Commit graph

2932 commits

Author SHA1 Message Date
Jens Langhammer d6af506a78
release: 2023.6.1 2023-07-10 13:20:22 +02:00
Jens L 080ac6b5bb
core: fix UUID filter field for users api (#6203)
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-07-10 12:14:06 +02:00
Jens L 5fe737326e
sources/ldap: fix more errors (#6191) 2023-07-09 15:10:57 +02:00
Jens L ff0d3c3d63
sources/ldap: fix page size (#6187)
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-07-09 15:10:51 +02:00
Jens Langhammer 7db9ced218
release: 2023.6.0 2023-07-07 13:43:16 +02:00
Jens L d22d147c8e
security: fix CVE-2023-36456 (#6171)
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-07-06 18:16:26 +02:00
Jens L f306fb9c26
stages/user_write: fix duplicate source writing (#6105)
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-06-29 21:42:42 +02:00
Jens L e712225ced
sources/ldap: improve scalability (#6056)
* sources/ldap: improve scalability

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix lint

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* use cache instead of call signature for page data

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-06-28 17:13:42 +02:00
Jens L a987846c76
root: celery refactor (#6095)
* root: celery refactor

cleanup deprecation messages by configuring celery with a single object

run celery as django management command

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* improve debug experience

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix lint

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add debugpy to dev dependencies

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix task_always_eager

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-06-28 16:44:50 +02:00
Jens L 35e2b648ba
sources/ldap: fix 100% cpu usage when LDAP Server is unavailable (#6094) 2023-06-28 15:13:12 +02:00
Jens L 8bd23f1686
sources/oauth: fix OIDC client sending access token as header and query param (#6081)
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-06-27 23:16:52 +02:00
Jens L 863454a895
flows: allow empty value in AutosubmitChallenge (#6079)
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-06-27 23:13:58 +02:00
Jens L 416f916da6
core: fix inconsistent favicon (#6080)
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-06-27 23:13:31 +02:00
Jens Langhammer 422b19df60
release: 2023.5.4 2023-06-26 23:33:04 +02:00
Jens L eab767fc1b
stages/authenticator_validate: fix regression (#6062)
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-06-26 13:06:11 +02:00
Jens L b0fbd576fc
security: cure53 fix (#6039)
* ATH-01-001: resolve path and check start before loading blueprints

This is even less of an issue since 411ef239f6, since with that commit we only allow files that the listing returns

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* ATH-01-010: fix missing user filter for webauthn device

This prevents an attack that is only possible when an attacker can intercept HTTP traffic and in the case of HTTPS decrypt it.

* ATH-01-008: fix web forms not submitting correctly when pressing enter

When submitting some forms with the Enter key instead of clicking "Confirm"/etc, the form would not get submitted correctly

This would in the worst case is when setting a user's password, where the new password can end up in the URL, but the password was not actually saved to the user.

* ATH-01-004: remove env from admin system endpoint

this endpoint already required admin access, but for debugging the env variables are used very little

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* ATH-01-003 / ATH-01-012: disable htmlLabels in mermaid

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* ATH-01-005: use hmac.compare_digest for secret_key authentication

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* ATH-01-009: migrate impersonation to use API

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* ATH-01-010: rework

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* ATH-01-014: save authenticator validation state in flow context

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

bugfixes

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* ATH-01-012: escape quotation marks

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add website

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* update release ntoes

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* update with all notes

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix format

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-06-22 22:25:04 +02:00
Samir Musali b1de0b767e
sources/ldap: include UnwillingToPerformError as possible exception (#6031)
feat: include UnwillingToPerformError as possible exception
2023-06-21 19:45:20 +03:00
Jens L 469899233a
policies/event_matcher: change empty values to null (#6032)
* policies/event_matcher: change empty values to null

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* migrate old default values

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-06-21 15:49:46 +02:00
Jens L 93575a9966
core: prevent selecting a group as a parent of itself (#6016)
* core: prevent selecting a group as a parent of itself

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix api error when no parent is given

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-06-20 20:21:58 +02:00
Jens L 01311929d1
providers/ldap: improve password totp detection (#6006)
* providers/ldap: improve password totp detection

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add flag for totp mfa support

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* keep support for static tokens

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix migrations

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-06-20 12:09:13 +02:00
Jens L f6181ceb70
providers/oauth2: correctly advertise code_challenge_methods_supported (#6007)
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-06-19 21:26:33 +02:00
Jens L a5db60129d
*: use dataclass slots wherever applicable (#6005)
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-06-19 18:31:07 +02:00
Jens L 05d73f688c
policies/event_matcher: add model filter (#5802)
* policies/event_matcher: add model filter

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* cleanup

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* improve logic

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* remove t``

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-06-12 22:11:11 +02:00
ChandonPierre 029395d08b
sources/ldap: add support for cert based auth (#5850)
* ldap: support cert based auth

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* ldap: default sni switch to off

* ldap: `get_info=NONE` on insufficient access error

* fix: Make file locale script

* ldap: add google ldap attribute mappings

* ldap: move google secure ldap blueprint to examples

Revert "ldap: add google ldap attribute mappings"

This reverts commit 8a861bb92c1bd763b6e7ec0513f73b3039a1adb4.

