release: 2021.9.1-rc2

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2021.8.1-rc2
+current_version = 2021.9.1-rc2
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\-?(?P<release>.*)
@@ -23,7 +23,7 @@ values =
 
 [bumpversion:file:schema.yml]
 
-[bumpversion:file:.github/workflows/release.yml]
+[bumpversion:file:.github/workflows/release-publish.yml]
 
 [bumpversion:file:authentik/__init__.py]
 

.github/ISSUE_TEMPLATE/bug_report.md

@@ -27,7 +27,7 @@ If applicable, add screenshots to help explain your problem.
 Output of docker-compose logs or kubectl logs respectively
 
 **Version and Deployment (please complete the following information):**
- - authentik version: [e.g. 0.10.0-stable]
+ - authentik version: [e.g. 2021.8.5]
  - Deployment: [e.g. docker-compose, helm]
 
 **Additional context**

.github/ISSUE_TEMPLATE/question.md

@@ -20,7 +20,7 @@ If applicable, add screenshots to help explain your problem.
 Output of docker-compose logs or kubectl logs respectively
 
 **Version and Deployment (please complete the following information):**
- - authentik version: [e.g. 0.10.0-stable]
+ - authentik version: [e.g. 2021.8.5]
  - Deployment: [e.g. docker-compose, helm]
 
 **Additional context**

.github/workflows/ci-main.yml

@@ -0,0 +1,309 @@
+name: authentik-ci-main
+
+on:
+  push:
+    branches:
+      - master
+      - next
+      - version-*
+    paths-ignore:
+      - website
+  pull_request:
+    branches:
+      - master
+
+env:
+  POSTGRES_DB: authentik
+  POSTGRES_USER: authentik
+  POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
+
+jobs:
+  lint-pylint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-python@v2
+        with:
+          python-version: '3.9'
+      # - id: cache-pipenv
+      #   uses: actions/cache@v2.1.6
+      #   with:
+      #     path: ~/.local/share/virtualenvs
+      #     key: ${{ runner.os }}-pipenv-v2-${{ hashFiles('**/Pipfile.lock') }}
+      - name: prepare
+        # env:
+        #   INSTALL: ${{ steps.cache-pipenv.outputs.cache-hit }}
+        run: scripts/ci_prepare.sh
+      - name: run pylint
+        run: pipenv run pylint authentik tests lifecycle
+  lint-black:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-python@v2
+        with:
+          python-version: '3.9'
+      # - id: cache-pipenv
+      #   uses: actions/cache@v2.1.6
+      #   with:
+      #     path: ~/.local/share/virtualenvs
+      #     key: ${{ runner.os }}-pipenv-v2-${{ hashFiles('**/Pipfile.lock') }}
+      - name: prepare
+        # env:
+        #   INSTALL: ${{ steps.cache-pipenv.outputs.cache-hit }}
+        run: scripts/ci_prepare.sh
+      - name: run black
+        run: pipenv run black --check authentik tests lifecycle
+  lint-isort:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-python@v2
+        with:
+          python-version: '3.9'
+      # - id: cache-pipenv
+      #   uses: actions/cache@v2.1.6
+      #   with:
+      #     path: ~/.local/share/virtualenvs
+      #     key: ${{ runner.os }}-pipenv-v2-${{ hashFiles('**/Pipfile.lock') }}
+      - name: prepare
+        # env:
+        #   INSTALL: ${{ steps.cache-pipenv.outputs.cache-hit }}
+        run: scripts/ci_prepare.sh
+      - name: run isort
+        run: pipenv run isort --check authentik tests lifecycle
+  lint-bandit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-python@v2
+        with:
+          python-version: '3.9'
+      # - id: cache-pipenv
+      #   uses: actions/cache@v2.1.6
+      #   with:
+      #     path: ~/.local/share/virtualenvs
+      #     key: ${{ runner.os }}-pipenv-v2-${{ hashFiles('**/Pipfile.lock') }}
+      - name: prepare
+        # env:
+        #   INSTALL: ${{ steps.cache-pipenv.outputs.cache-hit }}
+        run: scripts/ci_prepare.sh
+      - name: run bandit
+        run: pipenv run bandit -r authentik tests lifecycle
+  lint-pyright:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-python@v2
+        with:
+          python-version: '3.9'
+      - uses: actions/setup-node@v2
+        with:
+          node-version: '16'
+      - name: prepare
+        run: |
+          scripts/ci_prepare.sh
+          npm install -g pyright@1.1.136
+      - name: run bandit
+        run: pipenv run pyright e2e lifecycle
+  test-migrations:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-python@v2
+        with:
+          python-version: '3.9'
+      # - id: cache-pipenv
+      #   uses: actions/cache@v2.1.6
+      #   with:
+      #     path: ~/.local/share/virtualenvs
+      #     key: ${{ runner.os }}-pipenv-v2-${{ hashFiles('**/Pipfile.lock') }}
+      - name: prepare
+        # env:
+        #   INSTALL: ${{ steps.cache-pipenv.outputs.cache-hit }}
+        run: scripts/ci_prepare.sh
+      - name: run migrations
+        run: pipenv run python -m lifecycle.migrate
+  test-migrations-from-stable:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-python@v2
+        with:
+          python-version: '3.9'
+      - name: checkout stable
+        run: |
+          # Copy current, latest config to local
+          cp authentik/lib/default.yml local.env.yml
+          git checkout $(git describe --abbrev=0 --match 'version/*')
+      # - id: cache-pipenv
+      #   uses: actions/cache@v2.1.6
+      #   with:
+      #     path: ~/.local/share/virtualenvs
+      #     key: ${{ runner.os }}-pipenv-v2-${{ hashFiles('**/Pipfile.lock') }}
+      - name: prepare
+        # env:
+        #   INSTALL: ${{ steps.cache-pipenv.outputs.cache-hit }}
+        run: scripts/ci_prepare.sh
+      - name: run migrations to stable
+        run: pipenv run python -m lifecycle.migrate
+      - name: prepare variables
+        id: ev
+        run: |
+          python ./scripts/gh_do_set_branch.py
+      - name: checkout current code
+        run: |
+          set -x
+          git fetch
+          git checkout ${{ steps.ev.outputs.branchName }}
+          pipenv sync --dev
+      - name: migrate to latest
+        run: pipenv run python -m lifecycle.migrate
+  test-unittest:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-python@v2
+        with:
+          python-version: '3.9'
+      # - id: cache-pipenv
+      #   uses: actions/cache@v2.1.6
+      #   with:
+      #     path: ~/.local/share/virtualenvs
+      #     key: ${{ runner.os }}-pipenv-v2-${{ hashFiles('**/Pipfile.lock') }}
+      - name: prepare
+        # env:
+        #   INSTALL: ${{ steps.cache-pipenv.outputs.cache-hit }}
+        run: scripts/ci_prepare.sh
+      - uses: testspace-com/setup-testspace@v1
+        with:
+          domain: ${{github.repository_owner}}
+      - name: run unittest
+        run: |
+          pipenv run make test
+          pipenv run coverage xml
+      - name: run testspace
+        if: ${{ always() }}
+        run: |
+          testspace [unittest]unittest.xml --link=codecov
+      - if: ${{ always() }}
+        uses: codecov/codecov-action@v2
+  test-integration:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-python@v2
+        with:
+          python-version: '3.9'
+      # - id: cache-pipenv
+      #   uses: actions/cache@v2.1.6
+      #   with:
+      #     path: ~/.local/share/virtualenvs
+      #     key: ${{ runner.os }}-pipenv-v2-${{ hashFiles('**/Pipfile.lock') }}
+      - name: prepare
+        # env:
+        #   INSTALL: ${{ steps.cache-pipenv.outputs.cache-hit }}
+        run: scripts/ci_prepare.sh
+      - uses: testspace-com/setup-testspace@v1
+        with:
+          domain: ${{github.repository_owner}}
+      - name: Create k8s Kind Cluster
+        uses: helm/kind-action@v1.2.0
+      - name: run integration
+        run: |
+          pipenv run make test-integration
+          pipenv run coverage xml
+      - name: run testspace
+        if: ${{ always() }}
+        run: |
+          testspace [integration]unittest.xml --link=codecov
+      - if: ${{ always() }}
+        uses: codecov/codecov-action@v2
+  test-e2e:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-python@v2
+        with:
+          python-version: '3.9'
+      - uses: actions/setup-node@v2
+        with:
+          node-version: '16'
+          cache: 'npm'
+          cache-dependency-path: web/package-lock.json
+      - uses: testspace-com/setup-testspace@v1
+        with:
+          domain: ${{github.repository_owner}}
+      # - id: cache-pipenv
+      #   uses: actions/cache@v2.1.6
+      #   with:
+      #     path: ~/.local/share/virtualenvs
+      #     key: ${{ runner.os }}-pipenv-v2-${{ hashFiles('**/Pipfile.lock') }}
+      - name: prepare
+        # env:
+        #   INSTALL: ${{ steps.cache-pipenv.outputs.cache-hit }}
+        run: |
+          scripts/ci_prepare.sh
+          docker-compose -f tests/e2e/ci.docker-compose.yml up -d
+      - id: cache-web
+        uses: actions/cache@v2.1.6
+        with:
+          path: web/dist
+          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/**') }}
+      - name: prepare web ui
+        if: steps.cache-web.outputs.cache-hit != 'true'
+        run: |
+          cd web
+          npm i
+          npm run build
+      - name: run e2e
+        run: |
+          pipenv run make test-e2e
+          pipenv run coverage xml
+      - name: run testspace
+        if: ${{ always() }}
+        run: |
+          testspace [e2e]unittest.xml --link=codecov
+      - if: ${{ always() }}
+        uses: codecov/codecov-action@v2
+  build:
+    needs:
+      - lint-pylint
+      - lint-black
+      - lint-isort
+      - lint-bandit
+      - lint-pyright
+      - test-migrations
+      - test-migrations-from-stable
+      - test-unittest
+      - test-integration
+      - test-e2e
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+      - name: prepare variables
+        id: ev
+        env:
+          DOCKER_USERNAME: ${{ secrets.HARBOR_USERNAME }}
+        run: |
+          python ./scripts/gh_do_set_branch.py
+      - name: Login to Container Registry
+        uses: docker/login-action@v1
+        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
+        with:
+          registry: beryju.org
+          username: ${{ secrets.HARBOR_USERNAME }}
+          password: ${{ secrets.HARBOR_PASSWORD }}
+      - name: Building Docker Image
+        uses: docker/build-push-action@v2
+        with:
+          push: ${{ steps.ev.outputs.shouldBuild == 'true' }}
+          tags: |
+            beryju.org/authentik/server:gh-${{ steps.ev.outputs.branchName }}
+            beryju.org/authentik/server:gh-${{ steps.ev.outputs.branchName }}-${{ steps.ev.outputs.timestamp }}-${{ steps.ev.outputs.sha }}
+          build-args: |
+            GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}

.github/workflows/ci-outpost.yml

@@ -0,0 +1,69 @@
+name: authentik-ci-outpost
+
+on:
+  push:
+    branches:
+      - master
+      - next
+      - version-*
+  pull_request:
+    branches:
+      - master
+
+jobs:
+  lint-golint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-go@v2
+        with:
+          go-version: '^1.16.3'
+      - name: Run linter
+        run: |
+          # Create folder structure for go embeds
+          mkdir -p web/dist
+          mkdir -p website/help
+          touch web/dist/test website/help/test
+          docker run \
+            --rm \
+            -v $(pwd):/app \
+            -w /app \
+            golangci/golangci-lint:v1.39.0 \
+            golangci-lint run -v --timeout 200s
+  build:
+    needs:
+      - lint-golint
+    strategy:
+      matrix:
+        type:
+          - proxy
+          - ldap
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+      - name: prepare variables
+        id: ev
+        env:
+          DOCKER_USERNAME: ${{ secrets.HARBOR_USERNAME }}
+        run: |
+          python ./scripts/gh_do_set_branch.py
+      - name: Login to Container Registry
+        uses: docker/login-action@v1
+        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
+        with:
+          registry: beryju.org
+          username: ${{ secrets.HARBOR_USERNAME }}
+          password: ${{ secrets.HARBOR_PASSWORD }}
+      - name: Building Docker Image
+        uses: docker/build-push-action@v2
+        with:
+          push: ${{ steps.ev.outputs.shouldBuild == 'true' }}
+          tags: |
+            beryju.org/authentik/outpost-${{ matrix.type }}:gh-${{ steps.ev.outputs.branchName }}
+            beryju.org/authentik/outpost-${{ matrix.type }}:gh-${{ steps.ev.outputs.branchName }}-${{ steps.ev.outputs.timestamp }}
+            beryju.org/authentik/outpost-${{ matrix.type }}:gh-${{ steps.ev.outputs.sha }}
+          file: ${{ matrix.type }}.Dockerfile
+          build-args: |
+            GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}

.github/workflows/ci-web.yml

@@ -0,0 +1,89 @@
+name: authentik-ci-web
+
+on:
+  push:
+    branches:
+      - master
+      - next
+      - version-*
+  pull_request:
+    branches:
+      - master
+
+jobs:
+  lint-eslint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-node@v2
+        with:
+          node-version: '16'
+          cache: 'npm'
+          cache-dependency-path: web/package-lock.json
+      - run: |
+          cd web
+          npm install
+      - name: Generate API
+        run: make gen-web
+      - name: Eslint
+        run: |
+          cd web
+          npm run lint
+  lint-prettier:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-node@v2
+        with:
+          node-version: '16'
+          cache: 'npm'
+          cache-dependency-path: web/package-lock.json
+      - run: |
+          cd web
+          npm install
+      - name: Generate API
+        run: make gen-web
+      - name: prettier
+        run: |
+          cd web
+          npm run prettier-check
+  lint-lit-analyse:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-node@v2
+        with:
+          node-version: '16'
+          cache: 'npm'
+          cache-dependency-path: web/package-lock.json
+      - run: |
+          cd web
+          npm install
+      - name: Generate API
+        run: make gen-web
+      - name: prettier
+        run: |
+          cd web
+          npm run lit-analyse
+  build:
+    needs:
+      - lint-eslint
+      - lint-prettier
+      - lint-lit-analyse
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-node@v2
+        with:
+          node-version: '16'
+          cache: 'npm'
+          cache-dependency-path: web/package-lock.json
+      - run: |
+          cd web
+          npm install
+      - name: Generate API
+        run: make gen-web
+      - name: build
+        run: |
+          cd web
+          npm run build

.github/workflows/release-publish.yml

@@ -33,14 +33,14 @@ jobs:
         with:
           push: ${{ github.event_name == 'release' }}
           tags: |
-            beryju/authentik:2021.8.1-rc2,
+            beryju/authentik:2021.9.1-rc2,
             beryju/authentik:latest,
-            ghcr.io/goauthentik/server:2021.8.1-rc2,
+            ghcr.io/goauthentik/server:2021.9.1-rc2,
             ghcr.io/goauthentik/server:latest
           platforms: linux/amd64,linux/arm64
           context: .
       - name: Building Docker Image (stable)
-        if: ${{ github.event_name == 'release' && !contains('2021.8.1-rc2', 'rc') }}
+        if: ${{ github.event_name == 'release' && !contains('2021.9.1-rc2', 'rc') }}
         run: |
           docker pull beryju/authentik:latest
           docker tag beryju/authentik:latest beryju/authentik:stable
@@ -75,14 +75,14 @@ jobs:
         with:
           push: ${{ github.event_name == 'release' }}
           tags: |
-            beryju/authentik-proxy:2021.8.1-rc2,
+            beryju/authentik-proxy:2021.9.1-rc2,
             beryju/authentik-proxy:latest,
-            ghcr.io/goauthentik/proxy:2021.8.1-rc2,
+            ghcr.io/goauthentik/proxy:2021.9.1-rc2,
             ghcr.io/goauthentik/proxy:latest
           file: proxy.Dockerfile
           platforms: linux/amd64,linux/arm64
       - name: Building Docker Image (stable)
-        if: ${{ github.event_name == 'release' && !contains('2021.8.1-rc2', 'rc') }}
+        if: ${{ github.event_name == 'release' && !contains('2021.9.1-rc2', 'rc') }}
         run: |
           docker pull beryju/authentik-proxy:latest
           docker tag beryju/authentik-proxy:latest beryju/authentik-proxy:stable
@@ -117,14 +117,14 @@ jobs:
         with:
           push: ${{ github.event_name == 'release' }}
           tags: |
-            beryju/authentik-ldap:2021.8.1-rc2,
+            beryju/authentik-ldap:2021.9.1-rc2,
             beryju/authentik-ldap:latest,
-            ghcr.io/goauthentik/ldap:2021.8.1-rc2,
+            ghcr.io/goauthentik/ldap:2021.9.1-rc2,
             ghcr.io/goauthentik/ldap:latest
           file: ldap.Dockerfile
           platforms: linux/amd64,linux/arm64
       - name: Building Docker Image (stable)
-        if: ${{ github.event_name == 'release' && !contains('2021.8.1-rc2', 'rc') }}
+        if: ${{ github.event_name == 'release' && !contains('2021.9.1-rc2', 'rc') }}
         run: |
           docker pull beryju/authentik-ldap:latest
           docker tag beryju/authentik-ldap:latest beryju/authentik-ldap:stable
@@ -157,9 +157,9 @@ jobs:
     steps:
       - uses: actions/checkout@v2
       - name: Setup Node.js environment
-        uses: actions/setup-node@v2.4.0
+        uses: actions/setup-node@v2
         with:
-          node-version: 12.x
+          node-version: '16'
       - name: Build web api client and web ui
         run: |
           export NODE_ENV=production
@@ -175,7 +175,7 @@ jobs:
           SENTRY_PROJECT: authentik
           SENTRY_URL: https://sentry.beryju.org
         with:
-          version: authentik@2021.8.1-rc2
+          version: authentik@2021.9.1-rc2
           environment: beryjuorg-prod
           sourcemaps: './web/dist'
           url_prefix: '~/static/dist'

.github/workflows/web-api-publish.yml

@@ -1,7 +1,7 @@
 name: authentik-web-api-publish
 on:
   push:
-    branches: [ master, version* ]
+    branches: [ master ]
     paths:
       - 'schema.yml'
 jobs:
@@ -12,7 +12,7 @@ jobs:
       # Setup .npmrc file to publish to npm
       - uses: actions/setup-node@v2
         with:
-          node-version: '16.x'
+          node-version: '16'
           registry-url: 'https://registry.npmjs.org'
       - name: Generate API Client
         run: make gen-web

CONTRIBUTING.md

@@ -11,8 +11,8 @@ The following is a set of guidelines for contributing to authentik and its compo
 [I don't want to read this whole thing, I just have a question!!!](#i-dont-want-to-read-this-whole-thing-i-just-have-a-question)
 
 [What should I know before I get started?](#what-should-i-know-before-i-get-started)
-  * [Atom and Packages](#atom-and-packages)
-  * [Atom Design Decisions](#design-decisions)
+  * [The components](#the-components)
+  * [authentik's structure](#authentiks-structure)
 
 [How Can I Contribute?](#how-can-i-contribute)
   * [Reporting Bugs](#reporting-bugs)
@@ -22,14 +22,9 @@ The following is a set of guidelines for contributing to authentik and its compo
 
 [Styleguides](#styleguides)
   * [Git Commit Messages](#git-commit-messages)
-  * [JavaScript Styleguide](#javascript-styleguide)
-  * [CoffeeScript Styleguide](#coffeescript-styleguide)
-  * [Specs Styleguide](#specs-styleguide)
+  * [Python Styleguide](#python-styleguide)
   * [Documentation Styleguide](#documentation-styleguide)
 
-[Additional Notes](#additional-notes)
-  * [Issue and Pull Request Labels](#issue-and-pull-request-labels)
-
 ## Code of Conduct
 
 Basically, don't be a dickhead. This is an open-source non-profit project, that is made in the free time of Volunteers. If there's something you dislike or think can be done better, tell us! We'd love to hear any suggestions for improvement.

