core: fix token update/delete not working

# Conflicts:
#	authentik/admin/views/applications.py

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 0.13.3-stable
+current_version = 0.13.5-stable
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\-(?P<release>.*)

.github/workflows/release.yml

@@ -18,11 +18,11 @@ jobs:
       - name: Building Docker Image
         run: docker build
           --no-cache
-          -t beryju/authentik:0.13.3-stable
+          -t beryju/authentik:0.13.5-stable
           -t beryju/authentik:latest
           -f Dockerfile .
       - name: Push Docker Container to Registry (versioned)
-        run: docker push beryju/authentik:0.13.3-stable
+        run: docker push beryju/authentik:0.13.5-stable
       - name: Push Docker Container to Registry (latest)
         run: docker push beryju/authentik:latest
   build-proxy:
@@ -48,11 +48,11 @@ jobs:
           cd proxy/
           docker build \
           --no-cache \
-          -t beryju/authentik-proxy:0.13.3-stable \
+          -t beryju/authentik-proxy:0.13.5-stable \
           -t beryju/authentik-proxy:latest \
           -f Dockerfile .
       - name: Push Docker Container to Registry (versioned)
-        run: docker push beryju/authentik-proxy:0.13.3-stable
+        run: docker push beryju/authentik-proxy:0.13.5-stable
       - name: Push Docker Container to Registry (latest)
         run: docker push beryju/authentik-proxy:latest
   build-static:
@@ -69,11 +69,11 @@ jobs:
           cd web/
           docker build \
           --no-cache \
-          -t beryju/authentik-static:0.13.3-stable \
+          -t beryju/authentik-static:0.13.5-stable \
           -t beryju/authentik-static:latest \
           -f Dockerfile .
       - name: Push Docker Container to Registry (versioned)
-        run: docker push beryju/authentik-static:0.13.3-stable
+        run: docker push beryju/authentik-static:0.13.5-stable
       - name: Push Docker Container to Registry (latest)
         run: docker push beryju/authentik-static:latest
   test-release:
@@ -107,5 +107,5 @@ jobs:
           SENTRY_PROJECT: authentik
           SENTRY_URL: https://sentry.beryju.org
         with:
-          tagName: 0.13.3-stable
+          tagName: 0.13.5-stable
           environment: beryjuorg-prod

authentik/__init__.py

@@ -1,2 +1,2 @@
 """authentik"""
-__version__ = "0.13.3-stable"
+__version__ = "0.13.5-stable"

authentik/admin/templates/administration/policy/list.html

@@ -81,7 +81,7 @@
                             <div slot="modal"></div>
                         </ak-modal-button>
                         <ak-modal-button href="{% url 'authentik_admin:policy-test' pk=policy.pk %}">
-                            <ak-spinner-button slot="trigger" class="pf-m-tertiary">
+                            <ak-spinner-button slot="trigger" class="pf-m-secondary">
                                 {% trans 'Test' %}
                             </ak-spinner-button>
                             <div slot="modal"></div>

authentik/admin/templates/administration/stage_invitation/list.html

@@ -37,8 +37,9 @@
         <table class="pf-c-table pf-m-compact pf-m-grid-xl" role="grid">
             <thead>
                 <tr role="row">
+                    <th role="columnheader" scope="col">{% trans 'ID' %}</th>
+                    <th role="columnheader" scope="col">{% trans 'Created by' %}</th>
                     <th role="columnheader" scope="col">{% trans 'Expiry' %}</th>
-                    <th role="columnheader" scope="col">{% trans 'Link' %}</th>
                     <th role="cell"></th>
                 </tr>
             </thead>
@@ -47,12 +48,17 @@
                 <tr role="row">
                     <td role="cell">
                         <span>
-                            {{ invitation.expiry }}
+                            {{ invitation.invite_uuid }}
                         </span>
                     </td>
                     <td role="cell">
                         <span>
-                            {{ invitation.Link }}
+                            {{ invitation.created_by }}
+                        </span>
+                    </td>
+                    <td role="cell">
+                        <span>
+                            {{ invitation.expiry|default:"-" }}
                         </span>
                     </td>
                     <td>

authentik/core/api/applications.py

@@ -13,6 +13,7 @@ from rest_framework_guardian.filters import ObjectPermissionsFilter
 
 from authentik.admin.api.metrics import get_events_per_1h
 from authentik.audit.models import EventAction
+from authentik.core.api.providers import ProviderSerializer
 from authentik.core.models import Application
 from authentik.policies.engine import PolicyEngine
 
