wip add username whitespace check to invitation flow blueprint

.drone.yml

@@ -23,14 +23,13 @@ steps:
       FLOW_INVALIDATION_VERSION: v1
       FLOW_RECOVERY_VERSION: v1
       FLOW_TRANSLATION_VERSION: v1
-      SYSTEM_BRAND_VERSION: v1
+      SYSTEM_TENANT_VERSION: v1
       NEXTCLOUD_CONFIG_VERSION: v1
       SECRET_SECRET_KEY_VERSION: v1
       SECRET_DB_PASSWORD_VERSION: v1
       SECRET_ADMIN_TOKEN_VERSION: v1
       SECRET_ADMIN_PASS_VERSION: v1
       SECRET_EMAIL_PASS_VERSION: v1
-      DB_ENTRYPOINT_VERSION: v1
 trigger:
   branch:
     - main

.env.sample

@@ -17,9 +17,6 @@ AUTHENTIK_LOG_LEVEL=info
 ## Outpost Integration
 # COMPOSE_FILE="$COMPOSE_FILE:compose.outposts.yml"
 
-## ADMIN
-AUTHENTIK_BOOTSTRAP_EMAIL=admin@example.com
-
 ## EMAIL
 AUTHENTIK_EMAIL__HOST=smtp
 AUTHENTIK_EMAIL__PORT=587
@@ -37,6 +34,7 @@ SECRET_ADMIN_PASS_VERSION=v1
 SECRET_EMAIL_PASS_VERSION=v1
 
 # X_FRAME_OPTIONS_ALLOW_FROM=dashboard.example.org
+AUTHENTIK_COLOR_BACKGROUND_LIGHT=#1c1e21
 
 ## FLOW OPTIONS
 # WELCOME_MESSAGE="Welcome to Authentik"
@@ -49,12 +47,6 @@ COPY_ASSETS="flow_background.jpg|app:/web/dist/assets/images/"
 COPY_ASSETS="$COPY_ASSETS icon_left_brand.svg|app:/web/dist/assets/icons/"
 COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
 
-# Default CSS customisation, just background colour
-COMPOSE_FILE="$COMPOSE_FILE:compose.css.yml"
-AUTHENTIK_COLOR_BACKGROUND_LIGHT=#1c1e21
-# Custommise the entire custom CSS file
-#COMPOSE_FILE="$COMPOSE_FILE:compose.css.yml"
-
 # COMPOSE_FILE="$COMPOSE_FILE:compose.nextcloud.yml"
 # NEXTCLOUD_DOMAIN=nextcloud.example.com
 # SECRET_NEXTCLOUD_ID_VERSION=v1
@@ -70,7 +62,6 @@ AUTHENTIK_COLOR_BACKGROUND_LIGHT=#1c1e21
 
 # COMPOSE_FILE="$COMPOSE_FILE:compose.matrix.yml"
 # ELEMENT_DOMAIN=element-web.example.com
-# MATRIX_DOMAIN=matrix-synapse.example.com
 # SECRET_MATRIX_ID_VERSION=v1
 # SECRET_MATRIX_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS matrix:~/.abra/recipes/authentik/icons/matrix.svg"
@@ -93,21 +84,11 @@ AUTHENTIK_COLOR_BACKGROUND_LIGHT=#1c1e21
 # SECRET_OUTLINE_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS outline:~/.abra/recipes/authentik/icons/outline.png"
 
-# COMPOSE_FILE="$COMPOSE_FILE:compose.kimai.yml"
-# KIMAI_DOMAIN=kimai.example.com
-# SECRET_KIMAI_ID_VERSION=v1
-# SECRET_KIMAI_SECRET_VERSION=v1
-# APP_ICONS="$APP_ICONS kimai:~/.abra/recipes/authentik/icons/kimai_logo.png"
-
-# COMPOSE_FILE="$COMPOSE_FILE:compose.zammad.yml"
-# ZAMMAD_DOMAIN=zammad.example.com
-# APP_ICONS="$APP_ICONS zammad:~/.abra/recipes/authentik/icons/zammad.svg"
-
 # COMPOSE_FILE="$COMPOSE_FILE:compose.monitoring.yml"
 # MONITORING_DOMAIN=monitoring.example.com
 # SECRET_MONITORING_ID_VERSION=v1
 # SECRET_MONITORING_SECRET_VERSION=v1
-# APP_ICONS="$APP_ICONS monitoring:~/.abra/recipes/authentik/icons/monitoring.svg"
+# APP_ICONS="$APP_ICONS monitoring:~/.abra/recipes/authentik/icons/monitoring.png"
 
 # COMPOSE_FILE="$COMPOSE_FILE:compose.rallly.yml"
 # RALLLY_DOMAIN=rallly.example.com
@@ -115,12 +96,6 @@ AUTHENTIK_COLOR_BACKGROUND_LIGHT=#1c1e21
 # SECRET_RALLLY_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS rallly:~/.abra/recipes/authentik/icons/rallly.png"
 