Dockerfile

@@ -18,22 +18,7 @@ COPY ./website /static/
 ENV NODE_ENV=production
 RUN cd /static && npm i && npm run build-docs-only
 
-# Stage 3: Generate API Client
-FROM openapitools/openapi-generator-cli as go-api-builder
-
-COPY ./schema.yml /local/schema.yml
-
-RUN	docker-entrypoint.sh generate \
-    --git-host goauthentik.io \
-    --git-repo-id outpost \
-    --git-user-id api \
-    -i /local/schema.yml \
-    -g go \
-    -o /local/api \
-    --additional-properties=packageName=api,enumClassPrefix=true,useOneOfDiscriminatorLookup=true && \
-    rm -f /local/api/go.mod /local/api/go.sum
-
-# Stage 4: Build webui
+# Stage 3: Build webui
 FROM node as web-builder
 
 COPY ./web /static/
@@ -41,8 +26,8 @@ COPY ./web /static/
 ENV NODE_ENV=production
 RUN cd /static && npm i && npm run build
 
-# Stage 5: Build go proxy
-FROM golang:1.17.0 AS builder
+# Stage 4: Build go proxy
+FROM golang:1.17.1 AS builder
 
 WORKDIR /work
 
@@ -52,7 +37,6 @@ COPY --from=web-builder /static/dist/ /work/web/dist/
 COPY --from=web-builder /static/authentik/ /work/web/authentik/
 COPY --from=website-builder /static/help/ /work/website/help/
 
-COPY --from=go-api-builder /local/api api
 COPY ./cmd /work/cmd
 COPY ./web/static.go /work/web/static.go
 COPY ./website/static.go /work/website/static.go
@@ -62,7 +46,7 @@ COPY ./go.sum /work/go.sum
 
 RUN go build -o /work/authentik ./cmd/server/main.go
 
-# Stage 6: Run
+# Stage 5: Run
 FROM python:3.9-slim-buster
 
 WORKDIR /
@@ -97,6 +81,7 @@ COPY --from=builder /work/authentik /authentik-proxy
 
 USER authentik
 ENV TMPDIR /dev/shm/
-ENV PYTHONUBUFFERED 1
+ENV PYTHONUNBUFFERED 1
+ENV prometheus_multiproc_dir /dev/shm/
 ENV PATH "/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/lifecycle"
 ENTRYPOINT [ "/lifecycle/ak" ]

Makefile

@@ -7,8 +7,6 @@ NPM_VERSION = $(shell python -m scripts.npm_version)
 all: lint-fix lint test gen
 
 test-integration:
-	k3d cluster create || exit 0
-	k3d kubeconfig write -o ~/.kube/config --overwrite
 	coverage run manage.py test -v 3 tests/integration
 
 test-e2e:
@@ -61,13 +59,13 @@ gen-outpost:
 		-i /local/schema.yml \
 		-g go \
 		-o /local/api \
-		--additional-properties=packageName=api,enumClassPrefix=true,useOneOfDiscriminatorLookup=true
+		--additional-properties=packageName=api,enumClassPrefix=true,useOneOfDiscriminatorLookup=true,disallowAdditionalPropertiesIfNotPresent=false
 	rm -f api/go.mod api/go.sum
 
-gen: gen-build gen-clean gen-web gen-outpost
+gen: gen-build gen-clean gen-web
 
 migrate:
 	python -m lifecycle.migrate
 
 run:
-	go run -v cmd/server/main.go
+	WORKERS=1 go run -v cmd/server/main.go

Pipfile

@@ -49,9 +49,6 @@ ua-parser = "*"
 deepmerge = "*"
 colorama = "*"
 
-[requires]
-python_version = "3.9"
-
 [dev-packages]
 bandit = "*"
 black = "==21.5b1"

