create SSOLoginPolicy, which allows factors to be applied when user comes from SSO login
implement SESSION_IS_SSO_LOGIN for OAuth Client and core MFA
		| @ -29,6 +29,7 @@ class AuthenticationView(UserPassesTestMixin, View): | |||||||
|     SESSION_PENDING_FACTORS = 'passbook_pending_factors' |     SESSION_PENDING_FACTORS = 'passbook_pending_factors' | ||||||
|     SESSION_PENDING_USER = 'passbook_pending_user' |     SESSION_PENDING_USER = 'passbook_pending_user' | ||||||
|     SESSION_USER_BACKEND = 'passbook_user_backend' |     SESSION_USER_BACKEND = 'passbook_user_backend' | ||||||
|  |     SESSION_IS_SSO_LOGIN = 'passbook_sso_login' | ||||||
|  |  | ||||||
|     pending_user = None |     pending_user = None | ||||||
|     pending_factors = [] |     pending_factors = [] | ||||||
| @ -79,6 +80,10 @@ class AuthenticationView(UserPassesTestMixin, View): | |||||||
|         if AuthenticationView.SESSION_FACTOR not in request.session: |         if AuthenticationView.SESSION_FACTOR not in request.session: | ||||||
|             # Case when no factors apply to user, return error denied |             # Case when no factors apply to user, return error denied | ||||||
|             if not self.pending_factors: |             if not self.pending_factors: | ||||||
|  |                 # Case when user logged in from SSO provider and no more factors apply | ||||||
|  |                 if AuthenticationView.SESSION_IS_SSO_LOGIN in request.session: | ||||||
|  |                     LOGGER.debug("User authenticated with SSO, logging in...") | ||||||
|  |                     return self._user_passed() | ||||||
|                 return self.user_invalid() |                 return self.user_invalid() | ||||||
|             factor_uuid, factor_class = self.pending_factors[0] |             factor_uuid, factor_class = self.pending_factors[0] | ||||||
|         else: |         else: | ||||||
|  | |||||||
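Review bot: The new branch at L17-L19 only tests that SESSION_IS_SSO_LOGIN is present, and nothing in this hunk removes it, so once the OAuth callback sets it the short-circuit to `_user_passed()` will fire on every later pass through this path in the same session where no factors are pending, including a later non-SSO login if the session is not flushed in between. Unless `_user_passed` (outside the hunk) clears it, consume the flag here: `if request.session.pop(AuthenticationView.SESSION_IS_SSO_LOGIN, False):` — `pop` also checks the stored value rather than mere presence. If SSOLoginPolicy is meant to keep seeing the flag after login, clear it at the end of the flow or at logout instead and add a comment stating where its lifetime ends. The enclosing method begins before this hunk.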
| @ -5,7 +5,7 @@ from django.utils.translation import gettext as _ | |||||||
|  |  | ||||||
| from passbook.core.models import (DebugPolicy, FieldMatcherPolicy, | from passbook.core.models import (DebugPolicy, FieldMatcherPolicy, | ||||||
|                                   GroupMembershipPolicy, PasswordPolicy, |                                   GroupMembershipPolicy, PasswordPolicy, | ||||||
|                                   WebhookPolicy) |                                   SSOLoginPolicy, WebhookPolicy) | ||||||
|  |  | ||||||
| GENERAL_FIELDS = ['name', 'action', 'negate', 'order', 'timeout'] | GENERAL_FIELDS = ['name', 'action', 'negate', 'order', 'timeout'] | ||||||
|  |  | ||||||
| @ -66,6 +66,18 @@ class GroupMembershipPolicyForm(forms.ModelForm): | |||||||
|             'order': forms.NumberInput(), |             'order': forms.NumberInput(), | ||||||
|         } |         } | ||||||
|  |  | ||||||
|  | class SSOLoginPolicyForm(forms.ModelForm): | ||||||
|  |     """Edit SSOLoginPolicy instances""" | ||||||
|  |  | ||||||
|  |     class Meta: | ||||||
|  |  | ||||||
|  |         model = SSOLoginPolicy | ||||||
|  |         fields = GENERAL_FIELDS | ||||||
|  |         widgets = { | ||||||
|  |             'name': forms.TextInput(), | ||||||
|  |             'order': forms.NumberInput(), | ||||||
|  |         } | ||||||
|  |  | ||||||
| class PasswordPolicyForm(forms.ModelForm): | class PasswordPolicyForm(forms.ModelForm): | ||||||
|     """PasswordPolicy Form""" |     """PasswordPolicy Form""" | ||||||
|  |  | ||||||
|  | |||||||
							
								
								
									
										25
									
								
								passbook/core/migrations/0024_ssologinpolicy.py
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										25
									
								
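--- /dev/null
+++ b/passbook/core/migrations/0024_ssologinpolicy.py
@@ -0,0 +1,25 @@
+# Generated by Django 2.2 on 2019-04-29 21:14
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('passbook_core', '0023_remove_user_applications'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='SSOLoginPolicy',
+            fields=[
+                ('policy_ptr', models.OneToOneField(auto_created=True, on_delete=django.db.models.deletion.CASCADE, parent_link=True, primary_key=True, serialize=False, to='passbook_core.Policy')),
+            ],
+            options={
+                'verbose_name': 'SSO Login Policy',
+                'verbose_name_plural': 'SSO Login Policies',
+            },
+            bases=('passbook_core.policy',),
+        ),
+    ]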
| @ -165,9 +165,10 @@ class Source(PolicyModel): | |||||||
|  |  | ||||||
|     name = models.TextField() |     name = models.TextField() | ||||||
|     slug = models.SlugField() |     slug = models.SlugField() | ||||||
|     form = '' # ModelForm-based class ued to create/edit instance |  | ||||||
|     enabled = models.BooleanField(default=True) |     enabled = models.BooleanField(default=True) | ||||||
|  |  | ||||||
|  |     form = '' # ModelForm-based class ued to create/edit instance | ||||||
|  |  | ||||||
|     objects = InheritanceManager() |     objects = InheritanceManager() | ||||||
|  |  | ||||||
|     @property |     @property | ||||||
| @ -409,6 +410,21 @@ class GroupMembershipPolicy(Policy): | |||||||
|         verbose_name = _('Group Membership Policy') |         verbose_name = _('Group Membership Policy') | ||||||
|         verbose_name_plural = _('Group Membership Policies') |         verbose_name_plural = _('Group Membership Policies') | ||||||
|  |  | ||||||
|  | class SSOLoginPolicy(Policy): | ||||||
|  |     """Policy that applies to users that have authenticated themselves through SSO""" | ||||||
|  |  | ||||||
|  |     form = 'passbook.core.forms.policies.SSOLoginPolicyForm' | ||||||
|  |  | ||||||
|  |     def passes(self, user): | ||||||
|  |         """Check if user instance passes this policy""" | ||||||
|  |         from passbook.core.auth.view import AuthenticationView | ||||||
|  |         return user.session.get(AuthenticationView.SESSION_IS_SSO_LOGIN, False), "" | ||||||
|  |  | ||||||
|  |     class Meta: | ||||||
|  |  | ||||||
|  |         verbose_name = _('SSO Login Policy') | ||||||
|  |         verbose_name_plural = _('SSO Login Policies') | ||||||
|  |  | ||||||
| class Invitation(UUIDModel): | class Invitation(UUIDModel): | ||||||
|     """Single-use invitation link""" |     """Single-use invitation link""" | ||||||
|  |  | ||||||
|  | |||||||
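Review bot: `SSOLoginPolicy.passes` (L132-L135) reads `user.session`, but a Django user model instance has no `session` attribute; this only works if the policy engine attaches the request session to the user object before evaluating policies, which nothing in this commit shows, and otherwise every evaluation raises AttributeError instead of returning a deny. Make the dependency explicit and fail closed: `session = getattr(user, 'session', None)` followed by `return bool(session and session.get(AuthenticationView.SESSION_IS_SSO_LOGIN, False)), ""`, and say in the docstring that the caller must provide the session on the user. The function-scope import of AuthenticationView is presumably there to avoid a circular import with passbook.core.auth.view; a one-line comment saying so would save the next reader the guess.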
| @ -12,6 +12,7 @@ from django.urls import reverse | |||||||
| from django.utils.translation import ugettext as _ | from django.utils.translation import ugettext as _ | ||||||
| from django.views.generic import RedirectView, View | from django.views.generic import RedirectView, View | ||||||
|  |  | ||||||
|  | from passbook.core.auth.view import AuthenticationView, _redirect_with_qs | ||||||
| from passbook.lib.utils.reflection import app | from passbook.lib.utils.reflection import app | ||||||
| from passbook.oauth_client.clients import get_client | from passbook.oauth_client.clients import get_client | ||||||
| from passbook.oauth_client.models import OAuthSource, UserOAuthSourceConnection | from passbook.oauth_client.models import OAuthSource, UserOAuthSourceConnection | ||||||
| @ -128,11 +129,6 @@ class OAuthCallback(OAuthClientMixin, View): | |||||||
|         "Return url to redirect on login failure." |         "Return url to redirect on login failure." | ||||||
|         return settings.LOGIN_URL |         return settings.LOGIN_URL | ||||||
|  |  | ||||||
|     # pylint: disable=unused-argument |  | ||||||
|     def get_login_redirect(self, source, user, access, new=False): |  | ||||||
|         "Return url to redirect authenticated users." |  | ||||||
|         return 'passbook_core:overview' |  | ||||||
|  |  | ||||||
|     def get_or_create_user(self, source, access, info): |     def get_or_create_user(self, source, access, info): | ||||||
|         "Create a shell auth.User." |         "Create a shell auth.User." | ||||||
|         raise NotImplementedError() |         raise NotImplementedError() | ||||||
| @ -149,14 +145,22 @@ class OAuthCallback(OAuthClientMixin, View): | |||||||
|         except KeyError: |         except KeyError: | ||||||
|             return None |             return None | ||||||
|  |  | ||||||
|  |     def handle_login(self, user, source, access): | ||||||
|  |         """Prepare AuthenticationView, redirect users to remaining Factors""" | ||||||
|  |         user = authenticate(source=access.source, | ||||||
|  |                             identifier=access.identifier, request=self.request) | ||||||
|  |         self.request.session[AuthenticationView.SESSION_PENDING_USER] = user.pk | ||||||
|  |         self.request.session[AuthenticationView.SESSION_USER_BACKEND] = user.backend | ||||||
|  |         self.request.session[AuthenticationView.SESSION_IS_SSO_LOGIN] = True | ||||||
|  |         return _redirect_with_qs('passbook_core:auth-process', self.request.GET) | ||||||
|  |  | ||||||
|     # pylint: disable=unused-argument |     # pylint: disable=unused-argument | ||||||
|     def handle_existing_user(self, source, user, access, info): |     def handle_existing_user(self, source, user, access, info): | ||||||
|         "Login user and redirect." |         "Login user and redirect." | ||||||
|         login(self.request, user) |  | ||||||
|         messages.success(self.request, _("Successfully authenticated with %(source)s!" % { |         messages.success(self.request, _("Successfully authenticated with %(source)s!" % { | ||||||
|             'source': self.source.name |             'source': self.source.name | ||||||
|         })) |         })) | ||||||
|         return redirect(self.get_login_redirect(source, user, access)) |         return self.handle_login(user, source, access) | ||||||
|  |  | ||||||
|     def handle_login_failure(self, source, reason): |     def handle_login_failure(self, source, reason): | ||||||
|         "Message user and redirect on error." |         "Message user and redirect on error." | ||||||
| @ -176,12 +180,9 @@ class OAuthCallback(OAuthClientMixin, View): | |||||||
|         access.user = user |         access.user = user | ||||||
|         access.save() |         access.save() | ||||||
|         UserOAuthSourceConnection.objects.filter(pk=access.pk).update(user=user) |         UserOAuthSourceConnection.objects.filter(pk=access.pk).update(user=user) | ||||||
|         if not was_authenticated: |  | ||||||
|             user = authenticate(source=access.source, |  | ||||||
|                                 identifier=access.identifier, request=self.request) |  | ||||||
|             login(self.request, user) |  | ||||||
|         if app('passbook_audit'): |         if app('passbook_audit'): | ||||||
|             pass |             pass | ||||||
|  |             # TODO: Create audit entry | ||||||
|             # from passbook.audit.models import something |             # from passbook.audit.models import something | ||||||
|             # something.event(user=user,) |             # something.event(user=user,) | ||||||
|             # Event.create( |             # Event.create( | ||||||
| @ -197,10 +198,13 @@ class OAuthCallback(OAuthClientMixin, View): | |||||||
|             return redirect(reverse('passbook_oauth_client:oauth-client-user', kwargs={ |             return redirect(reverse('passbook_oauth_client:oauth-client-user', kwargs={ | ||||||
|                 'source_slug': self.source.slug |                 'source_slug': self.source.slug | ||||||
|             })) |             })) | ||||||
|  |         # User was not authenticated, new user has been created | ||||||
|  |         user = authenticate(source=access.source, | ||||||
|  |                             identifier=access.identifier, request=self.request) | ||||||
|         messages.success(self.request, _("Successfully authenticated with %(source)s!" % { |         messages.success(self.request, _("Successfully authenticated with %(source)s!" % { | ||||||
|             'source': self.source.name |             'source': self.source.name | ||||||
|         })) |         })) | ||||||
|         return redirect(self.get_login_redirect(source, user, access, True)) |         return self.handle_login(user, source, access) | ||||||
|  |  | ||||||
|  |  | ||||||
| class DisconnectView(LoginRequiredMixin, View): | class DisconnectView(LoginRequiredMixin, View): | ||||||
|  | |||||||
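Review bot: `handle_login` (L170-L177) dereferences `user.pk` right after `authenticate()`, which returns None when no backend accepts the source/identifier pair, so a rejected SSO user ends in an AttributeError instead of the failure path; add `if user is None: return self.handle_login_failure(source, _("Authentication backend rejected the SSO user"))` before the session writes. The `user` argument is also overwritten unconditionally, and the new-user path already authenticated at L209-L210, so one of the two `authenticate` calls is redundant. Separately, `_redirect_with_qs('passbook_core:auth-process', self.request.GET)` appears to copy the entire callback query string onto the next URL, which for an OAuth callback carries the provider's `code` and `state`; the authorization code would then appear in the auth-process request URL, Referer headers and access logs, so forward only the parameters the factor flow needs (e.g. `next`) rather than the whole GET dict.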
	 Jens Langhammer
					Jens Langhammer