-# COMPOSE_FILE="$COMPOSE_FILE:compose.hedgedoc.yml"
-# HEDGEDOC_DOMAIN=hedgedoc.example.com
-# SECRET_HEDGEDOC_ID_VERSION=v1
-# SECRET_HEDGEDOC_SECRET_VERSION=v1
-# APP_ICONS="$APP_ICONS hedgedoc:~/.abra/recipes/authentik/icons/hedgedoc.png"
-
 # APPLICATIONS='{"Calendar": "https://nextcloud.example.com/apps/calendar/", "BBB": "https://nextcloud.example.com/apps/bbb/"}'
 # APP_ICONS="$APP_ICONS Calendar:~/.abra/recipes/authentik/icons/calendar.svg"
-# APP_ICONS="$APP_ICONS BBB:~/.abra/recipes/authentik/icons/bbb.png"
+# APP_ICONS="$APP_ICONS BBB:~/.abra/recipes/authentik/icons/bbb.jpg"

README.md

@@ -167,9 +167,9 @@ The `abra.sh` function `apply_blueprints` needs to be executed to deactivate the
     - Default - Source enrollment flow
         - OVERWRITE:
             - `default-source-enrollment-field-username`
-- Custom System Brand
+- Custom System Tenant
-    - Default - Brand
+    - Default - Tenant
-        - APPEND: `authentik_brands.brand  domain: authentik-default`
+        - APPEND: `authentik_tenants.tenant  domain: authentik-default`
     - Recovery with email verification
         - USE:
             - `default-recovery-flow`
@@ -177,8 +177,8 @@ The `abra.sh` function `apply_blueprints` needs to be executed to deactivate the
 
 ### Blueprint Dependency Execution Order
 
-5. Custom System Brand
+5. Custom System Tenant
-    - Default - Brand
+    - Default - Tenant
     1. Recovery with email verification
         - Default - Authentication flow
             - Default - Password change flow

abra.sh

@@ -1,21 +1,18 @@
 export CUSTOM_CSS_VERSION=v2
-export FLOW_AUTHENTICATION_VERSION=v4
+export FLOW_AUTHENTICATION_VERSION=v3
-export FLOW_INVITATION_VERSION=v2
+export FLOW_INVITATION_VERSION=v1
 export FLOW_INVALIDATION_VERSION=v2
 export FLOW_RECOVERY_VERSION=v1
-export FLOW_TRANSLATION_VERSION=v3
+export FLOW_TRANSLATION_VERSION=v2
-export SYSTEM_BRAND_VERSION=v3
+export SYSTEM_TENANT_VERSION=v2
 export NEXTCLOUD_CONFIG_VERSION=v1
 export WORDPRESS_CONFIG_VERSION=v2
 export MATRIX_CONFIG_VERSION=v1
 export WEKAN_CONFIG_VERSION=v3
 export VIKUNJA_CONFIG_VERSION=v1
-export OUTLINE_CONFIG_VERSION=v2
+export OUTLINE_CONFIG_VERSION=v1
-export KIMAI_CONFIG_VERSION=v1
+export RALLLY_CONFIG_VERSION=v1
-export ZAMMAD_CONFIG_VERSION=v1
+export MONITORING_CONFIG_VERSION=v1
-export RALLLY_CONFIG_VERSION=v2
-export HEDGEDOC_CONFIG_VERSION=v1
-export MONITORING_CONFIG_VERSION=v2
 export DB_ENTRYPOINT_VERSION=v1
 
 customize() {
@@ -57,19 +54,15 @@ with open('/tmp/$1', newline='') as file:
     email = row[2].strip()
     groups = row[3].split(';')
     if User.objects.filter(username=username):
-        print(f'{username} already exists')
         continue
     new_user = User.objects.create(name=name, username=username, email=email)
-    print(f'{username} created')
     for group_name in groups:
         group_name = group_name.strip()
         if Group.objects.filter(name=group_name):
             group = Group.objects.get(name=group_name)
         else:
             group = Group.objects.create(name=group_name)
-            print(f'{group_name} created')
         group.users.add(new_user)
-        print(f'add {username} to group {group_name}')
 """ 2>&1 | quieten
 }
 
