "enrollment_flow",
-            "object_type",
+            "component",
             "verbose_name",
             "verbose_name_plural",
+            "policy_engine_mode",
+            "user_matching_mode",
         ]
 
 
-class SourceViewSet(ReadOnlyModelViewSet):
+class SourceViewSet(
+    mixins.RetrieveModelMixin,
+    mixins.DestroyModelMixin,
+    mixins.ListModelMixin,
+    GenericViewSet,
+):
     """Source Viewset"""
 
     queryset = Source.objects.none()
     serializer_class = SourceSerializer
     lookup_field = "slug"
 
-    def get_queryset(self):
+    def get_queryset(self):  # pragma: no cover
         return Source.objects.select_subclasses()
 
     @swagger_auto_schema(responses={200: TypeCreateSerializer(many=True)})
-    @action(detail=False)
+    @action(detail=False, pagination_class=None, filter_backends=[])
     def types(self, request: Request) -> Response:
         """Get all creatable source types"""
         data = []
         for subclass in all_subclasses(self.queryset.model):
+            subclass: Source
+            component = ""
+            if subclass._meta.abstract:
+                component = subclass.__bases__[0]().component
+            else:
+                component = subclass().component
+            # pyright: reportGeneralTypeIssues=false
             data.append(
                 {
-                    "name": verbose_name(subclass),
+                    "name": subclass._meta.verbose_name,
                     "description": subclass.__doc__,
-                    "link": reverse("authentik_admin:source-create")
-                    + f"?type={subclass.__name__}",
+                    "component": component,
+                    "model_name": subclass._meta.model_name,
                 }
             )
         return Response(TypeCreateSerializer(data, many=True).data)
+
+    @swagger_auto_schema(responses={200: UserSettingSerializer(many=True)})
+    @action(detail=False, pagination_class=None, filter_backends=[])
+    def user_settings(self, request: Request) -> Response:
+        """Get all sources the user can configure"""
+        _all_sources: Iterable[Source] = Source.objects.filter(
+            enabled=True
+        ).select_subclasses()
+        matching_sources: list[UserSettingSerializer] = []
+        for source in _all_sources:
+            user_settings = source.ui_user_settings
+            if not user_settings:
+                continue
+            policy_engine = PolicyEngine(source, request.user, request)
+            policy_engine.build()
+            if not policy_engine.passing:
+                continue
+            source_settings = source.ui_user_settings
+            source_settings.initial_data["object_uid"] = source.slug
+            if not source_settings.is_valid():
+                LOGGER.warning(source_settings.errors)
+            matching_sources.append(source_settings.validated_data)
+        return Response(matching_sources)

authentik/core/api/tokens.py

@@ -1,29 +1,32 @@
 """Tokens API Viewset"""
-from django.db.models.base import Model
 from django.http.response import Http404
-from drf_yasg2.utils import swagger_auto_schema
+from drf_yasg.utils import swagger_auto_schema
 from rest_framework.decorators import action
 from rest_framework.fields import CharField
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ModelSerializer, Serializer
+from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet
 
+from authentik.api.decorators import permission_required
 from authentik.core.api.users import UserSerializer
-from authentik.core.models import Token
+from authentik.core.api.utils import PassiveSerializer
+from authentik.core.models import Token, TokenIntents
 from authentik.events.models import Event, EventAction
+from authentik.managed.api import ManagedSerializer
 
 
-class TokenSerializer(ModelSerializer):
+class TokenSerializer(ManagedSerializer, ModelSerializer):
     """Token Serializer"""
 
-    user = UserSerializer()
+    user = UserSerializer(required=False)
 
     class Meta:
 
         model = Token
         fields = [
             "pk",
+            "managed",
             "identifier",
             "intent",
             "user",
@@ -34,17 +37,11 @@ class TokenSerializer(ModelSerializer):
         depth = 2
 
 
-class TokenViewSerializer(Serializer):
+class TokenViewSerializer(PassiveSerializer):
     """Show token's current key"""
 
     key = CharField(read_only=True)
 
