rewite some things on the release notes

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2023.10.2
+current_version = 2023.10.6
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)

.dockerignore

@@ -9,3 +9,4 @@ blueprints/local
 .git
 !gen-ts-api/node_modules
 !gen-ts-api/dist/**
+!gen-go-api/

.github/actions/setup/action.yml

@@ -2,36 +2,39 @@ name: "Setup authentik testing environment"
 description: "Setup authentik testing environment"
 
 inputs:
-  postgresql_tag:
+  postgresql_version:
     description: "Optional postgresql image tag"
-    default: "12"
+    default: "16"
 
 runs:
   using: "composite"
   steps:
-    - name: Install poetry
+    - name: Install poetry & deps
       shell: bash
       run: |
         pipx install poetry || true
-        sudo apt update
-        sudo apt install -y libpq-dev openssl libxmlsec1-dev pkg-config gettext
+        sudo apt-get update
+        sudo apt-get install --no-install-recommends -y libpq-dev openssl libxmlsec1-dev pkg-config gettext
     - name: Setup python and restore poetry
-      uses: actions/setup-python@v3
+      uses: actions/setup-python@v4
       with:
-        python-version: "3.11"
+        python-version-file: "pyproject.toml"
         cache: "poetry"
     - name: Setup node
       uses: actions/setup-node@v3
       with:
-        node-version: "20"
+        node-version-file: web/package.json
         cache: "npm"
         cache-dependency-path: web/package-lock.json
+    - name: Setup go
+      uses: actions/setup-go@v4
+      with:
+        go-version-file: "go.mod"
     - name: Setup dependencies
       shell: bash
       run: |
-        export PSQL_TAG=${{ inputs.postgresql_tag }}
+        export PSQL_TAG=${{ inputs.postgresql_version }}
         docker-compose -f .github/actions/setup/docker-compose.yml up -d
-        poetry env use python3.11
         poetry install
         cd web && npm ci
     - name: Generate config

.github/actions/setup/docker-compose.yml

@@ -2,7 +2,7 @@ version: "3.7"
 
 services:
   postgresql:
-    image: docker.io/library/postgres:${PSQL_TAG:-12}
+    image: docker.io/library/postgres:${PSQL_TAG:-16}
     volumes:
       - db-data:/var/lib/postgresql/data
     environment:

.github/codespell-words.txt

@@ -2,3 +2,4 @@ keypair
 keypairs
 hass
 warmup
+ontext

.github/dependabot.yml

@@ -35,6 +35,7 @@ updates:
       sentry:
         patterns:
           - "@sentry/*"
+          - "@spotlightjs/*"
       babel:
         patterns:
           - "@babel/*"
@@ -66,6 +67,7 @@ updates:
       sentry:
         patterns:
           - "@sentry/*"
+          - "@spotlightjs/*"
       babel:
         patterns:
           - "@babel/*"

.github/workflows/ci-main.yml

@@ -11,6 +11,7 @@ on:
   pull_request:
     branches:
       - main
+      - version-*
 
 env:
   POSTGRES_DB: authentik
@@ -47,25 +48,34 @@ jobs:
       - name: run migrations
         run: poetry run python -m lifecycle.migrate
   test-migrations-from-stable:
+    name: test-migrations-from-stable - PostgreSQL ${{ matrix.psql }}
     runs-on: ubuntu-latest
-    continue-on-error: true
+    strategy:
+      fail-fast: false
+      matrix:
+        psql:
+          - 12-alpine
+          - 15-alpine
+          - 16-alpine
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - name: Setup authentik env
-        uses: ./.github/actions/setup
       - name: checkout stable
         run: |
+          # Delete all poetry envs
+          rm -rf /home/runner/.cache/pypoetry
           # Copy current, latest config to local
           cp authentik/lib/default.yml local.env.yml
           cp -R .github ..
           cp -R scripts ..
-          git checkout $(git describe --tags $(git rev-list --tags --max-count=1))
+          git checkout version/$(python -c "from authentik import __version__; print(__version__)")
           rm -rf .github/ scripts/
           mv ../.github ../scripts .
-      - name: Setup authentik env (ensure stable deps are installed)
+      - name: Setup authentik env (stable)
         uses: ./.github/actions/setup
+        with:
+          postgresql_version: ${{ matrix.psql }}
       - name: run migrations to stable
         run: poetry run python -m lifecycle.migrate
       - name: checkout current code
@@ -75,11 +85,21 @@ jobs:
           git reset --hard HEAD
           git clean -d -fx .
           git checkout $GITHUB_SHA
-          poetry install
+          # Delete previous poetry env
+          rm -rf /home/runner/.cache/pypoetry/virtualenvs/*
       - name: Setup authentik env (ensure latest deps are installed)
         uses: ./.github/actions/setup
+        with:
+          postgresql_version: ${{ matrix.psql }}
       - name: migrate to latest
-        run: poetry run python -m lifecycle.migrate
+        run: |
+          poetry run python -m lifecycle.migrate
+      - name: run tests
+        env:
+          # Test in the main database that we just migrated from the previous stable version
+          AUTHENTIK_POSTGRESQL__TEST__NAME: authentik
+        run: |
+          poetry run make test
   test-unittest:
     name: test-unittest - PostgreSQL ${{ matrix.psql }}
     runs-on: ubuntu-latest
@@ -96,7 +116,7 @@ jobs:
       - name: Setup authentik env
         uses: ./.github/actions/setup
         with:
-          postgresql_tag: ${{ matrix.psql }}
+          postgresql_version: ${{ matrix.psql }}
       - name: run unittest
         run: |
           poetry run make test
@@ -185,6 +205,9 @@ jobs:
   build:
     needs: ci-core-mark
     runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload contianer images to ghcr.io
+      packages: write
     timeout-minutes: 120
     steps:
       - uses: actions/checkout@v4
@@ -226,15 +249,12 @@ jobs:
             VERSION_FAMILY=${{ steps.ev.outputs.versionFamily }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
-      - name: Comment on PR
-        if: github.event_name == 'pull_request'
-        continue-on-error: true
-        uses: ./.github/actions/comment-pr-instructions
-        with:
-          tag: gh-${{ steps.ev.outputs.branchNameContainer }}-${{ steps.ev.outputs.timestamp }}-${{ steps.ev.outputs.shortHash }}
   build-arm64:
     needs: ci-core-mark
     runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload contianer images to ghcr.io
+      packages: write
     timeout-minutes: 120
     steps:
       - uses: actions/checkout@v4
@@ -277,3 +297,26 @@ jobs:
           platforms: linux/arm64
           cache-from: type=gha
           cache-to: type=gha,mode=max
+  pr-comment:
+    needs:
+      - build
+      - build-arm64
+    runs-on: ubuntu-latest
+    if: ${{ github.event_name == 'pull_request' }}
+    permissions:
+      # Needed to write comments on PRs
+      pull-requests: write
+    timeout-minutes: 120
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+      - name: prepare variables
+        uses: ./.github/actions/docker-push-variables
+        id: ev
+        env:
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+      - name: Comment on PR
+        uses: ./.github/actions/comment-pr-instructions
+        with:
+          tag: gh-${{ steps.ev.outputs.branchNameContainer }}-${{ steps.ev.outputs.timestamp }}-${{ steps.ev.outputs.shortHash }}

.github/workflows/ci-outpost.yml

@@ -9,13 +9,14 @@ on:
   pull_request:
     branches:
       - main
+      - version-*
 
 jobs:
   lint-golint:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-go@v4
+      - uses: actions/setup-go@v5
         with:
           go-version-file: "go.mod"
       - name: Prepare and generate API
@@ -36,7 +37,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-go@v4
+      - uses: actions/setup-go@v5
         with:
           go-version-file: "go.mod"
       - name: Setup authentik env
@@ -64,7 +65,11 @@ jobs:
           - proxy
           - ldap
           - radius
+          - rac
     runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload contianer images to ghcr.io
+      packages: write
     steps:
       - uses: actions/checkout@v4
         with:
@@ -115,18 +120,19 @@ jobs:
           - proxy
           - ldap
           - radius
+          - rac
         goos: [linux]
         goarch: [amd64, arm64]
     steps:
       - uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.sha }}
-      - uses: actions/setup-go@v4
+      - uses: actions/setup-go@v5
         with:
           go-version-file: "go.mod"
       - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version-file: web/package.json
           cache: "npm"
           cache-dependency-path: web/package-lock.json
       - name: Generate API

.github/workflows/ci-web.yml

@@ -9,6 +9,7 @@ on:
   pull_request:
     branches:
       - main
+      - version-*
 
 jobs:
   lint-eslint:
@@ -23,7 +24,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version-file: ${{ matrix.project }}/package.json
           cache: "npm"
           cache-dependency-path: ${{ matrix.project }}/package-lock.json
       - working-directory: ${{ matrix.project }}/
@@ -39,7 +40,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version-file: web/package.json
           cache: "npm"
           cache-dependency-path: web/package-lock.json
       - working-directory: web/
@@ -61,7 +62,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version-file: ${{ matrix.project }}/package.json
           cache: "npm"
           cache-dependency-path: ${{ matrix.project }}/package-lock.json
       - working-directory: ${{ matrix.project }}/
@@ -77,7 +78,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version-file: web/package.json
           cache: "npm"
           cache-dependency-path: web/package-lock.json
       - working-directory: web/
@@ -109,7 +110,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version-file: web/package.json
           cache: "npm"
           cache-dependency-path: web/package-lock.json
       - working-directory: web/

.github/workflows/ci-website.yml

@@ -9,6 +9,7 @@ on:
   pull_request:
     branches:
       - main
+      - version-*
 
 jobs:
   lint-prettier:
@@ -17,7 +18,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version-file: website/package.json
           cache: "npm"
           cache-dependency-path: website/package-lock.json
       - working-directory: website/
@@ -31,7 +32,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version-file: website/package.json
           cache: "npm"
           cache-dependency-path: website/package-lock.json
       - working-directory: website/
@@ -52,7 +53,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version-file: website/package.json
           cache: "npm"
           cache-dependency-path: website/package-lock.json
       - working-directory: website/

.github/workflows/codeql-analysis.yml

@@ -27,10 +27,10 @@ jobs:
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v2
+        uses: github/codeql-action/init@v3
         with:
           languages: ${{ matrix.language }}
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v2
+        uses: github/codeql-action/autobuild@v3
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v2
+        uses: github/codeql-action/analyze@v3

.github/workflows/gha-cache-cleanup.yml

@@ -6,6 +6,10 @@ on:
     types:
       - closed
 
+permissions:
+  # Permission to delete cache
+  actions: write
+
 jobs:
   cleanup:
     runs-on: ubuntu-latest

.github/workflows/release-next-branch.yml

@@ -6,6 +6,7 @@ on:
   workflow_dispatch:
 
 permissions:
+  # Needed to be able to push to the next branch
   contents: write
 
 jobs:

.github/workflows/release-publish.yml

@@ -7,6 +7,9 @@ on:
 jobs:
   build-server:
     runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload contianer images to ghcr.io
+      packages: write
     steps:
       - uses: actions/checkout@v4
       - name: Set up QEMU
@@ -52,6 +55,9 @@ jobs:
             VERSION_FAMILY=${{ steps.ev.outputs.versionFamily }}
   build-outpost:
     runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload contianer images to ghcr.io
+      packages: write
     strategy:
       fail-fast: false
       matrix:
@@ -59,9 +65,10 @@ jobs:
           - proxy
           - ldap
           - radius
+          - rac
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-go@v4
+      - uses: actions/setup-go@v5
         with:
           go-version-file: "go.mod"
       - name: Set up QEMU
@@ -106,6 +113,9 @@ jobs:
   build-outpost-binary:
     timeout-minutes: 120
     runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload binaries to the release
+      contents: write
     strategy:
       fail-fast: false
       matrix:
@@ -117,12 +127,12 @@ jobs:
         goarch: [amd64, arm64]
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-go@v4
+      - uses: actions/setup-go@v5
         with:
           go-version-file: "go.mod"
       - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version-file: web/package.json
           cache: "npm"
           cache-dependency-path: web/package-lock.json
       - name: Build web

.github/workflows/release-tag.yml

@@ -30,7 +30,7 @@ jobs:
           private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
       - name: Extract version number
         id: get_version
-        uses: actions/github-script@v6
+        uses: actions/github-script@v7
         with:
           github-token: ${{ steps.generate_token.outputs.token }}
           script: |

.github/workflows/repo-stale.yml

@@ -6,8 +6,8 @@ on:
   workflow_dispatch:
 
 permissions:
+  # Needed to update issues and PRs
   issues: write
-  pull-requests: write
 
 jobs:
   stale:
@@ -18,7 +18,7 @@ jobs:
         with:
           app_id: ${{ secrets.GH_APP_ID }}
           private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/stale@v8
+      - uses: actions/stale@v9
         with:
           repo-token: ${{ steps.generate_token.outputs.token }}
           days-before-stale: 60

.github/workflows/translation-advice.yml

@@ -7,7 +7,12 @@ on:
     paths:
       - "!**"
       - "locale/**"
-      - "web/src/locales/**"
+      - "!locale/en/**"
+      - "web/xliff/**"
+
+permissions:
+  # Permission to write comment
+  pull-requests: write
 
 jobs:
   post-comment:

.github/workflows/translation-rename.yml

@@ -6,6 +6,10 @@ on:
   pull_request:
     types: [opened, reopened]
 
+permissions:
+  # Permission to rename PR
+  pull-requests: write
+
 jobs:
   rename_pr:
     runs-on: ubuntu-latest

.github/workflows/web-api-publish.yml

@@ -19,7 +19,7 @@ jobs:
           token: ${{ steps.generate_token.outputs.token }}
       - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version-file: web/package.json
           registry-url: "https://registry.npmjs.org"
       - name: Generate API Client
         run: make gen-client-ts

.vscode/extensions.json

@@ -14,6 +14,7 @@
         "ms-python.pylint",
         "ms-python.python",
         "ms-python.vscode-pylance",
+        "ms-python.black-formatter",
         "redhat.vscode-yaml",
         "Tobermory.es6-string-html",
         "unifiedjs.vscode-mdx",

.vscode/settings.json

@@ -19,10 +19,8 @@
         "slo",
         "scim",
     ],
-    "python.linting.pylintEnabled": true,
     "todo-tree.tree.showCountsInTree": true,
     "todo-tree.tree.showBadges": true,
-    "python.formatting.provider": "black",
     "yaml.customTags": [
         "!Find sequence",
         "!KeyOf scalar",

Dockerfile

@@ -1,3 +1,5 @@
+# syntax=docker/dockerfile:1
+
 # Stage 1: Build website
 FROM --platform=${BUILDPLATFORM} docker.io/node:21 as website-builder
 
@@ -7,7 +9,7 @@ WORKDIR /work/website
 
 RUN --mount=type=bind,target=/work/website/package.json,src=./website/package.json \
     --mount=type=bind,target=/work/website/package-lock.json,src=./website/package-lock.json \
-    --mount=type=cache,target=/root/.npm \
+    --mount=type=cache,id=npm-website,sharing=shared,target=/root/.npm \
     npm ci --include=dev
 
 COPY ./website /work/website/
@@ -25,7 +27,7 @@ WORKDIR /work/web
 
 RUN --mount=type=bind,target=/work/web/package.json,src=./web/package.json \
     --mount=type=bind,target=/work/web/package-lock.json,src=./web/package-lock.json \
-    --mount=type=cache,target=/root/.npm \
+    --mount=type=cache,id=npm-web,sharing=shared,target=/root/.npm \
     npm ci --include=dev
 
 COPY ./web /work/web/
@@ -35,7 +37,14 @@ COPY ./gen-ts-api /work/web/node_modules/@goauthentik/api
 RUN npm run build
 
 # Stage 3: Build go proxy
-FROM docker.io/golang:1.21.3-bookworm AS go-builder
+FROM --platform=${BUILDPLATFORM} docker.io/golang:1.21.6-bookworm AS go-builder
+
+ARG TARGETOS
+ARG TARGETARCH
+ARG TARGETVARIANT
+
+ARG GOOS=$TARGETOS
+ARG GOARCH=$TARGETARCH
 