Pipfile.lock

@@ -1,12 +1,10 @@
 {
     "_meta": {
         "hash": {
-            "sha256": "f0befa9b3dacc1c3363b9442fa7a43f6be2c46a8fcb80a994230d288a384e54d"
+            "sha256": "19d5324fd1a4af125ed57a683030ca14ee2d3648117748e4b32656875484728e"
         },
         "pipfile-spec": 6,
-        "requires": {
-            "python_version": "3.9"
-        },
+        "requires": {},
         "sources": [
             {
                 "name": "pypi",
@@ -122,19 +120,19 @@
         },
         "boto3": {
             "hashes": [
-                "sha256:7209b79833bdf13753aa24f76bf533890ffed2cc4fe1fe08619d223c209bbd11",
-                "sha256:f46c93d09acd4d4bfc6b9522ed852fecbdc508e0365f29ddfb3c146aae784b4e"
+                "sha256:63b9846c26e0905f4e9e39d6b59f152330c53a926d693439161c43dcf9779365",
+                "sha256:a9232185d8e7e2fd2b166c0ebee5d7b1f787fdb3093f33bbf5aa932c08f0ccac"
             ],
             "index": "pypi",
-            "version": "==1.18.27"
+            "version": "==1.18.42"
         },
         "botocore": {
             "hashes": [
-                "sha256:8c99abd7093ab11ce8d09c68732aeeb6065a53d2fe371568452e99291817fff5",
-                "sha256:b9e2c90bad164d111c229102f58f995c28576e719dd116b446965e1b786f8fa5"
+                "sha256:0952d1200968365b440045efe8e45bbae38cf603fee12bcfc3d7b5f963cbfa18",
+                "sha256:6de4fec4ee10987e4dea96f289553c2f45109fcaafcb74a5baee1221926e1306"
             ],
             "markers": "python_version >= '3.6'",
-            "version": "==1.21.27"
+            "version": "==1.21.42"
         },
         "cachetools": {
             "hashes": [
@@ -254,11 +252,11 @@
         },
         "charset-normalizer": {
             "hashes": [
-                "sha256:0c8911edd15d19223366a194a513099a302055a962bca2cec0f54b8b63175d8b",
-                "sha256:f23667ebe1084be45f6ae0538e4a5a865206544097e4e8bbcacf42cd02a348f3"
+                "sha256:7098e7e862f6370a2a8d1a6398cd359815c45d12626267652c3f13dec58e2367",
+                "sha256:fa471a601dfea0f492e4f4fca035cd82155e65dc45c9b83bf4322dfab63755dd"
             ],
             "markers": "python_version >= '3'",
-            "version": "==2.0.4"
+            "version": "==2.0.5"
         },
         "click": {
             "hashes": [
@@ -305,22 +303,25 @@
         },
         "cryptography": {
             "hashes": [
-                "sha256:0f1212a66329c80d68aeeb39b8a16d54ef57071bf22ff4e521657b27372e327d",
-                "sha256:1e056c28420c072c5e3cb36e2b23ee55e260cb04eee08f702e0edfec3fb51959",
-                "sha256:240f5c21aef0b73f40bb9f78d2caff73186700bf1bc6b94285699aff98cc16c6",
-                "sha256:26965837447f9c82f1855e0bc8bc4fb910240b6e0d16a664bb722df3b5b06873",
-                "sha256:37340614f8a5d2fb9aeea67fd159bfe4f5f4ed535b1090ce8ec428b2f15a11f2",
-                "sha256:3d10de8116d25649631977cb37da6cbdd2d6fa0e0281d014a5b7d337255ca713",
-                "sha256:3d8427734c781ea5f1b41d6589c293089704d4759e34597dce91014ac125aad1",
-                "sha256:7ec5d3b029f5fa2b179325908b9cd93db28ab7b85bb6c1db56b10e0b54235177",
-                "sha256:8e56e16617872b0957d1c9742a3f94b43533447fd78321514abbe7db216aa250",
-                "sha256:b01fd6f2737816cb1e08ed4807ae194404790eac7ad030b34f2ce72b332f5586",
-                "sha256:bf40af59ca2465b24e54f671b2de2c59257ddc4f7e5706dbd6930e26823668d3",
-                "sha256:de4e5f7f68220d92b7637fc99847475b59154b7a1b3868fb7385337af54ac9ca",
-                "sha256:eb8cc2afe8b05acbd84a43905832ec78e7b3873fb124ca190f574dca7389a87d",
-                "sha256:ee77aa129f481be46f8d92a1a7db57269a2f23052d5f2433b4621bb457081cc9"
+                "sha256:0a7dcbcd3f1913f664aca35d47c1331fce738d44ec34b7be8b9d332151b0b01e",
+                "sha256:1eb7bb0df6f6f583dd8e054689def236255161ebbcf62b226454ab9ec663746b",
+                "sha256:21ca464b3a4b8d8e86ba0ee5045e103a1fcfac3b39319727bc0fc58c09c6aff7",
+                "sha256:34dae04a0dce5730d8eb7894eab617d8a70d0c97da76b905de9efb7128ad7085",
+                "sha256:3520667fda779eb788ea00080124875be18f2d8f0848ec00733c0ec3bb8219fc",
+                "sha256:3fa3a7ccf96e826affdf1a0a9432be74dc73423125c8f96a909e3835a5ef194a",
+                "sha256:5b0fbfae7ff7febdb74b574055c7466da334a5371f253732d7e2e7525d570498",
+                "sha256:8695456444f277af73a4877db9fc979849cd3ee74c198d04fc0776ebc3db52b9",
+                "sha256:94cc5ed4ceaefcbe5bf38c8fba6a21fc1d365bb8fb826ea1688e3370b2e24a1c",
+                "sha256:94fff993ee9bc1b2440d3b7243d488c6a3d9724cc2b09cdb297f6a886d040ef7",
+                "sha256:9965c46c674ba8cc572bc09a03f4c649292ee73e1b683adb1ce81e82e9a6a0fb",
+                "sha256:a00cf305f07b26c351d8d4e1af84ad7501eca8a342dedf24a7acb0e7b7406e14",
+                "sha256:a305600e7a6b7b855cd798e00278161b681ad6e9b7eca94c721d5f588ab212af",
+                "sha256:cd65b60cfe004790c795cc35f272e41a3df4631e2fb6b35aa7ac6ef2859d554e",
+                "sha256:d2a6e5ef66503da51d2110edf6c403dc6b494cc0082f85db12f54e9c5d4c3ec5",
+                "sha256:d9ec0e67a14f9d1d48dd87a2531009a9b251c02ea42851c060b25c782516ff06",
+                "sha256:f44d141b8c4ea5eb4dbc9b3ad992d45580c1d22bf5e24363f2fbf50c2d7ae8a7"
             ],
-            "version": "==3.4.7"
+            "version": "==3.4.8"
         },
         "dacite": {
             "hashes": [
@@ -356,11 +357,11 @@
         },
         "django": {
             "hashes": [
-                "sha256:7f92413529aa0e291f3be78ab19be31aefb1e1c9a52cd59e130f505f27a51f13",
-                "sha256:f27f8544c9d4c383bbe007c57e3235918e258364577373d4920e9162837be022"
+                "sha256:95b318319d6997bac3595517101ad9cc83fe5672ac498ba48d1a410f47afecd2",
+                "sha256:e93c93565005b37ddebf2396b4dc4b6913c1838baa82efdfb79acedd5816c240"
             ],
             "index": "pypi",
-            "version": "==3.2.6"
+            "version": "==3.2.7"
         },
         "django-dbbackup": {
             "git": "https://github.com/django-dbbackup/django-dbbackup.git",
@@ -392,11 +393,11 @@
         },
         "django-otp": {
             "hashes": [
-                "sha256:01b5888f0bde5125e139433aacb947e52d5c406fa56c9db43c3e8d75b5c323c4",
-                "sha256:0d56dd2a7fbb6ee6e54557e036ca64add0bd3596f471794bad673b7637d5e935"
+                "sha256:0c03a471db9e876f3671314bc9a65bd56a5c3c108ee0562c473701310bba4a77",
+                "sha256:4c90cdaed683d736b0efafc034a3c6b410e1be2a53c24da287165b1f371d8776"
             ],
             "index": "pypi",
-            "version": "==1.0.6"
+            "version": "==1.1.1"
         },
         "django-prometheus": {
             "hashes": [
@@ -440,19 +441,19 @@
         },
         "docker": {
             "hashes": [
-                "sha256:3e8bc47534e0ca9331d72c32f2881bb13b93ded0bcdeab3c833fb7cf61c0a9a5",
-                "sha256:fc961d622160e8021c10d1bcabc388c57d55fb1f917175afbe24af442e6879bd"
+                "sha256:21ec4998e90dff7a7aaaa098ca8d839c7de412b89e6f6c30908372d58fecf663",
+                "sha256:9b17f0723d83c1f3418d2aa17bf90b24dbe97deda06208dd4262fa30a6ee87eb"
             ],
             "index": "pypi",
-            "version": "==5.0.0"
+            "version": "==5.0.2"
         },
         "drf-spectacular": {
             "hashes": [
-                "sha256:f080128c42183fcaed6b9e8e5afcd2e5cd68426b1f80bfc85938f25e62db7fe5",
-                "sha256:fb19aa69fcfcd37b0c9dfb9989c0671e1bb47af332ca2171378c7f840263788c"
+                "sha256:47ef6ec8ff48ac8aede6ec12450a55fee381cf84de969ef1724dcde5a93de6b8",
+                "sha256:d746b936cb4cddec380ea95bf91de6a6721777dfc42e0eea53b83c61a625e94e"
             ],
             "index": "pypi",
-            "version": "==0.17.3"
+            "version": "==0.18.2"
         },
         "duo-client": {
             "hashes": [
@@ -487,11 +488,11 @@
         },
         "google-auth": {
             "hashes": [
-                "sha256:c012c8be7c442c8309ca8fa0876fef33f5fd977c467be1e1c1c2f721e8ebd73c",
-                "sha256:ea1af050b3e06eb73e4470f704d23007307bc0e87c13e015f6b90460f1407bd3"
+                "sha256:7ae5eda089d393ca01658b550df24913cbbbdd34e9e6dedc1cea747485ae0c04",
+                "sha256:bde03220ed56e4e147dec92339c90ce95159dce657e2cccd0ac1fe82f6a96284"
             ],
             "markers": "python_version >= '3.6'",
-            "version": "==2.0.1"
+            "version": "==2.1.0"
         },
         "gunicorn": {
             "hashes": [
@@ -1105,11 +1106,11 @@
         },
         "sqlparse": {
             "hashes": [
-                "sha256:017cde379adbd6a1f15a61873f43e8274179378e95ef3fede90b5aa64d304ed0",
-                "sha256:0f91fd2e829c44362cbcfab3e9ae12e22badaa8a29ad5ff599f9ec109f0454e8"
+                "sha256:0c00730c74263a94e5a9919ade150dfc3b19c574389985446148402998287dae",
+                "sha256:48719e356bb8b42991bdbb1e8b83223757b93789c00910a616a071910ca4a64d"
             ],
             "markers": "python_version >= '3.5'",
-            "version": "==0.4.1"
+            "version": "==0.4.2"
         },
         "structlog": {
             "hashes": [
@@ -1148,11 +1149,11 @@
         },
         "typing-extensions": {
             "hashes": [
-                "sha256:0ac0f89795dd19de6b97debb0c6af1c70987fd80a2d62d1958f7e56fcc31b497",
-                "sha256:50b6f157849174217d0656f99dc82fe932884fb250826c18350e159ec6cdf342",
-                "sha256:779383f6086d90c99ae41cf0ff39aac8a7937a9283ce0a414e5dd782f4c94a84"
+                "sha256:49f75d16ff11f1cd258e1b988ccff82a3ca5570217d7ad8c5f48205dd99a677e",
+                "sha256:d8226d10bc02a29bcc81df19a26e56a9647f8b0a6d4a83924139f4a8b01f17b7",
+                "sha256:f1d25edafde516b146ecd0613dabcc61409817af4766fbbcfb8d1ad4ec441a34"
             ],
-            "version": "==3.10.0.0"
+            "version": "==3.10.0.2"
         },
         "ua-parser": {
             "hashes": [
@@ -1253,58 +1254,50 @@
         },
         "websockets": {
             "hashes": [
-                "sha256:0dd4eb8e0bbf365d6f652711ce21b8fd2b596f873d32aabb0fbb53ec604418cc",
-                "sha256:1d0971cc7251aeff955aa742ec541ee8aaea4bb2ebf0245748fbec62f744a37e",
-                "sha256:1d6b4fddb12ab9adf87b843cd4316c4bd602db8d5efd2fb83147f0458fe85135",
-                "sha256:230a3506df6b5f446fed2398e58dcaafdff12d67fe1397dff196411a9e820d02",
-                "sha256:276d2339ebf0df4f45df453923ebd2270b87900eda5dfd4a6b0cfa15f82111c3",
-                "sha256:2cf04601633a4ec176b9cc3d3e73789c037641001dbfaf7c411f89cd3e04fcaf",
-                "sha256:3ddff38894c7857c476feb3538dd847514379d6dc844961dc99f04b0384b1b1b",
-                "sha256:48c222feb3ced18f3dc61168ca18952a22fb88e5eb8902d2bf1b50faefdc34a2",
-                "sha256:51d04df04ed9d08077d10ccbe21e6805791b78eac49d16d30a1f1fe2e44ba0af",
-                "sha256:597c28f3aa7a09e8c070a86b03107094ee5cdafcc0d55f2f2eac92faac8dc67d",
-                "sha256:5c8f0d82ea2468282e08b0cf5307f3ad022290ed50c45d5cb7767957ca782880",
-                "sha256:7189e51955f9268b2bdd6cc537e0faa06f8fffda7fb386e5922c6391de51b077",
-                "sha256:7df3596838b2a0c07c6f6d67752c53859a54993d4f062689fdf547cb56d0f84f",
-                "sha256:826ccf85d4514609219725ba4a7abd569228c2c9f1968e8be05be366f68291ec",
-                "sha256:836d14eb53b500fd92bd5db2fc5894f7c72b634f9c2a28f546f75967503d8e25",
-                "sha256:85db8090ba94e22d964498a47fdd933b8875a1add6ebc514c7ac8703eb97bbf0",
-                "sha256:85e701a6c316b7067f1e8675c638036a796fe5116783a4c932e7eb8e305a3ffe",
-                "sha256:900589e19200be76dd7cbaa95e9771605b5ce3f62512d039fb3bc5da9014912a",
-                "sha256:9147868bb0cc01e6846606cd65cbf9c58598f187b96d14dd1ca17338b08793bb",
-                "sha256:9e7fdc775fe7403dbd8bc883ba59576a6232eac96dacb56512daacf7af5d618d",
-                "sha256:ab5ee15d3462198c794c49ccd31773d8a2b8c17d622aa184f669d2b98c2f0857",
-                "sha256:ad893d889bc700a5835e0a95a3e4f2c39e91577ab232a3dc03c262a0f8fc4b5c",
-                "sha256:b2e71c4670ebe1067fa8632f0d081e47254ee2d3d409de54168b43b0ba9147e0",
-                "sha256:b43b13e5622c5a53ab12f3272e6f42f1ce37cd5b6684b2676cb365403295cd40",
-                "sha256:b4ad84b156cf50529b8ac5cc1638c2cf8680490e3fccb6121316c8c02620a2e4",
-                "sha256:be5fd35e99970518547edc906efab29afd392319f020c3c58b0e1a158e16ed20",
-                "sha256:caa68c95bc1776d3521f81eeb4d5b9438be92514ec2a79fececda814099c8314",
-                "sha256:d144b350045c53c8ff09aa1cfa955012dd32f00c7e0862c199edcabb1a8b32da",
-                "sha256:d2c2d9b24d3c65b5a02cac12cbb4e4194e590314519ed49db2f67ef561c3cf58",
-                "sha256:e9e5fd6dbdf95d99bc03732ded1fc8ef22ebbc05999ac7e0c7bf57fe6e4e5ae2",
-                "sha256:ebf459a1c069f9866d8569439c06193c586e72c9330db1390af7c6a0a32c4afd",
-                "sha256:f31722f1c033c198aa4a39a01905951c00bd1c74f922e8afc1b1c62adbcdd56a",
-                "sha256:f68c352a68e5fdf1e97288d5cec9296664c590c25932a8476224124aaf90dbcd"
+                "sha256:01db0ecd1a0ca6702d02a5ed40413e18b7d22f94afb3bbe0d323bac86c42c1c8",
+                "sha256:085bb8a6e780d30eaa1ba48ac7f3a6707f925edea787cfb761ce5a39e77ac09b",
+                "sha256:1ac35426fe3e7d3d0fac3d63c8965c76ed67a8fd713937be072bf0ce22808539",
+                "sha256:1f6b814cff6aadc4288297cb3a248614829c6e4ff5556593c44a115e9dd49939",
+                "sha256:2a43072e434c041a99f2e1eb9b692df0232a38c37c61d00e9f24db79474329e4",
+                "sha256:5b2600e01c7ca6f840c42c747ffbe0254f319594ed108db847eb3d75f4aacb80",
+                "sha256:62160772314920397f9d219147f958b33fa27a12c662d4455c9ccbba9a07e474",
+                "sha256:706e200fc7f03bed99ad0574cd1ea8b0951477dd18cc978ccb190683c69dba76",
+                "sha256:71358c7816e2762f3e4af3adf0040f268e219f5a38cb3487a9d0fc2e554fef6a",
+                "sha256:7d2e12e4f901f1bc062dfdf91831712c4106ed18a9a4cdb65e2e5f502124ca37",
+                "sha256:7f79f02c7f9a8320aff7d3321cd1c7e3a7dbc15d922ac996cca827301ee75238",
+                "sha256:82b17524b1ce6ae7f7dd93e4d18e9b9474071e28b65dbf1dfe9b5767778db379",
+                "sha256:82bd921885231f4a30d9bc550552495b3fc36b1235add6d374e7c65c3babd805",
+                "sha256:8bbf8660c3f833ddc8b1afab90213f2e672a9ddac6eecb3cde968e6b2807c1c7",
+                "sha256:9a4d889162bd48588e80950e07fa5e039eee9deb76a58092e8c3ece96d7ef537",
+                "sha256:b4ade7569b6fd17912452f9c3757d96f8e4044016b6d22b3b8391e641ca50456",
+                "sha256:b8176deb6be540a46695960a765a77c28ac8b2e3ef2ec95d50a4f5df901edb1c",
+                "sha256:c4fc9a1d242317892590abe5b61a9127f1a61740477bfb121743f290b8054002",
+                "sha256:c5880442f5fc268f1ef6d37b2c152c114deccca73f48e3a8c48004d2f16f4567",
+                "sha256:cd8c6f2ec24aedace251017bc7a414525171d4e6578f914acab9349362def4da",
+                "sha256:d67646ddd17a86117ae21c27005d83c1895c0cef5d7be548b7549646372f868a",
+                "sha256:e42a1f1e03437b017af341e9bbfdc09252cd48ef32a8c3c3ead769eab3b17368",
+                "sha256:eb282127e9c136f860c6068a4fba5756eb25e755baffb5940b6f1eae071928b2",
+                "sha256:fe83b3ec9ef34063d86dfe1029160a85f24a5a94271036e5714a57acfdd089a1",
+                "sha256:ff59c6bdb87b31f7e2d596f09353d5a38c8c8ff571b0e2238e8ee2d55ad68465"
             ],
-            "version": "==9.1"
+            "version": "==10.0"
         },
         "xmlsec": {
             "hashes": [
-                "sha256:23f209260b37bdc2fd96af837494c47dd1e67964f077442b63acd83c0f62e212",
-                "sha256:4fb38ab0bf3e47cbae136119674a869e09d61c939b510350f369c8ac46087373",
-                "sha256:705ab5b848afdf3a5c78b1322276054c885f44dc51601e14cb883a9c86cbe20f",
-                "sha256:843d10bba4c480609da74ee11fff1ee0fc1c12821c656979f12a7a4ecb043e03",
-                "sha256:86d54b93f8278e2f0c504d0744e39a483c1c7ce9993f2ca70184cc7770faa982",
-                "sha256:8922fba55a060ee81de4a7f5efc593c5bf121047763aecf0eead02e061c9d2db",
-                "sha256:c7b49d4fce83186b89f7ce6cec765245d36a70d0acc2f3ed0ba95c735b3667da",
-                "sha256:cd2eaaff7f31784a07dd99ce81fa767313df3ba1834faa4143ee2c07000cac7a",
-                "sha256:dea5bef9b5830c36ccb7a68a0d94d49eaea4d03fbbd04179652bf661b7e6e30f",
-                "sha256:eadff662d89c80db409c69d82eb3e695e16d4a5e8ab56b5b22670a54e9c6ff20",
-                "sha256:ee233d0bc27fb8f447ca2622b0de2ac2df45b8795f02ef263825912011fe4fe9"
+                "sha256:135724cdce60e6bbd072fca6f09a21f72e2cecc59eebb4eed7740c316ecabc7b",
+                "sha256:1b4377f6d37ad714ba95a227ef40fb54ba1b22ef5170ce04c330fe45ee6ad184",
+                "sha256:2c86ac6ce570c9e04f04da0cd5e7d3db346e4b5b1d006311606368f17c756ef9",
+                "sha256:4e5f565de311afa33aaee4724566e685f951afe301212b6cf82f98cf9d8a1749",
+                "sha256:9a2b8a780093b0fe8cecae53a81a8cd9edd50c08980d374c5317c91f065042d9",
+                "sha256:ce9c681adbc87b4f06c2b16725d9b2edbdbd508117dae4288b5faf78c1406038",
+                "sha256:d22da4d3dcc559fb2e54e782f39c9ddad5f8d5b356f86a79bbb80b0a45115c97",
+                "sha256:db3e18ca883c01bbe28c9f5197c66f676c9772cf2d85f667e6122fc4d0702225",
+                "sha256:e4783f7814aa2a3e318385cce8ef87c82954b9a59535a48f67da4e2c21c08ce1",
+                "sha256:f32e54065f0404ceff71388daa7fa7df10e1fb800051dfe302d63abb0acf0020",
+                "sha256:f5d242b1a19a36078608f5d7f4d561c5ca55cac8061a323a071c06275267dc19"
             ],
             "index": "pypi",
-            "version": "==1.3.11"
+            "version": "==1.3.12"
         },
         "yarl": {
             "hashes": [
@@ -1417,11 +1410,11 @@
         },
         "astroid": {
             "hashes": [
-                "sha256:b6c2d75cd7c2982d09e7d41d70213e863b3ba34d3bd4014e08f167cee966e99e",
-                "sha256:ecc50f9b3803ebf8ea19aa2c6df5622d8a5c31456a53c741d3be044d96ff0948"
+                "sha256:3b680ce0419b8a771aba6190139a3998d14b413852506d99aff8dc2bf65ee67c",
+                "sha256:dc1e8b28427d6bbef6b8842b18765ab58f558c42bb80540bd7648c98412af25e"
             ],
             "markers": "python_version ~= '3.6'",
-            "version": "==2.7.2"
+            "version": "==2.7.3"
         },
         "attrs": {
             "hashes": [
@@ -1464,11 +1457,11 @@
         },
         "charset-normalizer": {
             "hashes": [
-                "sha256:0c8911edd15d19223366a194a513099a302055a962bca2cec0f54b8b63175d8b",
-                "sha256:f23667ebe1084be45f6ae0538e4a5a865206544097e4e8bbcacf42cd02a348f3"
+                "sha256:7098e7e862f6370a2a8d1a6398cd359815c45d12626267652c3f13dec58e2367",
+                "sha256:fa471a601dfea0f492e4f4fca035cd82155e65dc45c9b83bf4322dfab63755dd"
             ],
             "markers": "python_version >= '3'",
-            "version": "==2.0.4"
+            "version": "==2.0.5"
         },
         "click": {
             "hashes": [
@@ -1579,7 +1572,7 @@
                 "sha256:9c2ea1e62d871267b78307fe511c0838ba0da28698c5732d54e2790bf3ba9899",
                 "sha256:e17d6e2b81095c9db0a03a8025a957f334d6ea30b26f9ec70805411e5c7c81f2"
             ],
-            "markers": "python_version < '4.0' and python_full_version >= '3.6.1'",
+            "markers": "python_version < '4' and python_full_version >= '3.6.1'",
             "version": "==5.9.3"
         },
         "lazy-object-proxy": {
@@ -1649,19 +1642,19 @@
         },
         "platformdirs": {
             "hashes": [
-                "sha256:4666d822218db6a262bdfdc9c39d21f23b4cfdb08af331a81e92751daf6c866c",
-                "sha256:632daad3ab546bd8e6af0537d09805cec458dce201bccfe23012df73332e181e"
+                "sha256:15b056538719b1c94bdaccb29e5f81879c7f7f0f4a153f46086d155dffcd4f0f",
+                "sha256:8003ac87717ae2c7ee1ea5a84a1a61e87f3fbd16eb5aadba194ea30a9019f648"
             ],
             "markers": "python_version >= '3.6'",
-            "version": "==2.2.0"
+            "version": "==2.3.0"
         },
         "pluggy": {
             "hashes": [
-                "sha256:15b2acde666561e1298d71b523007ed7364de07029219b604cf808bfa1c765b0",
-                "sha256:966c145cd83c96502c3c3868f50408687b38434af77734af1e9ca461a4081d2d"
+                "sha256:4224373bacce55f955a878bf9cfa763c1e360858e330072059e10bad68531159",
+                "sha256:74134bbf457f031a36d68416e1509f34bd5ccc019f0bcc952c7b909d06b37bd3"
             ],
-            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
-            "version": "==0.13.1"
+            "markers": "python_version >= '3.6'",
+            "version": "==1.0.0"
         },
         "py": {
             "hashes": [
@@ -1704,11 +1697,11 @@
         },
         "pytest": {
             "hashes": [
-                "sha256:50bcad0a0b9c5a72c8e4e7c9855a3ad496ca6a881a3641b4260605450772c54b",
-                "sha256:91ef2131a9bd6be8f76f1f08eac5c5317221d6ad1e143ae03894b862e8976890"
+                "sha256:131b36680866a76e6781d13f101efb86cf674ebb9762eb70d3082b6f29889e89",
+                "sha256:7310f8d27bc79ced999e760ca304d69f6ba6c6649c0b60fb0e04a4a77cacc134"
             ],
             "index": "pypi",
-            "version": "==6.2.4"
+            "version": "==6.2.5"
         },
         "pytest-django": {
             "hashes": [
@@ -1755,49 +1748,49 @@
         },
         "regex": {
             "hashes": [
-                "sha256:03840a07a402576b8e3a6261f17eb88abd653ad4e18ec46ef10c9a63f8c99ebd",
-                "sha256:06ba444bbf7ede3890a912bd4904bb65bf0da8f0d8808b90545481362c978642",
-                "sha256:1f9974826aeeda32a76648fc677e3125ade379869a84aa964b683984a2dea9f1",
-                "sha256:330836ad89ff0be756b58758878409f591d4737b6a8cef26a162e2a4961c3321",
-                "sha256:38600fd58c2996829480de7d034fb2d3a0307110e44dae80b6b4f9b3d2eea529",
-                "sha256:3a195e26df1fbb40ebee75865f9b64ba692a5824ecb91c078cc665b01f7a9a36",
-                "sha256:41acdd6d64cd56f857e271009966c2ffcbd07ec9149ca91f71088574eaa4278a",
-                "sha256:45f97ade892ace20252e5ccecdd7515c7df5feeb42c3d2a8b8c55920c3551c30",
-                "sha256:4b0c211c55d4aac4309c3209833c803fada3fc21cdf7b74abedda42a0c9dc3ce",
-                "sha256:5d5209c3ba25864b1a57461526ebde31483db295fc6195fdfc4f8355e10f7376",
-                "sha256:615fb5a524cffc91ab4490b69e10ae76c1ccbfa3383ea2fad72e54a85c7d47dd",
-                "sha256:61e734c2bcb3742c3f454dfa930ea60ea08f56fd1a0eb52d8cb189a2f6be9586",
-                "sha256:640ccca4d0a6fcc6590f005ecd7b16c3d8f5d52174e4854f96b16f34c39d6cb7",
-                "sha256:6dbd51c3db300ce9d3171f4106da18fe49e7045232630fe3d4c6e37cb2b39ab9",
-                "sha256:71a904da8c9c02aee581f4452a5a988c3003207cb8033db426f29e5b2c0b7aea",
-                "sha256:8021dee64899f993f4b5cca323aae65aabc01a546ed44356a0965e29d7893c94",
-                "sha256:8b8d551f1bd60b3e1c59ff55b9e8d74607a5308f66e2916948cafd13480b44a3",
-                "sha256:93f9f720081d97acee38a411e861d4ce84cbc8ea5319bc1f8e38c972c47af49f",
-                "sha256:96f0c79a70642dfdf7e6a018ebcbea7ea5205e27d8e019cad442d2acfc9af267",
-                "sha256:9966337353e436e6ba652814b0a957a517feb492a98b8f9d3b6ba76d22301dcc",
-                "sha256:a34ba9e39f8269fd66ab4f7a802794ffea6d6ac500568ec05b327a862c21ce23",
-                "sha256:a49f85f0a099a5755d0a2cc6fc337e3cb945ad6390ec892332c691ab0a045882",
-                "sha256:a795829dc522227265d72b25d6ee6f6d41eb2105c15912c230097c8f5bfdbcdc",
-                "sha256:a89ca4105f8099de349d139d1090bad387fe2b208b717b288699ca26f179acbe",
-                "sha256:ac95101736239260189f426b1e361dc1b704513963357dc474beb0f39f5b7759",
-                "sha256:ae87ab669431f611c56e581679db33b9a467f87d7bf197ac384e71e4956b4456",
-                "sha256:b091dcfee169ad8de21b61eb2c3a75f9f0f859f851f64fdaf9320759a3244239",
-                "sha256:b511c6009d50d5c0dd0bab85ed25bc8ad6b6f5611de3a63a59786207e82824bb",
-                "sha256:b79dc2b2e313565416c1e62807c7c25c67a6ff0a0f8d83a318df464555b65948",
-                "sha256:bca14dfcfd9aae06d7d8d7e105539bd77d39d06caaae57a1ce945670bae744e0",
-                "sha256:c835c30f3af5c63a80917b72115e1defb83de99c73bc727bddd979a3b449e183",
-                "sha256:ccd721f1d4fc42b541b633d6e339018a08dd0290dc67269df79552843a06ca92",
-                "sha256:d6c2b1d78ceceb6741d703508cd0e9197b34f6bf6864dab30f940f8886e04ade",
-                "sha256:d6ec4ae13760ceda023b2e5ef1f9bc0b21e4b0830458db143794a117fdbdc044",
-                "sha256:d8b623fc429a38a881ab2d9a56ef30e8ea20c72a891c193f5ebbddc016e083ee",
-                "sha256:ea9753d64cba6f226947c318a923dadaf1e21cd8db02f71652405263daa1f033",
-                "sha256:ebbceefbffae118ab954d3cd6bf718f5790db66152f95202ebc231d58ad4e2c2",
-                "sha256:ecb6e7c45f9cd199c10ec35262b53b2247fb9a408803ed00ee5bb2b54aa626f5",
-                "sha256:ef9326c64349e2d718373415814e754183057ebc092261387a2c2f732d9172b2",
-                "sha256:f93a9d8804f4cec9da6c26c8cfae2c777028b4fdd9f49de0302e26e00bb86504",
-                "sha256:faf08b0341828f6a29b8f7dd94d5cf8cc7c39bfc3e67b78514c54b494b66915a"
+                "sha256:04f6b9749e335bb0d2f68c707f23bb1773c3fb6ecd10edf0f04df12a8920d468",
+                "sha256:08d74bfaa4c7731b8dac0a992c63673a2782758f7cfad34cf9c1b9184f911354",
+                "sha256:0fc1f8f06977c2d4f5e3d3f0d4a08089be783973fc6b6e278bde01f0544ff308",
+                "sha256:121f4b3185feaade3f85f70294aef3f777199e9b5c0c0245c774ae884b110a2d",
+                "sha256:1413b5022ed6ac0d504ba425ef02549a57d0f4276de58e3ab7e82437892704fc",
+                "sha256:1743345e30917e8c574f273f51679c294effba6ad372db1967852f12c76759d8",
+                "sha256:28fc475f560d8f67cc8767b94db4c9440210f6958495aeae70fac8faec631797",
+                "sha256:31a99a4796bf5aefc8351e98507b09e1b09115574f7c9dbb9cf2111f7220d2e2",
+                "sha256:328a1fad67445550b982caa2a2a850da5989fd6595e858f02d04636e7f8b0b13",
+                "sha256:473858730ef6d6ff7f7d5f19452184cd0caa062a20047f6d6f3e135a4648865d",
+                "sha256:4cde065ab33bcaab774d84096fae266d9301d1a2f5519d7bd58fc55274afbf7a",
+                "sha256:5f6a808044faae658f546dd5f525e921de9fa409de7a5570865467f03a626fc0",
+                "sha256:610b690b406653c84b7cb6091facb3033500ee81089867ee7d59e675f9ca2b73",
+                "sha256:66256b6391c057305e5ae9209941ef63c33a476b73772ca967d4a2df70520ec1",
+                "sha256:6eebf512aa90751d5ef6a7c2ac9d60113f32e86e5687326a50d7686e309f66ed",
+                "sha256:79aef6b5cd41feff359acaf98e040844613ff5298d0d19c455b3d9ae0bc8c35a",
+                "sha256:808ee5834e06f57978da3e003ad9d6292de69d2bf6263662a1a8ae30788e080b",
+                "sha256:8e44769068d33e0ea6ccdf4b84d80c5afffe5207aa4d1881a629cf0ef3ec398f",
+                "sha256:999ad08220467b6ad4bd3dd34e65329dd5d0df9b31e47106105e407954965256",
+                "sha256:9b006628fe43aa69259ec04ca258d88ed19b64791693df59c422b607b6ece8bb",
+                "sha256:9d05ad5367c90814099000442b2125535e9d77581855b9bee8780f1b41f2b1a2",
+                "sha256:a577a21de2ef8059b58f79ff76a4da81c45a75fe0bfb09bc8b7bb4293fa18983",
+                "sha256:a617593aeacc7a691cc4af4a4410031654f2909053bd8c8e7db837f179a630eb",
+                "sha256:abb48494d88e8a82601af905143e0de838c776c1241d92021e9256d5515b3645",
+                "sha256:ac88856a8cbccfc14f1b2d0b829af354cc1743cb375e7f04251ae73b2af6adf8",
+                "sha256:b4c220a1fe0d2c622493b0a1fd48f8f991998fb447d3cd368033a4b86cf1127a",
+                "sha256:b844fb09bd9936ed158ff9df0ab601e2045b316b17aa8b931857365ea8586906",
+                "sha256:bdc178caebd0f338d57ae445ef8e9b737ddf8fbc3ea187603f65aec5b041248f",
+                "sha256:c206587c83e795d417ed3adc8453a791f6d36b67c81416676cad053b4104152c",
+                "sha256:c61dcc1cf9fd165127a2853e2c31eb4fb961a4f26b394ac9fe5669c7a6592892",
+                "sha256:c7cb4c512d2d3b0870e00fbbac2f291d4b4bf2634d59a31176a87afe2777c6f0",
+                "sha256:d4a332404baa6665b54e5d283b4262f41f2103c255897084ec8f5487ce7b9e8e",
+                "sha256:d5111d4c843d80202e62b4fdbb4920db1dcee4f9366d6b03294f45ed7b18b42e",
+                "sha256:e1e8406b895aba6caa63d9fd1b6b1700d7e4825f78ccb1e5260551d168db38ed",
+                "sha256:e8690ed94481f219a7a967c118abaf71ccc440f69acd583cab721b90eeedb77c",
+                "sha256:ed283ab3a01d8b53de3a05bfdf4473ae24e43caee7dcb5584e86f3f3e5ab4374",
+                "sha256:ed4b50355b066796dacdd1cf538f2ce57275d001838f9b132fab80b75e8c84dd",
+                "sha256:ee329d0387b5b41a5dddbb6243a21cb7896587a651bebb957e2d2bb8b63c0791",
+                "sha256:f3bf1bc02bc421047bfec3343729c4bbbea42605bcfd6d6bfe2c07ade8b12d2a",
+                "sha256:f585cbbeecb35f35609edccb95efd95a3e35824cd7752b586503f7e6087303f1",
+                "sha256:f60667673ff9c249709160529ab39667d1ae9fd38634e006bec95611f632e759"
             ],
-            "version": "==2021.8.21"
+            "version": "==2021.8.28"
         },
         "requests": {
             "hashes": [

