Merge branch 'stable' into fac-merge-stable-into-release1.5

Author: fatih-acar

.devcontainer/Dockerfile

@@ -1,4 +1,4 @@
-FROM python:3.12
+FROM python:3.12-bookworm
 
 RUN apt-get remove -yq docker.io docker-doc docker-compose podman-docker containerd runc 2>&1 || true
 

.github/workflows/chromatic.yml

@@ -24,7 +24,7 @@ jobs:
         with:
           fetch-depth: 0  # In order for Chromatic to correctly determine baseline commits, tot access the full Git history graph.
       - name: Install Node.js
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v6
         with:
           node-version: 22
           cache: 'npm'

.github/workflows/ci.yml

@@ -90,7 +90,7 @@ jobs:
       - name: "Check out repository code"
         uses: "actions/checkout@v5"
       - name: Setup Node.js
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v6
         with:
           node-version: 22
           cache: 'npm'
@@ -535,7 +535,7 @@ jobs:
         with:
           submodules: true
       - name: Install NodeJS
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v6
         with:
           node-version: 22
           cache: 'npm'
@@ -636,7 +636,7 @@ jobs:
         with:
           submodules: true
       - name: Install NodeJS
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v6
         with:
           node-version: 22
           cache: 'npm'
@@ -676,7 +676,7 @@ jobs:
         with:
           submodules: true
       - name: Install NodeJS
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v6
         with:
           node-version: 22
           cache: 'npm'
@@ -794,7 +794,7 @@ jobs:
         with:
           submodules: true
       - name: Install NodeJS
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v6
         with:
           node-version: 22
           cache: 'npm'

CHANGELOG.md

@@ -11,6 +11,40 @@ This project uses [*towncrier*](https://towncrier.readthedocs.io/) and the chang
 
 <!-- towncrier release notes start -->
 
+## [Infrahub - v1.4.11](https://github.com/opsmill/infrahub/tree/infrahub-v1.4.11) - 2025-10-17
+
+### Added
+
+- The login form now automatically focuses on the first field.
+
+### Fixed
+
+- Frontend Updates
+  - Consistent font size for all events in the Proposed Change timeline
+  - Proposed Change action buttons now keep their size and does not strectch anymore
+  - Prevent overflow on the create new relationship button within the relationship input
+  - fixed typos
+
+- SSO Fixes ([#6969](https://github.com/opsmill/infrahub/issues/6969))
+  - Improved logging for SSO authentication to provide better debugging information
+  - Enhanced error handling to properly support all error codes returned by identity providers
+
+- Artifact Display Fixes ([#7294](https://github.com/opsmill/infrahub/issues/7294))
+  - Correctly display XML and CSV artifacts in the UI.
+  - Added a fallback to plain text for unsupported content types.
+
+- Fix a bug that allowed duplicate attributes and/or relationships on Node or Generic schemas to be merged into the default branch,
+  which would cause the application and workers to crash with an error message similar to the following:
+
+  > ValueError: SchemaName: Names of attributes and relationships must be unique : ['field_name_1', 'field_name_2']
+
+  Added a new CLI command `infrahub db check-duplicate-schema-fields` to resolve this duplicated schema fields issue if it appears. ([#7346](https://github.com/opsmill/infrahub/issues/7346))
+- Fixed an issue where boolean fields in the object Details view always displayed a checkmark, even when the value was false. ([#7372](https://github.com/opsmill/infrahub/issues/7372))
+- Fixed prefix utilization showing as greater than 100% after setting the pool attribute to false ([#7388](https://github.com/opsmill/infrahub/issues/7388))
+- Corrected the labels on the branch list and detailed view to use the correct terminology
+- Fixed issue with number pool popover stuck in the top-left corner and not expandable during the initial render in some cases.
+- Improved artifacts generation and proposed change checks performance by leveraging caching and avoiding excessive GraphQL queries.
+
 ## [Infrahub - v1.4.10](https://github.com/opsmill/infrahub/tree/infrahub-v1.4.10) - 2025-10-01
 
 ### Fixed

backend/infrahub/api/oauth2.py

@@ -11,14 +11,16 @@
 
 from infrahub import config, models
 from infrahub.api.dependencies import get_db
-from infrahub.auth import get_groups_from_provider, signin_sso_account
-from infrahub.exceptions import GatewayError, ProcessingError
+from infrahub.auth import (
+    get_groups_from_provider,
+    signin_sso_account,
+    validate_auth_response,
+)
+from infrahub.exceptions import ProcessingError
 from infrahub.log import get_logger
 from infrahub.message_bus.types import KVTTL
 
 if TYPE_CHECKING:
-    import httpx
-
     from infrahub.database import InfrahubDatabase
     from infrahub.services import InfrahubServices
 
@@ -95,7 +97,7 @@ async def token(
     }
 
     token_response = await service.http.post(provider.token_url, data=token_data)
-    _validate_response(response=token_response)
+    validate_auth_response(response=token_response, provider_type="OAuth 2.0")
 
     with trace.get_tracer(__name__).start_as_current_span("sso_token_request") as span:
         span.set_attribute("token_request_data", ujson.dumps(token_response.json()))
@@ -107,12 +109,17 @@ async def token(
     else:
         userinfo_response = await service.http.post(provider.userinfo_url, headers=headers)
 
