Merge branch 'main' into dev

* main: (27 commits) root: use custom model serializer that saves m2m without bulk (#10139) core: bump urllib3 from 2.2.1 to 2.2.2 (#10143) ci: bump docker/build-push-action from 5 to 6 (#10144) web: bump the storybook group in /web with 7 updates (#10147) web: bump ws from 8.16.0 to 8.17.1 in /web (#10149) web: fix needed because recent upgrade to task breaks spinner button (#10142) core: include version in built JS files (#9558) website/integations/services: Slack integration docs (#9933) web: fix early modal stack depletion (#10068) website: bump react-tooltip from 5.26.4 to 5.27.0 in /website (#10129) web: bump @patternfly/elements from 3.0.1 to 3.0.2 in /web (#10132) core: bump github.com/gorilla/sessions from 1.2.2 to 1.3.0 (#10135) web: bump chromedriver from 126.0.0 to 126.0.1 in /tests/wdio (#10136) core: bump github.com/spf13/cobra from 1.8.0 to 1.8.1 (#10133) core, web: update translations (#10127) core: bump ruff from 0.4.8 to 0.4.9 (#10128) core: bump goauthentik.io/api/v3 from 3.2024042.11 to 3.2024042.13 (#10134) core, web: update translations (#10118) translate: Updates for file web/xliff/en.xlf in zh-Hans (#10121) translate: Updates for file web/xliff/en.xlf in zh_CN (#10120) ...
goauthentik · Jun 18, 2024 · 7b208d9 · 7b208d9
2 parents c49185d + 2c781ae
commit 7b208d9
Show file tree

Hide file tree

Showing 94 changed files with 916 additions and 708 deletions.
diff --git a/.bumpversion.cfg b/.bumpversion.cfg
@@ -17,6 +17,8 @@ optional_value = final
 
 [bumpversion:file:pyproject.toml]
 
+[bumpversion:file:package.json]
+
 [bumpversion:file:docker-compose.yml]
 
 [bumpversion:file:schema.yml]

diff --git a/.github/workflows/ci-main.yml b/.github/workflows/ci-main.yml
@@ -240,7 +240,7 @@ jobs:
       - name: generate ts client
         run: make gen-client-ts
       - name: Build Docker Image
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           context: .
           secrets: |

diff --git a/.github/workflows/ci-outpost.yml b/.github/workflows/ci-outpost.yml
@@ -96,7 +96,7 @@ jobs:
       - name: Generate API
         run: make gen-client-go
       - name: Build Docker Image
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           tags: ${{ steps.ev.outputs.imageTags }}
           file: ${{ matrix.type }}.Dockerfile

diff --git a/.github/workflows/release-publish.yml b/.github/workflows/release-publish.yml
@@ -40,7 +40,7 @@ jobs:
           mkdir -p ./gen-ts-api
           mkdir -p ./gen-go-api
       - name: Build Docker Image
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           context: .
           push: true
@@ -94,7 +94,7 @@ jobs:
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build Docker Image
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           push: true
           tags: ${{ steps.ev.outputs.imageTags }}

diff --git a/Dockerfile b/Dockerfile
@@ -31,6 +31,7 @@ RUN --mount=type=bind,target=/work/web/package.json,src=./web/package.json \
     --mount=type=cache,id=npm-web,sharing=shared,target=/root/.npm \
     npm ci --include=dev
 
+COPY ./package.json /work
 COPY ./web /work/web/
 COPY ./website /work/website/
 COPY ./gen-ts-api /work/web/node_modules/@goauthentik/api

diff --git a/authentik/admin/api/system.py b/authentik/admin/api/system.py
@@ -33,7 +33,7 @@ class RuntimeDict(TypedDict):
     platform: str
     uname: str
     openssl_version: str
-    openssl_fips_mode: bool | None
+    openssl_fips_enabled: bool | None
     authentik_version: str
 
 

diff --git a/authentik/api/templates/api/browser.html b/authentik/api/templates/api/browser.html
@@ -1,13 +1,13 @@
 {% extends "base/skeleton.html" %}
 
