Merge branch 'master' into next

authentik/lib/default.yml

@@ -13,6 +13,7 @@ redis:
   ws_db: 2
 
 debug: false
+
 log_level: info
 
 # Error reporting, sends stacktrace to sentry.beryju.org

authentik/policies/signals.py

@@ -26,5 +26,5 @@ def invalidate_policy_cache(sender, instance, **_):
             cache.delete_many(keys)
         LOGGER.debug("Invalidating policy cache", policy=instance, keys=total)
     # Also delete user application cache
-    keys = cache.keys(user_app_cache_key("*"))
+    keys = cache.keys(user_app_cache_key("*")) or []
     cache.delete_many(keys)

authentik/sources/oauth/forms.py

@@ -15,9 +15,11 @@ class OAuthSourceForm(forms.ModelForm):
         self.fields["authentication_flow"].queryset = Flow.objects.filter(
             designation=FlowDesignation.AUTHENTICATION
         )
+        self.fields["authentication_flow"].required = True
         self.fields["enrollment_flow"].queryset = Flow.objects.filter(
             designation=FlowDesignation.ENROLLMENT
         )
+        self.fields["enrollment_flow"].required = True
         if hasattr(self.Meta, "overrides"):
             for overide_field, overide_value in getattr(self.Meta, "overrides").items():
                 self.fields[overide_field].initial = overide_value

authentik/sources/oauth/views/callback.py

@@ -4,6 +4,7 @@ from typing import Any, Optional
 from django.conf import settings
 from django.contrib import messages
 from django.http import Http404, HttpRequest, HttpResponse
+from django.http.response import HttpResponseBadRequest
 from django.shortcuts import redirect
 from django.urls import reverse
 from django.utils.translation import gettext as _
@@ -151,6 +152,8 @@ class OAuthCallback(OAuthClientMixin, View):
                 PLAN_CONTEXT_REDIRECT: final_redirect,
             }
         )
+        if not flow:
+            return HttpResponseBadRequest()
         # We run the Flow planner here so we can pass the Pending user in the context
         planner = FlowPlanner(flow)
         plan = planner.plan(self.request, kwargs)
@@ -233,6 +236,9 @@ class OAuthCallback(OAuthClientMixin, View):
             PLAN_CONTEXT_SOURCES_OAUTH_ACCESS: access,
         }
         # We run the Flow planner here so we can pass the Pending user in the context
+        if not source.enrollment_flow:
+            LOGGER.warning("source has no enrollment flow", source=source)
+            return HttpResponseBadRequest()
         planner = FlowPlanner(source.enrollment_flow)
         plan = planner.plan(self.request, context)
         plan.append(in_memory_stage(PostUserEnrollmentStage))

docker-compose.yml

@@ -19,7 +19,7 @@ services:
     networks:
       - internal
   server:
-    image: beryju/authentik:${AUTHENTIK_TAG:-2021.3.3}
+    image: ${AUTHENTIK_IMAGE:-beryju/authentik}:${AUTHENTIK_TAG:-2021.3.3}
     command: server
     environment:
       AUTHENTIK_REDIS__HOST: redis
@@ -47,7 +47,7 @@ services:
     env_file:
       - .env
   worker:
-    image: beryju/authentik:${AUTHENTIK_TAG:-2021.3.3}
+    image: ${AUTHENTIK_IMAGE:-beryju/authentik}:${AUTHENTIK_TAG:-2021.3.3}
     command: worker
     networks:
       - internal
@@ -66,7 +66,7 @@ services:
     env_file:
       - .env
   static:
-    image: beryju/authentik-static:${AUTHENTIK_TAG:-2021.3.3}
+    image: ${AUTHENTIK_IMAGE_STATIC:-beryju/authentik-static}:${AUTHENTIK_TAG:-2021.3.3}
     networks:
       - internal
     labels:

