trustchain-oc1-orchestral
/
authentik
Archived
10
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch 'master' into version-2021.12

This commit is contained in:
Jens Langhammer 2021-12-16 15:48:53 +01:00
parent 2a09fc0ae2 0ca6fbb224
commit 741822424a
28 changed files with 235 additions and 128 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
README.md
View File

@ -38,3 +38,23 @@ See [Development Documentation](https://goauthentik.io/developer-docs/?utm_sourc
## Security
See [SECURITY.md](SECURITY.md)
## Sponsors
This project is proudly sponsored by:
<p>
<a href="https://www.digitalocean.com/?utm_medium=opensource&utm_source=goauthentik.io">
<img src="https://opensource.nyc3.cdn.digitaloceanspaces.com/attribution/assets/SVG/DO_Logo_horizontal_blue.svg" width="201px">
</a>
</p>
DigitalOcean provides development and testing resources for authentik.
<p>
<a href="https://www.netlify.com">
<img src="https://www.netlify.com/img/global/badges/netlify-color-accent.svg" alt="Deploys by Netlify" />
</a>
</p>
Netlify hosts the [goauthentik.io](goauthentik.io) site.

8
authentik/core/models.py
View File

@ -278,7 +278,13 @@ class Application(PolicyBindingModel):
"""Get casted provider instance"""
if not self.provider:
return None
return Provider.objects.get_subclass(pk=self.provider.pk)
# if the Application class has been cache, self.provider is set
# but doing a direct query lookup will fail.
# In that case, just return None
try:
return Provider.objects.get_subclass(pk=self.provider.pk)
except Provider.DoesNotExist:
return None
def __str__(self):
return self.name

7
authentik/events/models.py
View File

@ -2,7 +2,7 @@
import time
from collections import Counter
from datetime import timedelta
from inspect import getmodule, stack
from inspect import currentframe
from smtplib import SMTPException
from typing import TYPE_CHECKING, Optional, Type, Union
from uuid import uuid4
@ -192,14 +192,15 @@ class Event(ExpiringModel):
def new(
action: Union[str, EventAction],
app: Optional[str] = None,
_inspect_offset: int = 1,
**kwargs,
) -> "Event":
"""Create new Event instance from arguments. Instance is NOT saved."""
if not isinstance(action, EventAction):
action = EventAction.CUSTOM_PREFIX + action
if not app:
app = getmodule(stack()[_inspect_offset][0]).__name__
current = currentframe()
parent = current.f_back
app = parent.f_globals["__name__"]
cleaned_kwargs = cleanse_dict(sanitize_dict(kwargs))
event = Event(action=action, app=app, context=cleaned_kwargs)
return event

2
authentik/root/settings.py
View File

@ -28,6 +28,7 @@ from sentry_sdk.integrations.boto3 import Boto3Integration
from sentry_sdk.integrations.celery import CeleryIntegration
from sentry_sdk.integrations.django import DjangoIntegration
from sentry_sdk.integrations.redis import RedisIntegration
from sentry_sdk.integrations.threading import ThreadingIntegration
from authentik import ENV_GIT_HASH_KEY, __version__
from authentik.core.middleware import structlog_add_request_id
@ -424,6 +425,7 @@ if _ERROR_REPORTING:
CeleryIntegration(),
RedisIntegration(),
Boto3Integration(),
ThreadingIntegration(propagate_hub=True),
],
before_send=before_send,
release=f"authentik@{__version__}",

