Merge branch 'main' into application-wizard-2-with-api-and-tests

* main: (23 commits)
  ci: test with postgres 16
  translate: Updates for file web/xliff/en.xlf in fr (#7189)
  web: bump the esbuild group in /web with 2 updates (#7195)
  web: bump the eslint group in /tests/wdio with 2 updates (#7192)
  core: bump ruff from 0.0.292 to 0.1.0 (#7194)
  web: bump the eslint group in /web with 2 updates (#7193)
  web: the return of pseudolocalization (#7190)
  rbac: revisions (#7188)
  website: bump @babel/traverse from 7.21.4 to 7.23.2 in /website (#7187)
  web: bump API Client version (#7186)
  core: Initial RBAC (#6806)
  lifecycle: re-fix system migrations (#7185)
  outposts: use channel groups instead of saving channel names (#7183)
  sources/ldap: made ldap_sync_single calls from ldap_sync_all asynchronous (#6862)
  website/docs: fix API OAuth token usage (#7159)
  web: bump rollup from 4.1.3 to 4.1.4 in /web (#7181)
  web: bump @formatjs/intl-listformat from 7.4.2 to 7.5.0 in /web (#7182)
  web: bump @rollup/plugin-replace from 5.0.3 to 5.0.4 in /web (#7177)
  web: bump the sentry group in /web with 2 updates (#7175)
  web: bump @rollup/plugin-commonjs from 25.0.5 to 25.0.7 in /web (#7178)
  ...

.github/codecov.yml

@@ -6,5 +6,5 @@ coverage:
         # adjust accordingly based on how flaky your tests are
         # this allows a 1% drop from the previous base commit coverage
         threshold: 1%
-  notify:
+comment:
   after_n_builds: 3

.github/workflows/ci-main.yml

@@ -90,6 +90,7 @@ jobs:
         psql:
           - 12-alpine
           - 15-alpine
+          - 16-alpine
     steps:
       - uses: actions/checkout@v4
       - name: Setup authentik env

Makefile

@@ -62,8 +62,9 @@ lint-fix:  ## Lint and automatically fix errors in the python source code. Repor
 	codespell -w $(CODESPELL_ARGS)
 
 lint: ## Lint the python and golang sources
-	pylint $(PY_SOURCES)
 	bandit -r $(PY_SOURCES) -x node_modules
+	./web/node_modules/.bin/pyright $(PY_SOURCES)
+	pylint $(PY_SOURCES)
 	golangci-lint run -v
 
 migrate: ## Run the Authentik Django server's migrations

authentik/admin/api/meta.py

@@ -1,7 +1,7 @@
 """Meta API"""
 from drf_spectacular.utils import extend_schema
 from rest_framework.fields import CharField
-from rest_framework.permissions import IsAdminUser
+from rest_framework.permissions import IsAuthenticated
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.viewsets import ViewSet
@@ -21,7 +21,7 @@ class AppSerializer(PassiveSerializer):
 class AppsViewSet(ViewSet):
     """Read-only view list all installed apps"""
 
-    permission_classes = [IsAdminUser]
+    permission_classes = [IsAuthenticated]
 
     @extend_schema(responses={200: AppSerializer(many=True)})
     def list(self, request: Request) -> Response:
@@ -35,7 +35,7 @@ class AppsViewSet(ViewSet):
 class ModelViewSet(ViewSet):
     """Read-only view list all installed models"""
 
-    permission_classes = [IsAdminUser]
+    permission_classes = [IsAuthenticated]
 
     @extend_schema(responses={200: AppSerializer(many=True)})
     def list(self, request: Request) -> Response:

authentik/admin/api/metrics.py

@@ -5,7 +5,7 @@ from django.db.models.functions import ExtractHour
 from drf_spectacular.utils import extend_schema, extend_schema_field
 from guardian.shortcuts import get_objects_for_user
 from rest_framework.fields import IntegerField, SerializerMethodField
-from rest_framework.permissions import IsAdminUser
+from rest_framework.permissions import IsAuthenticated
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.views import APIView
@@ -68,7 +68,7 @@ class LoginMetricsSerializer(PassiveSerializer):
 class AdministrationMetricsViewSet(APIView):
     """Login Metrics per 1h"""
 
-    permission_classes = [IsAdminUser]
+    permission_classes = [IsAuthenticated]
 
     @extend_schema(responses={200: LoginMetricsSerializer(many=False)})
     def get(self, request: Request) -> Response:

authentik/admin/api/system.py

@@ -8,7 +8,6 @@ from django.utils.timezone import now
 from drf_spectacular.utils import extend_schema
 from gunicorn import version_info as gunicorn_version
 from rest_framework.fields import SerializerMethodField
-from rest_framework.permissions import IsAdminUser
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.views import APIView
@@ -17,6 +16,7 @@ from authentik.core.api.utils import PassiveSerializer
 from authentik.lib.utils.reflection import get_env
 from authentik.outposts.apps import MANAGED_OUTPOST
 from authentik.outposts.models import Outpost
+from authentik.rbac.permissions import HasPermission
 
 
 class RuntimeDict(TypedDict):
@@ -88,7 +88,7 @@ class SystemSerializer(PassiveSerializer):
 class SystemView(APIView):
     """Get system information."""
 
-    permission_classes = [IsAdminUser]
+    permission_classes = [HasPermission("authentik_rbac.view_system_info")]
     pagination_class = None
     filter_backends = []
     serializer_class = SystemSerializer

authentik/admin/api/tasks.py

@@ -14,14 +14,15 @@ from rest_framework.fields import (
     ListField,
     SerializerMethodField,
 )
-from rest_framework.permissions import IsAdminUser
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.viewsets import ViewSet
 from structlog.stdlib import get_logger
 
+from authentik.api.decorators import permission_required
 from authentik.core.api.utils import PassiveSerializer
 from authentik.events.monitored_tasks import TaskInfo, TaskResultStatus
+from authentik.rbac.permissions import HasPermission
 
 LOGGER = get_logger()
 
@@ -63,7 +64,7 @@ class TaskSerializer(PassiveSerializer):
 class TaskViewSet(ViewSet):
     """Read-only view set that returns all background tasks"""
 
-    permission_classes = [IsAdminUser]
+    permission_classes = [HasPermission("authentik_rbac.view_system_tasks")]
     serializer_class = TaskSerializer
 
     @extend_schema(
@@ -93,6 +94,7 @@ class TaskViewSet(ViewSet):
         tasks = sorted(TaskInfo.all().values(), key=lambda task: task.task_name)
         return Response(TaskSerializer(tasks, many=True).data)
 
+    @permission_required(None, ["authentik_rbac.run_system_tasks"])
     @extend_schema(
         request=OpenApiTypes.NONE,
         responses={

authentik/admin/api/workers.py

@@ -2,18 +2,18 @@
 from django.conf import settings
 from drf_spectacular.utils import extend_schema, inline_serializer
 from rest_framework.fields import IntegerField
-from rest_framework.permissions import IsAdminUser
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.views import APIView
 
+from authentik.rbac.permissions import HasPermission
 from authentik.root.celery import CELERY_APP
 
 
 class WorkerView(APIView):
     """Get currently connected worker count."""
 
-    permission_classes = [IsAdminUser]
+    permission_classes = [HasPermission("authentik_rbac.view_system_info")]
 
     @extend_schema(responses=inline_serializer("Workers", fields={"count": IntegerField()}))
     def get(self, request: Request) -> Response:

authentik/api/authorization.py

@@ -7,9 +7,9 @@ from rest_framework.authentication import get_authorization_header
 from rest_framework.filters import BaseFilterBackend
 from rest_framework.permissions import BasePermission
 from rest_framework.request import Request
-from rest_framework_guardian.filters import ObjectPermissionsFilter
 
 from authentik.api.authentication import validate_auth
+from authentik.rbac.filters import ObjectFilter
 
 
 class OwnerFilter(BaseFilterBackend):
@@ -26,14 +26,14 @@ class OwnerFilter(BaseFilterBackend):
 class SecretKeyFilter(DjangoFilterBackend):
     """Allow access to all objects when authenticated with secret key as token.
 
-    Replaces both DjangoFilterBackend and ObjectPermissionsFilter"""
+    Replaces both DjangoFilterBackend and ObjectFilter"""
 
     def filter_queryset(self, request: Request, queryset: QuerySet, view) -> QuerySet:
         auth_header = get_authorization_header(request)
         token = validate_auth(auth_header)
         if token and token == settings.SECRET_KEY:
             return queryset
-        queryset = ObjectPermissionsFilter().filter_queryset(request, queryset, view)
+        queryset = ObjectFilter().filter_queryset(request, queryset, view)
         return super().filter_queryset(request, queryset, view)
 
 

authentik/api/decorators.py

@@ -10,7 +10,7 @@ from structlog.stdlib import get_logger
 LOGGER = get_logger()
 
 
-def permission_required(perm: Optional[str] = None, other_perms: Optional[list[str]] = None):
+def permission_required(obj_perm: Optional[str] = None, global_perms: Optional[list[str]] = None):
     """Check permissions for a single custom action"""
 
     def wrapper_outter(func: Callable):
@@ -18,15 +18,17 @@ def permission_required(perm: Optional[str] = None, other_perms: Optional[list[s
 
         @wraps(func)
         def wrapper(self: ModelViewSet, request: Request, *args, **kwargs) -> Response:
-            if perm:
+            if obj_perm:
                 obj = self.get_object()
-                if not request.user.has_perm(perm, obj):
+                if not request.user.has_perm(obj_perm, obj):
-                    LOGGER.debug("denying access for object", user=request.user, perm=perm, obj=obj)
+                    LOGGER.debug(
+                        "denying access for object", user=request.user, perm=obj_perm, obj=obj
+                    )
                     return self.permission_denied(request)
-            if other_perms:
+            if global_perms:
-                for other_perm in other_perms:
+                for other_perm in global_perms:
                     if not request.user.has_perm(other_perm):
-                        LOGGER.debug("denying access for other", user=request.user, perm=perm)
+                        LOGGER.debug("denying access for other", user=request.user, perm=other_perm)
                         return self.permission_denied(request)
             return func(self, request, *args, **kwargs)
 

authentik/api/pagination.py

@@ -77,3 +77,10 @@ class Pagination(pagination.PageNumberPagination):
             },
             "required": ["pagination", "results"],
         }
+
+
+class SmallerPagination(Pagination):
+    """Smaller pagination for objects which might require a lot of queries
+    to retrieve all data for."""
+
+    max_page_size = 10

authentik/api/tests/test_viewsets.py

@@ -16,6 +16,7 @@ def viewset_tester_factory(test_viewset: type[ModelViewSet]) -> Callable:
 
     def tester(self: TestModelViewSets):
         self.assertIsNotNone(getattr(test_viewset, "search_fields", None))
+        self.assertIsNotNone(getattr(test_viewset, "ordering", None))
         filterset_class = getattr(test_viewset, "filterset_class", None)
         if not filterset_class:
             self.assertIsNotNone(getattr(test_viewset, "filterset_fields", None))

authentik/blueprints/api.py

@@ -4,7 +4,6 @@ from drf_spectacular.utils import extend_schema, inline_serializer
 from rest_framework.decorators import action
 from rest_framework.exceptions import ValidationError
 from rest_framework.fields import CharField, DateTimeField, JSONField
-from rest_framework.permissions import IsAdminUser
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import ListSerializer, ModelSerializer
@@ -87,11 +86,11 @@ class BlueprintInstanceSerializer(ModelSerializer):
 class BlueprintInstanceViewSet(UsedByMixin, ModelViewSet):
     """Blueprint instances"""
 
-    permission_classes = [IsAdminUser]
     serializer_class = BlueprintInstanceSerializer
     queryset = BlueprintInstance.objects.all()
     search_fields = ["name", "path"]
     filterset_fields = ["name", "path"]
+    ordering = ["name"]
 
     @extend_schema(
         responses={

authentik/blueprints/v1/importer.py

@@ -35,25 +35,28 @@ from authentik.core.models import (
     Source,
     UserSourceConnection,
 )
+from authentik.enterprise.models import LicenseUsage
 from authentik.events.utils import cleanse_dict
 from authentik.flows.models import FlowToken, Stage
 from authentik.lib.models import SerializerModel
 from authentik.lib.sentry import SentryIgnoredException
 from authentik.outposts.models import OutpostServiceConnection
 from authentik.policies.models import Policy, PolicyBindingModel
+from authentik.providers.scim.models import SCIMGroup, SCIMUser
 
 # Context set when the serializer is created in a blueprint context
 # Update website/developer-docs/blueprints/v1/models.md when used
 SERIALIZER_CONTEXT_BLUEPRINT = "blueprint_entry"
 
 
-def is_model_allowed(model: type[Model]) -> bool:
+def excluded_models() -> list[type[Model]]:
-    """Check if model is allowed"""
+    """Return a list of all excluded models that shouldn't be exposed via API
+    or other means (internal only, base classes, non-used objects, etc)"""
     # pylint: disable=imported-auth-user
     from django.contrib.auth.models import Group as DjangoGroup
     from django.contrib.auth.models import User as DjangoUser
 
-    excluded_models = (
+    return (
         DjangoUser,
         DjangoGroup,
         # Base classes
@@ -69,8 +72,15 @@ def is_model_allowed(model: type[Model]) -> bool:
         AuthenticatedSession,
         # Classes which are only internally managed
         FlowToken,
+        LicenseUsage,
+        SCIMGroup,
+        SCIMUser,
     )
-    return model not in excluded_models and issubclass(model, (SerializerModel, BaseMetaModel))
+
+
+def is_model_allowed(model: type[Model]) -> bool:
+    """Check if model is allowed"""
+    return model not in excluded_models() and issubclass(model, (SerializerModel, BaseMetaModel))
 
 
 class DoRollback(SentryIgnoredException):

authentik/core/api/applications.py

@@ -17,7 +17,6 @@ from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet
-from rest_framework_guardian.filters import ObjectPermissionsFilter
 from structlog.stdlib import get_logger
 from structlog.testing import capture_logs
 
@@ -38,6 +37,7 @@ from authentik.lib.utils.file import (
 from authentik.policies.api.exec import PolicyTestResultSerializer
 from authentik.policies.engine import PolicyEngine
 from authentik.policies.types import PolicyResult
+from authentik.rbac.filters import ObjectFilter
 
 LOGGER = get_logger()
 
@@ -122,7 +122,7 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
     def _filter_queryset_for_list(self, queryset: QuerySet) -> QuerySet:
         """Custom filter_queryset method which ignores guardian, but still supports sorting"""
         for backend in list(self.filter_backends):
-            if backend == ObjectPermissionsFilter:
+            if backend == ObjectFilter:
                 continue
             queryset = backend().filter_queryset(self.request, queryset, self)
         return queryset

authentik/core/api/groups.py

@@ -2,7 +2,6 @@
 from json import loads
 from typing import Optional
 
-from django.db.models.query import QuerySet
 from django.http import Http404
 from django_filters.filters import CharFilter, ModelMultipleChoiceFilter
 from django_filters.filterset import FilterSet
@@ -14,12 +13,12 @@ from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import ListSerializer, ModelSerializer, ValidationError
 from rest_framework.viewsets import ModelViewSet
-from rest_framework_guardian.filters import ObjectPermissionsFilter
 
 from authentik.api.decorators import permission_required
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import PassiveSerializer, is_dict
 from authentik.core.models import Group, User
+from authentik.rbac.api.roles import RoleSerializer
 
 
 class GroupMemberSerializer(ModelSerializer):
@@ -49,6 +48,12 @@ class GroupSerializer(ModelSerializer):
     users_obj = ListSerializer(
         child=GroupMemberSerializer(), read_only=True, source="users", required=False
     )
+    roles_obj = ListSerializer(
+        child=RoleSerializer(),
+        read_only=True,
+        source="roles",
+        required=False,
+    )
     parent_name = CharField(source="parent.name", read_only=True, allow_null=True)
 
     num_pk = IntegerField(read_only=True)
@@ -71,8 +76,10 @@ class GroupSerializer(ModelSerializer):
             "parent",
             "parent_name",
             "users",
-            "attributes",
             "users_obj",
+            "attributes",
+            "roles",
+            "roles_obj",
         ]
         extra_kwargs = {
             "users": {
@@ -138,19 +145,6 @@ class GroupViewSet(UsedByMixin, ModelViewSet):
     filterset_class = GroupFilter
     ordering = ["name"]
 
-    def _filter_queryset_for_list(self, queryset: QuerySet) -> QuerySet:
-        """Custom filter_queryset method which ignores guardian, but still supports sorting"""
-        for backend in list(self.filter_backends):
-            if backend == ObjectPermissionsFilter:
-                continue
-            queryset = backend().filter_queryset(self.request, queryset, self)
-        return queryset
-
-    def filter_queryset(self, queryset):
-        if self.request.user.has_perm("authentik_core.view_group"):
-            return self._filter_queryset_for_list(queryset)
-        return super().filter_queryset(queryset)
-
     @permission_required(None, ["authentik_core.add_user"])
     @extend_schema(
         request=UserAccountSerializer,

authentik/core/api/transactional_applications.py

@@ -119,6 +119,7 @@ class TransactionApplicationResponseSerializer(PassiveSerializer):
 class TransactionalApplicationView(APIView):
     """Create provider and application and attach them in a single transaction"""
 
+    # TODO: Migrate to a more specific permission
     permission_classes = [IsAdminUser]
 
     @extend_schema(

authentik/core/api/used_by.py

@@ -73,6 +73,11 @@ class UsedByMixin:
             # but so we only apply them once, have a simple flag for the first object
             first_object = True
 
+            # TODO: This will only return the used-by references that the user can see
+            # Either we have to leak model information here to not make the list
+            # useless if the user doesn't have all permissions, or we need to double
+            # query and check if there is a difference between modes the user can see
+            # and can't see and add a warning
             for obj in get_objects_for_user(
                 request.user, f"{app}.view_{model_name}", manager
             ).all():

authentik/core/api/users.py

@@ -7,7 +7,6 @@ from django.contrib.auth import update_session_auth_hash
 from django.contrib.sessions.backends.cache import KEY_PREFIX
 from django.core.cache import cache
 from django.db.models.functions import ExtractHour
-from django.db.models.query import QuerySet
 from django.db.transaction import atomic
 from django.db.utils import IntegrityError
 from django.urls import reverse_lazy
@@ -52,7 +51,6 @@ from rest_framework.serializers import (
 )
 from rest_framework.validators import UniqueValidator
 from rest_framework.viewsets import ModelViewSet
-from rest_framework_guardian.filters import ObjectPermissionsFilter
 from structlog.stdlib import get_logger
 
 from authentik.admin.api.metrics import CoordinateSerializer
@@ -205,6 +203,7 @@ class UserSelfSerializer(ModelSerializer):
     groups = SerializerMethodField()
     uid = CharField(read_only=True)
     settings = SerializerMethodField()
+    system_permissions = SerializerMethodField()
 
     @extend_schema_field(
         ListSerializer(
@@ -226,6 +225,14 @@ class UserSelfSerializer(ModelSerializer):
         """Get user settings with tenant and group settings applied"""
         return user.group_attributes(self._context["request"]).get("settings", {})
 
+    def get_system_permissions(self, user: User) -> list[str]:
+        """Get all system permissions assigned to the user"""
+        return list(
+            user.user_permissions.filter(
+                content_type__app_label="authentik_rbac", content_type__model="systempermission"
+            ).values_list("codename", flat=True)
+        )
+
     class Meta:
         model = User
         fields = [
@@ -240,6 +247,7 @@ class UserSelfSerializer(ModelSerializer):
             "uid",
             "settings",
             "type",
+            "system_permissions",
         ]
         extra_kwargs = {
             "is_active": {"read_only": True},
@@ -654,19 +662,6 @@ class UserViewSet(UsedByMixin, ModelViewSet):
 
         return Response(status=204)
 
-    def _filter_queryset_for_list(self, queryset: QuerySet) -> QuerySet:
-        """Custom filter_queryset method which ignores guardian, but still supports sorting"""
-        for backend in list(self.filter_backends):
-            if backend == ObjectPermissionsFilter:
-                continue
-            queryset = backend().filter_queryset(self.request, queryset, self)
-        return queryset
-
-    def filter_queryset(self, queryset):
-        if self.request.user.has_perm("authentik_core.view_user"):
-            return self._filter_queryset_for_list(queryset)
-        return super().filter_queryset(queryset)
-
     @extend_schema(
         responses={
             200: inline_serializer(

authentik/core/migrations/0032_group_roles.py

@@ -0,0 +1,45 @@
+# Generated by Django 4.2.6 on 2023-10-11 13:37
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("authentik_core", "0031_alter_user_type"),
+        ("authentik_rbac", "0001_initial"),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name="group",
+            options={"verbose_name": "Group", "verbose_name_plural": "Groups"},
+        ),
+        migrations.AlterModelOptions(
+            name="token",
+            options={
+                "permissions": [("view_token_key", "View token's key")],
+                "verbose_name": "Token",
+                "verbose_name_plural": "Tokens",
+            },
+        ),
+        migrations.AlterModelOptions(
+            name="user",
+            options={
+                "permissions": [
+                    ("reset_user_password", "Reset Password"),
+                    ("impersonate", "Can impersonate other users"),
+                    ("assign_user_permissions", "Can assign permissions to users"),
+                    ("unassign_user_permissions", "Can unassign permissions from users"),
+                ],
+                "verbose_name": "User",
+                "verbose_name_plural": "Users",
+            },
+        ),
+        migrations.AddField(
+            model_name="group",
+            name="roles",
+            field=models.ManyToManyField(
+                blank=True, related_name="ak_groups", to="authentik_rbac.role"
+            ),
+        ),
+    ]

authentik/core/models.py

@@ -1,7 +1,7 @@
 """authentik core models"""
 from datetime import timedelta
 from hashlib import sha256
-from typing import Any, Optional
+from typing import Any, Optional, Self
 from uuid import uuid4
 
 from deepmerge import always_merger
@@ -88,6 +88,8 @@ class Group(SerializerModel):
         default=False, help_text=_("Users added to this group will be superusers.")
     )
 
+    roles = models.ManyToManyField("authentik_rbac.Role", related_name="ak_groups", blank=True)
+
     parent = models.ForeignKey(
         "Group",
         blank=True,
@@ -115,6 +117,38 @@ class Group(SerializerModel):
         """Recursively check if `user` is member of us, or any parent."""
         return user.all_groups().filter(group_uuid=self.group_uuid).exists()
 
+    def children_recursive(self: Self | QuerySet["Group"]) -> QuerySet["Group"]:
+        """Recursively get all groups that have this as parent or are indirectly related"""
+        direct_groups = []
+        if isinstance(self, QuerySet):
+            direct_groups = list(x for x in self.all().values_list("pk", flat=True).iterator())
+        else:
+            direct_groups = [self.pk]
+        if len(direct_groups) < 1:
+            return Group.objects.none()
+        query = """
+        WITH RECURSIVE parents AS (
+            SELECT authentik_core_group.*, 0 AS relative_depth
+            FROM authentik_core_group
+            WHERE authentik_core_group.group_uuid = ANY(%s)
+
+            UNION ALL
+
+            SELECT authentik_core_group.*, parents.relative_depth + 1
+            FROM authentik_core_group, parents
+            WHERE (
+                authentik_core_group.group_uuid = parents.parent_id and
+                parents.relative_depth < 20
+            )
+        )
+        SELECT group_uuid
+        FROM parents
+        GROUP BY group_uuid, name
+        ORDER BY name;
+        """
+        group_pks = [group.pk for group in Group.objects.raw(query, [direct_groups]).iterator()]
+        return Group.objects.filter(pk__in=group_pks)
+
     def __str__(self):
         return f"Group {self.name}"
 
@@ -125,6 +159,8 @@ class Group(SerializerModel):
                 "parent",
             ),
         )
+        verbose_name = _("Group")
+        verbose_name_plural = _("Groups")
 
 
 class UserManager(DjangoUserManager):
@@ -160,33 +196,7 @@ class User(SerializerModel, GuardianUserMixin, AbstractUser):
         """Recursively get all groups this user is a member of.
         At least one query is done to get the direct groups of the user, with groups
         there are at most 3 queries done"""
-        direct_groups = list(
+        return Group.children_recursive(self.ak_groups.all())
-            x for x in self.ak_groups.all().values_list("pk", flat=True).iterator()
-        )
-        if len(direct_groups) < 1:
-            return Group.objects.none()
-        query = """
-        WITH RECURSIVE parents AS (
-            SELECT authentik_core_group.*, 0 AS relative_depth
-            FROM authentik_core_group
-            WHERE authentik_core_group.group_uuid = ANY(%s)
-
-            UNION ALL
-
-            SELECT authentik_core_group.*, parents.relative_depth + 1
-            FROM authentik_core_group, parents
-            WHERE (
-                authentik_core_group.group_uuid = parents.parent_id and
-                parents.relative_depth < 20
-            )
-        )
-        SELECT group_uuid
-        FROM parents
-        GROUP BY group_uuid, name
-        ORDER BY name;
-        """
-        group_pks = [group.pk for group in Group.objects.raw(query, [direct_groups]).iterator()]
-        return Group.objects.filter(pk__in=group_pks)
 
     def group_attributes(self, request: Optional[HttpRequest] = None) -> dict[str, Any]:
         """Get a dictionary containing the attributes from all groups the user belongs to,
@@ -261,12 +271,14 @@ class User(SerializerModel, GuardianUserMixin, AbstractUser):
         return get_avatar(self)
 
     class Meta:
-        permissions = (
-            ("reset_user_password", "Reset Password"),
-            ("impersonate", "Can impersonate other users"),
-        )
         verbose_name = _("User")
         verbose_name_plural = _("Users")
+        permissions = [
+            ("reset_user_password", _("Reset Password")),
+            ("impersonate", _("Can impersonate other users")),
+            ("assign_user_permissions", _("Can assign permissions to users")),
+            ("unassign_user_permissions", _("Can unassign permissions from users")),
+        ]
 
 
 class Provider(SerializerModel):
@@ -675,7 +687,7 @@ class Token(SerializerModel, ManagedModel, ExpiringModel):
             models.Index(fields=["identifier"]),
             models.Index(fields=["key"]),
         ]
-        permissions = (("view_token_key", "View token's key"),)
+        permissions = [("view_token_key", _("View token's key"))]
 
 
 class PropertyMapping(SerializerModel, ManagedModel):

authentik/core/signals.py

@@ -7,6 +7,7 @@ from django.db.models import Model
 from django.db.models.signals import post_save, pre_delete, pre_save
 from django.dispatch import receiver
 from django.http.request import HttpRequest
+from structlog.stdlib import get_logger
 
 from authentik.core.models import Application, AuthenticatedSession, BackchannelProvider, User
 