website/docs/installation/beta.mdx

@@ -0,0 +1,43 @@
+---
+title: Beta versions
+---
+
+You can test upcoming authentik versions by switching to the *next* images. These beta versions supported upgrades from the latest stable version, and have a supported upgrade plan to the next stable version.
+
+import Tabs from '@theme/Tabs';
+import TabItem from '@theme/TabItem';
+
+<Tabs
+  defaultValue="docker-compose"
+  values={[
+    {label: 'docker-compose', value: 'docker-compose'},
+    {label: 'Kubernetes', value: 'kubernetes'},
+  ]}>
+  <TabItem value="docker-compose">
+Add the following block to your `.env` file:
+
+```shell
+AUTHENTIK_IMAGE=docker.beryju.org/authentik/server
+AUTHENTIK_IMAGE_STATIC=docker.beryju.org/authentik/static
+AUTHENTIK_TAG=gh-next
+AUTHENTIK_OUTPOSTS__DOCKER_IMAGE_BASE=docker.beryju.org/authentik
+```
+
+Afterwards, run the upgrade commands from the [release notes](../releases/next)
+  </TabItem>
+  <TabItem value="kubernetes">
+Add the following block to your `values.yml` file:
+
+```yaml
+image:
+  name: docker.beryju.org/authentik/server
+  name_static: docker.beryju.org/authentik/static
+  name_outposts: docker.beryju.org/authentik
+  tag: gh-next
+  # pullPolicy: Always to ensure you always get the latest version
+  pullPolicy: Always
+```
+
+Afterwards, run the upgrade commands from the [release notes](../releases/next)
+  </TabItem>
+</Tabs>

website/docs/installation/docker-compose-config.md

@@ -0,0 +1,84 @@
+---
+title: docker-compose configuration
+---
+
+These are all the configuration options you can set via docker-compose. These don't apply to Kubernetes, as those settings are configured via helm.
+
+Append any of the following keys to your `.env` file, and run `docker-compose up -d` to apply them.
+
+## AUTHENTIK_LOG_LEVEL
+
+Log level for the server and worker containers. Possible values: debug, info, warning, error
+Defaults to `info`.
+
+## AUTHENTIK_ERROR_REPORTING
+
+- AUTHENTIK_ERROR_REPORTING__ENABLED
+
+  Enable error reporting. Defaults to `false`.
+
+  Error reports are sent to https://sentry.beryju.org, and are used for debugging and general feedback. Anonymous performance data is also sent.
+
+- AUTHENTIK_ERROR_REPORTING__ENVIRONMENT
+
+  Unique environment that is attached to your error reports, should be set to your email address for example. Defaults to `customer`.
+
+- AUTHENTIK_ERROR_REPORTING__SEND_PII
+
+  Whether or not to send personal data, like usernames. Defaults to `false`.
+
+## AUTHENTIK_EMAIL
+
+- AUTHENTIK_EMAIL__HOST
+
+  Default: `localhost`
+
+- AUTHENTIK_EMAIL__PORT
+
+  Default: `25`
+
+- AUTHENTIK_EMAIL__USERNAME
+
+  Default: `""`
+
+- AUTHENTIK_EMAIL__PASSWORD
+
+  Default: `""`
+
+- AUTHENTIK_EMAIL__USE_TLS
+
+  Default: `false`
+
+- AUTHENTIK_EMAIL__USE_SSL
+
+  Default: `false`
+
+- AUTHENTIK_EMAIL__TIMEOUT
+
+  Default: `10`
+
+- AUTHENTIK_EMAIL__FROM
+
+  Default: `authentik@localhost`
+
+  Email address authentik will send from, should have a correct @domain
+
+## AUTHENTIK_OUTPOSTS
+
+- AUTHENTIK_OUTPOSTS__DOCKER_IMAGE_BASE
+
+  This is the prefix used for authentik-managed outposts. Default: `beryju/authentik`.
+
+## AUTHENTIK_AUTHENTIK
+
+- AUTHENTIK_AUTHENTIK__AVATARS
+
+  Controls which avatars are shown. Defaults to `gravatar`. Can be set to `none` to disable avatars.
+
+- AUTHENTIK_AUTHENTIK__BRANDING__TITLE
+
+  Branding title used throughout the UI. Defaults to `authentik`.
+
+- AUTHENTIK_AUTHENTIK__BRANDING__LOGO
+
+  Logo shown in the sidebar and flow executions. Defaults to `/static/dist/assets/icons/icon_left_brand.svg`

website/docs/installation/index.md

@@ -2,6 +2,6 @@
 title: Installation
 ---
 
-If you want to try out authentik, or only want a small deployment (< 100 Users), you should use [docker-compose](./docker-compose).
+If you want to try out authentik, or only want a small deployment you should use [docker-compose](./docker-compose).
 