9
internal/outpost/flow.go
View File

@ -60,6 +60,7 @@ type FlowExecutor struct {
func NewFlowExecutor(ctx context.Context, flowSlug string, refConfig *api.Configuration, logFields log.Fields) *FlowExecutor {
rsp := sentry.StartSpan(ctx, "authentik.outposts.flow_executor")
rsp.Description = flowSlug
l := log.WithField("flow", flowSlug).WithFields(logFields)
jar, err := cookiejar.New(nil)
@ -153,8 +154,8 @@ func (fe *FlowExecutor) solveFlowChallenge(depth int) (bool, error) {
}
ch := challenge.GetActualInstance().(ChallengeInt)
fe.log.WithField("component", ch.GetComponent()).WithField("type", ch.GetType()).Debug("Got challenge")
gcsp.SetTag("ak_challenge", string(ch.GetType()))
gcsp.SetTag("ak_component", ch.GetComponent())
gcsp.SetTag("authentik.flow.challenge", string(ch.GetType()))
gcsp.SetTag("authentik.flow.component", ch.GetComponent())
gcsp.Finish()
FlowTimingGet.With(prometheus.Labels{
"stage": ch.GetComponent(),
@ -202,8 +203,8 @@ func (fe *FlowExecutor) solveFlowChallenge(depth int) (bool, error) {
response, _, err := responseReq.Execute()
ch = response.GetActualInstance().(ChallengeInt)
fe.log.WithField("component", ch.GetComponent()).WithField("type", ch.GetType()).Debug("Got response")
scsp.SetTag("ak_challenge", string(ch.GetType()))
scsp.SetTag("ak_component", ch.GetComponent())
scsp.SetTag("authentik.flow.challenge", string(ch.GetType()))
scsp.SetTag("authentik.flow.component", ch.GetComponent())
scsp.Finish()
switch ch.GetComponent() {

11
internal/outpost/ldap/bind/request.go
View File

@ -23,9 +23,18 @@ type Request struct {
func NewRequest(bindDN string, bindPW string, conn net.Conn) (*Request, *sentry.Span) {
span := sentry.StartSpan(context.TODO(), "authentik.providers.ldap.bind",
sentry.TransactionName("authentik.providers.ldap.bind"))
span.Description = bindDN
rid := uuid.New().String()
span.SetTag("request_uid", rid)
span.SetTag("user.username", bindDN)
hub := sentry.GetHubFromContext(span.Context())
if hub == nil {
hub = sentry.CurrentHub()
}
hub.Scope().SetUser(sentry.User{
Username: bindDN,
ID: bindDN,
IPAddress: utils.GetIP(conn.RemoteAddr()),
})
bindDN = strings.ToLower(bindDN)
return &Request{

16
internal/outpost/ldap/search/request.go
View File

@ -2,6 +2,7 @@ package search
import (
"context"
"fmt"
"net"
"strings"
@ -27,10 +28,19 @@ func NewRequest(bindDN string, searchReq ldap.SearchRequest, conn net.Conn) (*Re
bindDN = strings.ToLower(bindDN)
searchReq.BaseDN = strings.ToLower(searchReq.BaseDN)
span := sentry.StartSpan(context.TODO(), "authentik.providers.ldap.search", sentry.TransactionName("authentik.providers.ldap.search"))
span.Description = fmt.Sprintf("%s (%s)", searchReq.BaseDN, ldap.ScopeMap[searchReq.Scope])
span.SetTag("request_uid", rid)
span.SetTag("user.username", bindDN)
span.SetTag("ak_filter", searchReq.Filter)
span.SetTag("ak_base_dn", searchReq.BaseDN)
hub := sentry.GetHubFromContext(span.Context())
if hub == nil {
hub = sentry.CurrentHub()
}
hub.Scope().SetUser(sentry.User{
Username: bindDN,
ID: bindDN,
IPAddress: utils.GetIP(conn.RemoteAddr()),
})
span.SetTag("ldap_filter", searchReq.Filter)
span.SetTag("ldap_base_dn", searchReq.BaseDN)
return &Request{
SearchRequest: searchReq,
BindDN: bindDN,

12
internal/outpost/proxyv2/application/application.go
View File

@ -12,6 +12,8 @@ import (
"time"
"github.com/coreos/go-oidc"
"github.com/getsentry/sentry-go"
sentryhttp "github.com/getsentry/sentry-go/http"
"github.com/gorilla/mux"
"github.com/gorilla/sessions"
"github.com/pkg/errors"
@ -109,6 +111,15 @@ func NewApplication(p api.ProxyOutpostConfig, c *http.Client, cs *ak.CryptoStore
user := ""
if c != nil {
user = c.PreferredUsername
hub := sentry.GetHubFromContext(r.Context())
if hub == nil {
hub = sentry.CurrentHub()
}
hub.Scope().SetUser(sentry.User{
Username: user,
ID: c.Sub,
IPAddress: r.RemoteAddr,
})
}
before := time.Now()
inner.ServeHTTP(rw, r)
@ -124,6 +135,7 @@ func NewApplication(p api.ProxyOutpostConfig, c *http.Client, cs *ak.CryptoStore
}).Observe(float64(after))
})
})
mux.Use(sentryhttp.New(sentryhttp.Options{}).Handle)
// Support /start and /sign_in for backwards compatibility
mux.HandleFunc("/akprox/start", a.handleRedirect)

