Merge branch 'main' into web/sidebar-with-live-content-3

* main: (47 commits)
  web: bump the wdio group in /tests/wdio with 2 updates (#7702)
  events: fix lint (#7700)
  events: add better fallback for sanitize_item to ensure everything can be saved as JSON (#7694)
  web: bump the wdio group in /tests/wdio with 4 updates (#7696)
  events: include user agent in events (#7693)
  web: fix labels on group view page (#7677)
  website/docs: Add OIDC auth integration with Nextcloud (#7406)
  web: fix locale (#7689)
  core: bump python from 3.11.5-bookworm to 3.12.0-bookworm (#7048)
  translate: Updates for file web/xliff/en.xlf in zh_TW (#7688)
  web: bump pyright from 1.1.336 to 1.1.337 in /web (#7681)
  core: bump sentry-sdk from 1.35.0 to 1.36.0 (#7683)
  website: bump prism-react-renderer from 2.2.0 to 2.3.0 in /website (#7685)
  web: bump the sentry group in /web with 2 updates (#7679)
  web: bump rollup from 4.5.0 to 4.5.1 in /web (#7680)
  web: bump @types/codemirror from 5.60.14 to 5.60.15 in /web (#7682)
  web: bump the wdio group in /tests/wdio with 2 updates (#7684)
  website: bump react-tooltip from 5.23.0 to 5.24.0 in /website (#7686)
  core: bump goauthentik.io/api/v3 from 3.2023103.4 to 3.2023104.1 (#7687)
  website/blog: Blog on security (#7671)
  ...

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2023.10.3
+current_version = 2023.10.4
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)

.github/actions/setup/action.yml

@@ -2,7 +2,7 @@ name: "Setup authentik testing environment"
 description: "Setup authentik testing environment"
 
 inputs:
-  postgresql_tag:
+  postgresql_version:
     description: "Optional postgresql image tag"
     default: "12"
 
@@ -33,9 +33,8 @@ runs:
     - name: Setup dependencies
       shell: bash
       run: |
-        export PSQL_TAG=${{ inputs.postgresql_tag }}
+        export PSQL_TAG=${{ inputs.postgresql_version }}
         docker-compose -f .github/actions/setup/docker-compose.yml up -d
-        poetry env use python3.11
         poetry install
         cd web && npm ci
     - name: Generate config

.github/workflows/ci-main.yml

@@ -48,25 +48,38 @@ jobs:
       - name: run migrations
         run: poetry run python -m lifecycle.migrate
   test-migrations-from-stable:
+    name: test-migrations-from-stable - PostgreSQL ${{ matrix.psql }}
     runs-on: ubuntu-latest
-    continue-on-error: true
+    strategy:
+      fail-fast: false
+      matrix:
+        psql:
+          - 12-alpine
+          - 15-alpine
+          - 16-alpine
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Setup authentik env
         uses: ./.github/actions/setup
+        with:
+          postgresql_version: ${{ matrix.psql }}
       - name: checkout stable
         run: |
+          # Delete all poetry envs
+          rm -rf /home/runner/.cache/pypoetry
           # Copy current, latest config to local
           cp authentik/lib/default.yml local.env.yml
           cp -R .github ..
           cp -R scripts ..
-          git checkout $(git describe --tags $(git rev-list --tags --max-count=1))
+          git checkout version/$(python -c "from authentik import __version__; print(__version__)")
           rm -rf .github/ scripts/
           mv ../.github ../scripts .
       - name: Setup authentik env (ensure stable deps are installed)
         uses: ./.github/actions/setup
+        with:
+          postgresql_version: ${{ matrix.psql }}
       - name: run migrations to stable
         run: poetry run python -m lifecycle.migrate
       - name: checkout current code
@@ -76,9 +89,13 @@ jobs:
           git reset --hard HEAD
           git clean -d -fx .
           git checkout $GITHUB_SHA
+          # Delete previous poetry env
+          rm -rf $(poetry env info --path)
           poetry install
       - name: Setup authentik env (ensure latest deps are installed)
         uses: ./.github/actions/setup
+        with:
+          postgresql_version: ${{ matrix.psql }}
       - name: migrate to latest
         run: poetry run python -m lifecycle.migrate
   test-unittest:
@@ -97,7 +114,7 @@ jobs:
       - name: Setup authentik env
         uses: ./.github/actions/setup
         with:
-          postgresql_tag: ${{ matrix.psql }}
+          postgresql_version: ${{ matrix.psql }}
       - name: run unittest
         run: |
           poetry run make test
@@ -117,7 +134,7 @@ jobs:
         uses: helm/kind-action@v1.8.0
       - name: run integration
         run: |
-          poetry run coverage run manage.py test --randomly-seed=2100196988 tests/integration
+          poetry run coverage run manage.py test tests/integration
           poetry run coverage xml
       - if: ${{ always() }}
         uses: codecov/codecov-action@v3