-    def create(self, validated_data: dict) -> Model:
-        raise NotImplementedError
-
-    def update(self, instance: Model, validated_data: dict) -> Model:
-        raise NotImplementedError
-
 
 class TokenViewSet(ModelViewSet):
     """Token Viewset"""
@@ -66,8 +63,17 @@ class TokenViewSet(ModelViewSet):
     ]
     ordering = ["expires"]
 
-    @swagger_auto_schema(responses={200: TokenViewSerializer(many=False)})
-    @action(detail=True)
+    def perform_create(self, serializer: TokenSerializer):
+        serializer.save(user=self.request.user, intent=TokenIntents.INTENT_API)
+
+    @permission_required("authentik_core.view_token_key")
+    @swagger_auto_schema(
+        responses={
+            200: TokenViewSerializer(many=False),
+            404: "Token not found or expired",
+        }
+    )
+    @action(detail=True, pagination_class=None, filter_backends=[])
     # pylint: disable=unused-argument
     def view_key(self, request: Request, identifier: str) -> Response:
         """Return token key and log access"""

authentik/core/api/users.py

@@ -1,14 +1,38 @@
 """User API Views"""
-from drf_yasg2.utils import swagger_auto_schema
+from json import loads
+
+from django.db.models.query import QuerySet
+from django.http.response import Http404
+from django.urls import reverse_lazy
+from django.utils.http import urlencode
+from django_filters.filters import BooleanFilter, CharFilter
+from django_filters.filterset import FilterSet
+from drf_yasg.utils import swagger_auto_schema, swagger_serializer_method
 from guardian.utils import get_anonymous_user
 from rest_framework.decorators import action
-from rest_framework.fields import CharField
+from rest_framework.fields import CharField, JSONField, SerializerMethodField
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import BooleanField, ModelSerializer
+from rest_framework.serializers import (
+    BooleanField,
+    ListSerializer,
+    ModelSerializer,
+    ValidationError,
+)
 from rest_framework.viewsets import ModelViewSet
+from rest_framework_guardian.filters import ObjectPermissionsFilter
 
-from authentik.core.models import User
+from authentik.admin.api.metrics import CoordinateSerializer, get_events_per_1h
+from authentik.api.decorators import permission_required
+from authentik.core.api.groups import GroupSerializer
+from authentik.core.api.utils import LinkSerializer, PassiveSerializer, is_dict
+from authentik.core.middleware import (
+    SESSION_IMPERSONATE_ORIGINAL_USER,
+    SESSION_IMPERSONATE_USER,
+)
+from authentik.core.models import Token, TokenIntents, User
+from authentik.events.models import EventAction
+from authentik.flows.models import Flow, FlowDesignation
 
 
 class UserSerializer(ModelSerializer):
@@ -16,6 +40,9 @@ class UserSerializer(ModelSerializer):
 
     is_superuser = BooleanField(read_only=True)
     avatar = CharField(read_only=True)
+    attributes = JSONField(validators=[is_dict], required=False)
+    groups = ListSerializer(child=GroupSerializer(), read_only=True, source="ak_groups")
+    uid = CharField(read_only=True)
 
     class Meta:
 
@@ -27,26 +54,153 @@ class UserSerializer(ModelSerializer):
             "is_active",
             "last_login",
             "is_superuser",
+            "groups",
             "email",
             "avatar",
             "attributes",
+            "uid",
         ]
 