 WORKDIR /go/src/goauthentik.io
 
@@ -55,14 +64,14 @@ COPY ./go.sum /go/src/goauthentik.io/go.sum
 
 ENV CGO_ENABLED=0
 
-RUN --mount=type=cache,target=/go/pkg/mod \
-    --mount=type=cache,target=/root/.cache/go-build \
-    go build -o /go/authentik ./cmd/server
+RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
+    --mount=type=cache,id=go-build-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/root/.cache/go-build \
+    GOARM="${TARGETVARIANT#v}" go build -o /go/authentik ./cmd/server
 
 # Stage 4: MaxMind GeoIP
-FROM ghcr.io/maxmind/geoipupdate:v6.0 as geoip
+FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v6.1 as geoip
 
-ENV GEOIPUPDATE_EDITION_IDS="GeoLite2-City"
+ENV GEOIPUPDATE_EDITION_IDS="GeoLite2-City GeoLite2-ASN"
 ENV GEOIPUPDATE_VERBOSE="true"
 ENV GEOIPUPDATE_ACCOUNT_ID_FILE="/run/secrets/GEOIPUPDATE_ACCOUNT_ID"
 ENV GEOIPUPDATE_LICENSE_KEY_FILE="/run/secrets/GEOIPUPDATE_LICENSE_KEY"
@@ -74,7 +83,7 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
     /bin/sh -c "/usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
 
 # Stage 5: Python dependencies
-FROM docker.io/python:3.11.5-bookworm AS python-deps
+FROM docker.io/python:3.12.1-slim-bookworm AS python-deps
 
 WORKDIR /ak-root/poetry
 
@@ -82,7 +91,9 @@ ENV VENV_PATH="/ak-root/venv" \
     POETRY_VIRTUALENVS_CREATE=false \
     PATH="/ak-root/venv/bin:$PATH"
 
-RUN --mount=type=cache,target=/var/cache/apt \
+RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache
+
+RUN --mount=type=cache,id=apt-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/var/cache/apt \
     apt-get update && \
     # Required for installing pip packages
     apt-get install -y --no-install-recommends build-essential pkg-config libxmlsec1-dev zlib1g-dev libpq-dev
@@ -97,7 +108,7 @@ RUN --mount=type=bind,target=./pyproject.toml,src=./pyproject.toml \
     poetry install --only=main --no-ansi --no-interaction
 
 # Stage 6: Run
-FROM docker.io/python:3.11.5-slim-bookworm AS final-image
+FROM docker.io/python:3.12.1-slim-bookworm AS final-image
 
 ARG GIT_BUILD_HASH
 ARG VERSION
@@ -114,7 +125,7 @@ WORKDIR /
 # We cannot cache this layer otherwise we'll end up with a bigger image
 RUN apt-get update && \
     # Required for runtime
-    apt-get install -y --no-install-recommends libpq5 openssl libxmlsec1-openssl libmaxminddb0 && \
+    apt-get install -y --no-install-recommends libpq5 openssl libxmlsec1-openssl libmaxminddb0 ca-certificates && \
     # Required for bootstrap & healtcheck
     apt-get install -y --no-install-recommends runit && \
     apt-get clean && \

Makefile

@@ -58,7 +58,7 @@ test: ## Run the server tests and produce a coverage report (locally)
 lint-fix:  ## Lint and automatically fix errors in the python source code. Reports spelling errors.
 	isort $(PY_SOURCES)
 	black $(PY_SOURCES)
-	ruff $(PY_SOURCES)
+	ruff --fix $(PY_SOURCES)
 	codespell -w $(CODESPELL_ARGS)
 
 lint: ## Lint the python and golang sources
@@ -94,8 +94,14 @@ dev-reset: dev-drop-db dev-create-db migrate  ## Drop and restore the Authentik
 #########################
 
 gen-build:  ## Extract the schema from the database
-	AUTHENTIK_DEBUG=true ak make_blueprint_schema > blueprints/schema.json
-	AUTHENTIK_DEBUG=true ak spectacular --file schema.yml
+	AUTHENTIK_DEBUG=true \
+		AUTHENTIK_TENANTS__ENABLED=true \
+		AUTHENTIK_OUTPOSTS__DISABLE_EMBEDDED_OUTPOST=true \
+		ak make_blueprint_schema > blueprints/schema.json
+	AUTHENTIK_DEBUG=true \
+		AUTHENTIK_TENANTS__ENABLED=true \
+		AUTHENTIK_OUTPOSTS__DISABLE_EMBEDDED_OUTPOST=true \
+		ak spectacular --file schema.yml
 
 gen-changelog:  ## (Release) generate the changelog based from the commits since the last tag
 	git log --pretty=format:" - %s" $(shell git describe --tags $(shell git rev-list --tags --max-count=1))...$(shell git branch --show-current) | sort > changelog.md
@@ -110,13 +116,20 @@ gen-diff:  ## (Release) generate the changelog diff between the current schema a
 		--markdown /local/diff.md \
 		/local/old_schema.yml /local/schema.yml
 	rm old_schema.yml
+	sed -i 's/{/{/g' diff.md
+	sed -i 's/}/}/g' diff.md
 	npx prettier --write diff.md
 
-gen-clean:
-	rm -rf web/api/src/
-	rm -rf api/
+gen-clean-ts:  ## Remove generated API client for Typescript
+	rm -rf gen-ts-api/
+	rm -rf web/node_modules/@goauthentik/api/
 
-gen-client-ts:  ## Build and install the authentik API for Typescript into the authentik UI Application
+gen-clean-go:  ## Remove generated API client for Go
+	rm -rf gen-go-api/
+
+gen-clean: gen-clean-ts gen-clean-go  ## Remove generated API clients
+
+gen-client-ts: gen-clean-ts  ## Build and install the authentik API for Typescript into the authentik UI Application
 	docker run \
 		--rm -v ${PWD}:/local \
 		--user ${UID}:${GID} \
@@ -132,7 +145,7 @@ gen-client-ts:  ## Build and install the authentik API for Typescript into the a
 	cd gen-ts-api && npm i
 	\cp -rfv gen-ts-api/* web/node_modules/@goauthentik/api
 
-gen-client-go:  ## Build and install the authentik API for Golang
+gen-client-go: gen-clean-go  ## Build and install the authentik API for Golang
 	mkdir -p ./gen-go-api ./gen-go-api/templates
 	wget https://raw.githubusercontent.com/goauthentik/client-go/main/config.yaml -O ./gen-go-api/config.yaml
 	wget https://raw.githubusercontent.com/goauthentik/client-go/main/templates/README.mustache -O ./gen-go-api/templates/README.mustache
@@ -152,7 +165,7 @@ gen-client-go:  ## Build and install the authentik API for Golang
 gen-dev-config:  ## Generate a local development config file
 	python -m scripts.generate_config
 
-gen: gen-build gen-clean gen-client-ts
+gen: gen-build gen-client-ts
 
 #########################
 ## Web

SECURITY.md

@@ -1,5 +1,9 @@
 authentik takes security very seriously. We follow the rules of [responsible disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure), and we urge our community to do so as well, instead of reporting vulnerabilities publicly. This allows us to patch the issue quickly, announce it's existence and release the fixed version.
 
+## Independent audits and pentests
+
+In May/June of 2023 [Cure53](https://cure53.de) conducted an audit and pentest. The [results](https://cure53.de/pentest-report_authentik.pdf) are published on the [Cure53 website](https://cure53.de/#publications-2023). For more details about authentik's response to the findings of the audit refer to [2023-06 Cure53 Code audit](https://goauthentik.io/docs/security/2023-06-cure53).
+
 ## What authentik classifies as a CVE
 
 CVE (Common Vulnerability and Exposure) is a system designed to aggregate all vulnerabilities. As such, a CVE will be issued when there is a either vulnerability or exposure. Per NIST, A vulnerability is:

authentik/__init__.py

@@ -2,7 +2,7 @@
 from os import environ
 from typing import Optional
 
-__version__ = "2023.10.2"
+__version__ = "2023.10.6"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 

authentik/admin/api/system.py

@@ -13,6 +13,7 @@ from rest_framework.response import Response
 from rest_framework.views import APIView
 
 from authentik.core.api.utils import PassiveSerializer
+from authentik.lib.config import CONFIG
 from authentik.lib.utils.reflection import get_env
 from authentik.outposts.apps import MANAGED_OUTPOST
 from authentik.outposts.models import Outpost
@@ -30,15 +31,16 @@ class RuntimeDict(TypedDict):
     uname: str
 
 
-class SystemSerializer(PassiveSerializer):
+class SystemInfoSerializer(PassiveSerializer):
     """Get system information."""
 
     http_headers = SerializerMethodField()
     http_host = SerializerMethodField()
     http_is_secure = SerializerMethodField()
     runtime = SerializerMethodField()
-    tenant = SerializerMethodField()
+    brand = SerializerMethodField()
     server_time = SerializerMethodField()
+    embedded_outpost_disabled = SerializerMethodField()
     embedded_outpost_host = SerializerMethodField()
 
     def get_http_headers(self, request: Request) -> dict[str, str]:
@@ -69,14 +71,18 @@ class SystemSerializer(PassiveSerializer):
             "uname": " ".join(platform.uname()),
         }
 
-    def get_tenant(self, request: Request) -> str:
-        """Currently active tenant"""
-        return str(request._request.tenant)
+    def get_brand(self, request: Request) -> str:
+        """Currently active brand"""
+        return str(request._request.brand)
 
     def get_server_time(self, request: Request) -> datetime:
         """Current server time"""
         return now()
 
+    def get_embedded_outpost_disabled(self, request: Request) -> bool:
+        """Whether the embedded outpost is disabled"""
+        return CONFIG.get_bool("outposts.disable_embedded_outpost", False)
+
     def get_embedded_outpost_host(self, request: Request) -> str:
         """Get the FQDN configured on the embedded outpost"""
         outposts = Outpost.objects.filter(managed=MANAGED_OUTPOST)
@@ -91,14 +97,14 @@ class SystemView(APIView):
     permission_classes = [HasPermission("authentik_rbac.view_system_info")]
     pagination_class = None
     filter_backends = []
-    serializer_class = SystemSerializer
+    serializer_class = SystemInfoSerializer
 
-    @extend_schema(responses={200: SystemSerializer(many=False)})
+    @extend_schema(responses={200: SystemInfoSerializer(many=False)})
     def get(self, request: Request) -> Response:
         """Get system information."""
-        return Response(SystemSerializer(request).data)
+        return Response(SystemInfoSerializer(request).data)
 
-    @extend_schema(responses={200: SystemSerializer(many=False)})
+    @extend_schema(responses={200: SystemInfoSerializer(many=False)})
     def post(self, request: Request) -> Response:
         """Get system information."""
-        return Response(SystemSerializer(request).data)
+        return Response(SystemInfoSerializer(request).data)

authentik/admin/apps.py

@@ -15,6 +15,6 @@ class AuthentikAdminConfig(ManagedAppConfig):
     verbose_name = "authentik Admin"
     default = True
 
-    def reconcile_load_admin_signals(self):
+    def reconcile_global_load_admin_signals(self):
         """Load admin signals"""
         self.import_module("authentik.admin.signals")

authentik/api/templates/api/browser.html

@@ -3,7 +3,7 @@
 {% load static %}
 
 {% block title %}
-API Browser - {{ tenant.branding_title }}
+API Browser - {{ brand.branding_title }}
 {% endblock %}
 
 {% block head %}

authentik/api/tests/test_auth.py

@@ -12,6 +12,8 @@ from authentik.blueprints.tests import reconcile_app
 from authentik.core.models import Token, TokenIntents, User, UserTypes
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.lib.generators import generate_id
+from authentik.outposts.apps import MANAGED_OUTPOST
+from authentik.outposts.models import Outpost
 from authentik.providers.oauth2.constants import SCOPE_AUTHENTIK_API
 from authentik.providers.oauth2.models import AccessToken, OAuth2Provider
 
@@ -49,8 +51,12 @@ class TestAPIAuth(TestCase):
         with self.assertRaises(AuthenticationFailed):
             bearer_auth(f"Bearer {token.key}".encode())
 
-    def test_managed_outpost(self):
+    @reconcile_app("authentik_outposts")
+    def test_managed_outpost_fail(self):
         """Test managed outpost"""
+        outpost = Outpost.objects.filter(managed=MANAGED_OUTPOST).first()
+        outpost.user.delete()
+        outpost.delete()
         with self.assertRaises(AuthenticationFailed):
             bearer_auth(f"Bearer {settings.SECRET_KEY}".encode())
 

authentik/api/v3/config.py

@@ -19,7 +19,7 @@ from rest_framework.response import Response
 from rest_framework.views import APIView
 
 from authentik.core.api.utils import PassiveSerializer
-from authentik.events.geo import GEOIP_READER
+from authentik.events.context_processors.base import get_context_processors
 from authentik.lib.config import CONFIG
 
 capabilities = Signal()
@@ -30,6 +30,7 @@ class Capabilities(models.TextChoices):
 
     CAN_SAVE_MEDIA = "can_save_media"
     CAN_GEO_IP = "can_geo_ip"
+    CAN_ASN = "can_asn"
     CAN_IMPERSONATE = "can_impersonate"
     CAN_DEBUG = "can_debug"
     IS_ENTERPRISE = "is_enterprise"
@@ -68,9 +69,10 @@ class ConfigView(APIView):
         deb_test = settings.DEBUG or settings.TEST
         if Path(settings.MEDIA_ROOT).is_mount() or deb_test:
             caps.append(Capabilities.CAN_SAVE_MEDIA)
-        if GEOIP_READER.enabled:
-            caps.append(Capabilities.CAN_GEO_IP)
-        if CONFIG.get_bool("impersonation"):
+        for processor in get_context_processors():
+            if cap := processor.capability():
+                caps.append(cap)
+        if self.request.tenant.impersonation:
             caps.append(Capabilities.CAN_IMPERSONATE)
         if settings.DEBUG:  # pragma: no cover
             caps.append(Capabilities.CAN_DEBUG)
@@ -93,10 +95,10 @@ class ConfigView(APIView):
                     "traces_sample_rate": float(CONFIG.get("error_reporting.sample_rate", 0.4)),
                 },
                 "capabilities": self.get_capabilities(),
-                "cache_timeout": CONFIG.get_int("redis.cache_timeout"),
-                "cache_timeout_flows": CONFIG.get_int("redis.cache_timeout_flows"),
-                "cache_timeout_policies": CONFIG.get_int("redis.cache_timeout_policies"),
-                "cache_timeout_reputation": CONFIG.get_int("redis.cache_timeout_reputation"),
+                "cache_timeout": CONFIG.get_int("cache.timeout"),
+                "cache_timeout_flows": CONFIG.get_int("cache.timeout_flows"),
+                "cache_timeout_policies": CONFIG.get_int("cache.timeout_policies"),
+                "cache_timeout_reputation": CONFIG.get_int("cache.timeout_reputation"),
             }
         )
 

authentik/api/v3/urls.py

@@ -21,7 +21,9 @@ _other_urls = []
 for _authentik_app in get_apps():
     try:
         api_urls = import_module(f"{_authentik_app.name}.urls")
-    except (ModuleNotFoundError, ImportError) as exc:
+    except ModuleNotFoundError:
+        continue
+    except ImportError as exc:
         LOGGER.warning("Could not import app's URLs", app_name=_authentik_app.name, exc=exc)
         continue
     if not hasattr(api_urls, "api_urlpatterns"):

authentik/blueprints/api.py

@@ -3,7 +3,7 @@ from django.utils.translation import gettext_lazy as _
 from drf_spectacular.utils import extend_schema, inline_serializer
 from rest_framework.decorators import action
 from rest_framework.exceptions import ValidationError
-from rest_framework.fields import CharField, DateTimeField, JSONField
+from rest_framework.fields import CharField, DateTimeField
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import ListSerializer, ModelSerializer
@@ -15,7 +15,7 @@ from authentik.blueprints.v1.importer import Importer
 from authentik.blueprints.v1.oci import OCI_PREFIX
 from authentik.blueprints.v1.tasks import apply_blueprint, blueprints_find_dict
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import PassiveSerializer
+from authentik.core.api.utils import JSONDictField, PassiveSerializer
 
 
 class ManagedSerializer:
@@ -28,7 +28,7 @@ class MetadataSerializer(PassiveSerializer):
     """Serializer for blueprint metadata"""
 
     name = CharField()
-    labels = JSONField()
+    labels = JSONDictField()
 
 
 class BlueprintInstanceSerializer(ModelSerializer):

authentik/blueprints/apps.py

@@ -13,21 +13,23 @@ class ManagedAppConfig(AppConfig):
 