@@ -15,6 +16,8 @@ password_changed = Signal()
 # Arguments: credentials: dict[str, any], request: HttpRequest, stage: Stage
 login_failed = Signal()
 
+LOGGER = get_logger()
+
 
 @receiver(post_save, sender=Application)
 def post_save_application(sender: type[Model], instance, created: bool, **_):

authentik/core/tests/utils.py

@@ -21,10 +21,9 @@ def create_test_flow(
     )
 
 
-def create_test_admin_user(name: Optional[str] = None, **kwargs) -> User:
+def create_test_user(name: Optional[str] = None, **kwargs) -> User:
-    """Generate a test-admin user"""
+    """Generate a test user"""
     uid = generate_id(20) if not name else name
-    group = Group.objects.create(name=uid, is_superuser=True)
     kwargs.setdefault("email", f"{uid}@goauthentik.io")
     kwargs.setdefault("username", uid)
     user: User = User.objects.create(
@@ -33,6 +32,13 @@ def create_test_admin_user(name: Optional[str] = None, **kwargs) -> User:
     )
     user.set_password(uid)
     user.save()
+    return user
+
+
+def create_test_admin_user(name: Optional[str] = None, **kwargs) -> User:
+    """Generate a test-admin user"""
+    user = create_test_user(name, **kwargs)
+    group = Group.objects.create(name=user.name or name, is_superuser=True)
     group.users.add(user)
     return user
 

authentik/enterprise/api.py

@@ -6,7 +6,7 @@ from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import extend_schema, inline_serializer
 from rest_framework.decorators import action
 from rest_framework.fields import BooleanField, CharField, DateTimeField, IntegerField
-from rest_framework.permissions import IsAdminUser, IsAuthenticated
+from rest_framework.permissions import IsAuthenticated
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import ModelSerializer
@@ -84,7 +84,7 @@ class LicenseViewSet(UsedByMixin, ModelViewSet):
             200: inline_serializer("InstallIDSerializer", {"install_id": CharField(required=True)}),
         },
     )
-    @action(detail=False, methods=["GET"], permission_classes=[IsAdminUser])
+    @action(detail=False, methods=["GET"])
     def get_install_id(self, request: Request) -> Response:
         """Get install_id"""
         return Response(

authentik/enterprise/migrations/0002_rename_users_license_internal_users_and_more.py

@@ -33,4 +33,8 @@ class Migration(migrations.Migration):
                 "verbose_name_plural": "License Usage Records",
             },
         ),
+        migrations.AlterModelOptions(
+            name="license",
+            options={"verbose_name": "License", "verbose_name_plural": "Licenses"},
+        ),
     ]

authentik/enterprise/models.py

@@ -19,8 +19,10 @@ from django.utils.translation import gettext as _
 from guardian.shortcuts import get_anonymous_user
 from jwt import PyJWTError, decode, get_unverified_header
 from rest_framework.exceptions import ValidationError
+from rest_framework.serializers import BaseSerializer
 
 from authentik.core.models import ExpiringModel, User, UserTypes
+from authentik.lib.models import SerializerModel
 from authentik.root.install_id import get_install_id
 
 
@@ -151,7 +153,7 @@ class LicenseKey:
         return usage.record_date
 
 
-class License(models.Model):
+class License(SerializerModel):
     """An authentik enterprise license"""
 
     license_uuid = models.UUIDField(primary_key=True, editable=False, default=uuid4)
@@ -162,6 +164,12 @@ class License(models.Model):
     internal_users = models.BigIntegerField()
     external_users = models.BigIntegerField()
 
+    @property
+    def serializer(self) -> type[BaseSerializer]:
+        from authentik.enterprise.api import LicenseSerializer
+
+        return LicenseSerializer
+
     @property
     def status(self) -> LicenseKey:
         """Get parsed license status"""
@@ -169,6 +177,8 @@ class License(models.Model):
 
     class Meta:
         indexes = (HashIndex(fields=("key",)),)
+        verbose_name = _("License")
+        verbose_name_plural = _("Licenses")
 
 
 def usage_expiry():

authentik/flows/api/bindings.py

@@ -45,3 +45,4 @@ class FlowStageBindingViewSet(UsedByMixin, ModelViewSet):
     serializer_class = FlowStageBindingSerializer
     filterset_fields = "__all__"
     search_fields = ["stage__name"]
+    ordering = ["order"]

authentik/flows/challenge.py

@@ -132,13 +132,6 @@ class PermissionDict(TypedDict):
     name: str
 
 
-class PermissionSerializer(PassiveSerializer):
-    """Permission used for consent"""
-
-    name = CharField(allow_blank=True)
-    id = CharField()
-
-
 class ChallengeResponse(PassiveSerializer):
     """Base class for all challenge responses"""
 

authentik/flows/migrations/0026_alter_flow_options.py

@@ -0,0 +1,25 @@
+# Generated by Django 4.2.6 on 2023-10-10 17:18
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("authentik_flows", "0025_alter_flowstagebinding_evaluate_on_plan_and_more"),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name="flow",
+            options={
+                "permissions": [
+                    ("export_flow", "Can export a Flow"),
+                    ("inspect_flow", "Can inspect a Flow's execution"),
+                    ("view_flow_cache", "View Flow's cache metrics"),
+                    ("clear_flow_cache", "Clear Flow's cache metrics"),
+                ],
+                "verbose_name": "Flow",
+                "verbose_name_plural": "Flows",
+            },
+        ),
+    ]

authentik/flows/models.py

@@ -194,9 +194,10 @@ class Flow(SerializerModel, PolicyBindingModel):
         verbose_name_plural = _("Flows")
 
         permissions = [
-            ("export_flow", "Can export a Flow"),
+            ("export_flow", _("Can export a Flow")),
-            ("view_flow_cache", "View Flow's cache metrics"),
+            ("inspect_flow", _("Can inspect a Flow's execution")),
-            ("clear_flow_cache", "Clear Flow's cache metrics"),
+            ("view_flow_cache", _("View Flow's cache metrics")),
+            ("clear_flow_cache", _("Clear Flow's cache metrics")),
         ]
 
 

authentik/flows/views/inspector.py

@@ -3,6 +3,7 @@ from hashlib import sha256
 from typing import Any
 
 from django.conf import settings
+from django.http import Http404
 from django.http.request import HttpRequest
 from django.http.response import HttpResponse
 from django.shortcuts import get_object_or_404
@@ -11,7 +12,6 @@ from django.views.decorators.clickjacking import xframe_options_sameorigin
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiResponse, extend_schema
 from rest_framework.fields import BooleanField, ListField, SerializerMethodField
-from rest_framework.permissions import IsAdminUser
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.views import APIView
@@ -68,21 +68,19 @@ class FlowInspectionSerializer(PassiveSerializer):
 class FlowInspectorView(APIView):
     """Flow inspector API"""
 
-    permission_classes = [IsAdminUser]
-
     flow: Flow
     _logger: BoundLogger
-
+    permission_classes = []
-    def check_permissions(self, request):
-        """Always allow access when in debug mode"""
-        if settings.DEBUG:
-            return None
-        return super().check_permissions(request)
 
     def setup(self, request: HttpRequest, flow_slug: str):
         super().setup(request, flow_slug=flow_slug)
-        self.flow = get_object_or_404(Flow.objects.select_related(), slug=flow_slug)
         self._logger = get_logger().bind(flow_slug=flow_slug)
+        self.flow = get_object_or_404(Flow.objects.select_related(), slug=flow_slug)
+        if settings.DEBUG:
+            return
+        if request.user.has_perm("authentik_flow.inspect_flow", self.flow):
+            return
+        raise Http404
 
     @extend_schema(
         responses={

authentik/lib/validators.py

@@ -0,0 +1,32 @@
+"""Serializer validators"""
+from typing import Optional
+
+from django.utils.translation import gettext_lazy as _
+from rest_framework.exceptions import ValidationError
+from rest_framework.serializers import Serializer
+from rest_framework.utils.representation import smart_repr
+
+
+class RequiredTogetherValidator:
+    """Serializer-level validator that ensures all fields in `fields` are only
+    used together"""
+
+    fields: list[str]
+    requires_context = True
+    message = _("The fields {field_names} must be used together.")
+
+    def __init__(self, fields: list[str], message: Optional[str] = None) -> None:
+        self.fields = fields
+        self.message = message or self.message
+
+    def __call__(self, attrs: dict, serializer: Serializer):
+        """Check that if any of the fields in `self.fields` are set, all of them must be set"""
+        if any(field in attrs for field in self.fields) and not all(
+            field in attrs for field in self.fields
+        ):
+            field_names = ", ".join(self.fields)
+            message = self.message.format(field_names=field_names)
+            raise ValidationError(message, code="required")
+
+    def __repr__(self):
+        return "<%s(fields=%s)>" % (self.__class__.__name__, smart_repr(self.fields))

authentik/outposts/consumer.py

@@ -4,6 +4,7 @@ from datetime import datetime
 from enum import IntEnum
 from typing import Any, Optional
 
+from asgiref.sync import async_to_sync
 from channels.exceptions import DenyConnection
 from dacite.core import from_dict
 from dacite.data import Data
@@ -14,6 +15,8 @@ from authentik.core.channels import AuthJsonConsumer
 from authentik.outposts.apps import GAUGE_OUTPOSTS_CONNECTED, GAUGE_OUTPOSTS_LAST_UPDATE
 from authentik.outposts.models import OUTPOST_HELLO_INTERVAL, Outpost, OutpostState
 
+OUTPOST_GROUP = "group_outpost_%(outpost_pk)s"
+
 
 class WebsocketMessageInstruction(IntEnum):
     """Commands which can be triggered over Websocket"""
@@ -47,8 +50,6 @@ class OutpostConsumer(AuthJsonConsumer):
 
     last_uid: Optional[str] = None
 
-    first_msg = False
-
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
         self.logger = get_logger()
@@ -71,22 +72,26 @@ class OutpostConsumer(AuthJsonConsumer):
             raise DenyConnection()
         self.outpost = outpost
         self.last_uid = self.channel_name
+        async_to_sync(self.channel_layer.group_add)(
+            OUTPOST_GROUP % {"outpost_pk": str(self.outpost.pk)}, self.channel_name
+        )
+        GAUGE_OUTPOSTS_CONNECTED.labels(
+            outpost=self.outpost.name,
+            uid=self.last_uid,
+            expected=self.outpost.config.kubernetes_replicas,
+        ).inc()
 
     def disconnect(self, code):
+        if self.outpost:
+            async_to_sync(self.channel_layer.group_discard)(
+                OUTPOST_GROUP % {"outpost_pk": str(self.outpost.pk)}, self.channel_name
+            )
         if self.outpost and self.last_uid:
-            state = OutpostState.for_instance_uid(self.outpost, self.last_uid)
-            if self.channel_name in state.channel_ids:
-                state.channel_ids.remove(self.channel_name)
-                state.save()
             GAUGE_OUTPOSTS_CONNECTED.labels(
                 outpost=self.outpost.name,
                 uid=self.last_uid,
                 expected=self.outpost.config.kubernetes_replicas,
             ).dec()
-        self.logger.debug(
-            "removed outpost instance from cache",
-            instance_uuid=self.last_uid,
-        )
 
     def receive_json(self, content: Data):
         msg = from_dict(WebsocketMessage, content)
@@ -97,26 +102,13 @@ class OutpostConsumer(AuthJsonConsumer):
             raise DenyConnection()
 
         state = OutpostState.for_instance_uid(self.outpost, uid)
-        if self.channel_name not in state.channel_ids:
-            state.channel_ids.append(self.channel_name)
         state.last_seen = datetime.now()
-        state.hostname = msg.args.get("hostname", "")
+        state.hostname = msg.args.pop("hostname", "")
-
-        if not self.first_msg:
-            GAUGE_OUTPOSTS_CONNECTED.labels(
-                outpost=self.outpost.name,
-                uid=self.last_uid,
-                expected=self.outpost.config.kubernetes_replicas,
-            ).inc()
-            self.logger.debug(
-                "added outpost instance to cache",
-                instance_uuid=self.last_uid,
-            )
-            self.first_msg = True
 
         if msg.instruction == WebsocketMessageInstruction.HELLO:
-            state.version = msg.args.get("version", None)
+            state.version = msg.args.pop("version", None)
-            state.build_hash = msg.args.get("buildHash", "")
+            state.build_hash = msg.args.pop("buildHash", "")
+            state.args = msg.args
         elif msg.instruction == WebsocketMessageInstruction.ACK:
             return
         GAUGE_OUTPOSTS_LAST_UPDATE.labels(

authentik/outposts/migrations/0020_alter_outpost_type.py

@@ -28,4 +28,8 @@ class Migration(migrations.Migration):
                 verbose_name="Managed by authentik",
             ),
         ),
+        migrations.AlterModelOptions(
+            name="outpost",
+            options={"verbose_name": "Outpost", "verbose_name_plural": "Outposts"},
+        ),
     ]

authentik/outposts/models.py

@@ -405,18 +405,22 @@ class Outpost(SerializerModel, ManagedModel):
     def __str__(self) -> str:
         return f"Outpost {self.name}"
 
+    class Meta:
+        verbose_name = _("Outpost")
+        verbose_name_plural = _("Outposts")
+
 
 @dataclass
 class OutpostState:
     """Outpost instance state, last_seen and version"""
 
     uid: str
-    channel_ids: list[str] = field(default_factory=list)
     last_seen: Optional[datetime] = field(default=None)
     version: Optional[str] = field(default=None)
     version_should: Version = field(default=OUR_VERSION)
     build_hash: str = field(default="")
     hostname: str = field(default="")
+    args: dict = field(default_factory=dict)
 
     _outpost: Optional[Outpost] = field(default=None)
 

authentik/outposts/tasks.py

@@ -25,6 +25,7 @@ from authentik.events.monitored_tasks import (
 )
 from authentik.lib.config import CONFIG
 from authentik.lib.utils.reflection import path_to_class
+from authentik.outposts.consumer import OUTPOST_GROUP
 from authentik.outposts.controllers.base import BaseController, ControllerException
 from authentik.outposts.controllers.docker import DockerClient
 from authentik.outposts.controllers.kubernetes import KubernetesClient
@@ -34,7 +35,6 @@ from authentik.outposts.models import (
     Outpost,
     OutpostModel,
     OutpostServiceConnection,
-    OutpostState,
     OutpostType,
     ServiceConnectionInvalid,
 )
@@ -243,10 +243,9 @@ def _outpost_single_update(outpost: Outpost, layer=None):
     outpost.build_user_permissions(outpost.user)
     if not layer:  # pragma: no cover
         layer = get_channel_layer()
-    for state in OutpostState.for_outpost(outpost):
+    group = OUTPOST_GROUP % {"outpost_pk": str(outpost.pk)}
-        for channel in state.channel_ids:
+    LOGGER.debug("sending update", channel=group, outpost=outpost)
-            LOGGER.debug("sending update", channel=channel, instance=state.uid, outpost=outpost)
+    async_to_sync(layer.group_send)(group, {"type": "event.update"})
-            async_to_sync(layer.send)(channel, {"type": "event.update"})
 
 
 @CELERY_APP.task(

authentik/outposts/tests/test_ws.py

@@ -7,7 +7,7 @@ from django.test import TransactionTestCase
 
 from authentik import __version__
 from authentik.core.tests.utils import create_test_flow
-from authentik.outposts.channels import WebsocketMessage, WebsocketMessageInstruction
+from authentik.outposts.consumer import WebsocketMessage, WebsocketMessageInstruction
 from authentik.outposts.models import Outpost, OutpostType
 from authentik.providers.proxy.models import ProxyProvider
 from authentik.root import websocket

authentik/outposts/urls.py

@@ -7,7 +7,7 @@ from authentik.outposts.api.service_connections import (
     KubernetesServiceConnectionViewSet,
     ServiceConnectionViewSet,
 )
-from authentik.outposts.channels import OutpostConsumer
+from authentik.outposts.consumer import OutpostConsumer
 from authentik.root.middleware import ChannelsLoggingMiddleware
 
 websocket_urlpatterns = [

authentik/policies/models.py

@@ -190,8 +190,8 @@ class Policy(SerializerModel, CreatedUpdatedModel):
         verbose_name_plural = _("Policies")
 
         permissions = [
-            ("view_policy_cache", "View Policy's cache metrics"),
+            ("view_policy_cache", _("View Policy's cache metrics")),
-            ("clear_policy_cache", "Clear Policy's cache metrics"),
+            ("clear_policy_cache", _("Clear Policy's cache metrics")),
         ]
 
     class PolicyMeta:

authentik/providers/proxy/tasks.py

@@ -3,7 +3,8 @@ from asgiref.sync import async_to_sync
 from channels.layers import get_channel_layer
 from django.db import DatabaseError, InternalError, ProgrammingError
 
-from authentik.outposts.models import Outpost, OutpostState, OutpostType
+from authentik.outposts.consumer import OUTPOST_GROUP
+from authentik.outposts.models import Outpost, OutpostType
 from authentik.providers.proxy.models import ProxyProvider
 from authentik.root.celery import CELERY_APP
 
@@ -23,10 +24,9 @@ def proxy_on_logout(session_id: str):
     """Update outpost instances connected to a single outpost"""
     layer = get_channel_layer()
     for outpost in Outpost.objects.filter(type=OutpostType.PROXY):
-        for state in OutpostState.for_outpost(outpost):
+        group = OUTPOST_GROUP % {"outpost_pk": str(outpost.pk)}
-            for channel in state.channel_ids:
+        async_to_sync(layer.group_send)(
-                async_to_sync(layer.send)(
+            group,
-                    channel,
             {
                 "type": "event.provider.specific",
                 "sub_type": "logout",

authentik/rbac/api/rbac.py

@@ -0,0 +1,130 @@
+"""common RBAC serializers"""
+from django.apps import apps
+from django.contrib.auth.models import Permission
+from django.db.models import QuerySet
+from django_filters.filters import ModelChoiceFilter
+from django_filters.filterset import FilterSet
+from rest_framework.exceptions import ValidationError
+from rest_framework.fields import (
+    CharField,
+    ChoiceField,
+    ListField,
+    ReadOnlyField,
+    SerializerMethodField,
+)
+from rest_framework.serializers import ModelSerializer
+from rest_framework.viewsets import ReadOnlyModelViewSet
+
+from authentik.core.api.utils import PassiveSerializer
+from authentik.core.models import User
+from authentik.lib.validators import RequiredTogetherValidator
+from authentik.policies.event_matcher.models import model_choices
+from authentik.rbac.models import Role
+
+
+class PermissionSerializer(ModelSerializer):
+    """Global permission"""
+
+    app_label = ReadOnlyField(source="content_type.app_label")
+    app_label_verbose = SerializerMethodField()
+    model = ReadOnlyField(source="content_type.model")
+    model_verbose = SerializerMethodField()
+
+    def get_app_label_verbose(self, instance: Permission) -> str:
+        """Human-readable app label"""
+        return apps.get_app_config(instance.content_type.app_label).verbose_name
+
+    def get_model_verbose(self, instance: Permission) -> str:
+        """Human-readable model name"""
+        return apps.get_model(
+            instance.content_type.app_label, instance.content_type.model
+        )._meta.verbose_name
+
+    class Meta:
+        model = Permission
+        fields = [
+            "id",
+            "name",
+            "codename",
+            "model",
+            "app_label",
+            "app_label_verbose",
+            "model_verbose",
+        ]
+
+
+class PermissionFilter(FilterSet):
+    """Filter permissions"""
+
+    role = ModelChoiceFilter(queryset=Role.objects.all(), method="filter_role")
+    user = ModelChoiceFilter(queryset=User.objects.all())
+
+    def filter_role(self, queryset: QuerySet, name, value: Role) -> QuerySet:
+        """Filter permissions based on role"""
+        return queryset.filter(group__role=value)
+
+    class Meta:
+        model = Permission
+        fields = [
+            "codename",
+            "content_type__model",
+            "content_type__app_label",
+            "role",
+            "user",
+        ]
+
+
+class RBACPermissionViewSet(ReadOnlyModelViewSet):
+    """Read-only list of all permissions, filterable by model and app"""
+
+    queryset = Permission.objects.none()
+    serializer_class = PermissionSerializer
+    ordering = ["name"]
+    filterset_class = PermissionFilter
+    search_fields = [
+        "codename",
+        "content_type__model",
+        "content_type__app_label",
+    ]
+
+    def get_queryset(self) -> QuerySet:
+        return (
+            Permission.objects.all()
+            .select_related("content_type")
+            .filter(
+                content_type__app_label__startswith="authentik",
+            )
+        )
+
+
+class PermissionAssignSerializer(PassiveSerializer):
+    """Request to assign a new permission"""
+
+    permissions = ListField(child=CharField())
+    model = ChoiceField(choices=model_choices(), required=False)
+    object_pk = CharField(required=False)
+
+    validators = [RequiredTogetherValidator(fields=["model", "object_pk"])]
+
+    def validate(self, attrs: dict) -> dict:
+        model_instance = None
+        # Check if we're setting an object-level perm or global
+        model = attrs.get("model")
+        object_pk = attrs.get("object_pk")
+        if model and object_pk:
+            model = apps.get_model(attrs["model"])
+            model_instance = model.objects.filter(pk=attrs["object_pk"]).first()
+        attrs["model_instance"] = model_instance
+        if attrs.get("model"):
+            return attrs
+        permissions = attrs.get("permissions", [])
+        if not all("." in perm for perm in permissions):
+            raise ValidationError(
+                {
+                    "permissions": (
+                        "When assigning global permissions, codename must be given as "
+                        "app_label.codename"
+                    )
+                }
+            )
+        return attrs

authentik/rbac/api/rbac_assigned_by_roles.py

@@ -0,0 +1,123 @@
+"""common RBAC serializers"""
+from django.db.models import Q, QuerySet
+from django.db.transaction import atomic
+from django_filters.filters import CharFilter, ChoiceFilter
+from django_filters.filterset import FilterSet
+from drf_spectacular.utils import OpenApiResponse, extend_schema
+from guardian.models import GroupObjectPermission
+from guardian.shortcuts import assign_perm, remove_perm
+from rest_framework.decorators import action
+from rest_framework.fields import CharField, ReadOnlyField
+from rest_framework.mixins import ListModelMixin
+from rest_framework.request import Request
+from rest_framework.response import Response
+from rest_framework.serializers import ModelSerializer
+from rest_framework.viewsets import GenericViewSet
+
+from authentik.api.decorators import permission_required
+from authentik.core.api.utils import PassiveSerializer
+from authentik.policies.event_matcher.models import model_choices
+from authentik.rbac.api.rbac import PermissionAssignSerializer
+from authentik.rbac.models import Role
+
+
+class RoleObjectPermissionSerializer(ModelSerializer):
+    """Role-bound object level permission"""
+
+    app_label = ReadOnlyField(source="content_type.app_label")
+    model = ReadOnlyField(source="content_type.model")
+    codename = ReadOnlyField(source="permission.codename")
+    name = ReadOnlyField(source="permission.name")
+    object_pk = ReadOnlyField()
+
+    class Meta:
+        model = GroupObjectPermission
+        fields = ["id", "codename", "model", "app_label", "object_pk", "name"]
+
+
+class RoleAssignedObjectPermissionSerializer(PassiveSerializer):
+    """Roles assigned object permission serializer"""
+
+    role_pk = CharField(source="group.role.pk", read_only=True)
+    name = CharField(source="group.name", read_only=True)
+    permissions = RoleObjectPermissionSerializer(
+        many=True, source="group.groupobjectpermission_set"
+    )
+
+    class Meta:
+        model = Role
+        fields = ["role_pk", "name", "permissions"]
+
+
+class RoleAssignedPermissionFilter(FilterSet):
+    """Role Assigned permission filter"""
+
+    model = ChoiceFilter(choices=model_choices(), method="filter_model", required=True)
+    object_pk = CharFilter(method="filter_object_pk")
+
+    def filter_model(self, queryset: QuerySet, name, value: str) -> QuerySet:
+        """Filter by object type"""
+        app, _, model = value.partition(".")
+        return queryset.filter(
+            Q(
+                group__permissions__content_type__app_label=app,
+                group__permissions__content_type__model=model,
+            )
+            | Q(
+                group__groupobjectpermission__permission__content_type__app_label=app,
+                group__groupobjectpermission__permission__content_type__model=model,
+            )
+        ).distinct()
+
+    def filter_object_pk(self, queryset: QuerySet, name, value: str) -> QuerySet:
+        """Filter by object primary key"""
+        return queryset.filter(Q(group__groupobjectpermission__object_pk=value)).distinct()
+
+
+class RoleAssignedPermissionViewSet(ListModelMixin, GenericViewSet):
+    """Get assigned object permissions for a single object"""
+
+    serializer_class = RoleAssignedObjectPermissionSerializer
+    ordering = ["name"]
+    # The filtering is done in the filterset,
+    # which has a required filter that does the heavy lifting
+    queryset = Role.objects.all()
+    filterset_class = RoleAssignedPermissionFilter
+
+    @permission_required("authentik_rbac.assign_role_permissions")
+    @extend_schema(
+        request=PermissionAssignSerializer(),
+        responses={
+            204: OpenApiResponse(description="Successfully assigned"),
+        },
+    )
+    @action(methods=["POST"], detail=True, pagination_class=None, filter_backends=[])
+    def assign(self, request: Request, *args, **kwargs) -> Response:
+        """Assign permission(s) to role. When `object_pk` is set, the permissions
+        are only assigned to the specific object, otherwise they are assigned globally."""
+        role: Role = self.get_object()
+        data = PermissionAssignSerializer(data=request.data)
+        data.is_valid(raise_exception=True)
+        with atomic():
+            for perm in data.validated_data["permissions"]:
+                assign_perm(perm, role.group, data.validated_data["model_instance"])
+        return Response(status=204)
+
+    @permission_required("authentik_rbac.unassign_role_permissions")
+    @extend_schema(
+        request=PermissionAssignSerializer(),
+        responses={
+            204: OpenApiResponse(description="Successfully unassigned"),
+        },
+    )
+    @action(methods=["PATCH"], detail=True, pagination_class=None, filter_backends=[])
+    def unassign(self, request: Request, *args, **kwargs) -> Response:
+        """Unassign permission(s) to role. When `object_pk` is set, the permissions
+        are only assigned to the specific object, otherwise they are assigned globally."""
+        role: Role = self.get_object()
+        data = PermissionAssignSerializer(data=request.data)
+        data.is_valid(raise_exception=True)
+        with atomic():
+            for perm in data.validated_data["permissions"]:
+                remove_perm(perm, role.group, data.validated_data["model_instance"])
+        return Response(status=204)