README.md

@@ -4,14 +4,15 @@
 
 ---
 
-[![](https://img.shields.io/discord/809154715984199690?label=Discord&style=for-the-badge)](https://discord.gg/jg33eMhnj6)
-[![CI Build status](https://img.shields.io/azure-devops/build/beryjuorg/authentik/6?style=for-the-badge)](https://dev.azure.com/beryjuorg/authentik/_build?definitionId=6)
-[![Tests](https://img.shields.io/azure-devops/tests/beryjuorg/authentik/6?compact_message&style=for-the-badge)](https://dev.azure.com/beryjuorg/authentik/_build?definitionId=6)
+[![Join Discord](https://img.shields.io/discord/809154715984199690?label=Discord&style=for-the-badge)](https://discord.gg/jg33eMhnj6)
+[![GitHub Workflow Status](https://img.shields.io/github/workflow/status/goauthentik/authentik/authentik-ci-main?label=core%20build&style=for-the-badge)](https://github.com/goauthentik/authentik/actions/workflows/ci-main.yml)
+[![GitHub Workflow Status](https://img.shields.io/github/workflow/status/goauthentik/authentik/authentik-ci-outpost?label=outpost%20build&style=for-the-badge)](https://github.com/goauthentik/authentik/actions/workflows/ci-outpost.yml)
+[![GitHub Workflow Status](https://img.shields.io/github/workflow/status/goauthentik/authentik/authentik-ci-web?label=web%20build&style=for-the-badge)](https://github.com/goauthentik/authentik/actions/workflows/ci-web.yml)
 [![Code Coverage](https://img.shields.io/codecov/c/gh/goauthentik/authentik?style=for-the-badge)](https://codecov.io/gh/goauthentik/authentik)
+[![Testspace tests](https://img.shields.io/testspace/total/goauthentik/goauthentik:authentik/master?style=for-the-badge)](https://goauthentik.testspace.com/)
 ![Docker pulls](https://img.shields.io/docker/pulls/beryju/authentik.svg?style=for-the-badge)
 ![Latest version](https://img.shields.io/docker/v/beryju/authentik?sort=semver&style=for-the-badge)
-![LGTM Grade](https://img.shields.io/lgtm/grade/python/github/goauthentik/authentik?style=for-the-badge)
-[Transifex](https://www.transifex.com/beryjuorg/authentik/)
+[![](https://img.shields.io/badge/Help%20translate-transifex-blue?style=for-the-badge)](https://www.transifex.com/beryjuorg/authentik/)
 
 ## What is authentik?
 

SECURITY.md

@@ -6,9 +6,8 @@
 
 | Version    | Supported          |
 | ---------- | ------------------ |
-| 2021.5.x   | :white_check_mark: |
-| 2021.6.x   | :white_check_mark: |
 | 2021.7.x   | :white_check_mark: |
+| 2021.8.x   | :white_check_mark: |
 
 ## Reporting a Vulnerability
 

authentik/__init__.py

@@ -1,3 +1,3 @@
 """authentik"""
-__version__ = "2021.8.1-rc2"
+__version__ = "2021.9.1-rc2"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"

authentik/admin/tasks.py

@@ -6,12 +6,14 @@ from django.core.cache import cache
 from django.core.validators import URLValidator
 from packaging.version import parse
 from prometheus_client import Info
-from requests import RequestException, get
+from requests import RequestException
 from structlog.stdlib import get_logger
 
 from authentik import ENV_GIT_HASH_KEY, __version__
 from authentik.events.models import Event, EventAction
 from authentik.events.monitored_tasks import MonitoredTask, TaskResult, TaskResultStatus
+from authentik.lib.config import CONFIG
+from authentik.lib.utils.http import get_http_session
 from authentik.root.celery import CELERY_APP
 
 LOGGER = get_logger()
@@ -36,12 +38,17 @@ def _set_prom_info():
 @CELERY_APP.task(bind=True, base=MonitoredTask)
 def update_latest_version(self: MonitoredTask):
     """Update latest version info"""
+    if CONFIG.y_bool("disable_update_check"):
+        cache.set(VERSION_CACHE_KEY, "0.0.0", VERSION_CACHE_TIMEOUT)
+        self.set_status(TaskResult(TaskResultStatus.WARNING, messages=["Version check disabled."]))
+        return
     try:
-        response = get("https://api.github.com/repos/goauthentik/authentik/releases/latest")
+        response = get_http_session().get(
+            "https://version.goauthentik.io/version.json",
+        )
         response.raise_for_status()
         data = response.json()
-        tag_name = data.get("tag_name")
-        upstream_version = tag_name.split("/")[1]
+        upstream_version = data.get("stable", {}).get("version")
         cache.set(VERSION_CACHE_KEY, upstream_version, VERSION_CACHE_TIMEOUT)
         self.set_status(
             TaskResult(TaskResultStatus.SUCCESSFUL, ["Successfully updated latest Version"])
@@ -58,7 +65,7 @@ def update_latest_version(self: MonitoredTask):
             ).exists():
                 return
             event_dict = {"new_version": upstream_version}
-            if match := re.search(URL_FINDER, data.get("body", "")):
+            if match := re.search(URL_FINDER, data.get("stable", {}).get("changelog", "")):
                 event_dict["message"] = f"Changelog: {match.group()}"
             Event.new(EventAction.UPDATE_AVAILABLE, **event_dict).save()
     except (RequestException, IndexError) as exc:

authentik/admin/tests/test_tasks.py

@@ -1,52 +1,28 @@
 """test admin tasks"""
-import json
-from dataclasses import dataclass
-from unittest.mock import Mock, patch
-
 from django.core.cache import cache
 from django.test import TestCase
-from requests.exceptions import RequestException
+from requests_mock import Mocker
 
 from authentik.admin.tasks import VERSION_CACHE_KEY, update_latest_version
 from authentik.events.models import Event, EventAction
 
-
-@dataclass
-class MockResponse:
-    """Mock class to emulate the methods of requests's Response we need"""
-
-    status_code: int
-    response: str
-
-    def json(self) -> dict:
-        """Get json parsed response"""
-        return json.loads(self.response)
-
-    def raise_for_status(self):
-        """raise RequestException if status code is 400 or more"""
-        if self.status_code >= 400:
-            raise RequestException
-
-
-REQUEST_MOCK_VALID = Mock(
-    return_value=MockResponse(
-        200,
-        """{
-            "tag_name": "version/99999999.9999999",
-            "body": "https://goauthentik.io/test"
-        }""",
-    )
-)
-
-REQUEST_MOCK_INVALID = Mock(return_value=MockResponse(400, "{}"))
+RESPONSE_VALID = {
+    "$schema": "https://version.goauthentik.io/schema.json",
+    "stable": {
+        "version": "99999999.9999999",
+        "changelog": "See https://goauthentik.io/test",
+        "reason": "bugfix",
+    },
+}
 
 
 class TestAdminTasks(TestCase):
     """test admin tasks"""
 
-    @patch("authentik.admin.tasks.get", REQUEST_MOCK_VALID)
     def test_version_valid_response(self):
         """Test Update checker with valid response"""
+        with Mocker() as mocker:
+            mocker.get("https://version.goauthentik.io/version.json", json=RESPONSE_VALID)
             update_latest_version.delay().get()
             self.assertEqual(cache.get(VERSION_CACHE_KEY), "99999999.9999999")
             self.assertTrue(
@@ -69,9 +45,10 @@ class TestAdminTasks(TestCase):
                 1,
             )
 
-    @patch("authentik.admin.tasks.get", REQUEST_MOCK_INVALID)
     def test_version_error(self):
         """Test Update checker with invalid response"""
+        with Mocker() as mocker:
+            mocker.get("https://version.goauthentik.io/version.json", status_code=400)
             update_latest_version.delay().get()
             self.assertEqual(cache.get(VERSION_CACHE_KEY), "0.0.0")
             self.assertFalse(

authentik/api/schema.py

@@ -31,7 +31,7 @@ VALIDATION_ERROR = build_object_type(
         "non_field_errors": build_array_type(build_standard_type(OpenApiTypes.STR)),
         "code": build_standard_type(OpenApiTypes.STR),
     },
-    required=["detail"],
+    required=[],
     additionalProperties={},
 )
 

authentik/api/tasks.py

@@ -0,0 +1,19 @@
+"""API tasks"""
+
+from authentik.lib.utils.http import get_http_session
+from authentik.root.celery import CELERY_APP
+
+SENTRY_SESSION = get_http_session()
+
+
+@CELERY_APP.task()
+def sentry_proxy(payload: str):
+    """Relay data to sentry"""
+    SENTRY_SESSION.post(
+        "https://sentry.beryju.org/api/8/envelope/",
+        data=payload,
+        headers={
+            "Content-Type": "application/octet-stream",
+        },
+        timeout=10,
+    )

authentik/api/urls.py

@@ -1,8 +1,10 @@
 """authentik api urls"""
 from django.urls import include, path
 
-from authentik.api.v2.urls import urlpatterns as v2_urls
+from authentik.api.v3.urls import urlpatterns as v3_urls
 
 urlpatterns = [
-    path("v2beta/", include(v2_urls)),
+    # Remove in 2022.1
+    path("v2beta/", include(v3_urls)),
+    path("v3/", include(v3_urls)),
 ]

authentik/api/v2/sentry.py

@@ -1,38 +0,0 @@
-"""Sentry tunnel"""
-from json import loads
-
-from django.conf import settings
-from django.http.request import HttpRequest
-from django.http.response import HttpResponse
-from django.views.generic.base import View
-from requests import post
-from requests.exceptions import RequestException
-
-from authentik.lib.config import CONFIG
-
-
-class SentryTunnelView(View):
-    """Sentry tunnel, to prevent ad blockers from blocking sentry"""
-
-    def post(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
-        """Sentry tunnel, to prevent ad blockers from blocking sentry"""
-        # Only allow usage of this endpoint when error reporting is enabled
-        if not CONFIG.y_bool("error_reporting.enabled", False):
-            return HttpResponse(status=400)
-        # Body is 2 json objects separated by \n
-        full_body = request.body
-        header = loads(full_body.splitlines()[0])
-        # Check that the DSN is what we expect
-        dsn = header.get("dsn", "")
-        if dsn != settings.SENTRY_DSN:
-            return HttpResponse(status=400)
-        response = post(
-            "https://sentry.beryju.org/api/8/envelope/",
-            data=full_body,
-            headers={"Content-Type": "application/octet-stream"},
-        )
-        try:
-            response.raise_for_status()
-        except RequestException:
-            return HttpResponse(status=500)
-        return HttpResponse(status=response.status_code)

authentik/api/v3/sentry.py

@@ -0,0 +1,60 @@
+"""Sentry tunnel"""
+from json import loads
+
+from django.conf import settings
+from django.http.request import HttpRequest
+from django.http.response import HttpResponse
+from rest_framework.authentication import SessionAuthentication
+from rest_framework.parsers import BaseParser
+from rest_framework.permissions import AllowAny
+from rest_framework.request import Request
+from rest_framework.throttling import AnonRateThrottle
+from rest_framework.views import APIView
+
+from authentik.api.tasks import sentry_proxy
+from authentik.lib.config import CONFIG
+
+
+class PlainTextParser(BaseParser):
+    """Plain text parser."""
+
+    media_type = "text/plain"
+
+    def parse(self, stream, media_type=None, parser_context=None) -> str:
+        """Simply return a string representing the body of the request."""
+        return stream.read()
+
+
+class CsrfExemptSessionAuthentication(SessionAuthentication):
+    """CSRF-exempt Session authentication"""
+
+    def enforce_csrf(self, request: Request):
+        return  # To not perform the csrf check previously happening
+
+
+class SentryTunnelView(APIView):
+    """Sentry tunnel, to prevent ad blockers from blocking sentry"""
+
+    serializer_class = None
+    parser_classes = [PlainTextParser]
+    throttle_classes = [AnonRateThrottle]
+    permission_classes = [AllowAny]
+    authentication_classes = [CsrfExemptSessionAuthentication]
+
+    def post(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
+        """Sentry tunnel, to prevent ad blockers from blocking sentry"""
+        # Only allow usage of this endpoint when error reporting is enabled
+        if not CONFIG.y_bool("error_reporting.enabled", False):
+            return HttpResponse(status=400)
+        # Body is 2 json objects separated by \n
+        full_body = request.body
+        lines = full_body.splitlines()
+        if len(lines) < 1:
+            return HttpResponse(status=400)
+        header = loads(lines[0])
+        # Check that the DSN is what we expect
+        dsn = header.get("dsn", "")
+        if dsn != settings.SENTRY_DSN:
+            return HttpResponse(status=400)
+        sentry_proxy.delay(full_body.decode())
+        return HttpResponse(status=204)

authentik/api/v3/urls.py

@@ -1,6 +1,6 @@
-"""api v2 urls"""
+"""api v3 urls"""
 from django.urls import path
-from django.views.decorators.csrf import csrf_exempt
+from django.views.decorators.cache import cache_page
 from drf_spectacular.views import SpectacularAPIView
 from rest_framework import routers
 
@@ -10,8 +10,8 @@ from authentik.admin.api.system import SystemView
 from authentik.admin.api.tasks import TaskViewSet
 from authentik.admin.api.version import VersionView
 from authentik.admin.api.workers import WorkerView
-from authentik.api.v2.config import ConfigView
-from authentik.api.v2.sentry import SentryTunnelView
+from authentik.api.v3.config import ConfigView
+from authentik.api.v3.sentry import SentryTunnelView
 from authentik.api.views import APIBrowserView
 from authentik.core.api.applications import ApplicationViewSet
 from authentik.core.api.authenticated_sessions import AuthenticatedSessionViewSet
@@ -24,6 +24,7 @@ from authentik.core.api.users import UserViewSet
 from authentik.crypto.api import CertificateKeyPairViewSet
 from authentik.events.api.event import EventViewSet
 from authentik.events.api.notification import NotificationViewSet
+from authentik.events.api.notification_mapping import NotificationWebhookMappingViewSet
 from authentik.events.api.notification_rule import NotificationRuleViewSet
 from authentik.events.api.notification_transport import NotificationTransportViewSet
 from authentik.flows.api.bindings import FlowStageBindingViewSet
@@ -159,6 +160,7 @@ router.register("propertymappings/all", PropertyMappingViewSet)
 router.register("propertymappings/ldap", LDAPPropertyMappingViewSet)
 router.register("propertymappings/saml", SAMLPropertyMappingViewSet)
 router.register("propertymappings/scope", ScopeMappingViewSet)
+router.register("propertymappings/notification", NotificationWebhookMappingViewSet)
 
 router.register("authenticators/duo", DuoDeviceViewSet)
 router.register("authenticators/static", StaticDeviceViewSet)
@@ -225,7 +227,7 @@ urlpatterns = (
             FlowExecutorView.as_view(),
             name="flow-executor",
         ),
-        path("sentry/", csrf_exempt(SentryTunnelView.as_view()), name="sentry"),
-        path("schema/", SpectacularAPIView.as_view(), name="schema"),
+        path("sentry/", SentryTunnelView.as_view(), name="sentry"),
+        path("schema/", cache_page(86400)(SpectacularAPIView.as_view()), name="schema"),
     ]
 )

authentik/core/api/applications.py

@@ -4,14 +4,9 @@ from django.db.models import QuerySet
 from django.http.response import HttpResponseBadRequest
 from django.shortcuts import get_object_or_404
 from drf_spectacular.types import OpenApiTypes
-from drf_spectacular.utils import (
-    OpenApiParameter,
-    OpenApiResponse,
-    extend_schema,
-    inline_serializer,
-)
+from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_schema
 from rest_framework.decorators import action
-from rest_framework.fields import BooleanField, CharField, FileField, ReadOnlyField
+from rest_framework.fields import ReadOnlyField
 from rest_framework.parsers import MultiPartParser
 from rest_framework.request import Request
 from rest_framework.response import Response
@@ -24,6 +19,7 @@ from authentik.admin.api.metrics import CoordinateSerializer, get_events_per_1h
 from authentik.api.decorators import permission_required
 from authentik.core.api.providers import ProviderSerializer
 from authentik.core.api.used_by import UsedByMixin
+from authentik.core.api.utils import FilePathSerializer, FileUploadSerializer
 from authentik.core.models import Application, User
 from authentik.events.models import EventAction
 from authentik.policies.api.exec import PolicyTestResultSerializer
@@ -71,7 +67,7 @@ class ApplicationSerializer(ModelSerializer):
 class ApplicationViewSet(UsedByMixin, ModelViewSet):
     """Application Viewset"""
 
-    queryset = Application.objects.all()
+    queryset = Application.objects.all().prefetch_related("provider")
     serializer_class = ApplicationSerializer
     search_fields = [
         "name",
@@ -180,13 +176,7 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
     @permission_required("authentik_core.change_application")
     @extend_schema(
         request={
-            "multipart/form-data": inline_serializer(
-                "SetIcon",
-                fields={
-                    "file": FileField(required=False),
-                    "clear": BooleanField(default=False),
-                },
-            )
+            "multipart/form-data": FileUploadSerializer,
         },
         responses={
             200: OpenApiResponse(description="Success"),
@@ -218,7 +208,7 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
 
     @permission_required("authentik_core.change_application")
     @extend_schema(
-        request=inline_serializer("SetIconURL", fields={"url": CharField()}),
+        request=FilePathSerializer,
         responses={
             200: OpenApiResponse(description="Success"),
             400: OpenApiResponse(description="Bad request"),

authentik/core/api/authenticated_sessions.py

@@ -11,6 +11,7 @@ from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet
 from ua_parser import user_agent_parser
 
+from authentik.api.authorization import OwnerPermissions
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.models import AuthenticatedSession
 from authentik.events.geo import GEOIP_READER, GeoIPDict
@@ -102,11 +103,8 @@ class AuthenticatedSessionViewSet(
     search_fields = ["user__username", "last_ip", "last_user_agent"]
     filterset_fields = ["user__username", "last_ip", "last_user_agent"]
     ordering = ["user__username"]
-    filter_backends = [
-        DjangoFilterBackend,
-        OrderingFilter,
-        SearchFilter,
-    ]
+    permission_classes = [OwnerPermissions]
+    filter_backends = [DjangoFilterBackend, OrderingFilter, SearchFilter]
 
     def get_queryset(self):
         user = self.request.user if self.request else get_anonymous_user()

authentik/core/api/groups.py

@@ -2,7 +2,7 @@
 from django.db.models.query import QuerySet
 from django_filters.filters import ModelMultipleChoiceFilter
 from django_filters.filterset import FilterSet
-from rest_framework.fields import BooleanField, CharField, JSONField
+from rest_framework.fields import CharField, JSONField
 from rest_framework.serializers import ListSerializer, ModelSerializer
 from rest_framework.viewsets import ModelViewSet
 from rest_framework_guardian.filters import ObjectPermissionsFilter
@@ -15,7 +15,6 @@ from authentik.core.models import Group, User
 class GroupMemberSerializer(ModelSerializer):
     """Stripped down user serializer to show relevant users for groups"""
 
-    is_superuser = BooleanField(read_only=True)
     avatar = CharField(read_only=True)
     attributes = JSONField(validators=[is_dict], required=False)
     uid = CharField(read_only=True)
@@ -29,7 +28,6 @@ class GroupMemberSerializer(ModelSerializer):
             "name",
             "is_active",
             "last_login",
-            "is_superuser",
             "email",
             "avatar",
             "attributes",
@@ -81,7 +79,7 @@ class GroupFilter(FilterSet):
 class GroupViewSet(UsedByMixin, ModelViewSet):
     """Group Viewset"""
 
-    queryset = Group.objects.all()
+    queryset = Group.objects.all().select_related("parent").prefetch_related("users")
     serializer_class = GroupSerializer
     search_fields = ["name", "is_superuser"]
     filterset_class = GroupFilter

authentik/core/api/sources.py

@@ -95,7 +95,9 @@ class SourceViewSet(
     @action(detail=False, pagination_class=None, filter_backends=[])
     def user_settings(self, request: Request) -> Response:
         """Get all sources the user can configure"""
-        _all_sources: Iterable[Source] = Source.objects.filter(enabled=True).select_subclasses()
+        _all_sources: Iterable[Source] = (
+            Source.objects.filter(enabled=True).select_subclasses().order_by("name")
+        )
         matching_sources: list[UserSettingSerializer] = []
         for source in _all_sources:
             user_settings = source.ui_user_settings

authentik/core/api/tokens.py

@@ -23,10 +23,12 @@ from authentik.managed.api import ManagedSerializer
 class TokenSerializer(ManagedSerializer, ModelSerializer):
     """Token Serializer"""
 