2
internal/outpost/proxyv2/proxyv2.go
View File

@ -10,6 +10,7 @@ import (
"sync"
"time"
sentryhttp "github.com/getsentry/sentry-go/http"
"github.com/gorilla/mux"
"github.com/pires/go-proxyproto"
log "github.com/sirupsen/logrus"
@ -52,6 +53,7 @@ func NewProxyServer(ac *ak.APIController, portOffset int) *ProxyServer {
globalMux := rootMux.NewRoute().Subrouter()
globalMux.Use(web.NewLoggingHandler(l.WithField("logger", "authentik.outpost.proxyv2.http"), nil))
globalMux.Use(sentryhttp.New(sentryhttp.Options{}).Handle)
s := &ProxyServer{
Listen: "0.0.0.0:%d",
PortOffset: portOffset,

4
internal/utils/web/middleware.go
View File

@ -99,8 +99,8 @@ func (h loggingHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
h.handler.ServeHTTP(responseLogger, req)
duration := float64(time.Since(t)) / float64(time.Millisecond)
h.afterHandler(h.logger.WithFields(log.Fields{
"host": req.RemoteAddr,
"vhost": GetHost(req),
"remote": req.RemoteAddr,
"host": GetHost(req),
"request_protocol": req.Proto,
"runtime": fmt.Sprintf("%0.3f", duration),
"method": req.Method,

29
internal/web/middleware_log.go
View File

@ -1,29 +0,0 @@
package web
import (
"net/http"
"time"
"github.com/getsentry/sentry-go"
log "github.com/sirupsen/logrus"
"goauthentik.io/internal/utils/web"
)
func loggingMiddleware(l *log.Entry) func(next http.Handler) http.Handler {
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
span := sentry.StartSpan(r.Context(), "authentik.go.request")
before := time.Now()
// Call the next handler, which can be another middleware in the chain, or the final handler.
next.ServeHTTP(w, r)
after := time.Now()
l.WithFields(log.Fields{
"remote": r.RemoteAddr,
"method": r.Method,
"took": after.Sub(before),
"host": web.GetHost(r),
}).Info(r.RequestURI)
span.Finish()
})
}
}

44
internal/web/middleware_sentry.go
View File

@ -1,44 +0,0 @@
package web
import (
"encoding/json"
"net/http"
sentryhttp "github.com/getsentry/sentry-go/http"
log "github.com/sirupsen/logrus"
)
func recoveryMiddleware() func(next http.Handler) http.Handler {
sentryHandler := sentryhttp.New(sentryhttp.Options{})
l := log.WithField("logger", "authentik.router.sentry")
return func(next http.Handler) http.Handler {
sentryHandler.Handle(next)
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
next.ServeHTTP(w, r)
defer func() {
re := recover()
if re == nil {
return
}
err := re.(error)
if err != nil {
l.WithError(err).Warning("global panic handler")
jsonBody, _ := json.Marshal(struct {
Successful bool
Error string
}{
Successful: false,
Error: err.Error(),
})
w.Header().Set("Content-Type", "application/json")
w.WriteHeader(http.StatusInternalServerError)
_, err := w.Write(jsonBody)
if err != nil {
l.WithError(err).Warning("Failed to write sentry error body")
}
}
}()
})
}
}

