From afa2afe1d4f945e631349ec3cca553d9eb69e6cd Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Sat, 24 Apr 2021 23:32:46 +0200
Subject: [PATCH 01/31] web/flows: include ShadyDOM, always enable ShadyDOM for
flow interface
Improves compatibility with password managers and iOS.
Signed-off-by: Jens Langhammer
---
authentik/core/templates/base/skeleton.html | 2 ++
authentik/core/templates/if/flow.html | 4 ++++
web/package-lock.json | 5 +++++
web/package.json | 1 +
web/poly.ts | 2 ++
web/rollup.config.js | 4 +---
web/src/interfaces/flow/index.html | 1 +
7 files changed, 16 insertions(+), 3 deletions(-)
create mode 100644 web/poly.ts
diff --git a/authentik/core/templates/base/skeleton.html b/authentik/core/templates/base/skeleton.html
index 8e4e20ce5..125b531a3 100644
--- a/authentik/core/templates/base/skeleton.html
+++ b/authentik/core/templates/base/skeleton.html
@@ -15,6 +15,8 @@
+ {% block head_before %}
+ {% endblock %}
{% block head %}
diff --git a/authentik/core/templates/if/flow.html b/authentik/core/templates/if/flow.html
index 2156e8e9f..191be97ad 100644
--- a/authentik/core/templates/if/flow.html
+++ b/authentik/core/templates/if/flow.html
@@ -3,6 +3,10 @@
{% load static %}
{% load i18n %}
+{% block head_before %}
+
+{% endblock %}
+
{% block head %}
{% endblock %}
diff --git a/web/package-lock.json b/web/package-lock.json
index 54017ddd0..410cbb9cc 100644
--- a/web/package-lock.json
+++ b/web/package-lock.json
@@ -2303,6 +2303,11 @@
"resolved": "https://registry.npmjs.org/@webcomponents/shadycss/-/shadycss-1.10.2.tgz",
"integrity": "sha512-9Iseu8bRtecb0klvv+WXZOVZatsRkbaH7M97Z+f+Pt909R4lDfgUODAnra23DOZTpeMTAkVpf4m/FZztN7Ox1A=="
},
+ "@webcomponents/webcomponentsjs": {
+ "version": "2.5.0",
+ "resolved": "https://registry.npmjs.org/@webcomponents/webcomponentsjs/-/webcomponentsjs-2.5.0.tgz",
+ "integrity": "sha512-C0l51MWQZ9kLzcxOZtniOMohpIFdCLZum7/TEHv3XWFc1Fvt5HCpbSX84x8ltka/JuNKcuiDnxXFkiB2gaePcg=="
+ },
"acorn": {
"version": "7.4.1",
"resolved": "https://registry.npmjs.org/acorn/-/acorn-7.4.1.tgz",
diff --git a/web/package.json b/web/package.json
index f75c35cd8..79b59054c 100644
--- a/web/package.json
+++ b/web/package.json
@@ -57,6 +57,7 @@
"@types/grecaptcha": "^3.0.1",
"@typescript-eslint/eslint-plugin": "^4.22.0",
"@typescript-eslint/parser": "^4.22.0",
+ "@webcomponents/webcomponentsjs": "^2.5.0",
"authentik-api": "file:api",
"babel-plugin-macros": "^3.0.1",
"base64-js": "^1.5.1",
diff --git a/web/poly.ts b/web/poly.ts
new file mode 100644
index 000000000..510032fcc
--- /dev/null
+++ b/web/poly.ts
@@ -0,0 +1,2 @@
+import "construct-style-sheets-polyfill";
+import "@webcomponents/webcomponentsjs";
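Review bot: The new polyfill entry file carries no comment saying what it is for, so its role is only discoverable from the "Polyfills (imported first)" comment in rollup.config.js. Add a header such as `// Entry point for the polyfill bundle; rollup.config.js builds it as its own IIFE so it loads before the application bundles.` If the order of the two imports matters, state that in the same comment; nothing on the page establishes it either way.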
diff --git a/web/rollup.config.js b/web/rollup.config.js
index c761f2bc9..001108d40 100644
--- a/web/rollup.config.js
+++ b/web/rollup.config.js
@@ -76,9 +76,7 @@ export default [
},
// Polyfills (imported first)
{
- input: [
- "construct-style-sheets-polyfill"
- ],
+ input: "./poly.ts",
output: [
{
format: "iife",
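Review bot: `input: "./poly.ts"` is resolved by Rollup relative to the working directory, not to the config file, whereas the previous bare package specifier had no such dependency; running the build from anywhere but `web/` will fail to find the entry. The plugin list for this bundle lies outside the hunk — if it does not include the TypeScript plugin, the `.ts` entry is parsed only as plain ES module syntax, which works here solely because poly.ts contains nothing but bare imports. A short comment on the input line, `// polyfill entry, path relative to web/`, would make the first point explicit.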
diff --git a/web/src/interfaces/flow/index.html b/web/src/interfaces/flow/index.html
index 92121cbec..c990acb83 100644
--- a/web/src/interfaces/flow/index.html
+++ b/web/src/interfaces/flow/index.html
@@ -10,6 +10,7 @@
+
From b2b9093c95c38f713144f33c93436f89b964903c Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Sun, 25 Apr 2021 01:29:01 +0200
Subject: [PATCH 02/31] web: don't enable ShadyDOM on selenium
Signed-off-by: Jens Langhammer
---
authentik/core/templates/if/flow.html | 2 +-
web/src/interfaces/flow/index.html | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/authentik/core/templates/if/flow.html b/authentik/core/templates/if/flow.html
index 191be97ad..e8fc13e1a 100644
--- a/authentik/core/templates/if/flow.html
+++ b/authentik/core/templates/if/flow.html
@@ -4,7 +4,7 @@
{% load i18n %}
{% block head_before %}
-
+
{% endblock %}
{% block head %}
diff --git a/web/src/interfaces/flow/index.html b/web/src/interfaces/flow/index.html
index c990acb83..b03ab73b4 100644
--- a/web/src/interfaces/flow/index.html
+++ b/web/src/interfaces/flow/index.html
@@ -10,7 +10,7 @@
-
+
From 58712828a478a1d1bb1c4953049a587aafe386a4 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Sun, 25 Apr 2021 18:50:19 +0200
Subject: [PATCH 03/31] web/flows/identification: fix phrasing account recovery
Signed-off-by: Jens Langhammer
---
web/src/elements/PageHeader.ts | 2 +-
.../flows/stages/identification/IdentificationStage.ts | 1 -
web/src/locales/en.po | 9 ++++-----
web/src/locales/pseudo-LOCALE.po | 9 ++++-----
4 files changed, 9 insertions(+), 12 deletions(-)
diff --git a/web/src/elements/PageHeader.ts b/web/src/elements/PageHeader.ts
index 7be03f728..e0aff235a 100644
--- a/web/src/elements/PageHeader.ts
+++ b/web/src/elements/PageHeader.ts
@@ -44,7 +44,7 @@ export class PageHeader extends LitElement {
flex-direction: row;
min-height: 114px;
}
- button.sidebar-trigger {
+ button.pf-c-button.pf-m-plain.sidebar-trigger {
background-color: var(--pf-c-page__main-section--m-light--BackgroundColor);
border-radius: 0px;
}
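Review bot: The selector change is a specificity bump with no comment, so a reader cannot tell why `.pf-c-button.pf-m-plain` was added to an otherwise unchanged rule; presumably it has to outrank a PatternFly rule on the same classes. Add `/* must outrank PatternFly's .pf-c-button.pf-m-plain background rule */` above the selector, with the wording confirmed against the rule it overrides. The styles block continues outside the hunk.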
diff --git a/web/src/flows/stages/identification/IdentificationStage.ts b/web/src/flows/stages/identification/IdentificationStage.ts
index c6fa5490c..c44511052 100644
--- a/web/src/flows/stages/identification/IdentificationStage.ts
+++ b/web/src/flows/stages/identification/IdentificationStage.ts
@@ -149,7 +149,6 @@ export class IdentificationStage extends BaseStage {
` : html``}
${this.challenge.recovery_url ? html`
- ${t`Need an account?`}
${t`Forgot username or password?`}
` : html``}
`;
diff --git a/web/src/locales/en.po b/web/src/locales/en.po
index aaa1f86a9..9825f5408 100644
--- a/web/src/locales/en.po
+++ b/web/src/locales/en.po
@@ -1079,7 +1079,7 @@ msgstr "Email"
msgid "Email address"
msgstr "Email address"
-#: src/flows/stages/identification/IdentificationStage.ts:151
+#: src/flows/stages/identification/IdentificationStage.ts:150
msgid "Email or Username"
msgstr "Email or Username"
@@ -1382,7 +1382,7 @@ msgstr "Force the user to configure an authenticator"
msgid "Forgot password?"
msgstr "Forgot password?"
-#: src/flows/stages/identification/IdentificationStage.ts:125
+#: src/flows/stages/identification/IdentificationStage.ts:124
msgid "Forgot username or password?"
msgstr "Forgot username or password?"
@@ -1677,7 +1677,7 @@ msgstr "Library"
#: src/flows/stages/consent/ConsentStage.ts:28
#: src/flows/stages/dummy/DummyStage.ts:27
#: src/flows/stages/email/EmailStage.ts:26
-#: src/flows/stages/identification/IdentificationStage.ts:134
+#: src/flows/stages/identification/IdentificationStage.ts:133
#: src/flows/stages/password/PasswordStage.ts:31
#: src/flows/stages/prompt/PromptStage.ts:126
#: src/pages/applications/ApplicationViewPage.ts:43
@@ -1752,7 +1752,7 @@ msgstr "Log the currently pending user in."
msgid "Login password is synced from LDAP into authentik automatically. Enable this option only to write password changes in authentik back to LDAP."
msgstr "Login password is synced from LDAP into authentik automatically. Enable this option only to write password changes in authentik back to LDAP."
-#: src/flows/stages/identification/IdentificationStage.ts:146
+#: src/flows/stages/identification/IdentificationStage.ts:145
msgid "Login to continue to {0}."
msgstr "Login to continue to {0}."
@@ -1930,7 +1930,6 @@ msgid "NameID Property Mapping"
msgstr "NameID Property Mapping"
#: src/flows/stages/identification/IdentificationStage.ts:119
-#: src/flows/stages/identification/IdentificationStage.ts:124
msgid "Need an account?"
msgstr "Need an account?"
diff --git a/web/src/locales/pseudo-LOCALE.po b/web/src/locales/pseudo-LOCALE.po
index a346554c3..5ed3a220d 100644
--- a/web/src/locales/pseudo-LOCALE.po
+++ b/web/src/locales/pseudo-LOCALE.po
@@ -1071,7 +1071,7 @@ msgstr ""
msgid "Email address"
msgstr ""
-#: src/flows/stages/identification/IdentificationStage.ts:151
+#: src/flows/stages/identification/IdentificationStage.ts:150
msgid "Email or Username"
msgstr ""
@@ -1374,7 +1374,7 @@ msgstr ""
msgid "Forgot password?"
msgstr ""
-#: src/flows/stages/identification/IdentificationStage.ts:125
+#: src/flows/stages/identification/IdentificationStage.ts:124
msgid "Forgot username or password?"
msgstr ""
@@ -1669,7 +1669,7 @@ msgstr ""
#: src/flows/stages/consent/ConsentStage.ts:28
#: src/flows/stages/dummy/DummyStage.ts:27
#: src/flows/stages/email/EmailStage.ts:26
-#: src/flows/stages/identification/IdentificationStage.ts:134
+#: src/flows/stages/identification/IdentificationStage.ts:133
#: src/flows/stages/password/PasswordStage.ts:31
#: src/flows/stages/prompt/PromptStage.ts:126
#: src/pages/applications/ApplicationViewPage.ts:43
@@ -1744,7 +1744,7 @@ msgstr ""
msgid "Login password is synced from LDAP into authentik automatically. Enable this option only to write password changes in authentik back to LDAP."
msgstr ""
-#: src/flows/stages/identification/IdentificationStage.ts:146
+#: src/flows/stages/identification/IdentificationStage.ts:145
msgid "Login to continue to {0}."
msgstr ""
@@ -1922,7 +1922,6 @@ msgid "NameID Property Mapping"
msgstr ""
#: src/flows/stages/identification/IdentificationStage.ts:119
-#: src/flows/stages/identification/IdentificationStage.ts:124
msgid "Need an account?"
msgstr ""
From 50f0c11c0bdb4ccfddfd956ceab82fe331cad1d9 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Mon, 26 Apr 2021 17:45:09 +0200
Subject: [PATCH 04/31] web/flows: fix redirect loop when sentry is enabled
Signed-off-by: Jens Langhammer
---
web/src/api/Sentry.ts | 4 ++--
web/src/elements/sidebar/SidebarBrand.ts | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/web/src/api/Sentry.ts b/web/src/api/Sentry.ts
index ef7f9f2e4..e012bfd05 100644
--- a/web/src/api/Sentry.ts
+++ b/web/src/api/Sentry.ts
@@ -6,7 +6,7 @@ import { me } from "./Users";
import { config } from "./Config";
import { Config } from "authentik-api";
-export function configureSentry(): Promise {
+export function configureSentry(canDoPpi: boolean = false): Promise {
return config().then((config) => {
if (config.errorReportingEnabled) {
Sentry.init({
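Review bot: The new parameter `canDoPpi` is misspelled relative to what it gates — the flag it is combined with in the second hunk of this file is `errorReportingSendPii` (PII), so `canDoPii` would read consistently; the same name recurs in that hunk and at the SidebarBrand call site. The parameter is also undocumented although it encodes the fix the commit message describes; a TSDoc line such as `@param canDoPii - true only when the caller runs in an authenticated interface; otherwise the me() lookup that attaches the user's email to Sentry is skipped (presumably that lookup is what caused the redirect loop in unauthenticated interfaces).` would state the contract, and defaulting it to false keeps PII opt-in. `: boolean = false` is redundant with the default and can be written `canDoPii = false`. configureSentry continues outside the hunk.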
@@ -47,7 +47,7 @@ export function configureSentry(): Promise {
},
});
console.debug("authentik/config: Sentry enabled.");
- if (config.errorReportingSendPii) {
+ if (config.errorReportingSendPii && canDoPpi) {
me().then(user => {
Sentry.setUser({ email: user.user.email });
console.debug("authentik/config: Sentry with PII enabled.");
diff --git a/web/src/elements/sidebar/SidebarBrand.ts b/web/src/elements/sidebar/SidebarBrand.ts
index 63f8a2d6e..69873309d 100644
--- a/web/src/elements/sidebar/SidebarBrand.ts
+++ b/web/src/elements/sidebar/SidebarBrand.ts
@@ -41,7 +41,7 @@ export class SidebarBrand extends LitElement {
}
firstUpdated(): void {
- configureSentry().then((c) => {this.config = c;});
+ configureSentry(true).then((c) => {this.config = c;});
}
render(): TemplateResult {
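Review bot: The bare `true` in `configureSentry(true)` tells a reader nothing about what is being enabled at this call site; a comment such as `// admin interface: presumably always authenticated, so Sentry may look up the user for PII` would carry the intent (confirm the assumption against how this interface is mounted). firstUpdated is complete within the hunk, but the class continues outside it.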
From 378402fcf0eb430477be27c7f80d4db676568eb5 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Tue, 27 Apr 2021 14:52:42 +0200
Subject: [PATCH 05/31] stages/user_login: add tests for explicit session
length
Signed-off-by: Jens Langhammer
---
authentik/stages/user_login/tests.py | 26 ++++++++++++++++++++++++++
1 file changed, 26 insertions(+)
diff --git a/authentik/stages/user_login/tests.py b/authentik/stages/user_login/tests.py
index 98da7ab45..33c921e17 100644
--- a/authentik/stages/user_login/tests.py
+++ b/authentik/stages/user_login/tests.py
@@ -1,4 +1,5 @@
"""login tests"""
+from time import sleep
from unittest.mock import patch
from django.test import Client, TestCase
@@ -51,6 +52,31 @@ class TestUserLoginStage(TestCase):
{"to": reverse("authentik_core:root-redirect"), "type": "redirect"},
)
+ def test_expiry(self):
+ """Test with expiry"""
+ self.stage.session_duration = "seconds=2"
+ self.stage.save()
+ plan = FlowPlan(
+ flow_pk=self.flow.pk.hex, stages=[self.stage], markers=[StageMarker()]
+ )
+ plan.context[PLAN_CONTEXT_PENDING_USER] = self.user
+ session = self.client.session
+ session[SESSION_KEY_PLAN] = plan
+ session.save()
+
+ response = self.client.get(
+ reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
+ )
+ self.assertEqual(response.status_code, 200)
+ self.assertJSONEqual(
+ force_str(response.content),
+ {"to": reverse("authentik_core:root-redirect"), "type": "redirect"},
+ )
+ self.assertNotEqual(list(self.client.session.keys()), [])
+ sleep(3)
+ self.client.session.clear_expired()
+ self.assertEqual(list(self.client.session.keys()), [])
+
@patch(
"authentik.flows.views.to_stage_response",
TO_STAGE_RESPONSE_MOCK,
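Review bot: `test_expiry` depends on wall-clock timing — `sleep(3)` against a two-second `session_duration` makes the test take at least three seconds, and the `assertNotEqual` on the session keys before the sleep can fail spuriously if the request itself takes longer than two seconds on a loaded CI runner. The sleep and the `clear_expired()` call also carry no explanation; at minimum a comment such as `# wait past the 2s session_duration, then purge expired sessions from the store so the reload below sees none` would make the mechanics clear. Mocking time would remove the sleep, but no time-mocking helper is imported in the visible hunks of this file.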
From ed49d7824e62df58e7b446afe2275b2f49bcc739 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Tue, 27 Apr 2021 15:20:09 +0200
Subject: [PATCH 06/31] stages/email: catch ValueError when global email
settings are invalid
Signed-off-by: Jens Langhammer
---
authentik/stages/email/tasks.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/authentik/stages/email/tasks.py b/authentik/stages/email/tasks.py
index 38fafdeeb..462f3dae6 100644
--- a/authentik/stages/email/tasks.py
+++ b/authentik/stages/email/tasks.py
@@ -68,7 +68,7 @@ def send_mail(
messages=["Successfully sent Mail."],
)
)
- except (SMTPException, ConnectionError) as exc:
+ except (SMTPException, ConnectionError, ValueError) as exc:
LOGGER.debug("Error sending email, retrying...", exc=exc)
self.set_status(TaskResult(TaskResultStatus.ERROR).with_error(exc))
raise exc
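Review bot: Adding `ValueError` to the retried exceptions treats a configuration error as transient: invalid global email settings, the case named in the commit message, will not change between attempts, so each retry re-logs at debug level and re-raises until the retry budget is exhausted. `ValueError` is also broad enough to catch bugs in message construction, which would then be hidden behind the same "retrying..." message. Consider a separate `except ValueError as exc:` that records the ERROR status and re-raises without scheduling a retry, or at least a comment `# ValueError: invalid global email settings; not transient, retried only to surface the failure` above the clause. The retry configuration of `send_mail` is outside the hunk, so whether re-raising triggers a retry is inferred from the existing log message.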
From 1af3357826a1ca3e0ef4d999fffdc7e6b097931a Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Tue, 27 Apr 2021 15:43:26 +0200
Subject: [PATCH 07/31] *: make logger not use .error
Signed-off-by: Jens Langhammer
---
authentik/flows/transfer/importer.py | 4 ++--
authentik/outposts/models.py | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/authentik/flows/transfer/importer.py b/authentik/flows/transfer/importer.py
index 04ed65220..5c9fde10e 100644
--- a/authentik/flows/transfer/importer.py
+++ b/authentik/flows/transfer/importer.py
@@ -160,7 +160,7 @@ class FlowImporter:
try:
model: SerializerModel = apps.get_model(model_app_label, model_name)
except LookupError:
- self.logger.error(
+ self.logger.warning(
"app or model does not exist", app=model_app_label, model=model_name
)
return False
@@ -168,7 +168,7 @@ class FlowImporter:
try:
serializer = self._validate_single(entry)
except EntryInvalidError as exc:
- self.logger.error("entry not valid", entry=entry, error=exc)
+ self.logger.warning("entry not valid", entry=entry, error=exc)
return False
model = serializer.save()
diff --git a/authentik/outposts/models.py b/authentik/outposts/models.py
index 33e653d5e..d8e75cdf4 100644
--- a/authentik/outposts/models.py
+++ b/authentik/outposts/models.py
@@ -201,7 +201,7 @@ class DockerServiceConnection(OutpostServiceConnection):
)
client.containers.list()
except DockerException as exc:
- LOGGER.error(exc)
+ LOGGER.warning(exc)
raise ServiceConnectionInvalid from exc
return client
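Review bot: `LOGGER.warning(exc)` passes the exception object as the log event, which is inconsistent with the structured style used in the importer.py hunks of this same patch (`self.logger.warning("entry not valid", entry=entry, error=exc)`), and a fixed event string is easier to search for. Prefer `LOGGER.warning("docker service connection check failed", exc=exc)`. The enclosing method starts outside the hunk.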
From d82c01aa610e3a17c97d7a6f344a31e6e02f85e7 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Tue, 27 Apr 2021 15:43:40 +0200
Subject: [PATCH 08/31] web/admin: don't show docker certs as required
Signed-off-by: Jens Langhammer
---
web/src/pages/outposts/ServiceConnectionDockerForm.ts | 2 --
1 file changed, 2 deletions(-)
diff --git a/web/src/pages/outposts/ServiceConnectionDockerForm.ts b/web/src/pages/outposts/ServiceConnectionDockerForm.ts
index 584dd4513..db8ceafa8 100644
--- a/web/src/pages/outposts/ServiceConnectionDockerForm.ts
+++ b/web/src/pages/outposts/ServiceConnectionDockerForm.ts
@@ -70,7 +70,6 @@ export class ServiceConnectionDockerForm extends Form {