     _logger: BoundLogger
 
+    RECONCILE_GLOBAL_PREFIX: str = "reconcile_global_"
+    RECONCILE_TENANT_PREFIX: str = "reconcile_tenant_"
+
     def __init__(self, app_name: str, *args, **kwargs) -> None:
         super().__init__(app_name, *args, **kwargs)
         self._logger = get_logger().bind(app_name=app_name)
 
     def ready(self) -> None:
-        self.reconcile()
+        self.reconcile_global()
+        self.reconcile_tenant()
         return super().ready()
 
     def import_module(self, path: str):
         """Load module"""
         import_module(path)
 
-    def reconcile(self) -> None:
-        """reconcile ourselves"""
-        prefix = "reconcile_"
+    def _reconcile(self, prefix: str) -> None:
         for meth_name in dir(self):
             meth = getattr(self, meth_name)
             if not ismethod(meth):
@@ -40,7 +42,30 @@ class ManagedAppConfig(AppConfig):
                 meth()
                 self._logger.debug("Successfully reconciled", name=name)
             except (DatabaseError, ProgrammingError, InternalError) as exc:
-                self._logger.debug("Failed to run reconcile", name=name, exc=exc)
+                self._logger.warning("Failed to run reconcile", name=name, exc=exc)
+
+    def reconcile_tenant(self) -> None:
+        """reconcile ourselves for tenanted methods"""
+        from authentik.tenants.models import Tenant
+
+        try:
+            tenants = list(Tenant.objects.filter(ready=True))
+        except (DatabaseError, ProgrammingError, InternalError) as exc:
+            self._logger.debug("Failed to get tenants to run reconcile", exc=exc)
+            return
+        for tenant in tenants:
+            with tenant:
+                self._reconcile(self.RECONCILE_TENANT_PREFIX)
+
+    def reconcile_global(self) -> None:
+        """
+        reconcile ourselves for global methods.
+        Used for signals, tasks, etc. Database queries should not be made in here.
+        """
+        from django_tenants.utils import get_public_schema_name, schema_context
+
+        with schema_context(get_public_schema_name()):
+            self._reconcile(self.RECONCILE_GLOBAL_PREFIX)
 
 
 class AuthentikBlueprintsConfig(ManagedAppConfig):
@@ -51,11 +76,11 @@ class AuthentikBlueprintsConfig(ManagedAppConfig):
     verbose_name = "authentik Blueprints"
     default = True
 
-    def reconcile_load_blueprints_v1_tasks(self):
+    def reconcile_global_load_blueprints_v1_tasks(self):
         """Load v1 tasks"""
         self.import_module("authentik.blueprints.v1.tasks")
 
-    def reconcile_blueprints_discovery(self):
+    def reconcile_tenant_blueprints_discovery(self):
         """Run blueprint discovery"""
         from authentik.blueprints.v1.tasks import blueprints_discovery, clear_failed_blueprints
 

authentik/blueprints/management/commands/apply_blueprint.py

@@ -6,6 +6,7 @@ from structlog.stdlib import get_logger
 
 from authentik.blueprints.models import BlueprintInstance
 from authentik.blueprints.v1.importer import Importer
+from authentik.tenants.models import Tenant
 
 LOGGER = get_logger()
 
@@ -16,14 +17,16 @@ class Command(BaseCommand):
     @no_translations
     def handle(self, *args, **options):
         """Apply all blueprints in order, abort when one fails to import"""
-        for blueprint_path in options.get("blueprints", []):
-            content = BlueprintInstance(path=blueprint_path).retrieve()
-            importer = Importer.from_string(content)
-            valid, _ = importer.validate()
-            if not valid:
-                self.stderr.write("blueprint invalid")
-                sys_exit(1)
-            importer.apply()
+        for tenant in Tenant.objects.filter(ready=True):
+            with tenant:
+                for blueprint_path in options.get("blueprints", []):
+                    content = BlueprintInstance(path=blueprint_path).retrieve()
+                    importer = Importer.from_string(content)
+                    valid, _ = importer.validate()
+                    if not valid:
+                        self.stderr.write("blueprint invalid")
+                        sys_exit(1)
+                    importer.apply()
 
     def add_arguments(self, parser):
         parser.add_argument("blueprints", nargs="+", type=str)

authentik/blueprints/management/commands/export_blueprint.py

@@ -1,17 +1,18 @@
 """Export blueprint of current authentik install"""
-from django.core.management.base import BaseCommand, no_translations
+from django.core.management.base import no_translations
 from structlog.stdlib import get_logger
 
 from authentik.blueprints.v1.exporter import Exporter
+from authentik.tenants.management import TenantCommand
 
 LOGGER = get_logger()
 
 
-class Command(BaseCommand):
+class Command(TenantCommand):
     """Export blueprint of current authentik install"""
 
     @no_translations
-    def handle(self, *args, **options):
+    def handle_per_tenant(self, *args, **options):
         """Export blueprint of current authentik install"""
         exporter = Exporter()
         self.stdout.write(exporter.export_to_string())

authentik/blueprints/migrations/0001_initial.py

@@ -14,7 +14,7 @@ from authentik.blueprints.v1.labels import LABEL_AUTHENTIK_SYSTEM
 from authentik.lib.config import CONFIG
 
 
-def check_blueprint_v1_file(BlueprintInstance: type, path: Path):
+def check_blueprint_v1_file(BlueprintInstance: type, db_alias, path: Path):
     """Check if blueprint should be imported"""
     from authentik.blueprints.models import BlueprintInstanceStatus
     from authentik.blueprints.v1.common import BlueprintLoader, BlueprintMetadata
@@ -29,7 +29,9 @@ def check_blueprint_v1_file(BlueprintInstance: type, path: Path):
         if version != 1:
             return
         blueprint_file.seek(0)
-    instance: BlueprintInstance = BlueprintInstance.objects.filter(path=path).first()
+    instance: BlueprintInstance = (
+        BlueprintInstance.objects.using(db_alias).filter(path=path).first()
+    )
     rel_path = path.relative_to(Path(CONFIG.get("blueprints_dir")))
     meta = None
     if metadata:
@@ -37,7 +39,7 @@ def check_blueprint_v1_file(BlueprintInstance: type, path: Path):
         if meta.labels.get(LABEL_AUTHENTIK_INSTANTIATE, "").lower() == "false":
             return
     if not instance:
-        instance = BlueprintInstance(
+        BlueprintInstance.objects.using(db_alias).create(
             name=meta.name if meta else str(rel_path),
             path=str(rel_path),
             context={},
@@ -47,7 +49,6 @@ def check_blueprint_v1_file(BlueprintInstance: type, path: Path):
             last_applied_hash="",
             metadata=metadata or {},
         )
-        instance.save()
 
 
 def migration_blueprint_import(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
@@ -56,7 +57,7 @@ def migration_blueprint_import(apps: Apps, schema_editor: BaseDatabaseSchemaEdit
 
     db_alias = schema_editor.connection.alias
     for file in glob(f"{CONFIG.get('blueprints_dir')}/**/*.yaml", recursive=True):
-        check_blueprint_v1_file(BlueprintInstance, Path(file))
+        check_blueprint_v1_file(BlueprintInstance, db_alias, Path(file))
 
     for blueprint in BlueprintInstance.objects.using(db_alias).all():
         # If we already have flows (and we should always run before flow migrations)

authentik/blueprints/tests/__init__.py

@@ -38,7 +38,7 @@ def reconcile_app(app_name: str):
         def wrapper(*args, **kwargs):
             config = apps.get_app_config(app_name)
             if isinstance(config, ManagedAppConfig):
-                config.reconcile()
+                config.ready()
             return func(*args, **kwargs)
 
         return wrapper

authentik/blueprints/tests/test_packaged.py

@@ -7,16 +7,16 @@ from django.test import TransactionTestCase
 from authentik.blueprints.models import BlueprintInstance
 from authentik.blueprints.tests import apply_blueprint
 from authentik.blueprints.v1.importer import Importer
-from authentik.tenants.models import Tenant
+from authentik.brands.models import Brand
 
 
 class TestPackaged(TransactionTestCase):
     """Empty class, test methods are added dynamically"""
 
-    @apply_blueprint("default/default-tenant.yaml")
+    @apply_blueprint("default/default-brand.yaml")
     def test_decorator_static(self):
         """Test @apply_blueprint decorator"""
-        self.assertTrue(Tenant.objects.filter(domain="authentik-default").exists())
+        self.assertTrue(Brand.objects.filter(domain="authentik-default").exists())
 
 
 def blueprint_tester(file_name: Path) -> Callable:

authentik/blueprints/v1/importer.py

@@ -35,7 +35,7 @@ from authentik.core.models import (
     Source,
     UserSourceConnection,
 )
-from authentik.enterprise.models import LicenseUsage
+from authentik.enterprise.models import LicenseKey, LicenseUsage
 from authentik.events.utils import cleanse_dict
 from authentik.flows.models import FlowToken, Stage
 from authentik.lib.models import SerializerModel
@@ -43,6 +43,7 @@ from authentik.lib.sentry import SentryIgnoredException
 from authentik.outposts.models import OutpostServiceConnection
 from authentik.policies.models import Policy, PolicyBindingModel
 from authentik.providers.scim.models import SCIMGroup, SCIMUser
+from authentik.tenants.models import Tenant
 
 # Context set when the serializer is created in a blueprint context
 # Update website/developer-docs/blueprints/v1/models.md when used
@@ -57,6 +58,7 @@ def excluded_models() -> list[type[Model]]:
     from django.contrib.auth.models import User as DjangoUser
 
     return (
+        Tenant,
         DjangoUser,
         DjangoGroup,
         # Base classes
@@ -108,12 +110,16 @@ class Importer:
         self.__pk_map: dict[Any, Model] = {}
         self._import = blueprint
         self.logger = get_logger()
-        ctx = {}
+        ctx = self.default_context()
         always_merger.merge(ctx, self._import.context)
         if context:
             always_merger.merge(ctx, context)
         self._import.context = ctx
 
+    def default_context(self):
+        """Default context"""
+        return {"goauthentik.io/enterprise/licensed": LicenseKey.get_total().is_valid()}
+
     @staticmethod
     def from_string(yaml_input: str, context: dict | None = None) -> "Importer":
         """Parse YAML string and create blueprint importer from it"""

authentik/blueprints/v1/meta/apply_blueprint.py

@@ -2,11 +2,11 @@
 from typing import TYPE_CHECKING
 
 from rest_framework.exceptions import ValidationError
-from rest_framework.fields import BooleanField, JSONField
+from rest_framework.fields import BooleanField
 from structlog.stdlib import get_logger
 
 from authentik.blueprints.v1.meta.registry import BaseMetaModel, MetaResult, registry
-from authentik.core.api.utils import PassiveSerializer, is_dict
+from authentik.core.api.utils import JSONDictField, PassiveSerializer
 
 if TYPE_CHECKING:
     from authentik.blueprints.models import BlueprintInstance
@@ -17,7 +17,7 @@ LOGGER = get_logger()
 class ApplyBlueprintMetaSerializer(PassiveSerializer):
     """Serializer for meta apply blueprint model"""
 
-    identifiers = JSONField(validators=[is_dict])
+    identifiers = JSONDictField()
     required = BooleanField(default=True)
 
     # We cannot override `instance` as that will confuse rest_framework

authentik/blueprints/v1/tasks.py

@@ -38,6 +38,7 @@ from authentik.events.monitored_tasks import (
 from authentik.events.utils import sanitize_dict
 from authentik.lib.config import CONFIG
 from authentik.root.celery import CELERY_APP
+from authentik.tenants.models import Tenant
 
 LOGGER = get_logger()
 _file_watcher_started = False
@@ -75,16 +76,21 @@ class BlueprintEventHandler(FileSystemEventHandler):
             return
         if event.is_directory:
             return
-        if isinstance(event, FileCreatedEvent):
-            LOGGER.debug("new blueprint file created, starting discovery")
-            blueprints_discovery.delay()
-        if isinstance(event, FileModifiedEvent):
-            path = Path(event.src_path)
-            root = Path(CONFIG.get("blueprints_dir")).absolute()
-            rel_path = str(path.relative_to(root))
-            for instance in BlueprintInstance.objects.filter(path=rel_path, enabled=True):
-                LOGGER.debug("modified blueprint file, starting apply", instance=instance)
-                apply_blueprint.delay(instance.pk.hex)
+        root = Path(CONFIG.get("blueprints_dir")).absolute()
+        path = Path(event.src_path).absolute()
+        rel_path = str(path.relative_to(root))
+        for tenant in Tenant.objects.filter(ready=True):
+            with tenant:
+                root = Path(CONFIG.get("blueprints_dir")).absolute()
+                path = Path(event.src_path).absolute()
+                rel_path = str(path.relative_to(root))
+                if isinstance(event, FileCreatedEvent):
+                    LOGGER.debug("new blueprint file created, starting discovery", path=rel_path)
+                    blueprints_discovery.delay(rel_path)
+                if isinstance(event, FileModifiedEvent):
+                    for instance in BlueprintInstance.objects.filter(path=rel_path, enabled=True):
+                        LOGGER.debug("modified blueprint file, starting apply", instance=instance)
+                        apply_blueprint.delay(instance.pk.hex)
 
 
 @CELERY_APP.task(
@@ -98,39 +104,32 @@ def blueprints_find_dict():
     return blueprints
 
 
-def blueprints_find():
+def blueprints_find() -> list[BlueprintFile]:
     """Find blueprints and return valid ones"""
     blueprints = []
     root = Path(CONFIG.get("blueprints_dir"))
     for path in root.rglob("**/*.yaml"):
+        rel_path = path.relative_to(root)
         # Check if any part in the path starts with a dot and assume a hidden file
         if any(part for part in path.parts if part.startswith(".")):
             continue
-        LOGGER.debug("found blueprint", path=str(path))
         with open(path, "r", encoding="utf-8") as blueprint_file:
             try:
                 raw_blueprint = load(blueprint_file.read(), BlueprintLoader)
             except YAMLError as exc:
                 raw_blueprint = None
-                LOGGER.warning("failed to parse blueprint", exc=exc, path=str(path))
+                LOGGER.warning("failed to parse blueprint", exc=exc, path=str(rel_path))
             if not raw_blueprint:
                 continue
             metadata = raw_blueprint.get("metadata", None)
             version = raw_blueprint.get("version", 1)
             if version != 1:
-                LOGGER.warning("invalid blueprint version", version=version, path=str(path))
+                LOGGER.warning("invalid blueprint version", version=version, path=str(rel_path))
                 continue
         file_hash = sha512(path.read_bytes()).hexdigest()
-        blueprint = BlueprintFile(
-            str(path.relative_to(root)), version, file_hash, int(path.stat().st_mtime)
-        )
+        blueprint = BlueprintFile(str(rel_path), version, file_hash, int(path.stat().st_mtime))
         blueprint.meta = from_dict(BlueprintMetadata, metadata) if metadata else None
         blueprints.append(blueprint)
-        LOGGER.debug(
-            "parsed & loaded blueprint",
-            hash=file_hash,
-            path=str(path),
-        )
     return blueprints
 
 
@@ -138,10 +137,12 @@ def blueprints_find():
     throws=(DatabaseError, ProgrammingError, InternalError), base=MonitoredTask, bind=True
 )
 @prefill_task
-def blueprints_discovery(self: MonitoredTask):
+def blueprints_discovery(self: MonitoredTask, path: Optional[str] = None):
     """Find blueprints and check if they need to be created in the database"""
     count = 0
     for blueprint in blueprints_find():
+        if path and blueprint.path != path:
+            continue
         check_blueprint_v1_file(blueprint)
         count += 1
     self.set_status(
@@ -171,7 +172,11 @@ def check_blueprint_v1_file(blueprint: BlueprintFile):
             metadata={},
         )
         instance.save()
+        LOGGER.info(
+            "Creating new blueprint instance from file", instance=instance, path=instance.path
+        )
     if instance.last_applied_hash != blueprint.hash:
+        LOGGER.info("Applying blueprint due to changed file", instance=instance, path=instance.path)
         apply_blueprint.delay(str(instance.pk))
 