16
internal/web/web.go
View File

@ -6,6 +6,7 @@ import (
"net"
"net/http"
sentryhttp "github.com/getsentry/sentry-go/http"
"github.com/gorilla/handlers"
"github.com/gorilla/mux"
"github.com/pires/go-proxyproto"
@ -13,6 +14,7 @@ import (
"goauthentik.io/internal/config"
"goauthentik.io/internal/gounicorn"
"goauthentik.io/internal/outpost/proxyv2"
"goauthentik.io/internal/utils/web"
)
type WebServer struct {
@ -34,13 +36,11 @@ type WebServer struct {
func NewWebServer(g *gounicorn.GoUnicorn) *WebServer {
l := log.WithField("logger", "authentik.router")
mainHandler := mux.NewRouter()
if config.G.ErrorReporting.Enabled {
mainHandler.Use(recoveryMiddleware())
}
mainHandler.Use(sentryhttp.New(sentryhttp.Options{}).Handle)
mainHandler.Use(handlers.ProxyHeaders)
mainHandler.Use(handlers.CompressHandler)
logginRouter := mainHandler.NewRoute().Subrouter()
logginRouter.Use(loggingMiddleware(l))
logginRouter.Use(web.NewLoggingHandler(l, nil))
ws := &WebServer{
LegacyProxy: true,
@ -72,7 +72,7 @@ func (ws *WebServer) Shutdown() {
func (ws *WebServer) listenPlain() {
ln, err := net.Listen("tcp", config.G.Web.Listen)
if err != nil {
ws.log.WithError(err).Fatalf("failed to listen")
ws.log.WithError(err).Fatal("failed to listen")
}
ws.log.WithField("listen", config.G.Web.Listen).Info("Listening")
@ -83,7 +83,7 @@ func (ws *WebServer) listenPlain() {
err = http.ListenAndServe(config.G.Web.Listen, ws.m)
if err != nil && !errors.Is(err, http.ErrServerClosed) {
ws.log.Errorf("ERROR: http.Serve() - %s", err)
ws.log.WithError(err).Error("failed to listen")
}
}
@ -100,14 +100,14 @@ func (ws *WebServer) serve(listener net.Listener) {
// We received an interrupt signal, shut down.
if err := srv.Shutdown(context.Background()); err != nil {
// Error from closing listeners, or context timeout:
ws.log.Printf("HTTP server Shutdown: %v", err)
ws.log.WithError(err).Warning("HTTP server Shutdown")
}
close(idleConnsClosed)
}()
err := srv.Serve(listener)
if err != nil && !errors.Is(err, http.ErrServerClosed) {
ws.log.Errorf("ERROR: http.Serve() - %s", err)
ws.log.WithError(err).Error("ERROR: http.Serve()")
}
<-idleConnsClosed
}

2
lifecycle/ak
View File

@ -67,7 +67,7 @@ if [[ "$1" == "server" ]]; then
/authentik-proxy
elif [[ "$1" == "worker" ]]; then
echo "worker" > $MODE_FILE
check_if_root "celery -A authentik.root.celery worker --autoscale 3,1 -E -B -s /tmp/celerybeat-schedule -Q authentik,authentik_scheduled,authentik_events"
check_if_root "celery -A authentik.root.celery worker -Ofair --autoscale 3,1 -E -B -s /tmp/celerybeat-schedule -Q authentik,authentik_scheduled,authentik_events"
elif [[ "$1" == "flower" ]]; then
echo "flower" > $MODE_FILE
celery -A authentik.root.celery flower

32
web/src/elements/Markdown.ts Normal file
View File

@ -0,0 +1,32 @@
import { CSSResult, LitElement, TemplateResult, html } from "lit";
import { customElement, property } from "lit/decorators.js";
import { unsafeHTML } from "lit/directives/unsafe-html.js";
import AKGlobal from "../authentik.css";
import PFContent from "@patternfly/patternfly/components/Content/content.css";
import PFList from "@patternfly/patternfly/components/List/list.css";
export interface MarkdownDocument {
html: string;
metadata: { [key: string]: string };
filename: string;
}
@customElement("ak-markdown")
export class Markdown extends LitElement {
@property({ attribute: false })
md?: MarkdownDocument;
static get styles(): CSSResult[] {
return [PFList, PFContent, AKGlobal];
}
render(): TemplateResult {
if (!this.md) {
return html``;
}
const finalHTML = this.md?.html.replace("<ul>", "<ul class='pf-c-list'>");
return html`${this.md?.metadata.title ? html`<h2>${this.md.metadata.title}</h2>` : html``}
${unsafeHTML(finalHTML)}`;
}
}

2
web/src/elements/PageHeader.ts
View File

@ -81,7 +81,7 @@ export class PageHeader extends LitElement {
font-size: 24px;
}
.notification-trigger.has-notifications {
color: #2b9af3;
color: var(--pf-global--active-color--100);
}
`,
];

8
web/src/elements/notifications/NotificationDrawer.ts
View File

@ -183,9 +183,15 @@ export class NotificationDrawer extends LitElement {
composed: true,
}),
);
this.dispatchEvent(
new CustomEvent(EVENT_NOTIFICATION_DRAWER_TOGGLE, {
bubbles: true,
composed: true,
}),
);
});
}}
class="pf-c-button pf-m-secondary pf-m-block"
class="pf-c-button pf-m-primary pf-m-block"
type="button"
aria-label=${t`Clear all`}
>

