# What
- Replaces the *massive* switch/case block for stages with a lookup table.
# Why
- Because it was a massive switch/case block calling 22 different functions with the *exact same*
signatures, and that created both a ton of duplication in the code as well as introduced last-line
risks.
* edit to match new UI
* polished text
* more tweaks
* additional sentence about Flow Executor and link to docs
---------
Co-authored-by: Tana M Berry <tana@goauthentik.com>
# What
- Replaces the "brand links" box at the bottom of FlowExecutor with a component for showing brand
links.
# Why
- Confusion arose about what "footer links" mean in any given context, and breaking this out,
labeling it "brand-links," reduces that confusion. It also isolates and reduces the testable
surface area of the Executor.
we had to change these dependencies for 2024.8.x since that doesn't have invalidation flows
they also need to be changed for 2024.10 when upgrading, and these migrations don't need the invalidation flow migration at all
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Translate locale/en/LC_MESSAGES/django.po in it
100% translated source file: 'locale/en/LC_MESSAGES/django.po'
on 'it'.
Co-authored-by: transifex-integration[bot] <43880903+transifex-integration[bot]@users.noreply.github.com>
add CSP header to files in `/media`
This fixes a security issue of stored cross-site scripting via embedding
JavaScript in SVG files by a malicious user with `can_save_media`
capability.
This can be exploited if:
- the uploaded file is served from the same origin as authentik, and
- the user opens the uploaded file directly in their browser
Co-authored-by: Jens L. <jens@goauthentik.io>
* web: Add InvalidationFlow to Radius Provider dialogues
## What
- Bugfix: adds the InvalidationFlow to the Radius Provider dialogues
- Repairs: `{"invalidation_flow":["This field is required."]}` message, which was *not* propagated
to the Notification.
- Nitpick: Pretties `?foo=${true}` expressions: `s/\?([^=]+)=\$\{true\}/\1/`
## Note
Yes, I know I'm going to have to do more magic when we harmonize the forms, and no, I didn't add the
Property Mappings to the wizard, and yes, I know I'm going to have pain with the *new* version of
the wizard. But this is a serious bug; you can't make Radius servers with *either* of the current
dialogues at the moment.
* web/bugfix/fix-reporting-in-wizard-submit
# What
- Preserves the errors locally for the Wizard, providing explanation and links to fix the issues
# Why
Just a silly mistake on my part. There shouldn't be two copies of errors (and there isn't in the BIG
PRs), but this is how it's designed right now and making the errors show up is an easy fix. In doing
so, the "hack" to move the "bad provider name" to the provider page is included.
* Updated package.json to use Chromedriver 130
* main: (28 commits)
providers/scim: accept string and int for SCIM IDs (#12093)
website: bump the docusaurus group in /website with 9 updates (#12086)
core: fix source_flow_manager throwing error when authenticated user attempts to re-authenticate with existing link (#12080)
translate: Updates for file locale/en/LC_MESSAGES/django.po in de (#12079)
scripts: remove read_replicas from generated dev config (#12078)
core: bump geoip2 from 4.8.0 to 4.8.1 (#12071)
core: bump goauthentik.io/api/v3 from 3.2024100.2 to 3.2024102.2 (#12072)
core: bump maxmind/geoipupdate from v7.0.1 to v7.1.0 (#12073)
translate: Updates for file locale/en/LC_MESSAGES/django.po in zh_CN (#12074)
translate: Updates for file locale/en/LC_MESSAGES/django.po in zh-Hans (#12075)
translate: Updates for file web/xliff/en.xlf in zh-Hans (#12076)
translate: Updates for file web/xliff/en.xlf in zh_CN (#12077)
web/admin: auto-prefill user path for new users based on selected path (#12070)
core: bump aiohttp from 3.10.2 to 3.10.11 (#12069)
web/admin: fix brand title not respected in application list (#12068)
core: bump pyjwt from 2.9.0 to 2.10.0 (#12063)
web: add italian locale (#11958)
web/admin: better footer links (#12004)
core, web: update translations (#12052)
core: bump twilio from 9.3.6 to 9.3.7 (#12061)
...
