From 56d872af15074ca14158dad82223388c6ad7a21d Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@haufe-lexware.com>
Date: Fri, 8 Mar 2019 12:47:50 +0100
Subject: [PATCH 01/28] add PropertyMapping Model, add Subclass for SAML, test
 with AWS

---
 .../admin/templates/administration/base.html  | 70 ++++++++-------
 .../administration/property_mapping/list.html | 52 +++++++++++
 passbook/admin/urls.py                        | 13 ++-
 passbook/admin/views/property_mapping.py      | 90 +++++++++++++++++++
 passbook/core/auth/factors/password.py        |  2 +-
 .../core/migrations/0017_propertymapping.py   | 26 ++++++
 .../0018_provider_property_mappings.py        | 18 ++++
 passbook/core/models.py                       | 20 ++++-
 passbook/core/templates/generic/delete.html   |  4 +-
 passbook/saml_idp/base.py                     | 19 ++--
 passbook/saml_idp/forms.py                    | 19 +++-
 .../migrations/0002_samlpropertymapping.py    | 30 +++++++
 passbook/saml_idp/models.py                   | 20 ++++-
 passbook/saml_idp/processors/aws.py           | 10 +--
 .../saml_idp/templates/saml/idp/login.html    | 52 ++++-------
 .../templates/saml/xml/attributes.xml         |  9 +-
 16 files changed, 368 insertions(+), 86 deletions(-)
 create mode 100644 passbook/admin/templates/administration/property_mapping/list.html
 create mode 100644 passbook/admin/views/property_mapping.py
 create mode 100644 passbook/core/migrations/0017_propertymapping.py
 create mode 100644 passbook/core/migrations/0018_provider_property_mappings.py
 create mode 100644 passbook/saml_idp/migrations/0002_samlpropertymapping.py

diff --git a/passbook/admin/templates/administration/base.html b/passbook/admin/templates/administration/base.html
index fadc37d70b..208108c0d1 100644
--- a/passbook/admin/templates/administration/base.html
+++ b/passbook/admin/templates/administration/base.html
@@ -5,35 +5,45 @@
 
 {% block nav_secondary %}
 <ul class="nav navbar-nav navbar-persistent">
-  <li class="{% is_active 'passbook_admin:overview' %}">
-    <a href="{% url 'passbook_admin:overview' %}">{% trans 'Overview' %}</a>
-  </li>
-  <li class="{% is_active 'passbook_admin:applications' 'passbook_admin:application-create' 'passbook_admin:application-update' 'passbook_admin:application-delete' %}">
-    <a href="{% url 'passbook_admin:applications' %}">{% trans 'Applications' %}</a>
-  </li>
-  <li class="{% is_active 'passbook_admin:sources' 'passbook_admin:source-create' 'passbook_admin:source-update' 'passbook_admin:source-delete' %}">
-    <a href="{% url 'passbook_admin:sources' %}">{% trans 'Sources' %}</a>
-  </li>
-  <li class="{% is_active 'passbook_admin:providers' 'passbook_admin:provider-create' 'passbook_admin:provider-update' 'passbook_admin:provider-delete' %}">
-    <a href="{% url 'passbook_admin:providers' %}">{% trans 'Providers' %}</a>
-  </li>
-  <li class="{% is_active 'passbook_admin:factors' 'passbook_admin:factor-create' 'passbook_admin:factor-update' 'passbook_admin:factor-delete' %}">
-    <a href="{% url 'passbook_admin:factors' %}">{% trans 'Factors' %}</a>
-  </li>
-  <li class="{% is_active 'passbook_admin:policies' 'passbook_admin:policy-create' 'passbook_admin:policy-update' 'passbook_admin:policy-delete' 'passbook_admin:policy-test' %}">
-    <a href="{% url 'passbook_admin:policies' %}">{% trans 'Policies' %}</a>
-  </li>
-  <li class="{% is_active 'passbook_admin:invitations' 'passbook_admin:invitation-create' 'passbook_admin:invitation-update' 'passbook_admin:invitation-delete' 'passbook_admin:invitation-test' %}">
-    <a href="{% url 'passbook_admin:invitations' %}">{% trans 'Invitations' %}</a>
-  </li>
-  <li class="{% is_active 'passbook_admin:users' 'passbook_admin:user-update' 'passbook_admin:user-delete' %}">
-    <a href="{% url 'passbook_admin:users' %}">{% trans 'Users' %}</a>
-  </li>
-  <li class="{% is_active 'passbook_admin:audit-log' %}">
-    <a href="{% url 'passbook_admin:audit-log' %}">{% trans 'Audit Log' %}</a>
-  </li>
-  <li class="{% is_active_app 'admin' %}">
-    <a href="{% url 'admin:index' %}">{% trans 'Django' %}</a>
-  </li>
+    <li class="{% is_active 'passbook_admin:overview' %}">
+        <a href="{% url 'passbook_admin:overview' %}">{% trans 'Overview' %}</a>
+    </li>
+    <li
+        class="{% is_active 'passbook_admin:applications' 'passbook_admin:application-create' 'passbook_admin:application-update' 'passbook_admin:application-delete' %}">
+        <a href="{% url 'passbook_admin:applications' %}">{% trans 'Applications' %}</a>
+    </li>
+    <li
+        class="{% is_active 'passbook_admin:sources' 'passbook_admin:source-create' 'passbook_admin:source-update' 'passbook_admin:source-delete' %}">
+        <a href="{% url 'passbook_admin:sources' %}">{% trans 'Sources' %}</a>
+    </li>
+    <li
+        class="{% is_active 'passbook_admin:providers' 'passbook_admin:provider-create' 'passbook_admin:provider-update' 'passbook_admin:provider-delete' %}">
+        <a href="{% url 'passbook_admin:providers' %}">{% trans 'Providers' %}</a>
+    </li>
+    <li
+        class="{% is_active 'passbook_admin:property-mappings' 'passbook_admin:property-mapping-create' 'passbook_admin:property-mapping-update' 'passbook_admin:property-mapping-delete' %}">
+        <a href="{% url 'passbook_admin:property-mappings' %}">{% trans 'Property Mappings' %}</a>
+    </li>
+    <li
+        class="{% is_active 'passbook_admin:factors' 'passbook_admin:factor-create' 'passbook_admin:factor-update' 'passbook_admin:factor-delete' %}">
+        <a href="{% url 'passbook_admin:factors' %}">{% trans 'Factors' %}</a>
+    </li>
+    <li
+        class="{% is_active 'passbook_admin:policies' 'passbook_admin:policy-create' 'passbook_admin:policy-update' 'passbook_admin:policy-delete' 'passbook_admin:policy-test' %}">
+        <a href="{% url 'passbook_admin:policies' %}">{% trans 'Policies' %}</a>
+    </li>
+    <li
+        class="{% is_active 'passbook_admin:invitations' 'passbook_admin:invitation-create' 'passbook_admin:invitation-update' 'passbook_admin:invitation-delete' 'passbook_admin:invitation-test' %}">
+        <a href="{% url 'passbook_admin:invitations' %}">{% trans 'Invitations' %}</a>
+    </li>
+    <li class="{% is_active 'passbook_admin:users' 'passbook_admin:user-update' 'passbook_admin:user-delete' %}">
+        <a href="{% url 'passbook_admin:users' %}">{% trans 'Users' %}</a>
+    </li>
+    <li class="{% is_active 'passbook_admin:audit-log' %}">
+        <a href="{% url 'passbook_admin:audit-log' %}">{% trans 'Audit Log' %}</a>
+    </li>
+    <li class="{% is_active_app 'admin' %}">
+        <a href="{% url 'admin:index' %}">{% trans 'Django' %}</a>
+    </li>
 </ul>
 {% endblock %}
diff --git a/passbook/admin/templates/administration/property_mapping/list.html b/passbook/admin/templates/administration/property_mapping/list.html
new file mode 100644
index 0000000000..7bf8c2da23
--- /dev/null
+++ b/passbook/admin/templates/administration/property_mapping/list.html
@@ -0,0 +1,52 @@
+{% extends "administration/base.html" %}
+
+{% load i18n %}
+{% load utils %}
+
+{% block title %}
+{% title %}
+{% endblock %}
+
+{% block content %}
+<div class="container">
+    <h1><span class="fa fa-table"></span> {% trans "Property Mappings" %}</h1>
+    <span>{% trans "Property Mappings allow you expose provider-specific attributes." %}</span>
+    <hr>
+    <div class="dropdown">
+        <button class="btn btn-primary dropdown-toggle" type="button" id="createDropdown" data-toggle="dropdown">
+            {% trans 'Create...' %}
+            <span class="caret"></span>
+        </button>
+        <ul class="dropdown-menu" role="menu" aria-labelledby="createDropdown">
+            {% for type, name in types.items %}
+            <li role="presentation"><a role="menuitem" tabindex="-1"
+                    href="{% url 'passbook_admin:property-mapping-create' %}?type={{ type }}&back={{ request.get_full_path }}">{{ name }}</a></li>
+            {% endfor %}
+        </ul>
+    </div>
+    <hr>
+    <table class="table table-striped table-bordered">
+        <thead>
+            <tr>
+                <th>{% trans 'Name' %}</th>
+                <th>{% trans 'Type' %}</th>
+                <th></th>
+            </tr>
+        </thead>
+        <tbody>
+            {% for property_mapping in object_list %}
+            <tr>
+                <td>{{ property_mapping.name }} ({{ property_mapping.slug }})</td>
+                <td>{{ property_mapping|verbose_name }}</td>
+                <td>
+                    <a class="btn btn-default btn-sm"
+                        href="{% url 'passbook_admin:property-mapping-update' pk=property_mapping.pk %}?back={{ request.get_full_path }}">{% trans 'Edit' %}</a>
+                    <a class="btn btn-default btn-sm"
+                        href="{% url 'passbook_admin:property-mapping-delete' pk=property_mapping.pk %}?back={{ request.get_full_path }}">{% trans 'Delete' %}</a>
+                </td>
+            </tr>
+            {% endfor %}
+        </tbody>
+    </table>
+</div>
+{% endblock %}
diff --git a/passbook/admin/urls.py b/passbook/admin/urls.py
index e2d3a62360..fa4c9ec0a7 100644
--- a/passbook/admin/urls.py
+++ b/passbook/admin/urls.py
@@ -2,8 +2,8 @@
 from django.urls import include, path
 
 from passbook.admin.views import (applications, audit, factors, groups,
-                                  invitations, overview, policy, providers,
-                                  sources, users)
+                                  invitations, overview, policy,
+                                  property_mapping, providers, sources, users)
 
 urlpatterns = [
     path('', overview.AdministrationOverviewView.as_view(), name='overview'),
@@ -43,6 +43,15 @@ urlpatterns = [
          factors.FactorUpdateView.as_view(), name='factor-update'),
     path('factors/<uuid:pk>/delete/',
          factors.FactorDeleteView.as_view(), name='factor-delete'),
+    # Factors
+    path('property-mappings/', property_mapping.PropertyMappingListView.as_view(),
+         name='property-mappings'),
+    path('property-mappings/create/',
+         property_mapping.PropertyMappingCreateView.as_view(), name='property-mapping-create'),
+    path('property-mappings/<uuid:pk>/update/',
+         property_mapping.PropertyMappingUpdateView.as_view(), name='property-mapping-update'),
+    path('property-mappings/<uuid:pk>/delete/',
+         property_mapping.PropertyMappingDeleteView.as_view(), name='property-mapping-delete'),
     # Invitations
     path('invitations/', invitations.InvitationListView.as_view(), name='invitations'),
     path('invitations/create/',
diff --git a/passbook/admin/views/property_mapping.py b/passbook/admin/views/property_mapping.py
new file mode 100644
index 0000000000..c4cf7fad33
--- /dev/null
+++ b/passbook/admin/views/property_mapping.py
@@ -0,0 +1,90 @@
+"""passbook PropertyMapping administration"""
+from django.contrib import messages
+from django.contrib.messages.views import SuccessMessageMixin
+from django.http import Http404
+from django.urls import reverse_lazy
+from django.utils.translation import ugettext as _
+from django.views.generic import CreateView, DeleteView, ListView, UpdateView
+
+from passbook.admin.mixins import AdminRequiredMixin
+from passbook.core.models import PropertyMapping
+from passbook.lib.utils.reflection import path_to_class
+
+
+def all_subclasses(cls):
+    """Recursively return all subclassess of cls"""
+    return set(cls.__subclasses__()).union(
+        [s for c in cls.__subclasses__() for s in all_subclasses(c)])
+
+
+class PropertyMappingListView(AdminRequiredMixin, ListView):
+    """Show list of all property_mappings"""
+
+    model = PropertyMapping
+    template_name = 'administration/property_mapping/list.html'
+    ordering = 'name'
+
+    def get_context_data(self, **kwargs):
+        kwargs['types'] = {
+            x.__name__: x._meta.verbose_name for x in all_subclasses(PropertyMapping)}
+        return super().get_context_data(**kwargs)
+
+    def get_queryset(self):
+        return super().get_queryset().select_subclasses()
+
+
+class PropertyMappingCreateView(SuccessMessageMixin, AdminRequiredMixin, CreateView):
+    """Create new PropertyMapping"""
+
+    template_name = 'generic/create.html'
+    success_url = reverse_lazy('passbook_admin:property-mappings')
+    success_message = _('Successfully created Property Mapping')
+
+    def get_context_data(self, **kwargs):
+        kwargs = super().get_context_data(**kwargs)
+        property_mapping_type = self.request.GET.get('type')
+        model = next(x for x in all_subclasses(PropertyMapping)
+                     if x.__name__ == property_mapping_type)
+        kwargs['type'] = model._meta.verbose_name
+        return kwargs
+
+    def get_form_class(self):
+        property_mapping_type = self.request.GET.get('type')
+        model = next(x for x in all_subclasses(PropertyMapping)
+                     if x.__name__ == property_mapping_type)
+        if not model:
+            raise Http404
+        return path_to_class(model.form)
+
+
+class PropertyMappingUpdateView(SuccessMessageMixin, AdminRequiredMixin, UpdateView):
+    """Update property_mapping"""
+
+    model = PropertyMapping
+    template_name = 'generic/update.html'
+    success_url = reverse_lazy('passbook_admin:property-mappings')
+    success_message = _('Successfully updated Property Mapping')
+
+    def get_form_class(self):
+        form_class_path = self.get_object().form
+        form_class = path_to_class(form_class_path)
+        return form_class
+
+    def get_object(self, queryset=None):
+        return PropertyMapping.objects.filter(pk=self.kwargs.get('pk')).select_subclasses().first()
+
+
+class PropertyMappingDeleteView(SuccessMessageMixin, AdminRequiredMixin, DeleteView):
+    """Delete property_mapping"""
+
+    model = PropertyMapping
+    template_name = 'generic/delete.html'
+    success_url = reverse_lazy('passbook_admin:property-mappings')
+    success_message = _('Successfully deleted Property Mapping')
+
+    def get_object(self, queryset=None):
+        return PropertyMapping.objects.filter(pk=self.kwargs.get('pk')).select_subclasses().first()
+
+    def delete(self, request, *args, **kwargs):
+        messages.success(self.request, self.success_message)
+        return super().delete(request, *args, **kwargs)
diff --git a/passbook/core/auth/factors/password.py b/passbook/core/auth/factors/password.py
index 1367595170..d8956d3777 100644
--- a/passbook/core/auth/factors/password.py
+++ b/passbook/core/auth/factors/password.py
@@ -37,7 +37,7 @@ class PasswordFactor(FormView, AuthenticationFactor):
             send_email.delay(self.pending_user.email, _('Forgotten password'),
                              'email/account_password_reset.html', {
                                  'url': self.request.build_absolute_uri(
-                                     reverse('passbook_core:passbook_core:auth-password-reset',
+                                     reverse('passbook_core:auth-password-reset',
                                              kwargs={
                                                  'nonce': nonce.uuid
                                              })
diff --git a/passbook/core/migrations/0017_propertymapping.py b/passbook/core/migrations/0017_propertymapping.py
new file mode 100644
index 0000000000..c53c910c10
--- /dev/null
+++ b/passbook/core/migrations/0017_propertymapping.py
@@ -0,0 +1,26 @@
+# Generated by Django 2.1.7 on 2019-03-08 10:40
+
+import uuid
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('passbook_core', '0016_auto_20190227_1355'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='PropertyMapping',
+            fields=[
+                ('uuid', models.UUIDField(default=uuid.uuid4, editable=False, primary_key=True, serialize=False)),
+                ('name', models.TextField()),
+            ],
+            options={
+                'verbose_name': 'Property Mapping',
+                'verbose_name_plural': 'Property Mappings',
+            },
+        ),
+    ]
diff --git a/passbook/core/migrations/0018_provider_property_mappings.py b/passbook/core/migrations/0018_provider_property_mappings.py
new file mode 100644
index 0000000000..a845d1c81f
--- /dev/null
+++ b/passbook/core/migrations/0018_provider_property_mappings.py
@@ -0,0 +1,18 @@
+# Generated by Django 2.1.7 on 2019-03-08 10:50
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('passbook_core', '0017_propertymapping'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='provider',
+            name='property_mappings',
+            field=models.ManyToManyField(blank=True, default=None, to='passbook_core.PropertyMapping'),
+        ),
+    ]
diff --git a/passbook/core/models.py b/passbook/core/models.py
index 2f6d526d8d..7772a6d0f7 100644
--- a/passbook/core/models.py
+++ b/passbook/core/models.py
@@ -60,6 +60,8 @@ class User(AbstractUser):
 class Provider(models.Model):
     """Application-independent Provider instance. For example SAML2 Remote, OAuth2 Application"""
 
