Merge branch 'main' into web/playground/table-architecture-2

* main: (125 commits) sources/ldap: clean-up certs written from db (#7617) web: bump the eslint group in /tests/wdio with 1 update (#7635) core: compile backend translations (#7637) core: bump psycopg from 3.1.12 to 3.1.13 (#7625) core: bump ruff from 0.1.5 to 0.1.6 (#7626) core: bump twilio from 8.10.1 to 8.10.2 (#7627) web: bump the eslint group in /web with 1 update (#7629) web: bump the esbuild group in /web with 2 updates (#7630) web: bump rollup from 4.4.1 to 4.5.0 in /web (#7631) web: bump core-js from 3.33.2 to 3.33.3 in /web (#7633) core: bump goauthentik.io/api/v3 from 3.2023103.3 to 3.2023103.4 (#7634) web: bump the wdio group in /tests/wdio with 4 updates (#7636) translate: Updates for file locale/en/LC_MESSAGES/django.po in zh_TW (#7628) root: specify node and python versions in respective config files, deduplicate in CI (#7620) translate: Updates for file web/xliff/en.xlf in zh-Hans (#7619) translate: Updates for file web/xliff/en.xlf in zh_CN (#7618) tests: better per-test timeouts (#7612) web: bump API Client version (#7613) stages/identification: add option to pretend user exists (#7610) events: stop spam (#7611) ...
goauthentik · Nov 20, 2023 · 6f46c80 · 6f46c80
2 parents c91ac4a + c0b7d32
commit 6f46c80
Show file tree

Hide file tree

Showing 154 changed files with 5,886 additions and 3,591 deletions.
diff --git a/.bumpversion.cfg b/.bumpversion.cfg
@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2023.10.2
+current_version = 2023.10.3
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)

diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml
@@ -9,23 +9,27 @@ inputs:
 runs:
   using: "composite"
   steps:
-    - name: Install poetry
+    - name: Install poetry & deps
       shell: bash
       run: |
         pipx install poetry || true
-        sudo apt update
-        sudo apt install -y libpq-dev openssl libxmlsec1-dev pkg-config gettext
+        sudo apt-get update
+        sudo apt-get install --no-install-recommends -y libpq-dev openssl libxmlsec1-dev pkg-config gettext
     - name: Setup python and restore poetry
-      uses: actions/setup-python@v3
+      uses: actions/setup-python@v4
       with:
-        python-version: "3.11"
+        python-version-file: 'pyproject.toml'
         cache: "poetry"
     - name: Setup node
       uses: actions/setup-node@v3
       with:
-        node-version: "20"
+        node-version-file: web/package.json
         cache: "npm"
         cache-dependency-path: web/package-lock.json
+    - name: Setup go
+      uses: actions/setup-go@v4
+      with:
+        go-version-file: "go.mod"
     - name: Setup dependencies
       shell: bash
       run: |

diff --git a/.github/workflows/ci-main.yml b/.github/workflows/ci-main.yml
@@ -117,7 +117,7 @@ jobs:
         uses: helm/kind-action@v1.8.0
       - name: run integration
         run: |
-          poetry run coverage run manage.py test tests/integration
+          poetry run coverage run manage.py test --randomly-seed=2100196988 tests/integration
           poetry run coverage xml
       - if: ${{ always() }}
         uses: codecov/codecov-action@v3
@@ -187,6 +187,7 @@ jobs:
     needs: ci-core-mark
     runs-on: ubuntu-latest
     permissions:
+      # Needed to upload contianer images to ghcr.io
       packages: write
     timeout-minutes: 120
     steps:
@@ -239,6 +240,7 @@ jobs:
     needs: ci-core-mark
     runs-on: ubuntu-latest
     permissions:
+      # Needed to upload contianer images to ghcr.io
       packages: write
     timeout-minutes: 120
     steps:

diff --git a/.github/workflows/ci-outpost.yml b/.github/workflows/ci-outpost.yml
@@ -67,6 +67,7 @@ jobs:
           - radius
     runs-on: ubuntu-latest
     permissions:
+      # Needed to upload contianer images to ghcr.io
       packages: write
     steps:
       - uses: actions/checkout@v4
@@ -129,7 +130,7 @@ jobs:
           go-version-file: "go.mod"
       - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version-file: web/package.json
           cache: "npm"
           cache-dependency-path: web/package-lock.json
       - name: Generate API

