release: 2024.6.0-rc2 (#10176 )

website/docs: update 2024.6 release notes with latest changes (cherry-pick #10174 ) (#10175 )
Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
2024-06-19 16:53:45 +00:00 · 2024-06-19 16:16:08 +00:00 · 2024-06-19 15:42:39 +00:00 · 2024-06-19 23:45:06 +09:00 · 2024-06-19 13:20:28 +00:00 · 2024-06-18 17:27:49 +00:00
74 changed files with 253 additions and 125 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2024.6.0-rc1
+current_version = 2024.6.0-rc2
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
@ -17,6 +17,8 @@ optional_value = final

 [bumpversion:file:pyproject.toml]

+[bumpversion:file:package.json]
+
 [bumpversion:file:docker-compose.yml]

 [bumpversion:file:schema.yml]
--- a/3
+++ b/3
@ -22,6 +22,8 @@ RUN npm run build-bundled
 # Stage 2: Build webui
 FROM --platform=${BUILDPLATFORM} docker.io/node:22 as web-builder

+ARG GIT_BUILD_HASH
+ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
 ENV NODE_ENV=production

 WORKDIR /work/web
@ -31,6 +33,7 @@ RUN --mount=type=bind,target=/work/web/package.json,src=./web/package.json \
    --mount=type=cache,id=npm-web,sharing=shared,target=/root/.npm \
    npm ci --include=dev

+COPY ./package.json /work
 COPY ./web /work/web/
 COPY ./website /work/website/
 COPY ./gen-ts-api /work/web/node_modules/@goauthentik/api
--- a/authentik/api/templates/api/browser.html
+++ b/authentik/api/templates/api/browser.html
@ -1,13 +1,13 @@
 {% extends "base/skeleton.html" %}

-{% load static %}
+{% load authentik_core %}

 {% block title %}
 API Browser - {{ brand.branding_title }}
 {% endblock %}

 {% block head %}
-<script src="{% static 'dist/standalone/api-browser/index.js' %}?version={{ version }}" type="module"></script>
+{% versioned_script "dist/standalone/api-browser/index-%v.js" %}
 <meta name="theme-color" content="#151515" media="(prefers-color-scheme: light)">
 <meta name="theme-color" content="#151515" media="(prefers-color-scheme: dark)">
 {% endblock %}
--- a/authentik/brands/api.py
+++ b/authentik/brands/api.py
@ -11,14 +11,13 @@ from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.permissions import AllowAny
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ModelSerializer
 from rest_framework.validators import UniqueValidator
 from rest_framework.viewsets import ModelViewSet

 from authentik.api.authorization import SecretKeyFilter
 from authentik.brands.models import Brand
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import PassiveSerializer
+from authentik.core.api.utils import ModelSerializer, PassiveSerializer
 from authentik.tenants.utils import get_current_tenant


--- a/authentik/core/api/applications.py
+++ b/authentik/core/api/applications.py
@ -17,7 +17,6 @@ from rest_framework.fields import CharField, ReadOnlyField, SerializerMethodFiel
 from rest_framework.parsers import MultiPartParser
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger

@ -26,6 +25,7 @@ from authentik.api.pagination import Pagination
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.core.api.providers import ProviderSerializer
 from authentik.core.api.used_by import UsedByMixin
+from authentik.core.api.utils import ModelSerializer
 from authentik.core.models import Application, User
 from authentik.events.logs import LogEventSerializer, capture_logs
 from authentik.events.models import EventAction
--- a/authentik/core/api/authenticated_sessions.py
+++ b/authentik/core/api/authenticated_sessions.py
@ -8,12 +8,12 @@ from rest_framework import mixins
 from rest_framework.fields import SerializerMethodField
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.request import Request
-from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet
 from ua_parser import user_agent_parser

 from authentik.api.authorization import OwnerSuperuserPermissions
 from authentik.core.api.used_by import UsedByMixin
+from authentik.core.api.utils import ModelSerializer
 from authentik.core.models import AuthenticatedSession
 from authentik.events.context_processors.asn import ASN_CONTEXT_PROCESSOR, ASNDict
 from authentik.events.context_processors.geoip import GEOIP_CONTEXT_PROCESSOR, GeoIPDict
--- a/authentik/core/api/groups.py
+++ b/authentik/core/api/groups.py
@ -17,12 +17,12 @@ from rest_framework.decorators import action
 from rest_framework.fields import CharField, IntegerField, SerializerMethodField
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ListSerializer, ModelSerializer, ValidationError
+from rest_framework.serializers import ListSerializer, ValidationError
 from rest_framework.validators import UniqueValidator
 from rest_framework.viewsets import ModelViewSet

 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import JSONDictField, PassiveSerializer
+from authentik.core.api.utils import JSONDictField, ModelSerializer, PassiveSerializer
 from authentik.core.models import Group, User
 from authentik.rbac.api.roles import RoleSerializer
 from authentik.rbac.decorators import permission_required
--- a/authentik/core/api/property_mappings.py
+++ b/authentik/core/api/property_mappings.py
@ -8,11 +8,10 @@ from guardian.shortcuts import get_objects_for_user
 from rest_framework import mixins
 from rest_framework.decorators import action
 from rest_framework.exceptions import PermissionDenied
-from rest_framework.fields import BooleanField, CharField
+from rest_framework.fields import BooleanField, CharField, SerializerMethodField
 from rest_framework.relations import PrimaryKeyRelatedField
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ModelSerializer, SerializerMethodField
 from rest_framework.viewsets import GenericViewSet

 from authentik.blueprints.api import ManagedSerializer
@ -20,6 +19,7 @@ from authentik.core.api.object_types import TypesMixin
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import (
    MetaNameSerializer,
+    ModelSerializer,
    PassiveSerializer,
 )
 from authentik.core.expression.evaluator import PropertyMappingEvaluator
--- a/authentik/core/api/providers.py
+++ b/authentik/core/api/providers.py
@ -6,13 +6,12 @@ from django.utils.translation import gettext_lazy as _
 from django_filters.filters import BooleanFilter
 from django_filters.filterset import FilterSet
 from rest_framework import mixins
-from rest_framework.fields import ReadOnlyField
-from rest_framework.serializers import ModelSerializer, SerializerMethodField
+from rest_framework.fields import ReadOnlyField, SerializerMethodField
 from rest_framework.viewsets import GenericViewSet

 from authentik.core.api.object_types import TypesMixin
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import MetaNameSerializer
+from authentik.core.api.utils import MetaNameSerializer, ModelSerializer
 from authentik.core.models import Provider


--- a/authentik/core/api/sources.py
+++ b/authentik/core/api/sources.py
@ -11,7 +11,6 @@ from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.parsers import MultiPartParser
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet
 from structlog.stdlib import get_logger

