Merge branch 'main' into dev
* main: web: bump rollup from 4.1.4 to 4.1.5 in /web (#7370) website/integrations: add SonarQube (#7167) web: bump the storybook group in /web with 5 updates (#7382) core: bump goauthentik.io/api/v3 from 3.2023101.1 to 3.2023102.1 (#7378) web: bump ts-lit-plugin from 2.0.0 to 2.0.1 in /web (#7379) web: bump @rollup/plugin-replace from 5.0.4 to 5.0.5 in /web (#7380) web: bump API Client version (#7365) website/docs: add 2023.8.4 release notes release: 2023.10.2 security: fix oobe-flow reuse when akadmin is deleted (#7361) website/docs: prepare 2023.10.2 release notes (#7362) website/docs: add missing breaking change due to APPEND_SLASH (#7360) lifecycle: rework otp_merge migration (#7359) translate: Updates for file web/xliff/en.xlf in zh-Hans (#7354) translate: Updates for file web/xliff/en.xlf in zh_CN (#7353) website/docs: add warning about Helm breaking change in 2024.x (#7351)
This commit is contained in:
commit
6653bd8224
|
@ -1,5 +1,5 @@
|
|||
[bumpversion]
|
||||
current_version = 2023.10.1
|
||||
current_version = 2023.10.2
|
||||
tag = True
|
||||
commit = True
|
||||
parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
from os import environ
|
||||
from typing import Optional
|
||||
|
||||
__version__ = "2023.10.1"
|
||||
__version__ = "2023.10.2"
|
||||
ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
|
||||
|
||||
|
||||
|
|
|
@ -0,0 +1,34 @@
|
|||
# Generated by Django 4.2.6 on 2023-10-28 14:24
|
||||
|
||||
from django.apps.registry import Apps
|
||||
from django.db import migrations
|
||||
from django.db.backends.base.schema import BaseDatabaseSchemaEditor
|
||||
|
||||
|
||||
def set_oobe_flow_authentication(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
|
||||
from guardian.shortcuts import get_anonymous_user
|
||||
|
||||
Flow = apps.get_model("authentik_flows", "Flow")
|
||||
User = apps.get_model("authentik_core", "User")
|
||||
|
||||
db_alias = schema_editor.connection.alias
|
||||
|
||||
users = User.objects.using(db_alias).exclude(username="akadmin")
|
||||
try:
|
||||
users = users.exclude(pk=get_anonymous_user().pk)
|
||||
# pylint: disable=broad-except
|
||||
except Exception: # nosec
|
||||
pass
|
||||
|
||||
if users.exists():
|
||||
Flow.objects.filter(slug="initial-setup").update(authentication="require_superuser")
|
||||
|
||||
|
||||
class Migration(migrations.Migration):
|
||||
dependencies = [
|
||||
("authentik_flows", "0026_alter_flow_options"),
|
||||
]
|
||||
|
||||
operations = [
|
||||
migrations.RunPython(set_oobe_flow_authentication),
|
||||
]
|
|
@ -85,6 +85,19 @@ entries:
|
|||
identifiers:
|
||||
name: default-oobe-password-usable
|
||||
model: authentik_policies_expression.expressionpolicy
|
||||
- attrs:
|
||||
expression: |
|
||||
# This policy ensures that the setup flow can only be
|
||||
# used one time
|
||||
from authentik.flows.models import Flow, FlowAuthenticationRequirement
|
||||
Flow.objects.filter(slug="initial-setup").update(
|
||||
authentication=FlowAuthenticationRequirement.REQUIRE_SUPERUSER,
|
||||
)
|
||||
return True
|
||||
id: policy-default-oobe-flow-set-authentication
|
||||
identifiers:
|
||||
name: default-oobe-flow-set-authentication
|
||||
model: authentik_policies_expression.expressionpolicy
|
||||
- attrs:
|
||||
fields:
|
||||
- !KeyOf prompt-field-header
|
||||
|
@ -129,6 +142,7 @@ entries:
|
|||
evaluate_on_plan: true
|
||||
invalid_response_action: retry
|
||||
re_evaluate_policies: false
|
||||
id: binding-login
|
||||
identifiers:
|
||||
order: 100
|
||||
stage: !KeyOf stage-default-authentication-login
|
||||
|
@ -144,3 +158,8 @@ entries:
|
|||
policy: !KeyOf policy-default-oobe-prefill-user
|
||||
target: !KeyOf binding-password-write
|
||||
model: authentik_policies.policybinding
|
||||
- identifiers:
|
||||
order: 0
|
||||
policy: !KeyOf policy-default-oobe-flow-set-authentication
|
||||
target: !KeyOf binding-login
|
||||
model: authentik_policies.policybinding
|
||||
|
|
|
@ -42,9 +42,3 @@ entries:
|
|||
user: !KeyOf admin-user
|
||||
attrs:
|
||||
key: !Context token
|
||||
- model: authentik_blueprints.blueprintinstance
|
||||
identifiers:
|
||||
metadata:
|
||||
labels:
|
||||
blueprints.goauthentik.io/system-bootstrap: "true"
|
||||
state: absent
|
||||
|
|
|
@ -32,7 +32,7 @@ services:
|
|||
volumes:
|
||||
- redis:/data
|
||||
server:
|
||||
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.1}
|
||||
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.2}
|
||||
restart: unless-stopped
|
||||
command: server
|
||||
environment:
|
||||
|
@ -53,7 +53,7 @@ services:
|
|||
- postgresql
|
||||
- redis
|
||||
worker:
|
||||
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.1}
|
||||
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.2}
|
||||
restart: unless-stopped
|
||||
command: worker
|
||||
environment:
|
||||
|
|
2
go.mod
2
go.mod
|
@ -27,7 +27,7 @@ require (
|
|||
github.com/sirupsen/logrus v1.9.3
|
||||
github.com/spf13/cobra v1.7.0
|
||||
github.com/stretchr/testify v1.8.4
|
||||
goauthentik.io/api/v3 v3.2023101.1
|
||||
goauthentik.io/api/v3 v3.2023102.1
|
||||
golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab
|
||||
golang.org/x/oauth2 v0.13.0
|
||||
golang.org/x/sync v0.4.0
|
||||
|
|
4
go.sum
4
go.sum
|
@ -356,8 +356,8 @@ go.opentelemetry.io/otel/trace v1.14.0 h1:wp2Mmvj41tDsyAJXiWDWpfNsOiIyd38fy85pyK
|
|||
go.opentelemetry.io/otel/trace v1.14.0/go.mod h1:8avnQLK+CG77yNLUae4ea2JDQ6iT+gozhnZjy/rw9G8=
|
||||
go.uber.org/goleak v1.2.1 h1:NBol2c7O1ZokfZ0LEU9K6Whx/KnwvepVetCUhtKja4A=
|
||||
go.uber.org/goleak v1.2.1/go.mod h1:qlT2yGI9QafXHhZZLxlSuNsMw3FFLxBr+tBRlmO1xH4=
|
||||
goauthentik.io/api/v3 v3.2023101.1 h1:KIQ4wmxjE+geAVB0wBfmxW9Uzo/tA0dbd2hSUJ7YJ3M=
|
||||
goauthentik.io/api/v3 v3.2023101.1/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
|
||||
goauthentik.io/api/v3 v3.2023102.1 h1:TinB3fzh17iw92Mak0pxVdVSMJbL2CxZkQSvd98C4+U=
|
||||
goauthentik.io/api/v3 v3.2023102.1/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
|
||||
golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
|
||||
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
|
||||
golang.org/x/crypto v0.0.0-20190422162423-af44ce270edf/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=
|
||||
|
|
|
@ -29,4 +29,4 @@ func UserAgent() string {
|
|||
return fmt.Sprintf("authentik@%s", FullVersion())
|
||||
}
|
||||
|
||||
const VERSION = "2023.10.1"
|
||||
const VERSION = "2023.10.2"
|
||||
|
|
|
@ -3,13 +3,17 @@ from lifecycle.migrate import BaseMigration
|
|||
|
||||
SQL_STATEMENT = """
|
||||
BEGIN TRANSACTION;
|
||||
DELETE FROM django_migrations WHERE app = 'otp_static';
|
||||
DELETE FROM django_migrations WHERE app = 'otp_totp';
|
||||
-- Update migrations (static)
|
||||
UPDATE django_migrations SET app = 'authentik_stages_authenticator_static', name = '0008_initial' WHERE app = 'otp_static' AND name = '0001_initial';
|
||||
UPDATE django_migrations SET app = 'authentik_stages_authenticator_static', name = '0009_throttling' WHERE app = 'otp_static' AND name = '0002_throttling';
|
||||
-- Rename tables (static)
|
||||
ALTER TABLE otp_static_staticdevice RENAME TO authentik_stages_authenticator_static_staticdevice;
|
||||