authentik/rbac/api/rbac_assigned_by_users.py

@@ -0,0 +1,129 @@
+"""common RBAC serializers"""
+from django.db.models import Q, QuerySet
+from django.db.transaction import atomic
+from django_filters.filters import CharFilter, ChoiceFilter
+from django_filters.filterset import FilterSet
+from drf_spectacular.utils import OpenApiResponse, extend_schema
+from guardian.models import UserObjectPermission
+from guardian.shortcuts import assign_perm, remove_perm
+from rest_framework.decorators import action
+from rest_framework.exceptions import ValidationError
+from rest_framework.fields import BooleanField, ReadOnlyField
+from rest_framework.mixins import ListModelMixin
+from rest_framework.request import Request
+from rest_framework.response import Response
+from rest_framework.serializers import ModelSerializer
+from rest_framework.viewsets import GenericViewSet
+
+from authentik.api.decorators import permission_required
+from authentik.core.api.groups import GroupMemberSerializer
+from authentik.core.models import User, UserTypes
+from authentik.policies.event_matcher.models import model_choices
+from authentik.rbac.api.rbac import PermissionAssignSerializer
+
+
+class UserObjectPermissionSerializer(ModelSerializer):
+    """User-bound object level permission"""
+
+    app_label = ReadOnlyField(source="content_type.app_label")
+    model = ReadOnlyField(source="content_type.model")
+    codename = ReadOnlyField(source="permission.codename")
+    name = ReadOnlyField(source="permission.name")
+    object_pk = ReadOnlyField()
+
+    class Meta:
+        model = UserObjectPermission
+        fields = ["id", "codename", "model", "app_label", "object_pk", "name"]
+
+
+class UserAssignedObjectPermissionSerializer(GroupMemberSerializer):
+    """Users assigned object permission serializer"""
+
+    permissions = UserObjectPermissionSerializer(many=True, source="userobjectpermission_set")
+    is_superuser = BooleanField()
+
+    class Meta:
+        model = GroupMemberSerializer.Meta.model
+        fields = GroupMemberSerializer.Meta.fields + ["permissions", "is_superuser"]
+
+
+class UserAssignedPermissionFilter(FilterSet):
+    """Assigned permission filter"""
+
+    model = ChoiceFilter(choices=model_choices(), method="filter_model", required=True)
+    object_pk = CharFilter(method="filter_object_pk")
+
+    def filter_model(self, queryset: QuerySet, name, value: str) -> QuerySet:
+        """Filter by object type"""
+        app, _, model = value.partition(".")
+        return queryset.filter(
+            Q(
+                user_permissions__content_type__app_label=app,
+                user_permissions__content_type__model=model,
+            )
+            | Q(
+                userobjectpermission__permission__content_type__app_label=app,
+                userobjectpermission__permission__content_type__model=model,
+            )
+            | Q(ak_groups__is_superuser=True)
+        ).distinct()
+
+    def filter_object_pk(self, queryset: QuerySet, name, value: str) -> QuerySet:
+        """Filter by object primary key"""
+        return queryset.filter(
+            Q(userobjectpermission__object_pk=value) | Q(ak_groups__is_superuser=True),
+        ).distinct()
+
+
+class UserAssignedPermissionViewSet(ListModelMixin, GenericViewSet):
+    """Get assigned object permissions for a single object"""
+
+    serializer_class = UserAssignedObjectPermissionSerializer
+    ordering = ["username"]
+    # The filtering is done in the filterset,
+    # which has a required filter that does the heavy lifting
+    queryset = User.objects.all()
+    filterset_class = UserAssignedPermissionFilter
+
+    @permission_required("authentik_core.assign_user_permissions")
+    @extend_schema(
+        request=PermissionAssignSerializer(),
+        responses={
+            204: OpenApiResponse(description="Successfully assigned"),
+        },
+    )
+    @action(methods=["POST"], detail=True, pagination_class=None, filter_backends=[])
+    def assign(self, request: Request, *args, **kwargs) -> Response:
+        """Assign permission(s) to user"""
+        user: User = self.get_object()
+        if user.type == UserTypes.INTERNAL_SERVICE_ACCOUNT:
+            raise ValidationError("Permissions cannot be assigned to an internal service account.")
+        data = PermissionAssignSerializer(data=request.data)
+        data.is_valid(raise_exception=True)
+        with atomic():
+            for perm in data.validated_data["permissions"]:
+                assign_perm(perm, user, data.validated_data["model_instance"])
+        return Response(status=204)
+
+    @permission_required("authentik_core.unassign_user_permissions")
+    @extend_schema(
+        request=PermissionAssignSerializer(),
+        responses={
+            204: OpenApiResponse(description="Successfully unassigned"),
+        },
+    )
+    @action(methods=["PATCH"], detail=True, pagination_class=None, filter_backends=[])
+    def unassign(self, request: Request, *args, **kwargs) -> Response:
+        """Unassign permission(s) to user. When `object_pk` is set, the permissions
+        are only assigned to the specific object, otherwise they are assigned globally."""
+        user: User = self.get_object()
+        if user.type == UserTypes.INTERNAL_SERVICE_ACCOUNT:
+            raise ValidationError(
+                "Permissions cannot be unassigned from an internal service account."
+            )
+        data = PermissionAssignSerializer(data=request.data)
+        data.is_valid(raise_exception=True)
+        with atomic():
+            for perm in data.validated_data["permissions"]:
+                remove_perm(perm, user, data.validated_data["model_instance"])
+        return Response(status=204)

authentik/rbac/api/rbac_roles.py

@@ -0,0 +1,71 @@
+"""common RBAC serializers"""
+from typing import Optional
+
+from django.apps import apps
+from django_filters.filters import UUIDFilter
+from django_filters.filterset import FilterSet
+from guardian.models import GroupObjectPermission
+from guardian.shortcuts import get_objects_for_group
+from rest_framework.fields import SerializerMethodField
+from rest_framework.mixins import ListModelMixin
+from rest_framework.viewsets import GenericViewSet
+
+from authentik.api.pagination import SmallerPagination
+from authentik.rbac.api.rbac_assigned_by_roles import RoleObjectPermissionSerializer
+
+
+class ExtraRoleObjectPermissionSerializer(RoleObjectPermissionSerializer):
+    """User permission with additional object-related data"""
+
+    app_label_verbose = SerializerMethodField()
+    model_verbose = SerializerMethodField()
+
+    object_description = SerializerMethodField()
+
+    def get_app_label_verbose(self, instance: GroupObjectPermission) -> str:
+        """Get app label from permission's model"""
+        return apps.get_app_config(instance.content_type.app_label).verbose_name
+
+    def get_model_verbose(self, instance: GroupObjectPermission) -> str:
+        """Get model label from permission's model"""
+        return apps.get_model(
+            instance.content_type.app_label, instance.content_type.model
+        )._meta.verbose_name
+
+    def get_object_description(self, instance: GroupObjectPermission) -> Optional[str]:
+        """Get model description from attached model. This operation takes at least
+        one additional query, and the description is only shown if the user/role has the
+        view_ permission on the object"""
+        app_label = instance.content_type.app_label
+        model = instance.content_type.model
+        model_class = apps.get_model(app_label, model)
+        objects = get_objects_for_group(instance.group, f"{app_label}.view_{model}", model_class)
+        obj = objects.first()
+        if not obj:
+            return None
+        return str(obj)
+
+    class Meta(RoleObjectPermissionSerializer.Meta):
+        fields = RoleObjectPermissionSerializer.Meta.fields + [
+            "app_label_verbose",
+            "model_verbose",
+            "object_description",
+        ]
+
+
+class RolePermissionFilter(FilterSet):
+    """Role permission filter"""
+
+    uuid = UUIDFilter("group__role__uuid", required=True)
+
+
+class RolePermissionViewSet(ListModelMixin, GenericViewSet):
+    """Get a role's assigned object permissions"""
+
+    serializer_class = ExtraRoleObjectPermissionSerializer
+    ordering = ["group__role__name"]
+    pagination_class = SmallerPagination
+    # The filtering is done in the filterset,
+    # which has a required filter that does the heavy lifting
+    queryset = GroupObjectPermission.objects.select_related("content_type", "group__role").all()
+    filterset_class = RolePermissionFilter

authentik/rbac/api/rbac_users.py

@@ -0,0 +1,71 @@
+"""common RBAC serializers"""
+from typing import Optional
+
+from django.apps import apps
+from django_filters.filters import NumberFilter
+from django_filters.filterset import FilterSet
+from guardian.models import UserObjectPermission
+from guardian.shortcuts import get_objects_for_user
+from rest_framework.fields import SerializerMethodField
+from rest_framework.mixins import ListModelMixin
+from rest_framework.viewsets import GenericViewSet
+
+from authentik.api.pagination import SmallerPagination
+from authentik.rbac.api.rbac_assigned_by_users import UserObjectPermissionSerializer
+
+
+class ExtraUserObjectPermissionSerializer(UserObjectPermissionSerializer):
+    """User permission with additional object-related data"""
+
+    app_label_verbose = SerializerMethodField()
+    model_verbose = SerializerMethodField()
+
+    object_description = SerializerMethodField()
+
+    def get_app_label_verbose(self, instance: UserObjectPermission) -> str:
+        """Get app label from permission's model"""
+        return apps.get_app_config(instance.content_type.app_label).verbose_name
+
+    def get_model_verbose(self, instance: UserObjectPermission) -> str:
+        """Get model label from permission's model"""
+        return apps.get_model(
+            instance.content_type.app_label, instance.content_type.model
+        )._meta.verbose_name
+
+    def get_object_description(self, instance: UserObjectPermission) -> Optional[str]:
+        """Get model description from attached model. This operation takes at least
+        one additional query, and the description is only shown if the user/role has the
+        view_ permission on the object"""
+        app_label = instance.content_type.app_label
+        model = instance.content_type.model
+        model_class = apps.get_model(app_label, model)
+        objects = get_objects_for_user(instance.user, f"{app_label}.view_{model}", model_class)
+        obj = objects.first()
+        if not obj:
+            return None
+        return str(obj)
+
+    class Meta(UserObjectPermissionSerializer.Meta):
+        fields = UserObjectPermissionSerializer.Meta.fields + [
+            "app_label_verbose",
+            "model_verbose",
+            "object_description",
+        ]
+
+
+class UserPermissionFilter(FilterSet):
+    """User-assigned permission filter"""
+
+    user_id = NumberFilter("user__id", required=True)
+
+
+class UserPermissionViewSet(ListModelMixin, GenericViewSet):
+    """Get a users's assigned object permissions"""
+
+    serializer_class = ExtraUserObjectPermissionSerializer
+    ordering = ["user__username"]
+    pagination_class = SmallerPagination
+    # The filtering is done in the filterset,
+    # which has a required filter that does the heavy lifting
+    queryset = UserObjectPermission.objects.select_related("content_type", "user").all()
+    filterset_class = UserPermissionFilter

authentik/rbac/api/roles.py

@@ -0,0 +1,24 @@
+"""RBAC Roles"""
+from rest_framework.serializers import ModelSerializer
+from rest_framework.viewsets import ModelViewSet
+
+from authentik.core.api.used_by import UsedByMixin
+from authentik.rbac.models import Role
+
+
+class RoleSerializer(ModelSerializer):
+    """Role serializer"""
+
+    class Meta:
+        model = Role
+        fields = ["pk", "name"]
+
+
+class RoleViewSet(UsedByMixin, ModelViewSet):
+    """Role viewset"""
+
+    serializer_class = RoleSerializer
+    queryset = Role.objects.all()
+    search_fields = ["group__name"]
+    ordering = ["group__name"]
+    filterset_fields = ["group__name"]

authentik/rbac/apps.py

@@ -0,0 +1,15 @@
+"""authentik rbac app config"""
+from authentik.blueprints.apps import ManagedAppConfig
+
+
+class AuthentikRBACConfig(ManagedAppConfig):
+    """authentik rbac app config"""
+
+    name = "authentik.rbac"
+    label = "authentik_rbac"
+    verbose_name = "authentik RBAC"
+    default = True
+
+    def reconcile_load_rbac_signals(self):
+        """Load rbac signals"""
+        self.import_module("authentik.rbac.signals")

authentik/rbac/filters.py

@@ -0,0 +1,33 @@
+"""RBAC API Filter"""
+from django.db.models import QuerySet
+from rest_framework.exceptions import PermissionDenied
+from rest_framework.request import Request
+from rest_framework_guardian.filters import ObjectPermissionsFilter
+
+from authentik.core.models import UserTypes
+
+
+class ObjectFilter(ObjectPermissionsFilter):
+    """Object permission filter that grants global permission higher priority than
+    per-object permissions"""
+
+    def filter_queryset(self, request: Request, queryset: QuerySet, view) -> QuerySet:
+        permission = self.perm_format % {
+            "app_label": queryset.model._meta.app_label,
+            "model_name": queryset.model._meta.model_name,
+        }
+        # having the global permission set on a user has higher priority than
+        # per-object permissions
+        if request.user.has_perm(permission):
+            return queryset
+        queryset = super().filter_queryset(request, queryset, view)
+        # Outposts (which are the only objects using internal service accounts)
+        # except requests to return an empty list when they have no objects
+        # assigned
+        if request.user.type == UserTypes.INTERNAL_SERVICE_ACCOUNT:
+            return queryset
+        if not queryset.exists():
+            # User doesn't have direct permission to all objects
+            # and also no object permissions assigned (directly or via role)
+            raise PermissionDenied()
+        return queryset

authentik/rbac/migrations/0001_initial.py

@@ -0,0 +1,47 @@
+# Generated by Django 4.2.6 on 2023-10-11 13:37
+
+import uuid
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    initial = True
+
+    dependencies = [
+        ("auth", "0012_alter_user_first_name_max_length"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="Role",
+            fields=[
+                (
+                    "uuid",
+                    models.UUIDField(
+                        default=uuid.uuid4,
+                        editable=False,
+                        primary_key=True,
+                        serialize=False,
+                        unique=True,
+                    ),
+                ),
+                ("name", models.TextField(max_length=150, unique=True)),
+                (
+                    "group",
+                    models.OneToOneField(
+                        on_delete=django.db.models.deletion.CASCADE, to="auth.group"
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "Role",
+                "verbose_name_plural": "Roles",
+                "permissions": [
+                    ("assign_role_permissions", "Can assign permissions to users"),
+                    ("unassign_role_permissions", "Can unassign permissions from users"),
+                ],
+            },
+        ),
+    ]

authentik/rbac/migrations/0002_systempermission.py

@@ -0,0 +1,35 @@
+# Generated by Django 4.2.6 on 2023-10-12 15:26
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("authentik_rbac", "0001_initial"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="SystemPermission",
+            fields=[
+                (
+                    "id",
+                    models.AutoField(
+                        auto_created=True, primary_key=True, serialize=False, verbose_name="ID"
+                    ),
+                ),
+            ],
+            options={
+                "permissions": [
+                    ("view_system_info", "Can view system info"),
+                    ("view_system_tasks", "Can view system tasks"),
+                    ("run_system_tasks", "Can run system tasks"),
+                    ("access_admin_interface", "Can access admin interface"),
+                ],
+                "verbose_name": "System permission",
+                "verbose_name_plural": "System permissions",
+                "managed": False,
+                "default_permissions": (),
+            },
+        ),
+    ]

authentik/rbac/models.py

@@ -0,0 +1,73 @@
+"""RBAC models"""
+from typing import Optional
+from uuid import uuid4
+
+from django.db import models
+from django.db.transaction import atomic
+from django.utils.translation import gettext_lazy as _
+from guardian.shortcuts import assign_perm
+from rest_framework.serializers import BaseSerializer
+
+from authentik.lib.models import SerializerModel
+
+
+class Role(SerializerModel):
+    """RBAC role, which can have different permissions (both global and per-object) attached
+    to it."""
+
+    uuid = models.UUIDField(default=uuid4, editable=False, unique=True, primary_key=True)
+    # Due to the way django and django-guardian work, this is somewhat of a hack.
+    # Django and django-guardian allow for setting permissions on users and groups, but they
+    # only allow for a custom user object, not a custom group object, which is why
+    # we have both authentik and django groups. With this model, we use the inbuilt group system
+    # for RBAC. This means that every Role needs a single django group that its assigned to
+    # which will hold all of the actual permissions
+    # The main advantage of that is that all the permission checking just works out of the box,
+    # as these permissions are checked by default by django and most other libraries that build
+    # on top of django
+    group = models.OneToOneField("auth.Group", on_delete=models.CASCADE)
+
+    # name field has the same constraints as the group model
+    name = models.TextField(max_length=150, unique=True)
+
+    def assign_permission(self, *perms: str, obj: Optional[models.Model] = None):
+        """Assign permission to role, can handle multiple permissions,
+        but when assigning multiple permissions to an object the permissions
+        must all belong to the object given"""
+        with atomic():
+            for perm in perms:
+                assign_perm(perm, self.group, obj)
+
+    @property
+    def serializer(self) -> type[BaseSerializer]:
+        from authentik.rbac.api.roles import RoleSerializer
+
+        return RoleSerializer
+
+    def __str__(self) -> str:
+        return f"Role {self.name}"
+
+    class Meta:
+        verbose_name = _("Role")
+        verbose_name_plural = _("Roles")
+        permissions = [
+            ("assign_role_permissions", _("Can assign permissions to users")),
+            ("unassign_role_permissions", _("Can unassign permissions from users")),
+        ]
+
+
+class SystemPermission(models.Model):
+    """System-wide permissions that are not related to any direct
+    database model"""
+
+    class Meta:
+        managed = False
+        default_permissions = ()
+        verbose_name = _("System permission")
+        verbose_name_plural = _("System permissions")
+        permissions = [
+            ("view_system_info", _("Can view system info")),
+            ("view_system_tasks", _("Can view system tasks")),
+            ("run_system_tasks", _("Can run system tasks")),
+            ("access_admin_interface", _("Can access admin interface")),
+        ]

authentik/rbac/permissions.py

@@ -0,0 +1,30 @@
+"""RBAC Permissions"""
+from django.db.models import Model
+from rest_framework.permissions import BasePermission, DjangoObjectPermissions
+from rest_framework.request import Request
+
+
+class ObjectPermissions(DjangoObjectPermissions):
+    """RBAC Permissions"""
+
+    def has_object_permission(self, request: Request, view, obj: Model):
+        queryset = self._queryset(view)
+        model_cls = queryset.model
+        perms = self.get_required_object_permissions(request.method, model_cls)
+        # Rank global permissions higher than per-object permissions
+        if request.user.has_perms(perms):
+            return True
+        return super().has_object_permission(request, view, obj)
+
+
+# pylint: disable=invalid-name
+def HasPermission(*perm: str) -> type[BasePermission]:
+    """Permission checker for any non-object permissions, returns
+    a BasePermission class that can be used with rest_framework"""
+
+    # pylint: disable=missing-class-docstring, invalid-name
+    class checker(BasePermission):
+        def has_permission(self, request: Request, view):
+            return bool(request.user and request.user.has_perms(perm))
+
+    return checker

authentik/rbac/signals.py

@@ -0,0 +1,67 @@
+"""rbac signals"""
+from django.contrib.auth.models import Group as DjangoGroup
+from django.db.models.signals import m2m_changed, pre_save
+from django.db.transaction import atomic
+from django.dispatch import receiver
+from structlog.stdlib import get_logger
+
+from authentik.core.models import Group
+from authentik.rbac.models import Role
+
+LOGGER = get_logger()
+
+
+@receiver(pre_save, sender=Role)
+def rbac_role_pre_save(sender: type[Role], instance: Role, **_):
+    """Ensure role has a group object created for it"""
+    if hasattr(instance, "group"):
+        return
+    group, _ = DjangoGroup.objects.get_or_create(name=instance.name)
+    instance.group = group
+
+
+@receiver(m2m_changed, sender=Group.roles.through)
+def rbac_group_role_m2m(sender: type[Group], action: str, instance: Group, reverse: bool, **_):
+    """RBAC: Sync group members into roles when roles are assigned"""
+    if action not in ["post_add", "post_remove", "post_clear"]:
+        return
+    with atomic():
+        group_users = list(
+            instance.children_recursive()
+            .exclude(users__isnull=True)
+            .values_list("users", flat=True)
+        )
+        if not group_users:
+            return
+        for role in instance.roles.all():
+            role: Role
+            role.group.user_set.set(group_users)
+        LOGGER.debug("Updated users in group", group=instance)
+
+
+# pylint: disable=no-member
+@receiver(m2m_changed, sender=Group.users.through)
+def rbac_group_users_m2m(
+    sender: type[Group], action: str, instance: Group, pk_set: set, reverse: bool, **_
+):
+    """Handle Group/User m2m and mirror it to roles"""
+    if action not in ["post_add", "post_remove"]:
+        return
+    # reverse: instance is a Group, pk_set is a list of user pks
+    # non-reverse: instance is a User, pk_set is a list of groups
+    with atomic():
+        if reverse:
+            for role in instance.roles.all():
+                role: Role
+                if action == "post_add":
+                    role.group.user_set.add(*pk_set)
+                elif action == "post_remove":
+                    role.group.user_set.remove(*pk_set)
+        else:
+            for group in Group.objects.filter(pk__in=pk_set):
+                for role in group.roles.all():
+                    role: Role
+                    if action == "post_add":
+                        role.group.user_set.add(instance)
+                    elif action == "post_remove":
+                        role.group.user_set.remove(instance)

authentik/rbac/tests/test_api_assigned_by_roles.py

@@ -0,0 +1,151 @@
+"""Test RoleAssignedPermissionViewSet api"""
+from django.urls import reverse
+from rest_framework.test import APITestCase
+
+from authentik.core.models import Group
+from authentik.core.tests.utils import create_test_admin_user, create_test_user
+from authentik.lib.generators import generate_id
+from authentik.rbac.api.rbac_assigned_by_roles import RoleAssignedObjectPermissionSerializer
+from authentik.rbac.models import Role
+from authentik.stages.invitation.models import Invitation
+
+
+class TestRBACRoleAPI(APITestCase):
+    """Test RoleAssignedPermissionViewSet api"""
+
+    def setUp(self) -> None:
+        self.superuser = create_test_admin_user()
+
+        self.user = create_test_user()
+        self.role = Role.objects.create(name=generate_id())
+        self.group = Group.objects.create(name=generate_id())
+        self.group.roles.add(self.role)
+        self.group.users.add(self.user)
+
+    def test_filter_assigned(self):
+        """Test RoleAssignedPermissionViewSet's filters"""
+        inv = Invitation.objects.create(
+            name=generate_id(),
+            created_by=self.superuser,
+        )
+        self.role.assign_permission("authentik_stages_invitation.view_invitation", obj=inv)
+        # self.user doesn't have permissions to see their (object) permissions
+        self.client.force_login(self.superuser)
+        res = self.client.get(
+            reverse("authentik_api:permissions-assigned-by-roles-list"),
+            {
+                "model": "authentik_stages_invitation.invitation",
+                "object_pk": str(inv.pk),
+                "ordering": "pk",
+            },
+        )
+        self.assertEqual(res.status_code, 200)
+        self.assertJSONEqual(
+            res.content.decode(),
+            {
+                "pagination": {
+                    "next": 0,
+                    "previous": 0,
+                    "count": 1,
+                    "current": 1,
+                    "total_pages": 1,
+                    "start_index": 1,
+                    "end_index": 1,
+                },
+                "results": [
+                    RoleAssignedObjectPermissionSerializer(instance=self.role).data,
+                ],
+            },
+        )
+
+    def test_assign_global(self):
+        """Test permission assign"""
+        self.client.force_login(self.superuser)
+        res = self.client.post(
+            reverse(
+                "authentik_api:permissions-assigned-by-roles-assign",
+                kwargs={
+                    "pk": self.role.pk,
+                },
+            ),
+            {
+                "permissions": ["authentik_stages_invitation.view_invitation"],
+            },
+        )
+        self.assertEqual(res.status_code, 204)
+        self.assertTrue(self.user.has_perm("authentik_stages_invitation.view_invitation"))
+
+    def test_assign_object(self):
+        """Test permission assign (object)"""
+        inv = Invitation.objects.create(
+            name=generate_id(),
+            created_by=self.superuser,
+        )
+        self.client.force_login(self.superuser)
+        res = self.client.post(
+            reverse(
+                "authentik_api:permissions-assigned-by-roles-assign",
+                kwargs={
+                    "pk": self.role.pk,
+                },
+            ),
+            {
+                "permissions": ["authentik_stages_invitation.view_invitation"],
+                "model": "authentik_stages_invitation.invitation",
+                "object_pk": str(inv.pk),
+            },
+        )
+        self.assertEqual(res.status_code, 204)
+        self.assertTrue(
+            self.user.has_perm(
+                "authentik_stages_invitation.view_invitation",
+                inv,
+            )
+        )
+
+    def test_unassign_global(self):
+        """Test permission unassign"""
+        self.role.assign_permission("authentik_stages_invitation.view_invitation")
+        self.client.force_login(self.superuser)
+        res = self.client.patch(
+            reverse(
+                "authentik_api:permissions-assigned-by-roles-unassign",
+                kwargs={
+                    "pk": str(self.role.pk),
+                },
+            ),
+            {
+                "permissions": ["authentik_stages_invitation.view_invitation"],
+            },
+        )
+        self.assertEqual(res.status_code, 204)
+        self.assertFalse(self.user.has_perm("authentik_stages_invitation.view_invitation"))
+
+    def test_unassign_object(self):
+        """Test permission unassign (object)"""
+        inv = Invitation.objects.create(
+            name=generate_id(),
+            created_by=self.superuser,
+        )
+        self.role.assign_permission("authentik_stages_invitation.view_invitation", obj=inv)
+        self.client.force_login(self.superuser)
+        res = self.client.patch(
+            reverse(
+                "authentik_api:permissions-assigned-by-roles-unassign",
+                kwargs={
+                    "pk": str(self.role.pk),
+                },
+            ),
+            {
+                "permissions": ["authentik_stages_invitation.view_invitation"],
+                "model": "authentik_stages_invitation.invitation",
+                "object_pk": str(inv.pk),
+            },
+        )
+        self.assertEqual(res.status_code, 204)
+        self.assertFalse(
+            self.user.has_perm(
+                "authentik_stages_invitation.view_invitation",
+                inv,
+            )
+        )