-{% load static %}
+{% load authentik_core %}
 
 {% block title %}
 API Browser - {{ brand.branding_title }}
 {% endblock %}
 
 {% block head %}
-<script src="{% static 'dist/standalone/api-browser/index.js' %}?version={{ version }}" type="module"></script>
+{% versioned_script "dist/standalone/api-browser/index-%v.js" %}
 <meta name="theme-color" content="#151515" media="(prefers-color-scheme: light)">
 <meta name="theme-color" content="#151515" media="(prefers-color-scheme: dark)">
 {% endblock %}

diff --git a/authentik/brands/api.py b/authentik/brands/api.py
@@ -11,14 +11,13 @@
 from rest_framework.permissions import AllowAny
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ModelSerializer
 from rest_framework.validators import UniqueValidator
 from rest_framework.viewsets import ModelViewSet
 
 from authentik.api.authorization import SecretKeyFilter
 from authentik.brands.models import Brand
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import PassiveSerializer
+from authentik.core.api.utils import ModelSerializer, PassiveSerializer
 from authentik.tenants.utils import get_current_tenant
 
 

diff --git a/authentik/core/api/applications.py b/authentik/core/api/applications.py
@@ -17,7 +17,6 @@
 from rest_framework.parsers import MultiPartParser
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger
 
@@ -26,6 +25,7 @@
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.core.api.providers import ProviderSerializer
 from authentik.core.api.used_by import UsedByMixin
+from authentik.core.api.utils import ModelSerializer
 from authentik.core.models import Application, User
 from authentik.events.logs import LogEventSerializer, capture_logs
 from authentik.events.models import EventAction

diff --git a/authentik/core/api/authenticated_sessions.py b/authentik/core/api/authenticated_sessions.py
@@ -8,12 +8,12 @@
 from rest_framework.fields import SerializerMethodField
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.request import Request
-from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet
 from ua_parser import user_agent_parser
 
 from authentik.api.authorization import OwnerSuperuserPermissions
 from authentik.core.api.used_by import UsedByMixin
+from authentik.core.api.utils import ModelSerializer
 from authentik.core.models import AuthenticatedSession
 from authentik.events.context_processors.asn import ASN_CONTEXT_PROCESSOR, ASNDict
 from authentik.events.context_processors.geoip import GEOIP_CONTEXT_PROCESSOR, GeoIPDict

diff --git a/authentik/core/api/groups.py b/authentik/core/api/groups.py
@@ -17,12 +17,12 @@
 from rest_framework.fields import CharField, IntegerField, SerializerMethodField
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ListSerializer, ModelSerializer, ValidationError
+from rest_framework.serializers import ListSerializer, ValidationError
 from rest_framework.validators import UniqueValidator
 from rest_framework.viewsets import ModelViewSet
 
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import JSONDictField, PassiveSerializer
+from authentik.core.api.utils import JSONDictField, ModelSerializer, PassiveSerializer
 from authentik.core.models import Group, User
 from authentik.rbac.api.roles import RoleSerializer
 from authentik.rbac.decorators import permission_required

diff --git a/authentik/core/api/property_mappings.py b/authentik/core/api/property_mappings.py
@@ -8,18 +8,18 @@
 from rest_framework import mixins
 from rest_framework.decorators import action
 from rest_framework.exceptions import PermissionDenied
-from rest_framework.fields import BooleanField, CharField
+from rest_framework.fields import BooleanField, CharField, SerializerMethodField
 from rest_framework.relations import PrimaryKeyRelatedField
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ModelSerializer, SerializerMethodField
 from rest_framework.viewsets import GenericViewSet
 
 from authentik.blueprints.api import ManagedSerializer
 from authentik.core.api.object_types import TypesMixin
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import (
     MetaNameSerializer,
+    ModelSerializer,
     PassiveSerializer,
 )
 from authentik.core.expression.evaluator import PropertyMappingEvaluator

diff --git a/authentik/core/api/providers.py b/authentik/core/api/providers.py
@@ -6,13 +6,12 @@
 from django_filters.filters import BooleanFilter
 from django_filters.filterset import FilterSet
 from rest_framework import mixins
-from rest_framework.fields import ReadOnlyField
-from rest_framework.serializers import ModelSerializer, SerializerMethodField
+from rest_framework.fields import ReadOnlyField, SerializerMethodField
 from rest_framework.viewsets import GenericViewSet
 
 from authentik.core.api.object_types import TypesMixin
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import MetaNameSerializer
+from authentik.core.api.utils import MetaNameSerializer, ModelSerializer
 from authentik.core.models import Provider
 