@ -19,7 +18,7 @@ from authentik.api.authorization import OwnerFilter, OwnerSuperuserPermissions
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.core.api.object_types import TypesMixin
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import MetaNameSerializer
+from authentik.core.api.utils import MetaNameSerializer, ModelSerializer
 from authentik.core.models import Source, UserSourceConnection
 from authentik.core.types import UserSettingSerializer
 from authentik.lib.utils.file import (
--- a/authentik/core/api/tokens.py
+++ b/authentik/core/api/tokens.py
@ -12,7 +12,6 @@ from rest_framework.fields import CharField
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet

 from authentik.api.authorization import OwnerSuperuserPermissions
@ -20,7 +19,7 @@ from authentik.blueprints.api import ManagedSerializer
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.users import UserSerializer
-from authentik.core.api.utils import PassiveSerializer
+from authentik.core.api.utils import ModelSerializer, PassiveSerializer
 from authentik.core.models import (
    USER_ATTRIBUTE_TOKEN_EXPIRING,
    USER_ATTRIBUTE_TOKEN_MAXIMUM_LIFETIME,
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@ -40,7 +40,6 @@ from rest_framework.serializers import (
    BooleanField,
    DateTimeField,
    ListSerializer,
-    ModelSerializer,
    PrimaryKeyRelatedField,
    ValidationError,
 )
@ -52,7 +51,12 @@ from authentik.admin.api.metrics import CoordinateSerializer
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.brands.models import Brand
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import JSONDictField, LinkSerializer, PassiveSerializer
+from authentik.core.api.utils import (
+    JSONDictField,
+    LinkSerializer,
+    ModelSerializer,
+    PassiveSerializer,
+)
 from authentik.core.middleware import (
    SESSION_KEY_IMPERSONATE_ORIGINAL_USER,
    SESSION_KEY_IMPERSONATE_USER,
--- a/authentik/core/api/utils.py
+++ b/authentik/core/api/utils.py
@ -12,9 +12,12 @@ from rest_framework.fields import (
    JSONField,
    SerializerMethodField,
 )
+from rest_framework.serializers import ModelSerializer as BaseModelSerializer
 from rest_framework.serializers import (
    Serializer,
    ValidationError,
+    model_meta,
+    raise_errors_on_nested_writes,
 )


@ -25,6 +28,39 @@ def is_dict(value: Any):
    raise ValidationError("Value must be a dictionary, and not have any duplicate keys.")


+class ModelSerializer(BaseModelSerializer):
+
+    def update(self, instance: Model, validated_data):
+        raise_errors_on_nested_writes("update", self, validated_data)
+        info = model_meta.get_field_info(instance)
+
+        # Simply set each attribute on the instance, and then save it.
+        # Note that unlike `.create()` we don't need to treat many-to-many
+        # relationships as being a special case. During updates we already
+        # have an instance pk for the relationships to be associated with.
+        m2m_fields = []
+        for attr, value in validated_data.items():
+            if attr in info.relations and info.relations[attr].to_many:
+                m2m_fields.append((attr, value))
+            else:
+                setattr(instance, attr, value)
+
+        instance.save()
+
+        # Note that many-to-many fields are set after updating instance.
+        # Setting m2m fields triggers signals which could potentially change
+        # updated instance and we do not want it to collide with .update()
+        for attr, value in m2m_fields:
+            field = getattr(instance, attr)
+            # We can't check for inheritance here as m2m managers are generated dynamically
+            if field.__class__.__name__ == "RelatedManager":
+                field.set(value, bulk=False)
+            else:
+                field.set(value)
+
+        return instance
+
+
 class JSONDictField(JSONField):
    """JSON Field which only allows dictionaries"""

--- a/authentik/core/expression/evaluator.py
+++ b/authentik/core/expression/evaluator.py
@ -76,8 +76,11 @@ class PropertyMappingEvaluator(BaseEvaluator):
        )
        if "request" in self._context:
            req: PolicyRequest = self._context["request"]
-            event.from_http(req.http_request, req.user)
-            return
+            if req.http_request:
+                event.from_http(req.http_request, req.user)
+                return
+            elif req.user:
+                event.set_user(req.user)
        event.save()

    def evaluate(self, *args, **kwargs) -> Any:
--- a/authentik/core/expression/exceptions.py
+++ b/authentik/core/expression/exceptions.py
@ -16,3 +16,7 @@ class SkipObjectException(PropertyMappingExpressionException):
    """Exception which can be raised in a property mapping to skip syncing an object.
    Only applies to Property mappings which sync objects, and not on mappings which transitively
    apply to a single user"""
+
+    def __init__(self) -> None:
+        # For this class only, both of these are set by the function evaluating the property mapping
+        super().__init__(exc=None, mapping=None)
--- a/authentik/core/templates/base/skeleton.html
+++ b/authentik/core/templates/base/skeleton.html
@ -1,5 +1,6 @@
 {% load static %}
 {% load i18n %}
+{% load authentik_core %}

 <!DOCTYPE html>

@ -14,8 +15,8 @@
        {% endblock %}
        <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">
        <link rel="stylesheet" type="text/css" href="{% static 'dist/custom.css' %}" data-inject>
-        <script src="{% static 'dist/poly.js' %}?version={{ version }}" type="module"></script>
-        <script src="{% static 'dist/standalone/loading/index.js' %}?version={{ version }}" type="module"></script>
+        {% versioned_script "dist/poly-%v.js" %}
+        {% versioned_script "dist/standalone/loading/index-%v.js" %}
        {% block head %}
        {% endblock %}
        <meta name="sentry-trace" content="{{ sentry_trace }}" />
--- a/authentik/core/templates/if/admin.html
+++ b/authentik/core/templates/if/admin.html
@ -1,9 +1,9 @@
 {% extends "base/skeleton.html" %}

-{% load static %}
+{% load authentik_core %}

 {% block head %}
-<script src="{% static 'dist/admin/AdminInterface.js' %}?version={{ version }}" type="module"></script>
+{% versioned_script "dist/admin/AdminInterface-%v.js" %}
 <meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)">
 <meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)">
 {% include "base/header_js.html" %}
--- a/authentik/core/templates/if/flow.html
+++ b/authentik/core/templates/if/flow.html
@ -1,6 +1,7 @@
 {% extends "base/skeleton.html" %}

 {% load static %}
+{% load authentik_core %}

 {% block head_before %}
 {{ block.super }}
@ -17,7 +18,7 @@ window.authentik.flow = {
 {% endblock %}

 {% block head %}
-<script src="{% static 'dist/flow/FlowInterface.js' %}?version={{ version }}" type="module"></script>
+{% versioned_script "dist/flow/FlowInterface-%v.js" %}
 <style>
 :root {
    --ak-flow-background: url("{{ flow.background_url }}");
--- a/authentik/core/templates/if/user.html
+++ b/authentik/core/templates/if/user.html
@ -1,9 +1,9 @@
 {% extends "base/skeleton.html" %}

-{% load static %}
+{% load authentik_core %}

 {% block head %}
-<script src="{% static 'dist/user/UserInterface.js' %}?version={{ version }}" type="module"></script>
+{% versioned_script "dist/user/UserInterface-%v.js" %}
 <meta name="theme-color" content="#1c1e21" media="(prefers-color-scheme: light)">
 <meta name="theme-color" content="#1c1e21" media="(prefers-color-scheme: dark)">
 {% include "base/header_js.html" %}
--- a/authentik/core/templatetags/init.py
+++ b/authentik/core/templatetags/init.py
--- a/authentik/core/templatetags/authentik_core.py
+++ b/authentik/core/templatetags/authentik_core.py
@ -0,0 +1,27 @@
+"""authentik core tags"""
+
+from django import template
+from django.templatetags.static import static as static_loader
+from django.utils.safestring import mark_safe
+
+from authentik import get_full_version
+
+register = template.Library()
+
+
+@register.simple_tag()
+def versioned_script(path: str) -> str:
+    """Wrapper around {% static %} tag that supports setting the version"""
+    returned_lines = [
+        (
+            f'<script src="{static_loader(path.replace("%v", get_full_version()))}'
+            '" type="module"></script>'
+        ),
+        # Legacy method of loading scripts used as a fallback, without the version in the filename
+        # TODO: Remove after 2024.6 or later
+        (
+            f'<script src="{static_loader(path.replace("-%v", ""))}?'
+            f'version={get_full_version()}" type="module"></script>'
+        ),
+    ]
+    return mark_safe("".join(returned_lines))  # nosec
--- a/authentik/crypto/api.py
+++ b/authentik/crypto/api.py
@ -24,13 +24,12 @@ from rest_framework.fields import (
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger

 from authentik.api.authorization import SecretKeyFilter
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import PassiveSerializer
+from authentik.core.api.utils import ModelSerializer, PassiveSerializer
 from authentik.crypto.apps import MANAGED_KEY
 from authentik.crypto.builder import CertificateBuilder, PrivateKeyAlg
 from authentik.crypto.models import CertificateKeyPair
--- a/authentik/enterprise/api.py
+++ b/authentik/enterprise/api.py
@ -13,11 +13,10 @@ from rest_framework.fields import CharField, IntegerField
 from rest_framework.permissions import IsAuthenticated
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet

 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import PassiveSerializer
+from authentik.core.api.utils import ModelSerializer, PassiveSerializer
 from authentik.core.models import User, UserTypes
 from authentik.enterprise.license import LicenseKey, LicenseSummarySerializer
 from authentik.enterprise.models import License
--- a/authentik/enterprise/providers/google_workspace/api/groups.py
+++ b/authentik/enterprise/providers/google_workspace/api/groups.py
@ -1,11 +1,11 @@
 """GoogleWorkspaceProviderGroup API Views"""

 from rest_framework import mixins
-from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet

 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.users import UserGroupSerializer
+from authentik.core.api.utils import ModelSerializer
 from authentik.enterprise.providers.google_workspace.models import GoogleWorkspaceProviderGroup
 from authentik.lib.sync.outgoing.api import OutgoingSyncConnectionCreateMixin

--- a/authentik/enterprise/providers/google_workspace/api/users.py
+++ b/authentik/enterprise/providers/google_workspace/api/users.py
@ -1,11 +1,11 @@
 """GoogleWorkspaceProviderUser API Views"""

 from rest_framework import mixins
-from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet

 from authentik.core.api.groups import GroupMemberSerializer
 from authentik.core.api.used_by import UsedByMixin
+from authentik.core.api.utils import ModelSerializer
 from authentik.enterprise.providers.google_workspace.models import GoogleWorkspaceProviderUser
 from authentik.lib.sync.outgoing.api import OutgoingSyncConnectionCreateMixin

--- a/authentik/enterprise/providers/microsoft_entra/api/groups.py
+++ b/authentik/enterprise/providers/microsoft_entra/api/groups.py
@ -1,11 +1,11 @@
 """MicrosoftEntraProviderGroup API Views"""

 from rest_framework import mixins
-from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet

 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.users import UserGroupSerializer
+from authentik.core.api.utils import ModelSerializer
 from authentik.enterprise.providers.microsoft_entra.models import MicrosoftEntraProviderGroup
 from authentik.lib.sync.outgoing.api import OutgoingSyncConnectionCreateMixin

--- a/authentik/enterprise/providers/microsoft_entra/api/users.py
+++ b/authentik/enterprise/providers/microsoft_entra/api/users.py
@ -1,11 +1,11 @@
 """MicrosoftEntraProviderUser API Views"""

 from rest_framework import mixins
-from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet

 from authentik.core.api.groups import GroupMemberSerializer
 from authentik.core.api.used_by import UsedByMixin
+from authentik.core.api.utils import ModelSerializer
 from authentik.enterprise.providers.microsoft_entra.models import MicrosoftEntraProviderUser
 from authentik.lib.sync.outgoing.api import OutgoingSyncConnectionCreateMixin

--- a/authentik/enterprise/providers/rac/api/connection_tokens.py
+++ b/authentik/enterprise/providers/rac/api/connection_tokens.py
@ -3,12 +3,12 @@
 from django_filters.rest_framework.backends import DjangoFilterBackend
 from rest_framework import mixins
 from rest_framework.filters import OrderingFilter, SearchFilter
-from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet

 from authentik.api.authorization import OwnerFilter, OwnerSuperuserPermissions
 from authentik.core.api.groups import GroupMemberSerializer
 from authentik.core.api.used_by import UsedByMixin
+from authentik.core.api.utils import ModelSerializer
 from authentik.enterprise.api import EnterpriseRequiredMixin
 from authentik.enterprise.providers.rac.api.endpoints import EndpointSerializer
 from authentik.enterprise.providers.rac.api.providers import RACProviderSerializer
--- a/authentik/enterprise/providers/rac/api/endpoints.py
+++ b/authentik/enterprise/providers/rac/api/endpoints.py
@ -8,11 +8,11 @@ from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_sche
 from rest_framework.fields import SerializerMethodField
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger

 from authentik.core.api.used_by import UsedByMixin
+from authentik.core.api.utils import ModelSerializer
 from authentik.core.models import Provider
 from authentik.enterprise.api import EnterpriseRequiredMixin
 from authentik.enterprise.providers.rac.api.providers import RACProviderSerializer
--- a/authentik/enterprise/providers/rac/templates/if/rac.html
+++ b/authentik/enterprise/providers/rac/templates/if/rac.html
@ -1,9 +1,9 @@
 {% extends "base/skeleton.html" %}

-{% load static %}
+{% load authentik_core %}

 {% block head %}
-<script src="{% static 'dist/enterprise/rac/index.js' %}?version={{ version }}" type="module"></script>
+{% versioned_script "dist/enterprise/rac/index-%v.js" %}
 <meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)">
 <meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)">
 <link rel="icon" href="{{ tenant.branding_favicon }}">
--- a/authentik/events/api/events.py
+++ b/authentik/events/api/events.py
@ -15,12 +15,11 @@ from rest_framework.decorators import action
 from rest_framework.fields import DictField, IntegerField
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet

 from authentik.admin.api.metrics import CoordinateSerializer
 from authentik.core.api.object_types import TypeCreateSerializer
-from authentik.core.api.utils import PassiveSerializer
+from authentik.core.api.utils import ModelSerializer, PassiveSerializer
 from authentik.events.models import Event, EventAction


--- a/authentik/events/api/notification_mappings.py
+++ b/authentik/events/api/notification_mappings.py
@ -1,9 +1,9 @@
 """NotificationWebhookMapping API Views"""

-from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet

 from authentik.core.api.used_by import UsedByMixin
+from authentik.core.api.utils import ModelSerializer
 from authentik.events.models import NotificationWebhookMapping


--- a/authentik/events/api/notification_rules.py
+++ b/authentik/events/api/notification_rules.py
@ -1,10 +1,10 @@
 """NotificationRule API Views"""

-from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet

 from authentik.core.api.groups import GroupSerializer
 from authentik.core.api.used_by import UsedByMixin
+from authentik.core.api.utils import ModelSerializer
 from authentik.events.models import NotificationRule


--- a/authentik/events/api/notification_transports.py
+++ b/authentik/events/api/notification_transports.py
@ -9,11 +9,10 @@ from rest_framework.exceptions import ValidationError
 from rest_framework.fields import CharField, ListField, SerializerMethodField
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet

 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import PassiveSerializer
+from authentik.core.api.utils import ModelSerializer, PassiveSerializer
 from authentik.events.models import (
    Event,
    Notification,
--- a/authentik/events/api/notifications.py
+++ b/authentik/events/api/notifications.py
@ -9,11 +9,11 @@ from rest_framework.fields import ReadOnlyField
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet

 from authentik.api.authorization import OwnerFilter, OwnerPermissions
 from authentik.core.api.used_by import UsedByMixin
+from authentik.core.api.utils import ModelSerializer
 from authentik.events.api.events import EventSerializer
 from authentik.events.models import Notification

--- a/authentik/events/api/tasks.py
+++ b/authentik/events/api/tasks.py
@ -16,10 +16,10 @@ from rest_framework.fields import (
 )
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ReadOnlyModelViewSet
 from structlog.stdlib import get_logger