+    property_mappings = models.ManyToManyField('PropertyMapping', default=None, blank=True)
+
     objects = InheritanceManager()
 
     # This class defines no field for easier inheritance
@@ -412,7 +414,7 @@ class Invitation(UUIDModel):
         verbose_name_plural = _('Invitations')
 
 class Nonce(UUIDModel):
-    """One-time link for password resets/signup-confirmations"""
+    """One-time link for password resets/sign-up-confirmations"""
 
     expires = models.DateTimeField(default=default_nonce_duration)
     user = models.ForeignKey('User', on_delete=models.CASCADE)
@@ -424,3 +426,19 @@ class Nonce(UUIDModel):
 
         verbose_name = _('Nonce')
         verbose_name_plural = _('Nonces')
+
+class PropertyMapping(UUIDModel):
+    """User-defined key -> x mapping which can be used by providers to expose extra data."""
+
+    name = models.TextField()
+
+    form = ''
+    objects = InheritanceManager()
+
+    def __str__(self):
+        return "Property Mapping %s" % self.name
+
+    class Meta:
+
+        verbose_name = _('Property Mapping')
+        verbose_name_plural = _('Property Mappings')
diff --git a/passbook/core/templates/generic/delete.html b/passbook/core/templates/generic/delete.html
index 19e570e322..33a51dd0f3 100644
--- a/passbook/core/templates/generic/delete.html
+++ b/passbook/core/templates/generic/delete.html
@@ -6,13 +6,13 @@
 {% block content %}
 <div class="container">
     {% block above_form %}
-    <h1>{% blocktrans with object_type=object|fieldtype|title %}Delete {{ object_type }}{% endblocktrans %}</h1>
+    <h1>{% blocktrans with object_type=object|verbose_name %}Delete {{ object_type }}{% endblocktrans %}</h1>
     {% endblock %}
     <div class="">
         <form method="post" class="form-horizontal">
             {% csrf_token %}
             <p>
-                {% blocktrans with object_type=object|fieldtype|title name=object %}
+                {% blocktrans with object_type=object|verbose_name name=object %}
                 Are you sure you want to delete {{ object_type }} "{{ object }}"?
                 {% endblocktrans %}
             </p>
diff --git a/passbook/saml_idp/base.py b/passbook/saml_idp/base.py
index dcf03580f8..eb9a921b1a 100644
--- a/passbook/saml_idp/base.py
+++ b/passbook/saml_idp/base.py
@@ -6,7 +6,6 @@ from logging import getLogger
 
 from bs4 import BeautifulSoup
 
-from passbook.lib.config import CONFIG
 from passbook.saml_idp import exceptions, utils, xml_render
 
 MINUTES = 60
@@ -52,9 +51,7 @@ class Processor:
     _session_index = None
     _subject = None
     _subject_format = 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
-    _system_params = {
-        'ISSUER': CONFIG.y('saml_idp.issuer'),
-    }
+    _system_params = {}
 
     @property
     def dotted_path(self):
@@ -67,7 +64,7 @@ class Processor:
         self.name = remote.name
         self._remote = remote
         self._logger = getLogger(__name__)
-
+        self._system_params['ISSUER'] = self._remote.issuer
         self._logger.info('processor configured')
 
     def _build_assertion(self):
@@ -170,6 +167,16 @@ class Processor:
                 'Value': self._django_request.user.username,
             },
         ]
+        from passbook.saml_idp.models import SAMLPropertyMapping
+        for mapping in self._remote.property_mappings.all().select_subclasses():
+            if isinstance(mapping, SAMLPropertyMapping):
+                mapping_payload = {
+                    'Name': mapping.saml_name,
+                    'ValueArray': mapping.values
+                }
+                if mapping.friendly_name:
+                    mapping_payload['FriendlyName'] = mapping.friendly_name
+                self._assertion_params['ATTRIBUTES'].append(mapping_payload)
         self._assertion_xml = xml_render.get_assertion_xml(
             'saml/xml/assertions/generic.xml', self._assertion_params, signed=True)
 
@@ -227,7 +234,7 @@ class Processor:
         self._subject = sp_config
         self._subject_format = 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
         self._system_params = {
-            'ISSUER': CONFIG.y('saml_idp.issuer'),
+            'ISSUER': self._remote.issuer
         }
 
     def _validate_request(self):
diff --git a/passbook/saml_idp/forms.py b/passbook/saml_idp/forms.py
index 99341ee5b5..00f34bb985 100644
--- a/passbook/saml_idp/forms.py
+++ b/passbook/saml_idp/forms.py
@@ -2,7 +2,8 @@
 
 from django import forms
 
-from passbook.saml_idp.models import SAMLProvider, get_provider_choices
+from passbook.saml_idp.models import (SAMLPropertyMapping, SAMLProvider,
+                                      get_provider_choices)
 from passbook.saml_idp.utils import CertificateBuilder
 
 
@@ -21,7 +22,7 @@ class SAMLProviderForm(forms.ModelForm):
     class Meta:
 
         model = SAMLProvider
-        fields = ['name', 'acs_url', 'processor_path', 'issuer',
+        fields = ['name', 'property_mappings', 'acs_url', 'processor_path', 'issuer',
                   'assertion_valid_for', 'signing', 'signing_cert', 'signing_key', ]
         labels = {
             'acs_url': 'ACS URL',
@@ -31,3 +32,17 @@ class SAMLProviderForm(forms.ModelForm):
             'name': forms.TextInput(),
             'issuer': forms.TextInput(),
         }
+
+
+class SAMLPropertyMappingForm(forms.ModelForm):
+    """SAML Property Mapping form"""
+
+    class Meta:
+
+        model = SAMLPropertyMapping
+        fields = ['name', 'saml_name', 'friendly_name', 'values']
+        widgets = {
+            'name': forms.TextInput(),
+            'saml_name': forms.TextInput(),
+            'friendly_name': forms.TextInput(),
+        }
diff --git a/passbook/saml_idp/migrations/0002_samlpropertymapping.py b/passbook/saml_idp/migrations/0002_samlpropertymapping.py
new file mode 100644
index 0000000000..7fe8de7205
--- /dev/null
+++ b/passbook/saml_idp/migrations/0002_samlpropertymapping.py
@@ -0,0 +1,30 @@
+# Generated by Django 2.1.7 on 2019-03-08 10:40
+
+import django.contrib.postgres.fields
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('passbook_core', '0017_propertymapping'),
+        ('passbook_saml_idp', '0001_initial'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='SAMLPropertyMapping',
+            fields=[
+                ('propertymapping_ptr', models.OneToOneField(auto_created=True, on_delete=django.db.models.deletion.CASCADE, parent_link=True, primary_key=True, serialize=False, to='passbook_core.PropertyMapping')),
+                ('saml_name', models.TextField()),
+                ('friendly_name', models.TextField(blank=True, default=None, null=True)),
+                ('values', django.contrib.postgres.fields.ArrayField(base_field=models.TextField(), size=None)),
+            ],
+            options={
+                'verbose_name': 'SAML Property Mapping',
+                'verbose_name_plural': 'SAML Property Mappings',
+            },
+            bases=('passbook_core.propertymapping',),
+        ),
+    ]
diff --git a/passbook/saml_idp/models.py b/passbook/saml_idp/models.py
index 42589e5741..4d9d2f4008 100644
--- a/passbook/saml_idp/models.py
+++ b/passbook/saml_idp/models.py
@@ -1,10 +1,11 @@
 """passbook saml_idp Models"""
 
+from django.contrib.postgres.fields import ArrayField
 from django.db import models
 from django.shortcuts import reverse
 from django.utils.translation import gettext as _
 
-from passbook.core.models import Provider
+from passbook.core.models import PropertyMapping, Provider
 from passbook.lib.utils.reflection import class_to_path, path_to_class
 from passbook.saml_idp.base import Processor
 
@@ -53,6 +54,23 @@ class SAMLProvider(Provider):
         verbose_name_plural = _('SAML Providers')
 
 
+class SAMLPropertyMapping(PropertyMapping):
+    """SAML Property mapping, allowing Name/FriendlyName mapping to a list of strings"""
+
+    saml_name = models.TextField()
+    friendly_name = models.TextField(default=None, blank=True, null=True)
+    values = ArrayField(models.TextField())
+
+    form = 'passbook.saml_idp.forms.SAMLPropertyMappingForm'
+
+    def __str__(self):
+        return "SAML Property Mapping %s" % self.saml_name
+
+    class Meta:
+
+        verbose_name = _('SAML Property Mapping')
+        verbose_name_plural = _('SAML Property Mappings')
+
 def get_provider_choices():
     """Return tuple of class_path, class name of all providers."""
     return [(class_to_path(x), x.__name__) for x in Processor.__subclasses__()]
diff --git a/passbook/saml_idp/processors/aws.py b/passbook/saml_idp/processors/aws.py
index 2b3c05ecad..44953b1fba 100644
--- a/passbook/saml_idp/processors/aws.py
+++ b/passbook/saml_idp/processors/aws.py
@@ -11,16 +11,12 @@ class AWSProcessor(Processor):
 
     def _format_assertion(self):
         """Formats _assertion_params as _assertion_xml."""
-        self._assertion_params['ATTRIBUTES'] = [
+        super()._format_assertion()
+        self._assertion_params['ATTRIBUTES'].append(
             {
                 'Name': 'https://aws.amazon.com/SAML/Attributes/RoleSessionName',
                 'Value': self._django_request.user.username,
-            },
-            {
-                'Name': 'https://aws.amazon.com/SAML/Attributes/Role',
-                # 'Value': 'arn:aws:iam::471432361072:saml-provider/passbook_dev,
-                # arn:aws:iam::471432361072:role/saml_role'
             }
-        ]
+        )
         self._assertion_xml = xml_render.get_assertion_xml(
             'saml/xml/assertions/generic.xml', self._assertion_params, signed=True)
diff --git a/passbook/saml_idp/templates/saml/idp/login.html b/passbook/saml_idp/templates/saml/idp/login.html
index a357a7b390..d8b929931b 100644
--- a/passbook/saml_idp/templates/saml/idp/login.html
+++ b/passbook/saml_idp/templates/saml/idp/login.html
@@ -9,40 +9,26 @@
 
 {% block card %}
 <header class="login-pf-header">
-  <h1>{% trans 'Authorize Application' %}</h1>
+    <h1>{% trans 'Authorize Application' %}</h1>
 </header>
-<form method="POST" action="{{ acs_url }}">>
-  {% csrf_token %}
-  <input type="hidden" name="ACSUrl" value="{{ acs_url }}">
-  <input type="hidden" name="RelayState" value="{{ relay_state }}" />
-  <input type="hidden" name="SAMLResponse" value="{{ saml_response }}" />
-  <label class="title">
-    <clr-icon shape="passbook" class="is-info" size="48"></clr-icon>
-    {% config 'passbook.branding' %}
-  </label>
-  <label class="subtitle">
-    {% trans 'SSO - Authorize External Source' %}
-  </label>
-  <div class="login-group">
-    <p class="subtitle">
-      {% blocktrans with remote=remote.name %}
-        You're about to sign into {{ remote }}
-      {% endblocktrans %}
-    </p>
-    <p>
-      {% blocktrans with user=user %}
-        You are logged in as {{ user }}. Not you?
-      {% endblocktrans %}
-      <a href="{% url 'passbook_core:auth-logout' %}">{% trans 'Logout' %}</a>
-    </p>
-    <div class="row">
-      <div class="col-md-6">
-        <input class="btn btn-success btn-block" type="submit" value="{% trans "Continue" %}" />
-      </div>
-      <div class="col-md-6">
-        <a href="{% url 'passbook_core:overview' %}" class="btn btn-outline btn-block">{% trans "Cancel" %}</a>
-      </div>
+<form method="POST" action="{{ acs_url }}">
+    {% csrf_token %}
+    <input type="hidden" name="ACSUrl" value="{{ acs_url }}">
+    <input type="hidden" name="RelayState" value="{{ relay_state }}" />
+    <input type="hidden" name="SAMLResponse" value="{{ saml_response }}" />
+    <div class="login-group">
+        <h3>
+            {% blocktrans with remote=remote.name %}
+            You're about to sign into {{ remote }}
+            {% endblocktrans %}
+        </h3>
+        <p>
+            {% blocktrans with user=user %}
+            You are logged in as {{ user }}.
+            {% endblocktrans %}
+            <a href="{% url 'passbook_core:auth-logout' %}">{% trans 'Not you?' %}</a>
+        </p>
+        <input class="btn btn-primary btn-block btn-lg" type="submit" value="{% trans 'Continue' %}" />
     </div>
-  </div>
 </form>
 {% endblock %}
diff --git a/passbook/saml_idp/templates/saml/xml/attributes.xml b/passbook/saml_idp/templates/saml/xml/attributes.xml
index 054b96ca49..36fd4f89c4 100644
--- a/passbook/saml_idp/templates/saml/xml/attributes.xml
+++ b/passbook/saml_idp/templates/saml/xml/attributes.xml
@@ -1,7 +1,14 @@
 <saml:AttributeStatement>
     {% for attr in attributes %}
         <saml:Attribute {% if attr.FriendlyName %}FriendlyName="{{ attr.FriendlyName }}" {% endif %}Name="{{ attr.Name }}">
-           <saml:AttributeValue>{{ attr.Value }}</saml:AttributeValue>
+            {% if attr.Value %}
+            <saml:AttributeValue>{{ attr.Value }}</saml:AttributeValue>
+            {% endif %}
+            {% if attr.ValueArray %}
+                {% for value in attr.ValueArray %}
+                <saml:AttributeValue>{{ value }}</saml:AttributeValue>
+                {% endfor %}
+            {% endif %}
         </saml:Attribute>
     {% endfor %}
 </saml:AttributeStatement>

From 6dcdf7bccea6a466a75d87b0c49dd333ef376b2a Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@haufe-lexware.com>
Date: Fri, 8 Mar 2019 15:11:01 +0100
Subject: [PATCH 02/28] add custom DynamicArrayField to better handle arrays

---
 passbook/admin/templates/generic/form.html | 10 +++++
 passbook/core/forms/factors.py             |  4 ++
 passbook/core/static/css/passbook.css      | 23 +++++++++++
 passbook/core/static/js/passbook.js        | 30 +++++++++++++++
 passbook/core/templates/base/skeleton.html |  1 +
 passbook/lib/fields.py                     | 44 ++++++++++++++++++++++
 passbook/lib/templates/lib/arrayfield.html | 17 +++++++++
 passbook/lib/widgets.py                    | 36 ++++++++++++++++++
 passbook/saml_idp/forms.py                 |  4 ++
 9 files changed, 169 insertions(+)
 create mode 100644 passbook/core/static/css/passbook.css
 create mode 100644 passbook/lib/templates/lib/arrayfield.html
 create mode 100644 passbook/lib/widgets.py

diff --git a/passbook/admin/templates/generic/form.html b/passbook/admin/templates/generic/form.html
index 40a2b7568e..4de06b3386 100644
--- a/passbook/admin/templates/generic/form.html
+++ b/passbook/admin/templates/generic/form.html
@@ -3,6 +3,11 @@
 {% load i18n %}
 {% load utils %}
 
+{% block head %}
+{{ block.super }}
+{{ form.media.css }}
+{% endblock %}
+
 {% block content %}
 <div class="container">
   {% block above_form %}
@@ -16,3 +21,8 @@
   </div>
 </div>
 {% endblock %}
+
+{% block scripts %}
+{{ block.super }}
+{{ form.media.js }}
+{% endblock %}
diff --git a/passbook/core/forms/factors.py b/passbook/core/forms/factors.py
index 30a5875466..11d0061c67 100644
--- a/passbook/core/forms/factors.py
+++ b/passbook/core/forms/factors.py
@@ -2,6 +2,7 @@
 from django import forms
 
 from passbook.core.models import DummyFactor, PasswordFactor
+from passbook.lib.fields import DynamicArrayField
 
 GENERAL_FIELDS = ['name', 'slug', 'order', 'policies', 'enabled']
 
@@ -16,6 +17,9 @@ class PasswordFactorForm(forms.ModelForm):
             'name': forms.TextInput(),
             'order': forms.NumberInput(),
         }
+        field_classes = {
+            'backends': DynamicArrayField
+        }
 
 class DummyFactorForm(forms.ModelForm):
     """Form to create/edit Dummy Factor"""
diff --git a/passbook/core/static/css/passbook.css b/passbook/core/static/css/passbook.css
new file mode 100644
index 0000000000..86711d8b1d
--- /dev/null
+++ b/passbook/core/static/css/passbook.css
@@ -0,0 +1,23 @@
+.dynamic-array-widget .array-item {
+  display: flex;
+  align-items: center;
+  margin-bottom: 15px;
+}
+
+.dynamic-array-widget .remove_sign {
+  width: 10px;
+  height: 2px;
+  background: #a41515;
+  border-radius: 1px;
+}
+
+.dynamic-array-widget .remove {
+  height: 15px;
+  display: flex;
+  align-items: center;
+  margin-left: 5px;
+}
+
+.dynamic-array-widget .remove:hover {
+  cursor: pointer;
+}
diff --git a/passbook/core/static/js/passbook.js b/passbook/core/static/js/passbook.js
index a52cfe21e5..cb89bbd27c 100644
--- a/passbook/core/static/js/passbook.js
+++ b/passbook/core/static/js/passbook.js
@@ -16,3 +16,33 @@ const typeHandler = function (e) {
 
