Boots the full authentik stack (postgres + Go server + Rust worker)
inside the existing ci-web workflow, applies migrations and the
test-admin user blueprint, then runs `corepack npm run --prefix web
test:e2e` against http://localhost:9000. Uploads the HTML report,
traces/videos, and authentik logs as artifacts on failure so reviewers
can debug without rerunning locally.
Also enables the HTML reporter and screenshot/video capture on CI in
playwright.config.js, and updates the full dev-environment docs to
point at the same npm scripts CI uses so local and CI runs stay in
lockstep.
Closes#21994
Co-Authored-By: Agent (authentik-i21994-better-mobile-tangelo) <279763771+playpen-agent@users.noreply.github.com>
ci/web: make test-admin blueprint self-contained
The previous blueprint used !Find to look up the authentik Admins group,
which raced against system/bootstrap.yaml and resolved to None when the
explicit apply_blueprint step ran before the worker had applied bootstrap.
The serializer rejected groups: [None] with Invalid pk "None".
Define the group in the same blueprint with state: present and reference
it via !KeyOf, so the test admin setup does not depend on any pre-existing
data. If bootstrap has already created the group, state: present is a
no-op on the identifiers; otherwise the group is created here.
Co-Authored-By: Agent (authentik-i21994-better-mobile-tangelo) <279763771+playpen-agent@users.noreply.github.com>
ci/web: format test-admin-user.yaml with prettier
Pick up the 4-space indent that web/'s prettier config enforces. The
file was added under issue #21994 with 2-space indent and tripped the
ci-web format check on push.
Co-Authored-By: Agent (authentik-i21994-better-mobile-tangelo) <279763771+playpen-agent@users.noreply.github.com>
Use parallelism.
Remove guard.
Reorder tests.
Ignore playwright-traces.
Update expected path.
Always parallel.
Flesh out types.
ci/web: post Playwright result comment + gated S3 upload + !cancelled() guards
Three reviewer-facing improvements to the e2e job:
1. Idempotent PR comment summarising Playwright pass/fail/flaky/skipped
counts. Marker `<!-- playwright-result -->` lets re-runs edit the
same comment instead of piling up. Skipped on fork PRs where the
default GITHUB_TOKEN is read-only.
2. Optional S3 publish of the HTML report to
`s3://authentik-playwright-artifacts/pr-<n>/run-<id>/attempt-<n>/`,
gated behind `vars.PLAYWRIGHT_S3_ENABLED == 'true'`. The bucket is
pending infra provisioning; the public URL pattern is already wired
into the comment so flipping the variable on later requires no
workflow changes. Borrows the OIDC + IAM role plumbing from
`.github/workflows/release-publish.yml`.
3. Switch the failure-guarded reporting/upload steps to `!cancelled()`
so a superseded (cancelled) run no longer emits failure-shaped noise,
and so successful runs still produce the artifact bundle reviewers
expect.
Adds the Playwright JSON reporter so the parse step can pull pass/fail
counts from `playwright-report/results.json` for the comment body.
Co-Authored-By: Agent (authentik-i21996-internal-achievable-raisin) <279763771+playpen-agent@users.noreply.github.com>
web/e2e: fix three regressions blocking the parallel suite
Locally and in CI the new `e2e (playwright)` job appeared to "hang"
under `fullyParallel: true` + `workers: "50%"`. The hang was actually
five tests sharing two unrelated bugs that all manifest as 30s test
timeouts; the cluster only *looks* like a parallelism issue because
multiple workers stall on the same wall-clock window. With these three
fixes the full suite is green in 1m48s on `--workers=2` (was: 5 failed
/ 17 passed in 5m30s).
1. `web/test/browser/600-providers.test.ts`
PR #21647 dropped the `to:` argument on the `session.login()` call
in this file's `beforeEach`. Without it, `SessionFixture.login()`
waits for the auth-flow URL pattern to re-appear — which it does
immediately, since we just navigated there — so the helper returns
*before* the post-login redirect lands. The wizard buttons probed
afterward live on `/if/admin/#/core/providers`, which the user never
actually reaches; every test in the file then hits the 30s
`beforeEach` timeout. Pin the destination explicitly, matching the
shape of every other test file.
2. `web/src/admin/roles/ak-role-list.ts`
The role-list row anchor had no aria-label, so its accessible name
was the (random, generated) role name. `500-roles.test.ts` searches
for that anchor with `getByRole("link", { name: "view details" })`
— the same selector `400-groups.test.ts` uses against the group
list, where `GroupListPage.row()` *does* set
`aria-label="View details of group ..."`. Bring the role row to
parity with groups; the test wasn't wrong, the UI was missing the
accessibility hook.