-    user = UserSerializer(required=False)
+    user_obj = UserSerializer(required=False, source="user")
 
     def validate(self, attrs: dict[Any, str]) -> dict[Any, str]:
         """Ensure only API or App password tokens are created."""
+        request: Request = self.context["request"]
+        attrs.setdefault("user", request.user)
         attrs.setdefault("intent", TokenIntents.INTENT_API)
         if attrs.get("intent") not in [TokenIntents.INTENT_API, TokenIntents.INTENT_APP_PASSWORD]:
             raise ValidationError(f"Invalid intent {attrs.get('intent')}")
@@ -41,11 +43,14 @@ class TokenSerializer(ManagedSerializer, ModelSerializer):
             "identifier",
             "intent",
             "user",
+            "user_obj",
             "description",
             "expires",
             "expiring",
         ]
-        depth = 2
+        extra_kwargs = {
+            "user": {"required": False},
+        }
 
 
 class TokenViewSerializer(PassiveSerializer):

authentik/core/api/users.py

@@ -1,4 +1,5 @@
 """User API Views"""
+from datetime import timedelta
 from json import loads
 from typing import Optional
 
@@ -7,6 +8,7 @@ from django.db.transaction import atomic
 from django.db.utils import IntegrityError
 from django.urls import reverse_lazy
 from django.utils.http import urlencode
+from django.utils.timezone import now
 from django.utils.translation import gettext as _
 from django_filters.filters import BooleanFilter, CharFilter, ModelMultipleChoiceFilter
 from django_filters.filterset import FilterSet
@@ -274,6 +276,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
                     identifier=f"service-account-{username}-password",
                     intent=TokenIntents.INTENT_APP_PASSWORD,
                     user=user,
+                    expires=now() + timedelta(days=360),
                 )
                 return Response({"username": user.username, "token": token.key})
             except (IntegrityError) as exc:
@@ -310,7 +313,9 @@ class UserViewSet(UsedByMixin, ModelViewSet):
         # since it caches the full object
         if SESSION_IMPERSONATE_USER in request.session:
             request.session[SESSION_IMPERSONATE_USER] = new_user
-        return self.me(request)
+        serializer = SessionUserSerializer(data={"user": UserSelfSerializer(request.user).data})
+        serializer.is_valid()
+        return Response(serializer.data)
 
     @permission_required("authentik_core.view_user", ["authentik_events.view_event"])
     @extend_schema(responses={200: UserMetricsSerializer(many=False)})

authentik/core/api/utils.py

@@ -2,7 +2,7 @@
 from typing import Any
 
 from django.db.models import Model
-from rest_framework.fields import CharField, IntegerField
+from rest_framework.fields import BooleanField, CharField, FileField, IntegerField
 from rest_framework.serializers import Serializer, SerializerMethodField, ValidationError
 
 
@@ -22,8 +22,18 @@ class PassiveSerializer(Serializer):
     def update(self, instance: Model, validated_data: dict) -> Model:  # pragma: no cover
         return Model()
 
-    class Meta:
-        model = Model
+
+class FileUploadSerializer(PassiveSerializer):
+    """Serializer to upload file"""
+
+    file = FileField(required=False)
+    clear = BooleanField(default=False)
+
+
+class FilePathSerializer(PassiveSerializer):
+    """Serializer to upload file"""
+
+    url = CharField()
 
 
 class MetaNameSerializer(PassiveSerializer):

authentik/core/sources/flow_manager.py

@@ -184,7 +184,7 @@ class SourceFlowManager:
         # Ensure redirect is carried through when user was trying to
         # authorize application
         final_redirect = self.request.session.get(SESSION_KEY_GET, {}).get(
-            NEXT_ARG_NAME, "authentik_core:if-admin"
+            NEXT_ARG_NAME, "authentik_core:if-user"
         )
         kwargs.update(
             {
@@ -243,9 +243,9 @@ class SourceFlowManager:
             return self.handle_auth_user(connection)
         return redirect(
             reverse(
-                "authentik_core:if-admin",
+                "authentik_core:if-user",
             )
-            + f"#/user;page-{self.source.slug}"
+            + f"#/settings;page-{self.source.slug}"
         )
 
     def handle_enroll(

authentik/core/sources/stage.py

@@ -28,3 +28,7 @@ class PostUserEnrollmentStage(StageView):
             source=connection.source,
         ).from_http(self.request)
         return self.executor.stage_ok()
+
+    def post(self, request: HttpRequest) -> HttpResponse:
+        """Wrapper for post requests"""
+        return self.get(request)

authentik/core/templates/base/skeleton.html

@@ -8,16 +8,15 @@
         <meta charset="UTF-8">
         <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
         <title>{% block title %}{% trans title|default:tenant.branding_title %}{% endblock %}</title>
-        <link rel="shortcut icon" type="image/png" href="{% static 'dist/assets/icons/icon.png' %}?v={{ ak_version }}">
-        <link rel="stylesheet" type="text/css" href="{% static 'dist/patternfly-base.css' %}?v={{ ak_version }}">
-        <link rel="stylesheet" type="text/css" href="{% static 'dist/page.css' %}?v={{ ak_version }}">
-        <link rel="stylesheet" type="text/css" href="{% static 'dist/empty-state.css' %}?v={{ ak_version }}">
-        <link rel="stylesheet" type="text/css" href="{% static 'dist/spinner.css' %}?v={{ ak_version }}">
+        <link rel="shortcut icon" type="image/png" href="{% static 'dist/assets/icons/icon.png' %}">
+        <link rel="stylesheet" type="text/css" href="{% static 'dist/patternfly-base.css' %}">
+        <link rel="stylesheet" type="text/css" href="{% static 'dist/page.css' %}">
+        <link rel="stylesheet" type="text/css" href="{% static 'dist/empty-state.css' %}">
+        <link rel="stylesheet" type="text/css" href="{% static 'dist/spinner.css' %}">
         {% block head_before %}
         {% endblock %}
-        <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}?v={{ ak_version }}">
-        <script src="{% static 'dist/poly.js' %}?v={{ ak_version }}" type="module"></script>
-        <script>window["polymerSkipLoadingFontRoboto"] = true;</script>
+        <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">
+        <script src="{% static 'dist/poly.js' %}" type="module"></script>
         {% block head %}
         {% endblock %}
     </head>

authentik/core/templates/if/admin.html

@@ -4,7 +4,7 @@
 {% load i18n %}
 
 {% block head %}
-<script src="{% static 'dist/AdminInterface.js' %}?v={{ ak_version }}" type="module"></script>
+<script src="{% static 'dist/AdminInterface.js' %}" type="module"></script>
 {% endblock %}
 
 {% block body %}

authentik/core/templates/if/end_session.html

@@ -21,7 +21,7 @@ You've logged out of {{ application }}.
         {% endblocktrans %}
     </p>
 
-    <a id="ak-back-home" href="{% url 'authentik_core:if-admin' %}" class="pf-c-button pf-m-primary">{% trans 'Go back to overview' %}</a>
+    <a id="ak-back-home" href="{% url 'authentik_core:root-redirect' %}" class="pf-c-button pf-m-primary">{% trans 'Go back to overview' %}</a>
 
     <a id="logout" href="{% url 'authentik_flows:default-invalidation' %}" class="pf-c-button pf-m-secondary">{% trans 'Log out of authentik' %}</a>
 

authentik/core/templates/if/flow.html

@@ -4,13 +4,14 @@
 {% load i18n %}
 
 {% block head_before %}
+{{ block.super }}
 {% if flow.compatibility_mode %}
 <script>ShadyDOM = { force: !navigator.webdriver };</script>
 {% endif %}
 {% endblock %}
 
 {% block head %}
-<script src="{% static 'dist/FlowInterface.js' %}?v={{ ak_version }}" type="module"></script>
+<script src="{% static 'dist/FlowInterface.js' %}" type="module"></script>
 <style>
 .pf-c-background-image::before {
     --ak-flow-background: url("{{ flow.background_url }}");

authentik/core/templates/if/user.html

@@ -0,0 +1,28 @@
+{% extends "base/skeleton.html" %}
+
+{% load static %}
+{% load i18n %}
+
+{% block head %}
+<script src="{% static 'dist/UserInterface.js' %}" type="module"></script>
+{% endblock %}
+
+{% block body %}
+<ak-message-container></ak-message-container>
+<ak-interface-user>
+    <section class="ak-static-page pf-c-page__main-section pf-m-no-padding-mobile pf-m-xl">
+        <div class="pf-c-empty-state" style="height: 100vh;">
+            <div class="pf-c-empty-state__content">
+                <span class="pf-c-spinner pf-m-xl pf-c-empty-state__icon" role="progressbar" aria-valuetext="{% trans 'Loading...' %}">
+                    <span class="pf-c-spinner__clipper"></span>
+                    <span class="pf-c-spinner__lead-ball"></span>
+                    <span class="pf-c-spinner__tail-ball"></span>
+                </span>
+                <h1 class="pf-c-title pf-m-lg">
+                    {% trans "Loading..." %}
+                </h1>
+            </div>
+        </div>
+    </section>
+</ak-interface-user>
+{% endblock %}

authentik/core/templates/login/base_full.html

@@ -4,7 +4,7 @@
 {% load i18n %}
 
 {% block head_before %}
-<link rel="stylesheet" type="text/css" href="{% static 'dist/patternfly.min.css' %}?v={{ ak_version }}">
+<link rel="stylesheet" type="text/css" href="{% static 'dist/patternfly.min.css' %}">
 {% endblock %}
 
 {% block head %}

authentik/core/tests/test_impersonation.py

@@ -58,4 +58,4 @@ class TestImpersonation(TestCase):
         self.client.force_login(self.other_user)
 
         response = self.client.get(reverse("authentik_core:impersonate-end"))
-        self.assertRedirects(response, reverse("authentik_core:if-admin"))
+        self.assertRedirects(response, reverse("authentik_core:if-user"))

authentik/core/urls.py

@@ -12,7 +12,7 @@ from authentik.core.views.session import EndSessionView
 urlpatterns = [
     path(
         "",
-        login_required(RedirectView.as_view(pattern_name="authentik_core:if-admin")),
+        login_required(RedirectView.as_view(pattern_name="authentik_core:if-user")),
         name="root-redirect",
     ),
     # Impersonation
@@ -32,6 +32,11 @@ urlpatterns = [
         ensure_csrf_cookie(TemplateView.as_view(template_name="if/admin.html")),
         name="if-admin",
     ),
+    path(
+        "if/user/",
+        ensure_csrf_cookie(TemplateView.as_view(template_name="if/user.html")),
+        name="if-user",
+    ),
     path(
         "if/flow/<slug:flow_slug>/",
         ensure_csrf_cookie(FlowInterfaceView.as_view()),

authentik/core/views/impersonate.py

@@ -28,7 +28,7 @@ class ImpersonateInitView(View):
 
         Event.new(EventAction.IMPERSONATION_STARTED).from_http(request, user_to_be)
 
-        return redirect("authentik_core:if-admin")
+        return redirect("authentik_core:if-user")
 
 
 class ImpersonateEndView(View):
@@ -41,7 +41,7 @@ class ImpersonateEndView(View):
             or SESSION_IMPERSONATE_ORIGINAL_USER not in request.session
         ):
             LOGGER.debug("Can't end impersonation", user=request.user)
-            return redirect("authentik_core:if-admin")
+            return redirect("authentik_core:if-user")
 
         original_user = request.session[SESSION_IMPERSONATE_ORIGINAL_USER]
 

authentik/crypto/models.py

@@ -78,9 +78,7 @@ class CertificateKeyPair(CreatedUpdatedModel):
     @property
     def kid(self):
         """Get Key ID used for JWKS"""
-        return "{0}".format(
-            md5(self.key_data.encode("utf-8")).hexdigest() if self.key_data else ""  # nosec
-        )
+        return md5(self.key_data.encode("utf-8")).hexdigest() if self.key_data else ""  # nosec
 
     def __str__(self) -> str:
         return f"Certificate-Key Pair {self.name}"

authentik/events/api/notification.py

@@ -1,8 +1,13 @@
 """Notification API Views"""
 from django_filters.rest_framework import DjangoFilterBackend
+from drf_spectacular.types import OpenApiTypes
+from drf_spectacular.utils import OpenApiResponse, extend_schema
 from rest_framework import mixins
+from rest_framework.decorators import action
 from rest_framework.fields import ReadOnlyField
 from rest_framework.filters import OrderingFilter, SearchFilter
+from rest_framework.request import Request
+from rest_framework.response import Response
 from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet
 
@@ -53,3 +58,18 @@ class NotificationViewSet(
     ]
     permission_classes = [OwnerPermissions]
     filter_backends = [OwnerFilter, DjangoFilterBackend, OrderingFilter, SearchFilter]
+
+    @extend_schema(
+        request=OpenApiTypes.NONE,
+        responses={
+            204: OpenApiResponse(description="Marked tasks as read successfully."),
+        },
+    )
+    @action(detail=False, methods=["post"])
+    def mark_all_seen(self, request: Request) -> Response:
+        """Mark all the user's notifications as seen"""
+        notifications = Notification.objects.filter(user=request.user)
+        for notification in notifications:
+            notification.seen = True
+        Notification.objects.bulk_update(notifications, ["seen"])
+        return Response({}, status=204)

authentik/events/api/notification_mapping.py

@@ -0,0 +1,28 @@
+"""NotificationWebhookMapping API Views"""
+from rest_framework.serializers import ModelSerializer
+from rest_framework.viewsets import ModelViewSet
+
+from authentik.core.api.used_by import UsedByMixin
+from authentik.events.models import NotificationWebhookMapping
+
+
+class NotificationWebhookMappingSerializer(ModelSerializer):
+    """NotificationWebhookMapping Serializer"""
+
+    class Meta:
+
+        model = NotificationWebhookMapping
+        fields = [
+            "pk",
+            "name",
+            "expression",
+        ]
+
+
+class NotificationWebhookMappingViewSet(UsedByMixin, ModelViewSet):
+    """NotificationWebhookMapping Viewset"""
+
+    queryset = NotificationWebhookMapping.objects.all()
+    serializer_class = NotificationWebhookMappingSerializer
+    filterset_fields = ["name"]
+    ordering = ["name"]

authentik/events/api/notification_transport.py

@@ -38,6 +38,7 @@ class NotificationTransportSerializer(ModelSerializer):
             "mode",
             "mode_verbose",
             "webhook_url",
+            "webhook_mapping",
             "send_once",
         ]
 

authentik/events/apps.py

@@ -1,10 +1,7 @@
 """authentik events app"""
-from datetime import timedelta
 from importlib import import_module
 
 from django.apps import AppConfig
-from django.db import ProgrammingError
-from django.utils.timezone import now
 
 
 class AuthentikEventsConfig(AppConfig):
@@ -16,12 +13,3 @@ class AuthentikEventsConfig(AppConfig):
 
     def ready(self):
         import_module("authentik.events.signals")
-        try:
-            from authentik.events.models import Event
-
-            date_from = now() - timedelta(days=1)
-
-            for event in Event.objects.filter(created__gte=date_from):
-                event._set_prom_metrics()
-        except ProgrammingError:
-            pass

authentik/events/migrations/0018_auto_20210911_2217.py

@@ -0,0 +1,46 @@
+# Generated by Django 3.2.6 on 2021-09-11 22:17
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0028_alter_token_intent"),
+        ("authentik_events", "0017_alter_event_action"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="NotificationWebhookMapping",
+            fields=[
+                (
+                    "propertymapping_ptr",
+                    models.OneToOneField(
+                        auto_created=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        parent_link=True,
+                        primary_key=True,
+                        serialize=False,
+                        to="authentik_core.propertymapping",
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "Notification Webhook Mapping",
+                "verbose_name_plural": "Notification Webhook Mappings",
+            },
+            bases=("authentik_core.propertymapping",),
+        ),
+        migrations.AddField(
+            model_name="notificationtransport",
+            name="webhook_mapping",
+            field=models.ForeignKey(
+                default=None,
+                null=True,
+                on_delete=django.db.models.deletion.SET_DEFAULT,
+                to="authentik_events.notificationwebhookmapping",
+            ),
+        ),
+    ]

authentik/events/models.py

@@ -2,25 +2,25 @@
 from datetime import timedelta
 from inspect import getmodule, stack
 from smtplib import SMTPException
-from typing import Optional, Union
+from typing import TYPE_CHECKING, Optional, Type, Union
 from uuid import uuid4
 
 from django.conf import settings
 from django.db import models
 from django.http import HttpRequest
+from django.http.request import QueryDict
 from django.utils.timezone import now
 from django.utils.translation import gettext as _
-from prometheus_client import Gauge
-from requests import RequestException, post
+from requests import RequestException
 from structlog.stdlib import get_logger
 
 from authentik import __version__
 from authentik.core.middleware import SESSION_IMPERSONATE_ORIGINAL_USER, SESSION_IMPERSONATE_USER
-from authentik.core.models import ExpiringModel, Group, User
+from authentik.core.models import ExpiringModel, Group, PropertyMapping, User
 from authentik.events.geo import GEOIP_READER
 from authentik.events.utils import cleanse_dict, get_user, model_to_dict, sanitize_dict
 from authentik.lib.sentry import SentryIgnoredException
-from authentik.lib.utils.http import get_client_ip
+from authentik.lib.utils.http import get_client_ip, get_http_session
 from authentik.lib.utils.time import timedelta_from_string
 from authentik.policies.models import PolicyBindingModel
 from authentik.stages.email.utils import TemplateEmailMessage
@@ -28,11 +28,8 @@ from authentik.tenants.models import Tenant
 from authentik.tenants.utils import DEFAULT_TENANT
 
 LOGGER = get_logger("authentik.events")
-GAUGE_EVENTS = Gauge(
-    "authentik_events",
-    "Events in authentik",
-    ["action", "user_username", "app", "client_ip"],
-)
+if TYPE_CHECKING:
+    from rest_framework.serializers import Serializer
 
 
 def default_event_duration():
@@ -143,8 +140,9 @@ class Event(ExpiringModel):
         `user` arguments optionally overrides user from requests."""
         if request:
             self.context["http_request"] = {
-                "path": request.get_full_path(),
+                "path": request.path,
                 "method": request.method,
+                "args": QueryDict(request.META.get("QUERY_STRING", "")),
             }
         if hasattr(request, "tenant"):
             tenant: Tenant = request.tenant
@@ -182,14 +180,6 @@ class Event(ExpiringModel):
             return
         self.context["geo"] = city
 
-    def _set_prom_metrics(self):
-        GAUGE_EVENTS.labels(
-            action=self.action,
-            user_username=self.user.get("username"),
-            app=self.app,
-            client_ip=self.client_ip,
-        ).set(self.created.timestamp())
-
     def save(self, *args, **kwargs):
         if self._state.adding:
             LOGGER.debug(
@@ -200,7 +190,6 @@ class Event(ExpiringModel):
                 user=self.user,
             )
         super().save(*args, **kwargs)
-        self._set_prom_metrics()
 