ALTER TABLE otp_static_statictoken RENAME TO authentik_stages_authenticator_static_statictoken;
|
||||
ALTER SEQUENCE otp_static_statictoken_id_seq RENAME TO authentik_stages_authenticator_static_statictoken_id_seq;
|
||||
ALTER SEQUENCE otp_static_staticdevice_id_seq RENAME TO authentik_stages_authenticator_static_staticdevice_id_seq;
|
||||
-- Update migrations (totp)
|
||||
UPDATE django_migrations SET app = 'authentik_stages_authenticator_totp', name = '0008_initial' WHERE app = 'otp_totp' AND name = '0001_initial';
|
||||
UPDATE django_migrations SET app = 'authentik_stages_authenticator_totp', name = '0009_auto_20190420_0723' WHERE app = 'otp_totp' AND name = '0002_auto_20190420_0723';
|
||||
-- Rename tables (totp)
|
||||
ALTER TABLE otp_totp_totpdevice RENAME TO authentik_stages_authenticator_totp_totpdevice;
|
||||
ALTER SEQUENCE otp_totp_totpdevice_id_seq RENAME TO authentik_stages_authenticator_totp_totpdevice_id_seq;
|
||||
|
@ -25,22 +29,9 @@ class Migration(BaseMigration):
|
|||
return bool(self.cur.rowcount)
|
||||
|
||||
def run(self):
|
||||
self.cur.execute(SQL_STATEMENT)
|
||||
self.fake_migration(
|
||||
(
|
||||
"authentik_stages_authenticator_static",
|
||||
"0008_initial",
|
||||
),
|
||||
(
|
||||
"authentik_stages_authenticator_static",
|
||||
"0009_throttling",
|
||||
),
|
||||
(
|
||||
"authentik_stages_authenticator_totp",
|
||||
"0008_initial",
|
||||
),
|
||||
(
|
||||
"authentik_stages_authenticator_totp",
|
||||
"0009_auto_20190420_0723",
|
||||
),
|
||||
self.cur.execute(
|
||||
"SELECT * FROM django_migrations WHERE app = 'authentik_stages_authenticator_static' AND name = '0007_authenticatorstaticstage_token_length_and_more';"
|
||||
)
|
||||
if not bool(self.cur.rowcount):
|
||||
raise Exception("Please upgrade to 2023.8 before upgrading to 2023.10")
|
||||
self.cur.execute(SQL_STATEMENT)
|
||||
|
|
|
@ -113,7 +113,7 @@ filterwarnings = [
|
|||
|
||||
[tool.poetry]
|
||||
name = "authentik"
|
||||
version = "2023.10.1"
|
||||
version = "2023.10.2"
|
||||
description = ""
|
||||
authors = ["authentik Team <hello@goauthentik.io>"]
|
||||
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
openapi: 3.0.3
|
||||
info:
|
||||
title: authentik
|
||||
version: 2023.10.1
|
||||
version: 2023.10.2
|
||||
description: Making authentication simple.
|
||||
contact:
|
||||
email: hello@goauthentik.io
|
||||
|
|
File diff suppressed because it is too large
Load Diff
|
@ -38,7 +38,7 @@
|
|||
"@codemirror/theme-one-dark": "^6.1.2",
|
||||
"@formatjs/intl-listformat": "^7.5.0",
|
||||
"@fortawesome/fontawesome-free": "^6.4.2",
|
||||
"@goauthentik/api": "^2023.10.1-1698348102",
|
||||
"@goauthentik/api": "^2023.10.2-1698526374",
|
||||
"@lit-labs/context": "^0.4.1",
|
||||
"@lit-labs/task": "^3.1.0",
|
||||
"@lit/localize": "^0.11.4",
|
||||
|
@ -79,14 +79,14 @@
|
|||
"@rollup/plugin-babel": "^6.0.4",
|
||||
"@rollup/plugin-commonjs": "^25.0.7",
|
||||
"@rollup/plugin-node-resolve": "^15.2.3",
|
||||
"@rollup/plugin-replace": "^5.0.4",
|
||||
"@rollup/plugin-replace": "^5.0.5",
|
||||
"@rollup/plugin-terser": "^0.4.4",
|
||||
"@rollup/plugin-typescript": "^11.1.5",
|
||||
"@storybook/addon-essentials": "^7.5.1",
|
||||
"@storybook/addon-links": "^7.5.1",
|
||||
"@storybook/addon-essentials": "^7.5.2",
|
||||
"@storybook/addon-links": "^7.5.2",
|
||||
"@storybook/blocks": "^7.1.1",
|
||||
"@storybook/web-components": "^7.5.1",
|
||||
"@storybook/web-components-vite": "^7.5.1",
|
||||
"@storybook/web-components": "^7.5.2",
|
||||
"@storybook/web-components-vite": "^7.5.2",
|
||||
"@trivago/prettier-plugin-sort-imports": "^4.2.1",