Translate locale/en/LC_MESSAGES/django.po in de
100% translated source file: 'locale/en/LC_MESSAGES/django.po'
on 'de'.
Co-authored-by: transifex-integration[bot] <43880903+transifex-integration[bot]@users.noreply.github.com>
* web: Add InvalidationFlow to Radius Provider dialogues
## What
- Bugfix: adds the InvalidationFlow to the Radius Provider dialogues
- Repairs: `{"invalidation_flow":["This field is required."]}` message, which was *not* propagated
to the Notification.
- Nitpick: Pretties `?foo=${true}` expressions: `s/\?([^=]+)=\$\{true\}/\1/`
## Note
Yes, I know I'm going to have to do more magic when we harmonize the forms, and no, I didn't add the
Property Mappings to the wizard, and yes, I know I'm going to have pain with the *new* version of
the wizard. But this is a serious bug; you can't make Radius servers with *either* of the current
dialogues at the moment.
* First things first: save the blueprint that initializes the test runner.
* Committing to having the PKs be a string, and streamlining an event handler. Type solidity needed for the footer control.
* web/admin/better-footer-links
# What
- A data control that takes two string fields and returns the JSON object for a FooterLink
- A data control that takes a control like the one above and assists the user in entering a
collection of such objects.
# Why
We're trying to move away from CodeMirror for the simple things, like tables of what is essentially
data entry. Jens proposed this ArrayInput thing, and I've simplified it so you define what "a row"
is as a small, lightweight custom Component that returns and validates the datatype for that row,
and ArrayInput creates a table of rows, and that's that.
We're still working out the details, but the demo is to replace the "Name & URL" table in
AdminSettingsForm with this, since it was silly to ask the customer to hand-write JSON or YAML,
getting the keys right every time, for an `Array<Record<{ name: string, href: string }>>`. And some
client-side validation can't hurt.
Storybook included. Tests to come.
* Not ready for prime time.
* One lint. Other lints are still in progress.
* web: lots of 'as unknown as Foo'
I know this is considered bad practice, but we use Lit and Lit.spread
to send initialization arguments to functions that create DOM
objects, and Lit's prefix convention of '.' for object, '?' for
boolean, and '@' for event handler doesn't map at all to the Interface
declarations of Typescript. So we have to cast these types when
sending them via functions to constructors.
* web/admin/better-footer-links
# What
- Remove the "JSON or YAML" language from the AdminSettings page for describing FooterLinks inputs.
- Add unit tests for ArrayInput and AdminSettingsFooterLinks.
- Provide a property for accessing a component's value
# Why
Providing a property by which the JSONified version of the value can be accessed enhances the
ability of tests to independently check that the value is in a state we desire, since properties can
easily be accessed across the wire protocol used by browser-based testing environments.
* Ensure the UI is built from _current_ before running tests.
* core: add support to set policy bindings in transactional endpoint
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* improve permission checks
especially since we'll be using the wizard as default in the future, it shouldn't be superuser only
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* rebase, fix error response when using duplicate name in provider
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* add permission test
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* main:
providers/ldap: fix global search_full_directory permission not being sufficient (#12028)
website/docs: 2024.10.2 release notes (#12025)
lifecycle: fix ak exit status not being passed (#12024)
core: use versioned_script for path only (#12003)
core, web: update translations (#12020)
core: bump google-api-python-client from 2.152.0 to 2.153.0 (#12021)
providers/oauth2: fix manual device code entry (#12017)
crypto: validate that generated certificate's name is unique (#12015)
core, web: update translations (#12006)
core: bump google-api-python-client from 2.151.0 to 2.152.0 (#12007)
translate: Updates for file locale/en/LC_MESSAGES/django.po in zh-Hans (#12011)
translate: Updates for file locale/en/LC_MESSAGES/django.po in zh_CN (#12010)
translate: Updates for file web/xliff/en.xlf in zh-Hans (#12012)
translate: Updates for file web/xliff/en.xlf in zh_CN (#12013)
providers/proxy: fix Issuer when AUTHENTIK_HOST_BROWSER is set (#11968)
website/docs: move S3 ad GeoIP to System Management/Operations (#11998)
website/integrations: nextcloud: add SSE warning (#11976)
* providers/ldap: fix global search_full_directory permission not being sufficient
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* use full name of permission
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* lifecycle: fix ak exit status not being passed
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* use waitstatus_to_exitcode
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* providers/oauth2: fix manual device code entry
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* make code input a char field to prevent leading 0s from being cut off