.vscode/extensions.json

@@ -14,6 +14,7 @@
         "ms-python.pylint",
         "ms-python.python",
         "ms-python.vscode-pylance",
+        "ms-python.black-formatter",
         "redhat.vscode-yaml",
         "Tobermory.es6-string-html",
         "unifiedjs.vscode-mdx",

.vscode/settings.json

@@ -19,10 +19,8 @@
         "slo",
         "scim",
     ],
-    "python.linting.pylintEnabled": true,
     "todo-tree.tree.showCountsInTree": true,
     "todo-tree.tree.showBadges": true,
-    "python.formatting.provider": "black",
     "yaml.customTags": [
         "!Find sequence",
         "!KeyOf scalar",

Dockerfile

@@ -81,7 +81,7 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
     /bin/sh -c "/usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
 
 # Stage 5: Python dependencies
-FROM docker.io/python:3.11.5-bookworm AS python-deps
+FROM docker.io/python:3.12.0-slim-bookworm AS python-deps
 
 WORKDIR /ak-root/poetry
 
@@ -104,7 +104,7 @@ RUN --mount=type=bind,target=./pyproject.toml,src=./pyproject.toml \
     poetry install --only=main --no-ansi --no-interaction
 
 # Stage 6: Run
-FROM docker.io/python:3.11.5-slim-bookworm AS final-image
+FROM docker.io/python:3.12.0-slim-bookworm AS final-image
 
 ARG GIT_BUILD_HASH
 ARG VERSION

authentik/__init__.py

@@ -2,7 +2,7 @@
 from os import environ
 from typing import Optional
 
-__version__ = "2023.10.3"
+__version__ = "2023.10.4"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 

authentik/core/models.py

@@ -517,7 +517,7 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
     objects = InheritanceManager()
 
     @property
-    def get_icon(self) -> Optional[str]:
+    def icon_url(self) -> Optional[str]:
         """Get the URL to the Icon. If the name is /static or
         starts with http it is returned as-is"""
         if not self.icon:

authentik/events/models.py

@@ -217,6 +217,7 @@ def from_http(self, request: HttpRequest, user: Optional[User] = None) -> "Event
                 "path": request.path,
                 "method": request.method,
                 "args": cleanse_dict(QueryDict(request.META.get("QUERY_STRING", ""))),
+                "user_agent": request.META.get("HTTP_USER_AGENT", ""),
             }
             # Special case for events created during flow execution
             # since they keep the http query within a wrapped query

authentik/events/tests/test_event.py

@@ -53,7 +53,15 @@ def test_from_http_basic(self):
         """Test plain from_http"""
         event = Event.new("unittest").from_http(self.factory.get("/"))
         self.assertEqual(
-            event.context, {"http_request": {"args": {}, "method": "GET", "path": "/"}}
+            event.context,
+            {
+                "http_request": {
+                    "args": {},
+                    "method": "GET",
+                    "path": "/",
+                    "user_agent": "",
+                }
+            },
         )
 
     def test_from_http_clean_querystring(self):
@@ -67,6 +75,7 @@ def test_from_http_clean_querystring(self):
                     "args": {"token": SafeExceptionReporterFilter.cleansed_substitute},
                     "method": "GET",
                     "path": "/",
+                    "user_agent": "",
                 }
             },
         )
@@ -83,6 +92,7 @@ def test_from_http_clean_querystring_flow(self):
                     "args": {"token": SafeExceptionReporterFilter.cleansed_substitute},
                     "method": "GET",
                     "path": "/",
+                    "user_agent": "",
                 }
             },
         )

authentik/events/utils.py

@@ -5,12 +5,13 @@
 from datetime import date, datetime, time, timedelta
 from enum import Enum
 from pathlib import Path
-from types import GeneratorType
+from types import GeneratorType, NoneType
 from typing import Any, Optional
 from uuid import UUID
 
 from django.contrib.auth.models import AnonymousUser
 from django.core.handlers.wsgi import WSGIRequest
+from django.core.serializers.json import DjangoJSONEncoder
 from django.db import models
 from django.db.models.base import Model
 from django.http.request import HttpRequest
@@ -159,7 +160,14 @@ def sanitize_item(value: Any) -> Any:
             "name": value.__name__,
             "module": value.__module__,
         }
-    return value
+    # List taken from the stdlib's JSON encoder (_make_iterencode, encoder.py:415)
+    if isinstance(value, (bool, int, float, NoneType, list, tuple, dict)):
+        return value
+    try:
+        return DjangoJSONEncoder().default(value)
+    except TypeError:
+        return str(value)
+    return str(value)
 
 
 def sanitize_dict(source: dict[Any, Any]) -> dict[Any, Any]: