new release: 0.2.0-beta

Move Main Django Project into passbook.root while passbook.core holds core functionality.

passbook.root contains main settings, ASGI & WSGI, celery and URLs.

.bumpversion.cfg

@@ -1,19 +1,26 @@
 [bumpversion]
-current_version = 0.0.10-alpha
+current_version = 0.2.0-beta
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\-(?P<release>.*)
 serialize = {major}.{minor}.{patch}-{release}
-message = bump version: {current_version} -> {new_version}
+message = new release: {new_version}
 tag_name = version/{new_version}
 
 [bumpversion:part:release]
 optional_value = stable
+first_value = beta
 values = 
 	alpha
 	beta
 	stable
 
+[bumpversion:file:client-packages/allauth/setup.py]
+
+[bumpversion:file:client-packages/sentry-auth-passbook/setup.py]
+
+[bumpversion:file:helm/passbook/values.yaml]
+
 [bumpversion:file:helm/passbook/Chart.yaml]
 
 [bumpversion:file:.gitlab-ci.yml]
@@ -34,6 +41,10 @@ values =
 
 [bumpversion:file:passbook/lib/__init__.py]
 
+[bumpversion:file:passbook/hibp_policy/__init__.py]
+
+[bumpversion:file:passbook/password_expiry_policy/__init__.py]
+
 [bumpversion:file:passbook/saml_idp/__init__.py]
 
 [bumpversion:file:passbook/audit/__init__.py]
@@ -42,3 +53,7 @@ values =
 
 [bumpversion:file:passbook/otp/__init__.py]
 
+[bumpversion:file:passbook/app_gw/__init__.py]
+
+[bumpversion:file:passbook/suspicious_policy/__init__.py]
+

.coveragerc

@@ -6,7 +6,6 @@ omit =
     manage.py
     */migrations/*
     */apps.py
-    passbook/management/commands/nexus_upload.py
     passbook/management/commands/web.py
     passbook/management/commands/worker.py
     docs/

.editorconfig

@@ -9,3 +9,6 @@ insert_final_newline = true
 
 [html]
 indent_size = 2
+
+[yaml]
+indent_size = 2

.gitlab-ci.yml

@@ -1,25 +1,33 @@
 # Global Variables
-before_script:
-  - "python3 -m pip install -U virtualenv"
-  - "virtualenv env"
-  - "source env/bin/activate"
-  - "pip3 install -U -r requirements-dev.txt"
 stages:
+  - build-buildimage
   - test
   - build
   - docs
-image: python:3.6
+  - deploy
+image: docker.beryju.org/passbook/build-base:latest
 services:
   - postgres:latest
+  - redis:latest
 
 variables:
   POSTGRES_DB: passbook
   POSTGRES_USER: passbook
-  POSTGRES_PASSWORD: 'EK-5jnKfjrGRm<77'
-  SUPERVISR_ENV: ci
+  POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
 
-include:
-  - /allauth/.gitlab-ci.yml
+create-build-image:
+  image:
+    name: gcr.io/kaniko-project/executor:debug
+    entrypoint: [""]
+  before_script:
+    - echo "{\"auths\":{\"docker.beryju.org\":{\"auth\":\"$DOCKER_AUTH\"}}}" > /kaniko/.docker/config.json
+  script:
+    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile.build-base --destination docker.beryju.org/passbook/build-base:latest --destination docker.beryju.org/passbook/build-base:0.2.0-beta
+  stage: build-buildimage
+  only:
+    refs:
+      - tags
+      - /^version/.*$/
 
 isort:
   script:
@@ -39,6 +47,7 @@ pylint:
   stage: test
 coverage:
   script:
+    - python manage.py collectstatic --no-input
     - coverage run manage.py test
     - coverage report
   stage: test
@@ -52,9 +61,9 @@ package-docker:
     name: gcr.io/kaniko-project/executor:debug
     entrypoint: [""]
   before_script:
-    - echo "{\"auths\":{\"docker.$NEXUS_URL\":{\"auth\":\"$NEXUS_AUTH\"}}}" > /kaniko/.docker/config.json
+    - echo "{\"auths\":{\"docker.beryju.org\":{\"auth\":\"$DOCKER_AUTH\"}}}" > /kaniko/.docker/config.json
   script:
-    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination docker.pkg.beryju.org/passbook:latest --destination docker.pkg.beryju.org/passbook:0.0.10-alpha
+    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination docker.beryju.org/passbook/server:latest --destination docker.beryju.org/passbook/server:0.2.0-beta
   stage: build
   only:
     - tags
@@ -65,76 +74,36 @@ package-helm:
     - curl https://raw.githubusercontent.com/helm/helm/master/scripts/get | bash
     - helm init --client-only
     - helm package helm/passbook
-    - ./manage.py nexus_upload --method put --url $NEXUS_URL --auth $NEXUS_AUTH --repo helm *.tgz
+  artifacts:
+    paths:
+      - passbook-*.tgz
+    expire_in: 2 days
   only:
     - tags
     - /^version/.*$/
-# package-3.5:
-#   before_script:
-#     - apt update
-#     - apt install -y build-essential debhelper devscripts equivs python3 python3-pip
-#     - cp debian/control-3.5 debian/control
-#     - mk-build-deps debian/control
-#     - apt install ./*build-deps*deb -f -y
-#     - "python3 -m pip install -U virtualenv"
-#     - "virtualenv env"
-#     - "source env/bin/activate"
-#     - "pip3 install -U -r requirements.txt -r requirements-dev.txt"
-#   image: debian
-#   script:
-#     - debuild -us -uc
-#     - cp ../passbook*.deb .
-#     - python manage.py nexus_upload
-#   artifacts:
-#     paths:
-#     - passbook-python3.5*deb
-#     expire_in: 2 days
-#   stage: build
-#   only:
-#   - tags
-#   - /^debian/.*$/
-# package-3.6:
-#   before_script:
-#     - apt update
-#     - apt install -y build-essential debhelper devscripts equivs python3 python3-pip
-#     - cp debian/control-3.6 debian/control
-#     - mk-build-deps debian/control
-#     - apt install ./*build-deps*deb -f -y
-#     - "python3 -m pip install -U virtualenv"
-#     - "virtualenv env"
-#     - "source env/bin/activate"
-#     - "pip3 install -U -r requirements.txt -r requirements-dev.txt"
-#   image: debian:buster
-#   script:
-#     - debuild -us -uc
-#     - cp ../passbook*.deb .
-#     - python manage.py nexus_upload
-#   artifacts:
-#     paths:
-#     - passbook-python3.6*deb
-#     expire_in: 2 days
-#   stage: build
-#   only:
-#     - tags
-#     - /^debian/.*$r
 
-# docs:
-#   stage: docs
-#   only:
-#   - master
-#   - tags
-#   - /^debian/.*$/
-#   environment:
-#     name: docs
-#     url: "https://passbook.beryju.org/docs/"
-#   script:
-#     - apt update
-#     - apt install -y rsync
-#     - "mkdir ~/.ssh"
-#     - "cp .gitlab/known_hosts ~/.ssh/"
-#     - "pip3 install -U -r requirements-docs.txt"
-#     - "eval $(ssh-agent -s)"
-#     - "echo \"${CI_SSH_PRIVATE}\" | ssh-add -"
-#     - mkdocs build
-#     - 'rsync -avh --delete web/* "beryjuorg@ory1-web-prod-1.ory1.beryju.org:passbook.beryju.org/"'
-#     - 'rsync -avh --delete site/* "beryjuorg@ory1-web-prod-1.ory1.beryju.org:passbook.beryju.org/docs/"'
+package-client-package-allauth:
+  script:
+    - cd client-packages/allauth
+    - python setup.py sdist
+    - twine upload --username $TWINE_USERNAME --password $TWINE_PASSWORD dist/*
+  stage: build
+  only:
+    refs:
+      - tags
+      - /^version/.*$/
+    changes:
+      - client-packages/allauth/**
+
+package-client-package-sentry:
+  script:
+    - cd client-packages/sentry-auth-passbook
+    - python setup.py sdist
+    - twine upload --username $TWINE_USERNAME --password $TWINE_PASSWORD dist/*
+  stage: build
+  only:
+    refs:
+      - tags
+      - /^version/.*$/
+    changes:
+      - client-packages/sentry-auth-passbook/**