authentik/rbac/tests/test_api_assigned_by_users.py

@@ -0,0 +1,196 @@
+"""Test UserAssignedPermissionViewSet api"""
+from django.urls import reverse
+from guardian.shortcuts import assign_perm
+from rest_framework.test import APITestCase
+
+from authentik.core.models import Group, UserTypes
+from authentik.core.tests.utils import create_test_admin_user, create_test_user
+from authentik.lib.generators import generate_id
+from authentik.rbac.api.rbac_assigned_by_users import UserAssignedObjectPermissionSerializer
+from authentik.rbac.models import Role
+from authentik.stages.invitation.models import Invitation
+
+
+class TestRBACUserAPI(APITestCase):
+    """Test UserAssignedPermissionViewSet api"""
+
+    def setUp(self) -> None:
+        self.superuser = create_test_admin_user()
+
+        self.user = create_test_user()
+        self.role = Role.objects.create(name=generate_id())
+        self.group = Group.objects.create(name=generate_id())
+        self.group.roles.add(self.role)
+        self.group.users.add(self.user)
+
+    def test_filter_assigned(self):
+        """Test UserAssignedPermissionViewSet's filters"""
+        inv = Invitation.objects.create(
+            name=generate_id(),
+            created_by=self.superuser,
+        )
+        assign_perm("authentik_stages_invitation.view_invitation", self.user, inv)
+        # self.user doesn't have permissions to see their (object) permissions
+        self.client.force_login(self.superuser)
+        res = self.client.get(
+            reverse("authentik_api:permissions-assigned-by-users-list"),
+            {
+                "model": "authentik_stages_invitation.invitation",
+                "object_pk": str(inv.pk),
+                "ordering": "pk",
+            },
+        )
+        self.assertEqual(res.status_code, 200)
+        self.assertJSONEqual(
+            res.content.decode(),
+            {
+                "pagination": {
+                    "next": 0,
+                    "previous": 0,
+                    "count": 2,
+                    "current": 1,
+                    "total_pages": 1,
+                    "start_index": 1,
+                    "end_index": 2,
+                },
+                "results": sorted(
+                    [
+                        UserAssignedObjectPermissionSerializer(instance=self.user).data,
+                        UserAssignedObjectPermissionSerializer(instance=self.superuser).data,
+                    ],
+                    key=lambda u: u["pk"],
+                ),
+            },
+        )
+
+    def test_assign_global(self):
+        """Test permission assign"""
+        self.client.force_login(self.superuser)
+        res = self.client.post(
+            reverse(
+                "authentik_api:permissions-assigned-by-users-assign",
+                kwargs={
+                    "pk": self.user.pk,
+                },
+            ),
+            {
+                "permissions": ["authentik_stages_invitation.view_invitation"],
+            },
+        )
+        self.assertEqual(res.status_code, 204)
+        self.assertTrue(self.user.has_perm("authentik_stages_invitation.view_invitation"))
+
+    def test_assign_global_internal_sa(self):
+        """Test permission assign (to internal service account)"""
+        self.client.force_login(self.superuser)
+        self.user.type = UserTypes.INTERNAL_SERVICE_ACCOUNT
+        self.user.save()
+        res = self.client.post(
+            reverse(
+                "authentik_api:permissions-assigned-by-users-assign",
+                kwargs={
+                    "pk": self.user.pk,
+                },
+            ),
+            {
+                "permissions": ["authentik_stages_invitation.view_invitation"],
+            },
+        )
+        self.assertEqual(res.status_code, 400)
+        self.assertFalse(self.user.has_perm("authentik_stages_invitation.view_invitation"))
+
+    def test_assign_object(self):
+        """Test permission assign (object)"""
+        inv = Invitation.objects.create(
+            name=generate_id(),
+            created_by=self.superuser,
+        )
+        self.client.force_login(self.superuser)
+        res = self.client.post(
+            reverse(
+                "authentik_api:permissions-assigned-by-users-assign",
+                kwargs={
+                    "pk": self.user.pk,
+                },
+            ),
+            {
+                "permissions": ["authentik_stages_invitation.view_invitation"],
+                "model": "authentik_stages_invitation.invitation",
+                "object_pk": str(inv.pk),
+            },
+        )
+        self.assertEqual(res.status_code, 204)
+        self.assertTrue(
+            self.user.has_perm(
+                "authentik_stages_invitation.view_invitation",
+                inv,
+            )
+        )
+
+    def test_unassign_global(self):
+        """Test permission unassign"""
+        assign_perm("authentik_stages_invitation.view_invitation", self.user)
+        self.client.force_login(self.superuser)
+        res = self.client.patch(
+            reverse(
+                "authentik_api:permissions-assigned-by-users-unassign",
+                kwargs={
+                    "pk": self.user.pk,
+                },
+            ),
+            {
+                "permissions": ["authentik_stages_invitation.view_invitation"],
+            },
+        )
+        self.assertEqual(res.status_code, 204)
+        self.assertFalse(self.user.has_perm("authentik_stages_invitation.view_invitation"))
+
+    def test_unassign_global_internal_sa(self):
+        """Test permission unassign (from internal service account)"""
+        self.client.force_login(self.superuser)
+        self.user.type = UserTypes.INTERNAL_SERVICE_ACCOUNT
+        self.user.save()
+        assign_perm("authentik_stages_invitation.view_invitation", self.user)
+        self.client.force_login(self.superuser)
+        res = self.client.patch(
+            reverse(
+                "authentik_api:permissions-assigned-by-users-unassign",
+                kwargs={
+                    "pk": self.user.pk,
+                },
+            ),
+            {
+                "permissions": ["authentik_stages_invitation.view_invitation"],
+            },
+        )
+        self.assertEqual(res.status_code, 400)
+        self.assertTrue(self.user.has_perm("authentik_stages_invitation.view_invitation"))
+
+    def test_unassign_object(self):
+        """Test permission unassign (object)"""
+        inv = Invitation.objects.create(
+            name=generate_id(),
+            created_by=self.superuser,
+        )
+        assign_perm("authentik_stages_invitation.view_invitation", self.user, inv)
+        self.client.force_login(self.superuser)
+        res = self.client.patch(
+            reverse(
+                "authentik_api:permissions-assigned-by-users-unassign",
+                kwargs={
+                    "pk": self.user.pk,
+                },
+            ),
+            {
+                "permissions": ["authentik_stages_invitation.view_invitation"],
+                "model": "authentik_stages_invitation.invitation",
+                "object_pk": str(inv.pk),
+            },
+        )
+        self.assertEqual(res.status_code, 204)
+        self.assertFalse(
+            self.user.has_perm(
+                "authentik_stages_invitation.view_invitation",
+                inv,
+            )
+        )

authentik/rbac/tests/test_api_filters.py

@@ -0,0 +1,122 @@
+"""RBAC role tests"""
+from django.urls import reverse
+from rest_framework.test import APITestCase
+
+from authentik.core.models import Group
+from authentik.core.tests.utils import create_test_admin_user, create_test_user
+from authentik.lib.generators import generate_id
+from authentik.rbac.models import Role
+from authentik.stages.invitation.api import InvitationSerializer
+from authentik.stages.invitation.models import Invitation
+
+
+class TestAPIPerms(APITestCase):
+    """Test API Permission and filtering"""
+
+    def setUp(self) -> None:
+        self.superuser = create_test_admin_user()
+
+        self.user = create_test_user()
+        self.role = Role.objects.create(name=generate_id())
+        self.group = Group.objects.create(name=generate_id())
+        self.group.roles.add(self.role)
+        self.group.users.add(self.user)
+
+    def test_list_simple(self):
+        """Test list (single object, role has global permission)"""
+        self.client.force_login(self.user)
+        self.role.assign_permission("authentik_stages_invitation.view_invitation")
+
+        Invitation.objects.all().delete()
+        inv = Invitation.objects.create(
+            name=generate_id(),
+            created_by=self.superuser,
+        )
+        res = self.client.get(reverse("authentik_api:invitation-list"))
+        self.assertEqual(res.status_code, 200)
+        self.assertJSONEqual(
+            res.content.decode(),
+            {
+                "pagination": {
+                    "next": 0,
+                    "previous": 0,
+                    "count": 1,
+                    "current": 1,
+                    "total_pages": 1,
+                    "start_index": 1,
+                    "end_index": 1,
+                },
+                "results": [
+                    InvitationSerializer(instance=inv).data,
+                ],
+            },
+        )
+
+    def test_list_object_perm(self):
+        """Test list"""
+        self.client.force_login(self.user)
+
+        Invitation.objects.all().delete()
+        Invitation.objects.create(
+            name=generate_id(),
+            created_by=self.superuser,
+        )
+        inv2 = Invitation.objects.create(
+            name=generate_id(),
+            created_by=self.superuser,
+        )
+        self.role.assign_permission("authentik_stages_invitation.view_invitation", obj=inv2)
+
+        res = self.client.get(reverse("authentik_api:invitation-list"))
+        self.assertEqual(res.status_code, 200)
+        self.assertJSONEqual(
+            res.content.decode(),
+            {
+                "pagination": {
+                    "next": 0,
+                    "previous": 0,
+                    "count": 1,
+                    "current": 1,
+                    "total_pages": 1,
+                    "start_index": 1,
+                    "end_index": 1,
+                },
+                "results": [
+                    InvitationSerializer(instance=inv2).data,
+                ],
+            },
+        )
+
+    def test_list_denied(self):
+        """Test list without adding permission"""
+        self.client.force_login(self.user)
+
+        res = self.client.get(reverse("authentik_api:invitation-list"))
+        self.assertEqual(res.status_code, 403)
+        self.assertJSONEqual(
+            res.content.decode(),
+            {"detail": "You do not have permission to perform this action."},
+        )
+
+    def test_create_simple(self):
+        """Test create with permission"""
+        self.client.force_login(self.user)
+        self.role.assign_permission("authentik_stages_invitation.add_invitation")
+        res = self.client.post(
+            reverse("authentik_api:invitation-list"),
+            data={
+                "name": generate_id(),
+            },
+        )
+        self.assertEqual(res.status_code, 201)
+
+    def test_create_simple_denied(self):
+        """Test create without assigning permission"""
+        self.client.force_login(self.user)
+        res = self.client.post(
+            reverse("authentik_api:invitation-list"),
+            data={
+                "name": generate_id(),
+            },
+        )
+        self.assertEqual(res.status_code, 403)

authentik/rbac/tests/test_roles.py

@@ -0,0 +1,35 @@
+"""RBAC role tests"""
+from rest_framework.test import APITestCase
+
+from authentik.core.models import Group
+from authentik.core.tests.utils import create_test_admin_user
+from authentik.lib.generators import generate_id
+from authentik.rbac.models import Role
+
+
+class TestRoles(APITestCase):
+    """Test roles"""
+
+    def test_role_create(self):
+        """Test creation"""
+        user = create_test_admin_user()
+        group = Group.objects.create(name=generate_id())
+        role = Role.objects.create(name=generate_id())
+        role.assign_permission("authentik_core.view_application")
+        group.roles.add(role)
+        group.users.add(user)
+        self.assertEqual(list(role.group.user_set.all()), [user])
+        self.assertTrue(user.has_perm("authentik_core.view_application"))
+
+    def test_role_create_remove(self):
+        """Test creation and remove"""
+        user = create_test_admin_user()
+        group = Group.objects.create(name=generate_id())
+        role = Role.objects.create(name=generate_id())
+        role.assign_permission("authentik_core.view_application")
+        group.roles.add(role)
+        group.users.add(user)
+        self.assertEqual(list(role.group.user_set.all()), [user])
+        self.assertTrue(user.has_perm("authentik_core.view_application"))
+        user.delete()
+        self.assertEqual(list(role.group.user_set.all()), [])

authentik/rbac/urls.py

@@ -0,0 +1,24 @@
+"""RBAC API urls"""
+from authentik.rbac.api.rbac import RBACPermissionViewSet
+from authentik.rbac.api.rbac_assigned_by_roles import RoleAssignedPermissionViewSet
+from authentik.rbac.api.rbac_assigned_by_users import UserAssignedPermissionViewSet
+from authentik.rbac.api.rbac_roles import RolePermissionViewSet
+from authentik.rbac.api.rbac_users import UserPermissionViewSet
+from authentik.rbac.api.roles import RoleViewSet
+
+api_urlpatterns = [
+    (
+        "rbac/permissions/assigned_by_users",
+        UserAssignedPermissionViewSet,
+        "permissions-assigned-by-users",
+    ),
+    (
+        "rbac/permissions/assigned_by_roles",
+        RoleAssignedPermissionViewSet,
+        "permissions-assigned-by-roles",
+    ),
+    ("rbac/permissions/users", UserPermissionViewSet, "permissions-users"),
+    ("rbac/permissions/roles", RolePermissionViewSet, "permissions-roles"),
+    ("rbac/permissions", RBACPermissionViewSet),
+    ("rbac/roles", RoleViewSet),
+]

authentik/root/settings.py

@@ -77,6 +77,7 @@ INSTALLED_APPS = [
     "authentik.providers.radius",
     "authentik.providers.saml",
     "authentik.providers.scim",
+    "authentik.rbac",
     "authentik.recovery",
     "authentik.sources.ldap",
     "authentik.sources.oauth",
@@ -156,7 +157,7 @@ REST_FRAMEWORK = {
     "DEFAULT_PAGINATION_CLASS": "authentik.api.pagination.Pagination",
     "PAGE_SIZE": 100,
     "DEFAULT_FILTER_BACKENDS": [
-        "rest_framework_guardian.filters.ObjectPermissionsFilter",
+        "authentik.rbac.filters.ObjectFilter",
         "django_filters.rest_framework.DjangoFilterBackend",
         "rest_framework.filters.OrderingFilter",
         "rest_framework.filters.SearchFilter",
@@ -164,7 +165,7 @@ REST_FRAMEWORK = {
     "DEFAULT_PARSER_CLASSES": [
         "rest_framework.parsers.JSONParser",
     ],
-    "DEFAULT_PERMISSION_CLASSES": ("rest_framework.permissions.DjangoObjectPermissions",),
+    "DEFAULT_PERMISSION_CLASSES": ("authentik.rbac.permissions.ObjectPermissions",),
     "DEFAULT_AUTHENTICATION_CLASSES": (
         "authentik.api.authentication.TokenAuthentication",
         "rest_framework.authentication.SessionAuthentication",
@@ -253,10 +254,10 @@ ASGI_APPLICATION = "authentik.root.asgi.application"
 
 CHANNEL_LAYERS = {
     "default": {
-        "BACKEND": "channels_redis.core.RedisChannelLayer",
+        "BACKEND": "channels_redis.pubsub.RedisPubSubChannelLayer",
         "CONFIG": {
             "hosts": [f"{_redis_url}/{CONFIG.get('redis.db')}"],
-            "prefix": "authentik_channels",
+            "prefix": "authentik_channels_",
         },
     },
 }
@@ -410,6 +411,9 @@ if DEBUG:
     INSTALLED_APPS.append("silk")
     SILKY_PYTHON_PROFILER = True
     MIDDLEWARE = ["silk.middleware.SilkyMiddleware"] + MIDDLEWARE
+    REST_FRAMEWORK["DEFAULT_RENDERER_CLASSES"].append(
+        "rest_framework.renderers.BrowsableAPIRenderer"
+    )
 
 INSTALLED_APPS.append("authentik.core")
 

authentik/sources/ldap/password.py

@@ -49,6 +49,11 @@ class LDAPPasswordChanger:
         self._source = source
         self._connection = source.connection()
 
+    @staticmethod
+    def should_check_user(user: User) -> bool:
+        """Check if the user has LDAP parameters and needs to be checked"""
+        return LDAP_DISTINGUISHED_NAME in user.attributes
+
     def get_domain_root_dn(self) -> str:
         """Attempt to get root DN via MS specific fields or generic LDAP fields"""
         info = self._connection.server.info

authentik/sources/ldap/signals.py

@@ -41,11 +41,12 @@ def ldap_password_validate(sender, password: str, plan_context: dict[str, Any],
     if not sources.exists():
         return
     source = sources.first()
+    user = plan_context.get(PLAN_CONTEXT_PENDING_USER, None)
+    if user and not LDAPPasswordChanger.should_check_user(user):
+        return
     changer = LDAPPasswordChanger(source)
     if changer.check_ad_password_complexity_enabled():
-        passing = changer.ad_password_complexity(
+        passing = changer.ad_password_complexity(password, user)
-            password, plan_context.get(PLAN_CONTEXT_PENDING_USER, None)
-        )
         if not passing:
             raise ValidationError(_("Password does not match Active Directory Complexity."))
 
@@ -57,6 +58,8 @@ def ldap_sync_password(sender, user: User, password: str, **_):
     if not sources.exists():
         return
     source = sources.first()
+    if not LDAPPasswordChanger.should_check_user(user):
+        return
     try:
         changer = LDAPPasswordChanger(source)
         changer.change_password(user, password)

authentik/sources/ldap/tasks.py

@@ -32,7 +32,7 @@ CACHE_KEY_PREFIX = "goauthentik.io/sources/ldap/page/"
 def ldap_sync_all():
     """Sync all sources"""
     for source in LDAPSource.objects.filter(enabled=True):
-        ldap_sync_single(source.pk)
+        ldap_sync_single.apply_async(args=[source.pk])
 
 
 @CELERY_APP.task(

authentik/stages/authenticator_static/migrations/0009_throttling.py

@@ -30,4 +30,12 @@ class Migration(migrations.Migration):
             name="staticdevice",
             options={"verbose_name": "Static device", "verbose_name_plural": "Static devices"},
         ),
+        migrations.AlterModelOptions(
+            name="staticdevice",
+            options={"verbose_name": "Static Device", "verbose_name_plural": "Static Devices"},
+        ),
+        migrations.AlterModelOptions(
+            name="statictoken",
+            options={"verbose_name": "Static Token", "verbose_name_plural": "Static Tokens"},
+        ),
     ]

authentik/stages/authenticator_static/models.py

@@ -95,8 +95,8 @@ class StaticDevice(SerializerModel, ThrottlingMixin, Device):
         return match is not None
 
     class Meta(Device.Meta):
-        verbose_name = _("Static device")
+        verbose_name = _("Static Device")
-        verbose_name_plural = _("Static devices")
+        verbose_name_plural = _("Static Devices")
 
 
 class StaticToken(models.Model):
@@ -124,3 +124,7 @@ class StaticToken(models.Model):
 
         """
         return b32encode(urandom(5)).decode("utf-8").lower()
+
+    class Meta:
+        verbose_name = _("Static Token")
+        verbose_name_plural = _("Static Tokens")

authentik/stages/authenticator_totp/migrations/0010_alter_totpdevice_key.py

@@ -25,4 +25,8 @@ class Migration(migrations.Migration):
             name="totpdevice",
             options={"verbose_name": "TOTP device", "verbose_name_plural": "TOTP devices"},
         ),
+        migrations.AlterModelOptions(
+            name="totpdevice",
+            options={"verbose_name": "TOTP Device", "verbose_name_plural": "TOTP Devices"},
+        ),
     ]

authentik/stages/authenticator_totp/models.py

@@ -241,5 +241,5 @@ class TOTPDevice(SerializerModel, ThrottlingMixin, Device):
         return None
 
     class Meta(Device.Meta):
-        verbose_name = _("TOTP device")
+        verbose_name = _("TOTP Device")
-        verbose_name_plural = _("TOTP devices")
+        verbose_name_plural = _("TOTP Devices")

authentik/stages/consent/stage.py

@@ -6,11 +6,11 @@ from django.http import HttpRequest, HttpResponse
 from django.utils.timezone import now
 from rest_framework.fields import CharField
 
+from authentik.core.api.utils import PassiveSerializer
 from authentik.flows.challenge import (
     Challenge,
     ChallengeResponse,
     ChallengeTypes,
-    PermissionSerializer,
     WithUserInfoChallenge,
 )
 from authentik.flows.planner import PLAN_CONTEXT_APPLICATION, PLAN_CONTEXT_PENDING_USER
@@ -25,12 +25,19 @@ PLAN_CONTEXT_CONSENT_EXTRA_PERMISSIONS = "consent_additional_permissions"
 SESSION_KEY_CONSENT_TOKEN = "authentik/stages/consent/token"  # nosec
 
 
+class ConsentPermissionSerializer(PassiveSerializer):
+    """Permission used for consent"""
+
+    name = CharField(allow_blank=True)
+    id = CharField()
+
+
 class ConsentChallenge(WithUserInfoChallenge):
     """Challenge info for consent screens"""
 
     header_text = CharField(required=False)
-    permissions = PermissionSerializer(many=True)
+    permissions = ConsentPermissionSerializer(many=True)
-    additional_permissions = PermissionSerializer(many=True)
+    additional_permissions = ConsentPermissionSerializer(many=True)
     component = CharField(default="ak-stage-consent")
     token = CharField(required=True)
 

authentik/stages/prompt/api.py

@@ -71,6 +71,7 @@ class PromptViewSet(UsedByMixin, ModelViewSet):
 
     queryset = Prompt.objects.all().prefetch_related("promptstage_set")
     serializer_class = PromptSerializer
+    ordering = ["field_key"]
     filterset_fields = ["field_key", "name", "label", "type", "placeholder"]
     search_fields = ["field_key", "name", "label", "type", "placeholder"]
 

blueprints/schema.json

@@ -1188,6 +1188,43 @@
                             }
                         }
                     },
+                    {
+                        "type": "object",
+                        "required": [
+                            "model",
+                            "identifiers"
+                        ],
+                        "properties": {
+                            "model": {
+                                "const": "authentik_rbac.role"
+                            },
+                            "id": {
+                                "type": "string"
+                            },
+                            "state": {
+                                "type": "string",
+                                "enum": [
+                                    "absent",
+                                    "present",
+                                    "created",
+                                    "must_created"
+                                ],
+                                "default": "present"
+                            },
+                            "conditions": {
+                                "type": "array",
+                                "items": {
+                                    "type": "boolean"
+                                }
+                            },
+                            "attrs": {
+                                "$ref": "#/$defs/model_authentik_rbac.role"
+                            },
+                            "identifiers": {
+                                "$ref": "#/$defs/model_authentik_rbac.role"
+                            }
+                        }
+                    },
                     {
                         "type": "object",
                         "required": [
@@ -2705,6 +2742,43 @@
                             }
                         }
                     },
+                    {
+                        "type": "object",
+                        "required": [
+                            "model",
+                            "identifiers"
+                        ],
+                        "properties": {
+                            "model": {
+                                "const": "authentik_enterprise.license"
+                            },
+                            "id": {
+                                "type": "string"
+                            },
+                            "state": {
+                                "type": "string",
+                                "enum": [
+                                    "absent",
+                                    "present",
+                                    "created",
+                                    "must_created"
+                                ],
+                                "default": "present"
+                            },
+                            "conditions": {
+                                "type": "array",
+                                "items": {
+                                    "type": "boolean"
+                                }
+                            },
+                            "attrs": {
+                                "$ref": "#/$defs/model_authentik_enterprise.license"
+                            },
+                            "identifiers": {
+                                "$ref": "#/$defs/model_authentik_enterprise.license"
+                            }
+                        }
+                    },
                     {
                         "type": "object",
                         "required": [
@@ -3372,6 +3446,7 @@
                         "authentik.providers.radius",
                         "authentik.providers.saml",
                         "authentik.providers.scim",
+                        "authentik.rbac",
                         "authentik.recovery",
                         "authentik.sources.ldap",
                         "authentik.sources.oauth",
@@ -3443,6 +3518,7 @@
                         "authentik_providers_saml.samlpropertymapping",
                         "authentik_providers_scim.scimprovider",
                         "authentik_providers_scim.scimmapping",
+                        "authentik_rbac.role",
                         "authentik_sources_ldap.ldapsource",
                         "authentik_sources_ldap.ldappropertymapping",
                         "authentik_sources_oauth.oauthsource",
@@ -3483,7 +3559,8 @@
                         "authentik_core.group",
                         "authentik_core.user",
                         "authentik_core.application",
-                        "authentik_core.token"
+                        "authentik_core.token",
+                        "authentik_enterprise.license"
                     ],
                     "title": "Model",
                     "description": "Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched."
@@ -4944,6 +5021,18 @@
             },
             "required": []
         },
+        "model_authentik_rbac.role": {
+            "type": "object",
+            "properties": {
+                "name": {
+                    "type": "string",
+                    "maxLength": 150,
+                    "minLength": 1,
+                    "title": "Name"
+                }
+            },
+            "required": []
+        },
         "model_authentik_sources_ldap.ldapsource": {
             "type": "object",
             "properties": {
@@ -8405,6 +8494,13 @@
                     "type": "object",
                     "additionalProperties": true,
                     "title": "Attributes"
+                },
+                "roles": {
+                    "type": "array",
+                    "items": {
+                        "type": "integer"
+                    },
+                    "title": "Roles"
                 }
             },
             "required": []
@@ -8599,6 +8695,17 @@
             },
             "required": []
         },
+        "model_authentik_enterprise.license": {
+            "type": "object",
+            "properties": {
+                "key": {
+                    "type": "string",
+                    "minLength": 1,
+                    "title": "Key"
+                }
+            },
+            "required": []
+        },
         "model_authentik_blueprints.metaapplyblueprint": {
             "type": "object",
             "properties": {

go.mod

@@ -27,7 +27,7 @@ require (
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/cobra v1.7.0
 	github.com/stretchr/testify v1.8.4
-	goauthentik.io/api/v3 v3.2023083.6
+	goauthentik.io/api/v3 v3.2023083.7
 	golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab
 	golang.org/x/oauth2 v0.13.0
 	golang.org/x/sync v0.4.0

go.sum

@@ -355,8 +355,8 @@ go.opentelemetry.io/otel/trace v1.14.0 h1:wp2Mmvj41tDsyAJXiWDWpfNsOiIyd38fy85pyK
 go.opentelemetry.io/otel/trace v1.14.0/go.mod h1:8avnQLK+CG77yNLUae4ea2JDQ6iT+gozhnZjy/rw9G8=
 go.uber.org/goleak v1.2.1 h1:NBol2c7O1ZokfZ0LEU9K6Whx/KnwvepVetCUhtKja4A=
 go.uber.org/goleak v1.2.1/go.mod h1:qlT2yGI9QafXHhZZLxlSuNsMw3FFLxBr+tBRlmO1xH4=
-goauthentik.io/api/v3 v3.2023083.6 h1:VYVnE/3CYhggmobeZ+V3ka0TwswrUhKasxwGPmXTq0M=
+goauthentik.io/api/v3 v3.2023083.7 h1:/nS5Cgg+daTmsHVoFNxANLUQXVsJMAu4U8P7OyxeZf0=
-goauthentik.io/api/v3 v3.2023083.6/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
+goauthentik.io/api/v3 v3.2023083.7/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190422162423-af44ce270edf/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=

internal/outpost/ldap/search/memory/memory.go

@@ -162,7 +162,7 @@ func (ms *MemorySearcher) Search(req *search.Request) (ldap.ServerSearchResult,
 				for _, u := range g.UsersObj {
 					if flag.UserPk == u.Pk {
 						//TODO: Is there a better way to clone this object?
-						fg := api.NewGroup(g.Pk, g.NumPk, g.Name, g.ParentName, []api.GroupMember{u})
+						fg := api.NewGroup(g.Pk, g.NumPk, g.Name, g.ParentName, []api.GroupMember{u}, []api.Role{})
 						fg.SetUsers([]int32{flag.UserPk})
 						if g.Parent.IsSet() {
 							fg.SetParent(*g.Parent.Get())

lifecycle/migrate.py

@@ -81,8 +81,8 @@ if __name__ == "__main__":
     )
     curr = conn.cursor()
     try:
-        for migration in Path(__file__).parent.absolute().glob("system_migrations/*.py"):
+        for migration_path in Path(__file__).parent.absolute().glob("system_migrations/*.py"):
-            spec = spec_from_file_location("lifecycle.system_migrations", migration)
+            spec = spec_from_file_location("lifecycle.system_migrations", migration_path)
             if not spec:
                 continue
             mod = module_from_spec(spec)
@@ -94,9 +94,9 @@ if __name__ == "__main__":
                 migration = sub(curr, conn)
                 if migration.needs_migration():
                     wait_for_lock()
-                    LOGGER.info("Migration needs to be applied", migration=sub)
+                    LOGGER.info("Migration needs to be applied", migration=migration_path.name)
                     migration.run()
-                    LOGGER.info("Migration finished applying", migration=sub)
+                    LOGGER.info("Migration finished applying", migration=migration_path.name)
                     release_lock()
         LOGGER.info("applying django migrations")
         environ.setdefault("DJANGO_SETTINGS_MODULE", "authentik.root.settings")

lifecycle/system_migrations/to_0_10.py

@@ -2,6 +2,7 @@
 from lifecycle.migrate import BaseMigration
 
 SQL_STATEMENT = """
+BEGIN TRANSACTION;
 DELETE FROM django_migrations WHERE app = 'passbook_stages_prompt';
 DROP TABLE passbook_stages_prompt_prompt cascade;
 DROP TABLE passbook_stages_prompt_promptstage cascade;
@@ -22,6 +23,7 @@ DELETE FROM django_migrations WHERE app = 'passbook_flows' AND name = '0008_defa
 DELETE FROM django_migrations WHERE app = 'passbook_flows' AND name = '0009_source_flows';
 DELETE FROM django_migrations WHERE app = 'passbook_flows' AND name = '0010_provider_flows';
 DELETE FROM django_migrations WHERE app = 'passbook_stages_password' AND name = '0002_passwordstage_change_flow';
+COMMIT;
 """
 