 

diff --git a/authentik/core/api/sources.py b/authentik/core/api/sources.py
@@ -11,15 +11,14 @@
 from rest_framework.parsers import MultiPartParser
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet
 from structlog.stdlib import get_logger
 
 from authentik.api.authorization import OwnerFilter, OwnerSuperuserPermissions
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.core.api.object_types import TypesMixin
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import MetaNameSerializer
+from authentik.core.api.utils import MetaNameSerializer, ModelSerializer
 from authentik.core.models import Source, UserSourceConnection
 from authentik.core.types import UserSettingSerializer
 from authentik.lib.utils.file import (

diff --git a/authentik/core/api/tokens.py b/authentik/core/api/tokens.py
@@ -12,15 +12,14 @@
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet
 
 from authentik.api.authorization import OwnerSuperuserPermissions
 from authentik.blueprints.api import ManagedSerializer
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.users import UserSerializer
-from authentik.core.api.utils import PassiveSerializer
+from authentik.core.api.utils import ModelSerializer, PassiveSerializer
 from authentik.core.models import (
     USER_ATTRIBUTE_TOKEN_EXPIRING,
     USER_ATTRIBUTE_TOKEN_MAXIMUM_LIFETIME,

diff --git a/authentik/core/api/users.py b/authentik/core/api/users.py
@@ -40,7 +40,6 @@
     BooleanField,
     DateTimeField,
     ListSerializer,
-    ModelSerializer,
     PrimaryKeyRelatedField,
     ValidationError,
 )
@@ -52,7 +51,12 @@
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.brands.models import Brand
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import JSONDictField, LinkSerializer, PassiveSerializer
+from authentik.core.api.utils import (
+    JSONDictField,
+    LinkSerializer,
+    ModelSerializer,
+    PassiveSerializer,
+)
 from authentik.core.middleware import (
     SESSION_KEY_IMPERSONATE_ORIGINAL_USER,
     SESSION_KEY_IMPERSONATE_USER,

diff --git a/authentik/core/api/utils.py b/authentik/core/api/utils.py
@@ -12,9 +12,12 @@
     JSONField,
     SerializerMethodField,
 )
+from rest_framework.serializers import ModelSerializer as BaseModelSerializer
 from rest_framework.serializers import (
     Serializer,
     ValidationError,
+    model_meta,
+    raise_errors_on_nested_writes,
 )
 
 
@@ -25,6 +28,39 @@ def is_dict(value: Any):
     raise ValidationError("Value must be a dictionary, and not have any duplicate keys.")
 
 
+class ModelSerializer(BaseModelSerializer):
+
+    def update(self, instance: Model, validated_data):
+        raise_errors_on_nested_writes("update", self, validated_data)
+        info = model_meta.get_field_info(instance)
+
+        # Simply set each attribute on the instance, and then save it.
+        # Note that unlike `.create()` we don't need to treat many-to-many
+        # relationships as being a special case. During updates we already
+        # have an instance pk for the relationships to be associated with.
+        m2m_fields = []
+        for attr, value in validated_data.items():
+            if attr in info.relations and info.relations[attr].to_many:
+                m2m_fields.append((attr, value))
+            else:
+                setattr(instance, attr, value)
+
+        instance.save()
+
+        # Note that many-to-many fields are set after updating instance.
+        # Setting m2m fields triggers signals which could potentially change
+        # updated instance and we do not want it to collide with .update()
+        for attr, value in m2m_fields:
+            field = getattr(instance, attr)
+            # We can't check for inheritance here as m2m managers are generated dynamically
+            if field.__class__.__name__ == "RelatedManager":
+                field.set(value, bulk=False)
+            else:
+                field.set(value)
+
+        return instance
+
+
 class JSONDictField(JSONField):
     """JSON Field which only allows dictionaries"""
 

diff --git a/authentik/core/templates/base/skeleton.html b/authentik/core/templates/base/skeleton.html
@@ -1,5 +1,6 @@
 {% load static %}
 {% load i18n %}
+{% load authentik_core %}
 