.prospector.yaml

@@ -7,6 +7,7 @@ ignore-paths:
   - migrations
   - docs
   - node_modules
+  - client-packages
 
 uses:
  - django

.vscode/settings.json

@@ -4,6 +4,9 @@
   "[html]": {
     "editor.tabSize": 2
   },
+  "[yml]": {
+    "editor.tabSize": 2
+  },
   "cSpell.words": [
     "SAML",
     "passbook"

Dockerfile

@@ -6,10 +6,13 @@ COPY ./requirements.txt /app/
 
 WORKDIR /app/
 
-RUN mkdir /app/static/ && \
+RUN apt-get update && apt-get install build-essential libssl-dev libffi-dev libpq-dev -y && \
+    mkdir /app/static/ && \
     pip install -r requirements.txt && \
     pip install psycopg2 && \
-    ./manage.py collectstatic --no-input
+    ./manage.py collectstatic --no-input && \
+    apt-get remove --purge -y build-essential && \
+    apt-get autoremove --purge -y
 
 FROM python:3.6-slim-stretch
 
@@ -20,9 +23,12 @@ COPY --from=build /app/static /app/static/
 
 WORKDIR /app/
 
-RUN pip install -r requirements.txt && \
+RUN apt-get update && apt-get install build-essential libssl-dev libffi-dev libpq-dev -y && \
+    pip install -r requirements.txt && \
     pip install psycopg2 && \
     adduser --system --home /app/ passbook && \
-    chown -R passbook /app/
+    chown -R passbook /app/ && \
+    apt-get remove --purge -y build-essential && \
+    apt-get autoremove --purge -y
 
 USER passbook

Dockerfile.build-base

@@ -0,0 +1,12 @@
+FROM python:3.6
+
+COPY ./passbook/ /app/passbook
+COPY ./client-packages/ /app/client-packages
+COPY ./requirements.txt /app/
+COPY ./requirements-dev.txt /app/
+
+WORKDIR /app/
+
+RUN apt-get update && apt-get install libssl-dev libffi-dev libpq-dev -y && \
+     pip install -U -r requirements-dev.txt && \
+     rm -rf /app/*

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2018 BeryJu.org
+Copyright (c) 2019 BeryJu.org
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

allauth/.gitlab-ci.yml

@@ -1,27 +0,0 @@
-# Global Variables
-before_script:
-  - cd allauth/
-  - "python3 -m pip install -U virtualenv"
-  - "virtualenv env"
-  - "source env/bin/activate"
-  - "pip3 install -U -r requirements-dev.txt"
-stages:
-  - test-allauth
-image: python:3.6
-
-isort:
-  script:
-    - isort -c -sg env
-  stage: test-allauth
-prospector:
-  script:
-    - prospector
-  stage: test-allauth
-pylint:
-  script:
-    - pylint passbook
-  stage: test-allauth
-bandit:
-  script:
-    - bandit -r allauth_passbook
-  stage: test-allauth

client-packages/allauth/allauth_passbook/urls.py

@@ -1,5 +1,6 @@
 """passbook provider"""
 from allauth.socialaccount.providers.oauth2.urls import default_urlpatterns
+
 from allauth_passbook.provider import PassbookProvider
 
 urlpatterns = default_urlpatterns(PassbookProvider)

client-packages/allauth/allauth_passbook/views.py

@@ -1,10 +1,10 @@
 """passbook adapter"""
 import requests
-
 from allauth.socialaccount import app_settings
 from allauth.socialaccount.providers.oauth2.views import (OAuth2Adapter,
                                                           OAuth2CallbackView,
                                                           OAuth2LoginView)
+
 from allauth_passbook.provider import PassbookProvider
 
 

client-packages/allauth/setup.py

@@ -3,7 +3,7 @@ from setuptools import setup
 
 setup(
     name='django-allauth-passbook',
-    version='1.0.0',
+    version='0.2.0-beta',
     description='passbook support for django-allauth',
     # long_description='\n'.join(read_simple('docs/index.md')[2:]),
     long_description_content_type='text/markdown',

client-packages/sentry-auth-passbook/.gitignore

@@ -0,0 +1,5 @@
+*.pyc
+*.egg-info/
+*.eggs
+/dist
+/build

client-packages/sentry-auth-passbook/.travis.yml

@@ -0,0 +1,32 @@
+sudo: false
+language: python
+services:
+  - memcached
+  - postgresql
+  - redis-server
+python:
+  - '2.7'
+cache:
+  directories:
+    - node_modules
+    - "$HOME/.cache/pip"
+deploy:
+  provider: pypi
+  user: getsentry
+  password:
+    secure: kVmxKHkBWRLYyZme05p+WZSJmb8GjHV9uyuaSCVMRlqWCW+GXRB7P1xXR2jb9URTlNdcs56Ab/UrwzCbMFGC8LmwCeFVgIR/ltytVZG2FgXZPWaeA4dH25qK2oGWgzJ/xeiMpmuJqN9hRl25MX6jG7FZKvrrOkG7+8tpPd1yO+uYWZQbnebZMjcPBqEpn7CC0hR39GSoyVAbydpMe5hwENGQM26CepcicdrelfawItoUrXrkJzBHkIQQTO/xRSbCtRJOtzI5lwtv3GP0hcbOy5tI5dhG/93pLwZRc5+dZaCaP7oaVeOcBjN0zfINRQobt8d6h2Qgvd/YyFkGi0/xKn1zMmKIVLOG6VsYwEAUq8wNOsP4A/jdm4Y0J/1oEZStCkpaGpx85TYi4kq1hWQdyqaVJSPhh4Tk4roIaS2zOYQl+nIpbHqmJ4FJrg1il+TCdjBXobATQ1mKRBUrjD+RDzH/r4ogbd8+UwvvvevpqS2K+/wgT6UD0MzDInv9S29CUQvuFhPoqyJb5XRddHMRE9EEK/2Z8tFN91sDATnqfXHgwnvu00q/nKP5JnijBPzGmx7ydgUViIukklDrlPvo9BbRJz0Vr2vbAvMTrLMLCXqi5CwTm+v+iaOf/YaCziaG2vx0eVASYjpOLCedSgRZBubPM8z4E/HMXhChN7sVDWk=
+  on:
+    tags: true
+  distributions: sdist bdist_wheel
+env:
+  global:
+    - PIP_DOWNLOAD_CACHE=".pip_download_cache"
+before_install:
+  - pip install codecov
+install:
+  - make develop
+script:
+  - PYFLAKES_NODOCTEST=1 flake8
+  - coverage run --source=. -m py.test tests
+after_success:
+  - codecov