+from authentik.core.api.utils import ModelSerializer
 from authentik.events.logs import LogEventSerializer
 from authentik.events.models import SystemTask, TaskStatus
 from authentik.rbac.decorators import permission_required
--- a/authentik/flows/api/bindings.py
+++ b/authentik/flows/api/bindings.py
@ -3,10 +3,10 @@
 from typing import Any

 from rest_framework.exceptions import ValidationError
-from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet

 from authentik.core.api.used_by import UsedByMixin
+from authentik.core.api.utils import ModelSerializer
 from authentik.flows.api.stages import StageSerializer
 from authentik.flows.models import FlowStageBinding

--- a/authentik/flows/api/flows.py
+++ b/authentik/flows/api/flows.py
@ -7,18 +7,22 @@ from django.utils.translation import gettext as _
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiResponse, extend_schema
 from rest_framework.decorators import action
-from rest_framework.fields import BooleanField, CharField, ReadOnlyField
+from rest_framework.fields import BooleanField, CharField, ReadOnlyField, SerializerMethodField
 from rest_framework.parsers import MultiPartParser
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ModelSerializer, SerializerMethodField
 from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger

 from authentik.blueprints.v1.exporter import FlowExporter
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT, Importer
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import CacheSerializer, LinkSerializer, PassiveSerializer
+from authentik.core.api.utils import (
+    CacheSerializer,
+    LinkSerializer,
+    ModelSerializer,
+    PassiveSerializer,
+)
 from authentik.events.logs import LogEventSerializer
 from authentik.flows.api.flows_diagram import FlowDiagram, FlowDiagramSerializer
 from authentik.flows.exceptions import FlowNonApplicableException
--- a/authentik/flows/api/stages.py
+++ b/authentik/flows/api/stages.py
@ -4,15 +4,15 @@ from django.urls.base import reverse
 from drf_spectacular.utils import extend_schema
 from rest_framework import mixins
 from rest_framework.decorators import action
+from rest_framework.fields import SerializerMethodField
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ModelSerializer, SerializerMethodField
 from rest_framework.viewsets import GenericViewSet
 from structlog.stdlib import get_logger

 from authentik.core.api.object_types import TypesMixin
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import MetaNameSerializer
+from authentik.core.api.utils import MetaNameSerializer, ModelSerializer
 from authentik.core.types import UserSettingSerializer
 from authentik.flows.api.flows import FlowSetSerializer
 from authentik.flows.models import ConfigurableStage, Stage
--- a/authentik/lib/sync/mapper.py
+++ b/authentik/lib/sync/mapper.py
@ -4,7 +4,10 @@ from django.db.models import QuerySet
 from django.http import HttpRequest

 from authentik.core.expression.evaluator import PropertyMappingEvaluator
-from authentik.core.expression.exceptions import PropertyMappingExpressionException
+from authentik.core.expression.exceptions import (
+    PropertyMappingExpressionException,
+    SkipObjectException,
+)
 from authentik.core.models import PropertyMapping, User


@ -57,6 +60,10 @@ class PropertyMappingManager:
            mapping.set_context(user, request, **kwargs)
            try:
                value = mapping.evaluate(mapping.model.expression)
+            except SkipObjectException as exc:
+                exc.exc = exc
+                exc.mapping = mapping
+                raise exc from exc
            except PropertyMappingExpressionException as exc:
                raise exc from exc
            except Exception as exc:
--- a/authentik/lib/sync/outgoing/api.py
+++ b/authentik/lib/sync/outgoing/api.py
@ -7,9 +7,8 @@ from rest_framework.decorators import action
 from rest_framework.fields import BooleanField
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ModelSerializer

-from authentik.core.api.utils import PassiveSerializer
+from authentik.core.api.utils import ModelSerializer, PassiveSerializer
 from authentik.events.api.tasks import SystemTaskSerializer
 from authentik.lib.sync.outgoing.models import OutgoingSyncProvider

--- a/authentik/outposts/api/outposts.py
+++ b/authentik/outposts/api/outposts.py
@ -6,17 +6,17 @@ from django_filters.filters import ModelMultipleChoiceFilter
 from django_filters.filterset import FilterSet
 from drf_spectacular.utils import extend_schema
 from rest_framework.decorators import action
+from rest_framework.exceptions import ValidationError
 from rest_framework.fields import BooleanField, CharField, DateTimeField, SerializerMethodField
 from rest_framework.relations import PrimaryKeyRelatedField
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ModelSerializer, ValidationError
 from rest_framework.viewsets import ModelViewSet

 from authentik import get_build_hash
 from authentik.core.api.providers import ProviderSerializer
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import JSONDictField, PassiveSerializer
+from authentik.core.api.utils import JSONDictField, ModelSerializer, PassiveSerializer
 from authentik.core.models import Provider
 from authentik.enterprise.license import LicenseKey
 from authentik.enterprise.providers.rac.models import RACProvider
--- a/authentik/outposts/api/service_connections.py
+++ b/authentik/outposts/api/service_connections.py
@ -12,13 +12,13 @@ from rest_framework.decorators import action
 from rest_framework.fields import BooleanField, CharField, ReadOnlyField
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet, ModelViewSet

 from authentik.core.api.object_types import TypesMixin
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import (
    MetaNameSerializer,
+    ModelSerializer,
    PassiveSerializer,
 )
 from authentik.outposts.models import (
--- a/authentik/policies/api/bindings.py
+++ b/authentik/policies/api/bindings.py
@ -5,13 +5,15 @@ from collections import OrderedDict
 from django.core.exceptions import ObjectDoesNotExist
 from django_filters.filters import BooleanFilter, ModelMultipleChoiceFilter
 from django_filters.filterset import FilterSet
-from rest_framework.serializers import ModelSerializer, PrimaryKeyRelatedField, ValidationError
+from rest_framework.exceptions import ValidationError
+from rest_framework.serializers import PrimaryKeyRelatedField
 from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger

 from authentik.core.api.groups import GroupSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.users import UserSerializer
+from authentik.core.api.utils import ModelSerializer
 from authentik.policies.api.policies import PolicySerializer
 from authentik.policies.models import PolicyBinding, PolicyBindingModel

--- a/authentik/policies/api/policies.py
+++ b/authentik/policies/api/policies.py
@ -6,9 +6,9 @@ from drf_spectacular.utils import OpenApiResponse, extend_schema
 from guardian.shortcuts import get_objects_for_user
 from rest_framework import mixins
 from rest_framework.decorators import action
+from rest_framework.fields import SerializerMethodField
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ModelSerializer, SerializerMethodField
 from rest_framework.viewsets import GenericViewSet
 from structlog.stdlib import get_logger

@ -18,6 +18,7 @@ from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import (
    CacheSerializer,
    MetaNameSerializer,
+    ModelSerializer,
 )
 from authentik.events.logs import LogEventSerializer, capture_logs
 from authentik.policies.api.exec import PolicyTestResultSerializer, PolicyTestSerializer
--- a/authentik/policies/reputation/api.py
+++ b/authentik/policies/reputation/api.py
@ -3,10 +3,10 @@
 from django.utils.translation import gettext_lazy as _
 from rest_framework import mixins
 from rest_framework.exceptions import ValidationError
-from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet, ModelViewSet

 from authentik.core.api.used_by import UsedByMixin
+from authentik.core.api.utils import ModelSerializer
 from authentik.policies.api.policies import PolicySerializer
 from authentik.policies.reputation.models import Reputation, ReputationPolicy

--- a/authentik/policies/reputation/signals.py
+++ b/authentik/policies/reputation/signals.py
@ -1,6 +1,8 @@
 """authentik reputation request signals"""

 from django.contrib.auth.signals import user_logged_in
+from django.db import transaction
+from django.db.models import F
 from django.dispatch import receiver
 from django.http import HttpRequest
 from structlog.stdlib import get_logger
@ -19,16 +21,21 @@ def update_score(request: HttpRequest, identifier: str, amount: int):
    """Update score for IP and User"""
    remote_ip = ClientIPMiddleware.get_client_ip(request)