 $source.on('input', typeHandler) // register for oninput
 $source.on('propertychange', typeHandler) // for IE8
+
+window.addEventListener('load', function () {
+
+    function addRemoveEventListener(widgetElement) {
+        widgetElement.querySelectorAll('.array-remove').forEach(function (element) {
+            element.addEventListener('click', function () {
+                this.parentNode.parentNode.remove();
+            });
+        });
+    }
+
+    document.querySelectorAll('.dynamic-array-widget').forEach(function (widgetElement) {
+
+        addRemoveEventListener(widgetElement);
+
+        widgetElement.querySelector('.add-array-item').addEventListener('click', function () {
+            var first = widgetElement.querySelector('.array-item');
+            var newElement = first.cloneNode(true);
+            var id_parts = newElement.querySelector('input').getAttribute('id').split('_');
+            var id = id_parts.slice(0, -1).join('_') + '_' + String(parseInt(id_parts.slice(-1)[0]) + 1);
+            newElement.querySelector('input').setAttribute('id', id);
+            newElement.querySelector('input').value = '';
+
+            addRemoveEventListener(newElement);
+            first.parentElement.insertBefore(newElement, first.parentNode.lastChild);
+        });
+
+    });
+
+});
diff --git a/passbook/core/templates/base/skeleton.html b/passbook/core/templates/base/skeleton.html
index 69a60d503b..dad2289969 100644
--- a/passbook/core/templates/base/skeleton.html
+++ b/passbook/core/templates/base/skeleton.html
@@ -16,6 +16,7 @@
     <link rel="shortcut icon" type="image/png" href="{% static 'img/logo.png' %}">
     <link rel="stylesheet" type="text/css" href="{% static 'css/patternfly.min.css' %}">
     <link rel="stylesheet" type="text/css" href="{% static 'css/patternfly-additions.min.css' %}">
+    <link rel="stylesheet" type="text/css" href="{% static 'css/passbook.css' %}">
     <style>
         .login-pf {
             background-attachment: fixed;
diff --git a/passbook/lib/fields.py b/passbook/lib/fields.py
index e69de29bb2..d2ef82f877 100644
--- a/passbook/lib/fields.py
+++ b/passbook/lib/fields.py
@@ -0,0 +1,44 @@
+"""passbook lib fields"""
+from itertools import chain
+
+from django import forms
+from django.contrib.postgres.utils import prefix_validation_error
+
+from passbook.lib.widgets import DynamicArrayWidget
+
+
+class DynamicArrayField(forms.Field):
+    """Show array field as a dynamic amount of textboxes"""
+
+    default_error_messages = {"item_invalid": "Item %(nth)s in the array did not validate: "}
+
+    def __init__(self, base_field, **kwargs):
+        self.base_field = base_field
+        self.max_length = kwargs.pop("max_length", None)
+        kwargs.setdefault("widget", DynamicArrayWidget)
+        super().__init__(**kwargs)
+
+    def clean(self, value):
+        cleaned_data = []
+        errors = []
+        value = [x for x in value if x]
+        for index, item in enumerate(value):
+            try:
+                cleaned_data.append(self.base_field.clean(item))
+            except forms.ValidationError as error:
+                errors.append(
+                    prefix_validation_error(
+                        error, self.error_messages["item_invalid"],
+                        code="item_invalid", params={"nth": index}
+                    )
+                )
+        if errors:
+            raise forms.ValidationError(list(chain.from_iterable(errors)))
+        if not cleaned_data and self.required:
+            raise forms.ValidationError(self.error_messages["required"])
+        return cleaned_data
+
+    def has_changed(self, initial, data):
+        if not data and not initial:
+            return False
+        return super().has_changed(initial, data)
diff --git a/passbook/lib/templates/lib/arrayfield.html b/passbook/lib/templates/lib/arrayfield.html
new file mode 100644
index 0000000000..85705402c6
--- /dev/null
+++ b/passbook/lib/templates/lib/arrayfield.html
@@ -0,0 +1,17 @@
+{% load utils %}
+
+{% spaceless %}
+<div class="dynamic-array-widget">
+    {% for widget in widget.subwidgets %}
+    <div class="array-item input-group">
+        {% include widget.template_name %}
+        <div class="input-group-btn">
+            <button class="array-remove btn btn-danger" type="button">
+                <span class="pficon-delete"></span>
+            </button>
+        </div>
+    </div>
+    {% endfor %}
+    <div><button type="button" class="add-array-item btn btn-default">Add another</button></div>
+</div>
+{% endspaceless %}
diff --git a/passbook/lib/widgets.py b/passbook/lib/widgets.py
new file mode 100644
index 0000000000..5012a1ff75
--- /dev/null
+++ b/passbook/lib/widgets.py
@@ -0,0 +1,36 @@
+"""Dynamic array widget"""
+from django import forms
+
+
+class DynamicArrayWidget(forms.TextInput):
+    """Dynamic array widget"""
+
+    template_name = "lib/arrayfield.html"
+
+    def get_context(self, name, value, attrs):
+        value = value or [""]
+        context = super().get_context(name, value, attrs)
+        final_attrs = context["widget"]["attrs"]
+        id_ = context["widget"]["attrs"].get("id")
+
+        subwidgets = []
+        for index, item in enumerate(context["widget"]["value"]):
+            widget_attrs = final_attrs.copy()
+            if id_:
+                widget_attrs["id"] = "{id_}_{index}".format(id_=id_, index=index)
+            widget = forms.TextInput()
+            widget.is_required = self.is_required
+            subwidgets.append(widget.get_context(name, item, widget_attrs)["widget"])
+
+        context["widget"]["subwidgets"] = subwidgets
+        return context
+
+    def value_from_datadict(self, data, files, name):
+        try:
+            getter = data.getlist
+            return [value for value in getter(name) if value]
+        except AttributeError:
+            return data.get(name)
+
+    def format_value(self, value):
+        return value or []
diff --git a/passbook/saml_idp/forms.py b/passbook/saml_idp/forms.py
index 00f34bb985..e54bd63064 100644
--- a/passbook/saml_idp/forms.py
+++ b/passbook/saml_idp/forms.py
@@ -2,6 +2,7 @@
 
 from django import forms
 
+from passbook.lib.fields import DynamicArrayField
 from passbook.saml_idp.models import (SAMLPropertyMapping, SAMLProvider,
                                       get_provider_choices)
 from passbook.saml_idp.utils import CertificateBuilder
@@ -46,3 +47,6 @@ class SAMLPropertyMappingForm(forms.ModelForm):
             'saml_name': forms.TextInput(),
             'friendly_name': forms.TextInput(),
         }
+        field_classes = {
+            'values': DynamicArrayField
+        }

From cf11f6b121ebdc23d267aaf597d2477fa8e29c1d Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@haufe-lexware.com>
Date: Fri, 8 Mar 2019 15:16:25 +0100
Subject: [PATCH 03/28] format data before inserting it

---
 passbook/saml_idp/base.py | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/passbook/saml_idp/base.py b/passbook/saml_idp/base.py
index eb9a921b1a..c9b7a5d05f 100644
--- a/passbook/saml_idp/base.py
+++ b/passbook/saml_idp/base.py
@@ -172,10 +172,14 @@ class Processor:
             if isinstance(mapping, SAMLPropertyMapping):
                 mapping_payload = {
                     'Name': mapping.saml_name,
-                    'ValueArray': mapping.values
+                    'ValueArray': [],
+                    'FriendlyName': mapping.friendly_name
                 }
-                if mapping.friendly_name:
-                    mapping_payload['FriendlyName'] = mapping.friendly_name
+                for value in mapping.values:
+                    mapping_payload['ValueArray'].append(value.format(
+                        user=self._django_request.user,
+                        request=self._django_request
+                    ))
                 self._assertion_params['ATTRIBUTES'].append(mapping_payload)
         self._assertion_xml = xml_render.get_assertion_xml(
             'saml/xml/assertions/generic.xml', self._assertion_params, signed=True)

From a54adb05c46a25dab912ac2f7fa8478a34719d69 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@haufe-lexware.com>
Date: Fri, 8 Mar 2019 16:03:52 +0100
Subject: [PATCH 04/28] bump version: 0.1.4-beta -> 0.1.5-beta

---
 .bumpversion.cfg                            | 2 +-
 .gitlab-ci.yml                              | 2 +-
 helm/passbook/Chart.yaml                    | 4 ++--
 helm/passbook/values.yaml                   | 2 +-
 passbook/__init__.py                        | 2 +-
 passbook/admin/__init__.py                  | 2 +-
 passbook/api/__init__.py                    | 2 +-
 passbook/audit/__init__.py                  | 2 +-
 passbook/captcha_factor/__init__.py         | 2 +-
 passbook/core/__init__.py                   | 2 +-
 passbook/hibp_policy/__init__.py            | 2 +-
 passbook/ldap/__init__.py                   | 2 +-
 passbook/lib/__init__.py                    | 2 +-
 passbook/oauth_client/__init__.py           | 2 +-
 passbook/oauth_provider/__init__.py         | 2 +-
 passbook/otp/__init__.py                    | 2 +-
 passbook/password_expiry_policy/__init__.py | 2 +-
 passbook/saml_idp/__init__.py               | 2 +-
 18 files changed, 19 insertions(+), 19 deletions(-)

diff --git a/.bumpversion.cfg b/.bumpversion.cfg
index 5d06175a4e..1d4ac212cd 100644
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 0.1.4-beta
+current_version = 0.1.5-beta
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\-(?P<release>.*)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index bae12ea9be..36212bf64d 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -53,7 +53,7 @@ package-docker:
   before_script:
     - echo "{\"auths\":{\"docker.$NEXUS_URL\":{\"auth\":\"$NEXUS_AUTH\"}}}" > /kaniko/.docker/config.json
   script:
-    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination docker.pkg.beryju.org/passbook:latest --destination docker.pkg.beryju.org/passbook:0.1.4-beta
+    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination docker.pkg.beryju.org/passbook:latest --destination docker.pkg.beryju.org/passbook:0.1.5-beta
   stage: build
   only:
     - tags
diff --git a/helm/passbook/Chart.yaml b/helm/passbook/Chart.yaml
index 3dbead71d0..586af8ca9c 100644
--- a/helm/passbook/Chart.yaml
+++ b/helm/passbook/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
-appVersion: "0.1.4-beta"
+appVersion: "0.1.5-beta"
 description: A Helm chart for passbook.
 name: passbook
-version: "0.1.4-beta"
+version: "0.1.5-beta"
 icon: https://passbook.beryju.org/images/logo.png
diff --git a/helm/passbook/values.yaml b/helm/passbook/values.yaml
index 273f77488b..458c0cdc45 100644
--- a/helm/passbook/values.yaml
+++ b/helm/passbook/values.yaml
@@ -5,7 +5,7 @@
 replicaCount: 1
 
 image:
-  tag: 0.1.4-beta
+  tag: 0.1.5-beta
 
 nameOverride: ""
 
diff --git a/passbook/__init__.py b/passbook/__init__.py
index 56b2dca4e5..4574f2dc7e 100644
--- a/passbook/__init__.py
+++ b/passbook/__init__.py
@@ -1,2 +1,2 @@
 """passbook"""
-__version__ = '0.1.4-beta'
+__version__ = '0.1.5-beta'
diff --git a/passbook/admin/__init__.py b/passbook/admin/__init__.py
index d812363c3e..c42ea010ed 100644
--- a/passbook/admin/__init__.py
+++ b/passbook/admin/__init__.py
@@ -1,2 +1,2 @@
 """passbook admin"""
-__version__ = '0.1.4-beta'
+__version__ = '0.1.5-beta'
diff --git a/passbook/api/__init__.py b/passbook/api/__init__.py
index 895c549c75..8806d93c5e 100644
--- a/passbook/api/__init__.py
+++ b/passbook/api/__init__.py
@@ -1,2 +1,2 @@
 """passbook api"""
-__version__ = '0.1.4-beta'
+__version__ = '0.1.5-beta'
diff --git a/passbook/audit/__init__.py b/passbook/audit/__init__.py
index 017272cfb8..f43baadb3c 100644
--- a/passbook/audit/__init__.py
+++ b/passbook/audit/__init__.py
@@ -1,2 +1,2 @@
 """passbook audit Header"""
-__version__ = '0.1.4-beta'
+__version__ = '0.1.5-beta'
diff --git a/passbook/captcha_factor/__init__.py b/passbook/captcha_factor/__init__.py
index 0f462f20c3..d9933edd62 100644
--- a/passbook/captcha_factor/__init__.py
+++ b/passbook/captcha_factor/__init__.py
@@ -1,2 +1,2 @@
 """passbook captcha_factor Header"""
-__version__ = '0.1.4-beta'
+__version__ = '0.1.5-beta'
diff --git a/passbook/core/__init__.py b/passbook/core/__init__.py
index 0f73d35676..2bcaa41219 100644
--- a/passbook/core/__init__.py
+++ b/passbook/core/__init__.py
@@ -1,2 +1,2 @@
 """passbook core"""
-__version__ = '0.1.4-beta'
+__version__ = '0.1.5-beta'
diff --git a/passbook/hibp_policy/__init__.py b/passbook/hibp_policy/__init__.py
index 5b2a272438..4fcaf55117 100644
--- a/passbook/hibp_policy/__init__.py
+++ b/passbook/hibp_policy/__init__.py
@@ -1,2 +1,2 @@
 """passbook hibp_policy"""
-__version__ = '0.1.4-beta'
+__version__ = '0.1.5-beta'
diff --git a/passbook/ldap/__init__.py b/passbook/ldap/__init__.py
index 86e8af36c6..37832bef1a 100644
--- a/passbook/ldap/__init__.py
+++ b/passbook/ldap/__init__.py
@@ -1,2 +1,2 @@
 """Passbook ldap app Header"""
-__version__ = '0.1.4-beta'
+__version__ = '0.1.5-beta'
diff --git a/passbook/lib/__init__.py b/passbook/lib/__init__.py
index 4477dc3351..208ec64733 100644
--- a/passbook/lib/__init__.py
+++ b/passbook/lib/__init__.py
@@ -1,2 +1,2 @@
 """passbook lib"""
-__version__ = '0.1.4-beta'
+__version__ = '0.1.5-beta'
diff --git a/passbook/oauth_client/__init__.py b/passbook/oauth_client/__init__.py
index b8c244612f..5514c94232 100644
--- a/passbook/oauth_client/__init__.py
+++ b/passbook/oauth_client/__init__.py
@@ -1,2 +1,2 @@
 """passbook oauth_client Header"""
-__version__ = '0.1.4-beta'
+__version__ = '0.1.5-beta'
diff --git a/passbook/oauth_provider/__init__.py b/passbook/oauth_provider/__init__.py
index 5a8c9b3406..5d91a9d7b1 100644
--- a/passbook/oauth_provider/__init__.py
+++ b/passbook/oauth_provider/__init__.py
@@ -1,2 +1,2 @@
 """passbook oauth_provider Header"""
-__version__ = '0.1.4-beta'
+__version__ = '0.1.5-beta'
diff --git a/passbook/otp/__init__.py b/passbook/otp/__init__.py
index ce49b71da2..7c6794bb8a 100644
--- a/passbook/otp/__init__.py
+++ b/passbook/otp/__init__.py
@@ -1,2 +1,2 @@
 """passbook otp Header"""
-__version__ = '0.1.4-beta'
+__version__ = '0.1.5-beta'
diff --git a/passbook/password_expiry_policy/__init__.py b/passbook/password_expiry_policy/__init__.py
index 2cf7bc4b45..ed8c759a9d 100644
--- a/passbook/password_expiry_policy/__init__.py
+++ b/passbook/password_expiry_policy/__init__.py
@@ -1,2 +1,2 @@
 """passbook password_expiry"""
-__version__ = '0.1.4-beta'
+__version__ = '0.1.5-beta'
diff --git a/passbook/saml_idp/__init__.py b/passbook/saml_idp/__init__.py
index a1453f8842..67fd72a176 100644
--- a/passbook/saml_idp/__init__.py
+++ b/passbook/saml_idp/__init__.py
@@ -1,2 +1,2 @@
 """passbook saml_idp Header"""
-__version__ = '0.1.4-beta'
+__version__ = '0.1.5-beta'

From 0a4af80b9b80d0acd11ba03dc13a72ae459be3ea Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@haufe-lexware.com>
Date: Fri, 8 Mar 2019 16:41:52 +0100
Subject: [PATCH 05/28] fix static files missing for debian package

---
 .gitlab-ci.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 36212bf64d..b68babc367 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -78,6 +78,7 @@ package-debian:
     - virtualenv env
     - source env/bin/activate
     - pip3 install -U -r requirements.txt -r requirements-dev.txt
+    - ./manage.py collectstatic --no-input
   image: ubuntu:18.04
   script:
     - debuild -us -uc

From 9daff7608d5540c0caf2133045d927d68422bce4 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@haufe-lexware.com>
Date: Fri, 8 Mar 2019 19:45:41 +0100
Subject: [PATCH 06/28] fix password not getting set on user import