client-packages/sentry-auth-passbook/LICENSE

@@ -0,0 +1,201 @@
+                              Apache License
+                        Version 2.0, January 2004
+                     http://www.apache.org/licenses/
+
+TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+1. Definitions.
+
+   "License" shall mean the terms and conditions for use, reproduction,
+   and distribution as defined by Sections 1 through 9 of this document.
+
+   "Licensor" shall mean the copyright owner or entity authorized by
+   the copyright owner that is granting the License.
+
+   "Legal Entity" shall mean the union of the acting entity and all
+   other entities that control, are controlled by, or are under common
+   control with that entity. For the purposes of this definition,
+   "control" means (i) the power, direct or indirect, to cause the
+   direction or management of such entity, whether by contract or
+   otherwise, or (ii) ownership of fifty percent (50%) or more of the
+   outstanding shares, or (iii) beneficial ownership of such entity.
+
+   "You" (or "Your") shall mean an individual or Legal Entity
+   exercising permissions granted by this License.
+
+   "Source" form shall mean the preferred form for making modifications,
+   including but not limited to software source code, documentation
+   source, and configuration files.
+
+   "Object" form shall mean any form resulting from mechanical
+   transformation or translation of a Source form, including but
+   not limited to compiled object code, generated documentation,
+   and conversions to other media types.
+
+   "Work" shall mean the work of authorship, whether in Source or
+   Object form, made available under the License, as indicated by a
+   copyright notice that is included in or attached to the work
+   (an example is provided in the Appendix below).
+
+   "Derivative Works" shall mean any work, whether in Source or Object
+   form, that is based on (or derived from) the Work and for which the
+   editorial revisions, annotations, elaborations, or other modifications
+   represent, as a whole, an original work of authorship. For the purposes
+   of this License, Derivative Works shall not include works that remain
+   separable from, or merely link (or bind by name) to the interfaces of,
+   the Work and Derivative Works thereof.
+
+   "Contribution" shall mean any work of authorship, including
+   the original version of the Work and any modifications or additions
+   to that Work or Derivative Works thereof, that is intentionally
+   submitted to Licensor for inclusion in the Work by the copyright owner
+   or by an individual or Legal Entity authorized to submit on behalf of
+   the copyright owner. For the purposes of this definition, "submitted"
+   means any form of electronic, verbal, or written communication sent
+   to the Licensor or its representatives, including but not limited to
+   communication on electronic mailing lists, source code control systems,
+   and issue tracking systems that are managed by, or on behalf of, the
+   Licensor for the purpose of discussing and improving the Work, but
+   excluding communication that is conspicuously marked or otherwise
+   designated in writing by the copyright owner as "Not a Contribution."
+
+   "Contributor" shall mean Licensor and any individual or Legal Entity
+   on behalf of whom a Contribution has been received by Licensor and
+   subsequently incorporated within the Work.
+
+2. Grant of Copyright License. Subject to the terms and conditions of
+   this License, each Contributor hereby grants to You a perpetual,
+   worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+   copyright license to reproduce, prepare Derivative Works of,
+   publicly display, publicly perform, sublicense, and distribute the
+   Work and such Derivative Works in Source or Object form.
+
+3. Grant of Patent License. Subject to the terms and conditions of
+   this License, each Contributor hereby grants to You a perpetual,
+   worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+   (except as stated in this section) patent license to make, have made,
+   use, offer to sell, sell, import, and otherwise transfer the Work,
+   where such license applies only to those patent claims licensable
+   by such Contributor that are necessarily infringed by their
+   Contribution(s) alone or by combination of their Contribution(s)
+   with the Work to which such Contribution(s) was submitted. If You
+   institute patent litigation against any entity (including a
+   cross-claim or counterclaim in a lawsuit) alleging that the Work
+   or a Contribution incorporated within the Work constitutes direct
+   or contributory patent infringement, then any patent licenses
+   granted to You under this License for that Work shall terminate
+   as of the date such litigation is filed.
+
+4. Redistribution. You may reproduce and distribute copies of the
+   Work or Derivative Works thereof in any medium, with or without
+   modifications, and in Source or Object form, provided that You
+   meet the following conditions:
+
+   (a) You must give any other recipients of the Work or
+       Derivative Works a copy of this License; and
+
+   (b) You must cause any modified files to carry prominent notices
+       stating that You changed the files; and
+
+   (c) You must retain, in the Source form of any Derivative Works
+       that You distribute, all copyright, patent, trademark, and
+       attribution notices from the Source form of the Work,
+       excluding those notices that do not pertain to any part of
+       the Derivative Works; and
+
+   (d) If the Work includes a "NOTICE" text file as part of its
+       distribution, then any Derivative Works that You distribute must
+       include a readable copy of the attribution notices contained
+       within such NOTICE file, excluding those notices that do not
+       pertain to any part of the Derivative Works, in at least one
+       of the following places: within a NOTICE text file distributed
+       as part of the Derivative Works; within the Source form or
+       documentation, if provided along with the Derivative Works; or,
+       within a display generated by the Derivative Works, if and
+       wherever such third-party notices normally appear. The contents
+       of the NOTICE file are for informational purposes only and
+       do not modify the License. You may add Your own attribution
+       notices within Derivative Works that You distribute, alongside
+       or as an addendum to the NOTICE text from the Work, provided
+       that such additional attribution notices cannot be construed
+       as modifying the License.
+
+   You may add Your own copyright statement to Your modifications and
+   may provide additional or different license terms and conditions
+   for use, reproduction, or distribution of Your modifications, or
+   for any such Derivative Works as a whole, provided Your use,
+   reproduction, and distribution of the Work otherwise complies with
+   the conditions stated in this License.
+
+5. Submission of Contributions. Unless You explicitly state otherwise,
+   any Contribution intentionally submitted for inclusion in the Work
+   by You to the Licensor shall be under the terms and conditions of
+   this License, without any additional terms or conditions.
+   Notwithstanding the above, nothing herein shall supersede or modify
+   the terms of any separate license agreement you may have executed
+   with Licensor regarding such Contributions.
+
+6. Trademarks. This License does not grant permission to use the trade
+   names, trademarks, service marks, or product names of the Licensor,
+   except as required for reasonable and customary use in describing the
+   origin of the Work and reproducing the content of the NOTICE file.
+
+7. Disclaimer of Warranty. Unless required by applicable law or
+   agreed to in writing, Licensor provides the Work (and each
+   Contributor provides its Contributions) on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+   implied, including, without limitation, any warranties or conditions
+   of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+   PARTICULAR PURPOSE. You are solely responsible for determining the
+   appropriateness of using or redistributing the Work and assume any
+   risks associated with Your exercise of permissions under this License.
+
+8. Limitation of Liability. In no event and under no legal theory,
+   whether in tort (including negligence), contract, or otherwise,
+   unless required by applicable law (such as deliberate and grossly
+   negligent acts) or agreed to in writing, shall any Contributor be
+   liable to You for damages, including any direct, indirect, special,
+   incidental, or consequential damages of any character arising as a
+   result of this License or out of the use or inability to use the
+   Work (including but not limited to damages for loss of goodwill,
+   work stoppage, computer failure or malfunction, or any and all
+   other commercial damages or losses), even if such Contributor
+   has been advised of the possibility of such damages.
+
+9. Accepting Warranty or Additional Liability. While redistributing
+   the Work or Derivative Works thereof, You may choose to offer,
+   and charge a fee for, acceptance of support, warranty, indemnity,
+   or other liability obligations and/or rights consistent with this
+   License. However, in accepting such obligations, You may act only
+   on Your own behalf and on Your sole responsibility, not on behalf
+   of any other Contributor, and only if You agree to indemnify,
+   defend, and hold each Contributor harmless for any liability
+   incurred by, or claims asserted against, such Contributor by reason
+   of your accepting any such warranty or additional liability.
+
+END OF TERMS AND CONDITIONS
+
+APPENDIX: How to apply the Apache License to your work.
+
+   To apply the Apache License to your work, attach the following
+   boilerplate notice, with the fields enclosed by brackets "[]"
+   replaced with your own identifying information. (Don't include
+   the brackets!)  The text should be enclosed in the appropriate
+   comment syntax for the file format. We also recommend that a
+   file or class name and description of purpose be included on the
+   same "printed page" as the copyright notice for easier
+   identification within third-party archives.
+
+Copyright 2016 Functional Software, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

client-packages/sentry-auth-passbook/MANIFEST.in

@@ -0,0 +1,3 @@
+include setup.py package.json webpack.config.js README.rst MANIFEST.in LICENSE AUTHORS
+recursive-include sentry_auth_supervisr/templates *
+global-exclude *~

client-packages/sentry-auth-passbook/Makefile

@@ -0,0 +1,26 @@
+.PHONY: clean develop install-tests lint publish test
+
+develop:
+	pip install "pip>=7"
+	pip install -e .
+	make install-tests
+
+install-tests:
+	pip install .[tests]
+
+lint:
+	@echo "--> Linting python"
+	flake8
+	@echo ""
+
+test:
+	@echo "--> Running Python tests"
+	py.test tests || exit 1
+	@echo ""
+
+publish:
+	python setup.py sdist bdist_wheel upload
+
+clean:
+	rm -rf *.egg-info src/*.egg-info
+	rm -rf dist build