21
web/src/elements/table/TablePage.ts
View File

@ -4,6 +4,7 @@ import { ifDefined } from "lit/directives/if-defined.js";
import PFContent from "@patternfly/patternfly/components/Content/content.css";
import PFPage from "@patternfly/patternfly/components/Page/page.css";
import PFSidebar from "@patternfly/patternfly/components/Sidebar/sidebar.css";
import "../../elements/PageHeader";
import { Table } from "./Table";
@ -14,7 +15,15 @@ export abstract class TablePage<T> extends Table<T> {
abstract pageIcon(): string;
static get styles(): CSSResult[] {
return super.styles.concat(PFPage, PFContent);
return super.styles.concat(PFPage, PFContent, PFSidebar);
}
renderSidebarBefore(): TemplateResult {
return html``;
}
renderSidebarAfter(): TemplateResult {
return html``;
}
render(): TemplateResult {
@ -25,7 +34,15 @@ export abstract class TablePage<T> extends Table<T> {
>
</ak-page-header>
<section class="pf-c-page__main-section pf-m-no-padding-mobile">
<div class="pf-c-card">${this.renderTable()}</div>
<div class="pf-c-sidebar pf-m-gutter">
<div class="pf-c-sidebar__main">
${this.renderSidebarBefore()}
<div class="pf-c-sidebar__content">
<div class="pf-c-card">${this.renderTable()}</div>
</div>
${this.renderSidebarAfter()}
</div>
</div>
</section>`;
}
}

2
web/src/global.d.ts vendored
View File

@ -1,7 +1,7 @@
declare module "*.css";
declare module "*.md" {
const html: string;
const metadata: object;
const metadata: { [key: string]: string };
const filename: string;
}

4
web/src/locales/en.po
View File

@ -122,6 +122,10 @@ msgstr "API Token (can be used to access the API programmatically)"
msgid "API request failed"
msgstr "API request failed"
#: src/pages/applications/ApplicationListPage.ts
msgid "About applications"
msgstr "About applications"
#: src/pages/sources/oauth/OAuthSourceViewPage.ts
msgid "Access Key"
msgstr "Access Key"

4
web/src/locales/fr_FR.po
View File

@ -128,6 +128,10 @@ msgstr "Jeton d'API (peut être utilisé pour accéder à l'API via un programme
msgid "API request failed"
msgstr "Requête d'API échouée"
#: src/pages/applications/ApplicationListPage.ts
msgid "About applications"
msgstr ""
#: src/pages/sources/oauth/OAuthSourceViewPage.ts
msgid "Access Key"
msgstr "Clé d'accès"

4
web/src/locales/pseudo-LOCALE.po
View File

@ -122,6 +122,10 @@ msgstr ""
msgid "API request failed"
msgstr ""
#: src/pages/applications/ApplicationListPage.ts
msgid "About applications"
msgstr ""
#: src/pages/sources/oauth/OAuthSourceViewPage.ts
msgid "Access Key"
msgstr ""

15
web/src/pages/applications/ApplicationListPage.ts
View File

@ -5,12 +5,15 @@ import { customElement, property } from "lit/decorators.js";
import { ifDefined } from "lit/directives/if-defined.js";
import PFAvatar from "@patternfly/patternfly/components/Avatar/avatar.css";
import PFCard from "@patternfly/patternfly/components/Card/card.css";
import { Application, CoreApi } from "@goauthentik/api";
import MDApplication from "../../../../website/docs/core/applications.md";
import { AKResponse } from "../../api/Client";
import { DEFAULT_CONFIG } from "../../api/Config";
import { uiConfig } from "../../common/config";
import "../../elements/Markdown";
import "../../elements/buttons/SpinnerButton";
import "../../elements/forms/DeleteBulkForm";
import "../../elements/forms/ModalForm";
@ -52,6 +55,7 @@ export class ApplicationListPage extends TablePage<Application> {
static get styles(): CSSResult[] {
return super.styles.concat(
PFAvatar,
PFCard,
css`
tr td:first-child {
width: auto;
@ -74,6 +78,17 @@ export class ApplicationListPage extends TablePage<Application> {
];
}
renderSidebarAfter(): TemplateResult {
return html`<div class="pf-c-sidebar__panel pf-m-width-25">
<div class="pf-c-card">
<div class="pf-c-card__title">${t`About applications`}</div>
<div class="pf-c-card__body">
<ak-markdown .md=${MDApplication}></ak-markdown>
</div>
</div>
</div>`;
}
renderToolbarSelected(): TemplateResult {
const disabled = this.selectedElements.length < 1;
return html`<ak-forms-delete-bulk