---
 passbook/core/management/commands/import_users.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/passbook/core/management/commands/import_users.py b/passbook/core/management/commands/import_users.py
index fc694ef96a..c0b1a829bd 100644
--- a/passbook/core/management/commands/import_users.py
+++ b/passbook/core/management/commands/import_users.py
@@ -37,7 +37,8 @@ class Command(BaseCommand):
                         User.objects.create(
                             username=user.get('username'),
                             email=user.get('email'),
-                            name=user.get('name'))
+                            name=user.get('name'),
+                            password=user.get('password'))
                         LOGGER.debug('Created User %s', user.get('username'))
                     except ValidationError as exc:
                         LOGGER.warning('User %s caused %r, skipping', user.get('username'), exc)

From 64033031b155a138e8cf5188f3f2af38673ef1c4 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@haufe-lexware.com>
Date: Fri, 8 Mar 2019 19:45:50 +0100
Subject: [PATCH 07/28] remove audit's login attempt

---
 .../audit/migrations/0004_delete_loginattempt.py | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 passbook/audit/migrations/0004_delete_loginattempt.py

diff --git a/passbook/audit/migrations/0004_delete_loginattempt.py b/passbook/audit/migrations/0004_delete_loginattempt.py
new file mode 100644
index 0000000000..96ca0e8dcd
--- /dev/null
+++ b/passbook/audit/migrations/0004_delete_loginattempt.py
@@ -0,0 +1,16 @@
+# Generated by Django 2.1.7 on 2019-03-08 14:53
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('passbook_audit', '0003_auto_20190221_1240'),
+    ]
+
+    operations = [
+        migrations.DeleteModel(
+            name='LoginAttempt',
+        ),
+    ]

From 296d4f691a96c59ab10acfe87af08ba26e0a2150 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@haufe-lexware.com>
Date: Fri, 8 Mar 2019 19:49:53 +0100
Subject: [PATCH 08/28] add passing property to PolicyEngine

---
 passbook/core/auth/view.py                           | 2 +-
 passbook/core/policies.py                            | 5 +++++
 passbook/core/templatetags/passbook_user_settings.py | 2 +-
 passbook/saml_idp/views.py                           | 2 +-
 4 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/passbook/core/auth/view.py b/passbook/core/auth/view.py
index 80f7bd835f..81e6b48164 100644
--- a/passbook/core/auth/view.py
+++ b/passbook/core/auth/view.py
@@ -66,7 +66,7 @@ class AuthenticationView(UserPassesTestMixin, View):
             for factor in _all_factors:
                 policy_engine = PolicyEngine(factor.policies.all())
                 policy_engine.for_user(self.pending_user).with_request(request).build()
-                if policy_engine.result[0]:
+                if policy_engine.passing:
                     self.pending_factors.append((factor.uuid.hex, factor.type))
         # Read and instantiate factor from session
         factor_uuid, factor_class = None, None
diff --git a/passbook/core/policies.py b/passbook/core/policies.py
index 37050a2d07..f26919cef3 100644
--- a/passbook/core/policies.py
+++ b/passbook/core/policies.py
@@ -79,3 +79,8 @@ class PolicyEngine:
             if not passing:
                 return False, messages
         return True, messages
+
+    @property
+    def passing(self):
+        """Only get true/false if user passes"""
+        return self.result[0]
diff --git a/passbook/core/templatetags/passbook_user_settings.py b/passbook/core/templatetags/passbook_user_settings.py
index f6e11df6c0..8e529d68ca 100644
--- a/passbook/core/templatetags/passbook_user_settings.py
+++ b/passbook/core/templatetags/passbook_user_settings.py
@@ -17,6 +17,6 @@ def user_factors(context):
         _link = factor.has_user_settings()
         policy_engine = PolicyEngine(factor.policies.all())
         policy_engine.for_user(user).with_request(context.get('request')).build()
-        if policy_engine.result[0] and _link:
+        if policy_engine.passing and _link:
             matching_factors.append(_link)
     return matching_factors
diff --git a/passbook/saml_idp/views.py b/passbook/saml_idp/views.py
index e1d4367ee9..682d53efa9 100644
--- a/passbook/saml_idp/views.py
+++ b/passbook/saml_idp/views.py
@@ -105,7 +105,7 @@ class LoginProcessView(ProviderMixin, LoginRequiredMixin, View):
         """Check if user has access to application"""
         policy_engine = PolicyEngine(self.provider.application.policies.all())
         policy_engine.for_user(self.request.user).with_request(self.request).build()
-        return policy_engine.result
+        return policy_engine.passing
 
     def get(self, request, application):
         """Handle get request, i.e. render form"""

From 2f7781b67aa51e8cce5048a3a82da01043ad05c1 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@haufe-lexware.com>
Date: Fri, 8 Mar 2019 20:08:28 +0100
Subject: [PATCH 09/28] fix captcha factor not loading keys from Factor class

---
 passbook/captcha_factor/factor.py | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/passbook/captcha_factor/factor.py b/passbook/captcha_factor/factor.py
index a162229951..9ce564cffc 100644
--- a/passbook/captcha_factor/factor.py
+++ b/passbook/captcha_factor/factor.py
@@ -13,3 +13,10 @@ class CaptchaFactor(FormView, AuthenticationFactor):
 
     def form_valid(self, form):
         return self.authenticator.user_ok()
+
+    def get_form(self, form_class=None):
+        form = CaptchaForm(**self.get_form_kwargs())
+        form.fields['captcha'].public_key = '6Lfi1w8TAAAAAELH-YiWp0OFItmMzvjGmw2xkvUN'
+        form.fields['captcha'].private_key = '6Lfi1w8TAAAAAMQI3f86tGMvd1QkcqqVQyBWI23D'
+        form.fields['captcha'].widget.attrs["data-sitekey"] = form.fields['captcha'].public_key
+        return form

From 11ecdc4fcf5d4a68a376881b66dc193dd75db3b9 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@haufe-lexware.com>
Date: Fri, 8 Mar 2019 20:39:27 +0100
Subject: [PATCH 10/28] bump version: 0.1.5-beta -> 0.1.6-beta

---
 .bumpversion.cfg                            | 2 +-
 .gitlab-ci.yml                              | 2 +-
 helm/passbook/Chart.yaml                    | 4 ++--
 helm/passbook/values.yaml                   | 2 +-
 passbook/__init__.py                        | 2 +-
 passbook/admin/__init__.py                  | 2 +-
 passbook/api/__init__.py                    | 2 +-
 passbook/audit/__init__.py                  | 2 +-
 passbook/captcha_factor/__init__.py         | 2 +-
 passbook/core/__init__.py                   | 2 +-
 passbook/hibp_policy/__init__.py            | 2 +-
 passbook/ldap/__init__.py                   | 2 +-
 passbook/lib/__init__.py                    | 2 +-
 passbook/oauth_client/__init__.py           | 2 +-
 passbook/oauth_provider/__init__.py         | 2 +-
 passbook/otp/__init__.py                    | 2 +-
 passbook/password_expiry_policy/__init__.py | 2 +-
 passbook/saml_idp/__init__.py               | 2 +-
 18 files changed, 19 insertions(+), 19 deletions(-)

diff --git a/.bumpversion.cfg b/.bumpversion.cfg
index 1d4ac212cd..aebc1e5e11 100644
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 0.1.5-beta
+current_version = 0.1.6-beta
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\-(?P<release>.*)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index b68babc367..c8968ee9f8 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -53,7 +53,7 @@ package-docker:
   before_script:
     - echo "{\"auths\":{\"docker.$NEXUS_URL\":{\"auth\":\"$NEXUS_AUTH\"}}}" > /kaniko/.docker/config.json
   script:
-    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination docker.pkg.beryju.org/passbook:latest --destination docker.pkg.beryju.org/passbook:0.1.5-beta
+    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination docker.pkg.beryju.org/passbook:latest --destination docker.pkg.beryju.org/passbook:0.1.6-beta
   stage: build
   only:
     - tags
diff --git a/helm/passbook/Chart.yaml b/helm/passbook/Chart.yaml
index 586af8ca9c..97a7ee5d05 100644
--- a/helm/passbook/Chart.yaml
+++ b/helm/passbook/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
-appVersion: "0.1.5-beta"
+appVersion: "0.1.6-beta"
 description: A Helm chart for passbook.
 name: passbook
-version: "0.1.5-beta"
+version: "0.1.6-beta"
 icon: https://passbook.beryju.org/images/logo.png
diff --git a/helm/passbook/values.yaml b/helm/passbook/values.yaml
index 458c0cdc45..ce88f8c33d 100644
--- a/helm/passbook/values.yaml
+++ b/helm/passbook/values.yaml
@@ -5,7 +5,7 @@
 replicaCount: 1
 
 image:
-  tag: 0.1.5-beta
+  tag: 0.1.6-beta
 
 nameOverride: ""
 
diff --git a/passbook/__init__.py b/passbook/__init__.py
index 4574f2dc7e..2510200b00 100644
--- a/passbook/__init__.py
+++ b/passbook/__init__.py
@@ -1,2 +1,2 @@
 """passbook"""
-__version__ = '0.1.5-beta'
+__version__ = '0.1.6-beta'
diff --git a/passbook/admin/__init__.py b/passbook/admin/__init__.py
index c42ea010ed..9e4bc3157f 100644
--- a/passbook/admin/__init__.py
+++ b/passbook/admin/__init__.py
@@ -1,2 +1,2 @@
 """passbook admin"""
-__version__ = '0.1.5-beta'
+__version__ = '0.1.6-beta'
diff --git a/passbook/api/__init__.py b/passbook/api/__init__.py
index 8806d93c5e..b2ccddbd53 100644
--- a/passbook/api/__init__.py
+++ b/passbook/api/__init__.py
@@ -1,2 +1,2 @@
 """passbook api"""
-__version__ = '0.1.5-beta'
+__version__ = '0.1.6-beta'
diff --git a/passbook/audit/__init__.py b/passbook/audit/__init__.py
index f43baadb3c..54a98e64c4 100644
--- a/passbook/audit/__init__.py
+++ b/passbook/audit/__init__.py
@@ -1,2 +1,2 @@
 """passbook audit Header"""
-__version__ = '0.1.5-beta'
+__version__ = '0.1.6-beta'
diff --git a/passbook/captcha_factor/__init__.py b/passbook/captcha_factor/__init__.py
index d9933edd62..05f48a00c1 100644
--- a/passbook/captcha_factor/__init__.py
+++ b/passbook/captcha_factor/__init__.py
@@ -1,2 +1,2 @@
 """passbook captcha_factor Header"""
-__version__ = '0.1.5-beta'
+__version__ = '0.1.6-beta'
diff --git a/passbook/core/__init__.py b/passbook/core/__init__.py
index 2bcaa41219..96a1ca28bc 100644
--- a/passbook/core/__init__.py
+++ b/passbook/core/__init__.py
@@ -1,2 +1,2 @@
 """passbook core"""
-__version__ = '0.1.5-beta'
+__version__ = '0.1.6-beta'
diff --git a/passbook/hibp_policy/__init__.py b/passbook/hibp_policy/__init__.py
index 4fcaf55117..0609368cc9 100644
--- a/passbook/hibp_policy/__init__.py
+++ b/passbook/hibp_policy/__init__.py
@@ -1,2 +1,2 @@
 """passbook hibp_policy"""
-__version__ = '0.1.5-beta'
+__version__ = '0.1.6-beta'
diff --git a/passbook/ldap/__init__.py b/passbook/ldap/__init__.py
index 37832bef1a..3cb7ddf35f 100644
--- a/passbook/ldap/__init__.py
+++ b/passbook/ldap/__init__.py
@@ -1,2 +1,2 @@
 """Passbook ldap app Header"""
-__version__ = '0.1.5-beta'
+__version__ = '0.1.6-beta'
diff --git a/passbook/lib/__init__.py b/passbook/lib/__init__.py
index 208ec64733..f7737700b3 100644
--- a/passbook/lib/__init__.py
+++ b/passbook/lib/__init__.py
@@ -1,2 +1,2 @@
 """passbook lib"""
-__version__ = '0.1.5-beta'
+__version__ = '0.1.6-beta'
diff --git a/passbook/oauth_client/__init__.py b/passbook/oauth_client/__init__.py
index 5514c94232..6baf276f16 100644
--- a/passbook/oauth_client/__init__.py
+++ b/passbook/oauth_client/__init__.py
@@ -1,2 +1,2 @@
 """passbook oauth_client Header"""
-__version__ = '0.1.5-beta'
+__version__ = '0.1.6-beta'
diff --git a/passbook/oauth_provider/__init__.py b/passbook/oauth_provider/__init__.py
index 5d91a9d7b1..d2c4202830 100644
--- a/passbook/oauth_provider/__init__.py
+++ b/passbook/oauth_provider/__init__.py
@@ -1,2 +1,2 @@
 """passbook oauth_provider Header"""
-__version__ = '0.1.5-beta'
+__version__ = '0.1.6-beta'
diff --git a/passbook/otp/__init__.py b/passbook/otp/__init__.py
index 7c6794bb8a..2ff45196bb 100644
--- a/passbook/otp/__init__.py
+++ b/passbook/otp/__init__.py
@@ -1,2 +1,2 @@
 """passbook otp Header"""
-__version__ = '0.1.5-beta'
+__version__ = '0.1.6-beta'
diff --git a/passbook/password_expiry_policy/__init__.py b/passbook/password_expiry_policy/__init__.py
index ed8c759a9d..caf854d2c8 100644
--- a/passbook/password_expiry_policy/__init__.py
+++ b/passbook/password_expiry_policy/__init__.py
@@ -1,2 +1,2 @@
 """passbook password_expiry"""
-__version__ = '0.1.5-beta'
+__version__ = '0.1.6-beta'
diff --git a/passbook/saml_idp/__init__.py b/passbook/saml_idp/__init__.py
index 67fd72a176..61223c987b 100644
--- a/passbook/saml_idp/__init__.py
+++ b/passbook/saml_idp/__init__.py
@@ -1,2 +1,2 @@
 """passbook saml_idp Header"""
-__version__ = '0.1.5-beta'
+__version__ = '0.1.6-beta'

From a7eaa74191b2f6f172c8617d855a36fb07c1b503 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@haufe-lexware.com>
Date: Fri, 8 Mar 2019 21:20:38 +0100
Subject: [PATCH 11/28] fix MATCH_EXACT not working as intended

---
 passbook/core/models.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/passbook/core/models.py b/passbook/core/models.py
index 7772a6d0f7..582b1aa29a 100644
--- a/passbook/core/models.py
+++ b/passbook/core/models.py
@@ -288,6 +288,8 @@ class FieldMatcherPolicy(Policy):
         if self.match_action == FieldMatcherPolicy.MATCH_REGEXP:
             pattern = re.compile(self.value)
             passes = bool(pattern.match(user_field_value))
+        if self.match_action == FieldMatcherPolicy.MATCH_EXACT:
+            passes = user_field_value == self.value
 
         LOGGER.debug("User got '%r'", passes)
         return passes

From c313b496aa446cea35ee762ce5e9a9c57aa519f1 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@haufe-lexware.com>
Date: Fri, 8 Mar 2019 21:30:16 +0100
Subject: [PATCH 12/28] Improve access control for saml

---
 passbook/saml_idp/templates/saml/idp/login.html |  2 +-
 passbook/saml_idp/views.py                      | 13 +++++++++++--
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/passbook/saml_idp/templates/saml/idp/login.html b/passbook/saml_idp/templates/saml/idp/login.html
index d8b929931b..13fc082b31 100644
--- a/passbook/saml_idp/templates/saml/idp/login.html
+++ b/passbook/saml_idp/templates/saml/idp/login.html
@@ -18,7 +18,7 @@
     <input type="hidden" name="SAMLResponse" value="{{ saml_response }}" />
     <div class="login-group">
         <h3>
-            {% blocktrans with remote=remote.name %}
+            {% blocktrans with remote=remote.application.name %}
             You're about to sign into {{ remote }}
             {% endblocktrans %}
         </h3>
diff --git a/passbook/saml_idp/views.py b/passbook/saml_idp/views.py
index 682d53efa9..99c39f26fa 100644
--- a/passbook/saml_idp/views.py
+++ b/passbook/saml_idp/views.py
@@ -12,6 +12,7 @@ from django.utils.decorators import method_decorator
 from django.views import View
 from django.views.decorators.csrf import csrf_exempt
 from signxml.util import strip_pem_header
+from django.utils.translation import gettext as _
 
 from passbook.audit.models import AuditEntry
 from passbook.core.models import Application
@@ -110,8 +111,12 @@ class LoginProcessView(ProviderMixin, LoginRequiredMixin, View):
     def get(self, request, application):
         """Handle get request, i.e. render form"""
         LOGGER.debug("Request: %s", request)
+        if not self._has_access():
+            return render(request, 'login/denied.html', {
+                'title': _("You don't have access to this application")
+            })
         # Check if user has access
-        if self.provider.application.skip_authorization and self._has_access():
+        if self.provider.application.skip_authorization:
             ctx = self.provider.processor.generate_response()
             # Log Application Authorization
             AuditEntry.create(
@@ -133,8 +138,12 @@ class LoginProcessView(ProviderMixin, LoginRequiredMixin, View):
     def post(self, request, application):
         """Handle post request, return back to ACS"""
         LOGGER.debug("Request: %s", request)
+        if not self._has_access():
+            return render(request, 'login/denied.html', {
+                'title': _("You don't have access to this application")
+            })
         # Check if user has access
-        if request.POST.get('ACSUrl', None) and self._has_access():
+        if request.POST.get('ACSUrl', None):
             # User accepted request
             AuditEntry.create(
                 action=AuditEntry.ACTION_AUTHORIZE_APPLICATION,