 

lifecycle/system_migrations/to_0_13_authentik.py

@@ -4,7 +4,7 @@ from redis import Redis
 from authentik.lib.config import CONFIG
 from lifecycle.migrate import BaseMigration
 
-SQL_STATEMENT = """
+SQL_STATEMENT = """BEGIN TRANSACTION;
 ALTER TABLE passbook_audit_event RENAME TO authentik_audit_event;
 ALTER TABLE passbook_core_application RENAME TO authentik_core_application;
 ALTER TABLE passbook_core_group RENAME TO authentik_core_group;
@@ -92,6 +92,7 @@ ALTER SEQUENCE passbook_stages_prompt_promptstage_validation_policies_id_seq REN
 
 UPDATE django_migrations SET app = replace(app, 'passbook', 'authentik');
 UPDATE django_content_type SET app_label = replace(app_label, 'passbook', 'authentik');
+COMMIT;
 """
 
 

lifecycle/system_migrations/to_0_14_events.py

@@ -1,9 +1,12 @@
 # flake8: noqa
 from lifecycle.migrate import BaseMigration
 
-SQL_STATEMENT = """ALTER TABLE authentik_audit_event RENAME TO authentik_events_event;
+SQL_STATEMENT = """BEGIN TRANSACTION;
+ALTER TABLE authentik_audit_event RENAME TO authentik_events_event;
 UPDATE django_migrations SET app = replace(app, 'authentik_audit', 'authentik_events');
-UPDATE django_content_type SET app_label = replace(app_label, 'authentik_audit', 'authentik_events');"""
+UPDATE django_content_type SET app_label = replace(app_label, 'authentik_audit', 'authentik_events');
+
+COMMIT;"""
 
 
 class Migration(BaseMigration):

lifecycle/system_migrations/to_2021_3_authenticator.py

@@ -2,6 +2,7 @@
 from lifecycle.migrate import BaseMigration
 
 SQL_STATEMENT = """
+BEGIN TRANSACTION;
 ALTER TABLE authentik_stages_otp_static_otpstaticstage RENAME TO authentik_stages_authenticator_static_otpstaticstage;
 UPDATE django_migrations SET app = replace(app, 'authentik_stages_otp_static', 'authentik_stages_authenticator_static');
 UPDATE django_content_type SET app_label = replace(app_label, 'authentik_stages_otp_static', 'authentik_stages_authenticator_static');
@@ -13,6 +14,7 @@ UPDATE django_content_type SET app_label = replace(app_label, 'authentik_stages_
 ALTER TABLE authentik_stages_otp_validate_otpvalidatestage RENAME TO authentik_stages_authenticator_validate_otpvalidatestage;
 UPDATE django_migrations SET app = replace(app, 'authentik_stages_otp_validate', 'authentik_stages_authenticator_validate');
 UPDATE django_content_type SET app_label = replace(app_label, 'authentik_stages_otp_validate', 'authentik_stages_authenticator_validate');
+COMMIT;
 """
 
 

lifecycle/system_migrations/to_2023_1_hibp_remove.py

@@ -1,8 +1,11 @@
 # flake8: noqa
 from lifecycle.migrate import BaseMigration
 
-SQL_STATEMENT = """DROP TABLE "authentik_policies_hibp_haveibeenpwendpolicy";
+SQL_STATEMENT = """
-DELETE FROM django_migrations WHERE app = 'authentik_policies_hibp';"""
+BEGIN TRANSACTION;
+DROP TABLE "authentik_policies_hibp_haveibeenpwendpolicy";
+DELETE FROM django_migrations WHERE app = 'authentik_policies_hibp';
+COMMIT;"""
 
 
 class Migration(BaseMigration):

poetry.lock

@@ -3425,28 +3425,28 @@ pyasn1 = ">=0.1.3"
 
 [[package]]
 name = "ruff"
-version = "0.0.292"
+version = "0.1.0"
 description = "An extremely fast Python linter, written in Rust."
 optional = false
 python-versions = ">=3.7"
 files = [
-    {file = "ruff-0.0.292-py3-none-macosx_10_7_x86_64.whl", hash = "sha256:02f29db018c9d474270c704e6c6b13b18ed0ecac82761e4fcf0faa3728430c96"},
+    {file = "ruff-0.1.0-py3-none-macosx_10_7_x86_64.whl", hash = "sha256:87114e254dee35e069e1b922d85d4b21a5b61aec759849f393e1dbb308a00439"},
-    {file = "ruff-0.0.292-py3-none-macosx_10_9_x86_64.macosx_11_0_arm64.macosx_10_9_universal2.whl", hash = "sha256:69654e564342f507edfa09ee6897883ca76e331d4bbc3676d8a8403838e9fade"},
+    {file = "ruff-0.1.0-py3-none-macosx_10_9_x86_64.macosx_11_0_arm64.macosx_10_9_universal2.whl", hash = "sha256:764f36d2982cc4a703e69fb73a280b7c539fd74b50c9ee531a4e3fe88152f521"},
-    {file = "ruff-0.0.292-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:6c3c91859a9b845c33778f11902e7b26440d64b9d5110edd4e4fa1726c41e0a4"},
+    {file = "ruff-0.1.0-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:65f4b7fb539e5cf0f71e9bd74f8ddab74cabdd673c6fb7f17a4dcfd29f126255"},
-    {file = "ruff-0.0.292-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:f4476f1243af2d8c29da5f235c13dca52177117935e1f9393f9d90f9833f69e4"},
+    {file = "ruff-0.1.0-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:299fff467a0f163baa282266b310589b21400de0a42d8f68553422fa6bf7ee01"},
-    {file = "ruff-0.0.292-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:be8eb50eaf8648070b8e58ece8e69c9322d34afe367eec4210fdee9a555e4ca7"},
+    {file = "ruff-0.1.0-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:0d412678bf205787263bb702c984012a4f97e460944c072fd7cfa2bd084857c4"},
-    {file = "ruff-0.0.292-py3-none-manylinux_2_17_ppc64.manylinux2014_ppc64.whl", hash = "sha256:9889bac18a0c07018aac75ef6c1e6511d8411724d67cb879103b01758e110a81"},
+    {file = "ruff-0.1.0-py3-none-manylinux_2_17_ppc64.manylinux2014_ppc64.whl", hash = "sha256:a5391b49b1669b540924640587d8d24128e45be17d1a916b1801d6645e831581"},
-    {file = "ruff-0.0.292-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:6bdfabd4334684a4418b99b3118793f2c13bb67bf1540a769d7816410402a205"},
+    {file = "ruff-0.1.0-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:ee8cd57f454cdd77bbcf1e11ff4e0046fb6547cac1922cc6e3583ce4b9c326d1"},
-    {file = "ruff-0.0.292-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:aa7c77c53bfcd75dbcd4d1f42d6cabf2485d2e1ee0678da850f08e1ab13081a8"},
+    {file = "ruff-0.1.0-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:fa7aeed7bc23861a2b38319b636737bf11cfa55d2109620b49cf995663d3e888"},
-    {file = "ruff-0.0.292-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:8e087b24d0d849c5c81516ec740bf4fd48bf363cfb104545464e0fca749b6af9"},
+    {file = "ruff-0.1.0-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:b04cd4298b43b16824d9a37800e4c145ba75c29c43ce0d74cad1d66d7ae0a4c5"},
-    {file = "ruff-0.0.292-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:f160b5ec26be32362d0774964e218f3fcf0a7da299f7e220ef45ae9e3e67101a"},
+    {file = "ruff-0.1.0-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:7186ccf54707801d91e6314a016d1c7895e21d2e4cd614500d55870ed983aa9f"},
-    {file = "ruff-0.0.292-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:ac153eee6dd4444501c4bb92bff866491d4bfb01ce26dd2fff7ca472c8df9ad0"},
+    {file = "ruff-0.1.0-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:d88adfd93849bc62449518228581d132e2023e30ebd2da097f73059900d8dce3"},
-    {file = "ruff-0.0.292-py3-none-musllinux_1_2_i686.whl", hash = "sha256:87616771e72820800b8faea82edd858324b29bb99a920d6aa3d3949dd3f88fb0"},
+    {file = "ruff-0.1.0-py3-none-musllinux_1_2_i686.whl", hash = "sha256:ad2ccdb3bad5a61013c76a9c1240fdfadf2c7103a2aeebd7bcbbed61f363138f"},
-    {file = "ruff-0.0.292-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:b76deb3bdbea2ef97db286cf953488745dd6424c122d275f05836c53f62d4016"},
+    {file = "ruff-0.1.0-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:b77f6cfa72c6eb19b5cac967cc49762ae14d036db033f7d97a72912770fd8e1c"},
-    {file = "ruff-0.0.292-py3-none-win32.whl", hash = "sha256:e854b05408f7a8033a027e4b1c7f9889563dd2aca545d13d06711e5c39c3d003"},
+    {file = "ruff-0.1.0-py3-none-win32.whl", hash = "sha256:480bd704e8af1afe3fd444cc52e3c900b936e6ca0baf4fb0281124330b6ceba2"},
-    {file = "ruff-0.0.292-py3-none-win_amd64.whl", hash = "sha256:f27282bedfd04d4c3492e5c3398360c9d86a295be00eccc63914438b4ac8a83c"},
+    {file = "ruff-0.1.0-py3-none-win_amd64.whl", hash = "sha256:a76ba81860f7ee1f2d5651983f87beb835def94425022dc5f0803108f1b8bfa2"},
-    {file = "ruff-0.0.292-py3-none-win_arm64.whl", hash = "sha256:7f67a69c8f12fbc8daf6ae6d36705037bde315abf8b82b6e1f4c9e74eb750f68"},
+    {file = "ruff-0.1.0-py3-none-win_arm64.whl", hash = "sha256:45abdbdab22509a2c6052ecf7050b3f5c7d6b7898dc07e82869401b531d46da4"},
-    {file = "ruff-0.0.292.tar.gz", hash = "sha256:1093449e37dd1e9b813798f6ad70932b57cf614e5c2b5c51005bf67d55db33ac"},
+    {file = "ruff-0.1.0.tar.gz", hash = "sha256:ad6b13824714b19c5f8225871cf532afb994470eecb74631cd3500fe817e6b3f"},
 ]
 
 [[package]]

tests/wdio/package-lock.json

@@ -7,11 +7,11 @@
             "name": "@goauthentik/web-tests",
             "devDependencies": {
                 "@trivago/prettier-plugin-sort-imports": "^4.2.0",
-                "@typescript-eslint/eslint-plugin": "^6.7.5",
+                "@typescript-eslint/eslint-plugin": "^6.8.0",
-                "@typescript-eslint/parser": "^6.7.5",
+                "@typescript-eslint/parser": "^6.8.0",
-                "@wdio/cli": "^8.18.0",
+                "@wdio/cli": "^8.18.2",
-                "@wdio/local-runner": "^8.18.0",
+                "@wdio/local-runner": "^8.18.2",
-                "@wdio/mocha-framework": "^8.18.0",
+                "@wdio/mocha-framework": "^8.18.2",
                 "@wdio/spec-reporter": "^8.18.1",
                 "eslint": "^8.51.0",
                 "eslint-config-google": "^0.14.0",
@@ -878,16 +878,16 @@
             }
         },
         "node_modules/@typescript-eslint/eslint-plugin": {
-            "version": "6.7.5",
+            "version": "6.8.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-6.7.5.tgz",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-6.8.0.tgz",
-            "integrity": "sha512-JhtAwTRhOUcP96D0Y6KYnwig/MRQbOoLGXTON2+LlyB/N35SP9j1boai2zzwXb7ypKELXMx3DVk9UTaEq1vHEw==",
+            "integrity": "sha512-GosF4238Tkes2SHPQ1i8f6rMtG6zlKwMEB0abqSJ3Npvos+doIlc/ATG+vX1G9coDF3Ex78zM3heXHLyWEwLUw==",
             "dev": true,
             "dependencies": {
                 "@eslint-community/regexpp": "^4.5.1",
-                "@typescript-eslint/scope-manager": "6.7.5",
+                "@typescript-eslint/scope-manager": "6.8.0",
-                "@typescript-eslint/type-utils": "6.7.5",
+                "@typescript-eslint/type-utils": "6.8.0",
-                "@typescript-eslint/utils": "6.7.5",
+                "@typescript-eslint/utils": "6.8.0",
-                "@typescript-eslint/visitor-keys": "6.7.5",
+                "@typescript-eslint/visitor-keys": "6.8.0",
                 "debug": "^4.3.4",
                 "graphemer": "^1.4.0",
                 "ignore": "^5.2.4",
@@ -913,15 +913,15 @@
             }
         },
         "node_modules/@typescript-eslint/parser": {
-            "version": "6.7.5",
+            "version": "6.8.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-6.7.5.tgz",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-6.8.0.tgz",
-            "integrity": "sha512-bIZVSGx2UME/lmhLcjdVc7ePBwn7CLqKarUBL4me1C5feOd663liTGjMBGVcGr+BhnSLeP4SgwdvNnnkbIdkCw==",
+            "integrity": "sha512-5tNs6Bw0j6BdWuP8Fx+VH4G9fEPDxnVI7yH1IAPkQH5RUtvKwRoqdecAPdQXv4rSOADAaz1LFBZvZG7VbXivSg==",
             "dev": true,
             "dependencies": {
-                "@typescript-eslint/scope-manager": "6.7.5",
+                "@typescript-eslint/scope-manager": "6.8.0",
-                "@typescript-eslint/types": "6.7.5",
+                "@typescript-eslint/types": "6.8.0",
-                "@typescript-eslint/typescript-estree": "6.7.5",
+                "@typescript-eslint/typescript-estree": "6.8.0",
-                "@typescript-eslint/visitor-keys": "6.7.5",
+                "@typescript-eslint/visitor-keys": "6.8.0",
                 "debug": "^4.3.4"
             },
             "engines": {
@@ -941,13 +941,13 @@
             }
         },
         "node_modules/@typescript-eslint/scope-manager": {
-            "version": "6.7.5",
+            "version": "6.8.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-6.7.5.tgz",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-6.8.0.tgz",
-            "integrity": "sha512-GAlk3eQIwWOJeb9F7MKQ6Jbah/vx1zETSDw8likab/eFcqkjSD7BI75SDAeC5N2L0MmConMoPvTsmkrg71+B1A==",
+            "integrity": "sha512-xe0HNBVwCph7rak+ZHcFD6A+q50SMsFwcmfdjs9Kz4qDh5hWhaPhFjRs/SODEhroBI5Ruyvyz9LfwUJ624O40g==",
             "dev": true,
             "dependencies": {
-                "@typescript-eslint/types": "6.7.5",
+                "@typescript-eslint/types": "6.8.0",
-                "@typescript-eslint/visitor-keys": "6.7.5"
+                "@typescript-eslint/visitor-keys": "6.8.0"
             },
             "engines": {
                 "node": "^16.0.0 || >=18.0.0"
@@ -958,13 +958,13 @@
             }
         },
         "node_modules/@typescript-eslint/type-utils": {
-            "version": "6.7.5",
+            "version": "6.8.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-6.7.5.tgz",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-6.8.0.tgz",
-            "integrity": "sha512-Gs0qos5wqxnQrvpYv+pf3XfcRXW6jiAn9zE/K+DlmYf6FcpxeNYN0AIETaPR7rHO4K2UY+D0CIbDP9Ut0U4m1g==",
+            "integrity": "sha512-RYOJdlkTJIXW7GSldUIHqc/Hkto8E+fZN96dMIFhuTJcQwdRoGN2rEWA8U6oXbLo0qufH7NPElUb+MceHtz54g==",
             "dev": true,
             "dependencies": {
-                "@typescript-eslint/typescript-estree": "6.7.5",
+                "@typescript-eslint/typescript-estree": "6.8.0",
-                "@typescript-eslint/utils": "6.7.5",
+                "@typescript-eslint/utils": "6.8.0",
                 "debug": "^4.3.4",
                 "ts-api-utils": "^1.0.1"
             },
@@ -985,9 +985,9 @@
             }
         },
         "node_modules/@typescript-eslint/types": {
-            "version": "6.7.5",
+            "version": "6.8.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-6.7.5.tgz",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-6.8.0.tgz",
-            "integrity": "sha512-WboQBlOXtdj1tDFPyIthpKrUb+kZf2VroLZhxKa/VlwLlLyqv/PwUNgL30BlTVZV1Wu4Asu2mMYPqarSO4L5ZQ==",
+            "integrity": "sha512-p5qOxSum7W3k+llc7owEStXlGmSl8FcGvhYt8Vjy7FqEnmkCVlM3P57XQEGj58oqaBWDQXbJDZxwUWMS/EAPNQ==",
             "dev": true,
             "engines": {
                 "node": "^16.0.0 || >=18.0.0"
@@ -998,13 +998,13 @@
             }
         },
         "node_modules/@typescript-eslint/typescript-estree": {
-            "version": "6.7.5",
+            "version": "6.8.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-6.7.5.tgz",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-6.8.0.tgz",
-            "integrity": "sha512-NhJiJ4KdtwBIxrKl0BqG1Ur+uw7FiOnOThcYx9DpOGJ/Abc9z2xNzLeirCG02Ig3vkvrc2qFLmYSSsaITbKjlg==",
+            "integrity": "sha512-ISgV0lQ8XgW+mvv5My/+iTUdRmGspducmQcDw5JxznasXNnZn3SKNrTRuMsEXv+V/O+Lw9AGcQCfVaOPCAk/Zg==",
             "dev": true,
             "dependencies": {
-                "@typescript-eslint/types": "6.7.5",
+                "@typescript-eslint/types": "6.8.0",
-                "@typescript-eslint/visitor-keys": "6.7.5",
+                "@typescript-eslint/visitor-keys": "6.8.0",
                 "debug": "^4.3.4",
                 "globby": "^11.1.0",
                 "is-glob": "^4.0.3",
@@ -1025,17 +1025,17 @@
             }
         },
         "node_modules/@typescript-eslint/utils": {
-            "version": "6.7.5",
+            "version": "6.8.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-6.7.5.tgz",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-6.8.0.tgz",
-            "integrity": "sha512-pfRRrH20thJbzPPlPc4j0UNGvH1PjPlhlCMq4Yx7EGjV7lvEeGX0U6MJYe8+SyFutWgSHsdbJ3BXzZccYggezA==",
+            "integrity": "sha512-dKs1itdE2qFG4jr0dlYLQVppqTE+Itt7GmIf/vX6CSvsW+3ov8PbWauVKyyfNngokhIO9sKZeRGCUo1+N7U98Q==",
             "dev": true,
             "dependencies": {
                 "@eslint-community/eslint-utils": "^4.4.0",
                 "@types/json-schema": "^7.0.12",
                 "@types/semver": "^7.5.0",
-                "@typescript-eslint/scope-manager": "6.7.5",
+                "@typescript-eslint/scope-manager": "6.8.0",
-                "@typescript-eslint/types": "6.7.5",
+                "@typescript-eslint/types": "6.8.0",
-                "@typescript-eslint/typescript-estree": "6.7.5",
+                "@typescript-eslint/typescript-estree": "6.8.0",
                 "semver": "^7.5.4"
             },
             "engines": {
@@ -1050,12 +1050,12 @@
             }
         },
         "node_modules/@typescript-eslint/visitor-keys": {
-            "version": "6.7.5",
+            "version": "6.8.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-6.7.5.tgz",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-6.8.0.tgz",
-            "integrity": "sha512-3MaWdDZtLlsexZzDSdQWsFQ9l9nL8B80Z4fImSpyllFC/KLqWQRdEcB+gGGO+N3Q2uL40EsG66wZLsohPxNXvg==",
+            "integrity": "sha512-oqAnbA7c+pgOhW2OhGvxm0t1BULX5peQI/rLsNDpGM78EebV3C9IGbX5HNZabuZ6UQrYveCLjKo8Iy/lLlBkkg==",
             "dev": true,
             "dependencies": {
-                "@typescript-eslint/types": "6.7.5",
+                "@typescript-eslint/types": "6.8.0",
                 "eslint-visitor-keys": "^3.4.1"
             },
             "engines": {
@@ -1067,18 +1067,18 @@
             }
         },
         "node_modules/@wdio/cli": {
-            "version": "8.18.0",
+            "version": "8.18.2",
-            "resolved": "https://registry.npmjs.org/@wdio/cli/-/cli-8.18.0.tgz",
+            "resolved": "https://registry.npmjs.org/@wdio/cli/-/cli-8.18.2.tgz",
-            "integrity": "sha512-zLt6pEbSwW/S7sBH5uZrYn9HhexB57ufqMV6IAKgX0SsJQwqOu1hdCIOiH1ZAfAHr2bPjpqIDIW+WOvV7mug9g==",
+            "integrity": "sha512-vjMedd7PEHZywxbRE/rHzAPbj+hsCJz5b7vPTXu9QuwH2wWU2ab79ZqQpaUMKwZx8yXJfG6neb89tEbF9ximqQ==",
             "dev": true,
             "dependencies": {
                 "@types/node": "^20.1.1",
-                "@wdio/config": "8.18.0",
+                "@wdio/config": "8.18.2",
-                "@wdio/globals": "8.18.0",
+                "@wdio/globals": "8.18.2",
                 "@wdio/logger": "8.16.17",
                 "@wdio/protocols": "8.18.0",
                 "@wdio/types": "8.17.0",
-                "@wdio/utils": "8.18.0",
+                "@wdio/utils": "8.18.2",
                 "async-exit-hook": "^2.0.1",
                 "chalk": "^5.2.0",
                 "chokidar": "^3.5.3",
@@ -1093,7 +1093,7 @@
                 "lodash.union": "^4.6.0",
                 "read-pkg-up": "10.1.0",
                 "recursive-readdir": "^2.2.3",
-                "webdriverio": "8.18.0",
+                "webdriverio": "8.18.2",
                 "yargs": "^17.7.2",
                 "yarn-install": "^1.0.0"
             },
@@ -1117,14 +1117,14 @@
             }
         },
         "node_modules/@wdio/config": {
-            "version": "8.18.0",
+            "version": "8.18.2",
-            "resolved": "https://registry.npmjs.org/@wdio/config/-/config-8.18.0.tgz",
+            "resolved": "https://registry.npmjs.org/@wdio/config/-/config-8.18.2.tgz",
-            "integrity": "sha512-sS5OXyxRtPCXDKloCqtEFuhei9WCxFzM7B5CyTKanbZ+xF4+t21aNF49OXXzWZXhUylK88whGB7amwO8tfJFww==",
+            "integrity": "sha512-O3K36Wk/G/P5t9NfI/jBjLMdJq1KEDQTmbLvrbRckqzX5SQmPFg2pg18gE9N3JQE4A7qR+imxVo45HmhFDyn4w==",
             "dev": true,
             "dependencies": {
                 "@wdio/logger": "8.16.17",
                 "@wdio/types": "8.17.0",
-                "@wdio/utils": "8.18.0",
+                "@wdio/utils": "8.18.2",
                 "decamelize": "^6.0.0",
                 "deepmerge-ts": "^5.0.0",
                 "glob": "^10.2.2",
@@ -1136,28 +1136,28 @@
             }
         },
         "node_modules/@wdio/globals": {
-            "version": "8.18.0",
+            "version": "8.18.2",
-            "resolved": "https://registry.npmjs.org/@wdio/globals/-/globals-8.18.0.tgz",
+            "resolved": "https://registry.npmjs.org/@wdio/globals/-/globals-8.18.2.tgz",
-            "integrity": "sha512-r6BvpMaqD3+pf7U7Lq1EnbahGhf/3BRO6aqQP7z7IlwakoeU9ih/yTA31BGt36wj0Vx8dhFfR0JpFhMXpvDqiA==",
+            "integrity": "sha512-hHZqqWlvEaVHru+e5bMXsTBbPqKi85JO5q2XKX+ixS4XWoZXoMjN5WzL/3N9GkF2mJqIkyb9DHUT0T2vvf3oNA==",
             "dev": true,
             "engines": {
                 "node": "^16.13 || >=18"
             },
             "optionalDependencies": {
                 "expect-webdriverio": "^4.2.5",
-                "webdriverio": "8.18.0"
+                "webdriverio": "8.18.2"
             }
         },
         "node_modules/@wdio/local-runner": {
-            "version": "8.18.0",
+            "version": "8.18.2",
-            "resolved": "https://registry.npmjs.org/@wdio/local-runner/-/local-runner-8.18.0.tgz",
+            "resolved": "https://registry.npmjs.org/@wdio/local-runner/-/local-runner-8.18.2.tgz",
-            "integrity": "sha512-fArLIgYbMPP7gqajy6lZSMgECkyKFNRJG75UA0NjMoTBmZLzJavgadnB/uF42dXyNBdZ218abikF90qMLF1RJg==",
+            "integrity": "sha512-W5QRXmH+MngHEVktsX6WXyoP/WI3mSlN66E1xGYLtMVwPhp3wMXDIrk1K/0UCAViX7lQ3tvo0B2QoZhsAXVT+A==",
             "dev": true,
             "dependencies": {
                 "@types/node": "^20.1.0",
                 "@wdio/logger": "8.16.17",
                 "@wdio/repl": "8.10.1",
-                "@wdio/runner": "8.18.0",
+                "@wdio/runner": "8.18.2",
                 "@wdio/types": "8.17.0",
                 "async-exit-hook": "^2.0.1",
                 "split2": "^4.1.0",
@@ -1195,16 +1195,16 @@
             }
         },
         "node_modules/@wdio/mocha-framework": {
-            "version": "8.18.0",
+            "version": "8.18.2",
-            "resolved": "https://registry.npmjs.org/@wdio/mocha-framework/-/mocha-framework-8.18.0.tgz",
+            "resolved": "https://registry.npmjs.org/@wdio/mocha-framework/-/mocha-framework-8.18.2.tgz",
-            "integrity": "sha512-8c+z3il5s9nWqZ4NqQxOherex2VbMC4xNAllJO4pixeJkKhRI30mB0f1/gMM4YjO7sW801AHSSMD1lWNh/kDOg==",
+            "integrity": "sha512-vsuPyuPbkw8FOsOeru9BJXwbSyk9//MiFnqNWwCdbFqVTc0M+RIYklnVgDUyx7Fnl87XewVWDioOWr71FH4ZhQ==",
             "dev": true,
             "dependencies": {
                 "@types/mocha": "^10.0.0",
                 "@types/node": "^20.1.0",
                 "@wdio/logger": "8.16.17",
                 "@wdio/types": "8.17.0",
-                "@wdio/utils": "8.18.0",
+                "@wdio/utils": "8.18.2",
                 "mocha": "^10.0.0"
             },
             "engines": {
@@ -1246,22 +1246,22 @@
             }
         },
         "node_modules/@wdio/runner": {
-            "version": "8.18.0",
+            "version": "8.18.2",
-            "resolved": "https://registry.npmjs.org/@wdio/runner/-/runner-8.18.0.tgz",
+            "resolved": "https://registry.npmjs.org/@wdio/runner/-/runner-8.18.2.tgz",
-            "integrity": "sha512-5I9DWh1cW9/Om+E7vNWFNx7BqavAzOFvvj1cihTzT766Y3I2wLHAUAE0OJoOZsk53beBJNYnCIOwrOWjk7RdZQ==",
+            "integrity": "sha512-UPfvKA9yunEadHHDZwveZmKL0ayHDCkUegzUzgHFYmhnijUAa1Xeo837NpBe9y753TWt5PgRA4BIXSDlxJ9ySA==",
             "dev": true,
             "dependencies": {
                 "@types/node": "^20.1.0",
-                "@wdio/config": "8.18.0",
+                "@wdio/config": "8.18.2",
-                "@wdio/globals": "8.18.0",
+                "@wdio/globals": "8.18.2",
                 "@wdio/logger": "8.16.17",
                 "@wdio/types": "8.17.0",
-                "@wdio/utils": "8.18.0",
+                "@wdio/utils": "8.18.2",
                 "deepmerge-ts": "^5.0.0",
                 "expect-webdriverio": "^4.2.5",
                 "gaze": "^1.1.2",
-                "webdriver": "8.18.0",
+                "webdriver": "8.18.2",
-                "webdriverio": "8.18.0"
+                "webdriverio": "8.18.2"
             },
             "engines": {
                 "node": "^16.13 || >=18"
@@ -1308,9 +1308,9 @@
             }
         },
         "node_modules/@wdio/utils": {
-            "version": "8.18.0",
+            "version": "8.18.2",
-            "resolved": "https://registry.npmjs.org/@wdio/utils/-/utils-8.18.0.tgz",
+            "resolved": "https://registry.npmjs.org/@wdio/utils/-/utils-8.18.2.tgz",
-            "integrity": "sha512-ziXToU5BZSW96KNPhTGYl3eVmHQV5YeI+lsBozXJ5tGofaBCYMtbxdAI573IwR6lo8+evEdNTIGJgZXp8lDOxQ==",
+            "integrity": "sha512-TQrrKv+knFn4Z/T/e/+wdnBoykNBg6rfo0NsAwaWh4PbJ1tf+Dc9GjzWhvJTgHwZf4v78K8Z+77qkqoLCF1wSg==",
             "dev": true,
             "dependencies": {
                 "@puppeteer/browsers": "^1.6.0",
@@ -8693,18 +8693,18 @@
             }
         },
         "node_modules/webdriver": {
-            "version": "8.18.0",
+            "version": "8.18.2",
-            "resolved": "https://registry.npmjs.org/webdriver/-/webdriver-8.18.0.tgz",
+            "resolved": "https://registry.npmjs.org/webdriver/-/webdriver-8.18.2.tgz",
-            "integrity": "sha512-OImB/K2BMGVP77yGpB4qrAwzAVrlusL5egaqoA9sl4inh1Ff+6n+LwQmPfe/dezejm5Fxuaf/HWvWEq91WbghQ==",
+            "integrity": "sha512-7xr8K2jlrRdhqK6LLHrg96OiccWT5EeBIQXk9xAifgIbs6l/JfzCjC9WqC0AmX9plXjR8wf2LS+Ob9Ajhx6v+A==",
             "dev": true,
             "dependencies": {
                 "@types/node": "^20.1.0",
                 "@types/ws": "^8.5.3",
-                "@wdio/config": "8.18.0",
+                "@wdio/config": "8.18.2",
                 "@wdio/logger": "8.16.17",
                 "@wdio/protocols": "8.18.0",
                 "@wdio/types": "8.17.0",
-                "@wdio/utils": "8.18.0",
+                "@wdio/utils": "8.18.2",
                 "deepmerge-ts": "^5.1.0",
                 "got": "^ 12.6.1",
                 "ky": "^0.33.0",
@@ -8752,18 +8752,18 @@
             }
         },
         "node_modules/webdriverio": {
-            "version": "8.18.0",
+            "version": "8.18.2",
-            "resolved": "https://registry.npmjs.org/webdriverio/-/webdriverio-8.18.0.tgz",
+            "resolved": "https://registry.npmjs.org/webdriverio/-/webdriverio-8.18.2.tgz",
-            "integrity": "sha512-LVgmZHn36NOL4O1RszBa7TPYf5VAyakmgkkDtWe1tVVQ2AkbIKnhKGLar6BQd/wfLIn61pKfvvmmYwDjnXgkhg==",
+            "integrity": "sha512-vX+U4QH9HdyT3upcOzP6YMpnAA1oZJJAZetvf9aWZ9KnBzgkL60LiZ/q9xCX+VWYKEIvNZ66ekppbuZ8FpobIQ==",
             "dev": true,
             "dependencies": {
                 "@types/node": "^20.1.0",
-                "@wdio/config": "8.18.0",
+                "@wdio/config": "8.18.2",
                 "@wdio/logger": "8.16.17",
                 "@wdio/protocols": "8.18.0",
                 "@wdio/repl": "8.10.1",
                 "@wdio/types": "8.17.0",
-                "@wdio/utils": "8.18.0",
+                "@wdio/utils": "8.18.2",
                 "archiver": "^6.0.0",
                 "aria-query": "^5.0.0",
                 "css-shorthand-properties": "^1.1.1",
@@ -8780,7 +8780,7 @@
                 "resq": "^1.9.1",
                 "rgb2hex": "0.2.5",
                 "serialize-error": "^11.0.1",
-                "webdriver": "8.18.0"
+                "webdriver": "8.18.2"
             },
             "engines": {
                 "node": "^16.13 || >=18"