@@ -177,9 +170,7 @@ for name, url in applications.items():
 
 
 quieten(){
-    # 'SyntaxWarning|version_regex|"http\['
+    grep -v -e '{"event"' -e '{"action"'
-    # is a workaround to get rid of some verbose syntax warnings, this might be fixed with another version
-    grep -Pv '"level": "(info|debug)"|SyntaxWarning|version_regex|"http\[|RuntimeWarning:'
 }
 
 add_email_templates(){
@@ -226,26 +217,7 @@ delete_flows = ['default-recovery-flow' , 'custom-authentication-flow' , 'invita
 Flow.objects.filter(slug__in=delete_flows).delete()
 Stage.objects.filter(flow=None).delete()
 Prompt.objects.filter(promptstage=None).delete()
-Brand.objects.filter(default=True).delete()
+Tenant.objects.filter(default=True).delete()
 """ 2>&1 | quieten
 apply_blueprints
 }
-
-get_certificate() {
-/manage.py shell -c """
-provider_name='$1'
-if not provider_name:
-    print('no Provider Name given')
-    exit(1)
-provider = Provider.objects.filter(name=provider_name).first()
-saml = provider.samlprovider
-cert = saml.signing_kp
-print(''.join(cert.certificate_data.splitlines()[1:-1]))
-""" 2>&1 | quieten
-}
-
-get_user_uid() {
-/manage.py shell -c """
-print(User.objects.filter(username='$1').first().uid)
-""" 2>&1 | quieten
-}

alaconnect.yml

@@ -1,89 +0,0 @@
-nextcloud:
-    uncomment:
-        - compose.nextcloud.yml
-        - NEXTCLOUD_DOMAIN
-        - SECRET_NEXTCLOUD_ID_VERSION
-        - SECRET_NEXTCLOUD_SECRET_VERSION
-        - nextcloud.png
-wordpress:
-    uncomment:
-        - compose.wordpress.yml
-        - WORDPRESS_DOMAIN
-        - WORDPRESS_GROUP
-        - SECRET_WORDPRESS_ID_VERSION
-        - SECRET_WORDPRESS_SECRET_VERSION
-        - wordpress.png
-matrix-synapse:
-    uncomment:
-        - compose.matrix.yml
-        - ELEMENT_DOMAIN
-        - MATRIX_DOMAIN
-        - SECRET_MATRIX_ID_VERSION
-        - SECRET_MATRIX_SECRET_VERSION
-        - matrix.svg
-    secrets:
-        matrix_id: matrix
-wekan:
-    uncomment:
-        - compose.wekan.yml
-        - WEKAN_DOMAIN
-        - SECRET_WEKAN_ID_VERSION
-        - SECRET_WEKAN_SECRET_VERSION
-        - wekan.png
-    secrets:
-        wekan_id: wekan
-vikunja:
-    uncomment:
-        - compose.vikunja.yml
-        - VIKUNJA_DOMAIN
-        - SECRET_VIKUNJA_ID_VERSION
-        - SECRET_VIKUNJA_SECRET_VERSION
-        - vikunja.svg
-    secrets:
-        vikunja_id: vikunja
-kimai:
-    uncomment:
-        - compose.kimai.yml
-        - KIMAI_DOMAIN
-        - SECRET_KIMAI_ID_VERSION
-        - SECRET_KIMAI_SECRET_VERSION
-        - kimai_logo.png
-zammad:
-    uncomment:
-        - compose.zammad.yml
-        - ZAMMAD_DOMAIN
-        - zammad.svg
-monitoring-ng:
-    uncomment:
-        - compose.monitoring.yml
-        - MONITORING_DOMAIN
-        - SECRET_MONITORING_ID_VERSION
-        - SECRET_MONITORING_SECRET_VERSION
-        - monitoring.png
-outline:
-    uncomment:
-        - compose.outline.yml
-        - OUTLINE_DOMAIN
-        - SECRET_OUTLINE_ID_VERSION
-        - SECRET_OUTLINE_SECRET_VERSION
-        - outline.png
-    secrets:
-        outline_id: outline
-rallly:
-    uncomment:  
-        - compose.rallly.yml
-        - RALLLY_DOMAIN
-        - SECRET_RALLLY_ID_VERSION
-        - SECRET_RALLLY_SECRET_VERSION
-        - rallly.png
-    secrets:
-        rallly_id: rallly
-hedgedoc:
-    uncomment:  
-        - compose.hedgedoc.yml
-        - HEDGEDOC_DOMAIN
-        - SECRET_HEDGEDOC_ID_VERSION
-        - SECRET_HEDGEDOC_SECRET_VERSION
-        - hedgedoc.png
-    secrets:
-        hedgedoc_id: hedgedoc

compose.css.yml

@@ -1,14 +0,0 @@
----
-version: '3.8'
-
-services:
-  app:
-    configs: 
-      - source: custom_css
-        target: /web/dist/custom.css
-
-configs:
-  custom_css:
-    name: ${STACK_NAME}_custom_css_${CUSTOM_CSS_VERSION}
-    file: custom.css.tmpl
-    template_driver: golang