-    _validate_response(response=userinfo_response)
+    validate_auth_response(response=userinfo_response, provider_type="OAuth 2.0")
     user_info = userinfo_response.json()
     sso_groups = user_info.get("groups", []) or await get_groups_from_provider(
         provider=provider, service=service, payload=payload, user_info=user_info
     )
 
+    log.info(
+        "SSO user authenticated",
+        body={"user_name": user_info.get("name"), "groups": sso_groups},
+    )
+
     if not sso_groups and config.SETTINGS.security.sso_user_default_group:
         sso_groups = [config.SETTINGS.security.sso_user_default_group]
 
@@ -134,16 +141,3 @@ async def token(
     return models.UserTokenWithUrl(
         access_token=user_token.access_token, refresh_token=user_token.refresh_token, final_url=stored_final_url
     )
-
-
-def _validate_response(response: httpx.Response) -> None:
-    if 200 <= response.status_code <= 299:
-        return
-
-    log.error(
-        "Invalid response from the OAuth provider",
-        url=response.url,
-        status_code=response.status_code,
-        body=response.json(),
-    )
-    raise GatewayError(message="Invalid response from Authentication provider")

backend/infrahub/api/oidc.py

@@ -13,14 +13,16 @@
 
 from infrahub import config, models
 from infrahub.api.dependencies import get_db
-from infrahub.auth import get_groups_from_provider, signin_sso_account
-from infrahub.exceptions import GatewayError, ProcessingError
+from infrahub.auth import (
+    get_groups_from_provider,
+    signin_sso_account,
+    validate_auth_response,
+)
+from infrahub.exceptions import ProcessingError
 from infrahub.log import get_logger
 from infrahub.message_bus.types import KVTTL
 
 if TYPE_CHECKING:
-    import httpx
-
     from infrahub.database import InfrahubDatabase
     from infrahub.services import InfrahubServices
 
@@ -69,7 +71,7 @@ async def authorize(request: Request, provider_name: str, final_url: str | None
     service: InfrahubServices = request.app.state.service
 
     response = await service.http.get(url=provider.discovery_url)
-    _validate_response(response=response)
+    validate_auth_response(response=response, provider_type="OIDC")
     oidc_config = OIDCDiscoveryConfig(**response.json())
 
     with trace.get_tracer(__name__).start_as_current_span("sso_oauth2_client_configuration") as span:
@@ -129,12 +131,12 @@ async def token(
     }
 
     discovery_response = await service.http.get(url=provider.discovery_url)
-    _validate_response(response=discovery_response)
+    validate_auth_response(response=discovery_response, provider_type="OIDC")
 
     oidc_config = OIDCDiscoveryConfig(**discovery_response.json())
 
     token_response = await service.http.post(str(oidc_config.token_endpoint), data=token_data)
-    _validate_response(response=token_response)
+    validate_auth_response(response=token_response, provider_type="OIDC")
 
     with trace.get_tracer(__name__).start_as_current_span("sso_token_request") as span:
         span.set_attribute("token_request_data", ujson.dumps(token_response.json()))
@@ -147,7 +149,7 @@ async def token(
     else:
         userinfo_response = await service.http.post(str(oidc_config.userinfo_endpoint), headers=headers)
 
-    _validate_response(response=userinfo_response)
+    validate_auth_response(response=userinfo_response, provider_type="OIDC")
     user_info: dict[str, Any] = userinfo_response.json()
     sso_groups = (
         user_info.get("groups")
@@ -157,6 +159,11 @@ async def token(
         or await get_groups_from_provider(provider=provider, service=service, payload=payload, user_info=user_info)
     )
 
+    log.info(
+        "SSO user authenticated",
+        body={"user_name": user_info.get("name"), "groups": sso_groups},
+    )
+
     if not sso_groups and config.SETTINGS.security.sso_user_default_group:
         sso_groups = [config.SETTINGS.security.sso_user_default_group]
 
@@ -180,19 +187,6 @@ async def token(
     )
 
 
-def _validate_response(response: httpx.Response) -> None:
-    if 200 <= response.status_code <= 299:
-        return
-
-    log.error(
-        "Invalid response from the OIDC provider",
-        url=response.url,
-        status_code=response.status_code,
-        body=response.json(),
-    )
-    raise GatewayError(message="Invalid response from Authentication provider")
-
-
 async def _get_id_token_groups(
     oidc_config: OIDCDiscoveryConfig, service: InfrahubServices, payload: dict[str, Any], client_id: str
 ) -> list[str]:

backend/infrahub/artifacts/models.py

@@ -25,7 +25,8 @@ class CheckArtifactCreate(BaseModel):
     target_kind: str = Field(..., description="The kind of the target object for this artifact")
     target_name: str = Field(..., description="Name of the artifact target")
     artifact_id: str | None = Field(default=None, description="The id of the artifact if it previously existed")
-    query: str = Field(..., description="The name of the query to use when collecting data")
+    query: str = Field(..., description="The name of the query to use when collecting data")  # Deprecated
+    query_id: str = Field(..., description="The id of the query to use when collecting data")
     timeout: int = Field(..., description="Timeout for requests used to generate this artifact")
     variables: dict = Field(..., description="Input variables when generating the artifact")
     validator_id: str = Field(..., description="The ID of the validator")