 
+class SessionUserSerializer(PassiveSerializer):
+    """Response for the /user/me endpoint, returns the currently active user (as `user` property)
+    and, if this user is being impersonated, the original user in the `original` property."""
+
+    user = UserSerializer()
+    original = UserSerializer(required=False)
+
+
+class UserMetricsSerializer(PassiveSerializer):
+    """User Metrics"""
+
+    logins_per_1h = SerializerMethodField()
+    logins_failed_per_1h = SerializerMethodField()
+    authorizations_per_1h = SerializerMethodField()
+
+    @swagger_serializer_method(serializer_or_field=CoordinateSerializer(many=True))
+    def get_logins_per_1h(self, _):
+        """Get successful logins per hour for the last 24 hours"""
+        user = self.context["user"]
+        return get_events_per_1h(action=EventAction.LOGIN, user__pk=user.pk)
+
+    @swagger_serializer_method(serializer_or_field=CoordinateSerializer(many=True))
+    def get_logins_failed_per_1h(self, _):
+        """Get failed logins per hour for the last 24 hours"""
+        user = self.context["user"]
+        return get_events_per_1h(
+            action=EventAction.LOGIN_FAILED, context__username=user.username
+        )
+
+    @swagger_serializer_method(serializer_or_field=CoordinateSerializer(many=True))
+    def get_authorizations_per_1h(self, _):
+        """Get failed logins per hour for the last 24 hours"""
+        user = self.context["user"]
+        return get_events_per_1h(
+            action=EventAction.AUTHORIZE_APPLICATION, user__pk=user.pk
+        )
+
+
+class UsersFilter(FilterSet):
+    """Filter for users"""
+
+    attributes = CharFilter(
+        field_name="attributes",
+        lookup_expr="",
+        label="Attributes",
+        method="filter_attributes",
+    )
+
+    is_superuser = BooleanFilter(field_name="ak_groups", lookup_expr="is_superuser")
+
+    # pylint: disable=unused-argument
+    def filter_attributes(self, queryset, name, value):
+        """Filter attributes by query args"""
+        try:
+            value = loads(value)
+        except ValueError:
+            raise ValidationError(detail="filter: failed to parse JSON")
+        if not isinstance(value, dict):
+            raise ValidationError(detail="filter: value must be key:value mapping")
+        qs = {}
+        for key, _value in value.items():
+            qs[f"attributes__{key}"] = _value
+        return queryset.filter(**qs)
+
+    class Meta:
+        model = User
+        fields = ["username", "name", "is_active", "is_superuser", "attributes"]
+
+
 class UserViewSet(ModelViewSet):
     """User Viewset"""
 
     queryset = User.objects.none()
     serializer_class = UserSerializer
     search_fields = ["username", "name", "is_active"]
-    filterset_fields = ["username", "name", "is_active"]
+    filterset_class = UsersFilter
 
-    def get_queryset(self):
+    def get_queryset(self):  # pragma: no cover
         return User.objects.all().exclude(pk=get_anonymous_user().pk)
 
-    @swagger_auto_schema(responses={200: UserSerializer(many=False)})
-    @action(detail=False)
+    @swagger_auto_schema(responses={200: SessionUserSerializer(many=False)})
+    @action(detail=False, pagination_class=None, filter_backends=[])
     # pylint: disable=invalid-name
     def me(self, request: Request) -> Response:
         """Get information about current user"""
-        return Response(UserSerializer(request.user).data)
+        serializer = SessionUserSerializer(
+            data={"user": UserSerializer(request.user).data}
+        )
+        if SESSION_IMPERSONATE_USER in request._request.session:
+            serializer.initial_data["original"] = UserSerializer(
+                request._request.session[SESSION_IMPERSONATE_ORIGINAL_USER]
+            ).data
+        serializer.is_valid()
+        return Response(serializer.data)
+
+    @permission_required("authentik_core.view_user", ["authentik_events.view_event"])
+    @swagger_auto_schema(responses={200: UserMetricsSerializer(many=False)})
+    @action(detail=True, pagination_class=None, filter_backends=[])
+    # pylint: disable=invalid-name, unused-argument
+    def metrics(self, request: Request, pk: int) -> Response:
+        """User metrics per 1h"""
+        user: User = self.get_object()
+        serializer = UserMetricsSerializer(True)
+        serializer.context["user"] = user
+        return Response(serializer.data)
+
+    @permission_required("authentik_core.reset_user_password")
+    @swagger_auto_schema(
+        responses={"200": LinkSerializer(many=False), "404": "No recovery flow found."},
+    )
+    @action(detail=True, pagination_class=None, filter_backends=[])
+    # pylint: disable=invalid-name, unused-argument
+    def recovery(self, request: Request, pk: int) -> Response:
+        """Create a temporary link that a user can use to recover their accounts"""
+        # Check that there is a recovery flow, if not return an error
+        flow = Flow.with_policy(request, designation=FlowDesignation.RECOVERY)
+        if not flow:
+            raise Http404
+        user: User = self.get_object()
+        token, __ = Token.objects.get_or_create(
+            identifier=f"{user.uid}-password-reset",
+            user=user,
+            intent=TokenIntents.INTENT_RECOVERY,
+        )
+        querystring = urlencode({"token": token.key})
+        link = request.build_absolute_uri(
+            reverse_lazy("authentik_flows:default-recovery") + f"?{querystring}"
+        )
+        return Response({"link": link})
+
+    def _filter_queryset_for_list(self, queryset: QuerySet) -> QuerySet:
+        """Custom filter_queryset method which ignores guardian, but still supports sorting"""
+        for backend in list(self.filter_backends):
+            if backend == ObjectPermissionsFilter:
+                continue
+            queryset = backend().filter_queryset(self.request, queryset, self)
+        return queryset
+
+    def filter_queryset(self, queryset):
+        if self.request.user.has_perm("authentik_core.view_group"):
+            return self._filter_queryset_for_list(queryset)
+        return super().filter_queryset(queryset)

