Merge branch 'goauthentik:main' into sdko/feat/integration/pickup-109…

…43-owncloud

.github/actions/docker-push-variables/action.yml

@@ -9,6 +9,9 @@ inputs:
   image-arch:
     required: false
     description: "Docker image arch"
+  release:
+    required: true
+    description: "True if this is a release build, false if this is a dev/PR build"
 
 outputs:
   shouldPush:
@@ -44,6 +47,9 @@ outputs:
   imageMainName:
     description: "Docker image main name"
     value: ${{ steps.ev.outputs.imageMainName }}
+  imageBuildArgs:
+    description: "Docker image build args"
+    value: ${{ steps.ev.outputs.imageBuildArgs }}
 
 runs:
   using: "composite"
@@ -54,6 +60,8 @@ runs:
       env:
         IMAGE_NAME: ${{ inputs.image-name }}
         IMAGE_ARCH: ${{ inputs.image-arch }}
+        RELEASE: ${{ inputs.release }}
         PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+        REF: ${{ github.ref }}
       run: |
         python3 ${{ github.action_path }}/push_vars.py

.github/actions/docker-push-variables/push_vars.py

@@ -80,6 +80,13 @@ def get_attest_image_names(image_with_tags: list[str]):
     cache_to = f"type=registry,ref={get_attest_image_names(image_tags)}:{_cache_tag},mode=max"
 
 
+image_build_args = []
+if os.getenv("RELEASE", "false").lower() == "true":
+    image_build_args = [f"VERSION={os.getenv('REF')}"]
+else:
+    image_build_args = [f"GIT_BUILD_HASH={sha}"]
+image_build_args = "\n".join(image_build_args)
+
 with open(os.environ["GITHUB_OUTPUT"], "a+", encoding="utf-8") as _output:
     print(f"shouldPush={str(should_push).lower()}", file=_output)
     print(f"sha={sha}", file=_output)
@@ -91,3 +98,4 @@ def get_attest_image_names(image_with_tags: list[str]):
     print(f"imageMainTag={image_main_tag}", file=_output)
     print(f"imageMainName={image_tags[0]}", file=_output)
     print(f"cacheTo={cache_to}", file=_output)
+    print(f"imageBuildArgs={image_build_args}", file=_output)

.github/workflows/_reusable-docker-build-single.yaml

@@ -50,6 +50,7 @@ jobs:
         with:
           image-name: ${{ inputs.image_name }}
           image-arch: ${{ inputs.image_arch }}
+          release: ${{ inputs.release }}
       - name: Login to Docker Hub
         if: ${{ inputs.registry_dockerhub }}
         uses: docker/login-action@v3
@@ -81,7 +82,7 @@ jobs:
             GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
             GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
           build-args: |
-            VERSION=${{ github.ref }}
+            ${{ steps.ev.outputs.imageBuildArgs }}
           tags: ${{ steps.ev.outputs.imageTags }}
           platforms: linux/${{ inputs.image_arch }}
           cache-from: type=registry,ref=${{ steps.ev.outputs.attestImageNames }}:buildcache-${{ inputs.image_arch }}

Dockerfile

@@ -94,7 +94,7 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
     /bin/sh -c "/usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
 
 # Stage 5: Python dependencies
-FROM ghcr.io/goauthentik/fips-python:3.12.7-slim-bookworm-fips AS python-deps
+FROM ghcr.io/goauthentik/fips-python:3.12.8-slim-bookworm-fips AS python-deps
 
 ARG TARGETARCH
 ARG TARGETVARIANT
@@ -132,13 +132,14 @@ RUN --mount=type=bind,target=./pyproject.toml,src=./pyproject.toml \
     . "$HOME/.cargo/env" && \
     python -m venv /ak-root/venv/ && \
     bash -c "source ${VENV_PATH}/bin/activate && \
-    pip3 install --upgrade pip && \
-    pip3 install poetry && \
+    pip3 install --upgrade pip poetry && \
     poetry config --local installer.no-binary cryptography,xmlsec,lxml,python-kadmin-rs && \
+    poetry install --only=main --no-ansi --no-interaction --no-root && \
+    pip uninstall cryptography -y && \
     poetry install --only=main --no-ansi --no-interaction --no-root"
 
 # Stage 6: Run
-FROM ghcr.io/goauthentik/fips-python:3.12.7-slim-bookworm-fips AS final-image
+FROM ghcr.io/goauthentik/fips-python:3.12.8-slim-bookworm-fips AS final-image
 