client-packages/sentry-auth-passbook/README.rst

@@ -0,0 +1,55 @@
+GitHub Auth for Sentry
+======================
+
+An SSO provider for Sentry which enables GitHub organization-restricted authentication.
+
+Install
+-------
+
+::
+
+    $ pip install https://github.com/getsentry/sentry-auth-github/archive/master.zip
+
+Setup
+-----
+
+Create a new application under your organization in GitHub. Enter the **Authorization
+callback URL** as the prefix to your Sentry installation:
+
+::
+
+    https://example.sentry.com
+
+
+Once done, grab your API keys and drop them in your ``sentry.conf.py``:
+
+.. code-block:: python
+
+    GITHUB_APP_ID = ""
+
+    GITHUB_API_SECRET = ""
+
+
+Verified email addresses can optionally be required:
+
+.. code-block:: python
+
+    GITHUB_REQUIRE_VERIFIED_EMAIL = True
+
+
+Optionally you may also specify the domain (for GHE users):
+
+.. code-block:: python
+
+    GITHUB_BASE_DOMAIN = "git.example.com"
+
+    GITHUB_API_DOMAIN = "api.git.example.com"
+
+
+If Subdomain isolation is disabled in GHE:
+
+.. code-block:: python
+
+    GITHUB_BASE_DOMAIN = "git.example.com"
+
+    GITHUB_API_DOMAIN = "git.example.com/api/v3"

client-packages/sentry-auth-passbook/conftest.py

@@ -0,0 +1,14 @@
+from __future__ import absolute_import
+
+# Run tests against sqlite for simplicity
+import os
+import os.path
+import sys
+
+sys.path.insert(0, os.path.join(os.path.dirname(__file__)))
+
+os.environ.setdefault('DB', 'sqlite')
+
+pytest_plugins = [
+    'sentry.utils.pytest'
+]

client-packages/sentry-auth-passbook/sentry_auth_passbook/__init__.py

@@ -0,0 +1,7 @@
+from __future__ import absolute_import
+
+from sentry.auth import register
+
+from .provider import PassbookOAuth2Provider
+
+register('passbook', PassbookOAuth2Provider)

client-packages/sentry-auth-passbook/sentry_auth_passbook/client.py

@@ -0,0 +1,45 @@
+from __future__ import absolute_import, print_function
+
+from requests.exceptions import RequestException
+
+from sentry import http
+from sentry.utils import json
+
+from .constants import BASE_DOMAIN
+
+
+class PassbookApiError(Exception):
+    def __init__(self, message='', status=0):
+        super(PassbookApiError, self).__init__(message)
+        self.status = status
+
+
+class PassbookClient(object):
+    def __init__(self, client_id, client_secret):
+        self.client_id = client_id
+        self.client_secret = client_secret
+        self.http = http.build_session()
+
+    def _request(self, path, access_token):
+        params = {
+            'client_id': self.client_id,
+            'client_secret': self.client_secret,
+        }
+
+        headers = {
+            'Authorization': 'Bearer {0}'.format(access_token),
+        }
+
+        try:
+            req = self.http.get('https://{0}/{1}'.format(BASE_DOMAIN, path.lstrip('/')),
+                params=params,
+                headers=headers,
+            )
+        except RequestException as e:
+            raise PassbookApiError(unicode(e), status=getattr(e, 'status_code', 0))
+        if req.status_code < 200 or req.status_code >= 300:
+            raise PassbookApiError(req.content, status=req.status_code)
+        return json.loads(req.content)
+
+    def get_user(self, access_token):
+        return self._request('/api/v1/openid/', access_token)

client-packages/sentry-auth-passbook/sentry_auth_passbook/constants.py

@@ -0,0 +1,14 @@
+from __future__ import absolute_import, print_function
+
+from django.conf import settings
+
+CLIENT_ID = getattr(settings, 'PASSBOOK_APP_ID', None)
+
+CLIENT_SECRET = getattr(settings, 'PASSBOOK_API_SECRET', None)
+
+SCOPE = 'openid:userinfo'
+
+BASE_DOMAIN = getattr(settings, 'PASSBOOK_BASE_DOMAIN', 'id.beryju.org')
+
+ACCESS_TOKEN_URL = 'https://{0}/application/oauth/token/'.format(BASE_DOMAIN)
+AUTHORIZE_URL = 'https://{0}/application/oauth/authorize/'.format(BASE_DOMAIN)

client-packages/sentry-auth-passbook/sentry_auth_passbook/provider.py

@@ -0,0 +1,62 @@
+from __future__ import absolute_import, print_function
+
+from sentry.auth.exceptions import IdentityNotValid
+from sentry.auth.providers.oauth2 import (OAuth2Callback, OAuth2Login,
+                                          OAuth2Provider)
+
+from .client import PassbookApiError, PassbookClient
+from .constants import (ACCESS_TOKEN_URL, AUTHORIZE_URL, CLIENT_ID,
+                        CLIENT_SECRET, SCOPE)
+from .views import FetchUser, PassbookConfigureView
+
+
+class PassbookOAuth2Provider(OAuth2Provider):
+    access_token_url = ACCESS_TOKEN_URL
+    authorize_url = AUTHORIZE_URL
+    name = 'Passbook'
+    client_id = CLIENT_ID
+    client_secret = CLIENT_SECRET
+
+    def __init__(self, **config):
+        super(PassbookOAuth2Provider, self).__init__(**config)
+
+    def get_configure_view(self):
+        return PassbookConfigureView.as_view()
+
+    def get_auth_pipeline(self):
+        return [
+            OAuth2Login(
+                authorize_url=self.authorize_url,
+                client_id=self.client_id,
+                scope=SCOPE,
+            ),
+            OAuth2Callback(
+                access_token_url=self.access_token_url,
+                client_id=self.client_id,
+                client_secret=self.client_secret,
+            ),
+            FetchUser(
+                client_id=self.client_id,
+                client_secret=self.client_secret,
+            ),
+        ]
+
+    def get_refresh_token_url(self):
+        return ACCESS_TOKEN_URL
+
+    def build_identity(self, state):
+        data = state['data']
+        user_data = state['user']
+        return {
+            'id': user_data['email'],
+            'email': user_data['email'],
+            'name': user_data['name'],
+            'data': self.get_oauth_data(data),
+        }
+
+    def build_config(self, state):
+        return {}
+
+    def refresh_identity(self, auth_identity):
+        client = PassbookClient(self.client_id, self.client_secret)
+        access_token = auth_identity.data['access_token']

client-packages/sentry-auth-passbook/sentry_auth_passbook/views.py

@@ -0,0 +1,75 @@
+from __future__ import absolute_import, print_function
+
+from django import forms
+
+from sentry.auth.view import AuthView, ConfigureView
+from sentry.models import AuthIdentity
+
+from .client import PassbookClient
+
+
+def _get_name_from_email(email):
+    """
+    Given an email return a capitalized name. Ex. john.smith@example.com would return John Smith.
+    """
+    name = email.rsplit('@', 1)[0]
+    name = ' '.join([n_part.capitalize() for n_part in name.split('.')])
+    return name
+
+
+class FetchUser(AuthView):
+    def __init__(self, client_id, client_secret, *args, **kwargs):
+        self.client = PassbookClient(client_id, client_secret)
+        super(FetchUser, self).__init__(*args, **kwargs)
+
+    def handle(self, request, helper):
+        access_token = helper.fetch_state('data')['access_token']
+
+        user = self.client.get_user(access_token)
+
+        # A user hasn't set their name in their Passbook profile so it isn't
+        # populated in the response
+        if not user.get('name'):
+            user['name'] = _get_name_from_email(user['email'])
+
+        helper.bind_state('user', user)
+
+        return helper.next_step()
+
+
+class ConfirmEmailForm(forms.Form):
+    email = forms.EmailField(label='Email')
+
+
+class ConfirmEmail(AuthView):
+    def handle(self, request, helper):
+        user = helper.fetch_state('user')
+
+        # TODO(dcramer): this isnt ideal, but our current flow doesnt really
+        # support this behavior;
+        try:
+            auth_identity = AuthIdentity.objects.select_related('user').get(
+                auth_provider=helper.auth_provider,
+                ident=user['id'],
+            )
+        except AuthIdentity.DoesNotExist:
+            pass
+        else:
+            user['email'] = auth_identity.user.email
+
+        if user.get('email'):
+            return helper.next_step()
+
+        form = ConfirmEmailForm(request.POST or None)
+        if form.is_valid():
+            user['email'] = form.cleaned_data['email']
+            helper.bind_state('user', user)
+            return helper.next_step()
+
+        return self.respond('sentry_auth_passbook/enter-email.html', {
+            'form': form,
+        })
+
+class PassbookConfigureView(ConfigureView):
+    def dispatch(self, request, organization, auth_provider):
+        return self.render('sentry_auth_passbook/configure.html')