 

authentik/brands/api.py

@@ -1,4 +1,4 @@
-"""Serializer for tenant models"""
+"""Serializer for brands models"""
 from typing import Any
 
 from django.db import models
@@ -14,10 +14,10 @@ from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet
 
 from authentik.api.authorization import SecretKeyFilter
+from authentik.brands.models import Brand
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import PassiveSerializer
-from authentik.lib.config import CONFIG
-from authentik.tenants.models import Tenant
+from authentik.tenants.utils import get_current_tenant
 
 
 class FooterLinkSerializer(PassiveSerializer):
@@ -27,22 +27,22 @@ class FooterLinkSerializer(PassiveSerializer):
     name = CharField(read_only=True)
 
 
-class TenantSerializer(ModelSerializer):
-    """Tenant Serializer"""
+class BrandSerializer(ModelSerializer):
+    """Brand Serializer"""
 
     def validate(self, attrs: dict[str, Any]) -> dict[str, Any]:
         if attrs.get("default", False):
-            tenants = Tenant.objects.filter(default=True)
+            brands = Brand.objects.filter(default=True)
             if self.instance:
-                tenants = tenants.exclude(pk=self.instance.pk)
-            if tenants.exists():
-                raise ValidationError({"default": "Only a single Tenant can be set as default."})
+                brands = brands.exclude(pk=self.instance.pk)
+            if brands.exists():
+                raise ValidationError({"default": "Only a single brand can be set as default."})
         return super().validate(attrs)
 
     class Meta:
-        model = Tenant
+        model = Brand
         fields = [
-            "tenant_uuid",
+            "brand_uuid",
             "domain",
             "default",
             "branding_title",
@@ -54,7 +54,6 @@ class TenantSerializer(ModelSerializer):
             "flow_unenrollment",
             "flow_user_settings",
             "flow_device_code",
-            "event_retention",
             "web_certificate",
             "attributes",
         ]
@@ -68,8 +67,13 @@ class Themes(models.TextChoices):
     DARK = "dark"
 
 
-class CurrentTenantSerializer(PassiveSerializer):
-    """Partial tenant information for styling"""
+def get_default_ui_footer_links():
+    """Get default UI footer links based on current tenant settings"""
+    return get_current_tenant().footer_links
+
+
+class CurrentBrandSerializer(PassiveSerializer):
+    """Partial brand information for styling"""
 
     matched_domain = CharField(source="domain")
     branding_title = CharField()
@@ -78,7 +82,7 @@ class CurrentTenantSerializer(PassiveSerializer):
     ui_footer_links = ListField(
         child=FooterLinkSerializer(),
         read_only=True,
-        default=CONFIG.get("footer_links", []),
+        default=get_default_ui_footer_links,
     )
     ui_theme = ChoiceField(
         choices=Themes.choices,
@@ -97,18 +101,18 @@ class CurrentTenantSerializer(PassiveSerializer):
     default_locale = CharField(read_only=True)
 
 
-class TenantViewSet(UsedByMixin, ModelViewSet):
-    """Tenant Viewset"""
+class BrandViewSet(UsedByMixin, ModelViewSet):
+    """Brand Viewset"""
 
-    queryset = Tenant.objects.all()
-    serializer_class = TenantSerializer
+    queryset = Brand.objects.all()
+    serializer_class = BrandSerializer
     search_fields = [
         "domain",
         "branding_title",
         "web_certificate__name",
     ]
     filterset_fields = [
-        "tenant_uuid",
+        "brand_uuid",
         "domain",
         "default",
         "branding_title",
@@ -120,7 +124,6 @@ class TenantViewSet(UsedByMixin, ModelViewSet):
         "flow_unenrollment",
         "flow_user_settings",
         "flow_device_code",
-        "event_retention",
         "web_certificate",
     ]
     ordering = ["domain"]
@@ -128,10 +131,10 @@ class TenantViewSet(UsedByMixin, ModelViewSet):
     filter_backends = [SecretKeyFilter, OrderingFilter, SearchFilter]
 
     @extend_schema(
-        responses=CurrentTenantSerializer(many=False),
+        responses=CurrentBrandSerializer(many=False),
     )
     @action(methods=["GET"], detail=False, permission_classes=[AllowAny])
     def current(self, request: Request) -> Response:
-        """Get current tenant"""
-        tenant: Tenant = request._request.tenant
-        return Response(CurrentTenantSerializer(tenant).data)
+        """Get current brand"""
+        brand: Brand = request._request.brand
+        return Response(CurrentBrandSerializer(brand).data)

authentik/brands/apps.py

@@ -0,0 +1,10 @@
+"""authentik brands app"""
+from django.apps import AppConfig
+
+
+class AuthentikBrandsConfig(AppConfig):
+    """authentik Brand app"""
+
+    name = "authentik.brands"
+    label = "authentik_brands"
+    verbose_name = "authentik Brands"

authentik/brands/middleware.py

@@ -0,0 +1,26 @@
+"""Inject brand into current request"""
+from typing import Callable
+
+from django.http.request import HttpRequest
+from django.http.response import HttpResponse
+from django.utils.translation import activate
+
+from authentik.brands.utils import get_brand_for_request
+
+
+class BrandMiddleware:
+    """Add current brand to http request"""
+
+    get_response: Callable[[HttpRequest], HttpResponse]
+
+    def __init__(self, get_response: Callable[[HttpRequest], HttpResponse]):
+        self.get_response = get_response
+
+    def __call__(self, request: HttpRequest) -> HttpResponse:
+        if not hasattr(request, "brand"):
+            brand = get_brand_for_request(request)
+            setattr(request, "brand", brand)
+            locale = brand.default_locale
+            if locale != "":
+                activate(locale)
+        return self.get_response(request)

authentik/brands/migrations/0001_squashed_0005_tenant_web_certificate.py

@@ -10,11 +10,11 @@ import authentik.lib.utils.time
 
 class Migration(migrations.Migration):
     replaces = [
-        ("authentik_tenants", "0001_initial"),
-        ("authentik_tenants", "0002_default"),
-        ("authentik_tenants", "0003_tenant_branding_favicon"),
-        ("authentik_tenants", "0004_tenant_event_retention"),
-        ("authentik_tenants", "0005_tenant_web_certificate"),
+        ("authentik_brands", "0001_initial"),
+        ("authentik_brands", "0002_default"),
+        ("authentik_brands", "0003_tenant_branding_favicon"),
+        ("authentik_brands", "0004_tenant_event_retention"),
+        ("authentik_brands", "0005_tenant_web_certificate"),
     ]
 
     initial = True
@@ -25,7 +25,7 @@ class Migration(migrations.Migration):
 
     operations = [
         migrations.CreateModel(
-            name="Tenant",
+            name="Brand",
             fields=[
                 (
                     "tenant_uuid",
@@ -37,7 +37,7 @@ class Migration(migrations.Migration):
                     "domain",
                     models.TextField(
                         help_text=(
-                            "Domain that activates this tenant. Can be a superset, i.e. `a.b` for"
+                            "Domain that activates this brand. Can be a superset, i.e. `a.b` for"
                             " `aa.b` and `ba.b`"
                         )
                     ),
@@ -53,7 +53,7 @@ class Migration(migrations.Migration):
                     models.ForeignKey(
                         null=True,
                         on_delete=django.db.models.deletion.SET_NULL,
-                        related_name="tenant_authentication",
+                        related_name="brand_authentication",
                         to="authentik_flows.flow",
                     ),
                 ),
@@ -62,7 +62,7 @@ class Migration(migrations.Migration):
                     models.ForeignKey(
                         null=True,
                         on_delete=django.db.models.deletion.SET_NULL,
-                        related_name="tenant_invalidation",
+                        related_name="brand_invalidation",
                         to="authentik_flows.flow",
                     ),
                 ),
@@ -71,7 +71,7 @@ class Migration(migrations.Migration):
                     models.ForeignKey(
                         null=True,
                         on_delete=django.db.models.deletion.SET_NULL,
-                        related_name="tenant_recovery",
+                        related_name="brand_recovery",
                         to="authentik_flows.flow",
                     ),
                 ),
@@ -80,23 +80,23 @@ class Migration(migrations.Migration):
                     models.ForeignKey(
                         null=True,
                         on_delete=django.db.models.deletion.SET_NULL,
-                        related_name="tenant_unenrollment",
+                        related_name="brand_unenrollment",
                         to="authentik_flows.flow",
                     ),
                 ),
             ],
             options={
-                "verbose_name": "Tenant",
-                "verbose_name_plural": "Tenants",
+                "verbose_name": "Brand",
+                "verbose_name_plural": "Brands",
             },
         ),
         migrations.AddField(
-            model_name="tenant",
+            model_name="brand",
             name="branding_favicon",
             field=models.TextField(default="/static/dist/assets/icons/icon.png"),
         ),
         migrations.AddField(
-            model_name="tenant",
+            model_name="brand",
             name="event_retention",
             field=models.TextField(
                 default="days=365",
@@ -108,7 +108,7 @@ class Migration(migrations.Migration):
             ),
         ),
         migrations.AddField(
-            model_name="tenant",
+            model_name="brand",
             name="web_certificate",
             field=models.ForeignKey(
                 default=None,

authentik/brands/migrations/0002_tenant_flow_user_settings.py

@@ -8,17 +8,17 @@ class Migration(migrations.Migration):
     dependencies = [
         ("authentik_stages_prompt", "0007_prompt_placeholder_expression"),
         ("authentik_flows", "0021_auto_20211227_2103"),
-        ("authentik_tenants", "0001_squashed_0005_tenant_web_certificate"),
+        ("authentik_brands", "0001_squashed_0005_tenant_web_certificate"),
     ]
 
     operations = [
         migrations.AddField(
-            model_name="tenant",
+            model_name="brand",
             name="flow_user_settings",
             field=models.ForeignKey(
                 null=True,
                 on_delete=django.db.models.deletion.SET_NULL,
-                related_name="tenant_user_settings",
+                related_name="brand_user_settings",
                 to="authentik_flows.flow",
             ),
         ),

authentik/brands/migrations/0003_tenant_attributes.py

@@ -5,12 +5,12 @@ from django.db import migrations, models
 
 class Migration(migrations.Migration):
     dependencies = [
-        ("authentik_tenants", "0002_tenant_flow_user_settings"),
+        ("authentik_brands", "0002_tenant_flow_user_settings"),
     ]
 
     operations = [
         migrations.AddField(
-            model_name="tenant",
+            model_name="brand",
             name="attributes",
             field=models.JSONField(blank=True, default=dict),
         ),

authentik/brands/migrations/0004_tenant_flow_device_code.py

@@ -7,17 +7,17 @@ from django.db import migrations, models
 class Migration(migrations.Migration):
     dependencies = [
         ("authentik_flows", "0023_flow_denied_action"),
-        ("authentik_tenants", "0003_tenant_attributes"),
+        ("authentik_brands", "0003_tenant_attributes"),
     ]
 
     operations = [
         migrations.AddField(
-            model_name="tenant",
+            model_name="brand",
             name="flow_device_code",
             field=models.ForeignKey(
                 null=True,
                 on_delete=django.db.models.deletion.SET_NULL,
-                related_name="tenant_device_code",
+                related_name="brand_device_code",
                 to="authentik_flows.flow",
             ),
         ),

authentik/brands/migrations/0005_tenantuuid_to_branduuid.py

@@ -0,0 +1,21 @@
+# Generated by Django 4.2.7 on 2023-12-12 06:41
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("authentik_brands", "0004_tenant_flow_device_code"),
+    ]
+
+    operations = [
+        migrations.RenameField(
+            model_name="brand",
+            old_name="tenant_uuid",
+            new_name="brand_uuid",
+        ),
+        migrations.RemoveField(
+            model_name="brand",
+            name="event_retention",
+        ),
+    ]

authentik/brands/models.py

@@ -0,0 +1,85 @@
+"""brand models"""
+from uuid import uuid4
+
+from django.db import models
+from django.utils.translation import gettext_lazy as _
+from rest_framework.serializers import Serializer
+from structlog.stdlib import get_logger
+
+from authentik.crypto.models import CertificateKeyPair
+from authentik.flows.models import Flow
+from authentik.lib.models import SerializerModel
+
+LOGGER = get_logger()
+
+
+class Brand(SerializerModel):
+    """Single brand"""
+
+    brand_uuid = models.UUIDField(primary_key=True, editable=False, default=uuid4)
+    domain = models.TextField(
+        help_text=_(
+            "Domain that activates this brand. Can be a superset, i.e. `a.b` for `aa.b` and `ba.b`"
+        )
+    )
+    default = models.BooleanField(
+        default=False,
+    )
+
+    branding_title = models.TextField(default="authentik")
+
+    branding_logo = models.TextField(default="/static/dist/assets/icons/icon_left_brand.svg")
+    branding_favicon = models.TextField(default="/static/dist/assets/icons/icon.png")
+
+    flow_authentication = models.ForeignKey(
+        Flow, null=True, on_delete=models.SET_NULL, related_name="brand_authentication"
+    )
+    flow_invalidation = models.ForeignKey(
+        Flow, null=True, on_delete=models.SET_NULL, related_name="brand_invalidation"
+    )
+    flow_recovery = models.ForeignKey(
+        Flow, null=True, on_delete=models.SET_NULL, related_name="brand_recovery"
+    )
+    flow_unenrollment = models.ForeignKey(
+        Flow, null=True, on_delete=models.SET_NULL, related_name="brand_unenrollment"
+    )
+    flow_user_settings = models.ForeignKey(
+        Flow, null=True, on_delete=models.SET_NULL, related_name="brand_user_settings"
+    )
+    flow_device_code = models.ForeignKey(
+        Flow, null=True, on_delete=models.SET_NULL, related_name="brand_device_code"
+    )
+
+    web_certificate = models.ForeignKey(
+        CertificateKeyPair,
+        null=True,
+        default=None,
+        on_delete=models.SET_DEFAULT,
+        help_text=_("Web Certificate used by the authentik Core webserver."),
+    )
+    attributes = models.JSONField(default=dict, blank=True)
+
+    @property
+    def serializer(self) -> Serializer:
+        from authentik.brands.api import BrandSerializer
+
+        return BrandSerializer
+
+    @property
+    def default_locale(self) -> str:
+        """Get default locale"""
+        try:
+            return self.attributes.get("settings", {}).get("locale", "")
+        # pylint: disable=broad-except
+        except Exception as exc:
+            LOGGER.warning("Failed to get default locale", exc=exc)
+            return ""
+
+    def __str__(self) -> str:
+        if self.default:
+            return "Default brand"
+        return f"Brand {self.domain}"
+
+    class Meta:
+        verbose_name = _("Brand")
+        verbose_name_plural = _("Brands")

authentik/brands/tests.py

@@ -0,0 +1,76 @@
+"""Test brands"""
+from django.urls import reverse
+from rest_framework.test import APITestCase
+
+from authentik.brands.api import Themes
+from authentik.brands.models import Brand
+from authentik.core.tests.utils import create_test_admin_user, create_test_brand
+
+
+class TestBrands(APITestCase):
+    """Test brands"""
+
+    def test_current_brand(self):
+        """Test Current brand API"""
+        brand = create_test_brand()
+        self.assertJSONEqual(
+            self.client.get(reverse("authentik_api:brand-current")).content.decode(),
+            {
+                "branding_logo": "/static/dist/assets/icons/icon_left_brand.svg",
+                "branding_favicon": "/static/dist/assets/icons/icon.png",
+                "branding_title": "authentik",
+                "matched_domain": brand.domain,
+                "ui_footer_links": [],
+                "ui_theme": Themes.AUTOMATIC,
+                "default_locale": "",
+            },
+        )
+
+    def test_brand_subdomain(self):
+        """Test Current brand API"""
+        Brand.objects.all().delete()
+        Brand.objects.create(domain="bar.baz", branding_title="custom")
+        self.assertJSONEqual(
+            self.client.get(
+                reverse("authentik_api:brand-current"), HTTP_HOST="foo.bar.baz"
+            ).content.decode(),
+            {
+                "branding_logo": "/static/dist/assets/icons/icon_left_brand.svg",
+                "branding_favicon": "/static/dist/assets/icons/icon.png",
+                "branding_title": "custom",
+                "matched_domain": "bar.baz",
+                "ui_footer_links": [],
+                "ui_theme": Themes.AUTOMATIC,
+                "default_locale": "",
+            },
+        )
+
+    def test_fallback(self):
+        """Test fallback brand"""
+        Brand.objects.all().delete()
+        self.assertJSONEqual(
+            self.client.get(reverse("authentik_api:brand-current")).content.decode(),
+            {
+                "branding_logo": "/static/dist/assets/icons/icon_left_brand.svg",
+                "branding_favicon": "/static/dist/assets/icons/icon.png",
+                "branding_title": "authentik",
+                "matched_domain": "fallback",
+                "ui_footer_links": [],
+                "ui_theme": Themes.AUTOMATIC,
+                "default_locale": "",
+            },
+        )
+
+    def test_create_default_multiple(self):
+        """Test attempted creation of multiple default brands"""
+        Brand.objects.create(
+            domain="foo",
+            default=True,
+            branding_title="custom",
+        )
+        user = create_test_admin_user()
+        self.client.force_login(user)
+        response = self.client.post(
+            reverse("authentik_api:brand-list"), data={"domain": "bar", "default": True}
+        )
+        self.assertEqual(response.status_code, 400)