|
||||
"@types/chart.js": "^2.9.39",
|
||||
"@types/codemirror": "5.60.12",
|
||||
|
@ -109,13 +109,13 @@
|
|||
"pyright": "^1.1.333",
|
||||
"react": "^18.2.0",
|
||||
"react-dom": "^18.2.0",
|
||||
"rollup": "^4.1.4",
|
||||
"rollup": "^4.1.5",
|
||||
"rollup-plugin-copy": "^3.5.0",
|
||||
"rollup-plugin-cssimport": "^1.0.3",
|
||||
"rollup-plugin-postcss-lit": "^2.1.0",
|
||||
"storybook": "^7.5.1",
|
||||
"storybook": "^7.5.2",
|
||||
"storybook-addon-mock": "^4.3.0",
|
||||
"ts-lit-plugin": "^2.0.0",
|
||||
"ts-lit-plugin": "^2.0.1",
|
||||
"tslib": "^2.6.2",
|
||||
"turnstile-types": "^1.1.3",
|
||||
"typescript": "^5.2.2",
|
||||
|
|
|
@ -3,7 +3,7 @@ export const SUCCESS_CLASS = "pf-m-success";
|
|||
export const ERROR_CLASS = "pf-m-danger";
|
||||
export const PROGRESS_CLASS = "pf-m-in-progress";
|
||||
export const CURRENT_CLASS = "pf-m-current";
|
||||
export const VERSION = "2023.10.1";
|
||||
export const VERSION = "2023.10.2";
|
||||
export const TITLE_DEFAULT = "authentik";
|
||||
export const ROUTE_SEPARATOR = ";";
|
||||
|
||||
|
|
|
@ -613,9 +613,9 @@
|
|||
|
||||
</trans-unit>
|
||||
<trans-unit id="saa0e2675da69651b">
|
||||
<source>The URL "<x id="0" equiv-text="${this.url}"/>" was not found.</source>
|
||||
<target>未找到 URL "
|
||||
<x id="0" equiv-text="${this.url}"/>"。</target>
|
||||
<source>The URL "<x id="0" equiv-text="${this.url}"/>" was not found.</source>
|
||||
<target>未找到 URL "
|
||||
<x id="0" equiv-text="${this.url}"/>"。</target>
|
||||
|
||||
</trans-unit>
|
||||
<trans-unit id="s58cd9c2fe836d9c6">
|
||||
|
@ -1057,8 +1057,8 @@
|
|||
|
||||
</trans-unit>
|
||||
<trans-unit id="sa8384c9c26731f83">
|
||||
<source>To allow any redirect URI, set this value to ".*". Be aware of the possible security implications this can have.</source>
|
||||
<target>要允许任何重定向 URI,请将此值设置为 ".*"。请注意这可能带来的安全影响。</target>
|
||||
<source>To allow any redirect URI, set this value to ".*". Be aware of the possible security implications this can have.</source>
|
||||
<target>要允许任何重定向 URI,请将此值设置为 ".*"。请注意这可能带来的安全影响。</target>
|
||||
|
||||
</trans-unit>
|
||||
<trans-unit id="s55787f4dfcdce52b">
|
||||
|
@ -1799,8 +1799,8 @@
|
|||
|
||||
</trans-unit>
|
||||
<trans-unit id="sa90b7809586c35ce">
|
||||
<source>Either input a full URL, a relative path, or use 'fa://fa-test' to use the Font Awesome icon "fa-test".</source>
|
||||
<target>输入完整 URL、相对路径,或者使用 'fa://fa-test' 来使用 Font Awesome 图标 "fa-test"。</target>
|
||||
<source>Either input a full URL, a relative path, or use 'fa://fa-test' to use the Font Awesome icon "fa-test".</source>
|
||||
<target>输入完整 URL、相对路径,或者使用 'fa://fa-test' 来使用 Font Awesome 图标 "fa-test"。</target>
|
||||
|
||||
</trans-unit>
|
||||
<trans-unit id="s0410779cb47de312">
|
||||
|
@ -3013,8 +3013,8 @@ doesn't pass when either or both of the selected options are equal or above the
|
|||
|
||||
</trans-unit>
|
||||
<trans-unit id="s76768bebabb7d543">
|
||||
<source>Field which contains members of a group. Note that if using the "memberUid" field, the value is assumed to contain a relative distinguished name. e.g. 'memberUid=some-user' instead of 'memberUid=cn=some-user,ou=groups,...'</source>
|
||||
<target>包含组成员的字段。请注意,如果使用 "memberUid" 字段,则假定该值包含相对可分辨名称。例如,'memberUid=some-user' 而不是 'memberUid=cn=some-user,ou=groups,...'</target>
|
||||
<source>Field which contains members of a group. Note that if using the "memberUid" field, the value is assumed to contain a relative distinguished name. e.g. 'memberUid=some-user' instead of 'memberUid=cn=some-user,ou=groups,...'</source>
|
||||