-    Reputation.objects.update_or_create(
-        ip=remote_ip,
-        identifier=identifier,
-        defaults={
-            "score": amount,
-            "ip_geo_data": GEOIP_CONTEXT_PROCESSOR.city_dict(remote_ip) or {},
-            "ip_asn_data": ASN_CONTEXT_PROCESSOR.asn_dict(remote_ip) or {},
-            "expires": reputation_expiry(),
-        },
-    )
+    with transaction.atomic():
+        reputation, created = Reputation.objects.select_for_update().get_or_create(
+            ip=remote_ip,
+            identifier=identifier,
+            defaults={
+                "score": amount,
+                "ip_geo_data": GEOIP_CONTEXT_PROCESSOR.city_dict(remote_ip) or {},
+                "ip_asn_data": ASN_CONTEXT_PROCESSOR.asn_dict(remote_ip) or {},
+                "expires": reputation_expiry(),
+            },
+        )
+
+        if not created:
+            reputation.score = F("score") + amount
+            reputation.save()
    LOGGER.debug("Updated score", amount=amount, for_user=identifier, for_ip=remote_ip)


--- a/authentik/policies/reputation/tests.py
+++ b/authentik/policies/reputation/tests.py
@ -39,6 +39,15 @@ class TestReputationPolicy(TestCase):
        )
        self.assertEqual(Reputation.objects.get(identifier=self.test_username).score, -1)

+    def test_update_reputation(self):
+        """test reputation update"""
+        Reputation.objects.create(identifier=self.test_username, ip=self.test_ip, score=43)
+        # Trigger negative reputation
+        authenticate(
+            self.request, self.backends, username=self.test_username, password=self.test_username
+        )
+        self.assertEqual(Reputation.objects.get(identifier=self.test_username).score, 42)
+
    def test_policy(self):
        """Test Policy"""
        request = PolicyRequest(user=self.user)
--- a/authentik/providers/ldap/api.py
+++ b/authentik/providers/ldap/api.py
@ -5,11 +5,11 @@ from django.db.models.query import Q
 from django_filters.filters import BooleanFilter
 from django_filters.filterset import FilterSet
 from rest_framework.fields import CharField, ListField, SerializerMethodField
-from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet, ReadOnlyModelViewSet

 from authentik.core.api.providers import ProviderSerializer
 from authentik.core.api.used_by import UsedByMixin
+from authentik.core.api.utils import ModelSerializer
 from authentik.providers.ldap.models import LDAPProvider


--- a/authentik/providers/oauth2/api/tokens.py
+++ b/authentik/providers/oauth2/api/tokens.py
@ -7,12 +7,11 @@ from guardian.utils import get_anonymous_user
 from rest_framework import mixins
 from rest_framework.fields import CharField, ListField, SerializerMethodField
 from rest_framework.filters import OrderingFilter, SearchFilter
-from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet

 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.users import UserSerializer
-from authentik.core.api.utils import MetaNameSerializer
+from authentik.core.api.utils import MetaNameSerializer, ModelSerializer
 from authentik.providers.oauth2.api.providers import OAuth2ProviderSerializer
 from authentik.providers.oauth2.models import AccessToken, AuthorizationCode, RefreshToken

--- a/authentik/providers/proxy/api.py
+++ b/authentik/providers/proxy/api.py
@ -6,12 +6,11 @@ from django.utils.translation import gettext_lazy as _
 from drf_spectacular.utils import extend_schema_field
 from rest_framework.exceptions import ValidationError
 from rest_framework.fields import CharField, ListField, ReadOnlyField, SerializerMethodField
-from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet, ReadOnlyModelViewSet

 from authentik.core.api.providers import ProviderSerializer
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import PassiveSerializer
+from authentik.core.api.utils import ModelSerializer, PassiveSerializer
 from authentik.lib.utils.time import timedelta_from_string
 from authentik.providers.oauth2.models import ScopeMapping
 from authentik.providers.oauth2.views.provider import ProviderInfoView
--- a/authentik/providers/radius/api.py
+++ b/authentik/providers/radius/api.py
@ -1,11 +1,11 @@
 """RadiusProvider API Views"""

 from rest_framework.fields import CharField, ListField
-from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet, ReadOnlyModelViewSet

 from authentik.core.api.providers import ProviderSerializer
 from authentik.core.api.used_by import UsedByMixin
+from authentik.core.api.utils import ModelSerializer
 from authentik.providers.radius.models import RadiusProvider


--- a/authentik/providers/scim/api/groups.py
+++ b/authentik/providers/scim/api/groups.py
@ -1,11 +1,11 @@
 """SCIMProviderGroup API Views"""

 from rest_framework import mixins
-from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet

 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.users import UserGroupSerializer
+from authentik.core.api.utils import ModelSerializer
 from authentik.lib.sync.outgoing.api import OutgoingSyncConnectionCreateMixin
 from authentik.providers.scim.models import SCIMProviderGroup

--- a/authentik/providers/scim/api/users.py
+++ b/authentik/providers/scim/api/users.py
@ -1,11 +1,11 @@
 """SCIMProviderUser API Views"""

 from rest_framework import mixins
-from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet

 from authentik.core.api.groups import GroupMemberSerializer
 from authentik.core.api.used_by import UsedByMixin
+from authentik.core.api.utils import ModelSerializer
 from authentik.lib.sync.outgoing.api import OutgoingSyncConnectionCreateMixin
 from authentik.providers.scim.models import SCIMProviderUser

--- a/authentik/rbac/api/rbac.py
+++ b/authentik/rbac/api/rbac.py
@ -13,10 +13,9 @@ from rest_framework.fields import (
    ReadOnlyField,
    SerializerMethodField,
 )
-from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ReadOnlyModelViewSet

-from authentik.core.api.utils import PassiveSerializer
+from authentik.core.api.utils import ModelSerializer, PassiveSerializer
 from authentik.core.models import User
 from authentik.lib.validators import RequiredTogetherValidator
 from authentik.policies.event_matcher.models import model_choices
--- a/authentik/rbac/api/rbac_assigned_by_roles.py
+++ b/authentik/rbac/api/rbac_assigned_by_roles.py
@ -12,10 +12,9 @@ from rest_framework.fields import CharField, ReadOnlyField
 from rest_framework.mixins import ListModelMixin
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet

-from authentik.core.api.utils import PassiveSerializer
+from authentik.core.api.utils import ModelSerializer, PassiveSerializer
 from authentik.policies.event_matcher.models import model_choices
 from authentik.rbac.api.rbac import PermissionAssignSerializer
 from authentik.rbac.decorators import permission_required
--- a/authentik/rbac/api/rbac_assigned_by_users.py
+++ b/authentik/rbac/api/rbac_assigned_by_users.py
@ -13,10 +13,10 @@ from rest_framework.fields import BooleanField, ReadOnlyField
 from rest_framework.mixins import ListModelMixin
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet

 from authentik.core.api.groups import GroupMemberSerializer
+from authentik.core.api.utils import ModelSerializer
 from authentik.core.models import User, UserTypes
 from authentik.policies.event_matcher.models import model_choices
 from authentik.rbac.api.rbac import PermissionAssignSerializer
--- a/authentik/rbac/api/roles.py
+++ b/authentik/rbac/api/roles.py
@ -1,9 +1,9 @@
 """RBAC Roles"""

-from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet

 from authentik.core.api.used_by import UsedByMixin
+from authentik.core.api.utils import ModelSerializer
 from authentik.rbac.models import Role