@@ -21,6 +22,7 @@ class ApplicationSerializer(ModelSerializer):
     """Application Serializer"""
 
     launch_url = SerializerMethodField()
+    provider = ProviderSerializer(source="get_provider", required=False)
 
     def get_launch_url(self, instance: Application) -> str:
         """Get generated launch URL"""

authentik/core/api/users.py

@@ -1,5 +1,6 @@
 """User API Views"""
 from drf_yasg2.utils import swagger_auto_schema
+from guardian.utils import get_anonymous_user
 from rest_framework.decorators import action
 from rest_framework.request import Request
 from rest_framework.response import Response
@@ -33,9 +34,12 @@ class UserSerializer(ModelSerializer):
 class UserViewSet(ModelViewSet):
     """User Viewset"""
 
-    queryset = User.objects.all()
+    queryset = User.objects.all().exclude(pk=get_anonymous_user().pk)
     serializer_class = UserSerializer
 
+    def get_queryset(self):
+        return User.objects.all().exclude(pk=get_anonymous_user().pk)
+
     @swagger_auto_schema(responses={200: UserSerializer(many=False)})
     @action(detail=False)
     # pylint: disable=invalid-name

authentik/core/templates/partials/form_horizontal.html

@@ -31,7 +31,7 @@
             <p class="pf-c-form__helper-text">{{ field.help_text }}</p>
             {% endif %}
         </div>
-    {% elif field.field.widget|fieldtype == 'Select' %}
+    {% elif field.field.widget|fieldtype == 'Select' or field.field.widget|fieldtype == "SelectMultiple" %}
         <div class="pf-c-form__group-label">
             <label class="pf-c-form__label" for="{{ field.name }}-{{ forloop.counter0 }}">
                 <span class="pf-c-form__label-text">{{ field.label }}</span>
@@ -46,6 +46,9 @@
                 {% if field.help_text %}
                 <p class="pf-c-form__helper-text">{{ field.help_text|safe }}</p>
                 {% endif %}
+                {% if field.field.widget|fieldtype == 'SelectMultiple' %}
+                <p class="pf-c-form__helper-text">{% trans 'Hold control/command to select multiple items.' %}</p>
+                {% endif %}
             </div>
         </div>
     {% elif field.field.widget|fieldtype == 'CheckboxInput' %}

authentik/core/views/user.py

@@ -94,11 +94,6 @@ class TokenCreateView(
     success_url = reverse_lazy("authentik_core:user-tokens")
     success_message = _("Successfully created Token")
 
-    def get_context_data(self, **kwargs: Any) -> Dict[str, Any]:
-        kwargs = super().get_context_data(**kwargs)
-        kwargs["container_template"] = "user/base.html"
-        return kwargs
-
     def form_valid(self, form: UserTokenForm) -> HttpResponse:
         form.instance.user = self.request.user
         form.instance.intent = TokenIntents.INTENT_API
@@ -112,21 +107,16 @@ class TokenUpdateView(
 
     model = Token
     form_class = UserTokenForm
-    permission_required = "authentik_core.update_token"
+    permission_required = "authentik_core.change_token"
     template_name = "generic/update.html"
     success_url = reverse_lazy("authentik_core:user-tokens")
     success_message = _("Successfully updated Token")
 
-    def get_context_data(self, **kwargs: Any) -> Dict[str, Any]:
-        kwargs = super().get_context_data(**kwargs)
-        kwargs["container_template"] = "user/base.html"
-        return kwargs
-
     def get_object(self) -> Token:
         identifier = self.kwargs.get("identifier")
         return get_objects_for_user(
-            self.request.user, "authentik_core.update_token", self.model
+            self.request.user, self.permission_required, self.model
-        ).filter(intent=TokenIntents.INTENT_API, identifier=identifier)
+        ).filter(intent=TokenIntents.INTENT_API, identifier=identifier).first()
 
 
 class TokenDeleteView(LoginRequiredMixin, PermissionRequiredMixin, DeleteMessageView):
@@ -138,7 +128,8 @@ class TokenDeleteView(LoginRequiredMixin, PermissionRequiredMixin, DeleteMessage
     success_url = reverse_lazy("authentik_core:user-tokens")
     success_message = _("Successfully deleted Token")
 
-    def get_context_data(self, **kwargs: Any) -> Dict[str, Any]:
+    def get_object(self) -> Token:
-        kwargs = super().get_context_data(**kwargs)
+        identifier = self.kwargs.get("identifier")
-        kwargs["container_template"] = "user/base.html"
+        return get_objects_for_user(
-        return kwargs
+            self.request.user, self.permission_required, self.model
+        ).filter(intent=TokenIntents.INTENT_API, identifier=identifier).first()

authentik/outposts/forms.py

@@ -1,7 +1,11 @@
 """Outpost forms"""
 
 from django import forms
+from django.core.exceptions import ValidationError
 from django.utils.translation import gettext_lazy as _
+from kubernetes.client.configuration import Configuration
+from kubernetes.config.config_exception import ConfigException
+from kubernetes.config.kube_config import load_kube_config_from_dict
 
 from authentik.admin.fields import CodeMirrorWidget, YAMLField
 from authentik.crypto.models import CertificateKeyPair
@@ -71,6 +75,23 @@ class DockerServiceConnectionForm(forms.ModelForm):
 class KubernetesServiceConnectionForm(forms.ModelForm):
     """Kubernetes service-connection form"""
 