36
web/src/pages/providers/proxy/ProxyProviderViewPage.ts
View File

@ -1,7 +1,6 @@
import { t } from "@lingui/macro";
import { CSSResult, LitElement, TemplateResult, html } from "lit";
import { unsafeHTML } from "lit-html/directives/unsafe-html.js";
import { customElement, property } from "lit/decorators.js";
import AKGlobal from "../../../authentik.css";
@ -28,6 +27,8 @@ import { DEFAULT_CONFIG } from "../../../api/Config";
import { EVENT_REFRESH } from "../../../constants";
import "../../../elements/CodeMirror";
import { PFColor } from "../../../elements/Label";
import "../../../elements/Markdown";
import { MarkdownDocument } from "../../../elements/Markdown";
import "../../../elements/Tabs";
import "../../../elements/buttons/ModalButton";
import "../../../elements/buttons/SpinnerButton";
@ -90,20 +91,19 @@ export class ProxyProviderViewPage extends LitElement {
});
}
renderConfigTemplate(tmpl: string): TemplateResult {
renderConfigTemplate(markdown: MarkdownDocument): MarkdownDocument {
// See website/docs/providers/proxy/forward_auth.mdx
let final = "";
if (this.provider?.mode === ProxyMode.ForwardSingle) {
final = tmpl
markdown.html = markdown.html
.replaceAll("authentik.company", window.location.hostname)
.replaceAll("outpost.company", window.location.hostname)
.replaceAll("app.company", this.provider?.externalHost || "");
} else if (this.provider?.mode == ProxyMode.ForwardDomain) {
final = tmpl
markdown.html = markdown.html
.replaceAll("authentik.company", window.location.hostname)
.replaceAll("outpost.company", this.provider?.externalHost || "");
}
return html`${unsafeHTML(final)}`;
return markdown;
}
render(): TemplateResult {
@ -250,42 +250,54 @@ export class ProxyProviderViewPage extends LitElement {
data-tab-title="${t`Nginx (Ingress)`}"
class="pf-c-page__main-section pf-m-light pf-m-no-padding-mobile"
>
${this.renderConfigTemplate(MDNginxIngress.html)}
<ak-markdown
.md=${this.renderConfigTemplate(MDNginxIngress)}
></ak-markdown>
</section>
<section
slot="page-nginx-proxy-manager"
data-tab-title="${t`Nginx (Proxy Manager)`}"
class="pf-c-page__main-section pf-m-light pf-m-no-padding-mobile"
>
${this.renderConfigTemplate(MDNginxPM.html)}
<ak-markdown
.md=${this.renderConfigTemplate(MDNginxPM)}
></ak-markdown>
</section>
<section
slot="page-nginx-standalone"
data-tab-title="${t`Nginx (standalone)`}"
class="pf-c-page__main-section pf-m-light pf-m-no-padding-mobile"
>
${this.renderConfigTemplate(MDNginxStandalone.html)}
<ak-markdown
.md=${this.renderConfigTemplate(MDNginxStandalone)}
></ak-markdown>
</section>
<section
slot="page-traefik-ingress"
data-tab-title="${t`Traefik (Ingress)`}"
class="pf-c-page__main-section pf-m-light pf-m-no-padding-mobile"
>
${this.renderConfigTemplate(MDTraefikIngres.html)}
<ak-markdown
.md=${this.renderConfigTemplate(MDTraefikIngres)}
></ak-markdown>
</section>
<section
slot="page-traefik-compose"
data-tab-title="${t`Traefik (Compose)`}"
class="pf-c-page__main-section pf-m-light pf-m-no-padding-mobile"
>
${this.renderConfigTemplate(MDTraefikCompose.html)}
<ak-markdown
.md=${this.renderConfigTemplate(MDTraefikCompose)}
></ak-markdown>
</section>
<section
slot="page-traefik-standalone"
data-tab-title="${t`Traefik (Standalone)`}"
class="pf-c-page__main-section pf-m-light pf-m-no-padding-mobile"
>
${this.renderConfigTemplate(MDTraefikStandalone.html)}
<ak-markdown
.md=${this.renderConfigTemplate(MDTraefikStandalone)}
></ak-markdown>
</section>
</ak-tabs>
`