--- a/authentik/root/settings.py
+++ b/authentik/root/settings.py
@ -1,7 +1,6 @@
 """root settings for authentik"""

 import importlib
-import os
 from collections import OrderedDict
 from hashlib import sha512
 from pathlib import Path
@ -10,7 +9,7 @@ from celery.schedules import crontab
 from django.conf import ImproperlyConfigured
 from sentry_sdk import set_tag

-from authentik import ENV_GIT_HASH_KEY, __version__
+from authentik import __version__
 from authentik.lib.config import CONFIG, redis_url
 from authentik.lib.logging import get_logger_config, structlog_configure
 from authentik.lib.sentry import sentry_init
@ -511,7 +510,6 @@ def _update_settings(app_path: str):

 if DEBUG:
    CELERY["task_always_eager"] = True
-    os.environ[ENV_GIT_HASH_KEY] = "dev"
    REST_FRAMEWORK["DEFAULT_RENDERER_CLASSES"].append(
        "rest_framework.renderers.BrowsableAPIRenderer"
    )
--- a/authentik/stages/authenticator_duo/api.py
+++ b/authentik/stages/authenticator_duo/api.py
@ -12,12 +12,12 @@ from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.permissions import IsAdminUser
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet, ModelViewSet
 from structlog.stdlib import get_logger

 from authentik.api.authorization import OwnerFilter, OwnerPermissions
 from authentik.core.api.used_by import UsedByMixin
+from authentik.core.api.utils import ModelSerializer
 from authentik.flows.api.stages import StageSerializer
 from authentik.rbac.decorators import permission_required
 from authentik.stages.authenticator_duo.models import AuthenticatorDuoStage, DuoDevice
--- a/authentik/stages/authenticator_sms/api.py
+++ b/authentik/stages/authenticator_sms/api.py
@ -4,11 +4,11 @@ from django_filters.rest_framework.backends import DjangoFilterBackend
 from rest_framework import mixins
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.permissions import IsAdminUser
-from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet, ModelViewSet

 from authentik.api.authorization import OwnerFilter, OwnerPermissions
 from authentik.core.api.used_by import UsedByMixin
+from authentik.core.api.utils import ModelSerializer
 from authentik.flows.api.stages import StageSerializer
 from authentik.stages.authenticator_sms.models import AuthenticatorSMSStage, SMSDevice

--- a/authentik/stages/authenticator_static/api.py
+++ b/authentik/stages/authenticator_static/api.py
@ -4,11 +4,11 @@ from django_filters.rest_framework import DjangoFilterBackend
 from rest_framework import mixins
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.permissions import IsAdminUser
-from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet, ModelViewSet

 from authentik.api.authorization import OwnerFilter, OwnerPermissions
 from authentik.core.api.used_by import UsedByMixin
+from authentik.core.api.utils import ModelSerializer
 from authentik.flows.api.stages import StageSerializer
 from authentik.stages.authenticator_static.models import (
    AuthenticatorStaticStage,
--- a/authentik/stages/authenticator_totp/api.py
+++ b/authentik/stages/authenticator_totp/api.py
@ -5,11 +5,11 @@ from rest_framework import mixins
 from rest_framework.fields import ChoiceField
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.permissions import IsAdminUser
-from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet, ModelViewSet

 from authentik.api.authorization import OwnerFilter, OwnerPermissions
 from authentik.core.api.used_by import UsedByMixin
+from authentik.core.api.utils import ModelSerializer
 from authentik.flows.api.stages import StageSerializer
 from authentik.stages.authenticator_totp.models import (
    AuthenticatorTOTPStage,
--- a/authentik/stages/authenticator_webauthn/api/devices.py
+++ b/authentik/stages/authenticator_webauthn/api/devices.py
@ -4,11 +4,11 @@ from django_filters.rest_framework.backends import DjangoFilterBackend
 from rest_framework import mixins
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.permissions import IsAdminUser
-from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet, ModelViewSet

 from authentik.api.authorization import OwnerFilter, OwnerPermissions
 from authentik.core.api.used_by import UsedByMixin
+from authentik.core.api.utils import ModelSerializer
 from authentik.stages.authenticator_webauthn.api.device_types import WebAuthnDeviceTypeSerializer
 from authentik.stages.authenticator_webauthn.models import WebAuthnDevice

--- a/authentik/stages/invitation/api.py
+++ b/authentik/stages/invitation/api.py
@ -2,12 +2,11 @@

 from django_filters.filters import BooleanFilter
 from django_filters.filterset import FilterSet
-from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet

 from authentik.core.api.groups import GroupMemberSerializer
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import JSONDictField
+from authentik.core.api.utils import JSONDictField, ModelSerializer
 from authentik.flows.api.flows import FlowSerializer
 from authentik.flows.api.stages import StageSerializer
 from authentik.stages.invitation.models import Invitation, InvitationStage
--- a/authentik/tenants/api/domains.py
+++ b/authentik/tenants/api/domains.py
@ -3,9 +3,9 @@
 from django.apps import apps
 from django.http import HttpResponseNotFound
 from rest_framework.filters import OrderingFilter, SearchFilter
-from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet

+from authentik.core.api.utils import ModelSerializer
 from authentik.tenants.api.tenants import TenantApiKeyPermission
 from authentik.tenants.models import Domain

--- a/authentik/tenants/api/settings.py
+++ b/authentik/tenants/api/settings.py
@ -3,8 +3,8 @@
 from django_tenants.utils import get_public_schema_name
 from rest_framework.generics import RetrieveUpdateAPIView
 from rest_framework.permissions import SAFE_METHODS
-from rest_framework.serializers import ModelSerializer

+from authentik.core.api.utils import ModelSerializer
 from authentik.rbac.permissions import HasPermission
 from authentik.tenants.models import Tenant

--- a/package.json
+++ b/package.json
@ -1,5 +1,5 @@
 {
-  "name": "@goauthentik/authentik",
-  "version": "1.0.0",
-  "private": true
+    "name": "@goauthentik/authentik",
+    "version": "2024.6.0",
+    "private": true
 }
--- a/proxy.Dockerfile
+++ b/proxy.Dockerfile
@ -1,11 +1,12 @@
 # syntax=docker/dockerfile:1

-# Stage 1: Build website
+# Stage 1: Build web
 FROM --platform=${BUILDPLATFORM} docker.io/node:22 as web-builder

 ENV NODE_ENV=production
 WORKDIR /static

+COPY package.json /
 COPY web/package.json .
 COPY web/package-lock.json .
 RUN --mount=type=bind,target=/static/package.json,src=./web/package.json \
--- a/web/build.mjs
+++ b/web/build.mjs
@ -1,3 +1,4 @@
+import { execFileSync } from "child_process";
 import * as chokidar from "chokidar";
 import esbuild from "esbuild";
 import fs from "fs";
@ -9,12 +10,25 @@ import { fileURLToPath } from "url";

 const __dirname = fileURLToPath(new URL(".", import.meta.url));

+let authentikProjectRoot = __dirname + "../";
+try {
+    // Use the package.json file in the root folder, as it has the current version information.
+    authentikProjectRoot = execFileSync("git", ["rev-parse", "--show-toplevel"], {
+        encoding: "utf8",
+    }).replace("\n", "");
+} catch (exc) {
+    // We probably don't have a .git folder, which could happen in container builds
+}
+const rootPackage = JSON.parse(fs.readFileSync(path.join(authentikProjectRoot, "./package.json")));
+
 // eslint-disable-next-line no-undef
 const isProdBuild = process.env.NODE_ENV === "production";

 // eslint-disable-next-line no-undef
 const apiBasePath = process.env.AK_API_BASE_PATH || "";