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* main: (21 commits)
web: bump API Client version (#11997)
sources/kerberos: use new python-kadmin implementation (#11932)
core: add ability to provide reason for impersonation (#11951)
website/integrations: update vcenter integration docs (#11768)
core, web: update translations (#11995)
website: bump postcss from 8.4.48 to 8.4.49 in /website (#11996)
web: bump API Client version (#11992)
blueprints: add default Password policy (#11793)
stages/captcha: Run interactive captcha in Frame (#11857)
core, web: update translations (#11979)
core: bump packaging from 24.1 to 24.2 (#11985)
core: bump ruff from 0.7.2 to 0.7.3 (#11986)
core: bump msgraph-sdk from 1.11.0 to 1.12.0 (#11987)
website: bump the docusaurus group in /website with 9 updates (#11988)
website: bump postcss from 8.4.47 to 8.4.48 in /website (#11989)
stages/password: use recovery flow from brand (#11953)
core: bump golang.org/x/sync from 0.8.0 to 0.9.0 (#11962)
web: bump cookie, swagger-client and express in /web (#11966)
core, web: update translations (#11959)
core: bump debugpy from 1.8.7 to 1.8.8 (#11961)
...
* core: add ability to provide reason for impersonation
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* tenants api things
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* add missing implem
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* A tooltip needs a DOM object to determine the coordinates where it should render. A solitary string is not enough; a is needed here.
* web: user impersonation reason
To determine where to render the Tooltip content, the object associated with the Tooltip must be a DOM object with an HTML tag. A naked string is not enough; a `<span>` will do nicely here.
Also, fixed a build failure: PFSize was not defined in RelatedUserList.
* add and fix tests
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* avoid migration change
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* small fixes
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
---------
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Co-authored-by: Ken Sternberg <ken@goauthentik.io>
* core: add prompt_data to auth flow (#11702)
I added the prompt_data and user_path to the auth flow. This allows us to more easily sync users details whenever they're logged in through a Source by using the Write stage, identical to an Enrolment flow.
This makes sure that mappings etc are automatically taken into consideration, and are passed to the Authentication flow.
While I was at it, I made the code consistent with the `handle_enroll` method.
Signed-off-by: Wouter van Os <wouter0100@gmail.com>
* updates
* and remove errant .py file that somwhow snuck into the PR! also removed errant api ref files remove old images
* tweak to bumb build
* tweaks
* more tweaks
* removed extraneous old settings
* Update website/integrations/services/vmware-vcenter/index.md
Co-authored-by: Jens L. <jens@goauthentik.io>
Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>
* Update website/integrations/services/vmware-vcenter/index.md
Co-authored-by: Jens L. <jens@goauthentik.io>
Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>
* Update website/integrations/services/vmware-vcenter/index.md
Co-authored-by: Jens L. <jens@goauthentik.io>
Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>
* Update website/integrations/services/vmware-vcenter/index.md
Co-authored-by: Jens L. <jens@goauthentik.io>
Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>
* Update website/integrations/services/vmware-vcenter/index.md
Co-authored-by: Jens L. <jens@goauthentik.io>
Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>
* Update website/integrations/services/vmware-vcenter/index.md
Co-authored-by: Jens L. <jens@goauthentik.io>
Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>
* Update website/integrations/services/vmware-vcenter/index.md
Co-authored-by: Jens L. <jens@goauthentik.io>
Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>
* Update website/integrations/services/vmware-vcenter/index.md
Co-authored-by: Jens L. <jens@goauthentik.io>
Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>
* Update website/integrations/services/vmware-vcenter/index.md
Co-authored-by: Jens L. <jens@goauthentik.io>
Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>
* Update website/integrations/services/vmware-vcenter/index.md
Co-authored-by: Jens L. <jens@goauthentik.io>
Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>
* formatting
* tweak
* why not saved before argh
---------
Signed-off-by: Wouter van Os <wouter0100@gmail.com>
Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>
Co-authored-by: Wouter van Os <wouter0100@gmail.com>
Co-authored-by: Tana M Berry <tana@goauthentik.com>
Co-authored-by: Jens L. <jens@goauthentik.io>
* add password policy to default password change flow
This change complies with the minimal compositional requirements by
NIST SP 800-63 Digital Identity Guidelines. See
https://pages.nist.gov/800-63-4/sp800-63b.html#password
More work is needed to comply with other parts of the Guidelines,
specifically
> If the chosen password is found on the blocklist, the CSP or verifier
> [...] SHALL provide the reason for rejection.
