Merge branch 'main' into web/revise-wizard-form-handling

* main: (60 commits)
  web/flows: attempt to fix bitwareden android compatibility (#7455)
  sources/oauth: fix patreon (#7454)
  website: bump the docusaurus group in /website with 3 updates (#7400)
  web/admin: fix chart label on dashboard user page (#7434)
  core: bump github.com/gorilla/sessions from 1.2.1 to 1.2.2 (#7446)
  core: bump github.com/gorilla/mux from 1.8.0 to 1.8.1 (#7443)
  core: bump github.com/spf13/cobra from 1.7.0 to 1.8.0 (#7442)
  core: bump github.com/gorilla/websocket from 1.5.0 to 1.5.1 (#7445)
  core: bump golang.org/x/sync from 0.4.0 to 0.5.0 (#7441)
  core: bump github.com/gorilla/securecookie from 1.1.1 to 1.1.2 (#7440)
  core: bump github.com/gorilla/handlers from 1.5.1 to 1.5.2 (#7444)
  web: bump rollup from 4.2.0 to 4.3.0 in /web (#7448)
  web: bump the eslint group in /web with 2 updates (#7447)
  core: bump uvicorn from 0.23.2 to 0.24.0 (#7450)
  core: bump selenium from 4.15.1 to 4.15.2 (#7449)
  core: bump ruff from 0.1.3 to 0.1.4 (#7451)
  web: bump the eslint group in /tests/wdio with 2 updates (#7452)
  providers/proxy: fix closed redis client (#7385)
  ci: explicitly give write permissions to packages (#7428)
  core: bump selenium from 4.15.0 to 4.15.1 (#7422)
  ...

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2023.10.1
+current_version = 2023.10.2
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)

.github/workflows/ci-main.yml

@@ -11,6 +11,7 @@ on:
   pull_request:
     branches:
       - main
+      - version-*
 
 env:
   POSTGRES_DB: authentik
@@ -185,6 +186,8 @@ jobs:
   build:
     needs: ci-core-mark
     runs-on: ubuntu-latest
+    permissions:
+      packages: write
     timeout-minutes: 120
     steps:
       - uses: actions/checkout@v4
@@ -235,6 +238,8 @@ jobs:
   build-arm64:
     needs: ci-core-mark
     runs-on: ubuntu-latest
+    permissions:
+      packages: write
     timeout-minutes: 120
     steps:
       - uses: actions/checkout@v4

.github/workflows/ci-outpost.yml

@@ -9,6 +9,7 @@ on:
   pull_request:
     branches:
       - main
+      - version-*
 
 jobs:
   lint-golint:
@@ -65,6 +66,8 @@ jobs:
           - ldap
           - radius
     runs-on: ubuntu-latest
+    permissions:
+      packages: write
     steps:
       - uses: actions/checkout@v4
         with:

.github/workflows/ci-web.yml

@@ -9,6 +9,7 @@ on:
   pull_request:
     branches:
       - main
+      - version-*
 
 jobs:
   lint-eslint:

.github/workflows/ci-website.yml

@@ -9,6 +9,7 @@ on:
   pull_request:
     branches:
       - main
+      - version-*
 
 jobs:
   lint-prettier:

.github/workflows/release-publish.yml

@@ -7,6 +7,8 @@ on:
 jobs:
   build-server:
     runs-on: ubuntu-latest
+    permissions:
+      packages: write
     steps:
       - uses: actions/checkout@v4
       - name: Set up QEMU
@@ -52,6 +54,8 @@ jobs:
             VERSION_FAMILY=${{ steps.ev.outputs.versionFamily }}
   build-outpost:
     runs-on: ubuntu-latest
+    permissions:
+      packages: write
     strategy:
       fail-fast: false
       matrix:

Dockerfile

@@ -35,7 +35,14 @@ COPY ./gen-ts-api /work/web/node_modules/@goauthentik/api
 RUN npm run build
 