* ldap: remove `validate` for client cert auth

not strictly necessary

* ldap: write temp cert files more securely

* ldap: use first array value for sni when provided csv input

* don't specify tempdir

we set $TMPDIR in the dockerfile

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* limit API to only allow certificate key pairs with private key

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* use maxsplit

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* update locale

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Signed-off-by: Jens L. <jens@goauthentik.io>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
2023-06-12 15:41:44 +02:00
Jens L 51f4d4646c
providers/ldap: fix Outpost provider listing excluding backchannel providers (#5933)
* providers/ldap: fix Outpost provider listing excluding backchannel providers

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-06-12 11:28:00 +02:00
Jens L c45e92b17e
root: revert to use secret_key for JWT signing (#5934)
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-06-12 11:02:05 +02:00
Jens L 4741d8aa0d
sources/ldap: fix duplicate bind when authenticating user directly to… (#5927)
sources/ldap: fix duplicate bind when authenticating user directly to LDAP source

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-06-12 10:24:01 +02:00
risson 0041cf88f4
providers/oauth2: launch url: if URL parsing fails, return no launch URL (#5918)
* providers/oauth2: launch url: if URL parsing fails, return no launch URL

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* add test

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* only get provider launch URL when no url is set

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* only catch value error

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* format

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
2023-06-09 21:56:34 +02:00
Jens L 69f0460f69
website: update translation docs (#5875)
* website/docs: remove lingui references

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* replace deprecated cryptography types

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* tell eslint to avoid escapes in strings when possible

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* ignore generated locale code

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-06-06 12:32:32 +02:00
Jens Langhammer 0a1d0b85ca
Merge branch 'version-2023.5' 2023-06-01 21:00:13 +02:00
Jens Langhammer be85eecac5
release: 2023.5.3 2023-06-01 19:35:13 +02:00
Jens L e141a11475
blueprints: fix API validation with OCI blueprint path (#5822)
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-05-31 14:52:12 +02:00
Jens L 772acb10d6
providers/ldap: fix LDAP Outpost application selection (#5812)
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-05-31 14:51:46 +02:00
Jens L b6d338659f
blueprints: fix API validation with OCI blueprint path (#5822)
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-05-31 14:50:39 +02:00
Jens L fd4c5f5ce7
providers/ldap: fix LDAP Outpost application selection (#5812)
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-05-31 14:14:25 +02:00
rlew-is a7bf963409
stages/deny: fix typos (#5800)
* Fix typo in stage.py

Fix typo in "Cancells the current flow"

Signed-off-by: rlew-is <96594816+rlew-is@users.noreply.github.com>

* Fix typo in models.py

Fix typo in "Cancells the current flow"

Signed-off-by: rlew-is <96594816+rlew-is@users.noreply.github.com>

---------

Signed-off-by: rlew-is <96594816+rlew-is@users.noreply.github.com>
2023-05-30 10:54:24 +02:00
rlew-is 0b25c612c0
stages/deny: fix typos (#5800)
* Fix typo in stage.py

Fix typo in "Cancells the current flow"

Signed-off-by: rlew-is <96594816+rlew-is@users.noreply.github.com>

* Fix typo in models.py

Fix typo in "Cancells the current flow"

Signed-off-by: rlew-is <96594816+rlew-is@users.noreply.github.com>

---------

Signed-off-by: rlew-is <96594816+rlew-is@users.noreply.github.com>
2023-05-30 10:36:51 +02:00
Jens L f0619814f9
blueprints: allow setting user's passwords from blueprints (#5797)
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-05-29 21:28:44 +02:00
Jens L d09bee7bf9
providers/proxy: add support for traefik.io API and CRD (#5801)
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-05-29 21:12:59 +02:00
Jens Langhammer ce96600adb
Merge branch 'version-2023.5' 2023-05-28 13:23:32 +02:00
Jens Langhammer 5e5a74eebf
release: 2023.5.2 2023-05-26 23:54:12 +02:00
Jens L 5b0cc3672b
root: add method to get install_id without django being loaded (#5755)
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-05-25 18:52:21 +02:00
Jens L 47d5fc26cc
events: fix ak_create_event using wrong request for event creation (#5731)
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-05-24 21:52:14 +02:00
Jens L 9a996e7176
outposts: fix missing radius outpost controller (#5730)
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-05-24 21:52:11 +02:00
Jens L 554a26442d
blueprints: support custom ports for OCI blueprints (#5727)
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-05-24 21:52:07 +02:00
Jens L 573517bf0a
lib: add tests for ak_create_event (#5710)
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
# Conflicts:
#	locale/en/LC_MESSAGES/django.po
2023-05-24 21:51:52 +02:00
Jens L 2cd68dfa87
blueprints: fix check for file path not being run on worker (#5703) 2023-05-24 21:51:30 +02:00
Jens L 8029a13be1
core: make groups field for user optional (#5702)
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-05-24 21:51:23 +02:00
Jens L 6766b12bd1
events: fix ak_create_event using wrong request for event creation (#5731)
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-05-24 00:51:16 +02:00
Jens L c1404285bb
outposts: fix missing radius outpost controller (#5730)
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-05-24 00:49:20 +02:00