and
> Verifiers SHALL offer guidance to the subscriber to assist the user in
> choosing a strong password. This is particularly important following
> the rejection of a password on the blocklist as it discourages trivial
> modification of listed weak passwords.
* add docs for default Password policy
* remove HIBP from default Password policy
* add zxcvbn to default Password policy
* add fallback password error message to password policy, fix validation policy
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* reword docs
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Signed-off-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com>
* add HIBP caveat
Co-authored-by: Jens L. <jens@goauthentik.io>
Signed-off-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com>
* separate policy into separate blueprint
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* use password policy for oobe flow
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* kiss
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Signed-off-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
* main:
website/docs: fix slug matching redirect URI causing broken refresh (#11950)
website/integrations: jellyfin: update plugin catalog location (#11948)
translate: Updates for file locale/en/LC_MESSAGES/django.po in de (#11942)
translate: Updates for file locale/en/LC_MESSAGES/django.po in zh_CN (#11946)
translate: Updates for file locale/en/LC_MESSAGES/django.po in zh-Hans (#11947)
website/docs: clarify traefik ingress setup (#11938)
core: bump importlib-metadata from 8.4.0 to 8.5.0 (#11934)
web: bump API Client version (#11930)
root: backport version bump `2024.10.1` (#11929)
website/docs: `2024.10.1` Release Notes (#11926)
website: bump path-to-regexp from 1.8.0 to 1.9.0 in /website (#11924)
core: bump sentry-sdk from 2.17.0 to 2.18.0 (#11918)
website: bump the docusaurus group in /website with 9 updates (#11917)
core: bump goauthentik.io/api/v3 from 3.2024100.1 to 3.2024100.2 (#11915)
core, web: update translations (#11914)
* website/integrations: jellyfin: update plugin catalog location
The add repositories button is now under the Admin interface > Catalog > Gear icon. This PR reflects that change.
Signed-off-by: 4d62 <github-user@sdko.org>
* website/integrations: jellyfin: condense steps
Reduce the number of steps from 5 to it's original number, 3.
Signed-off-by: 4d62 <github-user@sdko.org>
* website/integrations: jellyfin: add admin dashboard location
Tell the user where the admin dashboard is and how to reach it.
Signed-off-by: 4d62 <github-user@sdko.org>
---------
Signed-off-by: 4d62 <github-user@sdko.org>
Translate locale/en/LC_MESSAGES/django.po in de
100% translated source file: 'locale/en/LC_MESSAGES/django.po'
on 'de'.
