create SSOLoginPolicy, which allows factors to be applied when user comes from SSO login

implement SESSIION_IS_SSO_LOGIN for OAuth Client and core MFA

passbook/core/auth/view.py

@@ -29,6 +29,7 @@ class AuthenticationView(UserPassesTestMixin, View):
     SESSION_PENDING_FACTORS = 'passbook_pending_factors'
     SESSION_PENDING_USER = 'passbook_pending_user'
     SESSION_USER_BACKEND = 'passbook_user_backend'
+    SESSION_IS_SSO_LOGIN = 'passbook_sso_login'
 
     pending_user = None
     pending_factors = []
@@ -79,6 +80,10 @@ class AuthenticationView(UserPassesTestMixin, View):
         if AuthenticationView.SESSION_FACTOR not in request.session:
             # Case when no factors apply to user, return error denied
             if not self.pending_factors:
+                # Case when user logged in from SSO provider and no more factors apply
+                if AuthenticationView.SESSION_IS_SSO_LOGIN in request.session:
+                    LOGGER.debug("User authenticated with SSO, logging in...")
+                    return self._user_passed()
                 return self.user_invalid()
             factor_uuid, factor_class = self.pending_factors[0]
         else:

passbook/core/forms/policies.py

@@ -5,7 +5,7 @@ from django.utils.translation import gettext as _
 
 from passbook.core.models import (DebugPolicy, FieldMatcherPolicy,
                                   GroupMembershipPolicy, PasswordPolicy,
-                                  WebhookPolicy)
+                                  SSOLoginPolicy, WebhookPolicy)
 
 GENERAL_FIELDS = ['name', 'action', 'negate', 'order', 'timeout']
 
@@ -66,6 +66,18 @@ class GroupMembershipPolicyForm(forms.ModelForm):
             'order': forms.NumberInput(),
         }
 
+class SSOLoginPolicyForm(forms.ModelForm):
+    """Edit SSOLoginPolicy instances"""
+
+    class Meta:
+
+        model = SSOLoginPolicy
+        fields = GENERAL_FIELDS
+        widgets = {
+            'name': forms.TextInput(),
+            'order': forms.NumberInput(),
+        }
+
 class PasswordPolicyForm(forms.ModelForm):
     """PasswordPolicy Form"""
 

passbook/core/migrations/0024_ssologinpolicy.py

@@ -0,0 +1,25 @@
+# Generated by Django 2.2 on 2019-04-29 21:14
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('passbook_core', '0023_remove_user_applications'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='SSOLoginPolicy',
+            fields=[
+                ('policy_ptr', models.OneToOneField(auto_created=True, on_delete=django.db.models.deletion.CASCADE, parent_link=True, primary_key=True, serialize=False, to='passbook_core.Policy')),
+            ],
+            options={
+                'verbose_name': 'SSO Login Policy',
+                'verbose_name_plural': 'SSO Login Policies',
+            },
+            bases=('passbook_core.policy',),
+        ),
+    ]

passbook/core/models.py

@@ -165,9 +165,10 @@ class Source(PolicyModel):
 
     name = models.TextField()
     slug = models.SlugField()
-    form = '' # ModelForm-based class ued to create/edit instance
     enabled = models.BooleanField(default=True)
 
+    form = '' # ModelForm-based class ued to create/edit instance
+
     objects = InheritanceManager()
 
     @property
@@ -409,6 +410,21 @@ class GroupMembershipPolicy(Policy):
         verbose_name = _('Group Membership Policy')
         verbose_name_plural = _('Group Membership Policies')
 
+class SSOLoginPolicy(Policy):
+    """Policy that applies to users that have authenticated themselves through SSO"""
+
+    form = 'passbook.core.forms.policies.SSOLoginPolicyForm'
+
+    def passes(self, user):
+        """Check if user instance passes this policy"""
+        from passbook.core.auth.view import AuthenticationView
+        return user.session.get(AuthenticationView.SESSION_IS_SSO_LOGIN, False), ""
+
+    class Meta:
+
+        verbose_name = _('SSO Login Policy')
+        verbose_name_plural = _('SSO Login Policies')
+
 class Invitation(UUIDModel):
     """Single-use invitation link"""