client-packages/sentry-auth-passbook/setup.cfg

@@ -0,0 +1,12 @@
+[wheel]
+universal = 1
+
+[pytest]
+python_files = test*.py
+addopts = --tb=native -p no:doctest
+norecursedirs = bin dist docs htmlcov script hooks node_modules .* {args}
+
+[flake8]
+ignore = F999,E501,E128,E124,E402,W503,E731,C901
+max-line-length = 100
+exclude = .tox,.git,*/migrations/*,node_modules/*,docs/*

client-packages/sentry-auth-passbook/setup.py

@@ -0,0 +1,45 @@
+#!/usr/bin/env python
+"""
+sentry-auth-passbook
+==================
+
+:copyright: (c) 2016 Functional Software, Inc
+"""
+from setuptools import find_packages, setup
+
+install_requires = [
+    'sentry>=7.0.0',
+]
+
+tests_require = [
+    'mock',
+    'flake8>=2.0,<2.1',
+]
+
+setup(
+    name='sentry-auth-passbook',
+    version='0.2.0-beta',
+    author='BeryJu.org',
+    author_email='support@beryju.org',
+    url='https://passbook.beryju.org',
+    description='passbook authentication provider for Sentry',
+    long_description=__doc__,
+    license='MIT',
+    packages=find_packages(exclude=['tests']),
+    zip_safe=False,
+    install_requires=install_requires,
+    tests_require=tests_require,
+    extras_require={'tests': tests_require},
+    include_package_data=True,
+    entry_points={
+        'sentry.apps': [
+            'auth_passbook = sentry_auth_passbook',
+        ],
+    },
+    classifiers=[
+        'Intended Audience :: Developers',
+        'Intended Audience :: System Administrators',
+        'Operating System :: OS Independent',
+        'Topic :: Software Development'
+    ],
+)

client-packages/sentry-auth-passbook/tests/test_provider.py

@@ -0,0 +1,6 @@
+from sentry.testutils import TestCase
+
+
+class GitHubOAuth2ProviderTest(TestCase):
+    def test_simple(self):
+        pass

client-packages/sentry-auth-passbook/tests/test_views.py

@@ -0,0 +1,17 @@
+from __future__ import absolute_import, print_function
+
+import pytest
+from sentry_auth_sentry.views import _get_name_from_email
+
+expected_data = [
+    ('john.smith@example.com', 'John Smith'),
+    ('john@example.com', 'John'),
+    ('XYZ-234=3523@example.com', 'Xyz-234=3523'),
+    ('XYZ.1111@example.com', 'Xyz 1111'),
+    ('JOHN@example.com', 'John'),
+]
+
+
+@pytest.mark.parametrize("email,expected_name", expected_data)
+def test_get_name_from_email(email, expected_name):
+    assert _get_name_from_email(email) == expected_name

helm/passbook/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v1
-appVersion: "0.0.10-alpha"
+appVersion: "0.2.0-beta"
 description: A Helm chart for passbook.
 name: passbook
-version: "0.0.10-alpha"
-icon: https://passbook.beryju.org/images/logo.png
+version: "0.2.0-beta"
+icon: https://git.beryju.org/uploads/-/system/project/avatar/108/logo.png

helm/passbook/app-readme.md

@@ -0,0 +1 @@
+# passbook

helm/passbook/questions.yml

@@ -0,0 +1,98 @@
+---
+categories:
+  - Authentication
+  - SSO
+questions:
+  - default: "true"
+    variable: config.error_reporting
+    type: boolean
+    description: "Enable error-reporting to sentry.services.beryju.org"
+    group: "passbook Configuration"
+    label: "Error Reporting"
+    ####################################################################
+    ### PostgreSQL
+    ####################################################################
+  - variable: postgresql.enabled
+    default: true
+    description: "Deploy a database server as part of this deployment, or set to false and configure an external database connection."
+    type: boolean
+    required: true
+    label: Install PostgreSQL
+    show_subquestion_if: true
+    group: "Database Settings"
+    subquestions:
+      - variable: postgresql.postgresqlDatabase
+        default: "passbook"
+        description: "Database name to create"
+        type: string
+        label: PostgreSQL Database
+      - variable: postgresql.postgresqlUsername
+        default: "passbook"
+        description: "Database user to create"
+        type: string
+        label: PostgreSQL User
+      - variable: postgresql.postgresqlPassword
+        default: ""
+        description: "password will be auto-generated if not specified"
+        type: password
+        label: PostgreSQL Password
+  - variable: externalDatabase.host
+    default: ""
+    description: "Host of the external database"
+    type: string
+    label: External Database Host
+    show_if: "postgresql.enabled=false"
+    group: "Database Settings"
+  - variable: externalDatabase.user
+    default: ""
+    description: "Existing username in the external DB"
+    type: string
+    label: External Database username
+    show_if: "postgresql.enabled=false"
+    group: "Database Settings"
+  - variable: externalDatabase.password
+    default: ""
+    description: "External database password"
+    type: password
+    label: External Database password
+    show_if: "postgresql.enabled=false"
+    group: "Database Settings"
+  - variable: externalDatabase.database
+    default: ""
+    description: "Name of the existing database"
+    type: string
+    label: External Database
+    show_if: "postgresql.enabled=false"
+    group: "Database Settings"
+  - variable: externalDatabase.port
+    default: "3306"
+    description: "External database port number"
+    type: string
+    label: External Database Port
+    show_if: "postgresql.enabled=false"
+    group: "Database Settings"
+  - variable: postgresql.persistence.enabled
+    default: false
+    description: "Enable persistent volume for PostgreSQL"
+    type: boolean
+    required: true
+    label: PostgreSQL Persistent Volume Enabled
+    show_if: "postgresql.enabled=true"
+    show_subquestion_if: true
+    group: "Database Settings"
+    subquestions:
+      - variable: postgresql.master.persistence.size
+        default: "8Gi"
+        description: "PostgreSQL Persistent Volume Size"
+        type: string
+        label: PostgreSQL Volume Size
+      - variable: postgresql.master.persistence.storageClass
+        default: ""
+        description: "If undefined or null, uses the default StorageClass. Default to null"
+        type: storageclass
+        label: Default StorageClass for PostgreSQL
+      - variable: postgresql.master.persistence.existingClaim
+        default: ""
+        description: "If not empty, uses the specified existing PVC instead of creating new one"
+        type: string
+        label: Existing Persistent Volume Claim for PostgreSQL

helm/passbook/requirements.lock

@@ -1,9 +1,12 @@
 dependencies:
-- name: redis
+- name: rabbitmq
   repository: https://kubernetes-charts.storage.googleapis.com/
-  version: 5.1.0
+  version: 4.3.2
 - name: postgresql
   repository: https://kubernetes-charts.storage.googleapis.com/
   version: 3.10.1
-digest: sha256:04bd136761f070e94a2ff32ff48ff87f5e07fbd451e5fd7f65551e3bd4680e5e
-generated: 2019-02-08T12:08:49.090666+01:00
+- name: redis
+  repository: https://kubernetes-charts.storage.googleapis.com/
+  version: 5.1.0
+digest: sha256:8bf68bc928a2e3c0f05139635be05fa0840554c7bde4cecd624fac78fb5fa5a3
+generated: 2019-03-21T11:06:51.553379+01:00

helm/passbook/requirements.yaml

@@ -1,7 +1,10 @@
 dependencies:
-- name: redis
-  version: 5.1.0
+- name: rabbitmq
+  version: 4.3.2
   repository: https://kubernetes-charts.storage.googleapis.com/
 - name: postgresql
   version: 3.10.1
   repository: https://kubernetes-charts.storage.googleapis.com/
+- name: redis
+  version: 5.1.0
+  repository: https://kubernetes-charts.storage.googleapis.com/

helm/passbook/templates/passbook-configmap.yaml

@@ -15,14 +15,14 @@ data:
         port: ''
     log:
       level:
-        console: DEBUG
-        file: DEBUG
+        console: WARNING
+        file: WARNING
       file: /dev/null
       syslog:
         host: 127.0.0.1
         port: 514
     email:
-      host: localhost
+      host: {{ .Values.config.email.host }}
       port: 25
       user: ''
       password: ''
@@ -36,7 +36,8 @@ data:
     debug: false
     secure_proxy_header:
       HTTP_X_FORWARDED_PROTO: https
-    redis: {{ .Release.Name }}-redis
+    rabbitmq: "user:{{ .Values.rabbitmq.rabbitmq.password }}@{{ .Release.Name }}-rabbitmq"
+    redis: ":{{ .Values.redis.password }}@{{ .Release.Name }}-redis-master/0"
     # Error reporting, sends stacktrace to sentry.services.beryju.org
     error_report_enabled: {{ .Values.config.error_reporting }}
 