 ARG VERSION
 ARG GIT_BUILD_HASH
@@ -154,10 +155,12 @@ WORKDIR /
 
 # We cannot cache this layer otherwise we'll end up with a bigger image
 RUN apt-get update && \
+    apt-get upgrade -y && \
     # Required for runtime
     apt-get install -y --no-install-recommends libpq5 libmaxminddb0 ca-certificates libkrb5-3 libkadm5clnt-mit12 libkdb5-10 libltdl7 libxslt1.1 && \
     # Required for bootstrap & healtcheck
     apt-get install -y --no-install-recommends runit && \
+    pip3 install --no-cache-dir --upgrade pip && \
     apt-get clean && \
     rm -rf /tmp/* /var/lib/apt/lists/* /var/tmp/ && \
     adduser --system --no-create-home --uid 1000 --group --home /authentik authentik && \

Makefile

@@ -152,7 +152,7 @@ gen-client-ts: gen-clean-ts  ## Build and install the authentik API for Typescri
 	docker run \
 		--rm -v ${PWD}:/local \
 		--user ${UID}:${GID} \
-		docker.io/openapitools/openapi-generator-cli:v6.5.0 generate \
+		docker.io/openapitools/openapi-generator-cli:v7.11.0 generate \
 		-i /local/schema.yml \
 		-g typescript-fetch \
 		-o /local/${GEN_API_TS} \

authentik/sources/kerberos/api/source.py

@@ -66,6 +66,7 @@ class KerberosSourceViewSet(UsedByMixin, ModelViewSet):
     serializer_class = KerberosSourceSerializer
     lookup_field = "slug"
     filterset_fields = [
+        "pbm_uuid",
         "name",
         "slug",
         "enabled",

authentik/sources/ldap/api.py

@@ -110,6 +110,7 @@ class LDAPSourceViewSet(UsedByMixin, ModelViewSet):
     serializer_class = LDAPSourceSerializer
     lookup_field = "slug"
     filterset_fields = [
+        "pbm_uuid",
         "name",
         "slug",
         "enabled",

authentik/sources/oauth/api/source.py

@@ -152,6 +152,7 @@ def filter_has_jwks(self, queryset, name, value):  # pragma: no cover
     class Meta:
         model = OAuthSource
         fields = [
+            "pbm_uuid",
             "name",
             "slug",
             "enabled",

authentik/sources/plex/api/source.py

@@ -52,6 +52,7 @@ class PlexSourceViewSet(UsedByMixin, ModelViewSet):
     serializer_class = PlexSourceSerializer
     lookup_field = "slug"
     filterset_fields = [
+        "pbm_uuid",
         "name",
         "slug",
         "enabled",

authentik/sources/saml/api/source.py

@@ -44,6 +44,7 @@ class SAMLSourceViewSet(UsedByMixin, ModelViewSet):
     serializer_class = SAMLSourceSerializer
     lookup_field = "slug"
     filterset_fields = [
+        "pbm_uuid",
         "name",
         "slug",
         "enabled",

authentik/sources/scim/api/sources.py

@@ -53,6 +53,6 @@ class SCIMSourceViewSet(UsedByMixin, ModelViewSet):
     queryset = SCIMSource.objects.all()
     serializer_class = SCIMSourceSerializer
     lookup_field = "slug"
-    filterset_fields = ["name", "slug"]
+    filterset_fields = ["pbm_uuid", "name", "slug"]
     search_fields = ["name", "slug", "token__identifier", "token__user__username"]
     ordering = ["name"]

authentik/stages/prompt/stage.py

@@ -5,6 +5,7 @@
 from types import MethodType
 from typing import Any
 
+from django.contrib.messages import INFO, add_message
 from django.db.models.query import QuerySet
 from django.http import HttpRequest, HttpResponse
 from django.http.request import QueryDict
@@ -147,6 +148,9 @@ def validate(self, attrs: dict[str, Any]) -> dict[str, Any]:
         result = engine.result
         if not result.passing:
             raise ValidationError(list(result.messages))
+        else:
+            for msg in result.messages:
+                add_message(self.request, INFO, msg)
         return attrs
 
 

ldap.Dockerfile

@@ -43,6 +43,11 @@ LABEL org.opencontainers.image.source=https://github.com/goauthentik/authentik
 LABEL org.opencontainers.image.version=${VERSION}
 LABEL org.opencontainers.image.revision=${GIT_BUILD_HASH}
 
+RUN apt-get update && \
+    apt-get upgrade -y && \
+    apt-get clean && \
+    rm -rf /tmp/* /var/lib/apt/lists/*
+
 COPY --from=builder /go/ldap /
 