tests/wdio/package.json

@@ -4,11 +4,11 @@
     "type": "module",
     "devDependencies": {
         "@trivago/prettier-plugin-sort-imports": "^4.2.0",
-        "@typescript-eslint/eslint-plugin": "^6.7.5",
+        "@typescript-eslint/eslint-plugin": "^6.8.0",
-        "@typescript-eslint/parser": "^6.7.5",
+        "@typescript-eslint/parser": "^6.8.0",
-        "@wdio/cli": "^8.18.0",
+        "@wdio/cli": "^8.18.2",
-        "@wdio/local-runner": "^8.18.0",
+        "@wdio/local-runner": "^8.18.2",
-        "@wdio/mocha-framework": "^8.18.0",
+        "@wdio/mocha-framework": "^8.18.2",
         "@wdio/spec-reporter": "^8.18.1",
         "eslint": "^8.51.0",
         "eslint-config-google": "^0.14.0",

web/.gitignore

@@ -109,3 +109,5 @@ temp/
 # End of https://www.gitignore.io/api/node
 api/**
 storybook-static/
+scripts/*.mjs
+scripts/*.js

web/package-lock.json

@@ -15,17 +15,17 @@
                 "@codemirror/lang-xml": "^6.0.2",
                 "@codemirror/legacy-modes": "^6.3.3",
                 "@codemirror/theme-one-dark": "^6.1.2",
-                "@formatjs/intl-listformat": "^7.4.2",
+                "@formatjs/intl-listformat": "^7.5.0",
                 "@fortawesome/fontawesome-free": "^6.4.2",
-                "@goauthentik/api": "^2023.8.3-1696847703",
+                "@goauthentik/api": "^2023.8.3-1697470337",
                 "@lit-labs/context": "^0.4.1",
                 "@lit-labs/task": "^3.1.0",
                 "@lit/localize": "^0.11.4",
                 "@open-wc/lit-helpers": "^0.6.0",
                 "@patternfly/elements": "^2.4.0",
                 "@patternfly/patternfly": "^4.224.2",
-                "@sentry/browser": "^7.73.0",
+                "@sentry/browser": "^7.74.0",
-                "@sentry/tracing": "^7.73.0",
+                "@sentry/tracing": "^7.74.0",
                 "@webcomponents/webcomponentsjs": "^2.8.0",
                 "base64-js": "^1.5.1",
                 "chart.js": "^4.4.0",
@@ -40,7 +40,7 @@
                 "rapidoc": "^9.3.4",
                 "style-mod": "^4.1.0",
                 "webcomponent-qr-code": "^1.2.0",
-                "yaml": "^2.3.2"
+                "yaml": "^2.3.3"
             },
             "devDependencies": {
                 "@babel/core": "^7.23.2",
@@ -56,9 +56,9 @@
                 "@jeysal/storybook-addon-css-user-preferences": "^0.2.0",
                 "@lit/localize-tools": "^0.7.0",
                 "@rollup/plugin-babel": "^6.0.4",
-                "@rollup/plugin-commonjs": "^25.0.5",
+                "@rollup/plugin-commonjs": "^25.0.7",
                 "@rollup/plugin-node-resolve": "^15.2.3",
-                "@rollup/plugin-replace": "^5.0.3",
+                "@rollup/plugin-replace": "^5.0.4",
                 "@rollup/plugin-terser": "^0.4.4",
                 "@rollup/plugin-typescript": "^11.1.5",
                 "@storybook/addon-essentials": "^7.4.6",
@@ -70,8 +70,8 @@
                 "@types/chart.js": "^2.9.38",
                 "@types/codemirror": "5.60.10",
                 "@types/grecaptcha": "^3.0.5",
-                "@typescript-eslint/eslint-plugin": "^6.7.5",
+                "@typescript-eslint/eslint-plugin": "^6.8.0",
-                "@typescript-eslint/parser": "^6.7.5",
+                "@typescript-eslint/parser": "^6.8.0",
                 "babel-plugin-macros": "^3.1.0",
                 "babel-plugin-tsconfig-paths": "^1.0.3",
                 "cross-env": "^7.0.3",
@@ -84,10 +84,11 @@
                 "lit-analyzer": "^1.2.1",
                 "npm-run-all": "^4.1.5",
                 "prettier": "^3.0.3",
+                "pseudolocale": "^2.0.0",
                 "pyright": "^1.1.331",
                 "react": "^18.2.0",
                 "react-dom": "^18.2.0",
-                "rollup": "^4.0.2",
+                "rollup": "^4.1.4",
                 "rollup-plugin-copy": "^3.5.0",
                 "rollup-plugin-cssimport": "^1.0.3",
                 "rollup-plugin-postcss-lit": "^2.1.0",
@@ -100,9 +101,9 @@
                 "vite-tsconfig-paths": "^4.2.1"
             },
             "optionalDependencies": {
-                "@esbuild/darwin-arm64": "^0.19.4",
+                "@esbuild/darwin-arm64": "^0.19.5",
                 "@esbuild/linux-amd64": "^0.18.11",
-                "@esbuild/linux-arm64": "^0.19.4"
+                "@esbuild/linux-arm64": "^0.19.5"
             }
         },
         "node_modules/@aashutoshrathi/word-wrap": {
@@ -2402,9 +2403,9 @@
             }
         },
         "node_modules/@esbuild/darwin-arm64": {
-            "version": "0.19.4",
+            "version": "0.19.5",
-            "resolved": "https://registry.npmjs.org/@esbuild/darwin-arm64/-/darwin-arm64-0.19.4.tgz",
+            "resolved": "https://registry.npmjs.org/@esbuild/darwin-arm64/-/darwin-arm64-0.19.5.tgz",
-            "integrity": "sha512-Lviw8EzxsVQKpbS+rSt6/6zjn9ashUZ7Tbuvc2YENgRl0yZTktGlachZ9KMJUsVjZEGFVu336kl5lBgDN6PmpA==",
+            "integrity": "sha512-mvXGcKqqIqyKoxq26qEDPHJuBYUA5KizJncKOAf9eJQez+L9O+KfvNFu6nl7SCZ/gFb2QPaRqqmG0doSWlgkqw==",
             "cpu": [
                 "arm64"
             ],
@@ -2481,9 +2482,9 @@
             }
         },
         "node_modules/@esbuild/linux-arm64": {
-            "version": "0.19.4",
+            "version": "0.19.5",
-            "resolved": "https://registry.npmjs.org/@esbuild/linux-arm64/-/linux-arm64-0.19.4.tgz",
+            "resolved": "https://registry.npmjs.org/@esbuild/linux-arm64/-/linux-arm64-0.19.5.tgz",
-            "integrity": "sha512-ZWmWORaPbsPwmyu7eIEATFlaqm0QGt+joRE9sKcnVUG3oBbr/KYdNE2TnkzdQwX6EDRdg/x8Q4EZQTXoClUqqA==",
+            "integrity": "sha512-o3vYippBmSrjjQUCEEiTZ2l+4yC0pVJD/Dl57WfPwwlvFkrxoSO7rmBZFii6kQB3Wrn/6GwJUPLU5t52eq2meA==",
             "cpu": [
                 "arm64"
             ],
@@ -2855,9 +2856,9 @@
             }
         },
         "node_modules/@formatjs/intl-listformat": {
-            "version": "7.4.2",
+            "version": "7.5.0",
-            "resolved": "https://registry.npmjs.org/@formatjs/intl-listformat/-/intl-listformat-7.4.2.tgz",
+            "resolved": "https://registry.npmjs.org/@formatjs/intl-listformat/-/intl-listformat-7.5.0.tgz",
-            "integrity": "sha512-+6bSVudEQkf12Hh7kuKt8Xv/MyFlqdwA4V4NLnTZW8uYdF9RxlOELDD0rPaOc2++TMKIzI5o6XXwHPvpL6VrPA==",
+            "integrity": "sha512-n9FsXGl1T2ZbX6wSyrzCDJHrbJR0YJ9ZNsAqUvHXfbY3nsOmGnSTf5+bkuIp1Xiywu7m1X1Pfm/Ngp/yK1H84A==",
             "dependencies": {
                 "@formatjs/ecma402-abstract": "1.17.2",
                 "@formatjs/intl-localematcher": "0.4.2",
@@ -2882,9 +2883,9 @@
             }
         },
         "node_modules/@goauthentik/api": {
-            "version": "2023.8.3-1696847703",
+            "version": "2023.8.3-1697470337",
-            "resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2023.8.3-1696847703.tgz",
+            "resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2023.8.3-1697470337.tgz",
-            "integrity": "sha512-RsOANX4L6RHaGXvMhJNq9g+E0ZLW3cwgl/t5CyQxLYvWgmVvZU4t78hxlOF7vFREoO5nhZUZnOOlD2+n5gOqLg=="
+            "integrity": "sha512-LHFqHXOR4dkVnI2EKRLLUyFQxdfHfxvYnbu/caFNlmrFeAQ2T/KYiOfTcWAvHIQ/unK9STF5EAzeFJ18m6RIdQ=="
         },
         "node_modules/@hcaptcha/types": {
             "version": "1.0.3",
@@ -4416,9 +4417,9 @@
             }
         },
         "node_modules/@rollup/plugin-commonjs": {
-            "version": "25.0.5",
+            "version": "25.0.7",
-            "resolved": "https://registry.npmjs.org/@rollup/plugin-commonjs/-/plugin-commonjs-25.0.5.tgz",
+            "resolved": "https://registry.npmjs.org/@rollup/plugin-commonjs/-/plugin-commonjs-25.0.7.tgz",
-            "integrity": "sha512-xY8r/A9oisSeSuLCTfhssyDjo9Vp/eDiRLXkg1MXCcEEgEjPmLU+ZyDB20OOD0NlyDa/8SGbK5uIggF5XTx77w==",
+            "integrity": "sha512-nEvcR+LRjEjsaSsc4x3XZfCCvZIaSMenZu/OiwOKGN2UhQpAYI7ru7czFvyWbErlpoGjnSX3D5Ch5FcMA3kRWQ==",
             "dev": true,
             "dependencies": {
                 "@rollup/pluginutils": "^5.0.1",
@@ -4426,7 +4427,7 @@
                 "estree-walker": "^2.0.2",
                 "glob": "^8.0.3",
                 "is-reference": "1.2.1",
-                "magic-string": "^0.27.0"
+                "magic-string": "^0.30.3"
             },
             "engines": {
                 "node": ">=14.0.0"
@@ -4466,13 +4467,13 @@
             }
         },
         "node_modules/@rollup/plugin-replace": {
-            "version": "5.0.3",
+            "version": "5.0.4",
-            "resolved": "https://registry.npmjs.org/@rollup/plugin-replace/-/plugin-replace-5.0.3.tgz",
+            "resolved": "https://registry.npmjs.org/@rollup/plugin-replace/-/plugin-replace-5.0.4.tgz",
-            "integrity": "sha512-je7fu05B800IrMlWjb2wzJcdXzHYW46iTipfChnBDbIbDXhASZs27W1B58T2Yf45jZtJUONegpbce+9Ut2Ti/Q==",
+            "integrity": "sha512-E2hmRnlh09K8HGT0rOnnri9OTh+BILGr7NVJGB30S4E3cLRn3J0xjdiyOZ74adPs4NiAMgrjUMGAZNJDBgsdmQ==",
             "dev": true,
             "dependencies": {
                 "@rollup/pluginutils": "^5.0.1",
-                "magic-string": "^0.27.0"
+                "magic-string": "^0.30.3"
             },
             "engines": {
                 "node": ">=14.0.0"
@@ -4557,9 +4558,9 @@
             }
         },
         "node_modules/@rollup/rollup-android-arm-eabi": {
-            "version": "4.0.2",
+            "version": "4.1.4",
-            "resolved": "https://registry.npmjs.org/@rollup/rollup-android-arm-eabi/-/rollup-android-arm-eabi-4.0.2.tgz",
+            "resolved": "https://registry.npmjs.org/@rollup/rollup-android-arm-eabi/-/rollup-android-arm-eabi-4.1.4.tgz",
-            "integrity": "sha512-xDvk1pT4vaPU2BOLy0MqHMdYZyntqpaBf8RhBiezlqG9OjY8F50TyctHo8znigYKd+QCFhCmlmXHOL/LoaOl3w==",
+            "integrity": "sha512-WlzkuFvpKl6CLFdc3V6ESPt7gq5Vrimd2Yv9IzKXdOpgbH4cdDSS1JLiACX8toygihtH5OlxyQzhXOph7Ovlpw==",
             "cpu": [
                 "arm"
             ],
@@ -4570,9 +4571,9 @@
             ]
         },
         "node_modules/@rollup/rollup-android-arm64": {
-            "version": "4.0.2",
+            "version": "4.1.4",
-            "resolved": "https://registry.npmjs.org/@rollup/rollup-android-arm64/-/rollup-android-arm64-4.0.2.tgz",
+            "resolved": "https://registry.npmjs.org/@rollup/rollup-android-arm64/-/rollup-android-arm64-4.1.4.tgz",
-            "integrity": "sha512-lqCglytY3E6raze27DD9VQJWohbwCxzqs9aSHcj5X/8hJpzZfNdbsr4Ja9Hqp6iPyF53+5PtPx0pKRlkSvlHZg==",
+            "integrity": "sha512-D1e+ABe56T9Pq2fD+R3ybe1ylCDzu3tY4Qm2Mj24R9wXNCq35+JbFbOpc2yrroO2/tGhTobmEl2Bm5xfE/n8RA==",
             "cpu": [
                 "arm64"
             ],
@@ -4583,9 +4584,9 @@
             ]
         },
         "node_modules/@rollup/rollup-darwin-arm64": {
-            "version": "4.0.2",
+            "version": "4.1.4",
-            "resolved": "https://registry.npmjs.org/@rollup/rollup-darwin-arm64/-/rollup-darwin-arm64-4.0.2.tgz",
+            "resolved": "https://registry.npmjs.org/@rollup/rollup-darwin-arm64/-/rollup-darwin-arm64-4.1.4.tgz",
-            "integrity": "sha512-nkBKItS6E6CCzvRwgiKad+j+1ibmL7SIInj7oqMWmdkCjiSX6VeVZw2mLlRKIUL+JjsBgpATTfo7BiAXc1v0jA==",
+            "integrity": "sha512-7vTYrgEiOrjxnjsgdPB+4i7EMxbVp7XXtS+50GJYj695xYTTEMn3HZVEvgtwjOUkAP/Q4HDejm4fIAjLeAfhtg==",
             "cpu": [
                 "arm64"
             ],
@@ -4596,9 +4597,9 @@
             ]
         },
         "node_modules/@rollup/rollup-darwin-x64": {
-            "version": "4.0.2",
+            "version": "4.1.4",
-            "resolved": "https://registry.npmjs.org/@rollup/rollup-darwin-x64/-/rollup-darwin-x64-4.0.2.tgz",
+            "resolved": "https://registry.npmjs.org/@rollup/rollup-darwin-x64/-/rollup-darwin-x64-4.1.4.tgz",
-            "integrity": "sha512-vX2C8xvWPIbpEgQht95+dY6BReKAvtDgPDGi0XN0kWJKkm4WdNmq5dnwscv/zxvi+n6jUTBhs6GtpkkWT4q8Gg==",
+            "integrity": "sha512-eGJVZScKSLZkYjhTAESCtbyTBq9SXeW9+TX36ki5gVhDqJtnQ5k0f9F44jNK5RhAMgIj0Ht9+n6HAgH0gUUyWQ==",
             "cpu": [
                 "x64"
             ],
@@ -4609,9 +4610,9 @@
             ]
         },
         "node_modules/@rollup/rollup-linux-arm-gnueabihf": {
-            "version": "4.0.2",
+            "version": "4.1.4",
-            "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm-gnueabihf/-/rollup-linux-arm-gnueabihf-4.0.2.tgz",
+            "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm-gnueabihf/-/rollup-linux-arm-gnueabihf-4.1.4.tgz",
-            "integrity": "sha512-DVFIfcHOjgmeHOAqji4xNz2wczt1Bmzy9MwBZKBa83SjBVO/i38VHDR+9ixo8QpBOiEagmNw12DucG+v55tCrg==",
+            "integrity": "sha512-HnigYSEg2hOdX1meROecbk++z1nVJDpEofw9V2oWKqOWzTJlJf1UXVbDE6Hg30CapJxZu5ga4fdAQc/gODDkKg==",
             "cpu": [
                 "arm"
             ],
@@ -4622,9 +4623,9 @@
             ]
         },
         "node_modules/@rollup/rollup-linux-arm64-gnu": {
-            "version": "4.0.2",
+            "version": "4.1.4",
-            "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm64-gnu/-/rollup-linux-arm64-gnu-4.0.2.tgz",
+            "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm64-gnu/-/rollup-linux-arm64-gnu-4.1.4.tgz",
-            "integrity": "sha512-GCK/a9ItUxPI0V5hQEJjH4JtOJO90GF2Hja7TO+EZ8rmkGvEi8/ZDMhXmcuDpQT7/PWrTT9RvnG8snMd5SrhBQ==",
+            "integrity": "sha512-TzJ+N2EoTLWkaClV2CUhBlj6ljXofaYzF/R9HXqQ3JCMnCHQZmQnbnZllw7yTDp0OG5whP4gIPozR4QiX+00MQ==",
             "cpu": [
                 "arm64"
             ],
@@ -4635,9 +4636,9 @@
             ]
         },
         "node_modules/@rollup/rollup-linux-arm64-musl": {
-            "version": "4.0.2",
+            "version": "4.1.4",
-            "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm64-musl/-/rollup-linux-arm64-musl-4.0.2.tgz",
+            "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm64-musl/-/rollup-linux-arm64-musl-4.1.4.tgz",
-            "integrity": "sha512-cLuBp7rOjIB1R2j/VazjCmHC7liWUur2e9mFflLJBAWCkrZ+X0+QwHLvOQakIwDymungzAKv6W9kHZnTp/Mqrg==",
+            "integrity": "sha512-aVPmNMdp6Dlo2tWkAduAD/5TL/NT5uor290YvjvFvCv0Q3L7tVdlD8MOGDL+oRSw5XKXKAsDzHhUOPUNPRHVTQ==",
             "cpu": [
                 "arm64"
             ],
@@ -4648,9 +4649,9 @@
             ]
         },
         "node_modules/@rollup/rollup-linux-x64-gnu": {
-            "version": "4.0.2",
+            "version": "4.1.4",
-            "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-x64-gnu/-/rollup-linux-x64-gnu-4.0.2.tgz",
+            "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-x64-gnu/-/rollup-linux-x64-gnu-4.1.4.tgz",
-            "integrity": "sha512-Zqw4iVnJr2naoyQus0yLy7sLtisCQcpdMKUCeXPBjkJtpiflRime/TMojbnl8O3oxUAj92mxr+t7im/RbgA20w==",
+            "integrity": "sha512-77Fb79ayiDad0grvVsz4/OB55wJRyw9Ao+GdOBA9XywtHpuq5iRbVyHToGxWquYWlEf6WHFQQnFEttsAzboyKg==",
             "cpu": [
                 "x64"
             ],
@@ -4661,9 +4662,9 @@
             ]
         },
         "node_modules/@rollup/rollup-linux-x64-musl": {
-            "version": "4.0.2",
+            "version": "4.1.4",
-            "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-x64-musl/-/rollup-linux-x64-musl-4.0.2.tgz",
+            "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-x64-musl/-/rollup-linux-x64-musl-4.1.4.tgz",
-            "integrity": "sha512-jJRU9TyUD/iMqjf8aLAp7XiN3pIj5v6Qcu+cdzBfVTKDD0Fvua4oUoK8eVJ9ZuKBEQKt3WdlcwJXFkpmMLk6kg==",
+            "integrity": "sha512-/t6C6niEQTqmQTVTD9TDwUzxG91Mlk69/v0qodIPUnjjB3wR4UA3klg+orR2SU3Ux2Cgf2pWPL9utK80/1ek8g==",
             "cpu": [
                 "x64"
             ],
@@ -4674,9 +4675,9 @@
             ]
         },
         "node_modules/@rollup/rollup-win32-arm64-msvc": {
-            "version": "4.0.2",
+            "version": "4.1.4",
-            "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-arm64-msvc/-/rollup-win32-arm64-msvc-4.0.2.tgz",
+            "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-arm64-msvc/-/rollup-win32-arm64-msvc-4.1.4.tgz",
-            "integrity": "sha512-ZkS2NixCxHKC4zbOnw64ztEGGDVIYP6nKkGBfOAxEPW71Sji9v8z3yaHNuae/JHPwXA+14oDefnOuVfxl59SmQ==",
+            "integrity": "sha512-ZY5BHHrOPkMbCuGWFNpJH0t18D2LU6GMYKGaqaWTQ3CQOL57Fem4zE941/Ek5pIsVt70HyDXssVEFQXlITI5Gg==",
             "cpu": [
                 "arm64"
             ],
@@ -4687,9 +4688,9 @@
             ]
         },
         "node_modules/@rollup/rollup-win32-ia32-msvc": {
-            "version": "4.0.2",
+            "version": "4.1.4",
-            "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-ia32-msvc/-/rollup-win32-ia32-msvc-4.0.2.tgz",
+            "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-ia32-msvc/-/rollup-win32-ia32-msvc-4.1.4.tgz",
-            "integrity": "sha512-3SKjj+tvnZ0oZq2BKB+fI+DqYI83VrRzk7eed8tJkxeZ4zxJZcLSE8YDQLYGq1tZAnAX+H076RHHB4gTZXsQzw==",
+            "integrity": "sha512-XG2mcRfFrJvYyYaQmvCIvgfkaGinfXrpkBuIbJrTl9SaIQ8HumheWTIwkNz2mktCKwZfXHQNpO7RgXLIGQ7HXA==",
             "cpu": [
                 "ia32"
             ],
@@ -4700,9 +4701,9 @@
             ]
         },
         "node_modules/@rollup/rollup-win32-x64-msvc": {
-            "version": "4.0.2",
+            "version": "4.1.4",
-            "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-x64-msvc/-/rollup-win32-x64-msvc-4.0.2.tgz",
+            "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-x64-msvc/-/rollup-win32-x64-msvc-4.1.4.tgz",
-            "integrity": "sha512-MBdJIOxRauKkry7t2q+rTHa3aWjVez2eioWg+etRVS3dE4tChhmt5oqZYr48R6bPmcwEhxQr96gVRfeQrLbqng==",
+            "integrity": "sha512-ANFqWYPwkhIqPmXw8vm0GpBEHiPpqcm99jiiAp71DbCSqLDhrtr019C5vhD0Bw4My+LmMvciZq6IsWHqQpl2ZQ==",
             "cpu": [
                 "x64"
             ],
@@ -4713,13 +4714,13 @@
             ]
         },
         "node_modules/@sentry-internal/tracing": {
-            "version": "7.73.0",
+            "version": "7.74.0",
-            "resolved": "https://registry.npmjs.org/@sentry-internal/tracing/-/tracing-7.73.0.tgz",
+            "resolved": "https://registry.npmjs.org/@sentry-internal/tracing/-/tracing-7.74.0.tgz",
-            "integrity": "sha512-ig3WL/Nqp8nRQ52P205NaypGKNfIl/G+cIqge9xPW6zfRb5kJdM1YParw9GSJ1SPjEZBkBORGAML0on5H2FILw==",
+            "integrity": "sha512-JK6IRGgdtZjswGfaGIHNWIThffhOHzVIIaGmglui+VFIzOsOqePjoxaDV0MEvzafxXZD7eWqGE5RGuZ0n6HFVg==",
             "dependencies": {
-                "@sentry/core": "7.73.0",
+                "@sentry/core": "7.74.0",
-                "@sentry/types": "7.73.0",
+                "@sentry/types": "7.74.0",
-                "@sentry/utils": "7.73.0",
+                "@sentry/utils": "7.74.0",
                 "tslib": "^2.4.1 || ^1.9.3"
             },
             "engines": {
@@ -4727,15 +4728,15 @@
             }
         },
         "node_modules/@sentry/browser": {
-            "version": "7.73.0",
+            "version": "7.74.0",
-            "resolved": "https://registry.npmjs.org/@sentry/browser/-/browser-7.73.0.tgz",
+            "resolved": "https://registry.npmjs.org/@sentry/browser/-/browser-7.74.0.tgz",
-            "integrity": "sha512-e301hUixcJ5+HNKCJwajFF5smF4opXEFSclyWsJuFNufv5J/1C1SDhbwG2JjBt5zzdSoKWJKT1ewR6vpICyoDw==",
+            "integrity": "sha512-Njr8216Z1dFUcl6NqBOk20dssK9SjoVddY74Xq+Q4p3NfXBG3lkMcACXor7SFoJRZXq8CZWGS13Cc5KwViRw4g==",
             "dependencies": {