     @property
     def summary(self) -> str:
@@ -235,6 +224,9 @@ class NotificationTransport(models.Model):
     mode = models.TextField(choices=TransportMode.choices)
 
     webhook_url = models.TextField(blank=True)
+    webhook_mapping = models.ForeignKey(
+        "NotificationWebhookMapping", on_delete=models.SET_DEFAULT, null=True, default=None
+    )
     send_once = models.BooleanField(
         default=False,
         help_text=_(
@@ -254,15 +246,22 @@ class NotificationTransport(models.Model):
 
     def send_webhook(self, notification: "Notification") -> list[str]:
         """Send notification to generic webhook"""
-        try:
-            response = post(
-                self.webhook_url,
-                json={
+        default_body = {
             "body": notification.body,
             "severity": notification.severity,
             "user_email": notification.user.email,
             "user_username": notification.user.username,
-                },
+        }
+        if self.webhook_mapping:
+            default_body = self.webhook_mapping.evaluate(
+                user=notification.user,
+                request=None,
+                notification=notification,
+            )
+        try:
+            response = get_http_session().post(
+                self.webhook_url,
+                json=default_body,
             )
             response.raise_for_status()
         except RequestException as exc:
@@ -312,7 +311,7 @@ class NotificationTransport(models.Model):
         if notification.event:
             body["attachments"][0]["title"] = notification.event.action
         try:
-            response = post(self.webhook_url, json=body)
+            response = get_http_session().post(self.webhook_url, json=body)
             response.raise_for_status()
         except RequestException as exc:
             text = exc.response.text if exc.response else str(exc)
@@ -429,3 +428,25 @@ class NotificationRule(PolicyBindingModel):
 
         verbose_name = _("Notification Rule")
         verbose_name_plural = _("Notification Rules")
+
+
+class NotificationWebhookMapping(PropertyMapping):
+    """Modify the schema and layout of the webhook being sent"""
+
+    @property
+    def component(self) -> str:
+        return "ak-property-mapping-notification-form"
+
+    @property
+    def serializer(self) -> Type["Serializer"]:
+        from authentik.events.api.notification_mapping import NotificationWebhookMappingSerializer
+
+        return NotificationWebhookMappingSerializer
+
+    def __str__(self):
+        return f"Notification Webhook Mapping {self.name}"
+
+    class Meta:
+
+        verbose_name = _("Notification Webhook Mapping")
+        verbose_name_plural = _("Notification Webhook Mappings")

authentik/events/monitored_tasks.py

@@ -11,6 +11,7 @@ from django.core.cache import cache
 from prometheus_client import Gauge
 
 from authentik.events.models import Event, EventAction
+from authentik.lib.utils.errors import exception_to_string
 
 GAUGE_TASKS = Gauge(
     "authentik_system_tasks",
@@ -174,9 +175,7 @@ class MonitoredTask(Task):
         ).save(self.result_timeout_hours)
         Event.new(
             EventAction.SYSTEM_TASK_EXCEPTION,
-            message=(
-                f"Task {self.__name__} encountered an error: " "\n".join(self._result.messages)
-            ),
+            message=(f"Task {self.__name__} encountered an error: {exception_to_string(exc)}"),
         ).save()
         return super().on_failure(exc, task_id, args, kwargs, einfo=einfo)
 

authentik/events/tests/test_api.py

@@ -4,15 +4,15 @@ from django.urls import reverse
 from rest_framework.test import APITestCase
 
 from authentik.core.models import User
-from authentik.events.models import Event, EventAction
+from authentik.events.models import Event, EventAction, Notification, NotificationSeverity
 
 
 class TestEventsAPI(APITestCase):
     """Test Event API"""
 
     def setUp(self) -> None:
-        user = User.objects.get(username="akadmin")
-        self.client.force_login(user)
+        self.user = User.objects.get(username="akadmin")
+        self.client.force_login(self.user)
 
     def test_top_n(self):
         """Test top_per_user"""
@@ -30,3 +30,14 @@ class TestEventsAPI(APITestCase):
             reverse("authentik_api:event-actions"),
         )
         self.assertEqual(response.status_code, 200)
+
+    def test_notifications(self):
+        """Test notifications"""
+        notification = Notification.objects.create(
+            user=self.user, severity=NotificationSeverity.ALERT, body="", seen=False
+        )
+        self.client.post(
+            reverse("authentik_api:notification-mark-all-seen"),
+        )
+        notification.refresh_from_db()
+        self.assertTrue(notification.seen)

authentik/flows/api/flows.py

@@ -7,10 +7,10 @@ from django.http.response import HttpResponseBadRequest, JsonResponse
 from django.urls import reverse
 from django.utils.translation import gettext as _
 from drf_spectacular.types import OpenApiTypes
-from drf_spectacular.utils import OpenApiResponse, extend_schema, inline_serializer
+from drf_spectacular.utils import OpenApiResponse, extend_schema
 from guardian.shortcuts import get_objects_for_user
 from rest_framework.decorators import action
-from rest_framework.fields import BooleanField, FileField, ReadOnlyField
+from rest_framework.fields import ReadOnlyField
 from rest_framework.parsers import MultiPartParser
 from rest_framework.request import Request
 from rest_framework.response import Response
@@ -20,7 +20,12 @@ from structlog.stdlib import get_logger
 
 from authentik.api.decorators import permission_required
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import CacheSerializer, LinkSerializer
+from authentik.core.api.utils import (
+    CacheSerializer,
+    FilePathSerializer,
+    FileUploadSerializer,
+    LinkSerializer,
+)
 from authentik.flows.exceptions import FlowNonApplicableException
 from authentik.flows.models import Flow
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlanner, cache_key
@@ -147,7 +152,7 @@ class FlowViewSet(UsedByMixin, ModelViewSet):
         ],
     )
     @extend_schema(
-        request={"multipart/form-data": inline_serializer("SetIcon", fields={"file": FileField()})},
+        request={"multipart/form-data": FileUploadSerializer},
         responses={
             204: OpenApiResponse(description="Successfully imported flow"),
             400: OpenApiResponse(description="Bad request"),
@@ -259,13 +264,7 @@ class FlowViewSet(UsedByMixin, ModelViewSet):
     @permission_required("authentik_flows.change_flow")
     @extend_schema(
         request={
-            "multipart/form-data": inline_serializer(
-                "SetIcon",
-                fields={
-                    "file": FileField(required=False),
-                    "clear": BooleanField(default=False),
-                },
-            )
+            "multipart/form-data": FileUploadSerializer,
         },
         responses={
             200: OpenApiResponse(description="Success"),
@@ -301,7 +300,7 @@ class FlowViewSet(UsedByMixin, ModelViewSet):
 
     @permission_required("authentik_core.change_application")
     @extend_schema(
-        request=inline_serializer("SetIconURL", fields={"url": CharField()}),
+        request=FilePathSerializer,
         responses={
             200: OpenApiResponse(description="Success"),
             400: OpenApiResponse(description="Bad request"),

authentik/flows/api/stages.py

@@ -86,7 +86,7 @@ class StageViewSet(
     @action(detail=False, pagination_class=None, filter_backends=[])
     def user_settings(self, request: Request) -> Response:
         """Get all stages the user can configure"""
-        _all_stages: Iterable[Stage] = Stage.objects.all().select_subclasses()
+        _all_stages: Iterable[Stage] = Stage.objects.all().select_subclasses().order_by("name")
         matching_stages: list[dict] = []
         for stage in _all_stages:
             user_settings = stage.ui_user_settings

authentik/flows/management/commands/benchmark.py

@@ -31,6 +31,7 @@ class FlowPlanProcess(PROCESS_CLASS):  # pragma: no cover
         self.request = RequestFactory().get("/")
 
     def run(self):
+        """Execute 1000 flow plans"""
         print(f"Proc {self.index} Running")
 
         def test_inner():

authentik/flows/migrations/0024_alter_flow_compatibility_mode.py

@@ -0,0 +1,21 @@
+# Generated by Django 3.2.6 on 2021-08-30 14:49
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_flows", "0023_alter_flow_background"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="flow",
+            name="compatibility_mode",
+            field=models.BooleanField(
+                default=False,
+                help_text="Enable compatibility mode, increases compatibility with password managers on mobile devices.",
+            ),
+        ),
+    ]

authentik/flows/models.py

@@ -125,7 +125,7 @@ class Flow(SerializerModel, PolicyBindingModel):
     )
 
     compatibility_mode = models.BooleanField(
-        default=True,
+        default=False,
         help_text=_(
             "Enable compatibility mode, increases compatibility with "
             "password managers on mobile devices."

authentik/flows/tests/test_stage_views.py

@@ -0,0 +1,31 @@
+"""stage view tests"""
+from typing import Callable, Type
+
+from django.test import RequestFactory, TestCase
+
+from authentik.flows.stage import StageView
+from authentik.flows.views import FlowExecutorView
+from authentik.lib.utils.reflection import all_subclasses
+
+
+class TestViews(TestCase):
+    """Generic model properties tests"""
+
+    def setUp(self) -> None:
+        self.factory = RequestFactory()
+        self.exec = FlowExecutorView(request=self.factory.get("/"))
+
+
+def view_tester_factory(view_class: Type[StageView]) -> Callable:
+    """Test a form"""
+
+    def tester(self: TestViews):
+        model_class = view_class(self.exec)
+        self.assertIsNotNone(model_class.post)
+        self.assertIsNotNone(model_class.get)
+
+    return tester
+
+
+for view in all_subclasses(StageView):
+    setattr(TestViews, f"test_view_{view.__name__}", view_tester_factory(view))

authentik/flows/tests/test_views.py

@@ -2,10 +2,10 @@
 from unittest.mock import MagicMock, PropertyMock, patch
 
 from django.http import HttpRequest, HttpResponse
-from django.test import TestCase
 from django.test.client import RequestFactory
 from django.urls import reverse
 from django.utils.encoding import force_str
+from rest_framework.test import APITestCase
 
 from authentik.core.models import User
 from authentik.flows.challenge import ChallengeTypes
@@ -37,7 +37,7 @@ def to_stage_response(request: HttpRequest, source: HttpResponse):
 TO_STAGE_RESPONSE_MOCK = MagicMock(side_effect=to_stage_response)
 
 
-class TestFlowExecutor(TestCase):
+class TestFlowExecutor(APITestCase):
     """Test views logic"""
 
     def setUp(self):

authentik/flows/tests/test_views_helper.py

@@ -1,5 +1,5 @@
 """flow views tests"""
-from django.test import Client, TestCase
+from django.test import TestCase
 from django.urls import reverse
 
 from authentik.flows.models import Flow, FlowDesignation
@@ -10,9 +10,6 @@ from authentik.flows.views import SESSION_KEY_PLAN
 class TestHelperView(TestCase):
     """Test helper views logic"""
 
-    def setUp(self):
-        self.client = Client()
-
     def test_default_view(self):
         """Test that ToDefaultFlow returns the expected URL"""
         flow = Flow.objects.filter(

authentik/lib/default.yml

@@ -9,7 +9,9 @@ postgresql:
 web:
   listen: 0.0.0.0:9000
   listen_tls: 0.0.0.0:9443
+  listen_metrics: 0.0.0.0:9300
   load_local_files: false
+  outpost_port_offset: 0
 
 redis:
   host: localhost
@@ -54,6 +56,7 @@ outposts:
   # %(build_hash)s: Build hash if you're running a beta version
   docker_image_base: "ghcr.io/goauthentik/%(type)s:%(version)s"
 
+disable_update_check: false
 avatars: env://AUTHENTIK_AUTHENTIK__AVATARS?gravatar
 geoip: "./GeoLite2-City.mmdb"
 

authentik/lib/expression/evaluator.py

@@ -4,13 +4,13 @@ from textwrap import indent
 from typing import Any, Iterable, Optional
 
 from django.core.exceptions import FieldError
-from requests import Session
 from rest_framework.serializers import ValidationError
 from sentry_sdk.hub import Hub
 from sentry_sdk.tracing import Span
 from structlog.stdlib import get_logger
 
 from authentik.core.models import User
+from authentik.lib.utils.http import get_http_session
 
 LOGGER = get_logger()
 
@@ -35,7 +35,7 @@ class BaseEvaluator:
             "ak_is_group_member": BaseEvaluator.expr_is_group_member,
             "ak_user_by": BaseEvaluator.expr_user_by,
             "ak_logger": get_logger(),
-            "requests": Session(),
+            "requests": get_http_session(),
         }
         self._context = {}
         self._filename = "BaseEvalautor"

authentik/lib/utils/http.py

@@ -1,9 +1,13 @@
 """http helpers"""
+from os import environ
 from typing import Any, Optional
 
 from django.http import HttpRequest
+from requests.sessions import Session
 from structlog.stdlib import get_logger
 
+from authentik import ENV_GIT_HASH_KEY, __version__
+
 OUTPOST_REMOTE_IP_HEADER = "HTTP_X_AUTHENTIK_REMOTE_IP"
 OUTPOST_TOKEN_HEADER = "HTTP_X_AUTHENTIK_OUTPOST_TOKEN"  # nosec
 DEFAULT_IP = "255.255.255.255"
@@ -60,3 +64,16 @@ def get_client_ip(request: Optional[HttpRequest]) -> str:
     if override:
         return override
     return _get_client_ip_from_meta(request.META)
+
+
+def authentik_user_agent() -> str:
+    """Get a common user agent"""
+    build = environ.get(ENV_GIT_HASH_KEY, "tagged")
+    return f"authentik@{__version__} (build={build})"
+
+
+def get_http_session() -> Session:
+    """Get a requests session with common headers"""
+    session = Session()
+    session.headers["User-Agent"] = authentik_user_agent()
+    return session

authentik/outposts/channels.py

@@ -15,7 +15,7 @@ from authentik.core.channels import AuthJsonConsumer
 from authentik.outposts.models import OUTPOST_HELLO_INTERVAL, Outpost, OutpostState
 
 GAUGE_OUTPOSTS_CONNECTED = Gauge(
-    "authentik_outposts_connected", "Currently connected outposts", ["outpost", "uid"]
+    "authentik_outposts_connected", "Currently connected outposts", ["outpost", "uid", "expected"]
 )
 GAUGE_OUTPOSTS_LAST_UPDATE = Gauge(
     "authentik_outposts_last_update",
@@ -76,6 +76,7 @@ class OutpostConsumer(AuthJsonConsumer):
             GAUGE_OUTPOSTS_CONNECTED.labels(
                 outpost=self.outpost.name,
                 uid=self.last_uid,
+                expected=self.outpost.config.kubernetes_replicas,
             ).dec()
         LOGGER.debug(
             "removed outpost instance from cache",
@@ -100,6 +101,7 @@ class OutpostConsumer(AuthJsonConsumer):
             GAUGE_OUTPOSTS_CONNECTED.labels(
                 outpost=self.outpost.name,
                 uid=self.last_uid,
+                expected=self.outpost.config.kubernetes_replicas,
             ).inc()
             LOGGER.debug(
                 "added outpost instace to cache",

authentik/outposts/controllers/docker.py

@@ -29,7 +29,9 @@ class DockerController(BaseController):
             raise ControllerException from exc
 
     def _get_labels(self) -> dict[str, str]:
-        return {}
+        return {
+            "io.goauthentik.outpost-uuid": self.outpost.pk.hex,
+        }
 
     def _get_env(self) -> dict[str, str]:
         return {
@@ -49,6 +51,17 @@ class DockerController(BaseController):
                 return True
         return False
 
+    def _comp_labels(self, container: Container) -> bool:
+        """Check if container's labels is equal to what we would set. Return true if container needs
+        to be rebuilt."""
+        should_be = self._get_labels()
+        for key, expected_value in should_be.items():
+            if key not in container.labels:
+                return True
+            if container.labels[key] != expected_value:
+                return True
+        return False
+
     def _comp_ports(self, container: Container) -> bool:
         """Check that the container has the correct ports exposed. Return true if container needs
         to be rebuilt."""
@@ -92,9 +105,11 @@ class DockerController(BaseController):
                 "environment": self._get_env(),
                 "labels": self._get_labels(),
                 "restart_policy": {"Name": "unless-stopped"},
+                "network": self.outpost.config.docker_network,
             }
             if settings.TEST:
                 del container_args["ports"]
+                del container_args["network"]
                 container_args["network_mode"] = "host"
             return (
                 self.client.containers.create(**container_args),
@@ -133,6 +148,11 @@ class DockerController(BaseController):
                 self.logger.info("Container has outdated config, re-creating...")
                 self.down()
                 return self.up(depth + 1)
+            # Check that container values match our values
+            if self._comp_labels(container):
+                self.logger.info("Container has outdated labels, re-creating...")
+                self.down()
+                return self.up(depth + 1)
             if (
                 container.attrs.get("HostConfig", {})
                 .get("RestartPolicy", {})

authentik/outposts/controllers/k8s/base.py

@@ -3,10 +3,11 @@ from typing import TYPE_CHECKING, Generic, TypeVar
 
 from django.utils.text import slugify
 from kubernetes.client import V1ObjectMeta
+from kubernetes.client.exceptions import ApiException, OpenApiException
 from kubernetes.client.models.v1_deployment import V1Deployment
 from kubernetes.client.models.v1_pod import V1Pod
-from kubernetes.client.rest import ApiException
 from structlog.stdlib import get_logger
+from urllib3.exceptions import HTTPError
 
 from authentik import __version__
 from authentik.lib.sentry import SentryIgnoredException
@@ -72,8 +73,9 @@ class KubernetesObjectReconciler(Generic[T]):
         try:
             try:
                 current = self.retrieve()
-            except ApiException as exc:
-                if exc.status == 404:
+            except (OpenApiException, HTTPError) as exc:
+                # pylint: disable=no-member
+                if isinstance(exc, ApiException) and exc.status == 404:
                     self.logger.debug("Failed to get current, triggering recreate")
                     raise NeedsRecreate from exc
                 self.logger.debug("Other unhandled error", exc=exc)
@@ -104,8 +106,9 @@ class KubernetesObjectReconciler(Generic[T]):
             current = self.retrieve()
             self.delete(current)
             self.logger.debug("Removing")
-        except ApiException as exc:
-            if exc.status == 404:
+        except (OpenApiException, HTTPError) as exc:
+            # pylint: disable=no-member
+            if isinstance(exc, ApiException) and exc.status == 404:
                 self.logger.debug("Failed to get current, assuming non-existant")
                 return
             self.logger.debug("Other unhandled error", exc=exc)

authentik/outposts/controllers/k8s/service.py

@@ -3,8 +3,8 @@ from typing import TYPE_CHECKING
 
 from kubernetes.client import CoreV1Api, V1Service, V1ServicePort, V1ServiceSpec
 
-from authentik.outposts.controllers.base import FIELD_MANAGER, DeploymentPort
-from authentik.outposts.controllers.k8s.base import KubernetesObjectReconciler, NeedsUpdate
+from authentik.outposts.controllers.base import FIELD_MANAGER
+from authentik.outposts.controllers.k8s.base import KubernetesObjectReconciler, NeedsRecreate
 from authentik.outposts.controllers.k8s.deployment import DeploymentReconciler
 
 if TYPE_CHECKING:
@@ -21,44 +21,13 @@ class ServiceReconciler(KubernetesObjectReconciler[V1Service]):
     def reconcile(self, current: V1Service, reference: V1Service):
         super().reconcile(current, reference)
         if len(current.spec.ports) != len(reference.spec.ports):
-            raise NeedsUpdate()
+            raise NeedsRecreate()
         for port in reference.spec.ports:
             if port not in current.spec.ports:
-                raise NeedsUpdate()
-
-    def get_embedded_reference_object(self) -> V1Service:
-        """Get Service for embedded outpost"""
-        selector_labels = {
-            "app.kubernetes.io/name": "authentik",
-            "app.kubernetes.io/component": "server",
-        }
-        meta = self.get_object_meta(name=self.name)
-        ports = []
-        for port in [
-            DeploymentPort(9000, "http", "tcp"),
-            DeploymentPort(9443, "https", "tcp"),
-        ]:
-            ports.append(
-                V1ServicePort(
-                    name=port.name,
-                    port=port.port,
-                    protocol=port.protocol.upper(),
-                    target_port=port.inner_port or port.port,
-                )
-            )
-        return V1Service(
-            metadata=meta,
-            spec=V1ServiceSpec(
-                ports=ports,
-                selector=selector_labels,
-                type=self.controller.outpost.config.kubernetes_service_type,
-            ),
-        )
+                raise NeedsRecreate()
 
     def get_reference_object(self) -> V1Service:
         """Get deployment object for outpost"""
-        if self.is_embedded:
-            return self.get_embedded_reference_object()
         meta = self.get_object_meta(name=self.name)
         ports = []
         for port in self.controller.deployment_ports:
@@ -70,6 +39,12 @@ class ServiceReconciler(KubernetesObjectReconciler[V1Service]):
                     target_port=port.inner_port or port.port,
                 )
             )
+        if self.is_embedded:
+            selector_labels = {
+                "app.kubernetes.io/name": "authentik",
+                "app.kubernetes.io/component": "server",
+            }
+        else:
             selector_labels = DeploymentReconciler(self.controller).get_pod_meta()
         return V1Service(
             metadata=meta,