From a6e435bd70b3c457b481f4c9c1f3937b6db0717d Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@haufe-lexware.com>
Date: Fri, 8 Mar 2019 21:37:55 +0100
Subject: [PATCH 13/28] prepare debian changelog for 0.1.6

---
 debian/changelog | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index fe430b9721..a878de228d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,23 @@
+passbook (0.1.6) stable; urgency=medium
+
+  * bump version: 0.1.3-beta -> 0.1.4-beta
+  * implicitly add kubernetes-healthcheck-host in helm configmap
+  * fix debian build (again)
+  * add PropertyMapping Model, add Subclass for SAML, test with AWS
+  * add custom DynamicArrayField to better handle arrays
+  * format data before inserting it
+  * bump version: 0.1.4-beta -> 0.1.5-beta
+  * fix static files missing for debian package
+  * fix password not getting set on user import
+  * remove audit's login attempt
+  * add passing property to PolicyEngine
+  * fix captcha factor not loading keys from Factor class
+  * bump version: 0.1.5-beta -> 0.1.6-beta
+  * fix MATCH_EXACT not working as intended
+  * Improve access control for saml
+
+ -- Jens Langhammer <jens.langhammer@beryju.org>  Fri, 08 Mar 2019 20:37:05 +0000
+
 passbook (0.1.4) stable; urgency=medium
 
   * initial debian package release

From 74da3df7cdcef67ceca59559a91dc0f6c9aaf98c Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@haufe-lexware.com>
Date: Fri, 8 Mar 2019 21:37:59 +0100
Subject: [PATCH 14/28] bump version: 0.1.6-beta -> 0.1.7-beta

---
 .bumpversion.cfg                            | 2 +-
 .gitlab-ci.yml                              | 2 +-
 helm/passbook/Chart.yaml                    | 4 ++--
 helm/passbook/values.yaml                   | 2 +-
 passbook/__init__.py                        | 2 +-
 passbook/admin/__init__.py                  | 2 +-
 passbook/api/__init__.py                    | 2 +-
 passbook/audit/__init__.py                  | 2 +-
 passbook/captcha_factor/__init__.py         | 2 +-
 passbook/core/__init__.py                   | 2 +-
 passbook/hibp_policy/__init__.py            | 2 +-
 passbook/ldap/__init__.py                   | 2 +-
 passbook/lib/__init__.py                    | 2 +-
 passbook/oauth_client/__init__.py           | 2 +-
 passbook/oauth_provider/__init__.py         | 2 +-
 passbook/otp/__init__.py                    | 2 +-
 passbook/password_expiry_policy/__init__.py | 2 +-
 passbook/saml_idp/__init__.py               | 2 +-
 18 files changed, 19 insertions(+), 19 deletions(-)

diff --git a/.bumpversion.cfg b/.bumpversion.cfg
index aebc1e5e11..55a144fefe 100644
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 0.1.6-beta
+current_version = 0.1.7-beta
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\-(?P<release>.*)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index c8968ee9f8..0c72a24b2b 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -53,7 +53,7 @@ package-docker:
   before_script:
     - echo "{\"auths\":{\"docker.$NEXUS_URL\":{\"auth\":\"$NEXUS_AUTH\"}}}" > /kaniko/.docker/config.json
   script:
-    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination docker.pkg.beryju.org/passbook:latest --destination docker.pkg.beryju.org/passbook:0.1.6-beta
+    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination docker.pkg.beryju.org/passbook:latest --destination docker.pkg.beryju.org/passbook:0.1.7-beta
   stage: build
   only:
     - tags
diff --git a/helm/passbook/Chart.yaml b/helm/passbook/Chart.yaml
index 97a7ee5d05..8641a555f9 100644
--- a/helm/passbook/Chart.yaml
+++ b/helm/passbook/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
-appVersion: "0.1.6-beta"
+appVersion: "0.1.7-beta"
 description: A Helm chart for passbook.
 name: passbook
-version: "0.1.6-beta"
+version: "0.1.7-beta"
 icon: https://passbook.beryju.org/images/logo.png
diff --git a/helm/passbook/values.yaml b/helm/passbook/values.yaml
index ce88f8c33d..8505075a76 100644
--- a/helm/passbook/values.yaml
+++ b/helm/passbook/values.yaml
@@ -5,7 +5,7 @@
 replicaCount: 1
 
 image:
-  tag: 0.1.6-beta
+  tag: 0.1.7-beta
 
 nameOverride: ""
 
diff --git a/passbook/__init__.py b/passbook/__init__.py
index 2510200b00..ee4ccd0b3c 100644
--- a/passbook/__init__.py
+++ b/passbook/__init__.py
@@ -1,2 +1,2 @@
 """passbook"""
-__version__ = '0.1.6-beta'
+__version__ = '0.1.7-beta'
diff --git a/passbook/admin/__init__.py b/passbook/admin/__init__.py
index 9e4bc3157f..97e4260fef 100644
--- a/passbook/admin/__init__.py
+++ b/passbook/admin/__init__.py
@@ -1,2 +1,2 @@
 """passbook admin"""
-__version__ = '0.1.6-beta'
+__version__ = '0.1.7-beta'
diff --git a/passbook/api/__init__.py b/passbook/api/__init__.py
index b2ccddbd53..1699e1afd0 100644
--- a/passbook/api/__init__.py
+++ b/passbook/api/__init__.py
@@ -1,2 +1,2 @@
 """passbook api"""
-__version__ = '0.1.6-beta'
+__version__ = '0.1.7-beta'
diff --git a/passbook/audit/__init__.py b/passbook/audit/__init__.py
index 54a98e64c4..e14df48c7c 100644
--- a/passbook/audit/__init__.py
+++ b/passbook/audit/__init__.py
@@ -1,2 +1,2 @@
 """passbook audit Header"""
-__version__ = '0.1.6-beta'
+__version__ = '0.1.7-beta'
diff --git a/passbook/captcha_factor/__init__.py b/passbook/captcha_factor/__init__.py
index 05f48a00c1..d2f18bfc63 100644
--- a/passbook/captcha_factor/__init__.py
+++ b/passbook/captcha_factor/__init__.py
@@ -1,2 +1,2 @@
 """passbook captcha_factor Header"""
-__version__ = '0.1.6-beta'
+__version__ = '0.1.7-beta'
diff --git a/passbook/core/__init__.py b/passbook/core/__init__.py
index 96a1ca28bc..6f4ef84407 100644
--- a/passbook/core/__init__.py
+++ b/passbook/core/__init__.py
@@ -1,2 +1,2 @@
 """passbook core"""
-__version__ = '0.1.6-beta'
+__version__ = '0.1.7-beta'
diff --git a/passbook/hibp_policy/__init__.py b/passbook/hibp_policy/__init__.py
index 0609368cc9..8097da7f8d 100644
--- a/passbook/hibp_policy/__init__.py
+++ b/passbook/hibp_policy/__init__.py
@@ -1,2 +1,2 @@
 """passbook hibp_policy"""
-__version__ = '0.1.6-beta'
+__version__ = '0.1.7-beta'
diff --git a/passbook/ldap/__init__.py b/passbook/ldap/__init__.py
index 3cb7ddf35f..ce103112f2 100644
--- a/passbook/ldap/__init__.py
+++ b/passbook/ldap/__init__.py
@@ -1,2 +1,2 @@
 """Passbook ldap app Header"""
-__version__ = '0.1.6-beta'
+__version__ = '0.1.7-beta'
diff --git a/passbook/lib/__init__.py b/passbook/lib/__init__.py
index f7737700b3..83b8edb506 100644
--- a/passbook/lib/__init__.py
+++ b/passbook/lib/__init__.py
@@ -1,2 +1,2 @@
 """passbook lib"""
-__version__ = '0.1.6-beta'
+__version__ = '0.1.7-beta'
diff --git a/passbook/oauth_client/__init__.py b/passbook/oauth_client/__init__.py
index 6baf276f16..b724c69546 100644
--- a/passbook/oauth_client/__init__.py
+++ b/passbook/oauth_client/__init__.py
@@ -1,2 +1,2 @@
 """passbook oauth_client Header"""
-__version__ = '0.1.6-beta'
+__version__ = '0.1.7-beta'
diff --git a/passbook/oauth_provider/__init__.py b/passbook/oauth_provider/__init__.py
index d2c4202830..b3f6524001 100644
--- a/passbook/oauth_provider/__init__.py
+++ b/passbook/oauth_provider/__init__.py
@@ -1,2 +1,2 @@
 """passbook oauth_provider Header"""
-__version__ = '0.1.6-beta'
+__version__ = '0.1.7-beta'
diff --git a/passbook/otp/__init__.py b/passbook/otp/__init__.py
index 2ff45196bb..11a624c43c 100644
--- a/passbook/otp/__init__.py
+++ b/passbook/otp/__init__.py
@@ -1,2 +1,2 @@
 """passbook otp Header"""
-__version__ = '0.1.6-beta'
+__version__ = '0.1.7-beta'
diff --git a/passbook/password_expiry_policy/__init__.py b/passbook/password_expiry_policy/__init__.py
index caf854d2c8..2153f401f5 100644
--- a/passbook/password_expiry_policy/__init__.py
+++ b/passbook/password_expiry_policy/__init__.py
@@ -1,2 +1,2 @@
 """passbook password_expiry"""
-__version__ = '0.1.6-beta'
+__version__ = '0.1.7-beta'
diff --git a/passbook/saml_idp/__init__.py b/passbook/saml_idp/__init__.py
index 61223c987b..3e65afc4fe 100644
--- a/passbook/saml_idp/__init__.py
+++ b/passbook/saml_idp/__init__.py
@@ -1,2 +1,2 @@
 """passbook saml_idp Header"""
-__version__ = '0.1.6-beta'
+__version__ = '0.1.7-beta'

From 787db41cc3bb6a8d409b2ef7d5f6f4d50ec66c38 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@haufe-lexware.com>
Date: Fri, 8 Mar 2019 21:43:33 +0100
Subject: [PATCH 15/28] prepare for 0.1.7

---
 debian/changelog           | 2 +-
 passbook/saml_idp/views.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index a878de228d..20367e56cd 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-passbook (0.1.6) stable; urgency=medium
+passbook (0.1.7) stable; urgency=medium
 
   * bump version: 0.1.3-beta -> 0.1.4-beta
   * implicitly add kubernetes-healthcheck-host in helm configmap
diff --git a/passbook/saml_idp/views.py b/passbook/saml_idp/views.py
index 99c39f26fa..f5cf03cd15 100644
--- a/passbook/saml_idp/views.py
+++ b/passbook/saml_idp/views.py
@@ -9,10 +9,10 @@ from django.http import HttpResponse, HttpResponseBadRequest
 from django.shortcuts import get_object_or_404, redirect, render, reverse
 from django.utils.datastructures import MultiValueDictKeyError
 from django.utils.decorators import method_decorator
+from django.utils.translation import gettext as _
 from django.views import View
 from django.views.decorators.csrf import csrf_exempt
 from signxml.util import strip_pem_header
-from django.utils.translation import gettext as _
 
 from passbook.audit.models import AuditEntry
 from passbook.core.models import Application

From 76694e037a18b181b042a72a9190899ea2f3f8a6 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@haufe-lexware.com>
Date: Fri, 8 Mar 2019 21:43:35 +0100
Subject: [PATCH 16/28] bump version: 0.1.7-beta -> 0.1.8-beta

---
 .bumpversion.cfg                            | 2 +-
 .gitlab-ci.yml                              | 2 +-
 helm/passbook/Chart.yaml                    | 4 ++--
 helm/passbook/values.yaml                   | 2 +-
 passbook/__init__.py                        | 2 +-
 passbook/admin/__init__.py                  | 2 +-
 passbook/api/__init__.py                    | 2 +-
 passbook/audit/__init__.py                  | 2 +-
 passbook/captcha_factor/__init__.py         | 2 +-
 passbook/core/__init__.py                   | 2 +-
 passbook/hibp_policy/__init__.py            | 2 +-
 passbook/ldap/__init__.py                   | 2 +-
 passbook/lib/__init__.py                    | 2 +-
 passbook/oauth_client/__init__.py           | 2 +-
 passbook/oauth_provider/__init__.py         | 2 +-
 passbook/otp/__init__.py                    | 2 +-
 passbook/password_expiry_policy/__init__.py | 2 +-
 passbook/saml_idp/__init__.py               | 2 +-
 18 files changed, 19 insertions(+), 19 deletions(-)

diff --git a/.bumpversion.cfg b/.bumpversion.cfg
index 55a144fefe..595a88bd77 100644
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 0.1.7-beta
+current_version = 0.1.8-beta
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\-(?P<release>.*)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 0c72a24b2b..4ae596d6e1 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -53,7 +53,7 @@ package-docker:
   before_script:
     - echo "{\"auths\":{\"docker.$NEXUS_URL\":{\"auth\":\"$NEXUS_AUTH\"}}}" > /kaniko/.docker/config.json
   script:
-    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination docker.pkg.beryju.org/passbook:latest --destination docker.pkg.beryju.org/passbook:0.1.7-beta
+    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination docker.pkg.beryju.org/passbook:latest --destination docker.pkg.beryju.org/passbook:0.1.8-beta
   stage: build
   only:
     - tags
diff --git a/helm/passbook/Chart.yaml b/helm/passbook/Chart.yaml
index 8641a555f9..a3b6368e41 100644
--- a/helm/passbook/Chart.yaml
+++ b/helm/passbook/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
-appVersion: "0.1.7-beta"
+appVersion: "0.1.8-beta"
 description: A Helm chart for passbook.
 name: passbook
-version: "0.1.7-beta"
+version: "0.1.8-beta"
 icon: https://passbook.beryju.org/images/logo.png
diff --git a/helm/passbook/values.yaml b/helm/passbook/values.yaml
index 8505075a76..c0c7eff4fe 100644
--- a/helm/passbook/values.yaml
+++ b/helm/passbook/values.yaml
@@ -5,7 +5,7 @@
 replicaCount: 1
 
 image:
-  tag: 0.1.7-beta
+  tag: 0.1.8-beta
 
 nameOverride: ""
 
diff --git a/passbook/__init__.py b/passbook/__init__.py
index ee4ccd0b3c..11653b3e00 100644
--- a/passbook/__init__.py
+++ b/passbook/__init__.py
@@ -1,2 +1,2 @@
 """passbook"""
-__version__ = '0.1.7-beta'
+__version__ = '0.1.8-beta'
diff --git a/passbook/admin/__init__.py b/passbook/admin/__init__.py
index 97e4260fef..8b1e8c4aeb 100644
--- a/passbook/admin/__init__.py
+++ b/passbook/admin/__init__.py
@@ -1,2 +1,2 @@
 """passbook admin"""
-__version__ = '0.1.7-beta'
+__version__ = '0.1.8-beta'
diff --git a/passbook/api/__init__.py b/passbook/api/__init__.py
index 1699e1afd0..cd6f09ba5e 100644
--- a/passbook/api/__init__.py
+++ b/passbook/api/__init__.py
@@ -1,2 +1,2 @@
 """passbook api"""
-__version__ = '0.1.7-beta'
+__version__ = '0.1.8-beta'
diff --git a/passbook/audit/__init__.py b/passbook/audit/__init__.py
index e14df48c7c..875b919c05 100644
--- a/passbook/audit/__init__.py
+++ b/passbook/audit/__init__.py
@@ -1,2 +1,2 @@
 """passbook audit Header"""
-__version__ = '0.1.7-beta'
+__version__ = '0.1.8-beta'
diff --git a/passbook/captcha_factor/__init__.py b/passbook/captcha_factor/__init__.py
index d2f18bfc63..57bd027230 100644
--- a/passbook/captcha_factor/__init__.py
+++ b/passbook/captcha_factor/__init__.py
@@ -1,2 +1,2 @@
 """passbook captcha_factor Header"""
-__version__ = '0.1.7-beta'
+__version__ = '0.1.8-beta'
diff --git a/passbook/core/__init__.py b/passbook/core/__init__.py
index 6f4ef84407..1e3d2c6243 100644
--- a/passbook/core/__init__.py
+++ b/passbook/core/__init__.py
@@ -1,2 +1,2 @@
 """passbook core"""
-__version__ = '0.1.7-beta'
+__version__ = '0.1.8-beta'
diff --git a/passbook/hibp_policy/__init__.py b/passbook/hibp_policy/__init__.py
index 8097da7f8d..bee6aa1079 100644
--- a/passbook/hibp_policy/__init__.py
+++ b/passbook/hibp_policy/__init__.py
@@ -1,2 +1,2 @@
 """passbook hibp_policy"""
-__version__ = '0.1.7-beta'
+__version__ = '0.1.8-beta'
diff --git a/passbook/ldap/__init__.py b/passbook/ldap/__init__.py
index ce103112f2..966d739491 100644
--- a/passbook/ldap/__init__.py
+++ b/passbook/ldap/__init__.py
@@ -1,2 +1,2 @@
 """Passbook ldap app Header"""
-__version__ = '0.1.7-beta'
+__version__ = '0.1.8-beta'
diff --git a/passbook/lib/__init__.py b/passbook/lib/__init__.py
index 83b8edb506..23656ff3fb 100644
--- a/passbook/lib/__init__.py
+++ b/passbook/lib/__init__.py
@@ -1,2 +1,2 @@
 """passbook lib"""
-__version__ = '0.1.7-beta'
+__version__ = '0.1.8-beta'
diff --git a/passbook/oauth_client/__init__.py b/passbook/oauth_client/__init__.py
index b724c69546..155a8400c7 100644
--- a/passbook/oauth_client/__init__.py
+++ b/passbook/oauth_client/__init__.py
@@ -1,2 +1,2 @@
 """passbook oauth_client Header"""
-__version__ = '0.1.7-beta'
+__version__ = '0.1.8-beta'
diff --git a/passbook/oauth_provider/__init__.py b/passbook/oauth_provider/__init__.py
index b3f6524001..213644f5ec 100644
--- a/passbook/oauth_provider/__init__.py
+++ b/passbook/oauth_provider/__init__.py
@@ -1,2 +1,2 @@
 """passbook oauth_provider Header"""
-__version__ = '0.1.7-beta'
+__version__ = '0.1.8-beta'
diff --git a/passbook/otp/__init__.py b/passbook/otp/__init__.py
index 11a624c43c..339126d1c7 100644
--- a/passbook/otp/__init__.py
+++ b/passbook/otp/__init__.py
@@ -1,2 +1,2 @@
 """passbook otp Header"""
-__version__ = '0.1.7-beta'
+__version__ = '0.1.8-beta'
diff --git a/passbook/password_expiry_policy/__init__.py b/passbook/password_expiry_policy/__init__.py
index 2153f401f5..fcf49a8ec2 100644
--- a/passbook/password_expiry_policy/__init__.py
+++ b/passbook/password_expiry_policy/__init__.py
@@ -1,2 +1,2 @@
 """passbook password_expiry"""
-__version__ = '0.1.7-beta'
+__version__ = '0.1.8-beta'
diff --git a/passbook/saml_idp/__init__.py b/passbook/saml_idp/__init__.py
index 3e65afc4fe..fb175dfa90 100644
--- a/passbook/saml_idp/__init__.py
+++ b/passbook/saml_idp/__init__.py
@@ -1,2 +1,2 @@
 """passbook saml_idp Header"""
-__version__ = '0.1.7-beta'
+__version__ = '0.1.8-beta'

