Merge branch 'main' into web/bad-default-in-select

* main: (21 commits)
  stages/authenticator_validate: use friendly_name for stage selector when enrolling (#8255)
  web: bump vite from 5.0.10 to 5.0.12 in /web (#8241)
  web: bump the wdio group in /tests/wdio with 4 updates (#8253)
  web: bump rollup from 4.9.5 to 4.9.6 in /web (#8251)
  web: bump core-js from 3.35.0 to 3.35.1 in /web (#8250)
  web: bump the sentry group in /web with 1 update (#8249)
  core: bump ruff from 0.1.13 to 0.1.14 (#8247)
  website: bump react-tooltip from 5.25.2 to 5.26.0 in /website (#8248)
  Update applications.md
  website/docs: fix nginx ingress proxy example (#8245)
  website/blog: add Rebecca's byline, add links for Reddit screenshots (#8238)
  website/blog: Security hygiene Blog (#8225)
  translate: Updates for file locale/en/LC_MESSAGES/django.po in zh_CN (#8235)
  translate: Updates for file web/xliff/en.xlf in zh-Hans (#8232)
  web: bump the storybook group in /web with 7 updates (#8231)
  core: bump drf-spectacular from 0.27.0 to 0.27.1 (#8230)
  translate: Updates for file web/xliff/en.xlf in zh_CN (#8233)
  translate: Updates for file locale/en/LC_MESSAGES/django.po in zh-Hans (#8234)
  web/components: improve error handling in ak-search-select (#8228)
  rbac: fix invitations listing with restricted permissions (#8227)
  ...

Makefile

@@ -67,16 +67,18 @@ lint: ## Lint the python and golang sources
 	pylint $(PY_SOURCES)
 	golangci-lint run -v
 
+core-install:
+	poetry install
+
 migrate: ## Run the Authentik Django server's migrations
 	python -m lifecycle.migrate
 
-i18n-extract: i18n-extract-core web-i18n-extract  ## Extract strings that require translation into files to send to a translation service
+i18n-extract: core-i18n-extract web-i18n-extract  ## Extract strings that require translation into files to send to a translation service
 
-i18n-extract-core:
+core-i18n-extract:
 	ak makemessages --ignore web --ignore internal --ignore web --ignore web-api --ignore website -l en
 
-install: web-install website-install  ## Install all requires dependencies for `web`, `website` and `core`
-	poetry install
+install: web-install website-install core-install  ## Install all requires dependencies for `web`, `website` and `core`
 
 dev-drop-db:
 	dropdb -U ${pg_user} -h ${pg_host} ${pg_name}

authentik/core/api/users.py

@@ -227,9 +227,9 @@ def get_settings(self, user: User) -> dict[str, Any]:
     def get_system_permissions(self, user: User) -> list[str]:
         """Get all system permissions assigned to the user"""
         return list(
-            user.user_permissions.filter(
-                content_type__app_label="authentik_rbac", content_type__model="systempermission"
-            ).values_list("codename", flat=True)
+            x.split(".", maxsplit=1)[1]
+            for x in user.get_all_permissions()
+            if x.startswith("authentik_rbac")
         )
 
     class Meta:

authentik/stages/authenticator_static/migrations/0009_throttling.py

@@ -38,4 +38,11 @@ class Migration(migrations.Migration):
             name="statictoken",
             options={"verbose_name": "Static Token", "verbose_name_plural": "Static Tokens"},
         ),
+        migrations.AlterModelOptions(
+            name="authenticatorstaticstage",
+            options={
+                "verbose_name": "Static Authenticator Setup Stage",
+                "verbose_name_plural": "Static Authenticator Setup Stages",
+            },
+        ),
     ]

authentik/stages/authenticator_static/models.py

@@ -46,11 +46,11 @@ def ui_user_settings(self) -> Optional[UserSettingSerializer]:
         )
 
     def __str__(self) -> str:
-        return f"Static Authenticator Stage {self.name}"
+        return f"Static Authenticator Setup Stage {self.name}"
 
     class Meta:
-        verbose_name = _("Static Authenticator Stage")
-        verbose_name_plural = _("Static Authenticator Stages")
+        verbose_name = _("Static Authenticator Setup Stage")
+        verbose_name_plural = _("Static Authenticator Setup Stages")
 
 
 class StaticDevice(SerializerModel, ThrottlingMixin, Device):

authentik/stages/authenticator_validate/stage.py

@@ -300,8 +300,10 @@ def get_challenge(self) -> AuthenticatorValidationChallenge:
             serializer = SelectableStageSerializer(
                 data={
                     "pk": stage.pk,
-                    "name": stage.name,
-                    "verbose_name": str(stage._meta.verbose_name),
+                    "name": stage.friendly_name or stage.name,
+                    "verbose_name": str(stage._meta.verbose_name)
+                    .replace("Setup Stage", "")
+                    .strip(),
                     "meta_model_name": f"{stage._meta.app_label}.{stage._meta.model_name}",
                 }
             )