authentik/outposts/controllers/k8s/service_monitor.py

@@ -0,0 +1,150 @@
+"""Kubernetes Prometheus ServiceMonitor Reconciler"""
+from dataclasses import asdict, dataclass, field
+from typing import TYPE_CHECKING
+
+from dacite import from_dict
+from kubernetes.client import ApiextensionsV1Api, CustomObjectsApi
+
+from authentik.outposts.controllers.base import FIELD_MANAGER
+from authentik.outposts.controllers.k8s.base import KubernetesObjectReconciler
+
+if TYPE_CHECKING:
+    from authentik.outposts.controllers.kubernetes import KubernetesController
+
+
+@dataclass
+class PrometheusServiceMonitorSpecEndpoint:
+    """Prometheus ServiceMonitor endpoint spec"""
+
+    port: str
+    path: str = field(default="/metrics")
+
+
+@dataclass
+class PrometheusServiceMonitorSpecSelector:
+    """Prometheus ServiceMonitor selector spec"""
+
+    # pylint: disable=invalid-name
+    matchLabels: dict
+
+
+@dataclass
+class PrometheusServiceMonitorSpec:
+    """Prometheus ServiceMonitor spec"""
+
+    endpoints: list[PrometheusServiceMonitorSpecEndpoint]
+    # pylint: disable=invalid-name
+    selector: PrometheusServiceMonitorSpecSelector
+
+
+@dataclass
+class PrometheusServiceMonitorMetadata:
+    """Prometheus ServiceMonitor metadata"""
+
+    name: str
+    namespace: str
+    labels: dict = field(default_factory=dict)
+
+
+@dataclass
+class PrometheusServiceMonitor:
+    """Prometheus ServiceMonitor"""
+
+    # pylint: disable=invalid-name
+    apiVersion: str
+    kind: str
+    metadata: PrometheusServiceMonitorMetadata
+    spec: PrometheusServiceMonitorSpec
+
+
+CRD_NAME = "servicemonitors.monitoring.coreos.com"
+CRD_GROUP = "monitoring.coreos.com"
+CRD_VERSION = "v1"
+CRD_PLURAL = "servicemonitors"
+
+
+class PrometheusServiceMonitorReconciler(KubernetesObjectReconciler[PrometheusServiceMonitor]):
+    """Kubernetes Prometheus ServiceMonitor Reconciler"""
+
+    def __init__(self, controller: "KubernetesController") -> None:
+        super().__init__(controller)
+        self.api_ex = ApiextensionsV1Api(controller.client)
+        self.api = CustomObjectsApi(controller.client)
+
+    @property
+    def noop(self) -> bool:
+        return (not self._crd_exists()) or (self.is_embedded)
+
+    def _crd_exists(self) -> bool:
+        """Check if the Prometheus ServiceMonitor exists"""
+        return bool(
+            len(
+                self.api_ex.list_custom_resource_definition(
+                    field_selector=f"metadata.name={CRD_NAME}"
+                ).items
+            )
+        )
+
+    def get_reference_object(self) -> PrometheusServiceMonitor:
+        """Get service monitor object for outpost"""
+        return PrometheusServiceMonitor(
+            apiVersion=f"{CRD_GROUP}/{CRD_VERSION}",
+            kind="ServiceMonitor",
+            metadata=PrometheusServiceMonitorMetadata(
+                name=self.name,
+                namespace=self.namespace,
+                labels=self.get_object_meta().labels,
+            ),
+            spec=PrometheusServiceMonitorSpec(
+                endpoints=[
+                    PrometheusServiceMonitorSpecEndpoint(
+                        port="http-metrics",
+                    )
+                ],
+                selector=PrometheusServiceMonitorSpecSelector(
+                    matchLabels=self.get_object_meta(name=self.name).labels,
+                ),
+            ),
+        )
+
+    def create(self, reference: PrometheusServiceMonitor):
+        return self.api.create_namespaced_custom_object(
+            group=CRD_GROUP,
+            version=CRD_VERSION,
+            plural=CRD_PLURAL,
+            namespace=self.namespace,
+            body=asdict(reference),
+            field_manager=FIELD_MANAGER,
+        )
+
+    def delete(self, reference: PrometheusServiceMonitor):
+        return self.api.delete_namespaced_custom_object(
+            group=CRD_GROUP,
+            version=CRD_VERSION,
+            namespace=self.namespace,
+            plural=CRD_PLURAL,
+            name=self.name,
+        )
+
+    def retrieve(self) -> PrometheusServiceMonitor:
+        return from_dict(
+            PrometheusServiceMonitor,
+            self.api.get_namespaced_custom_object(
+                group=CRD_GROUP,
+                version=CRD_VERSION,
+                namespace=self.namespace,
+                plural=CRD_PLURAL,
+                name=self.name,
+            ),
+        )
+
+    def update(self, current: PrometheusServiceMonitor, reference: PrometheusServiceMonitor):
+        return self.api.patch_namespaced_custom_object(
+            group=CRD_GROUP,
+            version=CRD_VERSION,
+            namespace=self.namespace,
+            plural=CRD_PLURAL,
+            name=self.name,
+            body=asdict(reference),
+            field_manager=FIELD_MANAGER,
+        )

authentik/outposts/controllers/kubernetes.py

@@ -3,8 +3,9 @@ from io import StringIO
 from typing import Type
 
 from kubernetes.client.api_client import ApiClient
-from kubernetes.client.exceptions import ApiException
+from kubernetes.client.exceptions import OpenApiException
 from structlog.testing import capture_logs
+from urllib3.exceptions import HTTPError
 from yaml import dump_all
 
 from authentik.outposts.controllers.base import BaseController, ControllerException
@@ -12,7 +13,8 @@ from authentik.outposts.controllers.k8s.base import KubernetesObjectReconciler
 from authentik.outposts.controllers.k8s.deployment import DeploymentReconciler
 from authentik.outposts.controllers.k8s.secret import SecretReconciler
 from authentik.outposts.controllers.k8s.service import ServiceReconciler
-from authentik.outposts.models import KubernetesServiceConnection, Outpost
+from authentik.outposts.controllers.k8s.service_monitor import PrometheusServiceMonitorReconciler
+from authentik.outposts.models import KubernetesServiceConnection, Outpost, ServiceConnectionInvalid
 
 
 class KubernetesController(BaseController):
@@ -31,8 +33,9 @@ class KubernetesController(BaseController):
             "secret": SecretReconciler,
             "deployment": DeploymentReconciler,
             "service": ServiceReconciler,
+            "prometheus servicemonitor": PrometheusServiceMonitorReconciler,
         }
-        self.reconcile_order = ["secret", "deployment", "service"]
+        self.reconcile_order = ["secret", "deployment", "service", "prometheus servicemonitor"]
 
     def up(self):
         try:
@@ -40,7 +43,7 @@ class KubernetesController(BaseController):
                 reconciler = self.reconcilers[reconcile_key](self)
                 reconciler.up()
 
-        except ApiException as exc:
+        except (OpenApiException, HTTPError, ServiceConnectionInvalid) as exc:
             raise ControllerException(str(exc)) from exc
 
     def up_with_logs(self) -> list[str]:
@@ -55,7 +58,7 @@ class KubernetesController(BaseController):
                     reconciler.up()
                 all_logs += [f"{reconcile_key.title()}: {x['event']}" for x in logs]
             return all_logs
-        except ApiException as exc:
+        except (OpenApiException, HTTPError, ServiceConnectionInvalid) as exc:
             raise ControllerException(str(exc)) from exc
 
     def down(self):
@@ -65,7 +68,7 @@ class KubernetesController(BaseController):
                 self.logger.debug("Tearing down object", name=reconcile_key)
                 reconciler.down()
 
-        except ApiException as exc:
+        except (OpenApiException, HTTPError, ServiceConnectionInvalid) as exc:
             raise ControllerException(str(exc)) from exc
 
     def down_with_logs(self) -> list[str]:
@@ -80,7 +83,7 @@ class KubernetesController(BaseController):
                     reconciler.down()
                 all_logs += [f"{reconcile_key.title()}: {x['event']}" for x in logs]
             return all_logs
-        except ApiException as exc:
+        except (OpenApiException, HTTPError, ServiceConnectionInvalid) as exc:
             raise ControllerException(str(exc)) from exc
 
     def get_static_deployment(self) -> str:

authentik/outposts/models.py

@@ -56,6 +56,7 @@ class ServiceConnectionInvalid(SentryIgnoredException):
 
 
 @dataclass
+# pylint: disable=too-many-instance-attributes
 class OutpostConfig:
     """Configuration an outpost uses to configure it self"""
 
@@ -67,8 +68,10 @@ class OutpostConfig:
     log_level: str = CONFIG.y("log_level")
     error_reporting_enabled: bool = CONFIG.y_bool("error_reporting.enabled")
     error_reporting_environment: str = CONFIG.y("error_reporting.environment", "customer")
-
     object_naming_template: str = field(default="ak-outpost-%(name)s")
+
+    docker_network: Optional[str] = field(default=None)
+
     kubernetes_replicas: int = field(default=1)
     kubernetes_namespace: str = field(default_factory=get_namespace)
     kubernetes_ingress_annotations: dict[str, str] = field(default_factory=dict)
@@ -362,7 +365,7 @@ class Outpost(ManagedModel):
                     )
                     try:
                         assign_perm(code_name, user, model_or_perm)
-                    except Permission.DoesNotExist as exc:
+                    except (Permission.DoesNotExist, AttributeError) as exc:
                         LOGGER.warning(
                             "permission doesn't exist",
                             code_name=code_name,

authentik/outposts/tasks.py

@@ -100,7 +100,7 @@ def outpost_controller(
     if from_cache:
         outpost: Outpost = cache.get(CACHE_KEY_OUTPOST_DOWN % outpost_pk)
     else:
-        outpost: Outpost = Outpost.objects.get(pk=outpost_pk)
+        outpost: Outpost = Outpost.objects.filter(pk=outpost_pk).first()
     if not outpost:
         return
     self.set_uid(slugify(outpost.name))
@@ -148,10 +148,7 @@ def outpost_post_save(model_class: str, model_pk: Any):
         return
 
     if isinstance(instance, Outpost):
-        LOGGER.debug("Ensuring token and permissions for outpost", instance=instance)
-        _ = instance.token
-        _ = instance.user
-        LOGGER.debug("Trigger reconcile for outpost")
+        LOGGER.debug("Trigger reconcile for outpost", instance=instance)
         outpost_controller.delay(instance.pk)
 
     if isinstance(instance, (OutpostModel, Outpost)):

authentik/policies/engine.py

@@ -81,11 +81,11 @@ class PolicyEngine:
             .iterator()
         )
 
-    def _check_policy_type(self, policy: Policy):
+    def _check_policy_type(self, binding: PolicyBinding):
         """Check policy type, make sure it's not the root class as that has no logic implemented"""
         # pyright: reportGeneralTypeIssues=false
-        if policy.__class__ == Policy:
-            raise TypeError(f"Policy '{policy}' is root type")
+        if binding.policy is not None and binding.policy.__class__ == Policy:
+            raise TypeError(f"Policy '{binding.policy}' is root type")
 
     def build(self) -> "PolicyEngine":
         """Build wrapper which monitors performance"""
@@ -102,7 +102,7 @@ class PolicyEngine:
             for binding in self._iter_bindings():
                 self.__expected_result_count += 1
 
-                self._check_policy_type(binding.policy)
+                self._check_policy_type(binding)
                 key = cache_key(binding, self.request)
                 cached_policy = cache.get(key, None)
                 if cached_policy and self.use_cache:

authentik/policies/hibp/models.py

@@ -3,10 +3,10 @@ from hashlib import sha1
 
 from django.db import models
 from django.utils.translation import gettext as _
-from requests import get
 from rest_framework.serializers import BaseSerializer
 from structlog.stdlib import get_logger
 
+from authentik.lib.utils.http import get_http_session
 from authentik.policies.models import Policy, PolicyResult
 from authentik.policies.types import PolicyRequest
 
@@ -49,7 +49,7 @@ class HaveIBeenPwendPolicy(Policy):
 
         pw_hash = sha1(password.encode("utf-8")).hexdigest()  # nosec
         url = f"https://api.pwnedpasswords.com/range/{pw_hash[:5]}"
-        result = get(url).text
+        result = get_http_session().get(url).text
         final_count = 0
         for line in result.split("\r\n"):
             full_hash, count = line.split(":")

authentik/policies/password/models.py

@@ -8,8 +8,11 @@ from structlog.stdlib import get_logger
 
 from authentik.policies.models import Policy
 from authentik.policies.types import PolicyRequest, PolicyResult
+from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
 
 LOGGER = get_logger()
+RE_LOWER = re.compile("[a-z]")
+RE_UPPER = re.compile("[A-Z]")
 
 
 class PasswordPolicy(Policy):
@@ -38,31 +41,42 @@ class PasswordPolicy(Policy):
         return "ak-policy-password-form"
 
     def passes(self, request: PolicyRequest) -> PolicyResult:
-        if self.password_field not in request.context:
+        if (
+            self.password_field not in request.context
+            and self.password_field not in request.context.get(PLAN_CONTEXT_PROMPT, {})
+        ):
             LOGGER.warning(
                 "Password field not set in Policy Request",
                 field=self.password_field,
                 fields=request.context.keys(),
+                prompt_fields=request.context.get(PLAN_CONTEXT_PROMPT, {}).keys(),
             )
             return PolicyResult(False, _("Password not set in context"))
+
+        if self.password_field in request.context:
             password = request.context[self.password_field]
+        else:
+            password = request.context[PLAN_CONTEXT_PROMPT][self.password_field]
 
-        filter_regex = []
-        if self.amount_lowercase > 0:
-            filter_regex.append(r"[a-z]{%d,}" % self.amount_lowercase)
-        if self.amount_uppercase > 0:
-            filter_regex.append(r"[A-Z]{%d,}" % self.amount_uppercase)
+        if len(password) < self.length_min:
+            LOGGER.debug("password failed", reason="length")
+            return PolicyResult(False, self.error_message)
+
+        if self.amount_lowercase > 0 and len(RE_LOWER.findall(password)) < self.amount_lowercase:
+            LOGGER.debug("password failed", reason="amount_lowercase")
+            return PolicyResult(False, self.error_message)
+        if self.amount_uppercase > 0 and len(RE_UPPER.findall(password)) < self.amount_lowercase:
+            LOGGER.debug("password failed", reason="amount_uppercase")
+            return PolicyResult(False, self.error_message)
         if self.amount_symbols > 0:
-            filter_regex.append(r"[%s]{%d,}" % (self.symbol_charset, self.amount_symbols))
-        full_regex = "|".join(filter_regex)
-        LOGGER.debug("Built regex", regexp=full_regex)
-        result = bool(re.compile(full_regex).match(password))
+            count = 0
+            for symbol in self.symbol_charset:
+                count += password.count(symbol)
+            if count < self.amount_symbols:
+                LOGGER.debug("password failed", reason="amount_symbols")
+                return PolicyResult(False, self.error_message)
 
-        result = result and len(password) >= self.length_min
-
-        if not result:
-            return PolicyResult(result, self.error_message)
-        return PolicyResult(result)
+        return PolicyResult(True)
 
     class Meta:
 

authentik/policies/password/tests.py

@@ -1,57 +0,0 @@
-"""Password Policy tests"""
-from django.test import TestCase
-from guardian.shortcuts import get_anonymous_user
-
-from authentik.policies.password.models import PasswordPolicy
-from authentik.policies.types import PolicyRequest, PolicyResult
-
-
-class TestPasswordPolicy(TestCase):
-    """Test Password Policy"""
-
-    def test_invalid(self):
-        """Test without password"""
-        policy = PasswordPolicy.objects.create(
-            name="test_invalid",
-            amount_uppercase=1,
-            amount_lowercase=2,
-            amount_symbols=3,
-            length_min=24,
-            error_message="test message",
-        )
-        request = PolicyRequest(get_anonymous_user())
-        result: PolicyResult = policy.passes(request)
-        self.assertFalse(result.passing)
-        self.assertEqual(result.messages[0], "Password not set in context")
-
-    def test_false(self):
-        """Failing password case"""
-        policy = PasswordPolicy.objects.create(
-            name="test_false",
-            amount_uppercase=1,
-            amount_lowercase=2,
-            amount_symbols=3,
-            length_min=24,
-            error_message="test message",
-        )
-        request = PolicyRequest(get_anonymous_user())
-        request.context["password"] = "test"
-        result: PolicyResult = policy.passes(request)
-        self.assertFalse(result.passing)
-        self.assertEqual(result.messages, ("test message",))
-
-    def test_true(self):
-        """Positive password case"""
-        policy = PasswordPolicy.objects.create(
-            name="test_true",
-            amount_uppercase=1,
-            amount_lowercase=2,
-            amount_symbols=3,
-            length_min=3,
-            error_message="test message",
-        )
-        request = PolicyRequest(get_anonymous_user())
-        request.context["password"] = "Test()!"
-        result: PolicyResult = policy.passes(request)
-        self.assertTrue(result.passing)
-        self.assertEqual(result.messages, tuple())

authentik/policies/password/tests/test_flows.py

@@ -0,0 +1,80 @@
+"""Password flow tests"""
+from django.urls.base import reverse
+from django.utils.encoding import force_str
+from rest_framework.test import APITestCase
+
+from authentik.core.models import User
+from authentik.flows.challenge import ChallengeTypes
+from authentik.flows.models import Flow, FlowDesignation, FlowStageBinding
+from authentik.policies.password.models import PasswordPolicy
+from authentik.stages.prompt.models import FieldTypes, Prompt, PromptStage
+
+
+class TestPasswordPolicyFlow(APITestCase):
+    """Test Password Policy"""
+
+    def setUp(self) -> None:
+        self.user = User.objects.create(username="unittest", email="test@beryju.org")
+
+        self.flow = Flow.objects.create(
+            name="test-prompt",
+            slug="test-prompt",
+            designation=FlowDesignation.AUTHENTICATION,
+        )
+        password_prompt = Prompt.objects.create(
+            field_key="password",
+            label="PASSWORD_LABEL",
+            type=FieldTypes.PASSWORD,
+            required=True,
+            placeholder="PASSWORD_PLACEHOLDER",
+        )
+
+        self.policy = PasswordPolicy.objects.create(
+            name="test_true",
+            amount_uppercase=1,
+            amount_lowercase=2,
+            amount_symbols=3,
+            length_min=3,
+            error_message="test message",
+        )
+        stage = PromptStage.objects.create(name="prompt-stage")
+        stage.validation_policies.set([self.policy])
+        stage.fields.set(
+            [
+                password_prompt,
+            ]
+        )
+        FlowStageBinding.objects.create(target=self.flow, stage=stage, order=2)
+
+    def test_prompt_data(self):
+        """Test policy attached to a prompt stage"""
+        response = self.client.post(
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
+            {"password": "akadmin"},
+        )
+        self.assertEqual(response.status_code, 200)
+        self.assertJSONEqual(
+            force_str(response.content),
+            {
+                "component": "ak-stage-prompt",
+                "fields": [
+                    {
+                        "field_key": "password",
+                        "label": "PASSWORD_LABEL",
+                        "order": 0,
+                        "placeholder": "PASSWORD_PLACEHOLDER",
+                        "required": True,
+                        "type": "password",
+                    }
+                ],
+                "flow_info": {
+                    "background": self.flow.background_url,
+                    "cancel_url": reverse("authentik_flows:cancel"),
+                    "title": "",
+                },
+                "response_errors": {
+                    "non_field_errors": [{"code": "invalid", "string": self.policy.error_message}]
+                },
+                "type": ChallengeTypes.NATIVE.value,
+            },
+        )

authentik/policies/password/tests/test_policy.py

@@ -0,0 +1,68 @@
+"""Password Policy tests"""
+from django.test import TestCase
+from guardian.shortcuts import get_anonymous_user
+
+from authentik.lib.generators import generate_key
+from authentik.policies.password.models import PasswordPolicy
+from authentik.policies.types import PolicyRequest, PolicyResult
+
+
+class TestPasswordPolicy(TestCase):
+    """Test Password Policy"""
+
+    def setUp(self) -> None:
+        self.policy = PasswordPolicy.objects.create(
+            name="test_false",
+            amount_uppercase=1,
+            amount_lowercase=2,
+            amount_symbols=3,
+            length_min=24,
+            error_message="test message",
+        )
+
+    def test_invalid(self):
+        """Test without password"""
+        request = PolicyRequest(get_anonymous_user())
+        result: PolicyResult = self.policy.passes(request)
+        self.assertFalse(result.passing)
+        self.assertEqual(result.messages[0], "Password not set in context")
+
+    def test_failed_length(self):
+        """Password too short"""
+        request = PolicyRequest(get_anonymous_user())
+        request.context["password"] = "test"
+        result: PolicyResult = self.policy.passes(request)
+        self.assertFalse(result.passing)
+        self.assertEqual(result.messages, ("test message",))
+
+    def test_failed_lowercase(self):
+        """not enough lowercase"""
+        request = PolicyRequest(get_anonymous_user())
+        request.context["password"] = "TTTTTTTTTTTTTTTTTTTTTTTe"
+        result: PolicyResult = self.policy.passes(request)
+        self.assertFalse(result.passing)
+        self.assertEqual(result.messages, ("test message",))
+
+    def test_failed_uppercase(self):
+        """not enough uppercase"""
+        request = PolicyRequest(get_anonymous_user())
+        request.context["password"] = "tttttttttttttttttttttttE"
+        result: PolicyResult = self.policy.passes(request)
+        self.assertFalse(result.passing)
+        self.assertEqual(result.messages, ("test message",))
+
+    def test_failed_symbols(self):
+        """not enough uppercase"""
+        request = PolicyRequest(get_anonymous_user())
+        request.context["password"] = "TETETETETETETETETETETETETe!!!"
+        result: PolicyResult = self.policy.passes(request)
+        self.assertFalse(result.passing)
+        self.assertEqual(result.messages, ("test message",))
+
+    def test_true(self):
+        """Positive password case"""
+        request = PolicyRequest(get_anonymous_user())
+        request.context["password"] = generate_key() + "ee!!!"
+        result: PolicyResult = self.policy.passes(request)
+        self.assertTrue(result.passing)
+        self.assertEqual(result.messages, tuple())

authentik/providers/ldap/api.py

@@ -29,7 +29,19 @@ class LDAPProviderViewSet(UsedByMixin, ModelViewSet):
 
     queryset = LDAPProvider.objects.all()
     serializer_class = LDAPProviderSerializer
-    filterset_fields = "__all__"
+    filterset_fields = {
+        "application": ["isnull"],
+        "name": ["iexact"],
+        "authorization_flow__slug": ["iexact"],
+        "base_dn": ["iexact"],
+        "search_group__group_uuid": ["iexact"],
+        "search_group__name": ["iexact"],
+        "certificate__kp_uuid": ["iexact"],
+        "certificate__name": ["iexact"],
+        "tls_server_name": ["iexact"],
+        "uid_start_number": ["iexact"],
+        "gid_start_number": ["iexact"],
+    }
     ordering = ["name"]
 
