
security: fix oobe-flow reuse when akadmin is deleted#7361

Merged
BeryJu merged 1 commit into main from security/GHSA-rjvp-29xq-f62w
Oct 28, 2023

Conversation

BeryJu (Member) commented Oct 28, 2023


fix GHSA-rjvp-29xq-f62w


Checklist

  • Local tests pass (ak test authentik/)
  • The code has been formatted (make lint-fix)

If an API change has been made

  • The API schema has been updated (make gen-build)

If changes to the frontend have been made

  • The code has been formatted (make web)
  • The translation files have been updated (make i18n-extract)

If applicable

  • The documentation has been updated
  • The documentation has been formatted (make website)

@BeryJu BeryJu requested review from a team as code owners October 28, 2023 19:00
netlify bot commented Oct 28, 2023

Deploy Preview for authentik-storybook canceled.

Latest commit: a4124f2
Latest deploy log: https://app.netlify.com/sites/authentik-storybook/deploys/653d5fd2c83d4d0007d96543

BeryJu (Member, Author) commented Oct 28, 2023

/cherry-pick version-2023.8

netlify bot commented Oct 28, 2023

Deploy Preview for authentik ready!

Latest commit: a4124f2
Latest deploy log: https://app.netlify.com/sites/authentik/deploys/653d5fd2f39cf70008ebb3e1
Deploy Preview: https://deploy-preview-7361--authentik.netlify.app
Lighthouse (1 path audited)
Performance: 95
Accessibility: 90
Best Practices: 100
SEO: 80
PWA: -

codecov bot commented Oct 28, 2023

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (2a47ff2) 92.59% compared to head (c9c584e) 92.57%.
Report is 1 commits behind head on main.

❗ Current head c9c584e differs from pull request most recent head a4124f2. Consider uploading reports for the commit a4124f2 to get more accurate results

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #7361      +/-   ##
==========================================
- Coverage   92.59%   92.57%   -0.03%     
==========================================
  Files         587      587              
  Lines       28911    28911              
==========================================
- Hits        26770    26764       -6     
- Misses       2141     2147       +6     
Flag         Coverage Δ
e2e          50.89% <ø> (-0.04%) ⬇️
integration  26.00% <ø> (ø)
unit         89.60% <ø> (ø)

Flags with carried forward coverage won't be shown.

see 2 files with indirect coverage changes


Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu BeryJu force-pushed the security/GHSA-rjvp-29xq-f62w branch from c9c584e to a4124f2 on October 28, 2023 19:24
@BeryJu BeryJu merged commit 2618790 into main Oct 28, 2023
@BeryJu BeryJu deleted the security/GHSA-rjvp-29xq-f62w branch October 28, 2023 19:24
gcp-cherry-pick-bot (Contributor) commented

Cherry-pick failed with Merge error 261879022d25016d58867cf1f24e90b81ad618d0 into temp-cherry-pick-a69c14-version-2023.8

BeryJu added a commit that referenced this pull request Oct 28, 2023
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
# Conflicts:
#	website/docs/releases/2023/v2023.10.md
github-actions bot commented Oct 28, 2023

authentik PR Installation instructions

Instructions for docker-compose

Add the following block to your .env file:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-security-GHSA-rjvp-29xq-f62w-1698522017-a4124f2
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

For arm64, use these values:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-security-GHSA-rjvp-29xq-f62w-1698522017-a4124f2-arm64
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

Afterwards, run the upgrade commands from the latest release notes.

Instructions for Kubernetes

Add the following block to your values.yml file:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
image:
    repository: ghcr.io/goauthentik/dev-server
    tag: gh-security-GHSA-rjvp-29xq-f62w-1698522017-a4124f2

For arm64, use these values:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
image:
    repository: ghcr.io/goauthentik/dev-server
    tag: gh-security-GHSA-rjvp-29xq-f62w-1698522017-a4124f2-arm64

Afterwards, run the upgrade commands from the latest release notes.

kensternberg-authentik added a commit that referenced this pull request Oct 30, 2023
* main: (54 commits)
  web: bump rollup from 4.1.4 to 4.1.5 in /web (#7370)
  website/integrations: add SonarQube (#7167)
  web: bump the storybook group in /web with 5 updates (#7382)
  core: bump goauthentik.io/api/v3 from 3.2023101.1 to 3.2023102.1 (#7378)
  web: bump ts-lit-plugin from 2.0.0 to 2.0.1 in /web (#7379)
  web: bump @rollup/plugin-replace from 5.0.4 to 5.0.5 in /web (#7380)
  web: bump API Client version (#7365)
  website/docs: add 2023.8.4 release notes
  release: 2023.10.2
  security: fix oobe-flow reuse when akadmin is deleted (#7361)
  website/docs: prepare 2023.10.2 release notes (#7362)
  website/docs: add missing breaking change due to APPEND_SLASH (#7360)
  lifecycle: rework otp_merge migration (#7359)
  translate: Updates for file web/xliff/en.xlf in zh-Hans (#7354)
  translate: Updates for file web/xliff/en.xlf in zh_CN (#7353)
  website/docs: add warning about Helm breaking change in 2024.x (#7351)
  crypto: fix race conditions when creating self-signed certificates on startup (#7344)
  blueprints: fix entries with state: absent not being deleted if their serializer has errors (#7345)
  web/admin: fix @change handler for ak-radio elements (#7348)
  rbac: handle lookup error (#7341)
  ...
kensternberg-authentik added a commit that referenced this pull request Oct 30, 2023
kensternberg-authentik added a commit that referenced this pull request Oct 30, 2023