-                "@sentry-internal/tracing": "7.73.0",
+                "@sentry-internal/tracing": "7.74.0",
-                "@sentry/core": "7.73.0",
+                "@sentry/core": "7.74.0",
-                "@sentry/replay": "7.73.0",
+                "@sentry/replay": "7.74.0",
-                "@sentry/types": "7.73.0",
+                "@sentry/types": "7.74.0",
-                "@sentry/utils": "7.73.0",
+                "@sentry/utils": "7.74.0",
                 "tslib": "^2.4.1 || ^1.9.3"
             },
             "engines": {
@@ -4743,12 +4744,12 @@
             }
         },
         "node_modules/@sentry/core": {
-            "version": "7.73.0",
+            "version": "7.74.0",
-            "resolved": "https://registry.npmjs.org/@sentry/core/-/core-7.73.0.tgz",
+            "resolved": "https://registry.npmjs.org/@sentry/core/-/core-7.74.0.tgz",
-            "integrity": "sha512-9FEz4Gq848LOgVN2OxJGYuQqxv7cIVw69VlAzWHEm3njt8mjvlTq+7UiFsGRo84+59V2FQuHxzA7vVjl90WfSg==",
+            "integrity": "sha512-83NRuqn7nDZkSVBN5yJQqcpXDG4yMYiB7TkYUKrGTzBpRy6KUOrkCdybuKk0oraTIGiGSe5WEwCFySiNgR9FzA==",
             "dependencies": {
-                "@sentry/types": "7.73.0",
+                "@sentry/types": "7.74.0",
-                "@sentry/utils": "7.73.0",
+                "@sentry/utils": "7.74.0",
                 "tslib": "^2.4.1 || ^1.9.3"
             },
             "engines": {
@@ -4756,43 +4757,43 @@
             }
         },
         "node_modules/@sentry/replay": {
-            "version": "7.73.0",
+            "version": "7.74.0",
-            "resolved": "https://registry.npmjs.org/@sentry/replay/-/replay-7.73.0.tgz",
+            "resolved": "https://registry.npmjs.org/@sentry/replay/-/replay-7.74.0.tgz",
-            "integrity": "sha512-a8IC9SowBisLYD2IdLkXzx7gN4iVwHDJhQvLp2B8ARs1PyPjJ7gCxSMHeGrYp94V0gOXtorNYkrxvuX8ayPROA==",
+            "integrity": "sha512-GoYa3cHTTFVI/J1cnZ0i4X128mf/JljaswO3PWNTe2k3lSHq/LM5aV0keClRvwM0W8hlix8oOTT06nnenOUmmw==",
             "dependencies": {
-                "@sentry/core": "7.73.0",
+                "@sentry/core": "7.74.0",
-                "@sentry/types": "7.73.0",
+                "@sentry/types": "7.74.0",
-                "@sentry/utils": "7.73.0"
+                "@sentry/utils": "7.74.0"
             },
             "engines": {
                 "node": ">=12"
             }
         },
         "node_modules/@sentry/tracing": {
-            "version": "7.73.0",
+            "version": "7.74.0",
-            "resolved": "https://registry.npmjs.org/@sentry/tracing/-/tracing-7.73.0.tgz",
+            "resolved": "https://registry.npmjs.org/@sentry/tracing/-/tracing-7.74.0.tgz",
-            "integrity": "sha512-LOQR6Hkc8ZoflCXWtMlxTbCBEwv0MSOr3vesnRsmlFG8TW1YUIneU+wKnVxToWAZ8fq+6ubclnuIUKHfqTk/Tg==",
+            "integrity": "sha512-rSFJADhh3J3zmkzJ1EXCOwS3h7F6o/lSKu7CWZSZ6k5kBvbCJ5AXvGQadhPdWPJMMcPFzCJaOyTKEPcwL4tbCw==",
             "dependencies": {
-                "@sentry-internal/tracing": "7.73.0"
+                "@sentry-internal/tracing": "7.74.0"
             },
             "engines": {
                 "node": ">=8"
             }
         },
         "node_modules/@sentry/types": {
-            "version": "7.73.0",
+            "version": "7.74.0",
-            "resolved": "https://registry.npmjs.org/@sentry/types/-/types-7.73.0.tgz",
+            "resolved": "https://registry.npmjs.org/@sentry/types/-/types-7.74.0.tgz",
-            "integrity": "sha512-/v8++bly8jW7r4cP2wswYiiVpn7eLLcqwnfPUMeCQze4zj3F3nTRIKc9BGHzU0V+fhHa3RwRC2ksqTGq1oJMDg==",
+            "integrity": "sha512-rI5eIRbUycWjn6s6o3yAjjWtIvYSxZDdnKv5je2EZINfLKcMPj1dkl6wQd2F4y7gLfD/N6Y0wZYIXC3DUdJQQg==",
             "engines": {
                 "node": ">=8"
             }
         },
         "node_modules/@sentry/utils": {
-            "version": "7.73.0",
+            "version": "7.74.0",
-            "resolved": "https://registry.npmjs.org/@sentry/utils/-/utils-7.73.0.tgz",
+            "resolved": "https://registry.npmjs.org/@sentry/utils/-/utils-7.74.0.tgz",
-            "integrity": "sha512-h3ZK/qpf4k76FhJV9uiSbvMz3V/0Ovy94C+5/9UgPMVCJXFmVsdw8n/dwANJ7LupVPfYP23xFGgebDMFlK1/2w==",
+            "integrity": "sha512-k3np8nuTPtx5KDODPtULfFln4UXdE56MZCcF19Jv6Ljxf+YN/Ady1+0Oi3e0XoSvFpWNyWnglauT7M65qCE6kg==",
             "dependencies": {
-                "@sentry/types": "7.73.0",
+                "@sentry/types": "7.74.0",
                 "tslib": "^2.4.1 || ^1.9.3"
             },
             "engines": {
@@ -7689,18 +7690,6 @@
                 "node": ">=14.14"
             }
         },
-        "node_modules/@storybook/builder-vite/node_modules/magic-string": {
-            "version": "0.30.4",
-            "resolved": "https://registry.npmjs.org/magic-string/-/magic-string-0.30.4.tgz",
-            "integrity": "sha512-Q/TKtsC5BPm0kGqgBIF9oXAs/xEf2vRKiIB4wCRQTJOQIByZ1d+NnUOotvJOvNpi5RNIgVOMC3pOuaP1ZTDlVg==",
-            "dev": true,
-            "dependencies": {
-                "@jridgewell/sourcemap-codec": "^1.4.15"
-            },
-            "engines": {
-                "node": ">=12"
-            }
-        },
         "node_modules/@storybook/builder-vite/node_modules/rollup": {
             "version": "3.29.4",
             "resolved": "https://registry.npmjs.org/rollup/-/rollup-3.29.4.tgz",
@@ -9424,18 +9413,6 @@
                 "react-dom": "^16.8.0 || ^17.0.0 || ^18.0.0"
             }
         },
-        "node_modules/@storybook/web-components-vite/node_modules/magic-string": {
-            "version": "0.30.3",
-            "resolved": "https://registry.npmjs.org/magic-string/-/magic-string-0.30.3.tgz",
-            "integrity": "sha512-B7xGbll2fG/VjP+SWg4sX3JynwIU0mjoTc6MPpKNuIvftk6u6vqhDnk1R80b8C2GBR6ywqy+1DcKBrevBg+bmw==",
-            "dev": true,
-            "dependencies": {
-                "@jridgewell/sourcemap-codec": "^1.4.15"
-            },
-            "engines": {
-                "node": ">=12"
-            }
-        },
         "node_modules/@storybook/web-components/node_modules/@storybook/channels": {
             "version": "7.4.6",
             "resolved": "https://registry.npmjs.org/@storybook/channels/-/channels-7.4.6.tgz",
@@ -10515,16 +10492,16 @@
             "dev": true
         },
         "node_modules/@typescript-eslint/eslint-plugin": {
-            "version": "6.7.5",
+            "version": "6.8.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-6.7.5.tgz",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-6.8.0.tgz",
-            "integrity": "sha512-JhtAwTRhOUcP96D0Y6KYnwig/MRQbOoLGXTON2+LlyB/N35SP9j1boai2zzwXb7ypKELXMx3DVk9UTaEq1vHEw==",
+            "integrity": "sha512-GosF4238Tkes2SHPQ1i8f6rMtG6zlKwMEB0abqSJ3Npvos+doIlc/ATG+vX1G9coDF3Ex78zM3heXHLyWEwLUw==",
             "dev": true,
             "dependencies": {
                 "@eslint-community/regexpp": "^4.5.1",
-                "@typescript-eslint/scope-manager": "6.7.5",
+                "@typescript-eslint/scope-manager": "6.8.0",
-                "@typescript-eslint/type-utils": "6.7.5",
+                "@typescript-eslint/type-utils": "6.8.0",
-                "@typescript-eslint/utils": "6.7.5",
+                "@typescript-eslint/utils": "6.8.0",
-                "@typescript-eslint/visitor-keys": "6.7.5",
+                "@typescript-eslint/visitor-keys": "6.8.0",
                 "debug": "^4.3.4",
                 "graphemer": "^1.4.0",
                 "ignore": "^5.2.4",
@@ -10583,15 +10560,15 @@
             "dev": true
         },
         "node_modules/@typescript-eslint/parser": {
-            "version": "6.7.5",
+            "version": "6.8.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-6.7.5.tgz",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-6.8.0.tgz",
-            "integrity": "sha512-bIZVSGx2UME/lmhLcjdVc7ePBwn7CLqKarUBL4me1C5feOd663liTGjMBGVcGr+BhnSLeP4SgwdvNnnkbIdkCw==",
+            "integrity": "sha512-5tNs6Bw0j6BdWuP8Fx+VH4G9fEPDxnVI7yH1IAPkQH5RUtvKwRoqdecAPdQXv4rSOADAaz1LFBZvZG7VbXivSg==",
             "dev": true,
             "dependencies": {
-                "@typescript-eslint/scope-manager": "6.7.5",
+                "@typescript-eslint/scope-manager": "6.8.0",
-                "@typescript-eslint/types": "6.7.5",
+                "@typescript-eslint/types": "6.8.0",
-                "@typescript-eslint/typescript-estree": "6.7.5",
+                "@typescript-eslint/typescript-estree": "6.8.0",
-                "@typescript-eslint/visitor-keys": "6.7.5",
+                "@typescript-eslint/visitor-keys": "6.8.0",
                 "debug": "^4.3.4"
             },
             "engines": {
@@ -10611,13 +10588,13 @@
             }
         },
         "node_modules/@typescript-eslint/scope-manager": {
-            "version": "6.7.5",
+            "version": "6.8.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-6.7.5.tgz",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-6.8.0.tgz",
-            "integrity": "sha512-GAlk3eQIwWOJeb9F7MKQ6Jbah/vx1zETSDw8likab/eFcqkjSD7BI75SDAeC5N2L0MmConMoPvTsmkrg71+B1A==",
+            "integrity": "sha512-xe0HNBVwCph7rak+ZHcFD6A+q50SMsFwcmfdjs9Kz4qDh5hWhaPhFjRs/SODEhroBI5Ruyvyz9LfwUJ624O40g==",
             "dev": true,
             "dependencies": {
-                "@typescript-eslint/types": "6.7.5",
+                "@typescript-eslint/types": "6.8.0",
-                "@typescript-eslint/visitor-keys": "6.7.5"
+                "@typescript-eslint/visitor-keys": "6.8.0"
             },
             "engines": {
                 "node": "^16.0.0 || >=18.0.0"
@@ -10628,13 +10605,13 @@
             }
         },
         "node_modules/@typescript-eslint/type-utils": {
-            "version": "6.7.5",
+            "version": "6.8.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-6.7.5.tgz",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-6.8.0.tgz",
-            "integrity": "sha512-Gs0qos5wqxnQrvpYv+pf3XfcRXW6jiAn9zE/K+DlmYf6FcpxeNYN0AIETaPR7rHO4K2UY+D0CIbDP9Ut0U4m1g==",
+            "integrity": "sha512-RYOJdlkTJIXW7GSldUIHqc/Hkto8E+fZN96dMIFhuTJcQwdRoGN2rEWA8U6oXbLo0qufH7NPElUb+MceHtz54g==",
             "dev": true,
             "dependencies": {
-                "@typescript-eslint/typescript-estree": "6.7.5",
+                "@typescript-eslint/typescript-estree": "6.8.0",
-                "@typescript-eslint/utils": "6.7.5",
+                "@typescript-eslint/utils": "6.8.0",
                 "debug": "^4.3.4",
                 "ts-api-utils": "^1.0.1"
             },
@@ -10655,9 +10632,9 @@
             }
         },
         "node_modules/@typescript-eslint/types": {
-            "version": "6.7.5",
+            "version": "6.8.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-6.7.5.tgz",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-6.8.0.tgz",
-            "integrity": "sha512-WboQBlOXtdj1tDFPyIthpKrUb+kZf2VroLZhxKa/VlwLlLyqv/PwUNgL30BlTVZV1Wu4Asu2mMYPqarSO4L5ZQ==",
+            "integrity": "sha512-p5qOxSum7W3k+llc7owEStXlGmSl8FcGvhYt8Vjy7FqEnmkCVlM3P57XQEGj58oqaBWDQXbJDZxwUWMS/EAPNQ==",
             "dev": true,
             "engines": {
                 "node": "^16.0.0 || >=18.0.0"
@@ -10668,13 +10645,13 @@
             }
         },
         "node_modules/@typescript-eslint/typescript-estree": {
-            "version": "6.7.5",
+            "version": "6.8.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-6.7.5.tgz",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-6.8.0.tgz",
-            "integrity": "sha512-NhJiJ4KdtwBIxrKl0BqG1Ur+uw7FiOnOThcYx9DpOGJ/Abc9z2xNzLeirCG02Ig3vkvrc2qFLmYSSsaITbKjlg==",
+            "integrity": "sha512-ISgV0lQ8XgW+mvv5My/+iTUdRmGspducmQcDw5JxznasXNnZn3SKNrTRuMsEXv+V/O+Lw9AGcQCfVaOPCAk/Zg==",
             "dev": true,
             "dependencies": {
-                "@typescript-eslint/types": "6.7.5",
+                "@typescript-eslint/types": "6.8.0",
-                "@typescript-eslint/visitor-keys": "6.7.5",
+                "@typescript-eslint/visitor-keys": "6.8.0",
                 "debug": "^4.3.4",
                 "globby": "^11.1.0",
                 "is-glob": "^4.0.3",
@@ -10728,17 +10705,17 @@
             "dev": true
         },
         "node_modules/@typescript-eslint/utils": {
-            "version": "6.7.5",
+            "version": "6.8.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-6.7.5.tgz",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-6.8.0.tgz",
-            "integrity": "sha512-pfRRrH20thJbzPPlPc4j0UNGvH1PjPlhlCMq4Yx7EGjV7lvEeGX0U6MJYe8+SyFutWgSHsdbJ3BXzZccYggezA==",
+            "integrity": "sha512-dKs1itdE2qFG4jr0dlYLQVppqTE+Itt7GmIf/vX6CSvsW+3ov8PbWauVKyyfNngokhIO9sKZeRGCUo1+N7U98Q==",
             "dev": true,
             "dependencies": {
                 "@eslint-community/eslint-utils": "^4.4.0",
                 "@types/json-schema": "^7.0.12",
                 "@types/semver": "^7.5.0",
-                "@typescript-eslint/scope-manager": "6.7.5",
+                "@typescript-eslint/scope-manager": "6.8.0",
-                "@typescript-eslint/types": "6.7.5",
+                "@typescript-eslint/types": "6.8.0",
-                "@typescript-eslint/typescript-estree": "6.7.5",
+                "@typescript-eslint/typescript-estree": "6.8.0",
                 "semver": "^7.5.4"
             },
             "engines": {
@@ -10786,12 +10763,12 @@
             "dev": true
         },
         "node_modules/@typescript-eslint/visitor-keys": {
-            "version": "6.7.5",
+            "version": "6.8.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-6.7.5.tgz",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-6.8.0.tgz",
-            "integrity": "sha512-3MaWdDZtLlsexZzDSdQWsFQ9l9nL8B80Z4fImSpyllFC/KLqWQRdEcB+gGGO+N3Q2uL40EsG66wZLsohPxNXvg==",
+            "integrity": "sha512-oqAnbA7c+pgOhW2OhGvxm0t1BULX5peQI/rLsNDpGM78EebV3C9IGbX5HNZabuZ6UQrYveCLjKo8Iy/lLlBkkg==",
             "dev": true,
             "dependencies": {
-                "@typescript-eslint/types": "6.7.5",
+                "@typescript-eslint/types": "6.8.0",
                 "eslint-visitor-keys": "^3.4.1"
             },
             "engines": {
@@ -17197,12 +17174,12 @@
             }
         },
         "node_modules/magic-string": {
-            "version": "0.27.0",
+            "version": "0.30.5",
-            "resolved": "https://registry.npmjs.org/magic-string/-/magic-string-0.27.0.tgz",
+            "resolved": "https://registry.npmjs.org/magic-string/-/magic-string-0.30.5.tgz",
-            "integrity": "sha512-8UnnX2PeRAPZuN12svgR9j7M1uWMovg/CEnIwIG0LFkXSJJe4PdfUGiTGl8V9bsBHFUtfVINcSyYxd7q+kx9fA==",
+            "integrity": "sha512-7xlpfBaQaP/T6Vh8MO/EqXSW5En6INHEvEXQiuff7Gku0PWjU3uf6w/j9o7O+SpB5fOAkrI5HeoNgwjEO0pFsA==",
             "dev": true,
             "dependencies": {
-                "@jridgewell/sourcemap-codec": "^1.4.13"
+                "@jridgewell/sourcemap-codec": "^1.4.15"
             },
             "engines": {
                 "node": ">=12"
@@ -19319,6 +19296,30 @@
             "resolved": "https://registry.npmjs.org/proxy-from-env/-/proxy-from-env-1.1.0.tgz",
             "integrity": "sha512-D+zkORCbA9f1tdWRK0RaCR3GPv50cMxcrz4X8k5LTSUD1Dkw47mKJEZQNunItRTkWwgtaUSo1RVFRIG9ZXiFYg=="
         },
+        "node_modules/pseudolocale": {
+            "version": "2.0.0",
+            "resolved": "https://registry.npmjs.org/pseudolocale/-/pseudolocale-2.0.0.tgz",
+            "integrity": "sha512-g1K9tCQYY4e3UGtnW8qs3kGWAOONxt7i5wuOFvf3N1EIIRhiLVIhZ9AM/ZyGTxsp231JbFywJU/EbJ5ZoqnZdg==",
+            "dev": true,
+            "dependencies": {
+                "commander": "^10.0.0"
+            },
+            "bin": {
+                "pseudolocale": "dist/cli.mjs"
+            },
+            "engines": {
+                "node": ">=16.0.0"
+            }
+        },
+        "node_modules/pseudolocale/node_modules/commander": {
+            "version": "10.0.1",
+            "resolved": "https://registry.npmjs.org/commander/-/commander-10.0.1.tgz",
+            "integrity": "sha512-y4Mg2tXshplEbSGzx7amzPwKKOCGuoSRP/CjEdwwk0FOGlUbq6lKuoyDZTNZkmxHdJtp54hdfY/JUrdL7Xfdug==",
+            "dev": true,
+            "engines": {
+                "node": ">=14"
+            }
+        },
         "node_modules/pump": {
             "version": "3.0.0",
             "resolved": "https://registry.npmjs.org/pump/-/pump-3.0.0.tgz",
@@ -20239,9 +20240,9 @@
             "integrity": "sha512-IXgzBWvWQwE6PrDI05OvmXUIruQTcoMDzRsOd5CDvHCVLcLHMTSYvOK5Cm46kWqlV3yAbuSpBZdJ5oP5OUoStg=="
         },
         "node_modules/rollup": {
-            "version": "4.0.2",
+            "version": "4.1.4",
-            "resolved": "https://registry.npmjs.org/rollup/-/rollup-4.0.2.tgz",
+            "resolved": "https://registry.npmjs.org/rollup/-/rollup-4.1.4.tgz",
-            "integrity": "sha512-MCScu4usMPCeVFaiLcgMDaBQeYi1z6vpWxz0r0hq0Hv77Y2YuOTZldkuNJ54BdYBH3e+nkrk6j0Rre/NLDBYzg==",
+            "integrity": "sha512-U8Yk1lQRKqCkDBip/pMYT+IKaN7b7UesK3fLSTuHBoBJacCE+oBqo/dfG/gkUdQNNB2OBmRP98cn2C2bkYZkyw==",
             "dev": true,
             "bin": {
                 "rollup": "dist/bin/rollup"
@@ -20251,18 +20252,18 @@
                 "npm": ">=8.0.0"
             },
             "optionalDependencies": {
-                "@rollup/rollup-android-arm-eabi": "4.0.2",
+                "@rollup/rollup-android-arm-eabi": "4.1.4",
-                "@rollup/rollup-android-arm64": "4.0.2",
+                "@rollup/rollup-android-arm64": "4.1.4",
-                "@rollup/rollup-darwin-arm64": "4.0.2",
+                "@rollup/rollup-darwin-arm64": "4.1.4",
-                "@rollup/rollup-darwin-x64": "4.0.2",
+                "@rollup/rollup-darwin-x64": "4.1.4",
-                "@rollup/rollup-linux-arm-gnueabihf": "4.0.2",
+                "@rollup/rollup-linux-arm-gnueabihf": "4.1.4",
-                "@rollup/rollup-linux-arm64-gnu": "4.0.2",
+                "@rollup/rollup-linux-arm64-gnu": "4.1.4",
-                "@rollup/rollup-linux-arm64-musl": "4.0.2",
+                "@rollup/rollup-linux-arm64-musl": "4.1.4",
-                "@rollup/rollup-linux-x64-gnu": "4.0.2",
+                "@rollup/rollup-linux-x64-gnu": "4.1.4",
-                "@rollup/rollup-linux-x64-musl": "4.0.2",
+                "@rollup/rollup-linux-x64-musl": "4.1.4",
-                "@rollup/rollup-win32-arm64-msvc": "4.0.2",
+                "@rollup/rollup-win32-arm64-msvc": "4.1.4",
-                "@rollup/rollup-win32-ia32-msvc": "4.0.2",
+                "@rollup/rollup-win32-ia32-msvc": "4.1.4",
-                "@rollup/rollup-win32-x64-msvc": "4.0.2",
+                "@rollup/rollup-win32-x64-msvc": "4.1.4",
                 "fsevents": "~2.3.2"
             }
         },
@@ -23404,9 +23405,9 @@
             "dev": true
         },
         "node_modules/yaml": {
-            "version": "2.3.2",
+            "version": "2.3.3",
-            "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.3.2.tgz",
+            "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.3.3.tgz",
-            "integrity": "sha512-N/lyzTPaJasoDmfV7YTrYCI0G/3ivm/9wdG0aHuheKowWQwGTsK0Eoiw6utmzAnI6pkJa0DUVygvp3spqqEKXg==",
+            "integrity": "sha512-zw0VAJxgeZ6+++/su5AFoqBbZbrEakwu+X0M5HmcwUiBL7AzcuPKjj5we4xfQLp78LkEMpD0cOnUhmgOVy3KdQ==",
             "engines": {
                 "node": ">= 14"
             }