+    def clean_kubeconfig(self):
+        """Validate kubeconfig by attempting to load it"""
+        kubeconfig = self.cleaned_data["kubeconfig"]
+        if kubeconfig == {}:
+            if not self.cleaned_data["local"]:
+                raise ValidationError(
+                    _("You can only use an empty kubeconfig when local is enabled.")
+                )
+            # Empty kubeconfig is valid
+            return kubeconfig
+        config = Configuration()
+        try:
+            load_kube_config_from_dict(kubeconfig, client_configuration=config)
+        except ConfigException:
+            raise ValidationError(_("Invalid kubeconfig"))
+        return kubeconfig
+
     class Meta:
 
         model = KubernetesServiceConnection

authentik/outposts/migrations/0015_auto_20201224_1206.py

@@ -0,0 +1,21 @@
+# Generated by Django 3.1.4 on 2020-12-24 12:06
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_outposts", "0014_auto_20201213_1407"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="kubernetesserviceconnection",
+            name="kubeconfig",
+            field=models.JSONField(
+                blank=True,
+                help_text="Paste your kubeconfig here. authentik will automatically use the currently selected context.",
+            ),
+        ),
+    ]

authentik/outposts/models.py

@@ -234,7 +234,8 @@ class KubernetesServiceConnection(OutpostServiceConnection):
                 "Paste your kubeconfig here. authentik will automatically use "
                 "the currently selected context."
             )
-        )
+        ),
+        blank=True,
     )
 
     @property

authentik/policies/expression/evaluator.py

@@ -21,6 +21,7 @@ class PolicyEvaluator(BaseEvaluator):
     def __init__(self, policy_name: str):
         super().__init__()
         self._messages = []
+        self._context["ak_logger"] = get_logger(policy_name)
         self._context["ak_message"] = self.expr_func_message
         self._context["ip_address"] = ip_address
         self._context["ip_network"] = ip_network

authentik/stages/invitation/forms.py

@@ -1,6 +1,5 @@
 """authentik flows invitation forms"""
 from django import forms
-from django.utils.translation import gettext as _
 
 from authentik.admin.fields import CodeMirrorWidget, YAMLField
 from authentik.stages.invitation.models import Invitation, InvitationStage
@@ -25,8 +24,5 @@ class InvitationForm(forms.ModelForm):
 
         model = Invitation
         fields = ["expires", "fixed_data"]
-        labels = {
-            "fixed_data": _("Optional fixed data to enforce on user enrollment."),
-        }
         widgets = {"fixed_data": CodeMirrorWidget()}
         field_classes = {"fixed_data": YAMLField}

authentik/stages/invitation/migrations/0002_auto_20201225_2143.py

@@ -0,0 +1,18 @@
+# Generated by Django 3.1.4 on 2020-12-25 21:43
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_stages_invitation", "0001_initial"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="invitation",
+            name="fixed_data",
+            field=models.JSONField(blank=True, default=dict),
+        ),
+    ]

authentik/stages/invitation/models.py

@@ -61,7 +61,11 @@ class Invitation(models.Model):
 
     created_by = models.ForeignKey(User, on_delete=models.CASCADE)
     expires = models.DateTimeField(default=None, blank=True, null=True)
-    fixed_data = models.JSONField(default=dict)
+    fixed_data = models.JSONField(
+        default=dict,
+        blank=True,
+        help_text=_("Optional fixed data to enforce on user enrollment."),
+    )
 
     def __str__(self):
         return f"Invitation {self.invite_uuid.hex} created by {self.created_by}"

authentik/stages/password/forms.py

@@ -53,5 +53,5 @@ class PasswordStageForm(forms.ModelForm):
         fields = ["name", "backends", "configure_flow", "failed_attempts_before_cancel"]
         widgets = {
             "name": forms.TextInput(),
-            "backends": forms.SelectMultiple(get_authentication_backends()),
+            "backends": forms.SelectMultiple(choices=get_authentication_backends()),
         }