authentik/brands/urls.py

@@ -0,0 +1,6 @@
+"""API URLs"""
+from authentik.brands.api import BrandViewSet
+
+api_urlpatterns = [
+    ("core/brands", BrandViewSet),
+]

authentik/brands/utils.py

@@ -0,0 +1,42 @@
+"""Brand utilities"""
+from typing import Any
+
+from django.db.models import F, Q
+from django.db.models import Value as V
+from django.http.request import HttpRequest
+from sentry_sdk.hub import Hub
+
+from authentik import get_full_version
+from authentik.brands.models import Brand
+from authentik.tenants.utils import get_current_tenant
+
+_q_default = Q(default=True)
+DEFAULT_BRAND = Brand(domain="fallback")
+
+
+def get_brand_for_request(request: HttpRequest) -> Brand:
+    """Get brand object for current request"""
+    db_brands = (
+        Brand.objects.annotate(host_domain=V(request.get_host()))
+        .filter(Q(host_domain__iendswith=F("domain")) | _q_default)
+        .order_by("default")
+    )
+    brands = list(db_brands.all())
+    if len(brands) < 1:
+        return DEFAULT_BRAND
+    return brands[0]
+
+
+def context_processor(request: HttpRequest) -> dict[str, Any]:
+    """Context Processor that injects brand object into every template"""
+    brand = getattr(request, "brand", DEFAULT_BRAND)
+    trace = ""
+    span = Hub.current.scope.span
+    if span:
+        trace = span.to_traceparent()
+    return {
+        "brand": brand,
+        "footer_links": get_current_tenant().footer_links,
+        "sentry_trace": trace,
+        "version": get_full_version(),
+    }

authentik/core/api/authenticated_sessions.py

@@ -14,7 +14,8 @@ from ua_parser import user_agent_parser
 from authentik.api.authorization import OwnerSuperuserPermissions
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.models import AuthenticatedSession
-from authentik.events.geo import GEOIP_READER, GeoIPDict
+from authentik.events.context_processors.asn import ASN_CONTEXT_PROCESSOR, ASNDict
+from authentik.events.context_processors.geoip import GEOIP_CONTEXT_PROCESSOR, GeoIPDict
 
 
 class UserAgentDeviceDict(TypedDict):
@@ -59,6 +60,7 @@ class AuthenticatedSessionSerializer(ModelSerializer):
     current = SerializerMethodField()
     user_agent = SerializerMethodField()
     geo_ip = SerializerMethodField()
+    asn = SerializerMethodField()
 
     def get_current(self, instance: AuthenticatedSession) -> bool:
         """Check if session is currently active session"""
@@ -70,8 +72,12 @@ class AuthenticatedSessionSerializer(ModelSerializer):
         return user_agent_parser.Parse(instance.last_user_agent)
 
     def get_geo_ip(self, instance: AuthenticatedSession) -> Optional[GeoIPDict]:  # pragma: no cover
-        """Get parsed user agent"""
-        return GEOIP_READER.city_dict(instance.last_ip)
+        """Get GeoIP Data"""
+        return GEOIP_CONTEXT_PROCESSOR.city_dict(instance.last_ip)
+
+    def get_asn(self, instance: AuthenticatedSession) -> Optional[ASNDict]:  # pragma: no cover
+        """Get ASN Data"""
+        return ASN_CONTEXT_PROCESSOR.asn_dict(instance.last_ip)
 
     class Meta:
         model = AuthenticatedSession
@@ -80,6 +86,7 @@ class AuthenticatedSessionSerializer(ModelSerializer):
             "current",
             "user_agent",
             "geo_ip",
+            "asn",
             "user",
             "last_ip",
             "last_user_agent",

authentik/core/api/groups.py

@@ -8,7 +8,7 @@ from django_filters.filterset import FilterSet
 from drf_spectacular.utils import OpenApiResponse, extend_schema
 from guardian.shortcuts import get_objects_for_user
 from rest_framework.decorators import action
-from rest_framework.fields import CharField, IntegerField, JSONField
+from rest_framework.fields import CharField, IntegerField
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import ListSerializer, ModelSerializer, ValidationError
@@ -16,7 +16,7 @@ from rest_framework.viewsets import ModelViewSet
 
 from authentik.api.decorators import permission_required
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import PassiveSerializer, is_dict
+from authentik.core.api.utils import JSONDictField, PassiveSerializer
 from authentik.core.models import Group, User
 from authentik.rbac.api.roles import RoleSerializer
 
@@ -24,7 +24,7 @@ from authentik.rbac.api.roles import RoleSerializer
 class GroupMemberSerializer(ModelSerializer):
     """Stripped down user serializer to show relevant users for groups"""
 
-    attributes = JSONField(validators=[is_dict], required=False)
+    attributes = JSONDictField(required=False)
     uid = CharField(read_only=True)
 
     class Meta:
@@ -44,7 +44,7 @@ class GroupMemberSerializer(ModelSerializer):
 class GroupSerializer(ModelSerializer):
     """Group Serializer"""
 
-    attributes = JSONField(validators=[is_dict], required=False)
+    attributes = JSONDictField(required=False)
     users_obj = ListSerializer(
         child=GroupMemberSerializer(), read_only=True, source="users", required=False
     )

authentik/core/api/propertymappings.py

@@ -19,6 +19,7 @@ from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import MetaNameSerializer, PassiveSerializer, TypeCreateSerializer
 from authentik.core.expression.evaluator import PropertyMappingEvaluator
 from authentik.core.models import PropertyMapping
+from authentik.enterprise.apps import EnterpriseConfig
 from authentik.events.utils import sanitize_item
 from authentik.lib.utils.reflection import all_subclasses
 from authentik.policies.api.exec import PolicyTestSerializer
@@ -95,6 +96,7 @@ class PropertyMappingViewSet(
                     "description": subclass.__doc__,
                     "component": subclass().component,
                     "model_name": subclass._meta.model_name,
+                    "requires_enterprise": isinstance(subclass._meta.app_config, EnterpriseConfig),
                 }
             )
         return Response(TypeCreateSerializer(data, many=True).data)

authentik/core/api/providers.py

@@ -16,6 +16,7 @@ from rest_framework.viewsets import GenericViewSet
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import MetaNameSerializer, TypeCreateSerializer
 from authentik.core.models import Provider
+from authentik.enterprise.apps import EnterpriseConfig
 from authentik.lib.utils.reflection import all_subclasses
 
 
@@ -113,6 +114,7 @@ class ProviderViewSet(
                     "description": subclass.__doc__,
                     "component": subclass().component,
                     "model_name": subclass._meta.model_name,
+                    "requires_enterprise": isinstance(subclass._meta.app_config, EnterpriseConfig),
                 }
             )
         data.append(

authentik/core/api/sources.py

@@ -38,7 +38,7 @@ class SourceSerializer(ModelSerializer, MetaNameSerializer):
 
     managed = ReadOnlyField()
     component = SerializerMethodField()
-    icon = ReadOnlyField(source="get_icon")
+    icon = ReadOnlyField(source="icon_url")
 
     def get_component(self, obj: Source) -> str:
         """Get object component so that we know how to edit the object"""

authentik/core/api/users.py

@@ -32,13 +32,7 @@ from drf_spectacular.utils import (
 )
 from guardian.shortcuts import get_anonymous_user, get_objects_for_user
 from rest_framework.decorators import action
-from rest_framework.fields import (
-    CharField,
-    IntegerField,
-    JSONField,
-    ListField,
-    SerializerMethodField,
-)
+from rest_framework.fields import CharField, IntegerField, ListField, SerializerMethodField
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import (
@@ -56,8 +50,9 @@ from structlog.stdlib import get_logger
 from authentik.admin.api.metrics import CoordinateSerializer
 from authentik.api.decorators import permission_required
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
+from authentik.brands.models import Brand
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import LinkSerializer, PassiveSerializer, is_dict
+from authentik.core.api.utils import JSONDictField, LinkSerializer, PassiveSerializer
 from authentik.core.middleware import (
     SESSION_KEY_IMPERSONATE_ORIGINAL_USER,
     SESSION_KEY_IMPERSONATE_USER,
@@ -77,11 +72,9 @@ from authentik.flows.exceptions import FlowNonApplicableException
 from authentik.flows.models import FlowToken
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlanner
 from authentik.flows.views.executor import QS_KEY_TOKEN
-from authentik.lib.config import CONFIG
 from authentik.stages.email.models import EmailStage
 from authentik.stages.email.tasks import send_mails
 from authentik.stages.email.utils import TemplateEmailMessage
-from authentik.tenants.models import Tenant
 
 LOGGER = get_logger()
 
@@ -89,7 +82,7 @@ LOGGER = get_logger()
 class UserGroupSerializer(ModelSerializer):
     """Simplified Group Serializer for user's groups"""
 
-    attributes = JSONField(required=False)
+    attributes = JSONDictField(required=False)
     parent_name = CharField(source="parent.name", read_only=True)
 
     class Meta:
@@ -110,7 +103,7 @@ class UserSerializer(ModelSerializer):
 
     is_superuser = BooleanField(read_only=True)
     avatar = CharField(read_only=True)
-    attributes = JSONField(validators=[is_dict], required=False)
+    attributes = JSONDictField(required=False)
     groups = PrimaryKeyRelatedField(
         allow_empty=True, many=True, source="ak_groups", queryset=Group.objects.all(), default=list
     )
@@ -171,6 +164,11 @@ class UserSerializer(ModelSerializer):
             raise ValidationError("Setting a user to internal service account is not allowed.")
         return user_type
 
+    def validate(self, attrs: dict) -> dict:
+        if self.instance and self.instance.type == UserTypes.INTERNAL_SERVICE_ACCOUNT:
+            raise ValidationError("Can't modify internal service account users")
+        return super().validate(attrs)
+
     class Meta:
         model = User
         fields = [
@@ -222,7 +220,7 @@ class UserSelfSerializer(ModelSerializer):
             }
 
     def get_settings(self, user: User) -> dict[str, Any]:
-        """Get user settings with tenant and group settings applied"""
+        """Get user settings with brand and group settings applied"""
         return user.group_attributes(self._context["request"]).get("settings", {})
 
     def get_system_permissions(self, user: User) -> list[str]:
@@ -383,11 +381,11 @@ class UserViewSet(UsedByMixin, ModelViewSet):
         return User.objects.all().exclude(pk=get_anonymous_user().pk)
 
     def _create_recovery_link(self) -> tuple[Optional[str], Optional[Token]]:
-        """Create a recovery link (when the current tenant has a recovery flow set),
+        """Create a recovery link (when the current brand has a recovery flow set),
         that can either be shown to an admin or sent to the user directly"""
-        tenant: Tenant = self.request._request.tenant
+        brand: Brand = self.request._request.brand
         # Check that there is a recovery flow, if not return an error
-        flow = tenant.flow_recovery
+        flow = brand.flow_recovery
         if not flow:
             LOGGER.debug("No recovery flow set")
             return None, None
@@ -619,7 +617,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
     @action(detail=True, methods=["POST"])
     def impersonate(self, request: Request, pk: int) -> Response:
         """Impersonate a user"""
-        if not CONFIG.get_bool("impersonation"):
+        if not request.tenant.impersonation:
             LOGGER.debug("User attempted to impersonate", user=request.user)
             return Response(status=401)
         if not request.user.has_perm("impersonate"):

authentik/core/api/utils.py

@@ -2,7 +2,10 @@
 from typing import Any
 
 from django.db.models import Model
-from rest_framework.fields import CharField, IntegerField, JSONField
+from drf_spectacular.extensions import OpenApiSerializerFieldExtension
+from drf_spectacular.plumbing import build_basic_type
+from drf_spectacular.types import OpenApiTypes
+from rest_framework.fields import BooleanField, CharField, IntegerField, JSONField
 from rest_framework.serializers import Serializer, SerializerMethodField, ValidationError
 
 
@@ -13,6 +16,21 @@ def is_dict(value: Any):
     raise ValidationError("Value must be a dictionary, and not have any duplicate keys.")
 
 
+class JSONDictField(JSONField):
+    """JSON Field which only allows dictionaries"""
+
+    default_validators = [is_dict]
+
+
+class JSONExtension(OpenApiSerializerFieldExtension):
+    """Generate API Schema for JSON fields as"""
+
+    target_class = "authentik.core.api.utils.JSONDictField"
+
+    def map_serializer_field(self, auto_schema, direction):
+        return build_basic_type(OpenApiTypes.OBJECT)
+
+
 class PassiveSerializer(Serializer):
     """Base serializer class which doesn't implement create/update methods"""
 
@@ -26,7 +44,7 @@ class PassiveSerializer(Serializer):
 class PropertyMappingPreviewSerializer(PassiveSerializer):
     """Preview how the current user is mapped via the property mappings selected in a provider"""
 
-    preview = JSONField(read_only=True)
+    preview = JSONDictField(read_only=True)
 
 
 class MetaNameSerializer(PassiveSerializer):
@@ -56,6 +74,7 @@ class TypeCreateSerializer(PassiveSerializer):
     description = CharField(required=True)
     component = CharField(required=True)
     model_name = CharField(required=True)
+    requires_enterprise = BooleanField(default=False)
 
 
 class CacheSerializer(PassiveSerializer):

authentik/core/apps.py

@@ -13,18 +13,18 @@ class AuthentikCoreConfig(ManagedAppConfig):
     mountpoint = ""
     default = True
 
-    def reconcile_load_core_signals(self):
+    def reconcile_global_load_core_signals(self):
         """Load core signals"""
         self.import_module("authentik.core.signals")
 
-    def reconcile_debug_worker_hook(self):
+    def reconcile_global_debug_worker_hook(self):
         """Dispatch startup tasks inline when debugging"""
         if settings.DEBUG:
             from authentik.root.celery import worker_ready_hook
 
             worker_ready_hook()
 
-    def reconcile_source_inbuilt(self):
+    def reconcile_tenant_source_inbuilt(self):
         """Reconcile inbuilt source"""
         from authentik.core.models import Source
 

authentik/core/channels.py

@@ -1,22 +1,29 @@
 """Channels base classes"""
+from channels.db import database_sync_to_async
 from channels.exceptions import DenyConnection
-from channels.generic.websocket import JsonWebsocketConsumer
 from rest_framework.exceptions import AuthenticationFailed
 from structlog.stdlib import get_logger
 
 from authentik.api.authentication import bearer_auth
-from authentik.core.models import User
 
 LOGGER = get_logger()
 
 
-class AuthJsonConsumer(JsonWebsocketConsumer):
+class TokenOutpostMiddleware:
     """Authorize a client with a token"""
 
-    user: User
+    def __init__(self, inner):
+        self.inner = inner
 
-    def connect(self):
-        headers = dict(self.scope["headers"])
+    async def __call__(self, scope, receive, send):
+        scope = dict(scope)
+        await self.auth(scope)
+        return await self.inner(scope, receive, send)
+
+    @database_sync_to_async
+    def auth(self, scope):
+        """Authenticate request from header"""
+        headers = dict(scope["headers"])
         if b"authorization" not in headers:
             LOGGER.warning("WS Request without authorization header")
             raise DenyConnection()
@@ -32,4 +39,4 @@ class AuthJsonConsumer(JsonWebsocketConsumer):
             LOGGER.warning("Failed to authenticate", exc=exc)
             raise DenyConnection()
 