 HEALTHCHECK --interval=5s --retries=20 --start-period=3s CMD [ "/ldap", "healthcheck" ]

proxy.Dockerfile

@@ -59,6 +59,11 @@ LABEL org.opencontainers.image.source=https://github.com/goauthentik/authentik
 LABEL org.opencontainers.image.version=${VERSION}
 LABEL org.opencontainers.image.revision=${GIT_BUILD_HASH}
 
+RUN apt-get update && \
+    apt-get upgrade -y && \
+    apt-get clean && \
+    rm -rf /tmp/* /var/lib/apt/lists/*
+
 COPY --from=builder /go/proxy /
 COPY --from=web-builder /static/robots.txt /web/robots.txt
 COPY --from=web-builder /static/security.txt /web/security.txt

rac.Dockerfile

@@ -43,6 +43,13 @@ LABEL org.opencontainers.image.source=https://github.com/goauthentik/authentik
 LABEL org.opencontainers.image.version=${VERSION}
 LABEL org.opencontainers.image.revision=${GIT_BUILD_HASH}
 
+USER root
+RUN apt-get update && \
+    apt-get upgrade -y && \
+    apt-get clean && \
+    rm -rf /tmp/* /var/lib/apt/lists/*
+USER 1000
+
 COPY --from=builder /go/rac /
 
 HEALTHCHECK --interval=5s --retries=20 --start-period=3s CMD [ "/rac", "healthcheck" ]

radius.Dockerfile

@@ -43,6 +43,11 @@ LABEL org.opencontainers.image.source=https://github.com/goauthentik/authentik
 LABEL org.opencontainers.image.version=${VERSION}
 LABEL org.opencontainers.image.revision=${GIT_BUILD_HASH}
 
+RUN apt-get update && \
+    apt-get upgrade -y && \
+    apt-get clean && \
+    rm -rf /tmp/* /var/lib/apt/lists/*
+
 COPY --from=builder /go/radius /
 
 HEALTHCHECK --interval=5s --retries=20 --start-period=3s CMD [ "/radius", "healthcheck" ]

schema.yml

@@ -26248,6 +26248,11 @@ paths:
         name: password_login_update_internal_password
         schema:
           type: boolean
+      - in: query
+        name: pbm_uuid
+        schema:
+          type: string
+          format: uuid
       - in: query
         name: realm
         schema:
@@ -26620,6 +26625,11 @@ paths:
         name: password_login_update_internal_password
         schema:
           type: boolean
+      - in: query
+        name: pbm_uuid
+        schema:
+          type: string
+          format: uuid
       - in: query
         name: peer_certificate
         schema:
@@ -27049,6 +27059,11 @@ paths:
         description: Number of results to return per page.
         schema:
           type: integer
+      - in: query
+        name: pbm_uuid
+        schema:
+          type: string
+          format: uuid
       - in: query
         name: policy_engine_mode
         schema:
@@ -27418,6 +27433,11 @@ paths:
         description: Number of results to return per page.
         schema:
           type: integer
+      - in: query
+        name: pbm_uuid
+        schema:
+          type: string
+          format: uuid
       - in: query
         name: policy_engine_mode
         schema:
@@ -27821,6 +27841,11 @@ paths:
         description: Number of results to return per page.
         schema:
           type: integer
+      - in: query
+        name: pbm_uuid
+        schema:
+          type: string
+          format: uuid
       - in: query
         name: policy_engine_mode
         schema:
@@ -28184,6 +28209,11 @@ paths:
         description: Number of results to return per page.
         schema:
           type: integer
+      - in: query
+        name: pbm_uuid
+        schema:
+          type: string
+          format: uuid
       - name: search
         required: false
         in: query

web/package.json

@@ -11,7 +11,7 @@
         "@floating-ui/dom": "^1.6.11",
         "@formatjs/intl-listformat": "^7.5.7",
         "@fortawesome/fontawesome-free": "^6.6.0",
-        "@goauthentik/api": "^2024.12.2-1736779617",
+        "@goauthentik/api": "^2024.12.2-1737631633",
         "@lit-labs/ssr": "^3.2.2",
         "@lit/context": "^1.1.2",
         "@lit/localize": "^0.12.2",
@@ -125,6 +125,7 @@
         "lint:nightmare": "wireit",
         "lint:package": "wireit",
         "lint:precommit": "wireit",
+        "lint:types": "wireit",
         "lit-analyse": "wireit",
         "postinstall": "bash scripts/patch-spotlight.sh",
         "precommit": "wireit",