docker-compose.yml

@@ -19,7 +19,7 @@ services:
     networks:
       - internal
   server:
-    image: beryju/authentik:${AUTHENTIK_TAG:-0.13.3-stable}
+    image: beryju/authentik:${AUTHENTIK_TAG:-0.13.5-stable}
     command: server
     environment:
       AUTHENTIK_REDIS__HOST: redis
@@ -44,7 +44,7 @@ services:
     env_file:
       - .env
   worker:
-    image: beryju/authentik:${AUTHENTIK_TAG:-0.13.3-stable}
+    image: beryju/authentik:${AUTHENTIK_TAG:-0.13.5-stable}
     command: worker
     networks:
       - internal
@@ -60,7 +60,7 @@ services:
     env_file:
       - .env
   static:
-    image: beryju/authentik-static:${AUTHENTIK_TAG:-0.13.3-stable}
+    image: beryju/authentik-static:${AUTHENTIK_TAG:-0.13.5-stable}
     networks:
       - internal
     labels:

helm/Chart.yaml

@@ -4,7 +4,7 @@ name: authentik
 home: https://goauthentik.io
 sources:
   - https://github.com/BeryJu/authentik
-version: "0.13.3-stable"
+version: "0.13.5-stable"
 icon: https://raw.githubusercontent.com/BeryJu/authentik/master/web/icons/icon.svg
 dependencies:
   - name: postgresql

helm/README.md

@@ -4,7 +4,7 @@
 |-----------------------------------|-------------------------|-------------|
 | image.name                        | beryju/authentik         | Image used to run the authentik server and worker |
 | image.name_static                 | beryju/authentik-static  | Image used to run the authentik static server (CSS and JS Files) |
-| image.tag                         | 0.13.3-stable              | Image tag |
+| image.tag                         | 0.13.5-stable              | Image tag |
 | image.pullPolicy                  | IfNotPresent            | Image Pull Policy used for all deployments |
 | serverReplicas                    | 1                       | Replicas for the Server deployment |
 | workerReplicas                    | 1                       | Replicas for the Worker deployment |

helm/values.yaml

@@ -5,7 +5,7 @@ image:
   name: beryju/authentik
   name_static: beryju/authentik-static
   name_outposts: beryju/authentik # Prefix used for Outpost deployments, Outpost type and version is appended
-  tag: 0.13.3-stable
+  tag: 0.13.5-stable
   pullPolicy: IfNotPresent
 
 serverReplicas: 1

proxy/pkg/version.go

@@ -1,3 +1,3 @@
 package pkg
 
-const VERSION = "0.13.3-stable"
+const VERSION = "0.13.5-stable"

swagger.yaml

@@ -7345,7 +7345,6 @@ definitions:
     description: KubernetesServiceConnection Serializer
     required:
       - name
-      - kubeconfig
     type: object
     properties:
       pk:
@@ -8596,6 +8595,7 @@ definitions:
         x-nullable: true
       fixed_data:
         title: Fixed data
+        description: Optional fixed data to enforce on user enrollment.
         type: object
   OTPStaticStage:
     description: OTPStaticStage Serializer

web/src/authentik.css

@@ -81,6 +81,10 @@ select[multiple] {
     font-size: var(--pf-global--FontSize--sm);
 }
 
+.pf-c-page__main {
+    z-index: auto !important;
+}
+
 @media (prefers-color-scheme: dark) {
     :root {
         --ak-dark-foreground: #fafafa;

web/src/constants.ts

@@ -28,4 +28,4 @@ export const ColorStyles = css`
         background-color: var(--pf-global--danger-color--100);
     }
 `;
-export const VERSION = "0.13.3-stable";
+export const VERSION = "0.13.5-stable";

web/src/interfaces/Interface.ts

@@ -18,6 +18,10 @@ export abstract class Interface extends LitElement {
 
     constructor() {
         super();
+        this.sidebarOpen = window.outerWidth >= 1280;
+        window.addEventListener("resize", () => {
+            this.sidebarOpen = window.outerWidth >= 1280;
+        });
         window.addEventListener("ak-sidebar-toggle", () => {
             this.sidebarOpen = !this.sidebarOpen;
         });

website/docs/installation/docker-compose.md

@@ -15,7 +15,7 @@ Download the latest `docker-compose.yml` from [here](https://raw.githubuserconte
 
 To optionally enable error-reporting, run `echo AUTHENTIK_ERROR_REPORTING__ENABLED=true >> .env`
 
-To optionally deploy a different version run `echo AUTHENTIK_TAG=0.13.3-stable >> .env`
+To optionally deploy a different version run `echo AUTHENTIK_TAG=0.13.5-stable >> .env`
 
 If this is a fresh authentik install run the following commands to generate a password:
 

website/docs/installation/kubernetes.md

@@ -22,7 +22,7 @@ image:
     name: beryju/authentik
     name_static: beryju/authentik-static
     name_outposts: beryju/authentik # Prefix used for Outpost deployments, Outpost type and version is appended
-    tag: 0.13.3-stable
+    tag: 0.13.5-stable
 
 serverReplicas: 1
 workerReplicas: 1