<target>包含组成员的字段。请注意,如果使用 "memberUid" 字段,则假定该值包含相对可分辨名称。例如,'memberUid=some-user' 而不是 'memberUid=cn=some-user,ou=groups,...'</target>
|
||||
|
||||
</trans-unit>
|
||||
<trans-unit id="s026555347e589f0e">
|
||||
|
@ -3806,8 +3806,8 @@ doesn't pass when either or both of the selected options are equal or above the
|
|||
|
||||
</trans-unit>
|
||||
<trans-unit id="s7b1fba26d245cb1c">
|
||||
<source>When using an external logging solution for archiving, this can be set to "minutes=5".</source>
|
||||
<target>使用外部日志记录解决方案进行存档时,可以将其设置为 "minutes=5"。</target>
|
||||
<source>When using an external logging solution for archiving, this can be set to "minutes=5".</source>
|
||||
<target>使用外部日志记录解决方案进行存档时,可以将其设置为 "minutes=5"。</target>
|
||||
|
||||
</trans-unit>
|
||||
<trans-unit id="s44536d20bb5c8257">
|
||||
|
@ -3816,8 +3816,8 @@ doesn't pass when either or both of the selected options are equal or above the
|
|||
|
||||
</trans-unit>
|
||||
<trans-unit id="s3bb51cabb02b997e">
|
||||
<source>Format: "weeks=3;days=2;hours=3,seconds=2".</source>
|
||||
<target>格式:"weeks=3;days=2;hours=3,seconds=2"。</target>
|
||||
<source>Format: "weeks=3;days=2;hours=3,seconds=2".</source>
|
||||
<target>格式:"weeks=3;days=2;hours=3,seconds=2"。</target>
|
||||
|
||||
</trans-unit>
|
||||
<trans-unit id="s04bfd02201db5ab8">
|
||||
|
@ -4013,10 +4013,10 @@ doesn't pass when either or both of the selected options are equal or above the
|
|||
|
||||
</trans-unit>
|
||||
<trans-unit id="sa95a538bfbb86111">
|
||||
<source>Are you sure you want to update <x id="0" equiv-text="${this.objectLabel}"/> "<x id="1" equiv-text="${this.obj?.name}"/>"?</source>
|
||||
<source>Are you sure you want to update <x id="0" equiv-text="${this.objectLabel}"/> "<x id="1" equiv-text="${this.obj?.name}"/>"?</source>
|
||||
<target>您确定要更新
|
||||
<x id="0" equiv-text="${this.objectLabel}"/>"
|
||||
<x id="1" equiv-text="${this.obj?.name}"/>" 吗?</target>
|
||||
<x id="0" equiv-text="${this.objectLabel}"/>"
|
||||
<x id="1" equiv-text="${this.obj?.name}"/>" 吗?</target>
|
||||
|
||||
</trans-unit>
|
||||
<trans-unit id="sc92d7cfb6ee1fec6">
|
||||
|
@ -5102,7 +5102,7 @@ doesn't pass when either or both of the selected options are equal or above the
|
|||
|
||||
</trans-unit>
|
||||
<trans-unit id="sdf1d8edef27236f0">
|
||||
<source>A "roaming" authenticator, like a YubiKey</source>
|
||||
<source>A "roaming" authenticator, like a YubiKey</source>
|
||||
<target>像 YubiKey 这样的“漫游”身份验证器</target>
|
||||
|
||||
</trans-unit>
|
||||
|
@ -5437,10 +5437,10 @@ doesn't pass when either or both of the selected options are equal or above the
|
|||
|
||||
</trans-unit>
|
||||
<trans-unit id="s2d5f69929bb7221d">
|
||||
<source><x id="0" equiv-text="${prompt.name}"/> ("<x id="1" equiv-text="${prompt.fieldKey}"/>", of type <x id="2" equiv-text="${prompt.type}"/>)</source>
|
||||
<source><x id="0" equiv-text="${prompt.name}"/> ("<x id="1" equiv-text="${prompt.fieldKey}"/>", of type <x id="2" equiv-text="${prompt.type}"/>)</source>
|
||||
<target>
|
||||
<x id="0" equiv-text="${prompt.name}"/>("
|
||||
<x id="1" equiv-text="${prompt.fieldKey}"/>",类型为
|
||||
<x id="0" equiv-text="${prompt.name}"/>("
|
||||
<x id="1" equiv-text="${prompt.fieldKey}"/>",类型为
|
||||
<x id="2" equiv-text="${prompt.type}"/>)</target>
|
||||
|
||||
</trans-unit>
|
||||
|
@ -5489,7 +5489,7 @@ doesn't pass when either or both of the selected options are equal or above the
|
|||
|
||||
</trans-unit>
|
||||
<trans-unit id="s1608b2f94fa0dbd4">
|
||||
<source>If set to a duration above 0, the user will have the option to choose to "stay signed in", which will extend their session by the time specified here.</source>
|
||||
<source>If set to a duration above 0, the user will have the option to choose to "stay signed in", which will extend their session by the time specified here.</source>
|
||||
<target>如果设置时长大于 0,用户可以选择“保持登录”选项,这将使用户的会话延长此处设置的时间。</target>
|
||||
|
||||
</trans-unit>
|
||||
|
@ -7928,15 +7928,19 @@ Bindings to groups/users are checked against the user of the event.</source>
|
|||
</trans-unit>
|
||||
<trans-unit id="sdc9a6ad1af30572c">
|
||||
<source>For nginx's auth_request or traefik's forwardAuth</source>
|
||||
<target>适用于 nginx 的 auth_request 或 traefik 的 forwardAuth</target>
|
||||
</trans-unit>
|
||||
<trans-unit id="sfc31264ef7ff86ef">
|
||||
<source>For nginx's auth_request or traefik's forwardAuth per root domain</source>
|
||||
<target>适用于按根域名配置的 nginx 的 auth_request 或 traefik 的 forwardAuth</target>
|
||||
</trans-unit>
|
||||
<trans-unit id="sc615309d10a9228c">
|
||||
<source>RBAC is in preview.</source>
|
||||
<target>RBAC 目前处于预览状态。</target>
|
||||
</trans-unit>
|
||||
<trans-unit id="s32babfed740fd3c1">
|
||||
<source>User type used for newly created users.</source>
|
||||
<target>新创建用户使用的用户类型。</target>
|
||||
</trans-unit>
|
||||
</body>
|
||||
</file>
|
||||
|
|
|
@ -7620,14 +7620,6 @@ Bindings to groups/users are checked against the user of the event.</source>
|
|||
<source>For transparent reverse proxies with required authentication</source>
|
||||
<target>适用于需要验证身份的透明反向代理</target>
|
||||
</trans-unit>
|
||||
<trans-unit id="sadf073913458acbd">
|
||||
<source>For nginx's auth_request or traefik's forwardAuth</source>
|
||||
<target>适用于 nginx 的 auth_request 或 traefik 的 forwardAuth</target>
|
||||
</trans-unit>
|
||||
<trans-unit id="se770e9498b3bacf6">
|
||||
<source>For nginx's auth_request or traefik's forwardAuth per root domain</source>
|
||||
<target>适用于按根域名配置的 nginx 的 auth_request 或 traefik 的 forwardAuth</target>
|
||||
</trans-unit>
|
||||
<trans-unit id="s40830ec037f34626">
|
||||
<source>Configure SAML provider manually</source>
|
||||
<target>手动配置 SAML 提供程序</target>
|
||||
|
@ -7933,6 +7925,22 @@ Bindings to groups/users are checked against the user of the event.</source>
|
|||
<trans-unit id="s0924f51b028233a3">
|
||||
<source><No name set></source>
|
||||
<target><未设置名称></target>
|
||||
</trans-unit>
|
||||
<trans-unit id="sdc9a6ad1af30572c">
|
||||
<source>For nginx's auth_request or traefik's forwardAuth</source>
|
||||
<target>适用于 nginx 的 auth_request 或 traefik 的 forwardAuth</target>
|
||||
</trans-unit>
|
||||
<trans-unit id="sfc31264ef7ff86ef">
|
||||
<source>For nginx's auth_request or traefik's forwardAuth per root domain</source>
|
||||
<target>适用于按根域名配置的 nginx 的 auth_request 或 traefik 的 forwardAuth</target>
|
||||
</trans-unit>
|
||||
<trans-unit id="sc615309d10a9228c">
|
||||
<source>RBAC is in preview.</source>
|
||||
<target>RBAC 目前处于预览状态。</target>
|
||||
</trans-unit>
|
||||
<trans-unit id="s32babfed740fd3c1">
|
||||
<source>User type used for newly created users.</source>
|
||||
<target>新创建用户使用的用户类型。</target>
|
||||
</trans-unit>
|
||||
</body>
|
||||
</file>
|
||||
|
|
|
@ -5,8 +5,14 @@ slug: "/releases/2023.10"
|
|||
|
||||
## Breaking changes
|
||||
|
||||
- Requests with missing trailing slash are no longer redirected
|
||||
|
||||
In previous versions, requests to a path like `/api/v3/core/users` would be redirected to `[...]/users/`. This redirect would cause mutating requests (such as POST, PUT and PATCH) to fail as they would get redirected to `[...]/users/`. The redirect has been disabled, which will not have have an impact on a correctly configured setup.
