policies/expression: migrate to raw python instead of jinja2 (#49)

* policies/expression: migrate to raw python instead of jinja2

* lib/expression: create base evaluator, custom subclass for policies

* core: rewrite propertymappings to use python

* providers/saml: update to new PropertyMappings

* sources/ldap: update to new PropertyMappings

* docs: update docs for new propertymappings

* root: remove jinja2

* root: re-add jinja to lock file as its implicitly required

docs/policies/expression.md

@@ -0,0 +1,27 @@
+# Expression Policies
+
+The passing of the policy is determined by the return value of the code. Use `return True` to pass a policy and `return False` to fail it.
+
+### Available Functions
+
+#### `pb_message(message: str)`
+
+Add a message, visible by the end user. This can be used to show the reason why they were denied.
+
+Example:
+
+```python
+pb_message("Access denied")
+return False
+```
+
+### Context variables
+
+- `request`: A PolicyRequest object, which has the following properties:
+    - `request.user`: The current User, which the Policy is applied against. ([ref](../expressions/reference/user-object.md))
+    - `request.http_request`: The Django HTTP Request. ([ref](https://docs.djangoproject.com/en/3.0/ref/request-response/#httprequest-objects))
+    - `request.obj`: A Django Model instance. This is only set if the Policy is ran against an object.
+    - `request.context`: A dictionary with dynamic data. This depends on the origin of the execution.
+- `pb_is_sso_flow`: Boolean which is true if request was initiated by authenticating through an external Provider.
+- `pb_client_ip`: Client's IP Address or '255.255.255.255' if no IP Address could be extracted.
+- `pb_flow_plan`: Current Plan if Policy is called from the Flow Planner.

docs/policies/expression/index.md

@@ -1,22 +0,0 @@
-# Expression Policy
-
-Expression Policies allows you to write custom Policy Logic using Jinja2 Templating language.
-
-For a language reference, see [here](https://jinja.palletsprojects.com/en/2.11.x/templates/).
-
-The following objects are passed into the variable:
-
-- `request`: A PolicyRequest object, which has the following properties:
-    - `request.user`: The current User, which the Policy is applied against. ([ref](../../property-mappings/reference/user-object.md))
-    - `request.http_request`: The Django HTTP Request, as documented [here](https://docs.djangoproject.com/en/3.0/ref/request-response/#httprequest-objects).
-    - `request.obj`: A Django Model instance. This is only set if the Policy is ran against an object.
-- `pb_flow_plan`: Current Plan if Policy is called while a flow is active.
-- `pb_is_sso_flow`: Boolean which is true if request was initiated by authenticating through an external Provider.
-- `pb_is_group_member(user, group_name)`: Function which checks if `user` is member of a Group with Name `gorup_name`.
-- `pb_logger`: Standard Python Logger Object, which can be used to debug expressions.
-- `pb_client_ip`: Client's IP Address.
-
-There are also the following custom filters available:
-
-- `regex_match(regex)`: Return True if value matches `regex`
-- `regex_replace(regex, repl)`: Replace string matched by `regex` with `repl`

docs/policies/index.md

@@ -8,10 +8,6 @@ There are two different Kind of policies, a Standard Policy and a Password Polic
 
 ---
 
-### Group-Membership Policy
-
-This policy evaluates to True if the current user is a Member of the selected group.
-
 ### Reputation Policy
 
 passbook keeps track of failed login attempts by Source IP and Attempted Username. These values are saved as scores. Each failed login decreases the Score for the Client IP as well as the targeted Username by one.
@@ -20,11 +16,7 @@ This policy can be used to for example prompt Clients with a low score to pass a
 
 ## Expression Policy
 
-See [Expression Policy](expression/index.md).
-
-### Webhook Policy
-
-This policy allows you to send an arbitrary HTTP Request to any URL. You can then use JSONPath to extract the result you need.
+See [Expression Policy](expression.md).
 
 ## Password Policies