diff --git a/.github/workflows/ci-web.yml b/.github/workflows/ci-web.yml
@@ -24,7 +24,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version-file: ${{ matrix.project }}/package.json
           cache: "npm"
           cache-dependency-path: ${{ matrix.project }}/package-lock.json
       - working-directory: ${{ matrix.project }}/
@@ -40,7 +40,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version-file: web/package.json
           cache: "npm"
           cache-dependency-path: web/package-lock.json
       - working-directory: web/
@@ -62,7 +62,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version-file: ${{ matrix.project }}/package.json
           cache: "npm"
           cache-dependency-path: ${{ matrix.project }}/package-lock.json
       - working-directory: ${{ matrix.project }}/
@@ -78,7 +78,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version-file: web/package.json
           cache: "npm"
           cache-dependency-path: web/package-lock.json
       - working-directory: web/
@@ -110,7 +110,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version-file: web/package.json
           cache: "npm"
           cache-dependency-path: web/package-lock.json
       - working-directory: web/

diff --git a/.github/workflows/ci-website.yml b/.github/workflows/ci-website.yml
@@ -18,7 +18,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version-file: website/package.json
           cache: "npm"
           cache-dependency-path: website/package-lock.json
       - working-directory: website/
@@ -32,7 +32,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version-file: website/package.json
           cache: "npm"
           cache-dependency-path: website/package-lock.json
       - working-directory: website/
@@ -53,7 +53,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version-file: website/package.json
           cache: "npm"
           cache-dependency-path: website/package-lock.json
       - working-directory: website/

diff --git a/.github/workflows/gha-cache-cleanup.yml b/.github/workflows/gha-cache-cleanup.yml
@@ -6,6 +6,10 @@ on:
     types:
       - closed
 
+permissions:
+  # Permission to delete cache
+  actions: write
+
 jobs:
   cleanup:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/release-next-branch.yml b/.github/workflows/release-next-branch.yml
@@ -6,6 +6,7 @@ on:
   workflow_dispatch:
 
 permissions:
+  # Needed to be able to push to the next branch
   contents: write
 
 jobs:

diff --git a/.github/workflows/release-publish.yml b/.github/workflows/release-publish.yml
@@ -8,6 +8,7 @@ jobs:
   build-server:
     runs-on: ubuntu-latest
     permissions:
+      # Needed to upload contianer images to ghcr.io
       packages: write
     steps:
       - uses: actions/checkout@v4
@@ -55,6 +56,7 @@ jobs:
   build-outpost:
     runs-on: ubuntu-latest
     permissions:
+      # Needed to upload contianer images to ghcr.io
       packages: write
     strategy:
       fail-fast: false
@@ -110,6 +112,9 @@ jobs:
   build-outpost-binary:
     timeout-minutes: 120
     runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload binaries to the release
+      contents: write
     strategy:
       fail-fast: false
       matrix:
@@ -126,7 +131,7 @@ jobs:
           go-version-file: "go.mod"
       - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version-file: web/package.json
           cache: "npm"
           cache-dependency-path: web/package-lock.json
       - name: Build web

diff --git a/.github/workflows/release-tag.yml b/.github/workflows/release-tag.yml
@@ -30,7 +30,7 @@ jobs:
           private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
       - name: Extract version number
         id: get_version
-        uses: actions/github-script@v6
+        uses: actions/github-script@v7
         with:
           github-token: ${{ steps.generate_token.outputs.token }}
           script: |

diff --git a/.github/workflows/repo-stale.yml b/.github/workflows/repo-stale.yml
@@ -6,8 +6,8 @@ on:
   workflow_dispatch:
 
 permissions:
+  # Needed to update issues and PRs
   issues: write
-  pull-requests: write
 
 jobs:
   stale:

diff --git a/.github/workflows/translation-advice.yml b/.github/workflows/translation-advice.yml
@@ -7,7 +7,12 @@ on:
     paths:
       - "!**"
       - "locale/**"
-      - "web/src/locales/**"
+      - "!locale/en/**"
+      - "web/xliff/**"
+
+permissions:
+  # Permission to write comment
+  pull-requests: write
 
 jobs:
   post-comment:

diff --git a/.github/workflows/translation-rename.yml b/.github/workflows/translation-rename.yml
@@ -6,6 +6,10 @@ on:
   pull_request:
     types: [opened, reopened]
 