+const envGitHashKey = "GIT_BUILD_HASH";
+
 const definitions = {
    "process.env.NODE_ENV": JSON.stringify(isProdBuild ? "production" : "development"),
    "process.env.CWD": JSON.stringify(cwd()),
@ -80,8 +94,17 @@ const baseArgs = {
    format: "esm",
 };

+function getVersion() {
+    let version = rootPackage.version;
+    if (process.env[envGitHashKey]) {
+        version = `${version}.${process.env[envGitHashKey]}`;
+    }
+    return version;
+}
+
 async function buildOneSource(source, dest) {
    const DIST = path.join(__dirname, "./dist", dest);
+    // eslint-disable-next-line no-console
    console.log(`[${new Date(Date.now()).toISOString()}] Starting build for target ${source}`);

    try {
@ -89,13 +112,13 @@ async function buildOneSource(source, dest) {
        await esbuild.build({
            ...baseArgs,
            entryPoints: [`./src/${source}`],
+            entryNames: `[dir]/[name]-${getVersion()}`,
            outdir: DIST,
        });
        const end = Date.now();
+        // eslint-disable-next-line no-console
        console.log(
-            `[${new Date(end).toISOString()}] Finished build for target ${source} in ${
-                Date.now() - start
-            }ms`,
+            `[${new Date(end).toISOString()}] Finished build for target ${source} in ${Date.now() - start}ms`,
        );
    } catch (exc) {
        console.error(`[${new Date(Date.now()).toISOString()}] Failed to build ${source}: ${exc}`);
@ -112,12 +135,14 @@ function debouncedBuild() {
        clearTimeout(timeoutId);
    }
    timeoutId = setTimeout(() => {
+        // eslint-disable-next-line no-console
        console.clear();
        buildAuthentik(interfaces);
    }, 250);
 }

 if (process.argv.length > 2 && (process.argv[2] === "-h" || process.argv[2] === "--help")) {
+    // eslint-disable-next-line no-console
    console.log(`Build the authentikUI

 options:
@ -129,6 +154,7 @@ options:
 }

 if (process.argv.length > 2 && (process.argv[2] === "-w" || process.argv[2] === "--watch")) {
+    // eslint-disable-next-line no-console
    console.log("Watching ./src for changes");
    chokidar.watch("./src").on("all", (event, path) => {
        if (!["add", "change", "unlink"].includes(event)) {
--- a/web/package-lock.json
+++ b/web/package-lock.json
@ -18,10 +18,10 @@
                "@formatjs/intl-listformat": "^7.5.7",
                "@fortawesome/fontawesome-free": "^6.5.2",
                "@goauthentik/api": "^2024.4.2-1718378698",
-                "@lit-labs/task": "^3.1.0",
                "@lit/context": "^1.1.2",
                "@lit/localize": "^0.12.1",
                "@lit/reactive-element": "^2.0.4",
+                "@lit/task": "^1.0.1",
                "@open-wc/lit-helpers": "^0.7.0",
                "@patternfly/elements": "^3.0.1",
                "@patternfly/patternfly": "^4.224.2",
@ -3333,15 +3333,6 @@
            "integrity": "sha512-yWJKmpGE6lUURKAaIltoPIE/wrbY3TEkqQt+X0m+7fQNnAv0keydnYvbiJFP1PnMhizmIWRWOG5KLhYyc/xl+g==",
            "license": "BSD-3-Clause"
        },
-        "node_modules/@lit-labs/task": {
-            "version": "3.1.0",
-            "resolved": "https://registry.npmjs.org/@lit-labs/task/-/task-3.1.0.tgz",
-            "integrity": "sha512-zMlcUtZeHDT83IiT2+CJBSoFvWDLnPEezhOCgqjxW4DmRHlbgd7jdft97T6dw4S4RvIETfI7OOyvubCV/EzTlg==",
-            "license": "BSD-3-Clause",
-            "dependencies": {
-                "@lit/task": "^1.0.0"
-            }
-        },
        "node_modules/@lit/context": {
            "version": "1.1.2",
            "resolved": "https://registry.npmjs.org/@lit/context/-/context-1.1.2.tgz",
@ -3403,10 +3394,9 @@
            }
        },
        "node_modules/@lit/task": {
-            "version": "1.0.0",
-            "resolved": "https://registry.npmjs.org/@lit/task/-/task-1.0.0.tgz",
-            "integrity": "sha512-7jocGBh3yGlo3kKxQggZph2txK4X5GYNWp2FAsmV9u2spzUypwrzRzXe8I72icAb02B00+k2nlvxVcrQB6vyrw==",
-            "license": "BSD-3-Clause",
+            "version": "1.0.1",
+            "resolved": "https://registry.npmjs.org/@lit/task/-/task-1.0.1.tgz",
+            "integrity": "sha512-fVLDtmwCau8NywnFIXaJxsCZjzaIxnVq+cFRKYC1Y4tA4/0rMTvF6DLZZ2JE51BwzOluaKtgJX8x1QDsQtAaIw==",
            "dependencies": {
                "@lit/reactive-element": "^1.0.0 || ^2.0.0"
            }
--- a/web/package.json
+++ b/web/package.json
@ -39,10 +39,10 @@
        "@formatjs/intl-listformat": "^7.5.7",
        "@fortawesome/fontawesome-free": "^6.5.2",
        "@goauthentik/api": "^2024.4.2-1718378698",
-        "@lit-labs/task": "^3.1.0",
        "@lit/context": "^1.1.2",
        "@lit/localize": "^0.12.1",
        "@lit/reactive-element": "^2.0.4",
+        "@lit/task": "^1.0.1",
        "@open-wc/lit-helpers": "^0.7.0",
        "@patternfly/elements": "^3.0.1",
        "@patternfly/patternfly": "^4.224.2",
--- a/web/src/elements/buttons/SpinnerButton/BaseTaskButton.ts
+++ b/web/src/elements/buttons/SpinnerButton/BaseTaskButton.ts
@ -66,7 +66,11 @@ export abstract class BaseTaskButton extends CustomEmitterElement(AKElement) {
        this.onSuccess = this.onSuccess.bind(this);
        this.onError = this.onError.bind(this);
        this.onClick = this.onClick.bind(this);
-        this.actionTask = new Task(this, {
+        this.actionTask = this.buildTask();
+    }
+
+    buildTask() {
+        return new Task(this, {
            task: () => this.callAction(),
            args: () => [],
            autoRun: false,
@ -77,8 +81,9 @@ export abstract class BaseTaskButton extends CustomEmitterElement(AKElement) {

    onComplete() {
        setTimeout(() => {
-            this.actionTask.status = TaskStatus.INITIAL;
            this.dispatchCustomEvent(`${this.eventPrefix}-reset`);
+            // set-up for the next task...
+            this.actionTask = this.buildTask();
            this.requestUpdate();
        }, SPINNER_TIMEOUT);
    }
@ -98,7 +103,8 @@ export abstract class BaseTaskButton extends CustomEmitterElement(AKElement) {
    }

    onClick() {
-        if (this.actionTask.status !== TaskStatus.INITIAL) {
+        // Don't accept clicks when a task is in progress..
+        if (this.actionTask.status === TaskStatus.PENDING) {
            return;
        }
        this.dispatchCustomEvent(`${this.eventPrefix}-click`);
--- a/website/docs/releases/2024/v2024.6.md
+++ b/website/docs/releases/2024/v2024.6.md
@ -25,6 +25,10 @@ The provided Helm chart defaults to PostgreSQL 15. If you are using the Helm cha

 The provided Compose file was updated with PostgreSQL 16. You can follow the procedure [here](../../troubleshooting/postgres/upgrade_docker.md) to upgrade.