authentik/core/api/utils.py

@@ -1,21 +1,40 @@
 """API Utilities"""
+from typing import Any
+
 from django.db.models import Model
 from rest_framework.fields import CharField, IntegerField
-from rest_framework.serializers import Serializer, SerializerMethodField
+from rest_framework.serializers import (
+    Serializer,
+    SerializerMethodField,
+    ValidationError,
+)
 
 
-class MetaNameSerializer(Serializer):
+def is_dict(value: Any):
+    """Ensure a value is a dictionary, useful for JSONFields"""
+    if isinstance(value, dict):
+        return
+    raise ValidationError("Value must be a dictionary.")
+
+
+class PassiveSerializer(Serializer):
+    """Base serializer class which doesn't implement create/update methods"""
+
+    def create(self, validated_data: dict) -> Model:  # pragma: no cover
+        return Model()
+
+    def update(
+        self, instance: Model, validated_data: dict
+    ) -> Model:  # pragma: no cover
+        return Model()
+
+
+class MetaNameSerializer(PassiveSerializer):
     """Add verbose names to response"""
 
     verbose_name = SerializerMethodField()
     verbose_name_plural = SerializerMethodField()
 
-    def create(self, validated_data: dict) -> Model:
-        raise NotImplementedError
-
-    def update(self, instance: Model, validated_data: dict) -> Model:
-        raise NotImplementedError
-
     def get_verbose_name(self, obj: Model) -> str:
         """Return object's verbose_name"""
         return obj._meta.verbose_name
@@ -25,27 +44,22 @@ class MetaNameSerializer(Serializer):
         return obj._meta.verbose_name_plural
 
 
-class TypeCreateSerializer(Serializer):
+class TypeCreateSerializer(PassiveSerializer):
     """Types of an object that can be created"""
 
-    name = CharField(read_only=True)
-    description = CharField(read_only=True)
-    link = CharField(read_only=True)
-
-    def create(self, validated_data: dict) -> Model:
-        raise NotImplementedError
-
-    def update(self, instance: Model, validated_data: dict) -> Model:
-        raise NotImplementedError
+    name = CharField(required=True)
+    description = CharField(required=True)
+    component = CharField(required=True)
+    model_name = CharField(required=True)
 
 
-class CacheSerializer(Serializer):
+class CacheSerializer(PassiveSerializer):
     """Generic cache stats for an object"""
 
     count = IntegerField(read_only=True)
 
-    def create(self, validated_data: dict) -> Model:
-        raise NotImplementedError
 
-    def update(self, instance: Model, validated_data: dict) -> Model:
-        raise NotImplementedError
+class LinkSerializer(PassiveSerializer):
+    """Returns a single link"""
+
+    link = CharField()

authentik/core/apps.py

@@ -14,3 +14,4 @@ class AuthentikCoreConfig(AppConfig):
 
     def ready(self):
         import_module("authentik.core.signals")
+        import_module("authentik.core.managed")

authentik/core/channels.py

@@ -1,9 +1,10 @@
 """Channels base classes"""
 from channels.exceptions import DenyConnection
 from channels.generic.websocket import JsonWebsocketConsumer
+from rest_framework.exceptions import AuthenticationFailed
 from structlog.stdlib import get_logger
 