Co-authored-by: transifex-integration[bot] <43880903+transifex-integration[bot]@users.noreply.github.com>
* fix API Changes in `2024.10` changelog
* add `2024.10.1` API Changes to changelog
* add changes in `2024.10.1` to changelog
* change `details` to `h3` in changelog
* main:
core: add `None` check to a device's `extra_description` (#11904)
providers/oauth2: fix size limited index for tokens (#11879)
web: fix missing status code on failed build (#11903)
website: bump docusaurus-theme-openapi-docs from 4.1.0 to 4.2.0 in /website (#11897)
translate: Updates for file locale/en/LC_MESSAGES/django.po in de (#11891)
stages/authenticator_webauthn: Update FIDO MDS3 & Passkey aaguid blobs (#11884)
translate: Updates for file web/xliff/en.xlf in tr (#11878)
translate: Updates for file locale/en/LC_MESSAGES/django.po in tr (#11866)
core: bump google-api-python-client from 2.149.0 to 2.151.0 (#11885)
core: bump selenium from 4.26.0 to 4.26.1 (#11886)
core, web: update translations (#11896)
website: bump docusaurus-plugin-openapi-docs from 4.1.0 to 4.2.0 in /website (#11898)
core: bump watchdog from 5.0.3 to 6.0.0 (#11899)
core: bump ruff from 0.7.1 to 0.7.2 (#11900)
core: bump django-pglock from 1.6.2 to 1.7.0 (#11901)
website/docs: fix release notes to say Federation (#11889)
* main:
website: bump elliptic from 6.5.7 to 6.6.0 in /website (#11869)
core: bump selenium from 4.25.0 to 4.26.0 (#11875)
core: bump goauthentik.io/api/v3 from 3.2024083.14 to 3.2024100.1 (#11876)
website/docs: add info about invalidation flow, default flows in general (#11800)
website: fix docs redirect (#11873)
website: remove RC disclaimer for version 2024.10 (#11871)
website: update supported versions (#11841)
web: bump API Client version (#11870)
root: backport version bump 2024.10.0 (#11868)
website/docs: 2024.8.4 release notes (#11862)
web/admin: provide default invalidation flows for LDAP and Radius (#11861)
* providers/oauth2: fix size limited index for tokens
I preserved the migrations as comments so the index IDs and migration
IDs remain searchable without accessing git history.
* rename migration file to more descriptive
Translate locale/en/LC_MESSAGES/django.po in de
100% translated source file: 'locale/en/LC_MESSAGES/django.po'
on 'de'.
Co-authored-by: transifex-integration[bot] <43880903+transifex-integration[bot]@users.noreply.github.com>
* main: (43 commits)
core, web: update translations (#11858)
web/admin: fix code-based MFA toggle not working in wizard (#11854)
sources/kerberos: add kiprop to ignored system principals (#11852)
translate: Updates for file locale/en/LC_MESSAGES/django.po in zh_CN (#11846)
translate: Updates for file locale/en/LC_MESSAGES/django.po in it (#11845)
translate: Updates for file web/xliff/en.xlf in zh_CN (#11847)
translate: Updates for file web/xliff/en.xlf in zh-Hans (#11848)
translate: Updates for file locale/en/LC_MESSAGES/django.po in zh-Hans (#11849)
translate: Updates for file web/xliff/en.xlf in it (#11850)
website: 2024.10 Release Notes (#11839)
translate: Updates for file web/xliff/en.xlf in zh-Hans (#11814)
core, web: update translations (#11821)
core: bump goauthentik.io/api/v3 from 3.2024083.13 to 3.2024083.14 (#11830)
core: bump service-identity from 24.1.0 to 24.2.0 (#11831)
core: bump twilio from 9.3.5 to 9.3.6 (#11832)
core: bump pytest-randomly from 3.15.0 to 3.16.0 (#11833)
website/docs: Update social-logins github (#11822)
website/docs: remove � (#11823)
lifecycle: fix kdc5-config missing (#11826)
website/docs: update preview status of different features (#11817)
...
## What
- Bugfix: adds the InvalidationFlow to the Radius Provider dialogues
- Repairs: `{"invalidation_flow":["This field is required."]}` message, which was *not* propagated
to the Notification.
- Nitpick: Pretties `?foo=${true}` expressions: `s/\?([^=]+)=\$\{true\}/\1/`
## Note
Yes, I know I'm going to have to do more magic when we harmonize the forms, and no, I didn't add the
Property Mappings to the wizard, and yes, I know I'm going to have pain with the *new* version of
the wizard. But this is a serious bug; you can't make Radius servers with *either* of the current
dialogues at the moment.
2024-10-23 14:17:30 -07:00
210 changed files with 17909 additions and 7450 deletions
@ -33,6 +33,7 @@ RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
# Stage 2: Run
FROM ghcr.io/goauthentik/fips-debian:bookworm-slim-fips
ARG VERSION
ARG GIT_BUILD_HASH
ENVGIT_BUILD_HASH=$GIT_BUILD_HASH
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