 # Stage 3: Build go proxy
-FROM docker.io/golang:1.21.3-bookworm AS go-builder
+FROM --platform=${BUILDPLATFORM} docker.io/golang:1.21.3-bookworm AS go-builder
+
+ARG TARGETOS
+ARG TARGETARCH
+ARG TARGETVARIANT
+
+ARG GOOS=$TARGETOS
+ARG GOARCH=$TARGETARCH
 
 WORKDIR /go/src/goauthentik.io
 
@@ -57,10 +64,10 @@ ENV CGO_ENABLED=0
 
 RUN --mount=type=cache,target=/go/pkg/mod \
     --mount=type=cache,target=/root/.cache/go-build \
-    go build -o /go/authentik ./cmd/server
+    GOARM="${TARGETVARIANT#v}" go build -o /go/authentik ./cmd/server
 
 # Stage 4: MaxMind GeoIP
-FROM ghcr.io/maxmind/geoipupdate:v6.0 as geoip
+FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v6.0 as geoip
 
 ENV GEOIPUPDATE_EDITION_IDS="GeoLite2-City"
 ENV GEOIPUPDATE_VERBOSE="true"

Makefile

@@ -110,6 +110,8 @@ gen-diff:  ## (Release) generate the changelog diff between the current schema a
 		--markdown /local/diff.md \
 		/local/old_schema.yml /local/schema.yml
 	rm old_schema.yml
+	sed -i 's/{/{/g' diff.md
+	sed -i 's/}/}/g' diff.md
 	npx prettier --write diff.md
 
 gen-clean:

authentik/__init__.py

@@ -2,7 +2,7 @@
 from os import environ
 from typing import Optional
 
-__version__ = "2023.10.1"
+__version__ = "2023.10.2"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 

authentik/flows/migrations/0027_auto_20231028_1424.py

@@ -0,0 +1,34 @@
+# Generated by Django 4.2.6 on 2023-10-28 14:24
+
+from django.apps.registry import Apps
+from django.db import migrations
+from django.db.backends.base.schema import BaseDatabaseSchemaEditor
+
+
+def set_oobe_flow_authentication(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
+    from guardian.shortcuts import get_anonymous_user
+
+    Flow = apps.get_model("authentik_flows", "Flow")
+    User = apps.get_model("authentik_core", "User")
+
+    db_alias = schema_editor.connection.alias
+
+    users = User.objects.using(db_alias).exclude(username="akadmin")
+    try:
+        users = users.exclude(pk=get_anonymous_user().pk)
+    # pylint: disable=broad-except
+    except Exception:  # nosec
+        pass
+
+    if users.exists():
+        Flow.objects.filter(slug="initial-setup").update(authentication="require_superuser")
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("authentik_flows", "0026_alter_flow_options"),
+    ]
+
+    operations = [
+        migrations.RunPython(set_oobe_flow_authentication),
+    ]

authentik/providers/oauth2/utils.py

@@ -188,6 +188,7 @@ def authenticate_provider(request: HttpRequest) -> Optional[OAuth2Provider]:
     if client_id != provider.client_id or client_secret != provider.client_secret:
         LOGGER.debug("(basic) Provider for basic auth does not exist")
         return None
+    CTX_AUTH_VIA.set("oauth_client_secret")
     return provider
 
 

authentik/providers/oauth2/views/token.py

@@ -17,6 +17,7 @@
 from sentry_sdk.hub import Hub
 from structlog.stdlib import get_logger
 