 

authentik/providers/ldap/controllers/docker.py

@@ -12,4 +12,5 @@ class LDAPDockerController(DockerController):
         self.deployment_ports = [
             DeploymentPort(389, "ldap", "tcp", 3389),
             DeploymentPort(636, "ldaps", "tcp", 6636),
+            DeploymentPort(9300, "http-metrics", "tcp", 9300),
         ]

authentik/providers/ldap/controllers/kubernetes.py

@@ -12,4 +12,5 @@ class LDAPKubernetesController(KubernetesController):
         self.deployment_ports = [
             DeploymentPort(389, "ldap", "tcp", 3389),
             DeploymentPort(636, "ldaps", "tcp", 6636),
+            DeploymentPort(9300, "http-metrics", "tcp", 9300),
         ]

authentik/providers/oauth2/api/provider.py

@@ -3,7 +3,7 @@ from django.urls import reverse
 from django.utils.translation import gettext_lazy as _
 from drf_spectacular.utils import OpenApiResponse, extend_schema
 from rest_framework.decorators import action
-from rest_framework.fields import ReadOnlyField
+from rest_framework.fields import CharField
 from rest_framework.generics import get_object_or_404
 from rest_framework.request import Request
 from rest_framework.response import Response
@@ -49,12 +49,12 @@ class OAuth2ProviderSerializer(ProviderSerializer):
 class OAuth2ProviderSetupURLs(PassiveSerializer):
     """OAuth2 Provider Metadata serializer"""
 
-    issuer = ReadOnlyField()
-    authorize = ReadOnlyField()
-    token = ReadOnlyField()
-    user_info = ReadOnlyField()
-    provider_info = ReadOnlyField()
-    logout = ReadOnlyField()
+    issuer = CharField(read_only=True)
+    authorize = CharField(read_only=True)
+    token = CharField(read_only=True)
+    user_info = CharField(read_only=True)
+    provider_info = CharField(read_only=True)
+    logout = CharField(read_only=True)
 
 
 class OAuth2ProviderViewSet(UsedByMixin, ModelViewSet):

authentik/providers/oauth2/api/scope.py

@@ -1,6 +1,8 @@
 """OAuth2Provider API Views"""
 from django_filters.filters import AllValuesMultipleFilter
 from django_filters.filterset import FilterSet
+from drf_spectacular.types import OpenApiTypes
+from drf_spectacular.utils import extend_schema_field
 from rest_framework.viewsets import ModelViewSet
 
 from authentik.core.api.propertymappings import PropertyMappingSerializer
@@ -23,7 +25,7 @@ class ScopeMappingSerializer(PropertyMappingSerializer):
 class ScopeMappingFilter(FilterSet):
     """Filter for ScopeMapping"""
 
-    managed = AllValuesMultipleFilter(field_name="managed")
+    managed = extend_schema_field(OpenApiTypes.STR)(AllValuesMultipleFilter(field_name="managed"))
 
     class Meta:
         model = ScopeMapping

authentik/providers/oauth2/errors.py

@@ -151,12 +151,13 @@ class AuthorizeError(OAuth2Error):
         # http://openid.net/specs/openid-connect-core-1_0.html#ImplicitAuthError
         hash_or_question = "#" if self.grant_type == GrantTypes.IMPLICIT else "?"
 
-        uri = "{0}{1}error={2}&error_description={3}".format(
-            self.redirect_uri, hash_or_question, self.error, description
+        uri = (
+            f"{self.redirect_uri}{hash_or_question}error="
+            f"{self.error}&error_description={description}"
         )
 
         # Add state if present.
-        uri = uri + ("&state={0}".format(self.state) if self.state else "")
+        uri = uri + (f"&state={self.state}" if self.state else "")
 
         return uri
 

authentik/providers/oauth2/migrations/0017_alter_oauth2provider_token_validity.py

@@ -0,0 +1,24 @@
+# Generated by Django 3.2.6 on 2021-09-08 15:12
+
+from django.db import migrations, models
+
+import authentik.lib.utils.time
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_providers_oauth2", "0016_alter_authorizationcode_nonce"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="oauth2provider",
+            name="token_validity",
+            field=models.TextField(
+                default="days=30",
+                help_text="Tokens not valid on or after current time + this value (Format: hours=1;minutes=2;seconds=3).",
+                validators=[authentik.lib.utils.time.timedelta_string_validator],
+            ),
+        ),
+    ]

authentik/providers/oauth2/models.py

@@ -182,7 +182,7 @@ class OAuth2Provider(Provider):
         ),
     )
     token_validity = models.TextField(
-        default="minutes=10",
+        default="days=30",
         validators=[timedelta_string_validator],
         help_text=_(
             (

authentik/providers/oauth2/tests/test_authorize.py

@@ -247,7 +247,7 @@ class TestAuthorize(OAuthTestCase):
                 "to": (
                     f"http://localhost#access_token={token.access_token}"
                     f"&id_token={provider.encode(token.id_token.to_dict())}&token_type=bearer"
-                    f"&expires_in=600&state={state}"
+                    f"&expires_in=60&state={state}"
                 ),
             },
         )

authentik/providers/oauth2/tests/test_token.py

@@ -141,7 +141,7 @@ class TestToken(OAuthTestCase):
                 "access_token": new_token.access_token,
                 "refresh_token": new_token.refresh_token,
                 "token_type": "bearer",
-                "expires_in": 600,
+                "expires_in": 2592000,
                 "id_token": provider.encode(
                     new_token.id_token.to_dict(),
                 ),
@@ -190,7 +190,7 @@ class TestToken(OAuthTestCase):
                 "access_token": new_token.access_token,
                 "refresh_token": new_token.refresh_token,
                 "token_type": "bearer",
-                "expires_in": 600,
+                "expires_in": 2592000,
                 "id_token": provider.encode(
                     new_token.id_token.to_dict(),
                 ),
@@ -236,7 +236,7 @@ class TestToken(OAuthTestCase):
                 "access_token": new_token.access_token,
                 "refresh_token": new_token.refresh_token,
                 "token_type": "bearer",
-                "expires_in": 600,
+                "expires_in": 2592000,
                 "id_token": provider.encode(
                     new_token.id_token.to_dict(),
                 ),

authentik/providers/oauth2/views/authorize.py

@@ -238,6 +238,10 @@ class OAuthFulfillmentStage(StageView):
         parsed = urlparse(uri)
         return HttpResponseRedirectScheme(uri, allowed_schemes=[parsed.scheme])
 
+    def post(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
+        """Wrapper when this stage gets hit with a post request"""
+        return self.get(request, *args, **kwargs)
+
     # pylint: disable=unused-argument
     def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
         """final Stage of an OAuth2 Flow"""
@@ -367,7 +371,7 @@ class OAuthFulfillmentStage(StageView):
 
         query_fragment["token_type"] = "bearer"
         query_fragment["expires_in"] = int(
-            timedelta_from_string(self.provider.token_validity).total_seconds()
+            timedelta_from_string(self.provider.access_code_validity).total_seconds()
         )
         query_fragment["state"] = self.params.state if self.params.state else ""
 

authentik/providers/proxy/api.py

@@ -1,7 +1,7 @@
 """ProxyProvider API Views"""
 from typing import Any
 
-from drf_spectacular.utils import extend_schema_field, extend_schema_serializer
+from drf_spectacular.utils import extend_schema_field
 from rest_framework.exceptions import ValidationError
 from rest_framework.fields import CharField, ListField, SerializerMethodField
 from rest_framework.serializers import ModelSerializer
@@ -72,6 +72,7 @@ class ProxyProviderSerializer(ProviderSerializer):
             "mode",
             "redirect_uris",
             "cookie_domain",
+            "token_validity",
         ]
 
 
@@ -80,11 +81,27 @@ class ProxyProviderViewSet(UsedByMixin, ModelViewSet):
 
     queryset = ProxyProvider.objects.all()
     serializer_class = ProxyProviderSerializer
-    filterset_fields = "__all__"
+    filterset_fields = {
+        "application": ["isnull"],
+        "name": ["iexact"],
+        "authorization_flow__slug": ["iexact"],
+        "property_mappings": ["iexact"],
+        "internal_host": ["iexact"],
+        "external_host": ["iexact"],
+        "internal_host_ssl_validation": ["iexact"],
+        "certificate__kp_uuid": ["iexact"],
+        "certificate__name": ["iexact"],
+        "skip_path_regex": ["iexact"],
+        "basic_auth_enabled": ["iexact"],
+        "basic_auth_password_attribute": ["iexact"],
+        "basic_auth_user_attribute": ["iexact"],
+        "mode": ["iexact"],
+        "redirect_uris": ["iexact"],
+        "cookie_domain": ["iexact"],
+    }
     ordering = ["name"]
 
 
-@extend_schema_serializer(deprecate_fields=["forward_auth_mode"])
 class ProxyOutpostConfigSerializer(ModelSerializer):
     """Proxy provider serializer for outposts"""
 

authentik/providers/proxy/controllers/docker.py

@@ -13,8 +13,9 @@ class ProxyDockerController(DockerController):
     def __init__(self, outpost: Outpost, connection: DockerServiceConnection):
         super().__init__(outpost, connection)
         self.deployment_ports = [
-            DeploymentPort(4180, "http", "tcp"),
-            DeploymentPort(4443, "https", "tcp"),
+            DeploymentPort(9000, "http", "tcp"),
+            DeploymentPort(9300, "http-metrics", "tcp"),
+            DeploymentPort(9443, "https", "tcp"),
         ]
 
     def _get_labels(self) -> dict[str, str]:
@@ -22,13 +23,13 @@ class ProxyDockerController(DockerController):
         for proxy_provider in ProxyProvider.objects.filter(outpost__in=[self.outpost]):
             proxy_provider: ProxyProvider
             external_host_name = urlparse(proxy_provider.external_host)
-            hosts.append(f"`{external_host_name}`")
+            hosts.append(f"`{external_host_name.netloc}`")
         traefik_name = f"ak-outpost-{self.outpost.pk.hex}"
-        return {
-            "traefik.enable": "true",
-            f"traefik.http.routers.{traefik_name}-router.rule": f"Host({','.join(hosts)})",
-            f"traefik.http.routers.{traefik_name}-router.tls": "true",
-            f"traefik.http.routers.{traefik_name}-router.service": f"{traefik_name}-service",
-            f"traefik.http.services.{traefik_name}-service.loadbalancer.healthcheck.path": "/",
-            f"traefik.http.services.{traefik_name}-service.loadbalancer.server.port": "4180",
-        }
+        labels = super()._get_labels()
+        labels["traefik.enable"] = "true"
+        labels[f"traefik.http.routers.{traefik_name}-router.rule"] = f"Host({','.join(hosts)})"
+        labels[f"traefik.http.routers.{traefik_name}-router.tls"] = "true"
+        labels[f"traefik.http.routers.{traefik_name}-router.service"] = f"{traefik_name}-service"
+        labels[f"traefik.http.services.{traefik_name}-service.loadbalancer.healthcheck.path"] = "/"
+        labels[f"traefik.http.services.{traefik_name}-service.loadbalancer.server.port"] = "9000"
+        return labels

authentik/providers/proxy/controllers/k8s/ingress.py

@@ -61,6 +61,7 @@ class IngressReconciler(KubernetesObjectReconciler[NetworkingV1beta1Ingress]):
         have_hosts.sort()
 
         have_hosts_tls = []
+        if current.spec.tls:
             for tls_config in current.spec.tls:
                 if tls_config and tls_config.hosts:
                     have_hosts_tls += tls_config.hosts

authentik/providers/proxy/controllers/k8s/traefik.py

@@ -106,7 +106,7 @@ class TraefikMiddlewareReconciler(KubernetesObjectReconciler[TraefikMiddleware])
             ),
             spec=TraefikMiddlewareSpec(
                 forwardAuth=TraefikMiddlewareSpecForwardAuth(
-                    address=f"http://{self.name}.{self.namespace}:4180/akprox/auth?traefik",
+                    address=f"http://{self.name}.{self.namespace}:9000/akprox/auth/traefik",
                     authResponseHeaders=[
                         "Set-Cookie",
                         "X-Auth-Username",

authentik/providers/proxy/controllers/kubernetes.py

@@ -12,8 +12,9 @@ class ProxyKubernetesController(KubernetesController):
     def __init__(self, outpost: Outpost, connection: KubernetesServiceConnection):
         super().__init__(outpost, connection)
         self.deployment_ports = [
-            DeploymentPort(4180, "http", "tcp"),
-            DeploymentPort(4443, "https", "tcp"),
+            DeploymentPort(9000, "http", "tcp"),
+            DeploymentPort(9300, "http-metrics", "tcp"),
+            DeploymentPort(9443, "https", "tcp"),
         ]
         self.reconcilers["ingress"] = IngressReconciler
         self.reconcilers["traefik middleware"] = TraefikMiddlewareReconciler

authentik/providers/proxy/migrations/0014_proxy_v2.py

@@ -0,0 +1,23 @@
+# Generated by Django 3.2.6 on 2021-09-09 11:24
+
+from django.apps.registry import Apps
+from django.db import migrations
+from django.db.backends.base.schema import BaseDatabaseSchemaEditor
+
+
+def migrate_defaults(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
+    from authentik.providers.proxy.models import JWTAlgorithms, ProxyProvider
+
+    db_alias = schema_editor.connection.alias
+    for provider in ProxyProvider.objects.using(db_alias).filter(jwt_alg=JWTAlgorithms.RS256):
+        provider.set_oauth_defaults()
+        provider.save()
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_providers_proxy", "0013_mode"),
+    ]
+
+    operations = [migrations.RunPython(migrate_defaults)]

authentik/providers/proxy/models.py

@@ -128,8 +128,8 @@ class ProxyProvider(OutpostModel, OAuth2Provider):
     def set_oauth_defaults(self):
         """Ensure all OAuth2-related settings are correct"""
         self.client_type = ClientTypes.CONFIDENTIAL
-        self.jwt_alg = JWTAlgorithms.RS256
-        self.rsa_key = CertificateKeyPair.objects.exclude(key_data__iexact="").first()
+        self.jwt_alg = JWTAlgorithms.HS256
+        self.rsa_key = None
         scopes = ScopeMapping.objects.filter(
             scope_name__in=[
                 SCOPE_OPENID,
@@ -139,12 +139,7 @@ class ProxyProvider(OutpostModel, OAuth2Provider):
             ]
         )
         self.property_mappings.set(scopes)
-        self.redirect_uris = "\n".join(
-            [
-                _get_callback_url(self.external_host),
-                _get_callback_url(self.internal_host),
-            ]
-        )
+        self.redirect_uris = _get_callback_url(self.external_host)
 
     def __str__(self):
         return f"Proxy Provider {self.name}"

authentik/providers/saml/api.py

@@ -9,9 +9,14 @@ from django.utils.translation import gettext_lazy as _
 from django_filters.filters import AllValuesMultipleFilter
 from django_filters.filterset import FilterSet
 from drf_spectacular.types import OpenApiTypes
-from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_schema
+from drf_spectacular.utils import (
+    OpenApiParameter,
+    OpenApiResponse,
+    extend_schema,
+    extend_schema_field,
+)
 from rest_framework.decorators import action
-from rest_framework.fields import CharField, FileField, ReadOnlyField, SerializerMethodField
+from rest_framework.fields import CharField, FileField, SerializerMethodField
 from rest_framework.parsers import MultiPartParser
 from rest_framework.permissions import AllowAny
 from rest_framework.relations import SlugRelatedField
@@ -70,8 +75,8 @@ class SAMLProviderSerializer(ProviderSerializer):
 class SAMLMetadataSerializer(PassiveSerializer):
     """SAML Provider Metadata serializer"""
 
-    metadata = ReadOnlyField()
-    download_url = ReadOnlyField(required=False)
+    metadata = CharField(read_only=True)
+    download_url = CharField(read_only=True, required=False)
 
 
 class SAMLProviderImportSerializer(PassiveSerializer):
@@ -185,7 +190,7 @@ class SAMLPropertyMappingSerializer(PropertyMappingSerializer):
 class SAMLPropertyMappingFilter(FilterSet):
     """Filter for SAMLPropertyMapping"""
 
-    managed = AllValuesMultipleFilter(field_name="managed")
+    managed = extend_schema_field(OpenApiTypes.STR)(AllValuesMultipleFilter(field_name="managed"))
 
     class Meta:
         model = SAMLPropertyMapping

authentik/providers/saml/processors/request_parser.py

@@ -59,6 +59,10 @@ class AuthNRequestParser:
     ) -> AuthNRequest:
         root = ElementTree.fromstring(decoded_xml)
 
+        if "AssertionConsumerServiceURL" not in root.attrib:
+            msg = "Missing 'AssertionConsumerServiceURL' attribute"
+            LOGGER.warning(msg)
+            raise CannotHandleAssertion(msg)
         request_acs_url = root.attrib["AssertionConsumerServiceURL"]
 
         if self.provider.acs_url.lower() != request_acs_url.lower():
@@ -66,7 +70,7 @@ class AuthNRequestParser:
                 f"ACS URL of {request_acs_url} doesn't match Provider "
                 f"ACS URL of {self.provider.acs_url}."
             )
-            LOGGER.info(msg)
+            LOGGER.warning(msg)
             raise CannotHandleAssertion(msg)
 
         auth_n_request = AuthNRequest(id=root.attrib["ID"], relay_state=relay_state)