-        self.user = user
+        scope["user"] = user

authentik/core/expression/evaluator.py

@@ -44,6 +44,7 @@ class PropertyMappingEvaluator(BaseEvaluator):
         if request:
             req.http_request = request
         self._context["request"] = req
+        req.context.update(**kwargs)
         self._context.update(**kwargs)
         self.dry_run = dry_run
 

authentik/core/management/commands/bootstrap_tasks.py

@@ -1,13 +1,20 @@
 """Run bootstrap tasks"""
 from django.core.management.base import BaseCommand
+from django_tenants.utils import get_public_schema_name
 
-from authentik.root.celery import _get_startup_tasks
+from authentik.root.celery import _get_startup_tasks_all_tenants, _get_startup_tasks_default_tenant
+from authentik.tenants.models import Tenant
 
 
 class Command(BaseCommand):
     """Run bootstrap tasks to ensure certain objects are created"""
 
     def handle(self, **options):
-        tasks = _get_startup_tasks()
-        for task in tasks:
-            task()
+        for task in _get_startup_tasks_default_tenant():
+            with Tenant.objects.get(schema_name=get_public_schema_name()):
+                task()
+
+        for task in _get_startup_tasks_all_tenants():
+            for tenant in Tenant.objects.filter(ready=True):
+                with tenant:
+                    task()

authentik/core/management/commands/repair_permissions.py

@@ -4,6 +4,8 @@ from django.contrib.auth.management import create_permissions
 from django.core.management.base import BaseCommand, no_translations
 from guardian.management import create_anonymous_user
 
+from authentik.tenants.models import Tenant
+
 
 class Command(BaseCommand):
     """Repair missing permissions"""
@@ -11,7 +13,9 @@ class Command(BaseCommand):
     @no_translations
     def handle(self, *args, **options):
         """Check permissions for all apps"""
-        for app in apps.get_app_configs():
-            self.stdout.write(f"Checking app {app.name} ({app.label})\n")
-            create_permissions(app, verbosity=0)
-        create_anonymous_user(None, using="default")
+        for tenant in Tenant.objects.filter(ready=True):
+            with tenant:
+                for app in apps.get_app_configs():
+                    self.stdout.write(f"Checking app {app.name} ({app.label})\n")
+                    create_permissions(app, verbosity=0)
+                create_anonymous_user(None, using="default")

authentik/core/management/commands/worker.py

@@ -17,9 +17,15 @@ class Command(BaseCommand):
     """Run worker"""
 
     def add_arguments(self, parser):
-        parser.add_argument("-b", "--beat", action="store_true")
+        parser.add_argument(
+            "-b",
+            "--beat",
+            action="store_false",
+            help="When set, this worker will _not_ run Beat (scheduled) tasks",
+        )
 
     def handle(self, **options):
+        LOGGER.debug("Celery options", **options)
         close_old_connections()
         if CONFIG.get_bool("remote_debug"):
             import debugpy

authentik/core/models.py

@@ -30,7 +30,6 @@ from authentik.lib.models import (
     DomainlessFormattedURLValidator,
     SerializerModel,
 )
-from authentik.lib.utils.http import get_client_ip
 from authentik.policies.models import PolicyBindingModel
 from authentik.root.install_id import get_install_id
 
@@ -202,8 +201,8 @@ class User(SerializerModel, GuardianUserMixin, AbstractUser):
         """Get a dictionary containing the attributes from all groups the user belongs to,
         including the users attributes"""
         final_attributes = {}
-        if request and hasattr(request, "tenant"):
-            always_merger.merge(final_attributes, request.tenant.attributes)
+        if request and hasattr(request, "brand"):
+            always_merger.merge(final_attributes, request.brand.attributes)
         for group in self.all_groups().order_by("name"):
             always_merger.merge(final_attributes, group.attributes)
         always_merger.merge(final_attributes, self.attributes)
@@ -262,7 +261,7 @@ class User(SerializerModel, GuardianUserMixin, AbstractUser):
         except Exception as exc:
             LOGGER.warning("Failed to get default locale", exc=exc)
         if request:
-            return request.tenant.locale
+            return request.brand.locale
         return ""
 
     @property
@@ -517,7 +516,7 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
     objects = InheritanceManager()
 
     @property
-    def get_icon(self) -> Optional[str]:
+    def icon_url(self) -> Optional[str]:
         """Get the URL to the Icon. If the name is /static or
         starts with http it is returned as-is"""
         if not self.icon:
@@ -748,12 +747,14 @@ class AuthenticatedSession(ExpiringModel):
     @staticmethod
     def from_request(request: HttpRequest, user: User) -> Optional["AuthenticatedSession"]:
         """Create a new session from a http request"""
+        from authentik.root.middleware import ClientIPMiddleware
+
         if not hasattr(request, "session") or not request.session.session_key:
             return None
         return AuthenticatedSession(
             session_key=request.session.session_key,
             user=user,
-            last_ip=get_client_ip(request),
+            last_ip=ClientIPMiddleware.get_client_ip(request),
             last_user_agent=request.META.get("HTTP_USER_AGENT", ""),
             expires=request.session.get_expiry_date(),
         )

authentik/core/templates/base/header_js.html

@@ -5,7 +5,7 @@
     window.authentik = {
         locale: "{{ LANGUAGE_CODE }}",
         config: JSON.parse('{{ config_json|escapejs }}'),
-        tenant: JSON.parse('{{ tenant_json|escapejs }}'),
+        brand: JSON.parse('{{ brand_json|escapejs }}'),
         versionFamily: "{{ version_family }}",
         versionSubdomain: "{{ version_subdomain }}",
         build: "{{ build }}",

authentik/core/templates/base/skeleton.html

@@ -7,13 +7,12 @@
     <head>
         <meta charset="UTF-8">
         <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
-        <title>{% block title %}{% trans title|default:tenant.branding_title %}{% endblock %}</title>
-        <link rel="icon" href="{{ tenant.branding_favicon }}">
-        <link rel="shortcut icon" href="{{ tenant.branding_favicon }}">
+        <title>{% block title %}{% trans title|default:brand.branding_title %}{% endblock %}</title>
+        <link rel="icon" href="{{ brand.branding_favicon }}">
+        <link rel="shortcut icon" href="{{ brand.branding_favicon }}">
         {% block head_before %}
         {% endblock %}
         <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">
-        <link rel="stylesheet" type="text/css" href="{% static 'dist/theme-dark.css' %}" media="(prefers-color-scheme: dark)">
         <link rel="stylesheet" type="text/css" href="{% static 'dist/custom.css' %}" data-inject>
         <script src="{% static 'dist/poly.js' %}?version={{ version }}" type="module"></script>
         <script src="{% static 'dist/standalone/loading/index.js' %}?version={{ version }}" type="module"></script>

authentik/core/templates/if/end_session.html

@@ -4,7 +4,7 @@
 {% load i18n %}
 
 {% block title %}
-{% trans 'End session' %} - {{ tenant.branding_title }}
+{% trans 'End session' %} - {{ brand.branding_title }}
 {% endblock %}
 
 {% block card_title %}
@@ -16,7 +16,7 @@ You've logged out of {{ application }}.
 {% block card %}
 <form method="POST" class="pf-c-form">
     <p>
-        {% blocktrans with application=application.name branding_title=tenant.branding_title %}
+        {% blocktrans with application=application.name branding_title=brand.branding_title %}
             You've logged out of {{ application }}. You can go back to the overview to launch another application, or log out of your {{ branding_title }} account.
         {% endblocktrans %}
     </p>
@@ -26,7 +26,7 @@ You've logged out of {{ application }}.
     </a>
 
     <a id="logout" href="{% url 'authentik_flows:default-invalidation' %}" class="pf-c-button pf-m-secondary">
-        {% blocktrans with branding_title=tenant.branding_title %}
+        {% blocktrans with branding_title=brand.branding_title %}
             Log out of {{ branding_title }}
         {% endblocktrans %}
     </a>

authentik/core/templates/if/error.html

@@ -4,7 +4,7 @@
 {% load i18n %}
 
 {% block title %}
-{{ tenant.branding_title }}
+{{ brand.branding_title }}
 {% endblock %}
 
 {% block card_title %}

authentik/core/templates/if/flow.html

@@ -27,7 +27,7 @@ window.authentik.flow = {
 
 {% block body %}
 <ak-message-container></ak-message-container>
-<ak-flow-executor>
+<ak-flow-executor flowSlug="{{ flow.slug }}">
     <ak-loading></ak-loading>
 </ak-flow-executor>
 {% endblock %}

authentik/core/templates/login/base_full.html

@@ -6,6 +6,7 @@
 {% block head_before %}
 <link rel="prefetch" href="/static/dist/assets/images/flow_background.jpg" />
 <link rel="stylesheet" type="text/css" href="{% static 'dist/patternfly.min.css' %}">
+<link rel="stylesheet" type="text/css" href="{% static 'dist/theme-dark.css' %}" media="(prefers-color-scheme: dark)">
 {% include "base/header_js.html" %}
 {% endblock %}
 
@@ -43,28 +44,14 @@
 
 {% block body %}
 <div class="pf-c-background-image">
-    <svg xmlns="http://www.w3.org/2000/svg" class="pf-c-background-image__filter" width="0" height="0">
-        <filter id="image_overlay">
-            <feColorMatrix in="SourceGraphic" type="matrix" values="1.3 0 0 0 0 0 1.3 0 0 0 0 0 1.3 0 0 0 0 0 1 0" />
-            <feComponentTransfer color-interpolation-filters="sRGB" result="duotone">
-                <feFuncR type="table" tableValues="0.086274509803922 0.43921568627451"></feFuncR>
-                <feFuncG type="table" tableValues="0.086274509803922 0.43921568627451"></feFuncG>
-                <feFuncB type="table" tableValues="0.086274509803922 0.43921568627451"></feFuncB>
-                <feFuncA type="table" tableValues="0 1"></feFuncA>
-            </feComponentTransfer>
-        </filter>
-    </svg>
 </div>
 <ak-message-container></ak-message-container>
-<div class="pf-c-login">
+<div class="pf-c-login stacked">
     <div class="ak-login-container">
-        <header class="pf-c-login__header">
-            <div class="pf-c-brand ak-brand">
-                <img src="{{ tenant.branding_logo }}" alt="authentik Logo" />
-            </div>
-        </header>
-        {% block main_container %}
         <main class="pf-c-login__main">
+            <div class="pf-c-login__main-header pf-c-brand ak-brand">
+                <img src="{{ brand.branding_logo }}" alt="authentik Logo" />
+            </div>
             <header class="pf-c-login__main-header">
                 <h1 class="pf-c-title pf-m-3xl">
                     {% block card_title %}
@@ -76,7 +63,6 @@
                 {% endblock %}
             </div>
         </main>
-        {% endblock %}
         <footer class="pf-c-login__footer">
             <ul class="pf-c-list pf-m-inline">
                 {% for link in footer_links %}

authentik/core/tests/test_applications_views.py

@@ -3,10 +3,10 @@ from unittest.mock import MagicMock, patch
 
 from django.urls import reverse
 
+from authentik.brands.models import Brand
 from authentik.core.models import Application
-from authentik.core.tests.utils import create_test_admin_user, create_test_flow, create_test_tenant
+from authentik.core.tests.utils import create_test_admin_user, create_test_brand, create_test_flow
 from authentik.flows.tests import FlowTestCase
-from authentik.tenants.models import Tenant
 
 
 class TestApplicationsViews(FlowTestCase):
@@ -21,9 +21,9 @@ class TestApplicationsViews(FlowTestCase):
     def test_check_redirect(self):
         """Test redirect"""
         empty_flow = create_test_flow()
-        tenant: Tenant = create_test_tenant()
-        tenant.flow_authentication = empty_flow
-        tenant.save()
+        brand: Brand = create_test_brand()
+        brand.flow_authentication = empty_flow
+        brand.save()
         response = self.client.get(
             reverse(
                 "authentik_core:application-launch",
@@ -45,9 +45,9 @@ class TestApplicationsViews(FlowTestCase):
         """Test redirect"""
         self.client.force_login(self.user)
         empty_flow = create_test_flow()
-        tenant: Tenant = create_test_tenant()
-        tenant.flow_authentication = empty_flow
-        tenant.save()
+        brand: Brand = create_test_brand()
+        brand.flow_authentication = empty_flow
+        brand.save()
         response = self.client.get(
             reverse(
                 "authentik_core:application-launch",

authentik/core/tests/test_impersonation.py

@@ -6,7 +6,7 @@ from rest_framework.test import APITestCase
 
 from authentik.core.models import User
 from authentik.core.tests.utils import create_test_admin_user
-from authentik.lib.config import CONFIG
+from authentik.tenants.utils import get_current_tenant
 
 
 class TestImpersonation(APITestCase):
@@ -56,9 +56,11 @@ class TestImpersonation(APITestCase):
         response_body = loads(response.content.decode())
         self.assertEqual(response_body["user"]["username"], self.other_user.username)
 
-    @CONFIG.patch("impersonation", False)
     def test_impersonate_disabled(self):
         """test impersonation that is disabled"""
+        tenant = get_current_tenant()
+        tenant.impersonation = False
+        tenant.save()
         self.client.force_login(self.user)
 
         response = self.client.post(

authentik/core/tests/test_users_api.py

@@ -7,6 +7,7 @@ from django.core.cache import cache
 from django.urls.base import reverse
 from rest_framework.test import APITestCase
 
+from authentik.brands.models import Brand
 from authentik.core.models import (
     USER_ATTRIBUTE_TOKEN_EXPIRING,
     AuthenticatedSession,
@@ -14,11 +15,10 @@ from authentik.core.models import (
     User,
     UserTypes,
 )
-from authentik.core.tests.utils import create_test_admin_user, create_test_flow, create_test_tenant
+from authentik.core.tests.utils import create_test_admin_user, create_test_brand, create_test_flow
 from authentik.flows.models import FlowDesignation
 from authentik.lib.generators import generate_id, generate_key
 from authentik.stages.email.models import EmailStage
-from authentik.tenants.models import Tenant
 
 
 class TestUsersAPI(APITestCase):
@@ -80,9 +80,9 @@ class TestUsersAPI(APITestCase):
     def test_recovery(self):
         """Test user recovery link (no recovery flow set)"""
         flow = create_test_flow(FlowDesignation.RECOVERY)
-        tenant: Tenant = create_test_tenant()
-        tenant.flow_recovery = flow
-        tenant.save()
+        brand: Brand = create_test_brand()
+        brand.flow_recovery = flow
+        brand.save()
         self.client.force_login(self.admin)
         response = self.client.get(
             reverse("authentik_api:user-recovery", kwargs={"pk": self.user.pk})
@@ -108,9 +108,9 @@ class TestUsersAPI(APITestCase):
         self.user.email = "foo@bar.baz"
         self.user.save()
         flow = create_test_flow(designation=FlowDesignation.RECOVERY)
-        tenant: Tenant = create_test_tenant()
-        tenant.flow_recovery = flow
-        tenant.save()
+        brand: Brand = create_test_brand()
+        brand.flow_recovery = flow
+        brand.save()
         self.client.force_login(self.admin)
         response = self.client.get(
             reverse("authentik_api:user-recovery-email", kwargs={"pk": self.user.pk})
@@ -122,9 +122,9 @@ class TestUsersAPI(APITestCase):
         self.user.email = "foo@bar.baz"
         self.user.save()
         flow = create_test_flow(FlowDesignation.RECOVERY)
-        tenant: Tenant = create_test_tenant()
-        tenant.flow_recovery = flow
-        tenant.save()
+        brand: Brand = create_test_brand()
+        brand.flow_recovery = flow
+        brand.save()
 
         stage = EmailStage.objects.create(name="email")
 

authentik/core/tests/test_users_avatars.py

@@ -8,6 +8,7 @@ from rest_framework.test import APITestCase
 from authentik.core.models import User
 from authentik.core.tests.utils import create_test_admin_user
 from authentik.lib.config import CONFIG
+from authentik.tenants.utils import get_current_tenant
 
 
 class TestUsersAvatars(APITestCase):
@@ -17,18 +18,25 @@ class TestUsersAvatars(APITestCase):
         self.admin = create_test_admin_user()
         self.user = User.objects.create(username="test-user")
 