compose.hedgedoc.yml

@@ -1,26 +0,0 @@
-version: "3.8"
-services:
-  worker:
-    secrets:
-      - hedgedoc_id
-      - hedgedoc_secret
-    environment:
-      - HEDGEDOC_DOMAIN
-    configs:
-      - source: hedgedoc
-        target: /blueprints/hedgedoc.yaml
-
-secrets:
-  hedgedoc_id:
-    external: true
-    name: ${STACK_NAME}_hedgedoc_id_${SECRET_HEDGEDOC_ID_VERSION}
-  hedgedoc_secret:
-    external: true
-    name: ${STACK_NAME}_hedgedoc_secret_${SECRET_HEDGEDOC_SECRET_VERSION}
-
-
-configs:
-  hedgedoc:
-    name: ${STACK_NAME}_hedgedoc_${HEDGEDOC_CONFIG_VERSION}
-    file: hedgedoc.yaml.tmpl
-    template_driver: golang

compose.kimai.yml

@@ -1,14 +0,0 @@
-version: "3.8"
-services:
-  worker:
-    environment:
-      - KIMAI_DOMAIN
-    configs:
-      - source: kimai
-        target: /blueprints/kimai.yaml
-
-configs:
-  kimai:
-    name: ${STACK_NAME}_kimai_${KIMAI_CONFIG_VERSION}
-    file: kimai.yaml.tmpl
-    template_driver: golang

compose.matrix.yml

@@ -1,11 +1,5 @@
 version: "3.8"
 services:
-  app:
-    deploy:
-      labels:
-        - "traefik.http.routers.${STACK_NAME}.middlewares=redirect-matrix-well-known"
-        - "traefik.http.middlewares.redirect-matrix-well-known.redirectregex.regex=^https://(.*)/.well-known/matrix/(.*)"
-        - "traefik.http.middlewares.redirect-matrix-well-known.redirectregex.replacement=https://${MATRIX_DOMAIN}/.well-known/matrix/$$2"
   worker:
     secrets:
       - matrix_id

compose.yml

@@ -21,7 +21,6 @@ x-env: &env
     - AUTHENTIK_COLOR_BACKGROUND_LIGHT
     - AUTHENTIK_FOOTER_LINKS
     - AUTHENTIK_IMPERSONATION
-    - AUTHENTIK_BOOTSTRAP_EMAIL
     - WELCOME_MESSAGE
     - DEFAULT_LANGUAGE
     - EMAIL_SUBJECT
@@ -33,7 +32,7 @@ x-env: &env
 version: '3.8'
 services:
   app:
-    image: ghcr.io/goauthentik/server:2024.8.3
+    image: ghcr.io/goauthentik/server:2023.10.7
     command: server
     depends_on:
       - db
@@ -48,17 +47,23 @@ services:
       - media:/media
       - assets:/web/dist/assets
       - templates:/templates
+    configs:
+      - source: custom_css
+        target: /web/dist/custom.css
     networks:
       - internal
       - proxy
     healthcheck:
-      test: "ak healthcheck"
+      test: "bash -c 'printf \"GET / HTTP/1.1\n\n\" > /dev/tcp/127.0.0.1/9000; exit $$?;'"
       interval: 30s
-      timeout: 30s
+      timeout: 10s
       retries: 10
       start_period: 5m
     environment: *env
     deploy:
+      update_config:
+        failure_action: rollback
+        order: start-first
       labels:
         - "traefik.enable=true"
         - "traefik.docker.network=proxy"
@@ -71,11 +76,11 @@ services:
         - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
         - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.customFrameOptionsValue=SAMEORIGIN"
         - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.contentSecurityPolicy=frame-ancestors ${X_FRAME_OPTIONS_ALLOW_FROM}"
-        - "coop-cloud.${STACK_NAME}.version=6.7.0+2024.8.3"
+        - "coop-cloud.${STACK_NAME}.version=4.2.0+2023.10.7"
         - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
 
   worker:
-    image: ghcr.io/goauthentik/server:2024.8.3
+    image: ghcr.io/goauthentik/server:2023.10.7
     command: worker
     depends_on:
       - db
@@ -90,10 +95,10 @@ services:
       - internal
       - proxy
     volumes:
+      - backups:/backups
       - media:/media
       - /dev/null:/blueprints/default/flow-oobe.yaml
       - templates:/templates
-      - certs:/certs
     configs:
       - source: flow_recovery
         target: /blueprints/1_flow_recovery.yaml
@@ -103,20 +108,14 @@ services:
         target: /blueprints/3_flow_translation.yaml
       - source: flow_invitation
         target: /blueprints/4_flow_invitation.yaml
-      - source: system_brand
+      - source: system_tenant
-        target: /blueprints/5_system_brand.yaml
+        target: /blueprints/5_system_tenant.yaml
       - source: flow_invalidation
         target: /blueprints/6_flow_invalidation.yaml
     environment: *env
-    healthcheck:
-      test: "ak healthcheck"
-      interval: 30s
-      timeout: 30s
-      retries: 10
-      start_period: 5m
 
