release: 2024.8.0

web: fix dual-select with dynamic selection (cherry-pick #11133 ) (#11134 )
web: fix dual-select with dynamic selection (#11133) * web: fix dual-select with dynamic selection For dynamic selection, the property name is `.selector` to message that it's a function the API layer uses to select the elements. A few bits of lint picked. * web: added comment to clarify what the fallback selector does Co-authored-by: Ken Sternberg <133134217+kensternberg-authentik@users.noreply.github.com>
2024-09-02 14:14:03 +02:00 · 2024-08-30 19:07:36 +02:00 · 2024-08-29 13:29:47 +02:00 · 2024-08-29 01:58:56 +02:00 · 2024-08-29 01:34:33 +02:00
11 changed files with 41 additions and 25 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2024.8.0-rc2
+current_version = 2024.8.0
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
--- a/.github/actions/docker-push-variables/action.yml
+++ b/.github/actions/docker-push-variables/action.yml
@ -29,9 +29,9 @@ outputs:
  imageTags:
    description: "Docker image tags"
    value: ${{ steps.ev.outputs.imageTags }}
-  imageNames:
-    description: "Docker image names"
-    value: ${{ steps.ev.outputs.imageNames }}
+  attestImageNames:
+    description: "Docker image names used for attestation"
+    value: ${{ steps.ev.outputs.attestImageNames }}
  imageMainTag:
    description: "Docker image main tag"
    value: ${{ steps.ev.outputs.imageMainTag }}
--- a/.github/actions/docker-push-variables/push_vars.py
+++ b/.github/actions/docker-push-variables/push_vars.py
@ -51,15 +51,24 @@ else:
        ]

 image_main_tag = image_tags[0].split(":")[-1]
-image_tags_rendered = ",".join(image_tags)
-image_names_rendered = ",".join(set(name.split(":")[0] for name in image_tags))
+
+
+def get_attest_image_names(image_with_tags: list[str]):
+    """Attestation only for GHCR"""
+    image_tags = []
+    for image_name in set(name.split(":")[0] for name in image_with_tags):
+        if not image_name.startswith("ghcr.io"):
+            continue
+        image_tags.append(image_name)
+    return ",".join(set(image_tags))
+

 with open(os.environ["GITHUB_OUTPUT"], "a+", encoding="utf-8") as _output:
    print(f"shouldBuild={should_build}", file=_output)
    print(f"sha={sha}", file=_output)
    print(f"version={version}", file=_output)
    print(f"prerelease={prerelease}", file=_output)
-    print(f"imageTags={image_tags_rendered}", file=_output)
-    print(f"imageNames={image_names_rendered}", file=_output)
+    print(f"imageTags={','.join(image_tags)}", file=_output)
+    print(f"attestImageNames={get_attest_image_names(image_tags)}", file=_output)
    print(f"imageMainTag={image_main_tag}", file=_output)
    print(f"imageMainName={image_tags[0]}", file=_output)
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@ -261,7 +261,7 @@ jobs:
        id: attest
        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
        with:
-          subject-name: ${{ steps.ev.outputs.imageNames }}
+          subject-name: ${{ steps.ev.outputs.attestImageNames }}
          subject-digest: ${{ steps.push.outputs.digest }}
          push-to-registry: true
  pr-comment:
--- a/.github/workflows/ci-outpost.yml
+++ b/.github/workflows/ci-outpost.yml
@ -115,7 +115,7 @@ jobs:
        id: attest
        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
        with:
-          subject-name: ${{ steps.ev.outputs.imageNames }}
+          subject-name: ${{ steps.ev.outputs.attestImageNames }}
          subject-digest: ${{ steps.push.outputs.digest }}
          push-to-registry: true
  build-binary:
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@ -58,7 +58,7 @@ jobs:
      - uses: actions/attest-build-provenance@v1
        id: attest
        with:
-          subject-name: ${{ steps.ev.outputs.imageNames }}
+          subject-name: ${{ steps.ev.outputs.attestImageNames }}
          subject-digest: ${{ steps.push.outputs.digest }}
          push-to-registry: true
  build-outpost:
@ -122,7 +122,7 @@ jobs:
      - uses: actions/attest-build-provenance@v1
        id: attest
        with:
-          subject-name: ${{ steps.ev.outputs.imageNames }}
+          subject-name: ${{ steps.ev.outputs.attestImageNames }}
          subject-digest: ${{ steps.push.outputs.digest }}
          push-to-registry: true
  build-outpost-binary:
--- a/authentik/enterprise/license.py
+++ b/authentik/enterprise/license.py
@ -117,7 +117,7 @@ class LicenseKey:
                    our_cert.public_key(),
                    algorithms=["ES512"],
                    audience=get_license_aud(),
-                    options={"verify_exp": check_expiry},
+                    options={"verify_exp": check_expiry, "verify_signature": check_expiry},
                ),
            )
        except PyJWTError:
@ -134,7 +134,7 @@ class LicenseKey:
            exp_ts = int(mktime(lic.expiry.timetuple()))
            if total.exp == 0:
                total.exp = exp_ts
-            total.exp = min(total.exp, exp_ts)
+            total.exp = max(total.exp, exp_ts)
            total.license_flags.extend(lic.status.license_flags)
        return total

--- a/authentik/providers/saml/models.py
+++ b/authentik/providers/saml/models.py
@ -164,7 +164,7 @@ class SAMLProvider(Provider):
    )

    sign_assertion = models.BooleanField(default=True)
-    sign_response = models.BooleanField(default=True)
+    sign_response = models.BooleanField(default=False)