3. `web/test/browser/500-roles.test.ts` ("Edit role from view page")
The post-edit verification used `page.getByText(updatedName)`, but
on the role view page the new name renders in two places (the
"Role <name>" page-navbar heading and the description-list value),
so the bare text match resolves to two elements and trips
strict-mode. Add `{ exact: true }` so we assert the canonical value
the edit wrote rather than the heading template.
Co-Authored-By: Agent (authentik-i21996-internal-achievable-raisin) <279763771+playpen-agent@users.noreply.github.com>
Use headless.
* website/docs: preserve blueprint download filenames
Use a shared DownloadLink component for bundled blueprint downloads.
Closes: https://github.com/goauthentik/authentik/issues/20089
* website/docs: use download link for lockdown blueprint
* enterprise/lifecycle: allow multiple rules to apply to a single object (and thus, multiple concurrent reviews)
* enterprise/lifecyle: add missing migration to allow multiple lifecycle rules per object, add tests, update documentation
* enterprise/lifecycle: add a bit of padding to individual review iterations on Review tab for better visual separation
* enterprise/lifecycle: remove validation preventing the creation of multiple lifecycle rules for one object type
* enterprise/lifecycle: change the approach to querying the list of reviews with user_is_reviewer annotation to prevent duplicate rows
* enterprise/lifecycle: add custom per-type logic to get object name for use in a notification to prevent texts like "Review is due for Group Group X"
* enterprise/lifecycle: updated wording on lifecycle rule form and preview banner padding
* enterprise/lifecycle: remove task list from lifecycle rules and switch to using per-rule schedules
* enterprise/lifecycle: add a title to the lifecycle tab
* Revert "enterprise/lifecycle: remove task list from lifecycle rules and switch to using per-rule schedules"
This reverts commit 8a060015b693f65f651a71bdb0c47092d3463af1.
* enterprise/lifecycle: remove task list from the lifecycle rule list page and attach the tasks to the schedule
* enterprise/lifecycle: add proper caption when there are no reviews for an object
* enterprise/lifecycle: attach individual apply_lifecycle_rule tasks to the schedule when launched from apply_lifecycle_rules
* enterprise/lifecycle: update generated API clients
* enterprise/lifecycle: update wording
* enterprise/lifecycle: fix ts issues after rebase
* Update website/docs/sys-mgmt/object-lifecycle-management.md
Co-authored-by: Dominic R <dominic@sdko.org>
Signed-off-by: Alexander Tereshkin <96586+atereshkin@users.noreply.github.com>
* enterprise/lifecycle: remove fmall code artifact
---------
Signed-off-by: Alexander Tereshkin <96586+atereshkin@users.noreply.github.com>
Co-authored-by: Dominic R <dominic@sdko.org>
* initial
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* use same startup template
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* fix check not working
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* unrelated: fix inspector auth
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* add tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* update docs
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* ensure oobe flow can only accessed via correct url
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* set setup flag when applying bootstrap blueprint when env is set
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* add system visibility to flags to make them non-editable
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* set setup flag for e2e tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* fix tests and linting
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* fix tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* make github lint happy
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* make tests have less assumptions
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* Update docs
* include more heuristics in migration
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* add management command to set any flag
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* migrate worker command to signal
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* improved api for setting flags
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* short circuit
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
* website/docs: clarify LDAP group attribute mappings
Explain that LDAP source property mappings can be assigned to groups, add an example for copying a custom LDAP group attribute into authentik group attributes, and note how to decode JSON-encoded values.
Closes: https://github.com/goauthentik/authentik/issues/5874
* Update website/docs/users-sources/sources/protocols/ldap/index.md
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
Signed-off-by: Dominic R <dominic@sdko.org>
* Update website/docs/users-sources/sources/protocols/ldap/index.md
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
Signed-off-by: Dominic R <dominic@sdko.org>
---------
Signed-off-by: Dominic R <dominic@sdko.org>
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
Clarify that the OAuth2 provider Signing Key field is optional and that authentik signs JWTs with the provider Client secret when no signing key is set.
Closes: https://github.com/goauthentik/authentik/issues/4824
Refine the machine-to-machine authentication page, align examples and inline formatting with the docs style guide, and replace the small event logging table with a list.
* add another sentence about restricting access to apps
* tweaks
* Update website/docs/install-config/first-steps/index.mdx
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>
* Lint fix
---------
Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