-from authentik.api.auth import token_from_header
+from authentik.api.authentication import token_from_header
 from authentik.core.models import User
 
 LOGGER = get_logger()
@@ -22,9 +23,13 @@ class AuthJsonConsumer(JsonWebsocketConsumer):
 
         raw_header = headers[b"authorization"]
 
-        token = token_from_header(raw_header)
-        if not token:
-            LOGGER.warning("Failed to authenticate")
+        try:
+            token = token_from_header(raw_header)
+            # token is only None when no header was given, in which case we deny too
+            if not token:
+                raise DenyConnection()
+        except AuthenticationFailed as exc:
+            LOGGER.warning("Failed to authenticate", exc=exc)
             raise DenyConnection()
 
         self.user = token.user

authentik/core/forms/applications.py

@@ -1,50 +0,0 @@
-"""authentik Core Application forms"""
-from django import forms
-from django.utils.translation import gettext_lazy as _
-
-from authentik.core.models import Application, Provider
-from authentik.lib.widgets import GroupedModelChoiceField
-
-
-class ApplicationForm(forms.ModelForm):
-    """Application Form"""
-
-    def __init__(self, *args, **kwargs):  # pragma: no cover
-        super().__init__(*args, **kwargs)
-        self.fields["provider"].queryset = (
-            Provider.objects.all().order_by("name").select_subclasses()
-        )
-
-    class Meta:
-
-        model = Application
-        fields = [
-            "name",
-            "slug",
-            "provider",
-            "meta_launch_url",
-            "meta_icon",
-            "meta_description",
-            "meta_publisher",
-        ]
-        widgets = {
-            "name": forms.TextInput(),
-            "meta_launch_url": forms.TextInput(),
-            "meta_publisher": forms.TextInput(),
-            "meta_icon": forms.FileInput(),
-        }
-        help_texts = {
-            "meta_launch_url": _(
-                (
-                    "If left empty, authentik will try to extract the launch URL "
-                    "based on the selected provider."
-                )
-            ),
-        }
-        field_classes = {"provider": GroupedModelChoiceField}
-        labels = {
-            "meta_launch_url": _("Launch URL"),
-            "meta_icon": _("Icon"),
-            "meta_description": _("Description"),
-            "meta_publisher": _("Publisher"),
-        }

authentik/core/forms/groups.py

@@ -1,38 +0,0 @@
-"""authentik Core Group forms"""
-from django import forms
-
-from authentik.admin.fields import CodeMirrorWidget, YAMLField
-from authentik.core.models import Group, User
-
-
-class GroupForm(forms.ModelForm):
-    """Group Form"""
-
-    members = forms.ModelMultipleChoiceField(
-        User.objects.all(),
-        required=False,
-    )
-
-    def __init__(self, *args, **kwargs):
-        super().__init__(*args, **kwargs)
-        if self.instance.pk:
-            self.initial["members"] = self.instance.users.values_list("pk", flat=True)
-
-    def save(self, *args, **kwargs):
-        instance = super().save(*args, **kwargs)
-        if instance.pk:
-            instance.users.clear()
-            instance.users.add(*self.cleaned_data["members"])
-        return instance
-
-    class Meta:
-
-        model = Group
-        fields = ["name", "is_superuser", "parent", "members", "attributes"]
-        widgets = {
-            "name": forms.TextInput(),
-            "attributes": CodeMirrorWidget,
-        }
-        field_classes = {
-            "attributes": YAMLField,
-        }

authentik/core/forms/token.py

@@ -1,22 +0,0 @@
-"""Core user token form"""
-from django import forms
-
-from authentik.core.models import Token
-
-
-class UserTokenForm(forms.ModelForm):
-    """Token form, for tokens created by endusers"""
-
-    class Meta:
-
-        model = Token
-        fields = [
-            "identifier",
-            "expires",
-            "expiring",
-            "description",
-        ]
-        widgets = {
-            "identifier": forms.TextInput(),
-            "description": forms.TextInput(),
-        }