    @property
    def launch_url(self) -> str | None:
--- a/web/src/admin/stages/identification/IdentificationStageForm.ts
+++ b/web/src/admin/stages/identification/IdentificationStageForm.ts
@ -46,7 +46,8 @@ async function makeSourcesSelector(instanceSources: string[] | undefined) {

    return localSources
        ? ([pk, _]: DualSelectPair) => localSources.has(pk)
-        : ([_0, _1, _2, source]: DualSelectPair<Source>) =>
+        : // Creating a new instance, auto-select built-in source only when no other sources exist
+          ([_0, _1, _2, source]: DualSelectPair<Source>) =>
              source !== undefined && source.component === "";
 }

@ -75,11 +76,11 @@ export class IdentificationStageForm extends BaseStageForm<IdentificationStage>
                stageUuid: this.instance.pk || "",
                identificationStageRequest: data,
            });
-        } else {
-            return new StagesApi(DEFAULT_CONFIG).stagesIdentificationCreate({
-                identificationStageRequest: data,
-            });
        }
+
+        return new StagesApi(DEFAULT_CONFIG).stagesIdentificationCreate({
+            identificationStageRequest: data,
+        });
    }

    isUserFieldSelected(field: UserFieldsEnum): boolean {
@ -232,12 +233,12 @@ export class IdentificationStageForm extends BaseStageForm<IdentificationStage>
                        ?required=${true}
                        name="sources"
                    >
-                        <ak-dual-select-provider-dynamic-selected
+                        <ak-dual-select-dynamic-selected
                            .provider=${sourcesProvider}
-                            .selected=${makeSourcesSelector(this.instance?.sources)}
+                            .selector=${makeSourcesSelector(this.instance?.sources)}
                            available-label="${msg("Available Stages")}"
                            selected-label="${msg("Selected Stages")}"
-                        ></ak-dual-select-provider-dynamic-selected>
+                        ></ak-dual-select-dynamic-selected>
                        <p class="pf-c-form__helper-text">
                            ${msg(
                                "Select sources should be shown for users to authenticate with. This only affects web-based sources, not LDAP.",
--- a/web/src/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.ts
+++ b/web/src/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.ts
@ -50,3 +50,9 @@ export class AkDualSelectDynamic extends AkDualSelectProvider {
        ></ak-dual-select>`;
    }
 }
+
+declare global {
+    interface HTMLElementTagNameMap {
+        "ak-dual-select-dynamic-selected": AkDualSelectDynamic;
+    }
+}
--- a/website/docs/releases/2024/v2024.8.md
+++ b/website/docs/releases/2024/v2024.8.md
@ -35,7 +35,7 @@ To try out the release candidate, replace your Docker image tag with the latest

    This property mapping populates the `username` and `attributes.phone` attributes of a user at the same time, reducing the number of mappings that are run and thus improving performance. Additionally, they are more straightforward to read, and this change allowed us to implement property mappings for OAuth and SAML sources as well.

-    authentik will automatically migrate existing property mappings to this new format, by generating some Python code for each of the existing property mappings expressions. authentik-manager property mappings will automatically get updated to the new format.
+    authentik will automatically migrate existing property mappings to this new format, by generating some Python code for each of the existing property mappings expressions. authentik-managed property mappings will automatically get updated to the new format.

    **If you have any custom property mappings, we recommend migrating them to this new format.**

@ -45,7 +45,7 @@ To try out the release candidate, replace your Docker image tag with the latest

    SAML sources now sync groups by default when a `http://schemas.xmlsoap.org/claims/Group` attribute is available in the assertion.

-    To disable that behavior, create an OAuth/SAML source property mapping with the following expression:
+    To disable that behavior, create an OAuth/SAML source property mapping with the expression below and assign it as a user property mapping on the source.

    ```python
    return {
Author	SHA1	Message	Date
Jens Langhammer	2fb097061d	release: 2024.8.0	2024-09-02 14:14:03 +02:00
gcp-cherry-pick-bot[bot]	8962d17e03	web: fix dual-select with dynamic selection (cherry-pick #11133 ) (#11134 ) web: fix dual-select with dynamic selection (#11133) * web: fix dual-select with dynamic selection For dynamic selection, the property name is `.selector` to message that it's a function the API layer uses to select the elements. A few bits of lint picked. * web: added comment to clarify what the fallback selector does Co-authored-by: Ken Sternberg <133134217+kensternberg-authentik@users.noreply.github.com>	2024-08-30 19:07:36 +02:00
gcp-cherry-pick-bot[bot]	8326e1490c	ci: fix failing release attestation (cherry-pick #11107 ) (#11120 ) ci: fix failing release attestation (#11107) * ci: fix failing release attestation * fix --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L. <jens@goauthentik.io>	2024-08-29 13:29:47 +02:00
gcp-cherry-pick-bot[bot]	091e4d3e4c	enterprise: fix incorrect comparison for latest validity date (cherry-pick #11109 ) (#11110 ) enterprise: fix incorrect comparison for latest validity date (#11109) Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L. <jens@goauthentik.io>	2024-08-29 01:58:56 +02:00
gcp-cherry-pick-bot[bot]	6ee77edcbb	website/docs: 2024.8 release notes: reword group sync disable and fix typo (cherry-pick #11103 ) (#11108 ) website/docs: 2024.8 release notes: reword group sync disable and fix… (#11103) Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>	2024-08-29 01:34:33 +02:00