From c3034ab9ac13a3f6dc239f86598d90d422eff1e2 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sun, 10 Mar 2019 02:07:18 +0100
Subject: [PATCH 17/28] consistently using PolicyEngine

---
 passbook/admin/views/policy.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/passbook/admin/views/policy.py b/passbook/admin/views/policy.py
index 51dc4bd0cc..355ea916f5 100644
--- a/passbook/admin/views/policy.py
+++ b/passbook/admin/views/policy.py
@@ -11,6 +11,7 @@ from django.views.generic.detail import DetailView
 from passbook.admin.forms.policies import PolicyTestForm
 from passbook.admin.mixins import AdminRequiredMixin
 from passbook.core.models import Policy
+from passbook.core.policies import PolicyEngine
 from passbook.lib.utils.reflection import path_to_class
 
 
@@ -100,7 +101,9 @@ class PolicyTestView(AdminRequiredMixin, DetailView, FormView):
     def form_valid(self, form):
         policy = self.get_object()
         user = form.cleaned_data.get('user')
-        result = policy.passes(user)
+        policy_engine = PolicyEngine([policy])
+        policy_engine.for_user(user).with_request(self.request).build()
+        result = policy_engine.passing
         if result:
             messages.success(self.request, _('User successfully passed policy.'))
         else:

From 0fa1fc86da167ee436845d6ca0d80dac04713daf Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sun, 10 Mar 2019 02:07:48 +0100
Subject: [PATCH 18/28] add more Verbosity to PolicyEngine, rewrite SAML
 Authorisation check

---
 passbook/core/policies.py  |  3 +++
 passbook/saml_idp/views.py | 51 +++++++++++++++++++-------------------
 2 files changed, 29 insertions(+), 25 deletions(-)

diff --git a/passbook/core/policies.py b/passbook/core/policies.py
index f26919cef3..917b1a0398 100644
--- a/passbook/core/policies.py
+++ b/passbook/core/policies.py
@@ -54,6 +54,8 @@ class PolicyEngine:
 
     def build(self):
         """Build task group"""
+        if not self._user:
+            raise ValueError("User not set.")
         signatures = []
         kwargs = {
             '__password__': getattr(self._user, '__password__', None),
@@ -74,6 +76,7 @@ class PolicyEngine:
         for policy_action, policy_result, policy_message in self._group.get():
             passing = (policy_action == Policy.ACTION_ALLOW and policy_result) or \
                       (policy_action == Policy.ACTION_DENY and not policy_result)
+            LOGGER.debug('Action=%s, Result=%r => %r', policy_action, policy_result, passing)
             if policy_message:
                 messages.append(policy_message)
             if not passing:
diff --git a/passbook/saml_idp/views.py b/passbook/saml_idp/views.py
index f5cf03cd15..147a773997 100644
--- a/passbook/saml_idp/views.py
+++ b/passbook/saml_idp/views.py
@@ -2,7 +2,7 @@
 from logging import getLogger
 
 from django.contrib.auth import logout
-from django.contrib.auth.mixins import LoginRequiredMixin
+from django.contrib.auth.mixins import AccessMixin
 from django.core.exceptions import ValidationError
 from django.core.validators import URLValidator
 from django.http import HttpResponse, HttpResponseBadRequest
@@ -46,7 +46,7 @@ def render_xml(request, template, ctx):
     return render(request, template, context=ctx, content_type="application/xml")
 
 
-class ProviderMixin:
+class AccessRequiredView(AccessMixin, View):
     """Mixin class for Views using a provider instance"""
 
     _provider = None
@@ -59,8 +59,24 @@ class ProviderMixin:
             self._provider = get_object_or_404(SAMLProvider, pk=application.provider_id)
         return self._provider
 
+    def _has_access(self):
+        """Check if user has access to application"""
+        policy_engine = PolicyEngine(self.provider.application.policies.all())
+        policy_engine.for_user(self.request.user).with_request(self.request).build()
+        return policy_engine.passing
 
-class LoginBeginView(LoginRequiredMixin, View):
+    def dispatch(self, request, *args, **kwargs):
+        if not request.user.is_authenticated:
+            return self.handle_no_permission()
+        if not self._has_access():
+            return render(request, 'login/denied.html', {
+                'title': _("You don't have access to this application"),
+                'is_login': True
+            })
+        return super().dispatch(request, *args, **kwargs)
+
+
+class LoginBeginView(AccessRequiredView):
     """Receives a SAML 2.0 AuthnRequest from a Service Provider and
     stores it in the session prior to enforcing login."""
 
@@ -83,7 +99,7 @@ class LoginBeginView(LoginRequiredMixin, View):
         }))
 
 
-class RedirectToSPView(LoginRequiredMixin, View):
+class RedirectToSPView(AccessRequiredView):
     """Return autosubmit form"""
 
     def get(self, request, acs_url, saml_response, relay_state):
@@ -97,24 +113,13 @@ class RedirectToSPView(LoginRequiredMixin, View):
         })
 
 
-
-class LoginProcessView(ProviderMixin, LoginRequiredMixin, View):
+class LoginProcessView(AccessRequiredView):
     """Processor-based login continuation.
     Presents a SAML 2.0 Assertion for POSTing back to the Service Provider."""
 
-    def _has_access(self):
-        """Check if user has access to application"""
-        policy_engine = PolicyEngine(self.provider.application.policies.all())
-        policy_engine.for_user(self.request.user).with_request(self.request).build()
-        return policy_engine.passing
-
     def get(self, request, application):
         """Handle get request, i.e. render form"""
         LOGGER.debug("Request: %s", request)
-        if not self._has_access():
-            return render(request, 'login/denied.html', {
-                'title': _("You don't have access to this application")
-            })
         # Check if user has access
         if self.provider.application.skip_authorization:
             ctx = self.provider.processor.generate_response()
@@ -138,10 +143,6 @@ class LoginProcessView(ProviderMixin, LoginRequiredMixin, View):
     def post(self, request, application):
         """Handle post request, return back to ACS"""
         LOGGER.debug("Request: %s", request)
-        if not self._has_access():
-            return render(request, 'login/denied.html', {
-                'title': _("You don't have access to this application")
-            })
         # Check if user has access
         if request.POST.get('ACSUrl', None):
             # User accepted request
@@ -162,7 +163,7 @@ class LoginProcessView(ProviderMixin, LoginRequiredMixin, View):
             LOGGER.debug(exc)
 
 
-class LogoutView(CSRFExemptMixin, LoginRequiredMixin, View):
+class LogoutView(CSRFExemptMixin, AccessRequiredView):
     """Allows a non-SAML 2.0 URL to log out the user and
     returns a standard logged-out page. (SalesForce and others use this method,
     though it's technically not SAML 2.0)."""
@@ -183,7 +184,7 @@ class LogoutView(CSRFExemptMixin, LoginRequiredMixin, View):
         return render(request, 'saml/idp/logged_out.html')
 
 
-class SLOLogout(CSRFExemptMixin, LoginRequiredMixin, View):
+class SLOLogout(CSRFExemptMixin, AccessRequiredView):
     """Receives a SAML 2.0 LogoutRequest from a Service Provider,
     logs out the user and returns a standard logged-out page."""
 
@@ -199,7 +200,7 @@ class SLOLogout(CSRFExemptMixin, LoginRequiredMixin, View):
         return render(request, 'saml/idp/logged_out.html')
 
 
-class DescriptorDownloadView(ProviderMixin, View):
+class DescriptorDownloadView(AccessRequiredView):
     """Replies with the XML Metadata IDSSODescriptor."""
 
     def get(self, request, application):
@@ -223,10 +224,10 @@ class DescriptorDownloadView(ProviderMixin, View):
         return response
 
 
-class InitiateLoginView(ProviderMixin, LoginRequiredMixin, View):
+class InitiateLoginView(AccessRequiredView):
     """IdP-initiated Login"""
 
-    def dispatch(self, request, application):
+    def get(self, request, application):
         """Initiates an IdP-initiated link to a simple SP resource/target URL."""
         self.provider.processor.init_deep_link(request, '')
         return _generate_response(request, self.provider)

From 37aeeea2394c9660f7a1803196d25010ee8d3546 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sun, 10 Mar 2019 02:08:09 +0100
Subject: [PATCH 19/28] slightly refactor Factor View, add more unittests

---
 passbook/core/auth/view.py            |  51 +++++-----
 passbook/core/tests/test_auth_view.py | 130 ++++++++++++++++++++++++++
 2 files changed, 158 insertions(+), 23 deletions(-)
 create mode 100644 passbook/core/tests/test_auth_view.py

diff --git a/passbook/core/auth/view.py b/passbook/core/auth/view.py
index 81e6b48164..710967b145 100644
--- a/passbook/core/auth/view.py
+++ b/passbook/core/auth/view.py
@@ -39,35 +39,41 @@ class AuthenticationView(UserPassesTestMixin, View):
 
     # Allow only not authenticated users to login
     def test_func(self):
-        return self.request.user.is_authenticated is False
+        return AuthenticationView.SESSION_PENDING_USER in self.request.session
 
     def handle_no_permission(self):
         # Function from UserPassesTestMixin
         if 'next' in self.request.GET:
             return redirect(self.request.GET.get('next'))
-        return _redirect_with_qs('passbook_core:overview', self.request.GET)
+        if self.request.user.is_authenticated:
+            return _redirect_with_qs('passbook_core:overview', self.request.GET)
+        return _redirect_with_qs('passbook_core:auth-login', self.request.GET)
+
+    def get_pending_factors(self):
+        """Loading pending factors from Database or load from session variable"""
+        # Write pending factors to session
+        if AuthenticationView.SESSION_PENDING_FACTORS in self.request.session:
+            return self.request.session[AuthenticationView.SESSION_PENDING_FACTORS]
+        # Get an initial list of factors which are currently enabled
+        # and apply to the current user. We check policies here and block the request
+        _all_factors = Factor.objects.filter(enabled=True).order_by('order').select_subclasses()
+        pending_factors = []
+        for factor in _all_factors:
+            policy_engine = PolicyEngine(factor.policies.all())
+            policy_engine.for_user(self.pending_user).with_request(self.request).build()
+            if policy_engine.passing:
+                pending_factors.append((factor.uuid.hex, factor.type))
+        return pending_factors
 
     def dispatch(self, request, *args, **kwargs):
+        # Check if user passes test (i.e. SESSION_PENDING_USER is set)
+        user_test_result = self.get_test_func()()
+        if not user_test_result:
+            return self.handle_no_permission()
         # Extract pending user from session (only remember uid)
-        if AuthenticationView.SESSION_PENDING_USER in request.session:
-            self.pending_user = get_object_or_404(
-                User, id=self.request.session[AuthenticationView.SESSION_PENDING_USER])
-        else:
-            # No Pending user, redirect to login screen
-            return _redirect_with_qs('passbook_core:auth-login', request.GET)
-        # Write pending factors to session
-        if AuthenticationView.SESSION_PENDING_FACTORS in request.session:
-            self.pending_factors = request.session[AuthenticationView.SESSION_PENDING_FACTORS]
-        else:
-            # Get an initial list of factors which are currently enabled
-            # and apply to the current user. We check policies here and block the request
-            _all_factors = Factor.objects.filter(enabled=True).order_by('order').select_subclasses()
-            self.pending_factors = []
-            for factor in _all_factors:
-                policy_engine = PolicyEngine(factor.policies.all())
-                policy_engine.for_user(self.pending_user).with_request(request).build()
-                if policy_engine.passing:
-                    self.pending_factors.append((factor.uuid.hex, factor.type))
+        self.pending_user = get_object_or_404(
+            User, id=self.request.session[AuthenticationView.SESSION_PENDING_USER])
+        self.pending_factors = self.get_pending_factors()
         # Read and instantiate factor from session
         factor_uuid, factor_class = None, None
         if AuthenticationView.SESSION_FACTOR not in request.session:
@@ -107,11 +113,11 @@ class AuthenticationView(UserPassesTestMixin, View):
         next_factor = None
         if self.pending_factors:
             next_factor = self.pending_factors.pop()
+            # Save updated pening_factor list to session
             self.request.session[AuthenticationView.SESSION_PENDING_FACTORS] = \
                 self.pending_factors
             self.request.session[AuthenticationView.SESSION_FACTOR] = next_factor
             LOGGER.debug("Rendering Factor is %s", next_factor)
-            # return _redirect_with_qs('passbook_core:auth-process', kwargs={'factor': next_factor})
             return _redirect_with_qs('passbook_core:auth-process', self.request.GET)
         # User passed all factors
         LOGGER.debug("User passed all factors, logging in")
@@ -126,7 +132,6 @@ class AuthenticationView(UserPassesTestMixin, View):
 