authentik/core/forms/users.py

@@ -1,15 +0,0 @@
-"""authentik core user forms"""
-
-from django import forms
-
-from authentik.core.models import User
-
-
-class UserDetailForm(forms.ModelForm):
-    """Update User Details"""
-
-    class Meta:
-
-        model = User
-        fields = ["username", "name", "email"]
-        widgets = {"name": forms.TextInput}

authentik/core/managed.py

@@ -0,0 +1,16 @@
+"""Core managed objects"""
+from authentik.core.models import Source
+from authentik.managed.manager import EnsureExists, ObjectManager
+
+
+class CoreManager(ObjectManager):
+    """Core managed objects"""
+
+    def reconcile(self):
+        return [
+            EnsureExists(
+                Source,
+                "goauthentik.io/sources/inbuilt",
+                name="authentik Built-in",
+            ),
+        ]

authentik/core/migrations/0003_default_user.py

@@ -1,6 +1,8 @@
 # Generated by Django 3.0.6 on 2020-05-23 16:40
+from os import environ
 
 from django.apps.registry import Apps
+from django.conf import settings
 from django.db import migrations, models
 from django.db.backends.base.schema import BaseDatabaseSchemaEditor
 
@@ -14,7 +16,12 @@ def create_default_user(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
     akadmin, _ = User.objects.using(db_alias).get_or_create(
         username="akadmin", email="root@localhost", name="authentik Default Admin"
     )
-    akadmin.set_password("akadmin", signal=False)  # noqa # nosec
+    if "TF_BUILD" in environ or "AK_ADMIN_PASS" in environ or settings.TEST:
+        akadmin.set_password(
+            environ.get("AK_ADMIN_PASS", "akadmin"), signal=False
+        )  # noqa # nosec
+    else:
+        akadmin.set_unusable_password()
     akadmin.save()
 
 

authentik/core/migrations/0018_auto_20210330_1345.py

@@ -0,0 +1,21 @@
+# Generated by Django 3.1.7 on 2021-03-30 13:45
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0017_managed"),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name="token",
+            options={
+                "permissions": (("view_token_key", "View token's key"),),
+                "verbose_name": "Token",
+                "verbose_name_plural": "Tokens",
+            },
+        ),
+    ]

authentik/core/migrations/0019_source_managed.py

@@ -0,0 +1,24 @@
+# Generated by Django 3.2 on 2021-04-09 14:06
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0018_auto_20210330_1345"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="source",
+            name="managed",
+            field=models.TextField(
+                default=None,
+                help_text="Objects which are managed by authentik. These objects are created and updated automatically. This is flag only indicates that an object can be overwritten by migrations. You can still modify the objects via the API, but expect changes to be overwritten in a later update.",
+                null=True,
+                unique=True,
+                verbose_name="Managed by authentik",
+            ),
+        ),
+    ]

authentik/core/migrations/0020_source_user_matching_mode.py

@@ -0,0 +1,40 @@
+# Generated by Django 3.2 on 2021-05-03 17:06
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0019_source_managed"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="source",
+            name="user_matching_mode",
+            field=models.TextField(
+                choices=[
+                    ("identifier", "Use the source-specific identifier"),
+                    (
+                        "email_link",
+                        "Link to a user with identical email address. Can have security implications when a source doesn't validate email addresses.",
+                    ),
+                    (
+                        "email_deny",
+                        "Use the user's email address, but deny enrollment when the email address already exists.",
+                    ),
+                    (
+                        "username_link",
+                        "Link to a user with identical username address. Can have security implications when a username is used with another source.",
+                    ),
+                    (
+                        "username_deny",
+                        "Use the user's username, but deny enrollment when the username already exists.",
+                    ),
+                ],
+                default="identifier",
+                help_text="How the source determines if an existing user should be authenticated or a new user enrolled.",
+            ),
+        ),
+    ]