 If you want a larger deployment, or you want High-Availability, you should use [Kubernetes](./kubernetes).

website/docs/installation/kubernetes.md

@@ -21,10 +21,10 @@ It is also recommended to configure global email credentials. These are used by
 # Values directly affecting authentik
 ###################################
 image:
-    name: beryju/authentik
+  name: beryju/authentik
-    name_static: beryju/authentik-static
+  name_static: beryju/authentik-static
-    name_outposts: beryju/authentik # Prefix used for Outpost deployments, Outpost type and version is appended
+  name_outposts: beryju/authentik # Prefix used for Outpost deployments, Outpost type and version is appended
-    tag: 2021.3.3
+  tag: 2021.3.3
 
 serverReplicas: 1
 workerReplicas: 1
@@ -33,31 +33,38 @@ workerReplicas: 1
 kubernetesIntegration: true
 
 config:
-    # Optionally specify fixed secret_key, otherwise generated automatically
+  # Optionally specify fixed secret_key, otherwise generated automatically
-    # secretKey: _k*@6h2u2@q-dku57hhgzb7tnx*ba9wodcb^s9g0j59@=y(@_o
+  # secretKey: _k*@6h2u2@q-dku57hhgzb7tnx*ba9wodcb^s9g0j59@=y(@_o
-    # Enable error reporting
+  # Enable error reporting
-    errorReporting:
+  errorReporting:
-        enabled: false
+    enabled: false
-        environment: customer
+    environment: customer
-        sendPii: false
+    sendPii: false
-    # Log level used by web and worker
+  # Log level used by web and worker
-    # Can be either debug, info, warning, error
+  # Can be either debug, info, warning, error
-    logLevel: warning
+  logLevel: warning
-    # Global Email settings
+  # Global Email settings
-    email:
+  email:
-        # SMTP Host Emails are sent to
+    # SMTP Host Emails are sent to
-        host: localhost
+    host: localhost
-        port: 25
+    port: 25
-        # Optionally authenticate
+    # Optionally authenticate
-        username: ""
+    username: ""
-        password: ""
+    password: ""
-        # Use StartTLS
+    # Use StartTLS
-        useTls: false
+    useTls: false
-        # Use SSL
+    # Use SSL
-        useSsl: false
+    useSsl: false
-        timeout: 10
+    timeout: 10
-        # Email address authentik will send from, should have a correct @domain
+    # Email address authentik will send from, should have a correct @domain
-        from: authentik@localhost
+    from: authentik@localhost
+
+# Enable MaxMind GeoIP
+# geoip:
+#   enabled: false
+#   accountId: ""
+#   licenseKey: ""
+#   image: maxmindinc/geoipupdate:latest
 
 # Enable Database Backups to S3
 # backup:
@@ -68,33 +75,22 @@ config:
 #   host: s3-host
 
 ingress:
-    annotations:
+  annotations:
-        {}
+    {}
-        # kubernetes.io/ingress.class: nginx
+    # kubernetes.io/ingress.class: nginx
-        # kubernetes.io/tls-acme: "true"
+    # kubernetes.io/tls-acme: "true"
-    hosts:
+  hosts:
-        - authentik.k8s.local
+    - authentik.k8s.local
-    tls: []
+  tls: []
-    #  - secretName: chart-example-tls
+  #  - secretName: chart-example-tls
-    #    hosts:
+  #    hosts:
-    #      - authentik.k8s.local
+  #      - authentik.k8s.local
 
 ###################################
 # Values controlling dependencies
 ###################################
 
 install:
-    postgresql: true
+  postgresql: true
-    redis: true
+  redis: true
-
-# These values influence the bundled postgresql and redis charts, but are also used by authentik to connect
-postgresql:
-    postgresqlDatabase: authentik
-
-redis:
-    cluster:
-        enabled: false
-    master:
-        persistence:
-            enabled: false
 ```

website/docs/releases/next.md

@@ -0,0 +1,17 @@
+---
+title: Next
+---
+
+# TBD
+
+## Upgrading
+
+This release does not introduce any new requirements.
+
+### docker-compose
+
+Download the latest docker-compose file from [here](https://raw.githubusercontent.com/BeryJu/authentik/version-2021.4/docker-compose.yml). Afterwards, simply run `docker-compose up -d` and then the standard upgrade command of `docker-compose run --rm server migrate`.
+
+### Kubernetes
+
+Run `helm repo update` and then upgrade your release with `helm upgrade passbook authentik/authentik --devel -f values.yaml`.

website/sidebars.js

@@ -14,8 +14,10 @@ module.exports = {
             items: [
                 "installation/index",
                 "installation/docker-compose",
-                "installation/kubernetes",
+                "installation/docker-compose-config",
                 "installation/reverse-proxy",
+                "installation/kubernetes",
+                "installation/beta",
             ],
         },
         {