+permissions:
+  # Permission to rename PR
+  pull-requests: write
+
 jobs:
   rename_pr:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/web-api-publish.yml b/.github/workflows/web-api-publish.yml
@@ -19,7 +19,7 @@ jobs:
           token: ${{ steps.generate_token.outputs.token }}
       - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version-file: web/package.json
           registry-url: "https://registry.npmjs.org"
       - name: Generate API Client
         run: make gen-client-ts

diff --git a/Dockerfile b/Dockerfile
@@ -35,7 +35,7 @@ COPY ./gen-ts-api /work/web/node_modules/@goauthentik/api
 RUN npm run build
 
 # Stage 3: Build go proxy
-FROM --platform=${BUILDPLATFORM} docker.io/golang:1.21.3-bookworm AS go-builder
+FROM --platform=${BUILDPLATFORM} docker.io/golang:1.21.4-bookworm AS go-builder
 
 ARG TARGETOS
 ARG TARGETARCH

diff --git a/authentik/__init__.py b/authentik/__init__.py
@@ -2,7 +2,7 @@
 from os import environ
 from typing import Optional
 
-__version__ = "2023.10.2"
+__version__ = "2023.10.3"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 

diff --git a/authentik/admin/api/system.py b/authentik/admin/api/system.py
@@ -30,7 +30,7 @@ class RuntimeDict(TypedDict):
     uname: str
 
 
-class SystemSerializer(PassiveSerializer):
+class SystemInfoSerializer(PassiveSerializer):
     """Get system information."""
 
     http_headers = SerializerMethodField()
@@ -91,14 +91,14 @@ class SystemView(APIView):
     permission_classes = [HasPermission("authentik_rbac.view_system_info")]
     pagination_class = None
     filter_backends = []
-    serializer_class = SystemSerializer
+    serializer_class = SystemInfoSerializer
 
-    @extend_schema(responses={200: SystemSerializer(many=False)})
+    @extend_schema(responses={200: SystemInfoSerializer(many=False)})
     def get(self, request: Request) -> Response:
         """Get system information."""
-        return Response(SystemSerializer(request).data)
+        return Response(SystemInfoSerializer(request).data)
 
-    @extend_schema(responses={200: SystemSerializer(many=False)})
+    @extend_schema(responses={200: SystemInfoSerializer(many=False)})
     def post(self, request: Request) -> Response:
         """Get system information."""
-        return Response(SystemSerializer(request).data)
+        return Response(SystemInfoSerializer(request).data)
diff --git a/authentik/api/v3/config.py b/authentik/api/v3/config.py
@@ -93,10 +93,10 @@ def get_config(self) -> ConfigSerializer:
                     "traces_sample_rate": float(CONFIG.get("error_reporting.sample_rate", 0.4)),
                 },
                 "capabilities": self.get_capabilities(),
-                "cache_timeout": CONFIG.get_int("redis.cache_timeout"),
-                "cache_timeout_flows": CONFIG.get_int("redis.cache_timeout_flows"),
-                "cache_timeout_policies": CONFIG.get_int("redis.cache_timeout_policies"),
-                "cache_timeout_reputation": CONFIG.get_int("redis.cache_timeout_reputation"),
+                "cache_timeout": CONFIG.get_int("cache.timeout"),
+                "cache_timeout_flows": CONFIG.get_int("cache.timeout_flows"),
+                "cache_timeout_policies": CONFIG.get_int("cache.timeout_policies"),
+                "cache_timeout_reputation": CONFIG.get_int("cache.timeout_reputation"),
             }
         )
 

diff --git a/authentik/core/api/users.py b/authentik/core/api/users.py
@@ -171,6 +171,11 @@ def validate_type(self, user_type: str) -> str:
             raise ValidationError("Setting a user to internal service account is not allowed.")
         return user_type
 
+    def validate(self, attrs: dict) -> dict:
+        if self.instance and self.instance.type == UserTypes.INTERNAL_SERVICE_ACCOUNT:
+            raise ValidationError("Can't modify internal service account users")
+        return super().validate(attrs)
+
     class Meta:
         model = User
         fields = [

diff --git a/authentik/core/management/commands/worker.py b/authentik/core/management/commands/worker.py
@@ -17,9 +17,15 @@ class Command(BaseCommand):
     """Run worker"""
 
     def add_arguments(self, parser):
-        parser.add_argument("-b", "--beat", action="store_true")
+        parser.add_argument(
+            "-b",
+            "--beat",
+            action="store_false",
+            help="When set, this worker will _not_ run Beat (scheduled) tasks",
+        )
 
     def handle(self, **options):
+        LOGGER.debug("Celery options", **options)
         close_old_connections()
         if CONFIG.get_bool("remote_debug"):
             import debugpy