   db:
-    image: postgres:15.8
+    image: postgres:15.5
     secrets:
       - db_password
     configs:
@@ -144,13 +143,10 @@ services:
           backupbot.backup: "true"
           backupbot.backup.pre-hook: "PGPASSWORD=$$(cat /run/secrets/db_password) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /var/lib/postgresql/data/backup.sql"
           backupbot.backup.post-hook: "rm -rf /var/lib/postgresql/data/backup.sql"
-          backupbot.backup.volumes.database.path: "backup.sql"
+          backupbot.backup.path: "/var/lib/postgresql/data"
-          backupbot.backup.volumes.redis: "false"
-          backupbot.restore.post-hook: 'psql -U authentik -d postgres -c "DROP DATABASE authentik WITH (FORCE);" && createdb -U authentik authentik && psql -U authentik -d authentik -f /var/lib/postgresql/data/backup.sql'
 
   redis:
-    image:  redis:7.4.0-alpine
+    image:  redis:7.2.4-alpine
-    command: --save 60 1 --loglevel warning
     networks:
       - internal
     healthcheck:
@@ -159,8 +155,6 @@ services:
       timeout: 10s
       retries: 10
       start_period: 1m
-    volumes:
-        - redis:/data
 
 secrets:
   db_password:
@@ -185,14 +179,17 @@ networks:
   internal:
 
 volumes:
+  backups:
   media:
-  certs:
-  redis:
   templates:
   assets:
   database:
 
 configs:
+  custom_css:
+    name: ${STACK_NAME}_custom_css_${CUSTOM_CSS_VERSION}
+    file: custom.css.tmpl
+    template_driver: golang
   flow_authentication:
     name: ${STACK_NAME}_flow_authentication_${FLOW_AUTHENTICATION_VERSION}
     file: flow_authentication.yaml.tmpl
@@ -213,9 +210,9 @@ configs:
     name: ${STACK_NAME}_flow_translation_${FLOW_TRANSLATION_VERSION}
     file: flow_translation.yaml.tmpl
     template_driver: golang
-  system_brand:
+  system_tenant:
-    name: ${STACK_NAME}_system_brand_${SYSTEM_BRAND_VERSION}
+    name: ${STACK_NAME}_system_tenant_${SYSTEM_TENANT_VERSION}
-    file: system_brand.yaml.tmpl
+    file: system_tenant.yaml.tmpl
     template_driver: golang
   db_entrypoint:
     name: ${STACK_NAME}_db_entrypoint_${DB_ENTRYPOINT_VERSION}

compose.zammad.yml

@@ -1,14 +0,0 @@
-version: "3.8"
-services:
-  worker:
-    environment:
-      - ZAMMAD_DOMAIN
-    configs:
-      - source: zammad
-        target: /blueprints/zammad.yaml
-
-configs:
-  zammad:
-    name: ${STACK_NAME}_zammad_${ZAMMAD_CONFIG_VERSION}
-    file: zammad.yaml.tmpl
-    template_driver: golang

custom_flows.yaml.tmpl

@@ -384,7 +384,7 @@ entries:
     enabled: {{ if eq (env "LOGOUT_REDIRECT") "" }} false {{ else }} true {{ end }}
     timeout: 30
 
-######## System Brand ##########
+######## System Tenant ##########
 - attrs:
     attributes:
       settings:
@@ -401,5 +401,5 @@ entries:
     flow_user_settings: !Find [authentik_flows.flow, [slug, default-user-settings-flow]]
   identifiers:
     pk: 047cce25-aae2-4b02-9f96-078e155f803d
-  id: system_brand
+  id: system_tenant
-  model: authentik_brands.brand
+  model: authentik_tenants.tenant

flow_authentication.yaml.tmpl

@@ -37,7 +37,7 @@ entries:
     name: default-authentication-login
   model: authentik_stages_user_login.userloginstage
   attrs:
-    session_duration: days=30
+    session_duration: seconds=0
 
 # After the first run this will produce a RelatedObjectDoesNotExist error
 - identifiers:

flow_invitation.yaml.tmpl

@@ -26,16 +26,22 @@ entries:
 
 ### POLICIES
 - attrs:
-    expression: |
+    expression: "if not regex_match(request.context.get('prompt_data').get('username'),\
-      if not regex_match(request.context.get('prompt_data').get('username'), '\s'):
+      \ '\\s'):\n    return True\n\nak_message(\"Username must not contain\
-          return True
+      \ whitespace!\")\nreturn False"
-      ak_message("Username must not contain any whitespace!")
+    name: username-without-spaces-policy
-      return False
   id: username-without-spaces-policy
   identifiers:
     name: username-without-spaces-policy
   model: authentik_policies_expression.expressionpolicy
 