|
||||
|
||||
- It is only possible to upgrade to 2023.10 from 2023.8. This is due to a bug in the migrations which will be fixed in a future release (#7326).
|
||||
|
||||
- Warning: The first 2024.x version of this chart will see a rework that will include breaking changes. The breaking changes will be noted in the next Release notes.
|
||||
|
||||
## New features
|
||||
|
||||
- RBAC (preview)
|
||||
|
@ -15,7 +21,7 @@ slug: "/releases/2023.10"
|
|||
|
||||
- LDAP Provider improvements
|
||||
|
||||
The LDAP Provider now has an expanded schema, increasing the compatibility with clients that use the LDAP schema to parse data and .net applications on Windows.
|
||||
The LDAP Provider now has an expanded schema, increasing the compatibility with clients that use the LDAP schema to parse data and .Net applications on Windows.
|
||||
|
||||
- Improved Proxy provider logout
|
||||
|
||||
|
@ -119,6 +125,18 @@ helm upgrade authentik authentik/authentik -f values.yaml --version ^2023.10
|
|||
|
||||
- lifecycle: fix otp merge migration (#7315)
|
||||
|
||||
## Fixed in 2023.10.2
|
||||
|
||||
- \*: fix [GHSA-rjvp-29xq-f62w](../security/GHSA-rjvp-29xq-f62w), Reported by [@devSparkle](https://github.com/devSparkle)
|
||||
- blueprints: fix entries with state: absent not being deleted if their serializer has errors (#7345)
|
||||
- crypto: fix race conditions when creating self-signed certificates on startup (#7344)
|
||||
- lifecycle: rework otp_merge migration (#7359)
|
||||
- providers/proxy: to fix duplicate cookie (#7324)
|
||||
- rbac: handle lookup error (#7341)
|
||||
- stages/email: fix sending emails from task (#7325)
|
||||
- web/admin: fix @change handler for ak-radio elements (#7348)
|
||||
- web/admin: fix role form reacting to enter (#7330)
|
||||
|
||||
## API Changes
|
||||
|
||||
#### What's New
|
||||
|
|
|
@ -155,6 +155,10 @@ image:
|
|||
- web: don't import entire SourceViewPage in flow and user interface (#6761)
|
||||
- web: replace ampersand (#6737)
|
||||
|
||||
## Fixed in 2023.8.4
|
||||
|
||||
- \*: fix [GHSA-rjvp-29xq-f62w](../security/GHSA-rjvp-29xq-f62w), Reported by [@devSparkle](https://github.com/devSparkle)
|
||||
|
||||
## API Changes
|
||||
|
||||
#### What's New
|
||||
|
|
|
@ -0,0 +1,27 @@
|
|||
# GHSA-rjvp-29xq-f62w
|
||||
|
||||
_Reported by [@devSparkle](https://github.com/devSparkle)_
|
||||
|
||||
## Potential Installation takeover when default admin user is deleted
|
||||
|
||||
### Summary
|
||||
|
||||
In the affected versions, when the default admin user has been deleted, it is potentially possible for an attacker to set the password of the default admin user without any authentication.
