From 0a8da376fcd36b98047e1ac34550c0c5d003396f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 24 Feb 2021 09:13:07 +0100 Subject: [PATCH 01/20] build(deps-dev): bump typescript from 4.1.5 to 4.2.2 in /web (#587) Bumps [typescript](https://github.com/Microsoft/TypeScript) from 4.1.5 to 4.2.2. - [Release notes](https://github.com/Microsoft/TypeScript/releases) - [Commits](https://github.com/Microsoft/TypeScript/commits) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- web/package-lock.json | 6 +++--- web/package.json | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/web/package-lock.json b/web/package-lock.json index 78e77bddc..c31f9146b 100644 --- a/web/package-lock.json +++ b/web/package-lock.json @@ -3326,9 +3326,9 @@ "dev": true }, "typescript": { - "version": "4.1.5", - "resolved": "https://registry.npmjs.org/typescript/-/typescript-4.1.5.tgz", - "integrity": "sha512-6OSu9PTIzmn9TCDiovULTnET6BgXtDYL4Gg4szY+cGsc3JP1dQL8qvE8kShTRx1NIw4Q9IBHlwODjkjWEtMUyA==", + "version": "4.2.2", + "resolved": "https://registry.npmjs.org/typescript/-/typescript-4.2.2.tgz", + "integrity": "sha512-tbb+NVrLfnsJy3M59lsDgrzWIflR4d4TIUjz+heUnHZwdF7YsrMTKoRERiIvI2lvBG95dfpLxB21WZhys1bgaQ==", "dev": true }, "uglify-js": { diff --git a/web/package.json b/web/package.json index 3786254e4..875702561 100644 --- a/web/package.json +++ b/web/package.json @@ -42,6 +42,6 @@ "rollup-plugin-sourcemaps": "^0.6.3", "rollup-plugin-terser": "^7.0.2", "ts-lit-plugin": "^1.2.1", - "typescript": "^4.1.5" + "typescript": "^4.2.2" } } From d06a44378dbe0c86529cfbeab985a8a6020b3d17 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 24 Feb 2021 09:13:20 +0100 Subject: [PATCH 02/20] build(deps): bump boto3 from 1.17.13 to 1.17.14 (#586) Bumps [boto3](https://github.com/boto/boto3) from 1.17.13 to 1.17.14. - [Release notes](https://github.com/boto/boto3/releases) - [Changelog](https://github.com/boto/boto3/blob/develop/CHANGELOG.rst) - [Commits](https://github.com/boto/boto3/compare/1.17.13...1.17.14) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- Pipfile.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/Pipfile.lock b/Pipfile.lock index a7db6e4db..12e208b7d 100644 --- a/Pipfile.lock +++ b/Pipfile.lock @@ -116,18 +116,18 @@ }, "boto3": { "hashes": [ - "sha256:27e9eb7d03ace9602777d0e808901812dfbb0c8c3e9454ab10e7ad1656a86a2d", - "sha256:58823abe27f3ab76761e6ba421ceed9f6011da2267d1622547efb358be507896" + "sha256:95e23684bccdb0e02910fd71586ca2a1941a0f96ba1a8753e5f1e990c8fd25d9", + "sha256:a1dc13aa5fac7bc6df0ca29e0a93e320a7a2370f9fe03cfb7284090d9180b97a" ], "index": "pypi", - "version": "==1.17.13" + "version": "==1.17.14" }, "botocore": { "hashes": [ - "sha256:84d44036b1c174d4973c58387acefd851e71fed3ae8cc818b76b817556b59156", - "sha256:9ae7785f8d5150b720a4b5ddde7b4b4da447da1d084375fc5de61f8b0ae46023" + "sha256:2a07533de92603607c8b594ff92647f5d5a39e75f66c9476ccd30ed4d6de37ae", + "sha256:38f73dca0e3f2448ad91f6dbff99fc09ec1b2b9250a8b4871c90b8296f87d572" ], - "version": "==1.20.13" + "version": "==1.20.14" }, "cachetools": { "hashes": [ From e74c098b7a4063669b76ef4af66b8e825dd6c0db Mon Sep 17 00:00:00 2001 From: Jens Langhammer Date: Wed, 24 Feb 2021 09:21:16 +0100 Subject: [PATCH 03/20] web: fix library not being full height, again --- web/src/pages/LibraryPage.ts | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) 
diff --git a/web/src/pages/LibraryPage.ts b/web/src/pages/LibraryPage.ts index fa0ae7c7b..7928272c9 100644 --- a/web/src/pages/LibraryPage.ts +++ b/web/src/pages/LibraryPage.ts @@ -14,10 +14,6 @@ export class LibraryApplication extends LitElement { static get styles(): CSSResult[] { return COMMON_STYLES.concat( css` - :host, - main { - height: 100%; - } a { height: 100%; } @@ -59,7 +55,12 @@ export class LibraryPage extends LitElement { apps?: AKResponse; static get styles(): CSSResult[] { - return COMMON_STYLES; + return COMMON_STYLES.concat(css` + :host, + main { + height: 100%; + } + `); } firstUpdated(): void { From 9049593ff5051eb3a88d83e67ac2e0e1c5dc6852 Mon Sep 17 00:00:00 2001 From: Jens Langhammer Date: Wed, 24 Feb 2021 09:23:19 +0100 Subject: [PATCH 04/20] sources/oauth: fix buttons not being ak-root-link --- authentik/sources/oauth/templates/oauth_client/user.html | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/authentik/sources/oauth/templates/oauth_client/user.html b/authentik/sources/oauth/templates/oauth_client/user.html index 0576f0971..ff69eaa91 100644 --- a/authentik/sources/oauth/templates/oauth_client/user.html +++ b/authentik/sources/oauth/templates/oauth_client/user.html @@ -9,13 +9,13 @@
{% if connections.exists %}

{% trans 'Connected.' %}

- {% trans 'Disconnect' %} {% else %}

Not connected.

- {% trans 'Connect' %} From d99a41550271b3221789048e56611f3cc824fdff Mon Sep 17 00:00:00 2001 From: Jens Langhammer Date: Wed, 24 Feb 2021 09:21:16 +0100 Subject: [PATCH 05/20] web: fix library not being full height, again --- web/src/pages/LibraryPage.ts | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/web/src/pages/LibraryPage.ts b/web/src/pages/LibraryPage.ts index 19e3f17d8..7928272c9 100644 --- a/web/src/pages/LibraryPage.ts +++ b/web/src/pages/LibraryPage.ts @@ -55,7 +55,12 @@ export class LibraryPage extends LitElement { apps?: AKResponse; static get styles(): CSSResult[] { - return COMMON_STYLES; + return COMMON_STYLES.concat(css` + :host, + main { + height: 100%; + } + `); } firstUpdated(): void { From bba43c510912a00f2e79747d939aefd5a5bf58df Mon Sep 17 00:00:00 2001 From: Jens Langhammer Date: Wed, 24 Feb 2021 09:23:19 +0100 Subject: [PATCH 06/20] sources/oauth: fix buttons not being ak-root-link --- authentik/sources/oauth/templates/oauth_client/user.html | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/authentik/sources/oauth/templates/oauth_client/user.html b/authentik/sources/oauth/templates/oauth_client/user.html index 0576f0971..ff69eaa91 100644 --- a/authentik/sources/oauth/templates/oauth_client/user.html +++ b/authentik/sources/oauth/templates/oauth_client/user.html @@ -9,13 +9,13 @@
{% if connections.exists %}

{% trans 'Connected.' %}

- {% trans 'Disconnect' %} {% else %}

Not connected.

- {% trans 'Connect' %} From ce0140ef679f55aee357198050a4e6cc2bd20b16 Mon Sep 17 00:00:00 2001 From: Jens Langhammer Date: Thu, 11 Feb 2021 19:56:39 +0100 Subject: [PATCH 07/20] events: pass Event's user to Notification policy engine when present --- authentik/events/tasks.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/authentik/events/tasks.py b/authentik/events/tasks.py index 68b46f92b..6027ecb97 100644 --- a/authentik/events/tasks.py +++ b/authentik/events/tasks.py @@ -2,6 +2,7 @@ from guardian.shortcuts import get_anonymous_user from structlog import get_logger +from authentik.core.models import User from authentik.events.models import ( Event, Notification, @@ -53,7 +54,8 @@ def event_trigger_handler(event_uuid: str, trigger_name: str): return LOGGER.debug("e(trigger): checking if trigger applies", trigger=trigger) - policy_engine = PolicyEngine(trigger, get_anonymous_user()) + user = User.objects.filter(pk=event.user.get("pk")) or get_anonymous_user() + policy_engine = PolicyEngine(trigger, user) policy_engine.mode = PolicyEngineMode.MODE_OR policy_engine.empty_result = False policy_engine.use_cache = False From 86c069fe64647fcce56f15fc1fd5910bd9e01879 Mon Sep 17 00:00:00 2001 From: Jens Langhammer Date: Thu, 11 Feb 2021 20:17:45 +0100 Subject: [PATCH 08/20] admin: fix policy list not having a refresh button --- authentik/admin/templates/administration/policy/list.html | 3 +++ 1 file changed, 3 insertions(+) diff --git a/authentik/admin/templates/administration/policy/list.html b/authentik/admin/templates/administration/policy/list.html index 5397403c0..3b4d35a9a 100644 --- a/authentik/admin/templates/administration/policy/list.html +++ b/authentik/admin/templates/administration/policy/list.html @@ -41,6 +41,9 @@ {% endfor %} +
{% include 'partials/pagination.html' %}
From c1caf84d926535d06283f86cf4990d78c99729e0 Mon Sep 17 00:00:00 2001 From: Jens Langhammer Date: Thu, 11 Feb 2021 23:36:22 +0100 Subject: [PATCH 09/20] events: fix user QuerySet being passed --- authentik/events/tasks.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/authentik/events/tasks.py b/authentik/events/tasks.py index 6027ecb97..8f6309da7 100644 --- a/authentik/events/tasks.py +++ b/authentik/events/tasks.py @@ -54,7 +54,7 @@ def event_trigger_handler(event_uuid: str, trigger_name: str): return LOGGER.debug("e(trigger): checking if trigger applies", trigger=trigger) - user = User.objects.filter(pk=event.user.get("pk")) or get_anonymous_user() + user = User.objects.filter(pk=event.user.get("pk")).first() or get_anonymous_user() policy_engine = PolicyEngine(trigger, user) policy_engine.mode = PolicyEngineMode.MODE_OR policy_engine.empty_result = False From 1abcff39c7a6f837beb1a8ca00a16f8948d998f5 Mon Sep 17 00:00:00 2001 From: Jens Langhammer Date: Thu, 11 Feb 2021 23:48:54 +0100 Subject: [PATCH 10/20] outpost: improve logging output, ensure fields match api server --- outpost/pkg/ak/api.go | 6 ++++-- outpost/pkg/ak/api_ws.go | 4 ++-- outpost/pkg/ak/global.go | 7 ++++++- outpost/pkg/proxy/api.go | 2 +- outpost/pkg/proxy/api_bundle.go | 2 +- outpost/pkg/proxy/middleware.go | 26 ++++++++++++-------------- outpost/pkg/proxy/proxy.go | 6 ++++-- outpost/pkg/proxy/server.go | 14 +++++++++----- 8 files changed, 39 insertions(+), 28 deletions(-) diff --git a/outpost/pkg/ak/api.go b/outpost/pkg/ak/api.go index 22703c76e..2cb94517a 100644 --- a/outpost/pkg/ak/api.go +++ b/outpost/pkg/ak/api.go 
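Review bot: The fallback to `get_anonymous_user()` in `event_trigger_handler` is silent: when `event.user` carries no `pk`, or the pk no longer resolves to a row, `.first()` returns `None` and the trigger's policies are evaluated as the anonymous user with nothing in the log to show it. Because that evaluation decides whether a notification is produced, a debug line on the fallback path would make the substitution visible, e.g. `LOGGER.debug("e(trigger): event user not found, using anonymous user", trigger=trigger)`. The expression also assumes `event.user` is always a dict; that is not shown in the hunk and is worth confirming. The function body starts and ends outside the hunk.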
@@ -49,12 +49,14 @@ func NewAPIController(pbURL url.URL, token string) *APIController { // create the API client, with the transport apiClient := client.New(transport, strfmt.Default) + log := log.WithField("logger", "authentik.outpost.ak-api-controller") + // Because we don't know the outpost UUID, we simply do a list and pick the first // The service account this token belongs to should only have access to a single outpost outposts, err := apiClient.Outposts.OutpostsOutpostsList(outposts.NewOutpostsOutpostsListParams(), auth) if err != nil { - panic(err) + log.WithError(err).Panic("Failed to fetch configuration") } outpost := outposts.Payload.Results[0] doGlobalSetup(outpost.Config.(map[string]interface{})) @@ -64,7 +66,7 @@ func NewAPIController(pbURL url.URL, token string) *APIController { Auth: auth, token: token, - logger: log.WithField("component", "ak-api-controller"), + logger: log, reloadOffset: time.Duration(rand.Intn(10)) * time.Second, diff --git a/outpost/pkg/ak/api_ws.go b/outpost/pkg/ak/api_ws.go index 93eace7f3..c2fe4dc31 100644 --- a/outpost/pkg/ak/api_ws.go +++ b/outpost/pkg/ak/api_ws.go @@ -40,7 +40,7 @@ func (ac *APIController) initWS(pbURL url.URL, outpostUUID strfmt.UUID) { } ws.Dial(fmt.Sprintf(pathTemplate, scheme, pbURL.Host, outpostUUID.String()), header) - ac.logger.WithField("component", "ak-ws").WithField("outpost", outpostUUID.String()).Debug("connecting to authentik") + ac.logger.WithField("logger", "authentik.outpost.ak-ws").WithField("outpost", outpostUUID.String()).Debug("connecting to authentik") ac.wsConn = ws // Send hello message with our version @@ -52,7 +52,7 @@ func (ac *APIController) initWS(pbURL url.URL, outpostUUID strfmt.UUID) { } err := ws.WriteJSON(msg) if err != nil { - ac.logger.WithField("component", "ak-ws").WithError(err).Warning("Failed to hello to authentik") + ac.logger.WithField("logger", "authentik.outpost.ak-ws").WithError(err).Warning("Failed to hello to authentik") } } 
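Review bot: `outposts.Payload.Results[0]`, right after the new error branch in `NewAPIController`, is still indexed without a length check, so a token whose service account can see no outpost ends in an index-out-of-range panic instead of the structured `Failed to fetch configuration` message this hunk introduces. A guard before the index keeps both failure modes on the new logger: `if len(outposts.Payload.Results) < 1 { log.Panic("No outposts found with given token") }`. The local `log := log.WithField(...)` also shadows the logrus package for the rest of the function, which is easy to trip over later; a name such as `logger` avoids that. The function continues past the end of the hunk.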
diff --git a/outpost/pkg/ak/global.go b/outpost/pkg/ak/global.go index d3d509cfd..f6678f6b9 100644 --- a/outpost/pkg/ak/global.go +++ b/outpost/pkg/ak/global.go @@ -13,7 +13,12 @@ import ( ) func doGlobalSetup(config map[string]interface{}) { - log.SetFormatter(&log.JSONFormatter{}) + log.SetFormatter(&log.JSONFormatter{ + FieldMap: log.FieldMap{ + log.FieldKeyMsg: "event", + log.FieldKeyTime: "timestamp", + }, + }) switch config[ConfigLogLevel].(string) { case "debug": log.SetLevel(log.DebugLevel) diff --git a/outpost/pkg/proxy/api.go b/outpost/pkg/proxy/api.go index ee44f4a73..87d982a78 100644 --- a/outpost/pkg/proxy/api.go +++ b/outpost/pkg/proxy/api.go @@ -31,7 +31,7 @@ func (s *Server) bundleProviders(providers []*models.ProxyOutpostConfig) []*prov bundles[idx] = &providerBundle{ s: s, Host: externalHost.Host, - log: log.WithField("component", "proxy-bundle").WithField("provider", provider.Name), + log: log.WithField("logger", "authentik.outpost.proxy-bundle").WithField("provider", provider.Name), } bundles[idx].Build(provider) } diff --git a/outpost/pkg/proxy/api_bundle.go b/outpost/pkg/proxy/api_bundle.go index 10f61d9b1..55a94794e 100644 --- a/outpost/pkg/proxy/api_bundle.go +++ b/outpost/pkg/proxy/api_bundle.go @@ -129,7 +129,7 @@ func (pb *providerBundle) Build(provider *models.ProxyOutpostConfig) { log.Printf("%s", err) os.Exit(1) } - oauthproxy, err := NewOAuthProxy(opts) + oauthproxy, err := NewOAuthProxy(opts, provider) if err != nil { log.Errorf("ERROR: Failed to initialise OAuth2 Proxy: %v", err) os.Exit(1) diff --git a/outpost/pkg/proxy/middleware.go b/outpost/pkg/proxy/middleware.go index ae95ed346..3e9e924fc 100644 --- a/outpost/pkg/proxy/middleware.go +++ b/outpost/pkg/proxy/middleware.go 
@@ -95,7 +95,7 @@ type loggingHandler struct { func LoggingHandler(h http.Handler) http.Handler { return loggingHandler{ handler: h, - logger: log.WithField("component", "proxy-http-server"), + logger: log.WithField("logger", "authentik.outpost.proxy-http-server"), } } @@ -104,19 +104,17 @@ func (h loggingHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) { url := *req.URL responseLogger := &responseLogger{w: w} h.handler.ServeHTTP(responseLogger, req) - duration := float64(time.Since(t)) / float64(time.Second) + duration := float64(time.Since(t)) / float64(time.Millisecond) h.logger.WithFields(log.Fields{ - "Client": req.RemoteAddr, - "Host": req.Host, - "Protocol": req.Proto, - "RequestDuration": fmt.Sprintf("%0.3f", duration), - "RequestMethod": req.Method, - "ResponseSize": responseLogger.Size(), - "StatusCode": responseLogger.Status(), - "Timestamp": t, - "Upstream": responseLogger.upstream, - "UserAgent": req.UserAgent(), - "Username": responseLogger.authInfo, + "host": req.RemoteAddr, + "vhost": req.Host, + "request_protocol": req.Proto, + "runtime": fmt.Sprintf("%0.3f", duration), + "method": req.Method, + "size": responseLogger.Size(), + "status": responseLogger.Status(), + "upstream": responseLogger.upstream, + "request_useragent": req.UserAgent(), + "request_username": responseLogger.authInfo, }).Info(url.RequestURI()) - // logger.PrintReq(responseLogger.authInfo, responseLogger.upstream, req, url, t, , ) } diff --git a/outpost/pkg/proxy/proxy.go b/outpost/pkg/proxy/proxy.go index 366c0a75e..44643c959 100644 --- a/outpost/pkg/proxy/proxy.go +++ b/outpost/pkg/proxy/proxy.go @@ -21,6 +21,7 @@ import ( "github.com/oauth2-proxy/oauth2-proxy/pkg/sessions" "github.com/oauth2-proxy/oauth2-proxy/pkg/upstream" "github.com/oauth2-proxy/oauth2-proxy/providers" + "goauthentik.io/outpost/pkg/models" log "github.com/sirupsen/logrus" ) 
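Review bot: The access-log entry in `loggingHandler.ServeHTTP` still uses `url.RequestURI()` as its message, and that includes the query string; for a proxy that handles OAuth redirects this may put authorization codes or `state` values into the logs (inferred, the callback routes are not in this hunk). Consider logging `url.Path` as the event and, if the query is needed, a redacted copy as a separate field. `host` now carries `req.RemoteAddr`, which is the `ip:port` of the direct peer; if the goal is to match the API server's fields, confirm that it records the same thing rather than a forwarded client IP. `runtime` is switched to milliseconds but is still emitted as a `%0.3f` string rather than a number.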
@@ -92,8 +93,8 @@ type OAuthProxy struct { } // NewOAuthProxy creates a new instance of OAuthProxy from the options provided -func NewOAuthProxy(opts *options.Options) (*OAuthProxy, error) { - logger := log.WithField("component", "proxy").WithField("client-id", opts.ClientID) +func NewOAuthProxy(opts *options.Options, provider *models.ProxyOutpostConfig) (*OAuthProxy, error) { + logger := log.WithField("logger", "authentik.outpost.proxy").WithField("provider", provider.Name) sessionStore, err := sessions.NewSessionStore(&opts.Session, &opts.Cookie) if err != nil { return nil, fmt.Errorf("error initialising session store: %v", err) @@ -434,6 +435,7 @@ func (p *OAuthProxy) addHeadersForProxying(rw http.ResponseWriter, req *http.Req authVal := b64.StdEncoding.EncodeToString([]byte(username + ":" + password)) req.Header["Authorization"] = []string{fmt.Sprintf("Basic %s", authVal)} } + rw.Header().Set("GAP-Auth", session.PreferredUsername) // Check if user has additional headers set that we should sent if additionalHeaders, ok := userAttributes["additionalHeaders"].(map[string]string); ok { if additionalHeaders == nil { diff --git a/outpost/pkg/proxy/server.go b/outpost/pkg/proxy/server.go index 23db5fc8e..e01dbee95 100644 --- a/outpost/pkg/proxy/server.go +++ b/outpost/pkg/proxy/server.go @@ -6,6 +6,7 @@ import ( "errors" "net" "net/http" + "strings" "time" log "github.com/sirupsen/logrus" @@ -30,7 +31,7 @@ func NewServer(ac *ak.APIController) *Server { } return &Server{ Handlers: make(map[string]*providerBundle), - logger: log.WithField("component", "proxy-http-server"), + logger: log.WithField("logger", "authentik.outpost.proxy-http-server"), defaultCert: defaultCert, ak: ac, } 
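Review bot: `rw.Header().Set("GAP-Auth", session.PreferredUsername)` in `addHeadersForProxying` writes the username into the response header map, so it reaches the client unless something removes it before the headers are written. The `responseLogger` that fills `authInfo` is outside this hunk; please confirm that it deletes `GAP-Auth` after reading it, and say so next to this line, e.g. `// GAP-Auth is read and stripped by the logging handler, never sent to the client`. If that stripping is not guaranteed on every path (for example a handler that is not wrapped by `LoggingHandler`), carrying the username in the request context instead of a response header would be safer.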
@@ -50,12 +51,15 @@ func (s *Server) handler(w http.ResponseWriter, r *http.Request) { return } } - s.logger.WithField("host", r.Host).Debug("Host header does not match any we know of") - s.logger.Printf("%v+\n", s.Handlers) - w.WriteHeader(400) + // Get a list of all host keys we know + hostKeys := make([]string, 0, len(s.Handlers)) + for k := range s.Handlers { + hostKeys = append(hostKeys, k) + } + s.logger.WithField("host", r.Host).WithField("known-hosts", strings.Join(hostKeys, ", ")).Debug("Host header does not match any we know of") + w.WriteHeader(404) return } - s.logger.WithField("host", r.Host).Debug("passing request from host head") handler.ServeHTTP(w, r) } From f33369bf0caf589d2ccadc436efc708bb9bb2620 Mon Sep 17 00:00:00 2001 From: Jens Langhammer Date: Fri, 12 Feb 2021 11:53:49 +0100 Subject: [PATCH 11/20] helm: add initial wait for healthcheck --- helm/templates/web-deployment.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/helm/templates/web-deployment.yaml b/helm/templates/web-deployment.yaml index c30562287..2397a5b36 100644 --- a/helm/templates/web-deployment.yaml +++ b/helm/templates/web-deployment.yaml @@ -99,10 +99,12 @@ spec: httpGet: path: /-/health/live/ port: http + initialDelaySeconds: 15 readinessProbe: httpGet: path: /-/health/ready/ port: http + initialDelaySeconds: 15 resources: requests: cpu: 100m From a07d7456c8294b9d3690fad0e91d30fb5ede0318 Mon Sep 17 00:00:00 2001 From: Jens Langhammer Date: Fri, 12 Feb 2021 11:56:14 +0100 Subject: [PATCH 12/20] web: fix outpost edit/delete buttons --- web/src/pages/outposts/OutpostListPage.ts | 4 ++-- website/docs/releases/next.md | 14 ++++++++++++++ 2 files changed, 16 insertions(+), 2 deletions(-) create mode 100644 website/docs/releases/next.md diff --git a/web/src/pages/outposts/OutpostListPage.ts b/web/src/pages/outposts/OutpostListPage.ts index d155c6596..8246f8820 100644 --- a/web/src/pages/outposts/OutpostListPage.ts +++ b/web/src/pages/outposts/OutpostListPage.ts 
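Review bot: The known-hosts list in `Server.handler` is built and joined on every request whose Host header matches nothing, before any authentication and even when debug logging is off. That path is reachable by any client that sends an arbitrary Host value, so it is cheaper to wrap the loop and the log call in `if s.logger.Logger.IsLevelEnabled(log.DebugLevel) { ... }`. `r.Host` is client-controlled; the JSON formatter set in `doGlobalSetup` should escape it, but that dependency deserves a short comment in case the formatter changes. The start of the function is outside the hunk.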
@@ -52,13 +52,13 @@ export class OutpostListPage extends TablePage { })}`, html``, html` - + ${gettext("Edit")}
  - + ${gettext("Delete")} diff --git a/website/docs/releases/next.md b/website/docs/releases/next.md new file mode 100644 index 000000000..b9561d4c8 --- /dev/null +++ b/website/docs/releases/next.md @@ -0,0 +1,14 @@ +--- +title: Next release +--- + +## Headline Changes + +- Simplify role-based access + + Instead of having to create a Group Membership policy for every group you want to use, you can now select a Group and even a User directly in a binding. + + When a group is selected, the binding behaves the same as if a Group Membership policy exists. + + When a user is selected, the binding checks the user of the request, and denies the request when the user doesn't match. + From 7b60bca2979045358aa339692fa91799245da45e Mon Sep 17 00:00:00 2001 From: Jens Langhammer Date: Sat, 13 Feb 2021 18:11:29 +0100 Subject: [PATCH 13/20] web: fix SiteShell breaking links when handlers are updated twice --- web/src/pages/generic/SiteShell.ts | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/web/src/pages/generic/SiteShell.ts b/web/src/pages/generic/SiteShell.ts index d5ca0100e..687fc8d78 100644 --- a/web/src/pages/generic/SiteShell.ts +++ b/web/src/pages/generic/SiteShell.ts @@ -89,10 +89,14 @@ export class SiteShell extends LitElement { if (a.href === "") { return; } + if (a.href.startsWith("#")) { + return; + } try { const url = new URL(a.href); const qs = url.search || ""; - a.href = `#${url.pathname}${qs}`; + const hash = (url.hash || "#").substring(2, Infinity); + a.href = `#${url.pathname}${qs}${hash}`; } catch (e) { console.debug(`authentik/site-shell: error ${e}`); a.href = `#${a.href}`; From 5aabaebd96bcc403ea4a01e05c0d19e55ddf6164 Mon Sep 17 00:00:00 2001 From: Jens Langhammer Date: Tue, 16 Feb 2021 19:14:08 +0100 Subject: [PATCH 14/20] root: fix request_id not being logged for actual asgi requests --- authentik/core/middleware.py | 3 ++- authentik/root/asgi.py | 18 ++++++++++++++---- 2 files changed, 16 insertions(+), 5 deletions(-) 
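Review bot: The new `a.href.startsWith("#")` guard in `SiteShell` probably never matches: if `a` is an `HTMLAnchorElement` (its selection is outside the hunk), the `href` property is the fully resolved URL, so an already-rewritten link reads as an absolute URL ending in `#/path`, not as `#/path`. Checking the raw attribute does what the guard seems to intend: `if (a.getAttribute("href")?.startsWith("#")) { return; }`. Related to that, `(url.hash || "#").substring(2, Infinity)` drops the character after `#` whatever it is, and the rewrite to `#${url.pathname}...` never compares `url.origin` with `window.location.origin`, so a link to another origin loses its host and becomes a local route. A short comment stating which href shapes are expected here would help the next reader.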
diff --git a/authentik/core/middleware.py b/authentik/core/middleware.py index 9b43485e9..1f09555b7 100644 --- a/authentik/core/middleware.py +++ b/authentik/core/middleware.py @@ -9,6 +9,7 @@ from django.http import HttpRequest, HttpResponse SESSION_IMPERSONATE_USER = "authentik_impersonate_user" SESSION_IMPERSONATE_ORIGINAL_USER = "authentik_impersonate_original_user" LOCAL = local() +RESPONSE_HEADER_ID = "X-authentik-id" class ImpersonateMiddleware: @@ -43,7 +44,7 @@ class RequestIDMiddleware: setattr(request, "request_id", request_id) LOCAL.authentik = {"request_id": request_id} response = self.get_response(request) - response["X-authentik-id"] = request.request_id + response[RESPONSE_HEADER_ID] = request.request_id del LOCAL.authentik["request_id"] return response diff --git a/authentik/root/asgi.py b/authentik/root/asgi.py index a7aaa605b..f8bd1fadf 100644 --- a/authentik/root/asgi.py +++ b/authentik/root/asgi.py @@ -18,6 +18,8 @@ from django.core.asgi import get_asgi_application from sentry_sdk.integrations.asgi import SentryAsgiMiddleware from structlog.stdlib import get_logger +from authentik.core.middleware import RESPONSE_HEADER_ID + # DJANGO_SETTINGS_MODULE is set in gunicorn.conf.py defuse_stdlib() @@ -67,6 +69,7 @@ class ASGILogger: status_code: int start: float content_length: int + request_id: str def __init__(self, app: ASGIApp): self.app = app 
@@ -75,23 +78,29 @@ class ASGILogger: self.scope = scope self.content_length = 0 self.headers = dict(scope.get("headers", [])) + self.request_id = "" async def send_hooked(message: Message) -> None: """Hooked send method, which records status code and content-length, and for the final requests logs it""" headers = dict(message.get("headers", [])) - if "status" in message: self.status_code = message["status"] if b"Content-Length" in headers: self.content_length += int(headers.get(b"Content-Length", b"0")) + if message["type"] == "http.response.start": + response_headers = dict(message["headers"]) + self.request_id = response_headers.get( + RESPONSE_HEADER_ID.encode(), b"" + ).decode() + if message["type"] == "http.response.body" and not message.get( - "more_body", None + "more_body", True ): runtime = int((time() - self.start) * 1000) - self.log(runtime) + self.log(runtime, request_id=self.request_id) await send(message) self.start = time() @@ -111,7 +120,7 @@ class ASGILogger: # Check if header has multiple values, and use the first one return client_ip.split(", ")[0] - def log(self, runtime: float): + def log(self, runtime: float, **kwargs): """Outpot access logs in a structured format""" host = self._get_ip() query_string = "" @@ -125,6 +134,7 @@ class ASGILogger: status=self.status_code, size=self.content_length / 1000 if self.content_length > 0 else 0, runtime=runtime, + **kwargs, ) From e81d3dad3e3f3eb003d014103a16dc9114abab73 Mon Sep 17 00:00:00 2001 
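Review bot: With the default changed to `message.get("more_body", True)`, a final `http.response.body` message that omits `more_body` is never logged; the ASGI spec treats a missing `more_body` as `False`, so the check should read `if message["type"] == "http.response.body" and not message.get("more_body", False):`. Responses whose last chunk omits the key would otherwise leave no access-log line at all. In the same hunk, `dict(message["headers"])` rebuilds the `headers` dict already computed at the top of `send_hooked` and raises `KeyError` when a start message carries no headers; `headers.get(RESPONSE_HEADER_ID.encode(), b"")` reuses it. The lookup is also case-sensitive while ASGI servers may lower-case header names, so matching on `RESPONSE_HEADER_ID.lower().encode()` as well is safer.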
From: Jens Langhammer Date: Wed, 24 Feb 2021 09:54:06 +0100 Subject: [PATCH 15/20] release: 2021.2.5-stable --- .bumpversion.cfg | 2 +- .github/workflows/release.yml | 14 +++++++------- authentik/__init__.py | 2 +- docker-compose.yml | 6 +++--- helm/Chart.yaml | 2 +- helm/README.md | 2 +- helm/values.yaml | 2 +- outpost/pkg/version.go | 2 +- web/src/constants.ts | 2 +- website/docs/installation/docker-compose.md | 2 +- website/docs/installation/kubernetes.md | 2 +- 11 files changed, 19 insertions(+), 19 deletions(-) diff --git a/.bumpversion.cfg b/.bumpversion.cfg index fbde65ca7..e7986c0b4 100644 --- a/.bumpversion.cfg +++ b/.bumpversion.cfg @@ -1,5 +1,5 @@ [bumpversion] -current_version = 2021.2.4-stable +current_version = 2021.2.5-stable tag = True commit = True parse = (?P\d+)\.(?P\d+)\.(?P\d+)\-(?P.*) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 5cbcca3a4..1a6bda5f2 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -18,11 +18,11 @@ jobs: - name: Building Docker Image run: docker build --no-cache - -t beryju/authentik:2021.2.4-stable + -t beryju/authentik:2021.2.5-stable -t beryju/authentik:latest -f Dockerfile . - name: Push Docker Container to Registry (versioned) - run: docker push beryju/authentik:2021.2.4-stable + run: docker push beryju/authentik:2021.2.5-stable - name: Push Docker Container to Registry (latest) run: docker push beryju/authentik:latest build-proxy: @@ -48,11 +48,11 @@ jobs: cd outpost/ docker build \ --no-cache \ - -t beryju/authentik-proxy:2021.2.4-stable \ + -t beryju/authentik-proxy:2021.2.5-stable \ -t beryju/authentik-proxy:latest \ -f proxy.Dockerfile . - name: Push Docker Container to Registry (versioned) - run: docker push beryju/authentik-proxy:2021.2.4-stable + run: docker push beryju/authentik-proxy:2021.2.5-stable - name: Push Docker Container to Registry (latest) run: docker push beryju/authentik-proxy:latest build-static: 
@@ -69,11 +69,11 @@ jobs: cd web/ docker build \ --no-cache \ - -t beryju/authentik-static:2021.2.4-stable \ + -t beryju/authentik-static:2021.2.5-stable \ -t beryju/authentik-static:latest \ -f Dockerfile . - name: Push Docker Container to Registry (versioned) - run: docker push beryju/authentik-static:2021.2.4-stable + run: docker push beryju/authentik-static:2021.2.5-stable - name: Push Docker Container to Registry (latest) run: docker push beryju/authentik-static:latest test-release: @@ -107,5 +107,5 @@ jobs: SENTRY_PROJECT: authentik SENTRY_URL: https://sentry.beryju.org with: - tagName: 2021.2.4-stable + tagName: 2021.2.5-stable environment: beryjuorg-prod diff --git a/authentik/__init__.py b/authentik/__init__.py index f01befede..404535b55 100644 --- a/authentik/__init__.py +++ b/authentik/__init__.py @@ -1,2 +1,2 @@ """authentik""" -__version__ = "2021.2.4-stable" +__version__ = "2021.2.5-stable" diff --git a/docker-compose.yml b/docker-compose.yml index eaf5d808f..d2cac481a 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -19,7 +19,7 @@ services: networks: - internal server: - image: beryju/authentik:${AUTHENTIK_TAG:-2021.2.4-stable} + image: beryju/authentik:${AUTHENTIK_TAG:-2021.2.5-stable} command: server environment: AUTHENTIK_REDIS__HOST: redis @@ -45,7 +45,7 @@ services: env_file: - .env worker: - image: beryju/authentik:${AUTHENTIK_TAG:-2021.2.4-stable} + image: beryju/authentik:${AUTHENTIK_TAG:-2021.2.5-stable} command: worker networks: - internal @@ -62,7 +62,7 @@ services: env_file: - .env static: - image: beryju/authentik-static:${AUTHENTIK_TAG:-2021.2.4-stable} + image: beryju/authentik-static:${AUTHENTIK_TAG:-2021.2.5-stable} networks: - internal labels: diff --git a/helm/Chart.yaml b/helm/Chart.yaml index d1d5e44c1..5ce17b47b 100644 --- a/helm/Chart.yaml +++ b/helm/Chart.yaml 
@@ -4,7 +4,7 @@ name: authentik home: https://goauthentik.io sources: - https://github.com/BeryJu/authentik -version: "2021.2.4-stable" +version: "2021.2.5-stable" icon: https://raw.githubusercontent.com/BeryJu/authentik/master/web/icons/icon.svg dependencies: - name: postgresql diff --git a/helm/README.md b/helm/README.md index 91190b451..a4e84634a 100644 --- a/helm/README.md +++ b/helm/README.md @@ -4,7 +4,7 @@ |-----------------------------------|-------------------------|-------------| | image.name | beryju/authentik | Image used to run the authentik server and worker | | image.name_static | beryju/authentik-static | Image used to run the authentik static server (CSS and JS Files) | -| image.tag | 2021.2.4-stable | Image tag | +| image.tag | 2021.2.5-stable | Image tag | | image.pullPolicy | IfNotPresent | Image Pull Policy used for all deployments | | serverReplicas | 1 | Replicas for the Server deployment | | workerReplicas | 1 | Replicas for the Worker deployment | diff --git a/helm/values.yaml b/helm/values.yaml index fdec33928..6702fa10a 100644 --- a/helm/values.yaml +++ b/helm/values.yaml @@ -5,7 +5,7 @@ image: name: beryju/authentik name_static: beryju/authentik-static name_outposts: beryju/authentik # Prefix used for Outpost deployments, Outpost type and version is appended - tag: 2021.2.4-stable + tag: 2021.2.5-stable pullPolicy: IfNotPresent serverReplicas: 1 diff --git a/outpost/pkg/version.go b/outpost/pkg/version.go index d80ad67be..965cd8646 100644 --- a/outpost/pkg/version.go +++ b/outpost/pkg/version.go @@ -1,3 +1,3 @@ package pkg -const VERSION = "2021.2.4-stable" +const VERSION = "2021.2.5-stable" diff --git a/web/src/constants.ts b/web/src/constants.ts index 479352474..73871e963 100644 --- a/web/src/constants.ts +++ b/web/src/constants.ts @@ -28,4 +28,4 @@ export const ColorStyles = css` background-color: var(--pf-global--danger-color--100); } `; -export const VERSION = "2021.2.4-stable"; +export const VERSION = "2021.2.5-stable"; 
diff --git a/website/docs/installation/docker-compose.md b/website/docs/installation/docker-compose.md index 09e833e2b..639d592e0 100644 --- a/website/docs/installation/docker-compose.md +++ b/website/docs/installation/docker-compose.md @@ -15,7 +15,7 @@ Download the latest `docker-compose.yml` from [here](https://raw.githubuserconte To optionally enable error-reporting, run `echo AUTHENTIK_ERROR_REPORTING__ENABLED=true >> .env` -To optionally deploy a different version run `echo AUTHENTIK_TAG=2021.2.4-stable >> .env` +To optionally deploy a different version run `echo AUTHENTIK_TAG=2021.2.5-stable >> .env` If this is a fresh authentik install run the following commands to generate a password: diff --git a/website/docs/installation/kubernetes.md b/website/docs/installation/kubernetes.md index ba606711f..ae3300f2b 100644 --- a/website/docs/installation/kubernetes.md +++ b/website/docs/installation/kubernetes.md @@ -24,7 +24,7 @@ image: name: beryju/authentik name_static: beryju/authentik-static name_outposts: beryju/authentik # Prefix used for Outpost deployments, Outpost type and version is appended - tag: 2021.2.4-stable + tag: 2021.2.5-stable serverReplicas: 1 workerReplicas: 1 From a3aacb5285f7da56902b8329822d1e14260f5add Mon Sep 17 00:00:00 2001 From: Jens Langhammer Date: Wed, 24 Feb 2021 10:22:55 +0100 Subject: [PATCH 16/20] docs: add 2021.2.5 --- website/docs/releases/2021.2.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/website/docs/releases/2021.2.md b/website/docs/releases/2021.2.md index bc2aa1445..22bf8fc41 100644 --- a/website/docs/releases/2021.2.md +++ b/website/docs/releases/2021.2.md 
@@ -82,6 +82,18 @@ title: Release 2021.1.2 - admin: fix missing success_urls causing errors on create/update forms - core: fix typo in user settings causing sources to not show +## Fixed in 2021.2.5-stable + +- admin: fix policy list not having a refresh button +- events: pass Event's user to Notification policy engine when present +- helm: add initial wait for healthcheck +- outpost: improve logging output, ensure fields match api server +- root: fix request_id not being logged for actual asgi requests +- sources/oauth: fix buttons not being ak-root-link +- web: fix library not being full height, again +- web: fix outpost edit/delete buttons +- web: fix SiteShell breaking links when handlers are updated twice + ## Upgrading This release does not introduce any new requirements. From c0c235bead90ae8d626e3c79b73a4b5537f6d73c Mon Sep 17 00:00:00 2001 From: Jens Langhammer Date: Wed, 24 Feb 2021 19:39:35 +0100 Subject: [PATCH 17/20] helm: fix initialDelaySeconds --- helm/templates/web-deployment.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/helm/templates/web-deployment.yaml b/helm/templates/web-deployment.yaml index 2397a5b36..d68ced4d5 100644 --- a/helm/templates/web-deployment.yaml +++ b/helm/templates/web-deployment.yaml @@ -99,12 +99,12 @@ spec: httpGet: path: /-/health/live/ port: http - initialDelaySeconds: 15 + initialDelaySeconds: 15 readinessProbe: httpGet: path: /-/health/ready/ port: http - initialDelaySeconds: 15 + initialDelaySeconds: 15 resources: requests: cpu: 100m From d1c24f47b2087a1a19e4110fbefa30dacf7e084d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 25 Feb 2021 09:17:45 +0100 Subject: [PATCH 18/20] build(deps): bump docker from 4.4.3 to 4.4.4 (#588) Bumps [docker](https://github.com/docker/docker-py) from 4.4.3 to 4.4.4. - [Release notes](https://github.com/docker/docker-py/releases) - [Commits](https://github.com/docker/docker-py/compare/4.4.3...4.4.4) 
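Review bot: In helm/templates/web-deployment.yaml both the liveness and the readiness probe keep a hard-coded `initialDelaySeconds: 15`, so an operator whose pods start slowly cannot tune the delay without editing the template, and a liveness probe that starts failing too early restarts the container instead of only holding traffic back (whether startup can exceed 15 seconds, e.g. during migrations after an upgrade, is not visible here). Consider reading the value from the chart values with the current number as the default, e.g. `initialDelaySeconds: {{ .Values.probes.initialDelaySeconds | default 15 }}` (`probes.initialDelaySeconds` is a proposed new key, not one the chart has today), or covering slow starts with a `startupProbe` on `/-/health/live/`. The removed and added lines differ only in indentation, which this page has flattened, so it is worth confirming with `helm template` that the key renders as a sibling of `httpGet` in both probes. The container spec these probes belong to starts and ends outside the hunk.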
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- Pipfile.lock | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/Pipfile.lock b/Pipfile.lock index 12e208b7d..d6dfc6148 100644 --- a/Pipfile.lock +++ b/Pipfile.lock @@ -124,10 +124,10 @@ }, "botocore": { "hashes": [ - "sha256:2a07533de92603607c8b594ff92647f5d5a39e75f66c9476ccd30ed4d6de37ae", - "sha256:38f73dca0e3f2448ad91f6dbff99fc09ec1b2b9250a8b4871c90b8296f87d572" + "sha256:71c5073c7f042dc8d4684c7ddd0ab1fce1e9d1db7ab9cdb0ab4c6bd5a6855db4", + "sha256:e4f6184ef463f047f78d95ff735228d934b34c1fcc22e247076a1dd69c4a7c2d" ], - "version": "==1.20.14" + "version": "==1.20.15" }, "cachetools": { "hashes": [ @@ -414,11 +414,11 @@ }, "docker": { "hashes": [ - "sha256:d4625e70e3d5a12d7cbf1fd68cef2e081ac86b83889e00e5466d975f90e50dad", - "sha256:de5753b7f6486dd541a98393e423e387579b8974a5068748b83f852cc76a89d6" + "sha256:d3393c878f575d3a9ca3b94471a3c89a6d960b35feb92f033c0de36cc9d934db", + "sha256:f3607d5695be025fa405a12aca2e5df702a57db63790c73b927eb6a94aac60af" ], "index": "pypi", - "version": "==4.4.3" + "version": "==4.4.4" }, "drf-yasg2": { "hashes": [ @@ -1076,11 +1076,11 @@ }, "rsa": { "hashes": [ - "sha256:74ba16e7ef58920b80b5c54c1c1066d391a2c1e812c466773f74c634eb12253b", - "sha256:9d74d1ff850745c9802cd6b53382bfeec7f6dbe4e26ee2759241ed1e7b0ecf5d" + "sha256:78f9a9bf4e7be0c5ded4583326e7461e3a3c5aae24073648b4bdfa797d78c9d2", + "sha256:9d689e6ca1b3038bc82bf8d23e944b6b6037bc02301a574935b2dd946e0353b9" ], "markers": "python_version >= '3.6'", - "version": "==4.7.1" + "version": "==4.7.2" }, "ruamel.yaml": { "hashes": [ From e7a9a41a2f663be683b4d6c943c25c754eb2d131 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 25 Feb 2021 09:18:02 +0100 Subject: [PATCH 19/20] build(deps): bump boto3 from 1.17.14 to 1.17.15 (#589) Bumps [boto3](https://github.com/boto/boto3) from 1.17.14 to 1.17.15. - [Release notes](https://github.com/boto/boto3/releases) - [Changelog](https://github.com/boto/boto3/blob/develop/CHANGELOG.rst) - [Commits](https://github.com/boto/boto3/compare/1.17.14...1.17.15) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- Pipfile.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Pipfile.lock b/Pipfile.lock index d6dfc6148..08f7fd83f 100644 --- a/Pipfile.lock +++ b/Pipfile.lock @@ -116,11 +116,11 @@ }, "boto3": { "hashes": [ - "sha256:95e23684bccdb0e02910fd71586ca2a1941a0f96ba1a8753e5f1e990c8fd25d9", - "sha256:a1dc13aa5fac7bc6df0ca29e0a93e320a7a2370f9fe03cfb7284090d9180b97a" + "sha256:a6b36a3ed9628eb34f7b653c549b045a7f8ddfa26e88c2dc1ad42e3b6d2f3197", + "sha256:d259352f40c5f4fe2dd16110106b86eab07ecd9f6f471a73d23fa8cb8054dcb6" ], "index": "pypi", - "version": "==1.17.14" + "version": "==1.17.15" }, "botocore": { "hashes": [ From 429fc921b13373d9c99f65dd88c2c2b1d738f548 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 25 Feb 2021 09:18:15 +0100 Subject: [PATCH 20/20] build(deps): bump codemirror from 5.59.3 to 5.59.4 in /web (#590) Bumps [codemirror](https://github.com/codemirror/CodeMirror) from 5.59.3 to 5.59.4. - [Release notes](https://github.com/codemirror/CodeMirror/releases) - [Changelog](https://github.com/codemirror/CodeMirror/blob/master/CHANGELOG.md) - [Commits](https://github.com/codemirror/CodeMirror/compare/5.59.3...5.59.4) 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- web/package-lock.json | 6 +++--- web/package.json | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/web/package-lock.json b/web/package-lock.json index c31f9146b..375e34f41 100644 --- a/web/package-lock.json +++ b/web/package-lock.json @@ -862,9 +862,9 @@ } }, "codemirror": { - "version": "5.59.3", - "resolved": "https://registry.npmjs.org/codemirror/-/codemirror-5.59.3.tgz", - "integrity": "sha512-p1d4BjmBBssgnEGtQeWvE5PdiDffqZjiJ77h2FZ2J2BpW9qdOzf6v7IQscyE+TgyKBQS3PpsYimfEDNgcNRZGQ==" + "version": "5.59.4", + "resolved": "https://registry.npmjs.org/codemirror/-/codemirror-5.59.4.tgz", + "integrity": "sha512-achw5JBgx8QPcACDDn+EUUXmCYzx/zxEtOGXyjvLEvYY8GleUrnfm5D+Zb+UjShHggXKDT9AXrbkBZX6a0YSQg==" }, "collection-visit": { "version": "1.0.0", diff --git a/web/package.json b/web/package.json index 875702561..dcb1414e9 100644 --- a/web/package.json +++ b/web/package.json @@ -18,7 +18,7 @@ "@types/codemirror": "0.0.108", "base64-js": "^1.5.1", "chart.js": "^2.9.4", - "codemirror": "^5.59.3", + "codemirror": "^5.59.4", "construct-style-sheets-polyfill": "^2.4.16", "flowchart.js": "^1.15.0", "lit-element": "^2.4.0",