+### POLICY BINDINGS
+- identifiers:
+    policy: !KeyOf username-without-spaces-policy
+    target: !KeyOf prompt-stage-binding
+    order: 10
+  model: authentik_policies.policybinding
+
 ### STAGES
 - identifiers:
     name: invitation-stage
@@ -53,8 +59,6 @@ entries:
       - !Find [authentik_stages_prompt.prompt, [name, default-user-settings-field-email]]
       - !Find [authentik_stages_prompt.prompt, [name, default-password-change-field-password]]
       - !Find [authentik_stages_prompt.prompt, [name, default-password-change-field-password-repeat]]
-    validation_policies:
-      - !Find [ authentik_policies_expression.expressionpolicy, [name, username-without-spaces-policy]]
 
 ### STAGE BINDINGS
 - identifiers:
@@ -67,6 +71,7 @@ entries:
     stage: !KeyOf enrollment-prompt-userdata
     target: !KeyOf invitation-enrollment-flow
   model: authentik_flows.flowstagebinding
+  id: prompt-stage-binding
 - identifiers:
     order: 20
     stage: !Find [authentik_stages_user_write.userwritestage, [name,  default-source-enrollment-write]]

flow_translation.yaml.tmpl

@@ -69,3 +69,16 @@ entries:
   attrs:
     label: !Context transl_username
     placeholder: !Context transl_username
+
+### POLICIES
+- model: authentik_policies_expression.expressionpolicy
+  identifiers:
+    name: username-without-spaces-policy
+  attrs:
+    expression: "if not regex_match(request.context.get('prompt_data').get('username'),\
+      \ '\\s'):\n    return True\n\nak_message(\"Benutzername darf kein Leerzeichen\
+      \ enthalten\")\nreturn False"
+      name: username-without-spaces-policy
+  id: username-without-spaces-policy
+
+Benutzername darf kein Leerzeichen enthalten\")\n

hedgedoc.yaml.tmpl

@@ -1,43 +0,0 @@
-version: 1
-metadata:
-  labels:
-    blueprints.goauthentik.io/instantiate: "true"
-  name: hedgedoc
-
-entries:
-
-- attrs:
-    access_code_validity: minutes=1
-    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
-    client_id: {{ secret  "hedgedoc_id" }}
-    client_secret: {{ secret  "hedgedoc_secret" }}
-    client_type: confidential
-    include_claims_in_id_token: true
-    issuer_mode: per_provider
-    name: Hedgedoc
-    property_mappings:
-    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
-    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
-    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
-    signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
-    sub_mode: hashed_user_id
-    token_validity: days=30
-  conditions: []
-  id: hedgedoc_provider
-  identifiers:
-    pk: 9992
-  model: authentik_providers_oauth2.oauth2provider
-  state: present
-
-- attrs:
-    meta_launch_url: https://{{ env  "HEDGEDOC_DOMAIN" }}
-    open_in_new_tab: true
-    policy_engine_mode: any
-    provider: !KeyOf hedgedoc_provider
-    slug: hedgedoc
-  conditions: []
-  id: hedgedoc_application
-  identifiers:
-    name: Hedgedoc
-  model: authentik_core.application
-  state: present

icons/zammad.svg

@@ -1,30 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<svg width="126px" height="108px" viewBox="0 0 42 36" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:sketch="http://www.bohemiancoding.com/sketch/ns">
-    <!-- Generator: Sketch 3.3.2 (12043) - http://www.bohemiancoding.com/sketch -->
-    <title>logo</title>
-    <desc>Created with Sketch.</desc>
-    <defs/>
-    <g id="Page-1" stroke="none" stroke-width="1" fill="none" fill-rule="evenodd" sketch:type="MSPage">
-        <g id="logo" sketch:type="MSArtboardGroup">
-            <g sketch:type="MSLayerGroup" transform="translate(1.000000, 0.000000)" id="Shape">
-                <path d="M27.3375,12.6 L36.72,9.72 L31.1625,13.2525 L27.3375,12.6 Z" fill="#CA2317" sketch:type="MSShapeGroup"/>
-                <path d="M33.0525,19.62 L31.1625,13.2525 L36.72,9.72 L35.055,15.435 L33.0525,19.62 Z" fill="#E84F83" sketch:type="MSShapeGroup"/>
-                <path d="M39.465,7.9875 L38.43,9.72 L35.055,15.435 L36.72,9.72 L39.465,7.9875 Z" fill="#CA2317" sketch:type="MSShapeGroup"/>
-                <path d="M39.8025,9.1125 L37.1925,11.79 L38.43,9.72 L39.8025,9.1125 Z" fill="#E54011" sketch:type="MSShapeGroup"/>
-                <path d="M27.9,10.8225 L35.5725,10.0575 L30.24,11.7 L27.9,10.8225 Z" fill="#E54011" sketch:type="MSShapeGroup"/>
-                <path d="M28.1925,15.165 L31.1625,13.2525 L33.0525,19.62 L32.0625,21.645 L28.1925,15.165 Z" fill="#CA2317" sketch:type="MSShapeGroup"/>
-                <path d="M23.76,22.725 L22.3425,5.4 L32.0625,21.645 L23.76,22.725 Z" fill="#B7DFF2" sketch:type="MSShapeGroup"/>
-                <path d="M19.7325,27.1575 L23.76,22.725 L32.0625,21.645 L19.7325,27.1575 Z" fill="#E54011" sketch:type="MSShapeGroup"/>
-                <path d="M0.1575,35.865 L19.7325,27.1575 L23.76,22.725 L17.37,22.0725 L0.1575,35.865 Z" fill="#FFCE33" sketch:type="MSShapeGroup"/>
-                <path d="M0.9,28.755 L10.9575,27.225 L14.085,24.705 L12.555,24.03 L0.9,28.755 Z" fill="#D6B12D" sketch:type="MSShapeGroup"/>
-                <path d="M4.5225,20.5425 L14.085,24.705 L17.37,22.0725 L4.5225,20.5425 Z" fill="#FFDE85" sketch:type="MSShapeGroup"/>
-                <path d="M21.6225,11.6775 L20.4075,11.88 L17.37,22.0725 L20.655,20.0025 L21.6225,11.6775 Z" fill="#009EC6" sketch:type="MSShapeGroup"/>
-                <path d="M23.4,18.2475 L20.655,20.0025 L22.3425,5.4 L23.4,18.2475 Z" fill="#5EAFCE" sketch:type="MSShapeGroup"/>
-                <path d="M13.0275,13.05 L21.6225,11.6775 L22.005,8.28 L13.0275,13.05 Z" fill="#045972" sketch:type="MSShapeGroup"/>
-                <path d="M12.105,5.085 L19.575,9.585 L22.005,8.28 L22.0725,7.8075 L12.105,5.085 Z" fill="#5A8591" sketch:type="MSShapeGroup"/>
-                <path d="M13.5675,0.18 L20.3625,7.335 L22.0725,7.8075 L22.3425,5.4 L13.5675,0.18 Z" fill="#009EC6" sketch:type="MSShapeGroup"/>
-                <path d="M17.37,22.0725 L23.4,18.2475 L23.76,22.725 L17.37,22.0725 Z" fill="#F39804" sketch:type="MSShapeGroup"/>
-            </g>
-        </g>
-    </g>
-</svg>

kimai.yaml.tmpl

@@ -1,48 +0,0 @@
-version: 1
-metadata:
-  labels:
-    blueprints.goauthentik.io/instantiate: "true"
-  name: kimai
-
-entries:
-- attrs:
-    acs_url: https://{{ env  "KIMAI_DOMAIN" }}/auth/saml/acs
-    assertion_valid_not_before: minutes=-5
-    assertion_valid_not_on_or_after: minutes=5
-    audience: https://{{ env  "KIMAI_DOMAIN" }}/auth/saml
-    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
-    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
-    digest_algorithm: http://www.w3.org/2001/04/xmlenc#sha256
-    issuer: https://{{ env  "DOMAIN" }}
-    name: Kimai
-    name_id_mapping: !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Username"]]
-    property_mappings:
-    - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Name"]]
-    - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Email"]]
-    - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: User ID"]]
-    - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Username"]]
-    - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Groups"]]
-    - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: UPN"]]
-    session_valid_not_on_or_after: minutes=86400
-    signature_algorithm: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
-    signing_kp: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
-    sp_binding: post
-  conditions: []
-  id: kimai_provider
-  identifiers:
-    pk: 9991
-  model: authentik_providers_saml.samlprovider
-  state: present
-
-- attrs:
-    meta_launch_url: https://{{ env  "KIMAI_DOMAIN" }}
-    open_in_new_tab: true
-    policy_engine_mode: any
-    provider: !KeyOf kimai_provider
-    slug: kimai
-  conditions: []
-  id: kimai_application
-  identifiers:
-    name: Kimai
-  model: authentik_core.application
-  state: present

monitoring.yaml.tmpl

@@ -25,7 +25,7 @@ entries:
   conditions: []
   id: monitoring_provider
   identifiers:
-    pk: 9990
+    pk: 9994
   model: authentik_providers_oauth2.oauth2provider
   state: present
 

outline.yaml.tmpl

@@ -25,7 +25,7 @@ entries:
   conditions: []
   id: outline_provider
   identifiers:
-    pk: 9994
+    pk: 9995
   model: authentik_providers_oauth2.oauth2provider
   state: present
 