+from authentik.core.middleware import CTX_AUTH_VIA
 from authentik.core.models import (
     USER_ATTRIBUTE_EXPIRES,
     USER_ATTRIBUTE_GENERATED,
@@ -448,6 +449,7 @@ def post(self, request: HttpRequest) -> HttpResponse:
                 if not self.provider:
                     LOGGER.warning("OAuth2Provider does not exist", client_id=client_id)
                     raise TokenError("invalid_client")
+                CTX_AUTH_VIA.set("oauth_client_secret")
                 self.params = TokenParams.parse(request, self.provider, client_id, client_secret)
 
             with Hub.current.start_span(

authentik/sources/oauth/types/patreon.py

@@ -12,8 +12,9 @@ class PatreonOAuthRedirect(OAuthRedirect):
     """Patreon OAuth2 Redirect"""
 
     def get_additional_parameters(self, source: OAuthSource):  # pragma: no cover
+        # https://docs.patreon.com/#scopes
         return {
-            "scope": ["openid", "email", "profile"],
+            "scope": ["identity", "identity[email]"],
         }
 
 

authentik/stages/email/stage.py

@@ -52,17 +52,13 @@ def get_full_url(self, **kwargs) -> str:
             kwargs={"flow_slug": self.executor.flow.slug},
         )
         # Parse query string from current URL (full query string)
-        query_params = QueryDict(self.request.META.get("QUERY_STRING", ""), mutable=True)
+        # this view is only run within a flow executor, where we need to get the query string
+        # from the query= parameter (double encoded); but for the redirect
+        # we need to expand it since it'll go through the flow interface
+        query_params = QueryDict(self.request.GET.get(QS_QUERY), mutable=True)
         query_params.pop(QS_KEY_TOKEN, None)
-
-        # Check for nested query string used by flow executor, and remove any
-        # kind of flow token from that
-        if QS_QUERY in query_params:
-            inner_query_params = QueryDict(query_params.get(QS_QUERY), mutable=True)
-            inner_query_params.pop(QS_KEY_TOKEN, None)
-            query_params[QS_QUERY] = inner_query_params.urlencode()
-
         query_params.update(kwargs)
+        print(query_params)
         full_url = base_url
         if len(query_params) > 0:
             full_url = f"{full_url}?{query_params.urlencode()}"

authentik/stages/email/tests/test_stage.py

@@ -259,7 +259,7 @@ def test_url_existing_params(self):
         session.save()
 
         url = reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
-        url += "?foo=bar"
+        url += "?query=" + urlencode({"foo": "bar"})
         request = self.factory.get(url)
         stage_view = EmailStageView(
             FlowExecutorView(
@@ -273,31 +273,3 @@ def test_url_existing_params(self):
             stage_view.get_full_url(**{QS_KEY_TOKEN: token}),
             f"http://testserver/if/flow/{self.flow.slug}/?foo=bar&flow_token={token}",
         )
-
-    def test_url_existing_params_nested(self):
-        """Test to ensure that URL params are preserved in the URL being sent (including nested)"""
-        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
-        plan.context[PLAN_CONTEXT_PENDING_USER] = self.user
-        session = self.client.session
-        session[SESSION_KEY_PLAN] = plan
-        session.save()
-
-        url = reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
-        url += "?foo=bar&"
-        url += "query=" + urlencode({"nested": "value"})
-        request = self.factory.get(url)
-        stage_view = EmailStageView(
-            FlowExecutorView(
-                request=request,
-                flow=self.flow,
-            ),
-            request=request,
-        )
-        token = generate_id()
-        self.assertEqual(
-            stage_view.get_full_url(**{QS_KEY_TOKEN: token}),
-            (
-                f"http://testserver/if/flow/{self.flow.slug}"
-                f"/?foo=bar&query=nested%3Dvalue&flow_token={token}"
-            ),
-        )