14
web/src/pages/stages/StageListPage.ts
View File

@ -107,11 +107,15 @@ export class StageListPage extends TablePage<Stage> {
<div>${item.name}</div>
<small>${item.verboseName}</small>
</div>`,
html`${item.flowSet?.map((flow) => {
return html`<a href="#/flow/flows/${flow.slug}">
<code>${flow.slug}</code>
</a>`;
})}`,
html`<ul class="pf-c-list">
${item.flowSet?.map((flow) => {
return html`<li>
<a href="#/flow/flows/${flow.slug}">
<code>${flow.slug}</code>
</a>
</li>`;
})}
</ul>`,
html` <ak-forms-modal>
<span slot="submit"> ${t`Update`} </span>
<span slot="header"> ${t`Update ${item.verboseName}`} </span>

20
website/docs/core/applications.md
View File

@ -3,7 +3,7 @@ title: Applications
slug: /applications
---
Applications in authentik are the counterpart of providers. They exist in a 1-to-1 relationship, each application needs a provider and every provider can be used with one application.
Applications in authentik are the other half of providers. They exist in a 1-to-1 relationship, each application needs a provider and every provider can be used with one application.
Applications are used to configure and separate the authorization / access control and the appearance in the Library page.
@ -15,23 +15,23 @@ By default, all users can access applications when no policies are bound.
When multiple policies/groups/users are attached, you can configure the *Policy engine mode* to either
- Require users to pass all bindings/be member of all groups (ALL), or
- Require users to pass either binding/be member of either group (ANY)
- Require users to pass all bindings/be member of all groups (ALL), or
- Require users to pass either binding/be member of either group (ANY)
## Appearance
The following aspects can be configured:
- *Name*: This is the name shown for the application card
- *Launch URL*: The URL that is opened when a user clicks on the application. When left empty, authentik tries to guess it based on the provider
- *Icon (URL)*: Optionally configure an Icon for the application
- *Publisher*: Text shown below the application
- *Description*: Subtext shown on the application card below the publisher
- *Name*: This is the name shown for the application card
- *Launch URL*: The URL that is opened when a user clicks on the application. When left empty, authentik tries to guess it based on the provider
- *Icon (URL)*: Optionally configure an Icon for the application
- *Publisher*: Text shown below the application
- *Description*: Subtext shown on the application card below the publisher
Applications are shown to users when
- The user has access defined via policies (or the application has no policies bound)
- A Valid Launch URL is configured/could be guessed, this consists of URLs starting with http:// and https://
- The user has access defined via policies (or the application has no policies bound)
- A Valid Launch URL is configured/could be guessed, this consists of URLs starting with http:// and https://
#### Hiding applications

13
website/docs/releases/v2021.12.md
View File

@ -151,6 +151,19 @@ This release does not have any headline features, and mostly fixes bugs.
- web/admin: update overview page
- web/flows: fix error when attempting to enroll new webauthn device
## Fixed in 2021.12.1
- core: fix error when attempting to provider from cached application
- events: improve app lookup for event creation
- internal: cleanup duplicate and redundant code, properly set sentry SDK scope settings
- lifecycle: add -Ofair to celery
- web/admin: add sidebar to applications
- web/admin: fix notification unread colours not matching on user and admin interface
- web/admin: fix stage related flows not being shown in a list
- web/elements: add Markdown component to improve rendering
- web/elements: add support for sidebar on table page
- web/elements: close notification drawer when clearing all notifications
## Upgrading
This release does not introduce any new requirements.

6
website/integrations/services/bookstack/index.md
View File

@ -101,3 +101,9 @@ BookStack will attempt to match the SAML user to an existing BookStack user base
:::note
SAML Group Sync is supported by Bookstack. Review the BookStack documentation on the required Environment variables. https://www.bookstackapp.com/docs/admin/saml2-auth/
:::
:::note
In some cases you might need to define the full SAML property name.
i.e.: `SAML2_GROUP_ATTRIBUTE="http://schemas.xmlsoap.org/claims/Group"`
See https://github.com/BookStackApp/BookStack/issues/3109 for more details.
:::