     def _user_passed(self):
         """User Successfully passed all factors"""
-        # user = authenticate(request=self.request, )
         backend = self.request.session[AuthenticationView.SESSION_USER_BACKEND]
         login(self.request, self.pending_user, backend=backend)
         LOGGER.debug("Logged in user %s", self.pending_user)
diff --git a/passbook/core/tests/test_auth_view.py b/passbook/core/tests/test_auth_view.py
new file mode 100644
index 0000000000..573c214c83
--- /dev/null
+++ b/passbook/core/tests/test_auth_view.py
@@ -0,0 +1,130 @@
+"""passbook Core Authentication Test"""
+import string
+from random import SystemRandom
+
+from django.contrib.auth.models import AnonymousUser
+from django.contrib.sessions.middleware import SessionMiddleware
+from django.test import RequestFactory, TestCase
+from django.urls import reverse
+
+from passbook.core.auth.view import AuthenticationView
+from passbook.core.models import DummyFactor, PasswordFactor, User
+
+
+class TestFactorAuthentication(TestCase):
+    """passbook Core Authentication Test"""
+
+    def setUp(self):
+        super().setUp()
+        self.password = ''.join(SystemRandom().choice(
+            string.ascii_uppercase + string.digits) for _ in range(8))
+        self.factor, _ = PasswordFactor.objects.get_or_create(name='password',
+                                                              slug='password',
+                                                              backends=[])
+        self.user = User.objects.create_user(username='test',
+                                             email='test@test.test',
+                                             password=self.password)
+
+    def test_unauthenticated_raw(self):
+        """test direct call to AuthenticationView"""
+        response = self.client.get(reverse('passbook_core:auth-process'))
+        # Response should be 302 since no pending user is set
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(response.url, reverse('passbook_core:auth-login'))
+
+    def test_unauthenticated_prepared(self):
+        """test direct call but with pending_uesr in session"""
+        request = RequestFactory().get(reverse('passbook_core:auth-process'))
+        request.user = AnonymousUser()
+        request.session = {}
+        request.session[AuthenticationView.SESSION_PENDING_USER] = self.user.pk
+
+        response = AuthenticationView.as_view()(request)
+        self.assertEqual(response.status_code, 200)
+
+    def test_no_factors(self):
+        """Test with all factors disabled"""
+        self.factor.enabled = False
+        self.factor.save()
+        request = RequestFactory().get(reverse('passbook_core:auth-process'))
+        request.user = AnonymousUser()
+        request.session = {}
+        request.session[AuthenticationView.SESSION_PENDING_USER] = self.user.pk
+
+        response = AuthenticationView.as_view()(request)
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(response.url, reverse('passbook_core:auth-denied'))
+        self.factor.enabled = True
+        self.factor.save()
+
+    def test_authenticated(self):
+        """Test with already logged in user"""
+        self.client.force_login(self.user)
+        response = self.client.get(reverse('passbook_core:auth-process'))
+        # Response should be 302 since no pending user is set
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(response.url, reverse('passbook_core:overview'))
+        self.client.logout()
+
+    def test_unauthenticated_post(self):
+        """Test post request as unauthenticated user"""
+        request = RequestFactory().post(reverse('passbook_core:auth-process'), data={
+            'password': self.password
+        })
+        request.user = AnonymousUser()
+        middleware = SessionMiddleware()
+        middleware.process_request(request)
+        request.session.save()
+        request.session[AuthenticationView.SESSION_PENDING_USER] = self.user.pk
+
+        response = AuthenticationView.as_view()(request)
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(response.url, reverse('passbook_core:overview'))
+        self.client.logout()
+
+    def test_unauthenticated_post_invalid(self):
+        """Test post request as unauthenticated user"""
+        request = RequestFactory().post(reverse('passbook_core:auth-process'), data={
+            'password': self.password + 'a'
+        })
+        request.user = AnonymousUser()
+        middleware = SessionMiddleware()
+        middleware.process_request(request)
+        request.session.save()
+        request.session[AuthenticationView.SESSION_PENDING_USER] = self.user.pk
+
+        response = AuthenticationView.as_view()(request)
+        self.assertEqual(response.status_code, 200)
+        self.client.logout()
+
+    def test_multifactor(self):
+        """Test view with multiple active factors"""
+        DummyFactor.objects.get_or_create(name='dummy',
+                                          slug='dummy',
+                                          order=1)
+        request = RequestFactory().post(reverse('passbook_core:auth-process'), data={
+            'password': self.password
+        })
+        request.user = AnonymousUser()
+        middleware = SessionMiddleware()
+        middleware.process_request(request)
+        request.session.save()
+        request.session[AuthenticationView.SESSION_PENDING_USER] = self.user.pk
+
+        response = AuthenticationView.as_view()(request)
+        session_copy = request.session.items()
+        self.assertEqual(response.status_code, 302)
+        # Verify view redirects to itself after auth
+        self.assertEqual(response.url, reverse('passbook_core:auth-process'))
+
+        # Run another request with same session which should result in a logged in user
+        request = RequestFactory().post(reverse('passbook_core:auth-process'))
+        request.user = AnonymousUser()
+        middleware = SessionMiddleware()
+        middleware.process_request(request)
+        for key, value in session_copy:
+            request.session[key] = value
+        request.session.save()
+        response = AuthenticationView.as_view()(request)
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(response.url, reverse('passbook_core:overview'))

From f1291fec8d33256bc0d38b8764f3f59cae9f3ed1 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sun, 10 Mar 2019 02:41:31 +0100
Subject: [PATCH 20/28] add impersonation middleware, add to templates

---
 passbook/admin/middleware.py                  | 25 ++++++
 passbook/admin/settings.py                    |  5 ++
 .../templates/administration/user/list.html   |  2 +
 passbook/core/templates/base/skeleton.html    | 81 +++++++++++--------
 4 files changed, 78 insertions(+), 35 deletions(-)
 create mode 100644 passbook/admin/middleware.py
 create mode 100644 passbook/admin/settings.py

diff --git a/passbook/admin/middleware.py b/passbook/admin/middleware.py
new file mode 100644
index 0000000000..1c4d1c42a2
--- /dev/null
+++ b/passbook/admin/middleware.py
@@ -0,0 +1,25 @@
+"""passbook admin Middleware to impersonate users"""
+
+from passbook.core.models import User
+
+
+def impersonate(get_response):
+    """Middleware to impersonate users"""
+
+    def middleware(request):
+        """Middleware to impersonate users"""
+
+        # User is superuser and has __impersonate ID set
+        if request.user.is_superuser and "__impersonate" in request.GET:
+            request.session['impersonate_id'] = request.GET["__impersonate"]
+        # user wants to stop impersonation
+        elif "__unimpersonate" in request.GET and 'impersonate_id' in request.session:
+            del request.session['impersonate_id']
+
+        # Actually impersonate user
+        if request.user.is_superuser and 'impersonate_id' in request.session:
+            request.user = User.objects.get(pk=request.session['impersonate_id'])
+
+        response = get_response(request)
+        return response
+    return middleware
diff --git a/passbook/admin/settings.py b/passbook/admin/settings.py
new file mode 100644
index 0000000000..14f5e9421f
--- /dev/null
+++ b/passbook/admin/settings.py
@@ -0,0 +1,5 @@
+"""passbook admin settings"""
+
+MIDDLEWARE = [
+    'passbook.admin.middleware.impersonate',
+]
diff --git a/passbook/admin/templates/administration/user/list.html b/passbook/admin/templates/administration/user/list.html
index fe641038c0..726936b1ea 100644
--- a/passbook/admin/templates/administration/user/list.html
+++ b/passbook/admin/templates/administration/user/list.html
@@ -31,6 +31,8 @@
                         href="{% url 'passbook_admin:user-delete' pk=user.pk %}?back={{ request.get_full_path }}">{% trans 'Delete' %}</a>
                     <a class="btn btn-default btn-sm"
                         href="{% url 'passbook_admin:user-password-reset' pk=user.pk %}?back={{ request.get_full_path }}">{% trans 'Reset Password' %}</a>
+                    <a class="btn btn-default btn-sm"
+                        href="{% url 'passbook_core:overview' %}?__impersonate={{ user.pk }}">{% trans 'Impersonate' %}</a>
                 </td>
             </tr>
             {% endfor %}
diff --git a/passbook/core/templates/base/skeleton.html b/passbook/core/templates/base/skeleton.html
index dad2289969..dba86a0b8c 100644
--- a/passbook/core/templates/base/skeleton.html
+++ b/passbook/core/templates/base/skeleton.html
@@ -4,40 +4,51 @@
 
 <!DOCTYPE html>
 <html lang="en">
-  <head>
-    <meta charset="UTF-8">
-    <meta name="viewport" content="width=device-width, initial-scale=1">
-    <title>
-      {% block title %}
-        {% title %}
-      {% endblock %}
-    </title>
-    <link rel="icon" type="image/png" href="{% static 'img/logo.png' %}">
-    <link rel="shortcut icon" type="image/png" href="{% static 'img/logo.png' %}">
-    <link rel="stylesheet" type="text/css" href="{% static 'css/patternfly.min.css' %}">
-    <link rel="stylesheet" type="text/css" href="{% static 'css/patternfly-additions.min.css' %}">
-    <link rel="stylesheet" type="text/css" href="{% static 'css/passbook.css' %}">
-    <style>
-        .login-pf {
-            background-attachment: fixed;
-            scroll-behavior: smooth;
-            background-size: cover;
-        }
-    </style>
-    {% block head %}
+
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title>
+    {% block title %}
+    {% title %}
     {% endblock %}
-  </head>
-  <body {% if is_login %} class="login-pf" {% endif %}>
-    {% block body %}
-    {% endblock %}
-    <script src="{% static 'js/jquery.min.js' %}"></script>
-    <script src="{% static 'js/bootstrap.min.js' %}"></script>
-    <script src="{% static 'js/patternfly.min.js' %}"></script>
-    <script src="{% static 'js/passbook.js' %}"></script>
-    {% block scripts %}
-    {% endblock %}
-    <div class="modals">
-      {% include 'partials/about_modal.html' %}
-    </div>
-  </body>
+  </title>
+  <link rel="icon" type="image/png" href="{% static 'img/logo.png' %}">
+  <link rel="shortcut icon" type="image/png" href="{% static 'img/logo.png' %}">
+  <link rel="stylesheet" type="text/css" href="{% static 'css/patternfly.min.css' %}">
+  <link rel="stylesheet" type="text/css" href="{% static 'css/patternfly-additions.min.css' %}">
+  <link rel="stylesheet" type="text/css" href="{% static 'css/passbook.css' %}">
+  <style>
+    .login-pf {
+      background-attachment: fixed;
+      scroll-behavior: smooth;
+      background-size: cover;
+    }
+  </style>
+  {% block head %}
+  {% endblock %}
+</head>
+
+<body {% if is_login %} class="login-pf" {% endif %}>
+  {% if 'impersonate_id' in request.session %}
+  <div class="experimental-pf-bar">
+    <span id="experimentalBar" class="experimental-pf-text">
+      {% blocktrans with user=user %}You're currently impersonating {{ user }}.{% endblocktrans %}
+      <a href="?__unimpersonate=True" id="acceptMessage">{% trans 'Stop impersonation' %}</a>
+    </span>
+  </div>
+  {% endif %}
+  {% block body %}
+  {% endblock %}
+  <script src="{% static 'js/jquery.min.js' %}"></script>
+  <script src="{% static 'js/bootstrap.min.js' %}"></script>
+  <script src="{% static 'js/patternfly.min.js' %}"></script>
+  <script src="{% static 'js/passbook.js' %}"></script>
+  {% block scripts %}
+  {% endblock %}
+  <div class="modals">
+    {% include 'partials/about_modal.html' %}
+  </div>
+</body>
+
 </html>

From a5dc193cfd92065fdf5da24aa94621e8a572cafd Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sun, 10 Mar 2019 12:17:48 +0100
Subject: [PATCH 21/28] bump version: 0.1.8-beta -> 0.1.9-beta

---
 .bumpversion.cfg                            | 2 +-
 .gitlab-ci.yml                              | 2 +-
 helm/passbook/Chart.yaml                    | 4 ++--
 helm/passbook/values.yaml                   | 2 +-
 passbook/__init__.py                        | 2 +-
 passbook/admin/__init__.py                  | 2 +-
 passbook/api/__init__.py                    | 2 +-
 passbook/audit/__init__.py                  | 2 +-
 passbook/captcha_factor/__init__.py         | 2 +-
 passbook/core/__init__.py                   | 2 +-
 passbook/hibp_policy/__init__.py            | 2 +-
 passbook/ldap/__init__.py                   | 2 +-
 passbook/lib/__init__.py                    | 2 +-
 passbook/oauth_client/__init__.py           | 2 +-
 passbook/oauth_provider/__init__.py         | 2 +-
 passbook/otp/__init__.py                    | 2 +-
 passbook/password_expiry_policy/__init__.py | 2 +-
 passbook/saml_idp/__init__.py               | 2 +-
 18 files changed, 19 insertions(+), 19 deletions(-)

diff --git a/.bumpversion.cfg b/.bumpversion.cfg
index 595a88bd77..4890f4910a 100644
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 0.1.8-beta
+current_version = 0.1.9-beta
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\-(?P<release>.*)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 4ae596d6e1..48447b42ca 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -53,7 +53,7 @@ package-docker:
   before_script:
     - echo "{\"auths\":{\"docker.$NEXUS_URL\":{\"auth\":\"$NEXUS_AUTH\"}}}" > /kaniko/.docker/config.json
   script:
-    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination docker.pkg.beryju.org/passbook:latest --destination docker.pkg.beryju.org/passbook:0.1.8-beta
+    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination docker.pkg.beryju.org/passbook:latest --destination docker.pkg.beryju.org/passbook:0.1.9-beta
   stage: build
   only:
     - tags
diff --git a/helm/passbook/Chart.yaml b/helm/passbook/Chart.yaml
index a3b6368e41..02d43573ca 100644
--- a/helm/passbook/Chart.yaml
+++ b/helm/passbook/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
-appVersion: "0.1.8-beta"
+appVersion: "0.1.9-beta"
 description: A Helm chart for passbook.
 name: passbook
-version: "0.1.8-beta"
+version: "0.1.9-beta"
 icon: https://passbook.beryju.org/images/logo.png
diff --git a/helm/passbook/values.yaml b/helm/passbook/values.yaml
index c0c7eff4fe..25edd8e9f2 100644
--- a/helm/passbook/values.yaml
+++ b/helm/passbook/values.yaml
@@ -5,7 +5,7 @@
 replicaCount: 1
 
 image:
-  tag: 0.1.8-beta
+  tag: 0.1.9-beta
 
 nameOverride: ""
 
diff --git a/passbook/__init__.py b/passbook/__init__.py
index 11653b3e00..fb410dcada 100644
--- a/passbook/__init__.py
+++ b/passbook/__init__.py
@@ -1,2 +1,2 @@
 """passbook"""
-__version__ = '0.1.8-beta'
+__version__ = '0.1.9-beta'
diff --git a/passbook/admin/__init__.py b/passbook/admin/__init__.py
index 8b1e8c4aeb..7be3e847a6 100644
--- a/passbook/admin/__init__.py
+++ b/passbook/admin/__init__.py
@@ -1,2 +1,2 @@
 """passbook admin"""
-__version__ = '0.1.8-beta'
+__version__ = '0.1.9-beta'
diff --git a/passbook/api/__init__.py b/passbook/api/__init__.py
index cd6f09ba5e..c08b616191 100644
--- a/passbook/api/__init__.py
+++ b/passbook/api/__init__.py
@@ -1,2 +1,2 @@
 """passbook api"""
-__version__ = '0.1.8-beta'
+__version__ = '0.1.9-beta'
diff --git a/passbook/audit/__init__.py b/passbook/audit/__init__.py
index 875b919c05..9dad3e6865 100644
--- a/passbook/audit/__init__.py
+++ b/passbook/audit/__init__.py
@@ -1,2 +1,2 @@
 """passbook audit Header"""
-__version__ = '0.1.8-beta'
+__version__ = '0.1.9-beta'
diff --git a/passbook/captcha_factor/__init__.py b/passbook/captcha_factor/__init__.py
index 57bd027230..81c8c7c190 100644
--- a/passbook/captcha_factor/__init__.py
+++ b/passbook/captcha_factor/__init__.py
@@ -1,2 +1,2 @@
 """passbook captcha_factor Header"""
-__version__ = '0.1.8-beta'
+__version__ = '0.1.9-beta'
diff --git a/passbook/core/__init__.py b/passbook/core/__init__.py
index 1e3d2c6243..2ead9f0cff 100644
--- a/passbook/core/__init__.py
+++ b/passbook/core/__init__.py
@@ -1,2 +1,2 @@
 """passbook core"""
-__version__ = '0.1.8-beta'
+__version__ = '0.1.9-beta'
diff --git a/passbook/hibp_policy/__init__.py b/passbook/hibp_policy/__init__.py
index bee6aa1079..9223c559b6 100644
--- a/passbook/hibp_policy/__init__.py
+++ b/passbook/hibp_policy/__init__.py
@@ -1,2 +1,2 @@
 """passbook hibp_policy"""
-__version__ = '0.1.8-beta'
+__version__ = '0.1.9-beta'
diff --git a/passbook/ldap/__init__.py b/passbook/ldap/__init__.py
index 966d739491..87655cb406 100644
--- a/passbook/ldap/__init__.py
+++ b/passbook/ldap/__init__.py
@@ -1,2 +1,2 @@
 """Passbook ldap app Header"""
-__version__ = '0.1.8-beta'
+__version__ = '0.1.9-beta'
diff --git a/passbook/lib/__init__.py b/passbook/lib/__init__.py
index 23656ff3fb..89b1092845 100644
--- a/passbook/lib/__init__.py
+++ b/passbook/lib/__init__.py
@@ -1,2 +1,2 @@
 """passbook lib"""
-__version__ = '0.1.8-beta'
+__version__ = '0.1.9-beta'
diff --git a/passbook/oauth_client/__init__.py b/passbook/oauth_client/__init__.py
index 155a8400c7..e8667934ca 100644
--- a/passbook/oauth_client/__init__.py
+++ b/passbook/oauth_client/__init__.py
@@ -1,2 +1,2 @@
 """passbook oauth_client Header"""
-__version__ = '0.1.8-beta'
+__version__ = '0.1.9-beta'
diff --git a/passbook/oauth_provider/__init__.py b/passbook/oauth_provider/__init__.py
index 213644f5ec..48a5abe678 100644
--- a/passbook/oauth_provider/__init__.py
+++ b/passbook/oauth_provider/__init__.py
@@ -1,2 +1,2 @@
 """passbook oauth_provider Header"""
-__version__ = '0.1.8-beta'
+__version__ = '0.1.9-beta'
diff --git a/passbook/otp/__init__.py b/passbook/otp/__init__.py
index 339126d1c7..977ae5891f 100644
--- a/passbook/otp/__init__.py
+++ b/passbook/otp/__init__.py
@@ -1,2 +1,2 @@
 """passbook otp Header"""
-__version__ = '0.1.8-beta'
+__version__ = '0.1.9-beta'
diff --git a/passbook/password_expiry_policy/__init__.py b/passbook/password_expiry_policy/__init__.py
index fcf49a8ec2..ef1c615cab 100644
--- a/passbook/password_expiry_policy/__init__.py
+++ b/passbook/password_expiry_policy/__init__.py
@@ -1,2 +1,2 @@
 """passbook password_expiry"""
-__version__ = '0.1.8-beta'
+__version__ = '0.1.9-beta'
diff --git a/passbook/saml_idp/__init__.py b/passbook/saml_idp/__init__.py
index fb175dfa90..9ffa0b09c8 100644
--- a/passbook/saml_idp/__init__.py
+++ b/passbook/saml_idp/__init__.py
@@ -1,2 +1,2 @@
 """passbook saml_idp Header"""
-__version__ = '0.1.8-beta'
+__version__ = '0.1.9-beta'