blueprints/default/flow-oobe.yaml

@@ -85,6 +85,19 @@ entries:
   identifiers:
     name: default-oobe-password-usable
   model: authentik_policies_expression.expressionpolicy
+- attrs:
+    expression: |
+      # This policy ensures that the setup flow can only be
+      # used one time
+      from authentik.flows.models import Flow, FlowAuthenticationRequirement
+      Flow.objects.filter(slug="initial-setup").update(
+          authentication=FlowAuthenticationRequirement.REQUIRE_SUPERUSER,
+      )
+      return True
+  id: policy-default-oobe-flow-set-authentication
+  identifiers:
+    name: default-oobe-flow-set-authentication
+  model: authentik_policies_expression.expressionpolicy
 - attrs:
     fields:
     - !KeyOf prompt-field-header
@@ -129,6 +142,7 @@ entries:
     evaluate_on_plan: true
     invalid_response_action: retry
     re_evaluate_policies: false
+  id: binding-login
   identifiers:
     order: 100
     stage: !KeyOf stage-default-authentication-login
@@ -144,3 +158,8 @@ entries:
     policy: !KeyOf policy-default-oobe-prefill-user
     target: !KeyOf binding-password-write
   model: authentik_policies.policybinding
+- identifiers:
+    order: 0
+    policy: !KeyOf policy-default-oobe-flow-set-authentication
+    target: !KeyOf binding-login
+  model: authentik_policies.policybinding

blueprints/system/bootstrap.yaml

@@ -42,9 +42,3 @@ entries:
       user: !KeyOf admin-user
     attrs:
       key: !Context token
-  - model: authentik_blueprints.blueprintinstance
-    identifiers:
-      metadata:
-        labels:
-          blueprints.goauthentik.io/system-bootstrap: "true"
-    state: absent

docker-compose.yml

@@ -32,7 +32,7 @@ services:
     volumes:
       - redis:/data
   server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.1}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.2}
     restart: unless-stopped
     command: server
     environment:
@@ -53,7 +53,7 @@ services:
       - postgresql
       - redis
   worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.1}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.2}
     restart: unless-stopped
     command: worker
     environment:

go.mod

@@ -13,24 +13,24 @@ require (
 	github.com/go-openapi/strfmt v0.21.7
 	github.com/golang-jwt/jwt v3.2.2+incompatible
 	github.com/google/uuid v1.4.0
-	github.com/gorilla/handlers v1.5.1
-	github.com/gorilla/mux v1.8.0
-	github.com/gorilla/securecookie v1.1.1
-	github.com/gorilla/sessions v1.2.1
-	github.com/gorilla/websocket v1.5.0
+	github.com/gorilla/handlers v1.5.2
+	github.com/gorilla/mux v1.8.1
+	github.com/gorilla/securecookie v1.1.2
+	github.com/gorilla/sessions v1.2.2
+	github.com/gorilla/websocket v1.5.1
 	github.com/jellydator/ttlcache/v3 v3.1.0
 	github.com/mitchellh/mapstructure v1.5.0
 	github.com/nmcclain/asn1-ber v0.0.0-20170104154839-2661553a0484
 	github.com/pires/go-proxyproto v0.7.0
 	github.com/prometheus/client_golang v1.17.0
-	github.com/redis/go-redis/v9 v9.2.1
+	github.com/redis/go-redis/v9 v9.3.0
 	github.com/sirupsen/logrus v1.9.3
-	github.com/spf13/cobra v1.7.0
+	github.com/spf13/cobra v1.8.0
 	github.com/stretchr/testify v1.8.4
-	goauthentik.io/api/v3 v3.2023101.1
+	goauthentik.io/api/v3 v3.2023102.1
 	golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab
 	golang.org/x/oauth2 v0.13.0
-	golang.org/x/sync v0.4.0
+	golang.org/x/sync v0.5.0
 	gopkg.in/yaml.v2 v2.4.0
 	layeh.com/radius v0.0.0-20210819152912-ad72663a72ab
 )
@@ -42,7 +42,7 @@ require (
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
-	github.com/felixge/httpsnoop v1.0.1 // indirect
+	github.com/felixge/httpsnoop v1.0.3 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.5 // indirect
 	github.com/go-http-utils/fresh v0.0.0-20161124030543-7231e26a4b27 // indirect
 	github.com/go-http-utils/headers v0.0.0-20181008091004-fed159eddc2a // indirect