 <!DOCTYPE html>
 
@@ -14,8 +15,8 @@
         {% endblock %}
         <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">
         <link rel="stylesheet" type="text/css" href="{% static 'dist/custom.css' %}" data-inject>
-        <script src="{% static 'dist/poly.js' %}?version={{ version }}" type="module"></script>
-        <script src="{% static 'dist/standalone/loading/index.js' %}?version={{ version }}" type="module"></script>
+        {% versioned_script "dist/poly-%v.js" %}
+        {% versioned_script "dist/standalone/loading/index-%v.js" %}
         {% block head %}
         {% endblock %}
         <meta name="sentry-trace" content="{{ sentry_trace }}" />

diff --git a/authentik/core/templates/if/admin.html b/authentik/core/templates/if/admin.html
@@ -1,9 +1,9 @@
 {% extends "base/skeleton.html" %}
 
-{% load static %}
+{% load authentik_core %}
 
 {% block head %}
-<script src="{% static 'dist/admin/AdminInterface.js' %}?version={{ version }}" type="module"></script>
+{% versioned_script "dist/admin/AdminInterface-%v.js" %}
 <meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)">
 <meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)">
 {% include "base/header_js.html" %}

diff --git a/authentik/core/templates/if/flow.html b/authentik/core/templates/if/flow.html
@@ -1,6 +1,7 @@
 {% extends "base/skeleton.html" %}
 
 {% load static %}
+{% load authentik_core %}
 
 {% block head_before %}
 {{ block.super }}
@@ -17,7 +18,7 @@
 {% endblock %}
 
 {% block head %}
-<script src="{% static 'dist/flow/FlowInterface.js' %}?version={{ version }}" type="module"></script>
+{% versioned_script "dist/flow/FlowInterface-%v.js" %}
 <style>
 :root {
     --ak-flow-background: url("{{ flow.background_url }}");

diff --git a/authentik/core/templates/if/user.html b/authentik/core/templates/if/user.html
@@ -1,9 +1,9 @@
 {% extends "base/skeleton.html" %}
 
-{% load static %}
+{% load authentik_core %}
 
 {% block head %}
-<script src="{% static 'dist/user/UserInterface.js' %}?version={{ version }}" type="module"></script>
+{% versioned_script "dist/user/UserInterface-%v.js" %}
 <meta name="theme-color" content="#1c1e21" media="(prefers-color-scheme: light)">
 <meta name="theme-color" content="#1c1e21" media="(prefers-color-scheme: dark)">
 {% include "base/header_js.html" %}

diff --git a/authentik/core/templatetags/__init__.py b/authentik/core/templatetags/__init__.py
diff --git a/authentik/core/templatetags/authentik_core.py b/authentik/core/templatetags/authentik_core.py
@@ -0,0 +1,27 @@
+"""authentik core tags"""
+
+from django import template
+from django.templatetags.static import static as static_loader
+from django.utils.safestring import mark_safe
+
+from authentik import get_full_version
+
+register = template.Library()
+
+
+@register.simple_tag()
+def versioned_script(path: str) -> str:
+    """Wrapper around {% static %} tag that supports setting the version"""
+    returned_lines = [
+        (
+            f'<script src="{static_loader(path.replace("%v", get_full_version()))}'
+            '" type="module"></script>'
+        ),
+        # Legacy method of loading scripts used as a fallback, without the version in the filename
+        # TODO: Remove after 2024.6 or later
+        (
+            f'<script src="{static_loader(path.replace("-%v", ""))}?'
+            f'version={get_full_version()}" type="module"></script>'
+        ),
+    ]
+    return mark_safe("".join(returned_lines))  # nosec
diff --git a/authentik/crypto/api.py b/authentik/crypto/api.py
@@ -24,13 +24,12 @@
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger
 
 from authentik.api.authorization import SecretKeyFilter
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import PassiveSerializer
+from authentik.core.api.utils import ModelSerializer, PassiveSerializer
 from authentik.crypto.apps import MANAGED_KEY
 from authentik.crypto.builder import CertificateBuilder, PrivateKeyAlg
 from authentik.crypto.models import CertificateKeyPair

diff --git a/authentik/enterprise/api.py b/authentik/enterprise/api.py
@@ -13,11 +13,10 @@
 from rest_framework.permissions import IsAuthenticated
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet
 
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import PassiveSerializer
+from authentik.core.api.utils import ModelSerializer, PassiveSerializer
 from authentik.core.models import User, UserTypes
 from authentik.enterprise.license import LicenseKey, LicenseSummarySerializer
 from authentik.enterprise.models import License