+### Group names unicity
+
+With this release, authentik now enforces unique group names. Existing groups with name collisions that were created in earlier versions can still exist, but any new groups you create will need a unique name. If changing attributes, permission-level, or parent on an existing group with a name collision, you need to also change its name to be unique. Note that changing members or roles associated with the group does not require a rename.
+
 ## New features

 -   **Google Workspace Provider** <span class="badge badge--primary">Enterprise</span> <span class="badge badge--info">Preview</span>
@ -98,12 +102,14 @@ helm upgrade authentik authentik/authentik -f values.yaml --version ^2024.6
 -   core: add option to select group for property mapping testing (#9834)
 -   core: fix auth_method and auth_method_args being overwritten by password stage (#9782)
 -   core: fix condition in task clean_expiring_models (#9603)
+-   core: fix error when raising SkipObject in mapping (cherry-pick #10153)
 -   core: fix logic for token expiration (#9426)
 -   core: fix source flow_manager not always appending save stage (#9659)
 -   core: fix source_flow_manager saving user-source connection too early (#9559)
 -   core: fix task clean_expiring_models removing valid sessions with using database storage (#9598)
 -   core: groups api: always prefetch users (#9974)
 -   core: groups: optimize recursive children query (#9931)
+-   core: include version in built JS files (cherry-pick #9558) (#10148)
 -   core: only prefetch related objects when required (#9476)
 -   crypto: update fingerprint at same time as certificate (#10036)
 -   enterprise/audit: fix audit logging with m2m relations (#9571)
@ -124,6 +130,7 @@ helm upgrade authentik authentik/authentik -f values.yaml --version ^2024.6
 -   lifecycle: always try custom redis URL (#9441)
 -   lifecycle: close database connection after migrating (#9516)
 -   lifecycle: fix ak test-all command
+-   policies/reputation: fix existing reputation update (cherry-pick #10124) (#10125)
 -   policies/reputation: save to database directly (#10059)
 -   policies: fix ak_call_policy failing when used in testing (#9853)
 -   providers/oauth2: don't handle api scope as special scope (#9910)
@ -144,6 +151,7 @@ helm upgrade authentik authentik/authentik -f values.yaml --version ^2024.6
 -   root: docker-compose: remove version top level element (#9631)
 -   root: handle asgi exception (#10085)
 -   root: include task_id in events and logs (#9749)
+-   root: use custom model serializer that saves m2m without bulk (cherry-pick #10139) (#10151)
 -   sources/oauth: ensure all UI sources return a valid source (#9401)
 -   sources/oauth: fix OAuth Client sending token request incorrectly (#9474)
 -   sources/oauth: modernizes discord icon (#9817)
@ -176,6 +184,8 @@ helm upgrade authentik authentik/authentik -f values.yaml --version ^2024.6
 -   web: Add resolved and integrity fields back to package-lock.json (#9419)
 -   web: clean up some repetitive types (#9241)
 -   web: clean up the options rendering in PromptForm (#9564)
+-   web: fix docker build for non-release versions (cherry-pick #10154) (#10155)
+-   web: fix needed because recent upgrade to task breaks spinner button (cherry-pick #10142) (#10150)
 -   web: fix value handling inside controlled components (#9648)
 -   web: markdown: display markdown even when frontmatter is missing (#9404)
Author	SHA1	Message	Date
Marc 'risson' Schmitt	0bbbc7def2	release: 2024.6.0-rc2 (#10176 )	2024-06-19 16:53:45 +00:00
gcp-cherry-pick-bot[bot]	43fd3eecda	website/docs: update 2024.6 release notes with latest changes (cherry-pick #10174 ) (#10175 ) Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>	2024-06-19 16:16:08 +00:00
gcp-cherry-pick-bot[bot]	631b120e4f	website/docs: 2024.6 release notes: add note about group names (cherry-pick #10170 ) (#10171 ) Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>	2024-06-19 15:42:39 +00:00
gcp-cherry-pick-bot[bot]	9ea517d606	core: fix error when raising SkipObject in mapping (cherry-pick #10153 ) (#10173 ) core: fix error when raising SkipObject in mapping (#10153) * core: fix error when raising SkipObject in mapping * fix events not being saved thanks tests --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L <jens@goauthentik.io>	2024-06-19 23:45:06 +09:00
gcp-cherry-pick-bot[bot]	7b7a7e3073	website/docs: update 2024.6 release notes with latest changes (cherry-pick #10167 ) (#10168 ) Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>	2024-06-19 13:20:28 +00:00
gcp-cherry-pick-bot[bot]	ca3cdc3fd2	web: fix docker build for non-release versions (cherry-pick #10154 ) (#10155 ) Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> fix docker build for non-release versions (#10154)	2024-06-18 17:27:49 +00:00
gcp-cherry-pick-bot[bot]	6e12277903	root: use custom model serializer that saves m2m without bulk (cherry-pick #10139 ) (#10151 ) root: use custom model serializer that saves m2m without bulk (#10139) * use custom model serializer that saves m2m without bulk * sigh --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L <jens@goauthentik.io>	2024-06-18 23:40:53 +09:00
gcp-cherry-pick-bot[bot]	2f42144b33	web: fix needed because recent upgrade to task breaks spinner button (cherry-pick #10142 ) (#10150 ) web: fix needed because recent upgrade to task breaks spinner button (#10142) web: fix broken Task plug-in rebase and fix package json Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Ken Sternberg <133134217+kensternberg-authentik@users.noreply.github.com> Co-authored-by: Jens Langhammer <jens@goauthentik.io>	2024-06-18 17:39:13 +09:00
gcp-cherry-pick-bot[bot]	eef02f2892	core: include version in built JS files (cherry-pick #9558 ) (#10148 ) core: include version in built JS files (#9558) * web: fix esbuild issue with style sheets Getting ESBuild, Lit, and Storybook to all agree on how to read and parse stylesheets is a serious pain. This fix better identifies the value types (instances) being passed from various sources in the repo to the three different kinds of style processors we're using (the native one, the polyfill one, and whatever the heck Storybook does internally). Falling back to using older CSS instantiating techniques one era at a time seems to do the trick. It's ugly, but in the face of the aggressive styling we use to avoid Flashes of Unstyled Content (FLoUC), it's the logic with which we're left. In standard mode, the following warning appears on the console when running a Flow: ``` Autofocus processing was blocked because a document already has a focused element. ``` In compatibility mode, the following error appears on the console when running a Flow: ``` crawler-inject.js:1106 Uncaught TypeError: Failed to execute 'observe' on 'MutationObserver': parameter 1 is not of type 'Node'. at initDomMutationObservers (crawler-inject.js:1106:18) at crawler-inject.js:1114:24 at Array.forEach (<anonymous>) at initDomMutationObservers (crawler-inject.js:1114:10) at crawler-inject.js:1549:1 initDomMutationObservers @ crawler-inject.js:1106 (anonymous) @ crawler-inject.js:1114 initDomMutationObservers @ crawler-inject.js:1114 (anonymous) @ crawler-inject.js:1549 ``` Despite this error, nothing seems to be broken and flows work as anticipated. * core: include version in built JS files * add fallback * include build hash * format * fix stuff why does this even work locally * idk man node * just not use import assertions * web: add no-console, use proper dirname path * web: retarget to use the base package.json file. * web: encode path to root package.json using git This is the most authoritative way of finding the root of the git project. * use full version to match frontend * add fallback for missing .git folder --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L <jens@goauthentik.io> Co-authored-by: Ken Sternberg <ken@goauthentik.io>	2024-06-18 17:39:04 +09:00
gcp-cherry-pick-bot[bot]	b6157ecaf1	policies/reputation: fix existing reputation update (cherry-pick #10124 ) (#10125 ) policies/reputation: fix existing reputation update (#10124) * add failing test case * fix reputation update * lint --------- Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>	2024-06-16 19:52:04 +02:00