web/package.json

@@ -21,6 +21,9 @@
         "precommit": "run-s tsc lit-analyse lint:precommit lint:spelling prettier",
         "prettier-check": "prettier --check .",
         "prettier": "prettier --write .",
+        "pseudolocalize:build-extract-script": "cd scripts && tsc --esModuleInterop --module es2020 --moduleResolution 'node' pseudolocalize.ts && mv pseudolocalize.js pseudolocalize.mjs",
+        "pseudolocalize:extract": "node scripts/pseudolocalize.mjs",
+        "pseudolocalize": "run-s pseudolocalize:build-extract-script pseudolocalize:extract",
         "tsc:execute": "tsc --noEmit -p .",
         "tsc": "run-s build-locales tsc:execute",
         "storybook": "storybook dev -p 6006",
@@ -33,17 +36,17 @@
         "@codemirror/lang-xml": "^6.0.2",
         "@codemirror/legacy-modes": "^6.3.3",
         "@codemirror/theme-one-dark": "^6.1.2",
-        "@formatjs/intl-listformat": "^7.4.2",
+        "@formatjs/intl-listformat": "^7.5.0",
         "@fortawesome/fontawesome-free": "^6.4.2",
-        "@goauthentik/api": "^2023.8.3-1696847703",
+        "@goauthentik/api": "^2023.8.3-1697470337",
         "@lit-labs/context": "^0.4.1",
         "@lit-labs/task": "^3.1.0",
         "@lit/localize": "^0.11.4",
         "@open-wc/lit-helpers": "^0.6.0",
         "@patternfly/elements": "^2.4.0",
         "@patternfly/patternfly": "^4.224.2",
-        "@sentry/browser": "^7.73.0",
+        "@sentry/browser": "^7.74.0",
-        "@sentry/tracing": "^7.73.0",
+        "@sentry/tracing": "^7.74.0",
         "@webcomponents/webcomponentsjs": "^2.8.0",
         "base64-js": "^1.5.1",
         "chart.js": "^4.4.0",
@@ -58,7 +61,7 @@
         "rapidoc": "^9.3.4",
         "style-mod": "^4.1.0",
         "webcomponent-qr-code": "^1.2.0",
-        "yaml": "^2.3.2"
+        "yaml": "^2.3.3"
     },
     "devDependencies": {
         "@babel/core": "^7.23.2",
@@ -74,9 +77,9 @@
         "@jeysal/storybook-addon-css-user-preferences": "^0.2.0",
         "@lit/localize-tools": "^0.7.0",
         "@rollup/plugin-babel": "^6.0.4",
-        "@rollup/plugin-commonjs": "^25.0.5",
+        "@rollup/plugin-commonjs": "^25.0.7",
         "@rollup/plugin-node-resolve": "^15.2.3",
-        "@rollup/plugin-replace": "^5.0.3",
+        "@rollup/plugin-replace": "^5.0.4",
         "@rollup/plugin-terser": "^0.4.4",
         "@rollup/plugin-typescript": "^11.1.5",
         "@storybook/addon-essentials": "^7.4.6",
@@ -88,8 +91,8 @@
         "@types/chart.js": "^2.9.38",
         "@types/codemirror": "5.60.10",
         "@types/grecaptcha": "^3.0.5",
-        "@typescript-eslint/eslint-plugin": "^6.7.5",
+        "@typescript-eslint/eslint-plugin": "^6.8.0",
-        "@typescript-eslint/parser": "^6.7.5",
+        "@typescript-eslint/parser": "^6.8.0",
         "babel-plugin-macros": "^3.1.0",
         "babel-plugin-tsconfig-paths": "^1.0.3",
         "cross-env": "^7.0.3",
@@ -102,10 +105,11 @@
         "lit-analyzer": "^1.2.1",
         "npm-run-all": "^4.1.5",
         "prettier": "^3.0.3",
+        "pseudolocale": "^2.0.0",
         "pyright": "^1.1.331",
         "react": "^18.2.0",
         "react-dom": "^18.2.0",
-        "rollup": "^4.0.2",
+        "rollup": "^4.1.4",
         "rollup-plugin-copy": "^3.5.0",
         "rollup-plugin-cssimport": "^1.0.3",
         "rollup-plugin-postcss-lit": "^2.1.0",
@@ -118,8 +122,8 @@
         "vite-tsconfig-paths": "^4.2.1"
     },
     "optionalDependencies": {
-        "@esbuild/darwin-arm64": "^0.19.4",
+        "@esbuild/darwin-arm64": "^0.19.5",
         "@esbuild/linux-amd64": "^0.18.11",
-        "@esbuild/linux-arm64": "^0.19.4"
+        "@esbuild/linux-arm64": "^0.19.5"
     }
 }

web/scripts/pseudolocalize.ts

@@ -0,0 +1,47 @@
+import { readFileSync } from "fs";
+import path from "path";
+import pseudolocale from "pseudolocale";
+import { fileURLToPath } from "url";
+
+import { makeFormatter } from "@lit/localize-tools/lib/formatters/index.js";
+import type { Message, ProgramMessage } from "@lit/localize-tools/lib/messages.d.ts";
+import { sortProgramMessages } from "@lit/localize-tools/lib/messages.js";
+import { TransformLitLocalizer } from "@lit/localize-tools/lib/modes/transform.js";
+import type { Config } from "@lit/localize-tools/lib/types/config.d.ts";
+import type { Locale } from "@lit/localize-tools/lib/types/locale.d.ts";
+import type { TransformOutputConfig } from "@lit/localize-tools/lib/types/modes.d.ts";
+
+const __dirname = fileURLToPath(new URL(".", import.meta.url));
+const pseudoLocale: Locale = "pseudo-LOCALE" as Locale;
+const targetLocales: Locale[] = [pseudoLocale];
+const baseConfig = JSON.parse(readFileSync(path.join(__dirname, "../lit-localize.json"), "utf-8"));
+
+// Need to make some internal specifications to satisfy the transformer. It doesn't actually matter
+// which Localizer we use (transformer or runtime), because all of the functionality we care about
+// is in their common parent class, but I had to pick one.  Everything else here is just pure
+// exploitation of the lit/localize-tools internals.
+
+const config: Config = {
+    ...baseConfig,
+    baseDir: path.join(__dirname, ".."),
+    targetLocales,
+    output: {
+        ...baseConfig,
+        mode: "transform",
+    },
+    resolve: (path: string) => path,
+} as Config;
+
+const pseudoMessagify = (message: ProgramMessage) => ({
+    name: message.name,
+    contents: message.contents.map((content) =>
+        typeof content === "string" ? pseudolocale(content, { prepend: "", append: "" }) : content,
+    ),
+});
+
+const localizer = new TransformLitLocalizer(config as Config & { output: TransformOutputConfig });
+const { messages } = localizer.extractSourceMessages();
+const translations = messages.map(pseudoMessagify);
+const sorted = sortProgramMessages([...messages]);
+const formatter = makeFormatter(config);
+formatter.writeOutput(sorted, new Map<Locale, Message[]>([[pseudoLocale, translations]]));

web/src/admin/AdminInterface.ts

@@ -116,7 +116,11 @@ export class AdminInterface extends Interface {
         configureSentry(true);
         this.version = await new AdminApi(DEFAULT_CONFIG).adminVersionRetrieve();
         this.user = await me();
-        if (!this.user.user.isSuperuser && this.user.user.pk > 0) {
+        const canAccessAdmin =
+            this.user.user.isSuperuser ||
+            // TODO: somehow add `access_admin_interface` to the API schema
+            this.user.user.systemPermissions.includes("access_admin_interface");
+        if (!canAccessAdmin && this.user.user.pk > 0) {
             window.location.assign("/if/user");
         }
     }
@@ -211,6 +215,7 @@ export class AdminInterface extends Interface {
             [null, msg("Directory"), null, [
                 ["/identity/users", msg("Users"), [`^/identity/users/(?<id>${ID_REGEX})$`]],
                 ["/identity/groups", msg("Groups"), [`^/identity/groups/(?<id>${UUID_REGEX})$`]],
+                ["/identity/roles", msg("Roles"), [`^/identity/roles/(?<id>${UUID_REGEX})$`]],
                 ["/core/sources", msg("Federation and Social login"), [`^/core/sources/(?<slug>${SLUG_REGEX})$`]],
                 ["/core/tokens", msg("Tokens and App passwords")],
                 ["/flow/stages/invitations", msg("Invitations")]]],

web/src/admin/Routes.ts

@@ -80,6 +80,14 @@ export const ROUTES: Route[] = [
         await import("@goauthentik/admin/users/UserViewPage");
         return html`<ak-user-view .userId=${parseInt(args.id, 10)}></ak-user-view>`;
     }),
+    new Route(new RegExp("^/identity/roles$"), async () => {
+        await import("@goauthentik/admin/roles/RoleListPage");
+        return html`<ak-role-list></ak-role-list>`;
+    }),
+    new Route(new RegExp(`^/identity/roles/(?<id>${UUID_REGEX})$`), async (args) => {
+        await import("@goauthentik/admin/roles/RoleViewPage");
+        return html`<ak-role-view roleId=${args.id}></ak-role-view>`;
+    }),
     new Route(new RegExp("^/flow/stages/invitations$"), async () => {
         await import("@goauthentik/admin/stages/invitation/InvitationListPage");
         return html`<ak-stage-invitation-list></ak-stage-invitation-list>`;

web/src/admin/admin-overview/cards/AdminStatusCard.ts

@@ -2,9 +2,12 @@ import { EVENT_REFRESH } from "@goauthentik/common/constants";
 import { PFSize } from "@goauthentik/elements/Spinner";
 import { AggregateCard } from "@goauthentik/elements/cards/AggregateCard";
 
+import { msg } from "@lit/localize";
 import { TemplateResult, html } from "lit";
 import { until } from "lit/directives/until.js";
 
+import { ResponseError } from "@goauthentik/api";
+
 export interface AdminStatus {
     icon: string;
     message?: TemplateResult;
@@ -41,6 +44,12 @@ export abstract class AdminStatusCard<T> extends AggregateCard {
                             ${status.message
                                 ? html`<p class="subtext">${status.message}</p>`
                                 : html``}`;
+                    })
+                    .catch((exc: ResponseError) => {
+                        return html` <p>
+                                <i class="fa fa-times"></i>&nbsp;${exc.response.statusText}
+                            </p>
+                            <p class="subtext">${msg("Failed to fetch")}</p>`;
                     }),
                 html`<ak-spinner size="${PFSize.Large}"></ak-spinner>`,
             )}

web/src/admin/applications/ApplicationViewPage.ts

@@ -3,6 +3,7 @@ import "@goauthentik/admin/applications/ApplicationCheckAccessForm";
 import "@goauthentik/admin/applications/ApplicationForm";
 import "@goauthentik/admin/policies/BoundPoliciesList";
 import { PFSize } from "@goauthentik/app/elements/Spinner";
+import "@goauthentik/app/elements/rbac/ObjectPermissionsPage";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import "@goauthentik/components/ak-app-icon";
 import "@goauthentik/components/events/ObjectChangelog";
@@ -27,7 +28,12 @@ import PFPage from "@patternfly/patternfly/components/Page/page.css";
 import PFGrid from "@patternfly/patternfly/layouts/Grid/grid.css";
 import PFBase from "@patternfly/patternfly/patternfly-base.css";
 
-import { Application, CoreApi, OutpostsApi } from "@goauthentik/api";
+import {
+    Application,
+    CoreApi,
+    OutpostsApi,
+    RbacPermissionsAssignedByUsersListModelEnum,
+} from "@goauthentik/api";
 
 @customElement("ak-application-view")
 export class ApplicationViewPage extends AKElement {
@@ -299,6 +305,12 @@ export class ApplicationViewPage extends AKElement {
                     </ak-bound-policies-list>
                 </div>
             </section>
+            <ak-rbac-object-permission-page
+                slot="page-permissions"
+                data-tab-title="${msg("Permissions")}"
+                model=${RbacPermissionsAssignedByUsersListModelEnum.CoreApplication}
+                objectPk=${this.application.pk}
+            ></ak-rbac-object-permission-page>
         </ak-tabs>`;
     }
 }

web/src/admin/blueprints/BlueprintListPage.ts

@@ -7,6 +7,7 @@ import "@goauthentik/elements/buttons/ActionButton";
 import "@goauthentik/elements/buttons/SpinnerButton";
 import "@goauthentik/elements/forms/DeleteBulkForm";
 import "@goauthentik/elements/forms/ModalForm";
+import "@goauthentik/elements/rbac/ObjectPermissionModal";
 import { PaginatedResponse } from "@goauthentik/elements/table/Table";
 import { TableColumn } from "@goauthentik/elements/table/Table";
 import { TablePage } from "@goauthentik/elements/table/TablePage";
@@ -18,7 +19,12 @@ import { customElement, property } from "lit/decorators.js";
 
 import PFDescriptionList from "@patternfly/patternfly/components/DescriptionList/description-list.css";
 
-import { BlueprintInstance, BlueprintInstanceStatusEnum, ManagedApi } from "@goauthentik/api";
+import {
+    BlueprintInstance,
+    BlueprintInstanceStatusEnum,
+    ManagedApi,
+    RbacPermissionsAssignedByUsersListModelEnum,
+} from "@goauthentik/api";
 
 export function BlueprintStatus(blueprint?: BlueprintInstance): string {
     if (!blueprint) return "";
@@ -151,6 +157,11 @@ export class BlueprintListPage extends TablePage<BlueprintInstance> {
                         </pf-tooltip>
                     </button>
                 </ak-forms-modal>
+                <ak-rbac-object-permission-modal
+                    model=${RbacPermissionsAssignedByUsersListModelEnum.BlueprintsBlueprintinstance}
+                    objectPk=${item.pk}
+                >
+                </ak-rbac-object-permission-modal>
                 <ak-action-button
                     class="pf-m-plain"
                     .apiRequest=${() => {

web/src/admin/crypto/CertificateKeyPairListPage.ts

@@ -6,6 +6,7 @@ import { PFColor } from "@goauthentik/elements/Label";
 import "@goauthentik/elements/buttons/SpinnerButton";
 import "@goauthentik/elements/forms/DeleteBulkForm";
 import "@goauthentik/elements/forms/ModalForm";
+import "@goauthentik/elements/rbac/ObjectPermissionModal";
 import { PaginatedResponse } from "@goauthentik/elements/table/Table";
 import { TableColumn } from "@goauthentik/elements/table/Table";
 import { TablePage } from "@goauthentik/elements/table/TablePage";
@@ -17,7 +18,11 @@ import { customElement, property } from "lit/decorators.js";
 
 import PFDescriptionList from "@patternfly/patternfly/components/DescriptionList/description-list.css";
 
-import { CertificateKeyPair, CryptoApi } from "@goauthentik/api";
+import {
+    CertificateKeyPair,
+    CryptoApi,
+    RbacPermissionsAssignedByUsersListModelEnum,
+} from "@goauthentik/api";
 
 @customElement("ak-crypto-certificate-list")
 export class CertificateKeyPairListPage extends TablePage<CertificateKeyPair> {
@@ -128,7 +133,12 @@ export class CertificateKeyPairListPage extends TablePage<CertificateKeyPair> {
                             <i class="fas fa-edit"></i>
                         </pf-tooltip>
                     </button>
-            </ak-forms-modal>`,
+                </ak-forms-modal>
+                <ak-rbac-object-permission-modal
+                    model=${RbacPermissionsAssignedByUsersListModelEnum.CryptoCertificatekeypair}
+                    objectPk=${item.pk}
+                >
+                </ak-rbac-object-permission-modal>`,
         ];
     }
 

web/src/admin/enterprise/EnterpriseLicenseListPage.ts

@@ -7,6 +7,7 @@ import "@goauthentik/elements/buttons/SpinnerButton";
 import "@goauthentik/elements/cards/AggregateCard";
 import "@goauthentik/elements/forms/DeleteBulkForm";
 import "@goauthentik/elements/forms/ModalForm";
+import "@goauthentik/elements/rbac/ObjectPermissionModal";
 import { PaginatedResponse } from "@goauthentik/elements/table/Table";
 import { TableColumn } from "@goauthentik/elements/table/Table";
 import { TablePage } from "@goauthentik/elements/table/TablePage";
@@ -23,7 +24,13 @@ import PFDescriptionList from "@patternfly/patternfly/components/DescriptionList
 import PFFormControl from "@patternfly/patternfly/components/FormControl/form-control.css";
 import PFGrid from "@patternfly/patternfly/layouts/Grid/grid.css";
 
-import { EnterpriseApi, License, LicenseForecast, LicenseSummary } from "@goauthentik/api";
+import {
+    EnterpriseApi,
+    License,
+    LicenseForecast,
+    LicenseSummary,
+    RbacPermissionsAssignedByUsersListModelEnum,
+} from "@goauthentik/api";
 
 @customElement("ak-enterprise-license-list")
 export class EnterpriseLicenseListPage extends TablePage<License> {
@@ -230,7 +237,12 @@ export class EnterpriseLicenseListPage extends TablePage<License> {
                             <i class="fas fa-edit"></i>
                         </pf-tooltip>
                     </button>
-            </ak-forms-modal>`,
+                </ak-forms-modal>
+                <ak-rbac-object-permission-modal
+                    model=${RbacPermissionsAssignedByUsersListModelEnum.EnterpriseLicense}
+                    objectPk=${item.licenseUuid}
+                >
+                </ak-rbac-object-permission-modal> `,
         ];
     }
 

web/src/admin/events/RuleListPage.ts

@@ -6,6 +6,8 @@ import { uiConfig } from "@goauthentik/common/ui/config";
 import "@goauthentik/elements/buttons/SpinnerButton";
 import "@goauthentik/elements/forms/DeleteBulkForm";
 import "@goauthentik/elements/forms/ModalForm";
+import "@goauthentik/elements/rbac/ObjectPermissionModal";
+import "@goauthentik/elements/rbac/ObjectPermissionModal";
 import { PaginatedResponse } from "@goauthentik/elements/table/Table";
 import { TableColumn } from "@goauthentik/elements/table/Table";
 import { TablePage } from "@goauthentik/elements/table/TablePage";
@@ -15,7 +17,11 @@ import { msg } from "@lit/localize";
 import { TemplateResult, html } from "lit";
 import { customElement, property } from "lit/decorators.js";
 
-import { EventsApi, NotificationRule } from "@goauthentik/api";
+import {
+    EventsApi,
+    NotificationRule,
+    RbacPermissionsAssignedByUsersListModelEnum,
+} from "@goauthentik/api";
 
 @customElement("ak-event-rule-list")
 export class RuleListPage extends TablePage<NotificationRule> {
@@ -96,7 +102,13 @@ export class RuleListPage extends TablePage<NotificationRule> {
                             <i class="fas fa-edit"></i>
                         </pf-tooltip>
                     </button>
-            </ak-forms-modal>`,
+                </ak-forms-modal>
+
+                <ak-rbac-object-permission-modal
+                    model=${RbacPermissionsAssignedByUsersListModelEnum.EventsNotificationrule}
+                    objectPk=${item.pk}
+                >
+                </ak-rbac-object-permission-modal>`,
         ];
     }
 

web/src/admin/events/TransportListPage.ts

@@ -5,6 +5,8 @@ import "@goauthentik/elements/buttons/ActionButton";
 import "@goauthentik/elements/buttons/SpinnerButton";
 import "@goauthentik/elements/forms/DeleteBulkForm";
 import "@goauthentik/elements/forms/ModalForm";
+import "@goauthentik/elements/rbac/ObjectPermissionModal";
+import "@goauthentik/elements/rbac/ObjectPermissionModal";
 import { PaginatedResponse } from "@goauthentik/elements/table/Table";
 import { TableColumn } from "@goauthentik/elements/table/Table";
 import { TablePage } from "@goauthentik/elements/table/TablePage";
@@ -14,7 +16,11 @@ import { msg } from "@lit/localize";
 import { TemplateResult, html } from "lit";
 import { customElement, property } from "lit/decorators.js";
 
-import { EventsApi, NotificationTransport } from "@goauthentik/api";
+import {
+    EventsApi,
+    NotificationTransport,
+    RbacPermissionsAssignedByUsersListModelEnum,
+} from "@goauthentik/api";
 
 @customElement("ak-event-transport-list")
 export class TransportListPage extends TablePage<NotificationTransport> {
@@ -90,6 +96,12 @@ export class TransportListPage extends TablePage<NotificationTransport> {
                         </pf-tooltip>
                     </button>
                 </ak-forms-modal>
+
+                <ak-rbac-object-permission-modal
+                    model=${RbacPermissionsAssignedByUsersListModelEnum.EventsNotificationtransport}
+                    objectPk=${item.pk}
+                >
+                </ak-rbac-object-permission-modal>
                 <ak-action-button
                     class="pf-m-plain"
                     .apiRequest=${() => {

web/src/admin/flows/FlowViewPage.ts

@@ -3,6 +3,7 @@ import "@goauthentik/admin/flows/FlowDiagram";
 import "@goauthentik/admin/flows/FlowForm";
 import "@goauthentik/admin/policies/BoundPoliciesList";
 import { DesignationToLabel } from "@goauthentik/app/admin/flows/utils";
+import "@goauthentik/app/elements/rbac/ObjectPermissionsPage";
 import { AndNext, DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import "@goauthentik/components/events/ObjectChangelog";
 import { AKElement } from "@goauthentik/elements/Base";
@@ -22,7 +23,12 @@ import PFPage from "@patternfly/patternfly/components/Page/page.css";
 import PFGrid from "@patternfly/patternfly/layouts/Grid/grid.css";
 import PFBase from "@patternfly/patternfly/patternfly-base.css";
 
-import { Flow, FlowsApi, ResponseError } from "@goauthentik/api";
+import {
+    Flow,
+    FlowsApi,
+    RbacPermissionsAssignedByUsersListModelEnum,
+    ResponseError,
+} from "@goauthentik/api";
 
 @customElement("ak-flow-view")
 export class FlowViewPage extends AKElement {
@@ -267,6 +273,12 @@ export class FlowViewPage extends AKElement {
                         </div>
                     </div>
                 </div>
+                <ak-rbac-object-permission-page
+                    slot="page-permissions"
+                    data-tab-title="${msg("Permissions")}"
+                    model=${RbacPermissionsAssignedByUsersListModelEnum.FlowsFlow}
+                    objectPk=${this.flow.pk}
+                ></ak-rbac-object-permission-page>
             </ak-tabs>`;
     }
 }