@@ -46,10 +47,12 @@ data:
     secret_key: {{ randAlphaNum 50 }}
     {{- end }}
 
+    primary_domain: {{ .Values.primary_domain }}
     domains:
         {{- range .Values.ingress.hosts }}
         - {{ . | quote }}
         {{- end }}
+        - kubernetes-healthcheck-host
 
     passbook:
       sign_up:
@@ -105,10 +108,9 @@ data:
         email: mail # or userPrincipalName
       user_attribute_map:
         active_directory:
-          sAMAccountName: username
-          mail: email
-          given_name: first_name
-          name: last_name
+          username: "%(sAMAccountName)s"
+          email: "%(mail)s"
+          name: "%(displayName)"
       # # Create new users in LDAP upon sign-up
       # create_users: true
       # # Reset LDAP password when user reset their password
@@ -123,6 +125,7 @@ data:
         - passbook.oauth_client.source_types.reddit
         - passbook.oauth_client.source_types.supervisr
         - passbook.oauth_client.source_types.twitter
+        - passbook.oauth_client.source_types.azure_ad
     saml_idp:
       signing: true
       autosubmit: false
@@ -131,8 +134,4 @@ data:
       # List of python packages with provider types to load.
       types:
         - passbook.saml_idp.processors.generic
-        - passbook.saml_idp.processors.gitlab
-        - passbook.saml_idp.processors.nextcloud
         - passbook.saml_idp.processors.salesforce
-        - passbook.saml_idp.processors.shibboleth
-        - passbook.saml_idp.processors.wordpress_orange

helm/passbook/templates/passbook-web-deployment.yaml

@@ -18,6 +18,7 @@ spec:
       labels:
         app.kubernetes.io/name: {{ include "passbook.name" . }}
         app.kubernetes.io/instance: {{ .Release.Name }}
+        passbook.io/component: web
     spec:
       volumes:
         - name: config-volume
@@ -25,7 +26,7 @@ spec:
             name: {{ include "passbook.fullname" . }}-config
       containers:
         - name: {{ .Chart.Name }}
-          image: "docker.pkg.beryju.org/passbook:{{ .Values.image.tag }}"
+          image: "docker.beryju.org/passbook/server:{{ .Values.image.tag }}"
           imagePullPolicy: IfNotPresent
           command: ["/bin/sh","-c"]
           args: ["./manage.py migrate && ./manage.py web"]

helm/passbook/templates/passbook-web-service.yaml

@@ -17,3 +17,4 @@ spec:
   selector:
     app.kubernetes.io/name: {{ include "passbook.name" . }}
     app.kubernetes.io/instance: {{ .Release.Name }}
+    passbook.io/component: web

helm/passbook/templates/passbook-worker-deployment.yaml

@@ -18,6 +18,7 @@ spec:
       labels:
         app.kubernetes.io/name: {{ include "passbook.name" . }}
         app.kubernetes.io/instance: {{ .Release.Name }}
+        passbook.io/component: worker
     spec:
       volumes:
         - name: config-volume
@@ -25,7 +26,7 @@ spec:
             name: {{ include "passbook.fullname" . }}-config
       containers:
         - name: {{ .Chart.Name }}
-          image: "docker.pkg.beryju.org/passbook:{{ .Values.image.tag }}"
+          image: "docker.beryju.org/passbook/server:{{ .Values.image.tag }}"
           imagePullPolicy: IfNotPresent
           command: ["./manage.py", "worker"]
           ports:

helm/passbook/values.yaml

@@ -5,7 +5,7 @@
 replicaCount: 1
 
 image:
-  tag: latest
+  tag: 0.2.0-beta
 
 nameOverride: ""
 
@@ -14,10 +14,16 @@ config:
   # secret_key: _k*@6h2u2@q-dku57hhgzb7tnx*ba9wodcb^s9g0j59@=y(@_o
   # Enable error reporting
   error_reporting: true
+  email:
+    host: localhost
 
 postgresql:
-    postgresqlDatabase: passbook
-    postgresqlPassword: foo
+  postgresqlDatabase: passbook
+  postgresqlPassword: foo
+
+rabbitmq:
+  rabbitmq:
+    password: foo
 
 service:
   type: ClusterIP
@@ -31,7 +37,6 @@ ingress:
   path: /
   hosts:
     - passbook.k8s.local
-    - kubernetes-healthcheck-host
   defaultHost: passbook.k8s.local
   tls: []
   #  - secretName: chart-example-tls

manage.py

@@ -4,7 +4,7 @@ import os
 import sys
 
 if __name__ == '__main__':
-    os.environ.setdefault('DJANGO_SETTINGS_MODULE', 'passbook.core.settings')
+    os.environ.setdefault('DJANGO_SETTINGS_MODULE', 'passbook.root.settings')
     try:
         from django.core.management import execute_from_command_line
     except ImportError as exc:

passbook/__init__.py

@@ -1,2 +1,2 @@
 """passbook"""
-__version__ = '0.0.10-alpha'
+__version__ = '0.2.0-beta'

passbook/admin/__init__.py

@@ -1,2 +1,2 @@
 """passbook admin"""
-__version__ = '0.0.10-alpha'
+__version__ = '0.2.0-beta'

passbook/admin/api/v1/users.py

@@ -11,7 +11,7 @@ class UserSerializer(ModelSerializer):
 
     class Meta:
         model = User
-        fields = ['is_superuser', 'username', 'first_name', 'last_name', 'email', 'date_joined',
+        fields = ['is_superuser', 'username', 'name', 'email', 'date_joined',
                   'uuid']
 
 

passbook/admin/forms/users.py

@@ -0,0 +1,17 @@
+"""passbook administrative user forms"""
+
+from django import forms
+
+from passbook.core.models import User
+
+
+class UserForm(forms.ModelForm):
+    """Update User Details"""
+
+    class Meta:
+
+        model = User
+        fields = ['username', 'name', 'email', 'is_staff', 'is_active']
+        widgets = {
+            'name': forms.TextInput
+        }

passbook/admin/middleware.py

@@ -0,0 +1,25 @@
+"""passbook admin Middleware to impersonate users"""
+
+from passbook.core.models import User
+
+
+def impersonate(get_response):
+    """Middleware to impersonate users"""
+
+    def middleware(request):
+        """Middleware to impersonate users"""
+
+        # User is superuser and has __impersonate ID set
+        if request.user.is_superuser and "__impersonate" in request.GET:
+            request.session['impersonate_id'] = request.GET["__impersonate"]
+        # user wants to stop impersonation
+        elif "__unimpersonate" in request.GET and 'impersonate_id' in request.session:
+            del request.session['impersonate_id']
+
+        # Actually impersonate user
+        if request.user.is_superuser and 'impersonate_id' in request.session:
+            request.user = User.objects.get(pk=request.session['impersonate_id'])
+
+        response = get_response(request)
+        return response
+    return middleware

passbook/admin/settings.py

@@ -0,0 +1,5 @@
+"""passbook admin settings"""
+
+MIDDLEWARE = [
+    'passbook.admin.middleware.impersonate',
+]