From c012c6be5ca38229c7160e4be20a4d764d96012d Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sun, 10 Mar 2019 15:34:24 +0100
Subject: [PATCH 22/28] fix k8s service routing http traffic to workers

---
 helm/passbook/templates/passbook-web-deployment.yaml    | 1 +
 helm/passbook/templates/passbook-web-service.yaml       | 1 +
 helm/passbook/templates/passbook-worker-deployment.yaml | 1 +
 3 files changed, 3 insertions(+)

diff --git a/helm/passbook/templates/passbook-web-deployment.yaml b/helm/passbook/templates/passbook-web-deployment.yaml
index 78830221d3..868a067083 100644
--- a/helm/passbook/templates/passbook-web-deployment.yaml
+++ b/helm/passbook/templates/passbook-web-deployment.yaml
@@ -7,6 +7,7 @@ metadata:
     helm.sh/chart: {{ include "passbook.chart" . }}
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/managed-by: {{ .Release.Service }}
+    passbook.io/component: web
 spec:
   replicas: {{ .Values.replicaCount }}
   selector:
diff --git a/helm/passbook/templates/passbook-web-service.yaml b/helm/passbook/templates/passbook-web-service.yaml
index 1cbb65de60..9406e6c67a 100644
--- a/helm/passbook/templates/passbook-web-service.yaml
+++ b/helm/passbook/templates/passbook-web-service.yaml
@@ -17,3 +17,4 @@ spec:
   selector:
     app.kubernetes.io/name: {{ include "passbook.name" . }}
     app.kubernetes.io/instance: {{ .Release.Name }}
+    passbook.io/component: web
diff --git a/helm/passbook/templates/passbook-worker-deployment.yaml b/helm/passbook/templates/passbook-worker-deployment.yaml
index f4b6c8513b..625bbd188f 100644
--- a/helm/passbook/templates/passbook-worker-deployment.yaml
+++ b/helm/passbook/templates/passbook-worker-deployment.yaml
@@ -7,6 +7,7 @@ metadata:
     helm.sh/chart: {{ include "passbook.chart" . }}
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/managed-by: {{ .Release.Service }}
+    passbook.io/component: worker
 spec:
   replicas: {{ .Values.replicaCount }}
   selector:

From 7fe0300b86c592988db137142bcd1d6f769c3f06 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sun, 10 Mar 2019 15:36:49 +0100
Subject: [PATCH 23/28] Fix button on policy test page

---
 passbook/admin/templates/administration/policy/test.html | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/passbook/admin/templates/administration/policy/test.html b/passbook/admin/templates/administration/policy/test.html
index 6a5ddcbb10..ae4ebf84c3 100644
--- a/passbook/admin/templates/administration/policy/test.html
+++ b/passbook/admin/templates/administration/policy/test.html
@@ -5,3 +5,7 @@
 {% block above_form %}
 <h1>{% blocktrans with policy=policy %}Test policy {{ policy }}{% endblocktrans %}</h1>
 {% endblock %}
+
+{% block action %}
+{% trans 'Test' %}
+{% endblock %}

From 0e425418df4566f8cf100e2857856e454664e2e1 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sun, 10 Mar 2019 15:46:49 +0100
Subject: [PATCH 24/28] better show loading state when testing a policy

---
 .../templates/administration/policy/test.html     | 15 +++++++++++++++
 passbook/admin/templates/generic/form.html        |  2 ++
 2 files changed, 17 insertions(+)

diff --git a/passbook/admin/templates/administration/policy/test.html b/passbook/admin/templates/administration/policy/test.html
index ae4ebf84c3..932e197054 100644
--- a/passbook/admin/templates/administration/policy/test.html
+++ b/passbook/admin/templates/administration/policy/test.html
@@ -9,3 +9,18 @@
 {% block action %}
 {% trans 'Test' %}
 {% endblock %}
+
+{% block beneath_form %}
+<p class="loading" style="display: none;">
+  <span class="spinner spinner-xs spinner-inline"></span> {% trans 'Processing, please wait...' %}
+</p>
+{% endblock %}
+
+{% block scripts %}
+{{ block.super }}
+<script>
+  $('form').on('submit', function () {
+    $('p.loading').show();
+  })
+</script>
+{% endblock %}
diff --git a/passbook/admin/templates/generic/form.html b/passbook/admin/templates/generic/form.html
index 4de06b3386..88bbec8567 100644
--- a/passbook/admin/templates/generic/form.html
+++ b/passbook/admin/templates/generic/form.html
@@ -19,6 +19,8 @@
       <input type="submit" class="btn btn-primary" value="{% block action %}{% endblock %}" />
     </form>
   </div>
+  {% block beneath_form %}
+  {% endblock %}
 </div>
 {% endblock %}
 

From 42b30f450797278510c13b26e225dc4bc236d050 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sun, 10 Mar 2019 15:53:38 +0100
Subject: [PATCH 25/28] prepare 0.1.10 release

---
 debian/changelog | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 20367e56cd..679515b614 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,17 @@
+passbook (0.1.10) stable; urgency=high
+
+  * bump version: 0.1.7-beta -> 0.1.8-beta
+  * consistently using PolicyEngine
+  * add more Verbosity to PolicyEngine, rewrite SAML Authorisation check
+  * slightly refactor Factor View, add more unittests
+  * add impersonation middleware, add to templates
+  * bump version: 0.1.8-beta -> 0.1.9-beta
+  * fix k8s service routing http traffic to workers
+  * Fix button on policy test page
+  * better show loading state when testing a policy
+
+ -- Jens Langhammer <jens.langhammer@beryju.org>  Sun, 10 Mar 2019 14:52:40 +0000
+
 passbook (0.1.7) stable; urgency=medium
 
   * bump version: 0.1.3-beta -> 0.1.4-beta

From eebbae067730dfe756f013256df5453ef5d2a825 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sun, 10 Mar 2019 15:54:50 +0100
Subject: [PATCH 26/28] bump version: 0.1.9-beta -> 0.1.10-beta

---
 .bumpversion.cfg                            | 2 +-
 .gitlab-ci.yml                              | 2 +-
 helm/passbook/Chart.yaml                    | 4 ++--
 helm/passbook/values.yaml                   | 2 +-
 passbook/__init__.py                        | 2 +-
 passbook/admin/__init__.py                  | 2 +-
 passbook/api/__init__.py                    | 2 +-
 passbook/audit/__init__.py                  | 2 +-
 passbook/captcha_factor/__init__.py         | 2 +-
 passbook/core/__init__.py                   | 2 +-
 passbook/hibp_policy/__init__.py            | 2 +-
 passbook/ldap/__init__.py                   | 2 +-
 passbook/lib/__init__.py                    | 2 +-
 passbook/oauth_client/__init__.py           | 2 +-
 passbook/oauth_provider/__init__.py         | 2 +-
 passbook/otp/__init__.py                    | 2 +-
 passbook/password_expiry_policy/__init__.py | 2 +-
 passbook/saml_idp/__init__.py               | 2 +-
 18 files changed, 19 insertions(+), 19 deletions(-)

diff --git a/.bumpversion.cfg b/.bumpversion.cfg
index 4890f4910a..29c810a10c 100644
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 0.1.9-beta
+current_version = 0.1.10-beta
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\-(?P<release>.*)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 48447b42ca..398fa5628e 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -53,7 +53,7 @@ package-docker:
   before_script:
     - echo "{\"auths\":{\"docker.$NEXUS_URL\":{\"auth\":\"$NEXUS_AUTH\"}}}" > /kaniko/.docker/config.json
   script:
-    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination docker.pkg.beryju.org/passbook:latest --destination docker.pkg.beryju.org/passbook:0.1.9-beta
+    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination docker.pkg.beryju.org/passbook:latest --destination docker.pkg.beryju.org/passbook:0.1.10-beta
   stage: build
   only:
     - tags
diff --git a/helm/passbook/Chart.yaml b/helm/passbook/Chart.yaml
index 02d43573ca..5b133024d7 100644
--- a/helm/passbook/Chart.yaml
+++ b/helm/passbook/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
-appVersion: "0.1.9-beta"
+appVersion: "0.1.10-beta"
 description: A Helm chart for passbook.
 name: passbook
-version: "0.1.9-beta"
+version: "0.1.10-beta"
 icon: https://passbook.beryju.org/images/logo.png
diff --git a/helm/passbook/values.yaml b/helm/passbook/values.yaml
index 25edd8e9f2..cf75920f8c 100644
--- a/helm/passbook/values.yaml
+++ b/helm/passbook/values.yaml
@@ -5,7 +5,7 @@
 replicaCount: 1
 
 image:
-  tag: 0.1.9-beta
+  tag: 0.1.10-beta
 
 nameOverride: ""
 
diff --git a/passbook/__init__.py b/passbook/__init__.py
index fb410dcada..700e02bb31 100644
--- a/passbook/__init__.py
+++ b/passbook/__init__.py
@@ -1,2 +1,2 @@
 """passbook"""
-__version__ = '0.1.9-beta'
+__version__ = '0.1.10-beta'
diff --git a/passbook/admin/__init__.py b/passbook/admin/__init__.py
index 7be3e847a6..f772a64223 100644
--- a/passbook/admin/__init__.py
+++ b/passbook/admin/__init__.py
@@ -1,2 +1,2 @@
 """passbook admin"""
-__version__ = '0.1.9-beta'
+__version__ = '0.1.10-beta'
diff --git a/passbook/api/__init__.py b/passbook/api/__init__.py
index c08b616191..0c5b0717a5 100644
--- a/passbook/api/__init__.py
+++ b/passbook/api/__init__.py
@@ -1,2 +1,2 @@
 """passbook api"""
-__version__ = '0.1.9-beta'
+__version__ = '0.1.10-beta'
diff --git a/passbook/audit/__init__.py b/passbook/audit/__init__.py
index 9dad3e6865..ee9db2eccd 100644
--- a/passbook/audit/__init__.py
+++ b/passbook/audit/__init__.py
@@ -1,2 +1,2 @@
 """passbook audit Header"""
-__version__ = '0.1.9-beta'
+__version__ = '0.1.10-beta'
diff --git a/passbook/captcha_factor/__init__.py b/passbook/captcha_factor/__init__.py
index 81c8c7c190..814a2c720b 100644
--- a/passbook/captcha_factor/__init__.py
+++ b/passbook/captcha_factor/__init__.py
@@ -1,2 +1,2 @@
 """passbook captcha_factor Header"""
-__version__ = '0.1.9-beta'
+__version__ = '0.1.10-beta'
diff --git a/passbook/core/__init__.py b/passbook/core/__init__.py
index 2ead9f0cff..34384aea8d 100644
--- a/passbook/core/__init__.py
+++ b/passbook/core/__init__.py
@@ -1,2 +1,2 @@
 """passbook core"""
-__version__ = '0.1.9-beta'
+__version__ = '0.1.10-beta'
diff --git a/passbook/hibp_policy/__init__.py b/passbook/hibp_policy/__init__.py
index 9223c559b6..0630e11015 100644
--- a/passbook/hibp_policy/__init__.py
+++ b/passbook/hibp_policy/__init__.py
@@ -1,2 +1,2 @@
 """passbook hibp_policy"""
-__version__ = '0.1.9-beta'
+__version__ = '0.1.10-beta'
diff --git a/passbook/ldap/__init__.py b/passbook/ldap/__init__.py
index 87655cb406..f23eb47eaa 100644
--- a/passbook/ldap/__init__.py
+++ b/passbook/ldap/__init__.py
@@ -1,2 +1,2 @@
 """Passbook ldap app Header"""
-__version__ = '0.1.9-beta'
+__version__ = '0.1.10-beta'
diff --git a/passbook/lib/__init__.py b/passbook/lib/__init__.py
index 89b1092845..755c6777fc 100644
--- a/passbook/lib/__init__.py
+++ b/passbook/lib/__init__.py
@@ -1,2 +1,2 @@
 """passbook lib"""
-__version__ = '0.1.9-beta'
+__version__ = '0.1.10-beta'
diff --git a/passbook/oauth_client/__init__.py b/passbook/oauth_client/__init__.py
index e8667934ca..6a32e8af18 100644
--- a/passbook/oauth_client/__init__.py
+++ b/passbook/oauth_client/__init__.py
@@ -1,2 +1,2 @@
 """passbook oauth_client Header"""
-__version__ = '0.1.9-beta'
+__version__ = '0.1.10-beta'
diff --git a/passbook/oauth_provider/__init__.py b/passbook/oauth_provider/__init__.py
index 48a5abe678..a2a618929f 100644
--- a/passbook/oauth_provider/__init__.py
+++ b/passbook/oauth_provider/__init__.py
@@ -1,2 +1,2 @@
 """passbook oauth_provider Header"""
-__version__ = '0.1.9-beta'
+__version__ = '0.1.10-beta'
diff --git a/passbook/otp/__init__.py b/passbook/otp/__init__.py
index 977ae5891f..09b157720b 100644
--- a/passbook/otp/__init__.py
+++ b/passbook/otp/__init__.py
@@ -1,2 +1,2 @@
 """passbook otp Header"""
-__version__ = '0.1.9-beta'
+__version__ = '0.1.10-beta'
diff --git a/passbook/password_expiry_policy/__init__.py b/passbook/password_expiry_policy/__init__.py
index ef1c615cab..d63ba506ef 100644
--- a/passbook/password_expiry_policy/__init__.py
+++ b/passbook/password_expiry_policy/__init__.py
@@ -1,2 +1,2 @@
 """passbook password_expiry"""
-__version__ = '0.1.9-beta'
+__version__ = '0.1.10-beta'
diff --git a/passbook/saml_idp/__init__.py b/passbook/saml_idp/__init__.py
index 9ffa0b09c8..907a72ce9a 100644
--- a/passbook/saml_idp/__init__.py
+++ b/passbook/saml_idp/__init__.py
@@ -1,2 +1,2 @@
 """passbook saml_idp Header"""
-__version__ = '0.1.9-beta'
+__version__ = '0.1.10-beta'

From c4b429825dd95adb9ee2893a215ea90d52edbb8e Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sun, 10 Mar 2019 16:39:41 +0100
Subject: [PATCH 27/28] fix helm labels being on deployments and not pods

---
 helm/passbook/templates/passbook-web-deployment.yaml    | 2 +-
 helm/passbook/templates/passbook-worker-deployment.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/helm/passbook/templates/passbook-web-deployment.yaml b/helm/passbook/templates/passbook-web-deployment.yaml
index 868a067083..2308300cab 100644
--- a/helm/passbook/templates/passbook-web-deployment.yaml
+++ b/helm/passbook/templates/passbook-web-deployment.yaml
@@ -7,7 +7,6 @@ metadata:
     helm.sh/chart: {{ include "passbook.chart" . }}
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/managed-by: {{ .Release.Service }}
-    passbook.io/component: web
 spec:
   replicas: {{ .Values.replicaCount }}
   selector:
@@ -19,6 +18,7 @@ spec:
       labels:
         app.kubernetes.io/name: {{ include "passbook.name" . }}
         app.kubernetes.io/instance: {{ .Release.Name }}
+        passbook.io/component: web
     spec:
       volumes:
         - name: config-volume
diff --git a/helm/passbook/templates/passbook-worker-deployment.yaml b/helm/passbook/templates/passbook-worker-deployment.yaml
index 625bbd188f..79cd11002a 100644
--- a/helm/passbook/templates/passbook-worker-deployment.yaml
+++ b/helm/passbook/templates/passbook-worker-deployment.yaml
@@ -7,7 +7,6 @@ metadata:
     helm.sh/chart: {{ include "passbook.chart" . }}
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/managed-by: {{ .Release.Service }}
-    passbook.io/component: worker
 spec:
   replicas: {{ .Values.replicaCount }}
   selector:
@@ -19,6 +18,7 @@ spec:
       labels:
         app.kubernetes.io/name: {{ include "passbook.name" . }}
         app.kubernetes.io/instance: {{ .Release.Name }}
+        passbook.io/component: worker
     spec:
       volumes:
         - name: config-volume

From 5e11b6687edf801326d7245ec190e6a79affcf3c Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sun, 10 Mar 2019 17:08:33 +0100
Subject: [PATCH 28/28] automatically deploy after release

---
 .gitlab-ci.yml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 398fa5628e..01729e1006 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -8,6 +8,7 @@ stages:
   - test
   - build
   - docs
+  - deploy
 image: python:3.6
 services:
   - postgres:latest
@@ -113,3 +114,18 @@ package-debian:
 #     - mkdocs build
 #     - 'rsync -avh --delete web/* "beryjuorg@ory1-web-prod-1.ory1.beryju.org:passbook.beryju.org/"'
 #     - 'rsync -avh --delete site/* "beryjuorg@ory1-web-prod-1.ory1.beryju.org:passbook.beryju.org/docs/"'
+
+deploy:
+  environment:
+    name: production
+    url: https://passbook-prod.default.k8s.beryju.org/
+  stage: deploy
+  only:
+  - tags
+  - /^version/.*$/
+  script:
+    - curl https://raw.githubusercontent.com/helm/helm/master/scripts/get | bash
+    - helm init --client-only
+    - helm repo add beryju.org https://pkg.beryju.org/repository/helm/
+    - helm repo update
+    - helm upgrade passbook-prod beryju.org/passbook --devel