authentik/stages/authenticator_validate/tests/test_stage.py

@@ -11,6 +11,7 @@
 from authentik.flows.views.executor import SESSION_KEY_PLAN
 from authentik.lib.generators import generate_id, generate_key
 from authentik.stages.authenticator_duo.models import AuthenticatorDuoStage, DuoDevice
+from authentik.stages.authenticator_static.models import AuthenticatorStaticStage
 from authentik.stages.authenticator_validate.api import AuthenticatorValidateStageSerializer
 from authentik.stages.authenticator_validate.models import AuthenticatorValidateStage, DeviceClasses
 from authentik.stages.authenticator_validate.stage import PLAN_CONTEXT_DEVICE_CHALLENGES
@@ -26,19 +27,22 @@ def setUp(self) -> None:
 
     def test_not_configured_action(self):
         """Test not_configured_action"""
-        conf_stage = IdentificationStage.objects.create(
+        ident_stage = IdentificationStage.objects.create(
             name=generate_id(),
             user_fields=[
                 UserFields.USERNAME,
             ],
         )
+        conf_stage = AuthenticatorStaticStage.objects.create(
+            name=generate_id(),
+        )
         stage = AuthenticatorValidateStage.objects.create(
             name=generate_id(),
             not_configured_action=NotConfiguredAction.CONFIGURE,
         )
         stage.configuration_stages.set([conf_stage])
         flow = create_test_flow()
-        FlowStageBinding.objects.create(target=flow, stage=conf_stage, order=0)
+        FlowStageBinding.objects.create(target=flow, stage=ident_stage, order=0)
         FlowStageBinding.objects.create(target=flow, stage=stage, order=1)
 
         response = self.client.get(
@@ -57,35 +61,30 @@ def test_not_configured_action(self):
         self.assertStageResponse(
             response,
             flow,
-            component="ak-stage-identification",
-            password_fields=False,
-            primary_action="Continue",
-            user_fields=["username"],
-            sources=[],
-            show_source_labels=False,
+            component="ak-stage-authenticator-static",
         )
 
     def test_not_configured_action_multiple(self):
         """Test not_configured_action"""
-        conf_stage = IdentificationStage.objects.create(
+        ident_stage = IdentificationStage.objects.create(
             name=generate_id(),
             user_fields=[
                 UserFields.USERNAME,
             ],
         )
-        conf_stage2 = IdentificationStage.objects.create(
+        conf_stage = AuthenticatorStaticStage.objects.create(
+            name=generate_id(),
+        )
+        conf_stage2 = AuthenticatorStaticStage.objects.create(
             name=generate_id(),
-            user_fields=[
-                UserFields.USERNAME,
-            ],
         )
         stage = AuthenticatorValidateStage.objects.create(
             name=generate_id(),
             not_configured_action=NotConfiguredAction.CONFIGURE,
         )
         stage.configuration_stages.set([conf_stage, conf_stage2])
         flow = create_test_flow()
-        FlowStageBinding.objects.create(target=flow, stage=conf_stage, order=0)
+        FlowStageBinding.objects.create(target=flow, stage=ident_stage, order=0)
         FlowStageBinding.objects.create(target=flow, stage=stage, order=1)
 
         # Get initial identification stage
@@ -118,12 +117,7 @@ def test_not_configured_action_multiple(self):
         self.assertStageResponse(
             response,
             flow,
-            component="ak-stage-identification",
-            password_fields=False,
-            primary_action="Continue",
-            user_fields=["username"],
-            sources=[],
-            show_source_labels=False,
+            component="ak-stage-authenticator-static",
         )
 
     def test_stage_validation(self):

blueprints/default/flow-default-authenticator-static-setup.yaml

@@ -14,6 +14,7 @@ entries:
 - attrs:
     configure_flow: !KeyOf flow
     token_count: 6
+    friendly_name: Static tokens
   identifiers:
     name: default-authenticator-static-setup
   id: default-authenticator-static-setup

blueprints/default/flow-default-authenticator-totp-setup.yaml

@@ -14,6 +14,7 @@ entries:
 - attrs:
     configure_flow: !KeyOf flow
     digits: 6
+    friendly_name: TOTP Device
   identifiers:
     name: default-authenticator-totp-setup
   id: default-authenticator-totp-setup

blueprints/default/flow-default-authenticator-webauthn-setup.yaml

@@ -13,6 +13,7 @@ entries:
   id: flow
 - attrs:
     configure_flow: !KeyOf flow
+    friendly_name: WebAuthn device
   identifiers:
     name: default-authenticator-webauthn-setup
   id: default-authenticator-webauthn-setup