passbook/admin/templates/administration/application/list.html

@@ -12,7 +12,7 @@
     <h1><span class="pficon-applications"></span> {% trans "Applications" %}</h1>
     <span>{% trans "External Applications which use passbook as Identity-Provider, utilizing protocols like OAuth2 and SAML." %}</span>
     <hr>
-    <a href="{% url 'passbook_admin:application-create' %}" class="btn btn-primary">
+    <a href="{% url 'passbook_admin:application-create' %}?back={{ request.get_full_path }}" class="btn btn-primary">
         {% trans 'Create...' %}
     </a>
     <hr>
@@ -21,6 +21,7 @@
             <tr>
                 <th>{% trans 'Name' %}</th>
                 <th>{% trans 'Provider' %}</th>
+                <th>{% trans 'Provider Type' %}</th>
                 <th></th>
             </tr>
         </thead>
@@ -28,7 +29,8 @@
             {% for application in object_list %}
             <tr>
                 <td>{{ application.name }}</td>
-                <td>{{ application.provider }}</td>
+                <td>{{ application.get_provider }}</td>
+                <td>{{ application.get_provider|verbose_name }}</td>
                 <td>
                     <a class="btn btn-default btn-sm"
                         href="{% url 'passbook_admin:application-update' pk=application.uuid %}?back={{ request.get_full_path }}">{% trans 'Edit' %}</a>

passbook/admin/templates/administration/base.html

@@ -4,36 +4,4 @@
 {% load is_active %}
 
 {% block nav_secondary %}
-<ul class="nav navbar-nav navbar-persistent">
-  <li class="{% is_active 'passbook_admin:overview' %}">
-    <a href="{% url 'passbook_admin:overview' %}">{% trans 'Overview' %}</a>
-  </li>
-  <li class="{% is_active 'passbook_admin:applications' 'passbook_admin:application-create' 'passbook_admin:application-update' 'passbook_admin:application-delete' %}">
-    <a href="{% url 'passbook_admin:applications' %}">{% trans 'Applications' %}</a>
-  </li>
-  <li class="{% is_active 'passbook_admin:sources' 'passbook_admin:source-create' 'passbook_admin:source-update' 'passbook_admin:source-delete' %}">
-    <a href="{% url 'passbook_admin:sources' %}">{% trans 'Sources' %}</a>
-  </li>
-  <li class="{% is_active 'passbook_admin:providers' 'passbook_admin:provider-create' 'passbook_admin:provider-update' 'passbook_admin:provider-delete' %}">
-    <a href="{% url 'passbook_admin:providers' %}">{% trans 'Providers' %}</a>
-  </li>
-  <li class="{% is_active 'passbook_admin:factors' 'passbook_admin:factor-create' 'passbook_admin:factor-update' 'passbook_admin:factor-delete' %}">
-    <a href="{% url 'passbook_admin:factors' %}">{% trans 'Factors' %}</a>
-  </li>
-  <li class="{% is_active 'passbook_admin:policies' 'passbook_admin:policy-create' 'passbook_admin:policy-update' 'passbook_admin:policy-delete' 'passbook_admin:policy-test' %}">
-    <a href="{% url 'passbook_admin:policies' %}">{% trans 'Policies' %}</a>
-  </li>
-  <li class="{% is_active 'passbook_admin:invitations' 'passbook_admin:invitation-create' 'passbook_admin:invitation-update' 'passbook_admin:invitation-delete' 'passbook_admin:invitation-test' %}">
-    <a href="{% url 'passbook_admin:invitations' %}">{% trans 'Invitations' %}</a>
-  </li>
-  <li class="{% is_active 'passbook_admin:users' 'passbook_admin:user-update' 'passbook_admin:user-delete' %}">
-    <a href="{% url 'passbook_admin:users' %}">{% trans 'Users' %}</a>
-  </li>
-  <li class="{% is_active 'passbook_admin:audit-log' %}">
-    <a href="{% url 'passbook_admin:audit-log' %}">{% trans 'Audit Log' %}</a>
-  </li>
-  <li class="{% is_active_app 'admin' %}">
-    <a href="{% url 'admin:index' %}">{% trans 'Django' %}</a>
-  </li>
-</ul>
 {% endblock %}

passbook/admin/templates/administration/debug/request.html

@@ -0,0 +1,31 @@
+{% extends "administration/base.html" %}
+
+{% load i18n %}
+{% load utils %}
+
+{% block title %}
+{% title %}
+{% endblock %}
+
+{% block content %}
+<div class="container">
+    <h1><span class="pficon-applications"></span> {% trans "Request" %}</h1>
+    <hr>
+    <table class="table table-striped table-bordered">
+        <thead>
+            <tr>
+                <th>{% trans 'Key' %}</th>
+                <th>{% trans 'Value' %}</th>
+            </tr>
+        </thead>
+        <tbody>
+            {% for key, value in request_dict.items %}
+            <tr>
+                <td>{{ key }}</td>
+                <td>{{ value }}</td>
+            </tr>
+            {% endfor %}
+        </tbody>
+    </table>
+</div>
+{% endblock %}

passbook/admin/templates/administration/factor/list.html

@@ -21,7 +21,7 @@
         <ul class="dropdown-menu" role="menu" aria-labelledby="createDropdown">
             {% for type, name in types.items %}
             <li role="presentation"><a role="menuitem" tabindex="-1"
-                    href="{% url 'passbook_admin:factor-create' %}?type={{ type }}">{{ name }}</a></li>
+                    href="{% url 'passbook_admin:factor-create' %}?type={{ type }}&back={{ request.get_full_path }}">{{ name }}</a></li>
             {% endfor %}
         </ul>
     </div>
@@ -40,7 +40,7 @@
             {% for factor in object_list %}
             <tr>
                 <td>{{ factor.name }} ({{ factor.slug }})</td>
-                <td>{{ factor.type }}</td>
+                <td>{{ factor|verbose_name }}</td>
                 <td>{{ factor.order }}</td>
                 <td>{{ factor.enabled }}</td>
                 <td>

passbook/admin/templates/administration/group/list.html

@@ -0,0 +1,45 @@
+{% extends "administration/base.html" %}
+
+{% load i18n %}
+{% load utils %}
+
+{% block title %}
+{% title %}
+{% endblock %}
+
+{% block content %}
+<div class="container">
+    <h1><span class="pficon-users"></span> {% trans "Groups" %}</h1>
+    <span>{% trans "Group users together and give them permissions based on the membership." %}</span>
+    <hr>
+    <a href="{% url 'passbook_admin:group-create' %}?back={{ request.get_full_path }}" class="btn btn-primary">
+        {% trans 'Create...' %}
+    </a>
+    <hr>
+    <table class="table table-striped table-bordered">
+        <thead>
+            <tr>
+                <th>{% trans 'Name' %}</th>
+                <th>{% trans 'Parent' %}</th>
+                <th>{% trans 'Members' %}</th>
+                <th></th>
+            </tr>
+        </thead>
+        <tbody>
+            {% for group in object_list %}
+            <tr>
+                <td>{{ group.name }}</td>
+                <td>{{ group.parent }}</td>
+                <td>{{ group.user_set.all|length }}</td>
+                <td>
+                    <a class="btn btn-default btn-sm"
+                        href="{% url 'passbook_admin:group-update' pk=group.uuid %}?back={{ request.get_full_path }}">{% trans 'Edit' %}</a>
+                    <a class="btn btn-default btn-sm"
+                        href="{% url 'passbook_admin:group-delete' pk=group.uuid %}?back={{ request.get_full_path }}">{% trans 'Delete' %}</a>
+                </td>
+            </tr>
+            {% endfor %}
+        </tbody>
+    </table>
+</div>
+{% endblock %}

