From dcf074650e33319efb37898c61b43150f0df4301 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Wed, 19 May 2021 23:10:00 +0200
Subject: [PATCH 01/11] providers/proxy: fix redirect_uris not always being set on save
Signed-off-by: Jens Langhammer
---
authentik/providers/proxy/api.py | 4 +++-
authentik/providers/proxy/models.py | 2 +-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/authentik/providers/proxy/api.py b/authentik/providers/proxy/api.py
index c729d1241..b357d39a4 100644
--- a/authentik/providers/proxy/api.py
+++ b/authentik/providers/proxy/api.py
@@ -53,8 +53,10 @@ class ProxyProviderSerializer(ProviderSerializer):
 return instance
 def update(self, instance: ProxyProvider, validated_data):
+ instance = super().update(instance, validated_data)
 instance.set_oauth_defaults()
- return super().update(instance, validated_data)
+ instance.save()
+ return instance
 class Meta:
diff --git a/authentik/providers/proxy/models.py b/authentik/providers/proxy/models.py
index 576b03a1c..0f668ab29 100644
--- a/authentik/providers/proxy/models.py
+++ b/authentik/providers/proxy/models.py
@@ -127,7 +127,7 @@ class ProxyProvider(OutpostModel, OAuth2Provider):
 """Ensure all OAuth2-related settings are correct"""
 self.client_type = ClientTypes.CONFIDENTIAL
 self.jwt_alg = JWTAlgorithms.RS256
- self.rsa_key = CertificateKeyPair.objects.first()
+ self.rsa_key = CertificateKeyPair.objects.exclude(key_data__iexact="").first()
 scopes = ScopeMapping.objects.filter(
 scope_name__in=[
 SCOPE_OPENID,
From 92f2a82c0377dddd810b6b26964fecbf0f04a92e Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Wed, 19 May 2021 23:34:27 +0200
Subject: [PATCH 02/11] providers/oauth2: fix double login required when prompt=login
Signed-off-by: Jens Langhammer
---
authentik/core/api/applications.py | 2 ++
authentik/providers/oauth2/views/authorize.py | 5 +++++
authentik/root/settings.py | 2 +-
authentik/stages/user_login/stage.py | 2 ++
4 files changed, 10 insertions(+), 1 deletion(-)
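Review bot: `update()` in the api.py hunk now writes the provider in two steps, presumably once inside `super().update(...)` and again in `instance.save()`, with nothing tying the two writes together. If `set_oauth_defaults()` or the second save raises, the stored row keeps the caller-supplied values without the enforced confidential client type, RS256 algorithm and signing key. Wrapping the three statements in `with transaction.atomic():` (from `django.db`) would make the update all-or-nothing. `create()` is only visible as its final `return instance`, so whether it has the same ordering cannot be confirmed from this hunk.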
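Review bot: In the models.py hunk, `.first()` returns `None` when no key pair with key data exists, so `set_oauth_defaults()` can store `rsa_key = None` next to `jwt_alg = RS256`; how token signing behaves in that state is not visible here. An explicit failure would be safer than a silently keyless provider, e.g. `if self.rsa_key is None: raise ValidationError("no certificate with a private key available")`. The signing key is also picked implicitly as the first matching row rather than chosen by an administrator, which deserves a comment at minimum. `key_data__iexact=""` can be plain `key_data=""`, since case-insensitive matching adds nothing for an empty string. The method body continues past the end of the hunk.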
diff --git a/authentik/core/api/applications.py b/authentik/core/api/applications.py
index bcbb29b8c..9172ae3b1 100644
--- a/authentik/core/api/applications.py
+++ b/authentik/core/api/applications.py
@@ -23,6 +23,7 @@ from authentik.core.api.providers import ProviderSerializer
 from authentik.core.models import Application
 from authentik.events.models import EventAction
 from authentik.policies.engine import PolicyEngine
+from authentik.stages.user_login.stage import USER_LOGIN_AUTHENTICATED
 LOGGER = get_logger()
@@ -122,6 +123,7 @@ class ApplicationViewSet(ModelViewSet):
 )
 def list(self, request: Request) -> Response:
 """Custom list method that checks Policy based access instead of guardian"""
+ self.request.session.pop(USER_LOGIN_AUTHENTICATED, None)
 queryset = self._filter_queryset_for_list(self.get_queryset())
 self.paginate_queryset(queryset)
diff --git a/authentik/providers/oauth2/views/authorize.py b/authentik/providers/oauth2/views/authorize.py
index 5823631a6..5319ce40d 100644
--- a/authentik/providers/oauth2/views/authorize.py
+++ b/authentik/providers/oauth2/views/authorize.py
@@ -54,6 +54,7 @@ from authentik.stages.consent.stage import (
 PLAN_CONTEXT_CONSENT_PERMISSIONS,
 ConsentStageView,
 )
+from authentik.stages.user_login.stage import USER_LOGIN_AUTHENTICATED
 LOGGER = get_logger()
@@ -437,6 +438,10 @@ class AuthorizationFlowInitView(PolicyAccessView):
 if (
 PROMPT_LOGIN in self.params.prompt
 and SESSION_NEEDS_LOGIN not in self.request.session
+ # To prevent the user from having to double login when prompt is set to login
+ # and the user has just signed it. This session variable is set in the UserLoginStage
+ # and is (quite hackily) removed from the session in applications's API's List method
+ and USER_LOGIN_AUTHENTICATED not in self.request.session
 ):
 self.request.session[SESSION_NEEDS_LOGIN] = True
 return self.handle_no_permission()
diff --git a/authentik/root/settings.py b/authentik/root/settings.py
index a10276c06..cbca48760 100644
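Review bot: The `USER_LOGIN_AUTHENTICATED` flag is cleared only when the client happens to call the applications `list` endpoint, so a session that never loads that endpoint keeps the flag for its whole lifetime. While the flag is present, the new condition in `AuthorizationFlowInitView` (second authorize.py hunk) skips the re-authentication that `prompt=login` requests, not just once directly after sign-in. The flag is set unconditionally in `UserLoginStageView` (stage.py hunk of this commit). Consider storing the login time instead of `True`, honouring it only within a short window, and consuming it where it is checked with `self.request.session.pop(USER_LOGIN_AUTHENTICATED, None)`, so that a read-only GET endpoint no longer mutates session state. Both `list()` and the authorize method continue outside their hunks.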
--- a/authentik/root/settings.py
+++ b/authentik/root/settings.py
@@ -353,7 +353,7 @@ if _ERROR_REPORTING:
 environment=CONFIG.y("error_reporting.environment", "customer"),
 send_default_pii=CONFIG.y_bool("error_reporting.send_pii", False),
 )
- set_tag("authentik:build_hash", os.environ.get(ENV_GIT_HASH_KEY, ""))
+ set_tag("authentik:build_hash", os.environ.get(ENV_GIT_HASH_KEY, "tagged"))
 set_tag(
 "authentik:env", "kubernetes" if "KUBERNETES_PORT" in os.environ else "compose"
 )
diff --git a/authentik/stages/user_login/stage.py b/authentik/stages/user_login/stage.py
index 5f82e7ac1..e6e521e11 100644
--- a/authentik/stages/user_login/stage.py
+++ b/authentik/stages/user_login/stage.py
@@ -12,6 +12,7 @@ from authentik.stages.password.stage import PLAN_CONTEXT_AUTHENTICATION_BACKEND
 LOGGER = get_logger()
 DEFAULT_BACKEND = "django.contrib.auth.backends.ModelBackend"
+USER_LOGIN_AUTHENTICATED = "user_login_authenticated"
 class UserLoginStageView(StageView):
@@ -43,5 +44,6 @@ class UserLoginStageView(StageView):
 flow_slug=self.executor.flow.slug,
 session_duration=self.executor.current_stage.session_duration,
 )
+ self.request.session[USER_LOGIN_AUTHENTICATED] = True
 messages.success(self.request, _("Successfully logged in!"))
 return self.executor.stage_ok()
From 63e3667e82af274561c7213b974d30739c8f47a3 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Wed, 19 May 2021 23:37:23 +0200
Subject: [PATCH 03/11] web: fix t.reset is not a function
Signed-off-by: Jens Langhammer
---
web/src/elements/buttons/ModalButton.ts | 2 +-
web/src/elements/forms/Form.ts | 5 +----
web/src/elements/forms/ModalForm.ts | 2 +-
web/src/elements/table/TableModal.ts | 2 +-
4 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/web/src/elements/buttons/ModalButton.ts b/web/src/elements/buttons/ModalButton.ts
index 9ec77de16..b90070ff5 100644
--- a/web/src/elements/buttons/ModalButton.ts
+++ b/web/src/elements/buttons/ModalButton.ts
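Review bot: `USER_LOGIN_AUTHENTICATED` in the first stage.py hunk is a session key that changes an authentication decision elsewhere, but it is declared without any comment and does not follow the `SESSION_...` naming used for `SESSION_NEEDS_LOGIN` in authorize.py. A comment at the definition would keep the contract in one place: `# Session key set after a successful login; read by the OAuth2 authorize view to skip prompt=login, cleared by the applications list API`. A rename such as `SESSION_KEY_USER_LOGIN_AUTHENTICATED` would need the matching imports in applications.py and authorize.py updated in the same commit.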
@@ -55,7 +55,7 @@ export class ModalButton extends LitElement {
 resetForms(): void {
 this.querySelectorAll("[slot=form]").forEach(form => {
- form.reset();
+ form?.reset();
 });
 }
diff --git a/web/src/elements/forms/Form.ts b/web/src/elements/forms/Form.ts
index 786c4cf03..84f9f9e67 100644
--- a/web/src/elements/forms/Form.ts
+++ b/web/src/elements/forms/Form.ts
@@ -76,10 +76,7 @@ export class Form extends LitElement {
 */
 reset(): void {
 const ironForm = this.shadowRoot?.querySelector("iron-form");
- if (!ironForm) {
- return;
- }
- ironForm.reset();
+ ironForm?.reset();
 }
 /**
diff --git a/web/src/elements/forms/ModalForm.ts b/web/src/elements/forms/ModalForm.ts
index ef740512c..87913f9a3 100644
--- a/web/src/elements/forms/ModalForm.ts
+++ b/web/src/elements/forms/ModalForm.ts
@@ -23,7 +23,7 @@ export class ModalForm extends ModalButton {
 return formPromise.then(() => {
 if (this.closeAfterSuccessfulSubmit) {
 this.open = false;
- form.reset();
+ form?.reset();
 }
 this.dispatchEvent(
 new CustomEvent(EVENT_REFRESH, {
diff --git a/web/src/elements/table/TableModal.ts b/web/src/elements/table/TableModal.ts
index 9dc614608..ca940b17e 100644
--- a/web/src/elements/table/TableModal.ts
+++ b/web/src/elements/table/TableModal.ts
@@ -34,7 +34,7 @@ export abstract class TableModal extends Table {
 resetForms(): void {
 this.querySelectorAll("[slot=form]").forEach(form => {
- form.reset();
+ form?.reset();
 });
 }
From 349a5b2d0058137769b5e37aaefdc98286c64854 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Thu, 20 May 2021 01:09:50 +0200
Subject: [PATCH 04/11] web/admin: fix flow form not loading data
Signed-off-by: Jens Langhammer
---
web/src/pages/flows/FlowListPage.ts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/web/src/pages/flows/FlowListPage.ts b/web/src/pages/flows/FlowListPage.ts
index 89e9d041d..eb164f074 100644
--- a/web/src/pages/flows/FlowListPage.ts
+++ b/web/src/pages/flows/FlowListPage.ts
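Review bot: `form?.reset()` in `resetForms()` (ModalButton.ts hunk) only guards against `form` being null or undefined, but the elements passed to the `forEach` callback by `querySelectorAll` are never null. The error in the commit title, `t.reset is not a function`, can therefore still occur when a slotted element has no `reset` method; the actual cause is not shown in these hunks. Guarding the call itself with `form.reset?.();`, or checking `form instanceof Form` first, would cover that case. The same pattern appears in the TableModal.ts and ModalForm.ts hunks; in ModalForm.ts `form` is defined outside the hunk, so it may genuinely be nullable there.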
@@ -68,7 +68,7 @@ export class FlowListPage extends TablePage { ${t`Update Flow`} - +