|
||||
|
||||
### Patches
|
||||
|
||||
authentik 2023.8.4 and 2023.10.2 fix this issue, for other versions the workaround can be used.
|
||||
|
||||
### Impact
|
||||
|
||||
authentik uses a blueprint to create the default admin user, which can also optionally set the default admin users' password from an environment variable. When the user is deleted, the `initial-setup` flow used to configure authentik after the first installation becomes available again.
|
||||
|
||||
### Workarounds
|
||||
|
||||
Ensure the default admin user (Username `akadmin`) exists and has a password set. It is recommended to use a very strong password for this user, and store it in a secure location like a password manager. It is also possible to deactivate the user to prevent any logins as akadmin.
|
||||
|
||||
### For more information
|
||||
|
||||
If you have any questions or comments about this advisory:
|
||||
|
||||
- Email us at [security@goauthentik.io](mailto:security@goauthentik.io)
|
|
@ -0,0 +1,72 @@
|
|||
---
|
||||
title: SonarQube
|
||||
---
|
||||
|
||||
<span class="badge badge--primary">Support level: Community</span>
|
||||
|
||||
## What is SonarQube
|
||||
|
||||
> Self-managed static analysis tool for continuous codebase inspection
|
||||
>
|
||||
> -- https://www.sonarsource.com/products/sonarqube/
|
||||
|
||||
## Preparation
|
||||
|
||||
The following placeholders will be used:
|
||||
|
||||
- `sonarqube.company` is the FQDN of the sonarqube install.
|
||||
- `authentik.company` is the FQDN of the authentik install.
|
||||
|
||||
## Terraform provider
|
||||
|
||||
Create an application in authentik. Create a SAML Provider with the following values
|
||||
|
||||
```hcl
|
||||
|
||||
data "authentik_flow" "default-provider-authorization-implicit-consent" {
|
||||
slug = "default-provider-authorization-implicit-consent"
|
||||
}
|
||||
|
||||
data "authentik_property_mapping_saml" "saml-sonar-qube" {
|
||||
managed_list = [
|
||||
"goauthentik.io/providers/saml/email",
|
||||
"goauthentik.io/providers/saml/username",
|
||||
"goauthentik.io/providers/saml/name"
|
||||
]
|
||||
}
|
||||
|
||||
resource "authentik_provider_saml" "provider_sonar-qube" {
|
||||
name = "SonarQube"
|
||||
|
||||
authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
|
||||
|
||||
acs_url = "https://sonarqube.company/oauth2/callback/saml"
|
||||
issuer = "https://authentik.company/"
|
||||
sp_binding = "post"
|
||||
audience = "https://sonarqube.company/saml2/metadata"
|
||||
|
||||
property_mappings = data.authentik_property_mapping_saml.saml-sonar-qube.ids
|
||||
}
|
||||
|
||||
resource "authentik_application" "application_sonar-qube" {
|
||||
name = "SonarQube"
|
||||
slug = "sonarqube"
|
||||
protocol_provider = authentik_provider_saml.provider_sonar-qube.id
|
||||
}
|
||||
|
||||
```
|
||||
|
||||
## SonarQube
|
||||
|
||||
Navigate to Administration -> Configuration -> Authentication -> Saml
|
||||
|
||||
Input these Values
|
||||
|
||||
- Application ID: https://sonarqube.company/saml2/metadata
|
||||
- Provider Name: authentik
|
||||
- Provider ID: https://authentik.company/
|
||||
- SAML login url: https://authentik.company/application/saml/sonarqube/sso/binding/redirect/
|
||||
- Identity provider certificate: Download it from authentik
|
||||
- SAML user login attribute: http://schemas.goauthentik.io/2021/02/saml/username
|
||||
- SAML user name attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
|
||||
- SAML user email attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
|
|
@ -407,6 +407,7 @@ const docsSidebar = {
|
|||
},
|
||||
items: [
|
||||
"security/policy",
|
||||
"security/GHSA-rjvp-29xq-f62w",
|
||||
"security/CVE-2023-39522",
|
||||
"security/CVE-2023-36456",
|
||||
"security/2023-06-cure53",
|
||||
|
|
|
@ -100,6 +100,7 @@ module.exports = {
|
|||
"services/home-assistant/index",
|
||||
"services/jellyfin/index",
|
||||
"services/node-red/index",
|
||||
"services/sonar-qube/index",
|
||||
"services/sonarr/index",
|
||||
"services/tautulli/index",
|
||||
"services/weblate/index",
|
||||
|
|
Reference in New Issue