+    def set_avatar_mode(self, mode: str):
+        """Set the avatar mode on the current tenant."""
+        tenant = get_current_tenant()
+        tenant.avatars = mode
+        tenant.save()
+
     @CONFIG.patch("avatars", "none")
     def test_avatars_none(self):
         """Test avatars none"""
+        self.set_avatar_mode("none")
         self.client.force_login(self.admin)
         response = self.client.get(reverse("authentik_api:user-me"))
         self.assertEqual(response.status_code, 200)
         body = loads(response.content.decode())
         self.assertEqual(body["user"]["avatar"], "/static/dist/assets/images/user_default.png")
 
-    @CONFIG.patch("avatars", "gravatar")
     def test_avatars_gravatar(self):
         """Test avatars gravatar"""
+        self.set_avatar_mode("gravatar")
         self.admin.email = "static@t.goauthentik.io"
         self.admin.save()
         self.client.force_login(self.admin)
@@ -45,27 +53,27 @@ class TestUsersAvatars(APITestCase):
         body = loads(response.content.decode())
         self.assertIn("gravatar", body["user"]["avatar"])
 
-    @CONFIG.patch("avatars", "initials")
     def test_avatars_initials(self):
         """Test avatars initials"""
+        self.set_avatar_mode("initials")
         self.client.force_login(self.admin)
         response = self.client.get(reverse("authentik_api:user-me"))
         self.assertEqual(response.status_code, 200)
         body = loads(response.content.decode())
         self.assertIn("data:image/svg+xml;base64,", body["user"]["avatar"])
 
-    @CONFIG.patch("avatars", "foo://%(username)s")
     def test_avatars_custom(self):
         """Test avatars custom"""
+        self.set_avatar_mode("foo://%(username)s")
         self.client.force_login(self.admin)
         response = self.client.get(reverse("authentik_api:user-me"))
         self.assertEqual(response.status_code, 200)
         body = loads(response.content.decode())
         self.assertEqual(body["user"]["avatar"], f"foo://{self.admin.username}")
 
-    @CONFIG.patch("avatars", "attributes.foo.avatar")
     def test_avatars_attributes(self):
         """Test avatars attributes"""
+        self.set_avatar_mode("attributes.foo.avatar")
         self.admin.attributes = {"foo": {"avatar": "bar"}}
         self.admin.save()
         self.client.force_login(self.admin)
@@ -74,9 +82,9 @@ class TestUsersAvatars(APITestCase):
         body = loads(response.content.decode())
         self.assertEqual(body["user"]["avatar"], "bar")
 
-    @CONFIG.patch("avatars", "attributes.foo.avatar,initials")
     def test_avatars_fallback(self):
         """Test fallback"""
+        self.set_avatar_mode("attributes.foo.avatar,initials")
         self.client.force_login(self.admin)
         response = self.client.get(reverse("authentik_api:user-me"))
         self.assertEqual(response.status_code, 200)

authentik/core/tests/utils.py

@@ -3,12 +3,12 @@ from typing import Optional
 
 from django.utils.text import slugify
 
+from authentik.brands.models import Brand
 from authentik.core.models import Group, User
 from authentik.crypto.builder import CertificateBuilder
 from authentik.crypto.models import CertificateKeyPair
 from authentik.flows.models import Flow, FlowDesignation
 from authentik.lib.generators import generate_id
-from authentik.tenants.models import Tenant
 
 
 def create_test_flow(
@@ -43,12 +43,12 @@ def create_test_admin_user(name: Optional[str] = None, **kwargs) -> User:
     return user
 
 
-def create_test_tenant(**kwargs) -> Tenant:
-    """Generate a test tenant, removing all other tenants to make sure this one
+def create_test_brand(**kwargs) -> Brand:
+    """Generate a test brand, removing all other brands to make sure this one
     matches."""
     uid = generate_id(20)
-    Tenant.objects.all().delete()
-    return Tenant.objects.create(domain=uid, default=True, **kwargs)
+    Brand.objects.all().delete()
+    return Brand.objects.create(domain=uid, default=True, **kwargs)
 
 
 def create_test_cert(use_ec_private_key=False) -> CertificateKeyPair:

authentik/core/views/interface.py

@@ -9,8 +9,8 @@ from rest_framework.request import Request
 from authentik import get_build_hash
 from authentik.admin.tasks import LOCAL_VERSION
 from authentik.api.v3.config import ConfigView
+from authentik.brands.api import CurrentBrandSerializer
 from authentik.flows.models import Flow
-from authentik.tenants.api import CurrentTenantSerializer
 
 
 class InterfaceView(TemplateView):
@@ -18,10 +18,11 @@ class InterfaceView(TemplateView):
 
     def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
         kwargs["config_json"] = dumps(ConfigView(request=Request(self.request)).get_config().data)
-        kwargs["tenant_json"] = dumps(CurrentTenantSerializer(self.request.tenant).data)
+        kwargs["brand_json"] = dumps(CurrentBrandSerializer(self.request.brand).data)
         kwargs["version_family"] = f"{LOCAL_VERSION.major}.{LOCAL_VERSION.minor}"
         kwargs["version_subdomain"] = f"version-{LOCAL_VERSION.major}-{LOCAL_VERSION.minor}"
         kwargs["build"] = get_build_hash()
+        kwargs["url_kwargs"] = self.kwargs
         return super().get_context_data(**kwargs)
 
 

authentik/crypto/apps.py

@@ -16,7 +16,7 @@ class AuthentikCryptoConfig(ManagedAppConfig):
     verbose_name = "authentik Crypto"
     default = True
 
-    def reconcile_load_crypto_tasks(self):
+    def reconcile_global_load_crypto_tasks(self):
         """Load crypto tasks"""
         self.import_module("authentik.crypto.tasks")
 
@@ -39,7 +39,7 @@ class AuthentikCryptoConfig(ManagedAppConfig):
             },
         )
 
-    def reconcile_managed_jwt_cert(self):
+    def reconcile_tenant_managed_jwt_cert(self):
         """Ensure managed JWT certificate"""
         from authentik.crypto.models import CertificateKeyPair
 
@@ -52,7 +52,7 @@ class AuthentikCryptoConfig(ManagedAppConfig):
         ):
             self._create_update_cert()
 
-    def reconcile_self_signed(self):
+    def reconcile_tenant_self_signed(self):
         """Create self-signed keypair"""
         from authentik.crypto.builder import CertificateBuilder
         from authentik.crypto.models import CertificateKeyPair

authentik/crypto/management/commands/import_certificate.py

@@ -1,21 +1,22 @@
 """Import certificate"""
 from sys import exit as sys_exit
 
-from django.core.management.base import BaseCommand, no_translations
+from django.core.management.base import no_translations
 from rest_framework.exceptions import ValidationError
 from structlog.stdlib import get_logger
 
 from authentik.crypto.api import CertificateKeyPairSerializer
 from authentik.crypto.models import CertificateKeyPair
+from authentik.tenants.management import TenantCommand
 
 LOGGER = get_logger()
 
 
-class Command(BaseCommand):
+class Command(TenantCommand):
     """Import certificate"""
 
     @no_translations
-    def handle(self, *args, **options):
+    def handle_per_tenant(self, *args, **options):
         """Import certificate"""
         keypair = CertificateKeyPair.objects.filter(name=options["name"]).first()
         dirty = False

authentik/enterprise/api.py

@@ -2,9 +2,11 @@
 from datetime import datetime, timedelta
 
 from django.utils.timezone import now
+from django.utils.translation import gettext as _
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import extend_schema, inline_serializer
 from rest_framework.decorators import action
+from rest_framework.exceptions import ValidationError
 from rest_framework.fields import BooleanField, CharField, DateTimeField, IntegerField
 from rest_framework.permissions import IsAuthenticated
 from rest_framework.request import Request
@@ -20,6 +22,18 @@ from authentik.enterprise.models import License, LicenseKey
 from authentik.root.install_id import get_install_id
 
 
+class EnterpriseRequiredMixin:
+    """Mixin to validate that a valid enterprise license
+    exists before allowing to safe the object"""
+
+    def validate(self, attrs: dict) -> dict:
+        """Check that a valid license exists"""
+        total = LicenseKey.get_total()
+        if not total.is_valid():
+            raise ValidationError(_("Enterprise is required to create/update this object."))
+        return super().validate(attrs)
+
+
 class LicenseSerializer(ModelSerializer):
     """License Serializer"""
 

authentik/enterprise/apps.py

@@ -2,7 +2,11 @@
 from authentik.blueprints.apps import ManagedAppConfig
 
 
-class AuthentikEnterpriseConfig(ManagedAppConfig):
+class EnterpriseConfig(ManagedAppConfig):
+    """Base app config for all enterprise apps"""
+
+
+class AuthentikEnterpriseConfig(EnterpriseConfig):
     """Enterprise app config"""
 
     name = "authentik.enterprise"
@@ -10,6 +14,6 @@ class AuthentikEnterpriseConfig(ManagedAppConfig):
     verbose_name = "authentik Enterprise"
     default = True
 
-    def reconcile_load_enterprise_signals(self):
+    def reconcile_global_load_enterprise_signals(self):
         """Load enterprise signals"""
         self.import_module("authentik.enterprise.signals")

authentik/enterprise/policy.py

@@ -1,6 +1,8 @@
 """Enterprise license policies"""
 from typing import Optional
 
+from django.utils.translation import gettext_lazy as _
+
 from authentik.core.models import User, UserTypes
 from authentik.enterprise.models import LicenseKey
 from authentik.policies.types import PolicyRequest, PolicyResult
@@ -13,10 +15,10 @@ class EnterprisePolicyAccessView(PolicyAccessView):
     def check_license(self):
         """Check license"""
         if not LicenseKey.get_total().is_valid():
-            return False
+            return PolicyResult(False, _("Enterprise required to access this feature."))
         if self.request.user.type != UserTypes.INTERNAL:
-            return False
-        return True
+            return PolicyResult(False, _("Feature only accessible for internal users."))
+        return PolicyResult(True)
 
     def user_has_access(self, user: Optional[User] = None) -> PolicyResult:
         user = user or self.request.user
@@ -24,7 +26,7 @@ class EnterprisePolicyAccessView(PolicyAccessView):
         request.http_request = self.request
         result = super().user_has_access(user)
         enterprise_result = self.check_license()
-        if not enterprise_result:
+        if not enterprise_result.passing:
             return enterprise_result
         return result
 

authentik/enterprise/providers/rac/api/endpoints.py

@@ -0,0 +1,135 @@
+"""RAC Provider API Views"""
+from typing import Optional
+
+from django.core.cache import cache
+from django.db.models import QuerySet
+from django.urls import reverse
+from drf_spectacular.types import OpenApiTypes
+from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_schema
+from rest_framework.fields import SerializerMethodField
+from rest_framework.request import Request
+from rest_framework.response import Response
+from rest_framework.serializers import ModelSerializer
+from rest_framework.viewsets import ModelViewSet
+from structlog.stdlib import get_logger
+
+from authentik.core.api.used_by import UsedByMixin
+from authentik.core.models import Provider
+from authentik.enterprise.api import EnterpriseRequiredMixin
+from authentik.enterprise.providers.rac.api.providers import RACProviderSerializer
+from authentik.enterprise.providers.rac.models import Endpoint
+from authentik.policies.engine import PolicyEngine
+from authentik.rbac.filters import ObjectFilter
+
+LOGGER = get_logger()
+
+
+def user_endpoint_cache_key(user_pk: str) -> str:
+    """Cache key where endpoint list for user is saved"""
+    return f"goauthentik.io/providers/rac/endpoint_access/{user_pk}"
+
+
+class EndpointSerializer(EnterpriseRequiredMixin, ModelSerializer):
+    """Endpoint Serializer"""
+
+    provider_obj = RACProviderSerializer(source="provider", read_only=True)
+    launch_url = SerializerMethodField()
+
+    def get_launch_url(self, endpoint: Endpoint) -> Optional[str]:
+        """Build actual launch URL (the provider itself does not have one, just
+        individual endpoints)"""
+        try:
+            # pylint: disable=no-member
+            return reverse(
+                "authentik_providers_rac:start",
+                kwargs={"app": endpoint.provider.application.slug, "endpoint": endpoint.pk},
+            )
+        except Provider.application.RelatedObjectDoesNotExist:
+            return None
+
+    class Meta:
+        model = Endpoint
+        fields = [
+            "pk",
+            "name",
+            "provider",
+            "provider_obj",
+            "protocol",
+            "host",
+            "settings",
+            "property_mappings",
+            "auth_mode",
+            "launch_url",
+            "maximum_connections",
+        ]
+
+
+class EndpointViewSet(UsedByMixin, ModelViewSet):
+    """Endpoint Viewset"""
+
+    queryset = Endpoint.objects.all()
+    serializer_class = EndpointSerializer
+    filterset_fields = ["name", "provider"]
+    search_fields = ["name", "protocol"]
+    ordering = ["name", "protocol"]
+
+    def _filter_queryset_for_list(self, queryset: QuerySet) -> QuerySet:
+        """Custom filter_queryset method which ignores guardian, but still supports sorting"""
+        for backend in list(self.filter_backends):
+            if backend == ObjectFilter:
+                continue
+            queryset = backend().filter_queryset(self.request, queryset, self)
+        return queryset
+
+    def _get_allowed_endpoints(self, queryset: QuerySet) -> list[Endpoint]:
+        endpoints = []
+        for endpoint in queryset:
+            engine = PolicyEngine(endpoint, self.request.user, self.request)
+            engine.build()
+            if engine.passing:
+                endpoints.append(endpoint)
+        return endpoints
+
+    @extend_schema(
+        parameters=[
+            OpenApiParameter(
+                "search",
+                OpenApiTypes.STR,
+            ),
+            OpenApiParameter(
+                name="superuser_full_list",
+                location=OpenApiParameter.QUERY,
+                type=OpenApiTypes.BOOL,
+            ),
+        ],
+        responses={
+            200: EndpointSerializer(many=True),
+            400: OpenApiResponse(description="Bad request"),
+        },
+    )
+    def list(self, request: Request, *args, **kwargs) -> Response:
+        """List accessible endpoints"""
+        should_cache = request.GET.get("search", "") == ""
+
+        superuser_full_list = str(request.GET.get("superuser_full_list", "false")).lower() == "true"
+        if superuser_full_list and request.user.is_superuser:
+            return super().list(request)
+
+        queryset = self._filter_queryset_for_list(self.get_queryset())
+        self.paginate_queryset(queryset)
+
+        allowed_endpoints = []
+        if not should_cache:
+            allowed_endpoints = self._get_allowed_endpoints(queryset)
+        if should_cache:
+            allowed_endpoints = cache.get(user_endpoint_cache_key(self.request.user.pk))
+            if not allowed_endpoints:
+                LOGGER.debug("Caching allowed endpoint list")
+                allowed_endpoints = self._get_allowed_endpoints(queryset)
+                cache.set(
+                    user_endpoint_cache_key(self.request.user.pk),
+                    allowed_endpoints,
+                    timeout=86400,
+                )
+        serializer = self.get_serializer(allowed_endpoints, many=True)
+        return self.get_paginated_response(serializer.data)

authentik/enterprise/providers/rac/api/property_mappings.py

@@ -0,0 +1,49 @@
+"""RAC Provider API Views"""
+from django_filters.filters import AllValuesMultipleFilter
+from django_filters.filterset import FilterSet
+from drf_spectacular.types import OpenApiTypes
+from drf_spectacular.utils import extend_schema_field
+from rest_framework.fields import CharField
+from rest_framework.viewsets import ModelViewSet
+
+from authentik.core.api.propertymappings import PropertyMappingSerializer
+from authentik.core.api.used_by import UsedByMixin
+from authentik.core.api.utils import JSONDictField
+from authentik.enterprise.providers.rac.models import RACPropertyMapping
+
+
+class RACPropertyMappingSerializer(PropertyMappingSerializer):
+    """RACPropertyMapping Serializer"""
+
+    static_settings = JSONDictField()
+    expression = CharField(allow_blank=True, required=False)
+
+    def validate_expression(self, expression: str) -> str:
+        """Test Syntax"""
+        if expression == "":
+            return expression
+        return super().validate_expression(expression)
+
+    class Meta:
+        model = RACPropertyMapping
+        fields = PropertyMappingSerializer.Meta.fields + ["static_settings"]
+
+
+class RACPropertyMappingFilter(FilterSet):
+    """Filter for RACPropertyMapping"""
+
+    managed = extend_schema_field(OpenApiTypes.STR)(AllValuesMultipleFilter(field_name="managed"))
+
+    class Meta:
+        model = RACPropertyMapping
+        fields = ["name", "managed"]
+
+
+class RACPropertyMappingViewSet(UsedByMixin, ModelViewSet):
+    """RACPropertyMapping Viewset"""
+
+    queryset = RACPropertyMapping.objects.all()
+    serializer_class = RACPropertyMappingSerializer
+    search_fields = ["name"]
+    ordering = ["name"]
+    filterset_class = RACPropertyMappingFilter