rallly.yaml.tmpl

@@ -25,7 +25,7 @@ entries:
   conditions: []
   id: rallly_provider
   identifiers:
-    pk: 9993
+    pk: 9995
   model: authentik_providers_oauth2.oauth2provider
   state: present
 

release/5.0.0+2024.2.2

@@ -1 +0,0 @@
-Blueprint changes are applied and automatic migrations should work, however, manual action may be required: https://docs.goauthentik.io/docs/releases/2024.2

release/5.1.0+2024.2.3

@@ -1 +0,0 @@
-Due to blueprint changes, you need to run the following command after upgrading: abra app cmd -C <Domain> worker apply_blueprints

release/6.0.0+2024.4.0

@@ -1 +0,0 @@
-Alerta! ⚠️ If you are using AUTHENTIK_COLOR_BACKGROUND_LIGHT, you will need to set COMPOSE_FILE="$COMPOSE_FILE:compose.css.yml"

release/6.1.0+2024.4.2

@@ -1 +0,0 @@
-Blueprint for Kimai SSO integration added

release/6.6.0+2024.8.2

@@ -1 +0,0 @@
-Replaced icon bbb.jpg with icon.png - configs need to be updated when upgrading!

release/6.7.0+2024.8.3

@@ -1,3 +0,0 @@
-Two critical vulnerabilities were closed:
-https://github.com/goauthentik/authentik/security/advisories/GHSA-7jxf-mmg9-9hg7
-https://github.com/goauthentik/authentik/security/advisories/GHSA-8gfm-pr6x-pfh9

system_tenant.yaml.tmpl

@@ -2,13 +2,13 @@ version: 1
 metadata:
   labels:
     blueprints.goauthentik.io/instantiate: "true"
-  name: Custom System brand
+  name: Custom System Tenant
 entries:
 ### DEPENDENCIES
 - model: authentik_blueprints.metaapplyblueprint
   attrs:
     identifiers:
-      name: Default - Brand
+      name: Default - Tenant
     required: true
 - model: authentik_blueprints.metaapplyblueprint
   attrs:
@@ -17,11 +17,11 @@ entries:
     required: true
 
 
-### SYSTEM BRAND
+### SYSTEM TENANT
-# remove custom brand from old recipe
+# remove custom tenant from old recipe
 - identifiers:
     domain: {{ env "DOMAIN" }}
-  model: authentik_brands.brand
+  model: authentik_tenants.tenant
   state: absent
 
 - attrs:
@@ -32,4 +32,4 @@ entries:
   identifiers:
     default: true
     domain: authentik-default
-  model: authentik_brands.brand
+  model: authentik_tenants.tenant

zammad.yaml.tmpl

@@ -1,67 +0,0 @@
-version: 1
-metadata:
-  labels:
-    blueprints.goauthentik.io/instantiate: "true"
-  name: zammad
-
-entries:
-- attrs:
-    expression: return request.user.name
-    managed: null
-    name: 'Zammad SAML Mapping: name'
-    saml_name: name
-  conditions: []
-  identifiers:
-    name: zammad_name_mapping
-  id: zammad_name_mapping
-  model: authentik_providers_saml.samlpropertymapping
-  state: present
-
-- attrs:
-    expression: return request.user.email
-    managed: null
-    name: 'Zammad SAML Mapping: email'
-    saml_name: email
-  conditions: []
-  identifiers:
-    name: zammad_email_mapping
-  id: zammad_email_mapping
-  model: authentik_providers_saml.samlpropertymapping
-  state: present
-
-- attrs:
-    acs_url: https://{{ env  "ZAMMAD_DOMAIN" }}/auth/saml/callback
-    assertion_valid_not_before: minutes=-5
-    assertion_valid_not_on_or_after: minutes=5
-    audience: https://{{ env  "ZAMMAD_DOMAIN" }}/auth/saml/metadata
-    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
-    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
-    digest_algorithm: http://www.w3.org/2001/04/xmlenc#sha256
-    issuer: https://{{ env  "ZAMMAD_DOMAIN" }}/auth/saml/metadata
-    name: zammad
-    property_mappings:
-    - !KeyOf zammad_name_mapping
-    - !KeyOf zammad_email_mapping
-    session_valid_not_on_or_after: minutes=86400
-    signature_algorithm: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
-    signing_kp: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
-    sp_binding: post
-  conditions: []
-  id: zammad_provider
-  identifiers:
-    pk: 9989
-  model: authentik_providers_saml.samlprovider
-  state: present
-
-- attrs:
-    meta_launch_url: https://{{ env  "ZAMMAD_DOMAIN" }}
-    open_in_new_tab: true
-    policy_engine_mode: any
-    provider: !KeyOf zammad_provider
-    slug: zammad
-  conditions: []
-  id: zammad_application
-  identifiers:
-    name: Zammad
-  model: authentik_core.application
-  state: present