authentik/enterprise/providers/rac/api/providers.py

@@ -0,0 +1,32 @@
+"""RAC Provider API Views"""
+from rest_framework.fields import CharField, ListField
+from rest_framework.viewsets import ModelViewSet
+
+from authentik.core.api.providers import ProviderSerializer
+from authentik.core.api.used_by import UsedByMixin
+from authentik.enterprise.api import EnterpriseRequiredMixin
+from authentik.enterprise.providers.rac.models import RACProvider
+
+
+class RACProviderSerializer(EnterpriseRequiredMixin, ProviderSerializer):
+    """RACProvider Serializer"""
+
+    outpost_set = ListField(child=CharField(), read_only=True, source="outpost_set.all")
+
+    class Meta:
+        model = RACProvider
+        fields = ProviderSerializer.Meta.fields + ["settings", "outpost_set", "connection_expiry"]
+        extra_kwargs = ProviderSerializer.Meta.extra_kwargs
+
+
+class RACProviderViewSet(UsedByMixin, ModelViewSet):
+    """RACProvider Viewset"""
+
+    queryset = RACProvider.objects.all()
+    serializer_class = RACProviderSerializer
+    filterset_fields = {
+        "application": ["isnull"],
+        "name": ["iexact"],
+    }
+    search_fields = ["name"]
+    ordering = ["name"]

authentik/enterprise/providers/rac/apps.py

@@ -0,0 +1,17 @@
+"""RAC app config"""
+from authentik.enterprise.apps import EnterpriseConfig
+
+
+class AuthentikEnterpriseProviderRAC(EnterpriseConfig):
+    """authentik enterprise rac app config"""
+
+    name = "authentik.enterprise.providers.rac"
+    label = "authentik_providers_rac"
+    verbose_name = "authentik Enterprise.Providers.RAC"
+    default = True
+    mountpoint = ""
+    ws_mountpoint = "authentik.enterprise.providers.rac.urls"
+
+    def reconcile_global_load_rac_signals(self):
+        """Load rac signals"""
+        self.import_module("authentik.enterprise.providers.rac.signals")

authentik/enterprise/providers/rac/consumer_client.py

@@ -0,0 +1,163 @@
+"""RAC Client consumer"""
+from asgiref.sync import async_to_sync
+from channels.db import database_sync_to_async
+from channels.exceptions import ChannelFull, DenyConnection
+from channels.generic.websocket import AsyncWebsocketConsumer
+from django.http.request import QueryDict
+from structlog.stdlib import BoundLogger, get_logger
+
+from authentik.enterprise.providers.rac.models import ConnectionToken, RACProvider
+from authentik.outposts.consumer import OUTPOST_GROUP_INSTANCE
+from authentik.outposts.models import Outpost, OutpostState, OutpostType
+
+# Global broadcast group, which messages are sent to when the outpost connects back
+# to authentik for a specific connection
+# The `RACClientConsumer` consumer adds itself to this group on connection,
+# and removes itself once it has been assigned a specific outpost channel
+RAC_CLIENT_GROUP = "group_enterprise_rac_client"
+# A group for all connections in a given authentik session ID
+# A disconnect message is sent to this group when the session expires/is deleted
+RAC_CLIENT_GROUP_SESSION = "group_enterprise_rac_client_%(session)s"
+# A group for all connections with a specific token, which in almost all cases
+# is just one connection, however this is used to disconnect the connection
+# when the token is deleted
+RAC_CLIENT_GROUP_TOKEN = "group_enterprise_rac_token_%(token)s"  # nosec
+
+# Step 1: Client connects to this websocket endpoint
+# Step 2: We prepare all the connection args for Guac
+# Step 3: Send a websocket message to a single outpost that has this provider assigned
+#         (Currently sending to all of them)
+#         (Should probably do different load balancing algorithms)
+# Step 4: Outpost creates a websocket connection back to authentik
+#         with /ws/outpost_rac/<our_channel_id>/
+# Step 5: This consumer transfers data between the two channels
+
+
+class RACClientConsumer(AsyncWebsocketConsumer):
+    """RAC client consumer the browser connects to"""
+
+    dest_channel_id: str = ""
+    provider: RACProvider
+    token: ConnectionToken
+    logger: BoundLogger
+
+    async def connect(self):
+        await self.accept("guacamole")
+        await self.channel_layer.group_add(RAC_CLIENT_GROUP, self.channel_name)
+        await self.channel_layer.group_add(
+            RAC_CLIENT_GROUP_SESSION % {"session": self.scope["session"].session_key},
+            self.channel_name,
+        )
+        await self.init_outpost_connection()
+
+    async def disconnect(self, code):
+        self.logger.debug("Disconnecting")
+        # Tell the outpost we're disconnecting
+        await self.channel_layer.send(
+            self.dest_channel_id,
+            {
+                "type": "event.disconnect",
+            },
+        )
+
+    @database_sync_to_async
+    def init_outpost_connection(self):
+        """Initialize guac connection settings"""
+        self.token = ConnectionToken.filter_not_expired(
+            token=self.scope["url_route"]["kwargs"]["token"]
+        ).first()
+        if not self.token:
+            raise DenyConnection()
+        self.provider = self.token.provider
+        params = self.token.get_settings()
+        self.logger = get_logger().bind(
+            endpoint=self.token.endpoint.name, user=self.scope["user"].username
+        )
+        msg = {
+            "type": "event.provider.specific",
+            "sub_type": "init_connection",
+            "dest_channel_id": self.channel_name,
+            "params": params,
+            "protocol": self.token.endpoint.protocol,
+        }
+        query = QueryDict(self.scope["query_string"].decode())
+        for key in ["screen_width", "screen_height", "screen_dpi", "audio"]:
+            value = query.get(key, None)
+            if not value:
+                continue
+            msg[key] = str(value)
+        outposts = Outpost.objects.filter(
+            type=OutpostType.RAC,
+            providers__in=[self.provider],
+        )
+        if not outposts.exists():
+            self.logger.warning("Provider has no outpost")
+            raise DenyConnection()
+        for outpost in outposts:
+            # Sort all states for the outpost by connection count
+            states = sorted(
+                OutpostState.for_outpost(outpost),
+                key=lambda state: int(state.args.get("active_connections", 0)),
+            )
+            if len(states) < 1:
+                continue
+            self.logger.debug("Sending out connection broadcast")
+            async_to_sync(self.channel_layer.group_send)(
+                OUTPOST_GROUP_INSTANCE % {"outpost_pk": str(outpost.pk), "instance": states[0].uid},
+                msg,
+            )
+
+    async def receive(self, text_data=None, bytes_data=None):
+        """Mirror data received from client to the dest_channel_id
+        which is the channel talking to guacd"""
+        if self.dest_channel_id == "":
+            return
+        if self.token.is_expired:
+            await self.event_disconnect({"reason": "token_expiry"})
+            return
+        try:
+            await self.channel_layer.send(
+                self.dest_channel_id,
+                {
+                    "type": "event.send",
+                    "text_data": text_data,
+                    "bytes_data": bytes_data,
+                },
+            )
+        except ChannelFull:
+            pass
+
+    async def event_outpost_connected(self, event: dict):
+        """Handle event broadcasted from outpost consumer, and check if they
+        created a connection for us"""
+        outpost_channel = event.get("outpost_channel")
+        if event.get("client_channel") != self.channel_name:
+            return
+        if self.dest_channel_id != "":
+            # We've already selected an outpost channel, so tell the other channel to disconnect
+            # This should never happen since we remove ourselves from the broadcast group
+            await self.channel_layer.send(
+                outpost_channel,
+                {
+                    "type": "event.disconnect",
+                },
+            )
+            return
+        self.logger.debug("Connected to a single outpost instance")
+        self.dest_channel_id = outpost_channel
+        # Since we have a specific outpost channel now, we can remove
+        # ourselves from the global broadcast group
+        await self.channel_layer.group_discard(RAC_CLIENT_GROUP, self.channel_name)
+
+    async def event_send(self, event: dict):
+        """Handler called by outpost websocket that sends data to this specific
+        client connection"""
+        if self.token.is_expired:
+            await self.event_disconnect({"reason": "token_expiry"})
+            return
+        await self.send(text_data=event.get("text_data"), bytes_data=event.get("bytes_data"))
+
+    async def event_disconnect(self, event: dict):
+        """Disconnect when the session ends"""
+        self.logger.info("Disconnecting RAC connection", reason=event.get("reason"))
+        await self.close()

authentik/enterprise/providers/rac/consumer_outpost.py

@@ -0,0 +1,48 @@
+"""RAC consumer"""
+from channels.exceptions import ChannelFull
+from channels.generic.websocket import AsyncWebsocketConsumer
+
+from authentik.enterprise.providers.rac.consumer_client import RAC_CLIENT_GROUP
+
+
+class RACOutpostConsumer(AsyncWebsocketConsumer):
+    """Consumer the outpost connects to, to send specific data back to a client connection"""
+
+    dest_channel_id: str
+
+    async def connect(self):
+        self.dest_channel_id = self.scope["url_route"]["kwargs"]["channel"]
+        await self.accept()
+        await self.channel_layer.group_send(
+            RAC_CLIENT_GROUP,
+            {
+                "type": "event.outpost.connected",
+                "outpost_channel": self.channel_name,
+                "client_channel": self.dest_channel_id,
+            },
+        )
+
+    async def receive(self, text_data=None, bytes_data=None):
+        """Mirror data received from guacd running in the outpost
+        to the dest_channel_id which is the channel talking to the browser"""
+        try:
+            await self.channel_layer.send(
+                self.dest_channel_id,
+                {
+                    "type": "event.send",
+                    "text_data": text_data,
+                    "bytes_data": bytes_data,
+                },
+            )
+        except ChannelFull:
+            pass
+
+    async def event_send(self, event: dict):
+        """Handler called by client websocket that sends data to this specific
+        outpost connection"""
+        await self.send(text_data=event.get("text_data"), bytes_data=event.get("bytes_data"))
+
+    async def event_disconnect(self, event: dict):
+        """Tell outpost we're about to disconnect"""
+        await self.send(text_data="0.authentik.disconnect")
+        await self.close()

authentik/enterprise/providers/rac/controllers/docker.py

@@ -0,0 +1,11 @@
+"""RAC Provider Docker Controller"""
+from authentik.outposts.controllers.docker import DockerController
+from authentik.outposts.models import DockerServiceConnection, Outpost
+
+
+class RACDockerController(DockerController):
+    """RAC Provider Docker Controller"""
+
+    def __init__(self, outpost: Outpost, connection: DockerServiceConnection):
+        super().__init__(outpost, connection)
+        self.deployment_ports = []

authentik/enterprise/providers/rac/controllers/kubernetes.py

@@ -0,0 +1,13 @@
+"""RAC Provider Kubernetes Controller"""
+from authentik.outposts.controllers.k8s.service import ServiceReconciler
+from authentik.outposts.controllers.kubernetes import KubernetesController
+from authentik.outposts.models import KubernetesServiceConnection, Outpost
+
+
+class RACKubernetesController(KubernetesController):
+    """RAC Provider Kubernetes Controller"""
+
+    def __init__(self, outpost: Outpost, connection: KubernetesServiceConnection):
+        super().__init__(outpost, connection)
+        self.deployment_ports = []
+        del self.reconcilers[ServiceReconciler.reconciler_name()]

authentik/enterprise/providers/rac/migrations/0001_initial.py

@@ -0,0 +1,164 @@
+# Generated by Django 4.2.8 on 2023-12-29 15:58
+
+import uuid
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+import authentik.core.models
+import authentik.lib.utils.time
+
+
+class Migration(migrations.Migration):
+    initial = True
+
+    dependencies = [
+        ("authentik_policies", "0011_policybinding_failure_result_and_more"),
+        ("authentik_core", "0032_group_roles"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="RACPropertyMapping",
+            fields=[
+                (
+                    "propertymapping_ptr",
+                    models.OneToOneField(
+                        auto_created=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        parent_link=True,
+                        primary_key=True,
+                        serialize=False,
+                        to="authentik_core.propertymapping",
+                    ),
+                ),
+                ("static_settings", models.JSONField(default=dict)),
+            ],
+            options={
+                "verbose_name": "RAC Property Mapping",
+                "verbose_name_plural": "RAC Property Mappings",
+            },
+            bases=("authentik_core.propertymapping",),
+        ),
+        migrations.CreateModel(
+            name="RACProvider",
+            fields=[
+                (
+                    "provider_ptr",
+                    models.OneToOneField(
+                        auto_created=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        parent_link=True,
+                        primary_key=True,
+                        serialize=False,
+                        to="authentik_core.provider",
+                    ),
+                ),
+                ("settings", models.JSONField(default=dict)),
+                (
+                    "auth_mode",
+                    models.TextField(
+                        choices=[("static", "Static"), ("prompt", "Prompt")], default="prompt"
+                    ),
+                ),
+                (
+                    "connection_expiry",
+                    models.TextField(
+                        default="hours=8",
+                        help_text="Determines how long a session lasts. Default of 0 means that the sessions lasts until the browser is closed. (Format: hours=-1;minutes=-2;seconds=-3)",
+                        validators=[authentik.lib.utils.time.timedelta_string_validator],
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "RAC Provider",
+                "verbose_name_plural": "RAC Providers",
+            },
+            bases=("authentik_core.provider",),
+        ),
+        migrations.CreateModel(
+            name="Endpoint",
+            fields=[
+                (
+                    "policybindingmodel_ptr",
+                    models.OneToOneField(
+                        auto_created=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        parent_link=True,
+                        primary_key=True,
+                        serialize=False,
+                        to="authentik_policies.policybindingmodel",
+                    ),
+                ),
+                ("name", models.TextField()),
+                ("host", models.TextField()),
+                (
+                    "protocol",
+                    models.TextField(choices=[("rdp", "Rdp"), ("vnc", "Vnc"), ("ssh", "Ssh")]),
+                ),
+                ("settings", models.JSONField(default=dict)),
+                (
+                    "auth_mode",
+                    models.TextField(choices=[("static", "Static"), ("prompt", "Prompt")]),
+                ),
+                (
+                    "property_mappings",
+                    models.ManyToManyField(
+                        blank=True, default=None, to="authentik_core.propertymapping"
+                    ),
+                ),
+                (
+                    "provider",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to="authentik_providers_rac.racprovider",
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "RAC Endpoint",
+                "verbose_name_plural": "RAC Endpoints",
+            },
+            bases=("authentik_policies.policybindingmodel", models.Model),
+        ),
+        migrations.CreateModel(
+            name="ConnectionToken",
+            fields=[
+                (
+                    "expires",
+                    models.DateTimeField(default=authentik.core.models.default_token_duration),
+                ),
+                ("expiring", models.BooleanField(default=True)),
+                (
+                    "connection_token_uuid",
+                    models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False),
+                ),
+                ("token", models.TextField(default=authentik.core.models.default_token_key)),
+                ("settings", models.JSONField(default=dict)),
+                (
+                    "endpoint",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to="authentik_providers_rac.endpoint",
+                    ),
+                ),
+                (
+                    "provider",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to="authentik_providers_rac.racprovider",
+                    ),
+                ),
+                (
+                    "session",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to="authentik_core.authenticatedsession",
+                    ),
+                ),
+            ],
+            options={
+                "abstract": False,
+            },
+        ),
+    ]

authentik/enterprise/providers/rac/migrations/0002_endpoint_maximum_connections.py

@@ -0,0 +1,17 @@
+# Generated by Django 5.0 on 2024-01-03 23:44
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("authentik_providers_rac", "0001_initial"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="endpoint",
+            name="maximum_connections",
+            field=models.IntegerField(default=1),
+        ),
+    ]