passbook/admin/templates/administration/groups/list.html

@@ -1,83 +0,0 @@
-{% extends "administration/base.html" %}
-
-{% load i18n %}
-{% load static %}
-{% load utils %}
-
-{% block head %}
-{{ block.super }}
-<link rel="stylesheet" href="{% static 'css/bootstrap-treeview.min.css'%}">
-{% endblock %}
-
-{% block scripts %}
-{{ block.super }}
-<script src="{% static 'js/bootstrap-treeview.min.js' %}"></script>
-<script>
-  var cleanupData = function (obj) {
-    return {
-      text: obj.name,
-      href: '?group=' + obj.uuid,
-      nodes: obj.children.map(cleanupData),
-    };
-  }
- $(function() {
-   var apiUrl = "{% url 'passbook_admin:group-list' %}?format=json";
-   $.ajax({
-      url: apiUrl,
-    }).done(function(data) {
-      $('#treeview1').treeview({
-        collapseIcon: "fa fa-angle-down",
-        data: data.map(cleanupData),
-        expandIcon: "fa fa-angle-right",
-        nodeIcon: "fa pficon-users",
-        showBorder: true,
-        enableLinks: true,
-        onNodeSelected: function (event, node) {
-          window.location.href = node.href;
-        }
-      });
-    });
-  });
-</script>
-{% endblock %}
-
-{% block title %}
-{% title %}
-{% endblock %}
-
-{% block content %}
-<div class="col-md-3">
-  <div id="treeview1" class="treeview">
-  </div>
-</div>
-<div class="col-md-9">
-  <h1>{% trans "Invitations" %}</h1>
-  <a href="{% url 'passbook_admin:invitation-create' %}" class="btn btn-primary">
-    {% trans 'Create...' %}
-  </a>
-  <hr>
-  <table class="table table-striped table-bordered">
-    <thead>
-      <tr>
-        <th>{% trans 'Expiry' %}</th>
-        <th>{% trans 'Link' %}</th>
-        <th></th>
-      </tr>
-    </thead>
-    <tbody>
-      {% for invitation in object_list %}
-      <tr>
-        <td>{{ invitation.expires|default:"Never" }}</td>
-        <td>
-          <pre>{{ invitation.link }}</pre>
-        </td>
-        <td>
-          <a class="btn btn-default btn-sm" href="{% url 'passbook_admin:invitation-delete' pk=invitation.uuid %}?back={{ request.get_full_path }}">{%
-            trans 'Delete' %}</a>
-        </td>
-      </tr>
-      {% endfor %}
-    </tbody>
-  </table>
-</div>
-{% endblock %}

passbook/admin/templates/administration/invitation/list.html

@@ -12,7 +12,7 @@
     <h1><span class="pficon-migration"></span> {% trans "Invitations" %}</h1>
     <span>{% trans "Create Invitation Links which optionally force a username or expire on a set date." %}</span>
     <hr>
-    <a href="{% url 'passbook_admin:invitation-create' %}" class="btn btn-primary">
+    <a href="{% url 'passbook_admin:invitation-create' %}?back={{ request.get_full_path }}" class="btn btn-primary">
         {% trans 'Create...' %}
     </a>
     <hr>

passbook/admin/templates/administration/overview.html

@@ -54,7 +54,11 @@
                 <p class="card-pf-aggregate-status-notifications">
                     <span class="card-pf-aggregate-status-notification">
                         <a href="{% url 'passbook_admin:providers' %}">
-                            <span class="pficon pficon-ok"></span>{{ provider_count }}
+                            {% if providers_without_application.exists %}
+                            <span class="pficon-warning-triangle-o" data-toggle="tooltip" data-placement="right" title="{% trans 'Warning: At least one Provider has no application assigned.' %}"></span> {{ provider_count }}
+                            {% else %}
+                            <span class="pficon pficon-ok"></span> {{ provider_count }}
+                            {% endif %}
                         </a>
                     </span>
                 </p>
@@ -72,9 +76,13 @@
             <div class="card-pf-body">
                 <p class="card-pf-aggregate-status-notifications">
                     <span class="card-pf-aggregate-status-notification">
-                        <a href="{% url 'passbook_admin:factors' %}">
-                            <span class="pficon pficon-ok"></span>{{ factor_count }}
-                        </a>
+                        {% if factor_count < 1 %}
+                        <span class="pficon-error-circle-o" data-toggle="tooltip" data-placement="right"
+                            title="{% trans 'No Factors configured. No Users will be able to login.' %}"></span>
+                        {{ factor_count }}
+                        {% else %}
+                        <span class="pficon pficon-ok"></span>{{ factor_count }}
+                        {% endif %}
                     </span>
                 </p>
             </div>
@@ -91,9 +99,13 @@
             <div class="card-pf-body">
                 <p class="card-pf-aggregate-status-notifications">
                     <span class="card-pf-aggregate-status-notification">
-                        <a href="{% url 'passbook_admin:policies' %}">
-                            <span class="pficon pficon-ok"></span>{{ policy_count }}
-                        </a>
+                        {% if policies_without_attachment > 0 %}
+                        <span class="pficon-warning-triangle-o" data-toggle="tooltip" data-placement="right"
+                            title="{% trans 'Policies without attachment exist.' %}"></span>
+                        {{ policy_count }}
+                        {% else %}
+                        <span class="pficon pficon-ok"></span>{{ policy_count }}
+                        {% endif %}
                     </span>
                 </p>
             </div>
@@ -140,10 +152,8 @@
     <div class="col-xs-6 col-sm-2 col-md-2">
         <div class="card-pf card-pf-accented card-pf-aggregate-status">
             <h2 class="card-pf-title">
-                <a href="#">
-                    <span class="pficon-bundle"></span>
-                    <span class="card-pf-aggregate-status-count"></span> {% trans 'Version' %}
-                </a>
+                <span class="pficon-bundle"></span>
+                <span class="card-pf-aggregate-status-count"></span> {% trans 'Version' %}
             </h2>
             <div class="card-pf-body">
                 <p class="card-pf-aggregate-status-notifications">
@@ -168,7 +178,34 @@
                 <p class="card-pf-aggregate-status-notifications">
                     <span class="card-pf-aggregate-status-notification">
                         <a href="#">
+                            {% if worker_count < 1%}
+                            <span class="pficon-error-circle-o" data-toggle="tooltip" data-placement="right"
+                                title="{% trans 'No workers connected. Policies will not work and you may expect other issues.' %}"></span> {{ worker_count }}
+                            {% else %}
                             <span class="pficon pficon-ok"></span>{{ worker_count }}
+                            {% endif %}
+                        </a>
+                    </span>
+                </p>
+            </div>
+        </div>
+    </div>
+    <div class="col-xs-6 col-sm-2 col-md-2">
+        <div class="card-pf card-pf-accented card-pf-aggregate-status">
+            <h2 class="card-pf-title">
+                <span class="pficon-server"></span>
+                <span class="card-pf-aggregate-status-count"></span> {% trans 'Cached Policies' %}
+            </h2>
+            <div class="card-pf-body">
+                <p class="card-pf-aggregate-status-notifications">
+                    <span class="card-pf-aggregate-status-notification">
+                        <a href="#" data-toggle="modal" data-target="#clearCacheMOdal">
+                            {% if cached_policies < 1 %}
+                            <span class="pficon-warning-triangle-o" data-toggle="tooltip" data-placement="right"
+                                title="{% trans 'No policies cached. Users may experience slow response times.' %}"></span> {{ cached_policies }}
+                            {% else %}
+                            <span class="pficon pficon-ok"></span>{{ cached_policies }}
+                            {% endif %}
                         </a>
                     </span>
                 </p>
@@ -176,4 +213,36 @@
         </div>
     </div>
 </div>
+<div class="modal fade" id="clearCacheMOdal" tabindex="-1" role="dialog" aria-labelledby="clearCacheMOdalLabel" aria-hidden="true">
+  <div class="modal-dialog">
+    <div class="modal-content">
+      <div class="modal-header">
+        <button type="button" class="close" data-dismiss="modal" aria-hidden="true">
+          <span class="pficon pficon-close"></span>
+        </button>
+        <h4 class="modal-title" id="clearCacheMOdalLabel">{% trans 'Clear Cache' %}</h4>
+      </div>
+      <div class="modal-body">
+        <form method="post" id="clearForm">
+            {% csrf_token %}
+            <input type="hidden" name="clear">
+            <p>
+                {% blocktrans %}
+                    Are you sure you want to clear the cache? This includes all user sessions and all cached Policy results.
+                {% endblocktrans %}
+            </p>
+            <h3>
+                {% blocktrans %}
+                    This will also log you out.
+                {% endblocktrans %}
+            </h3>
+        </form>
+      </div>
+      <div class="modal-footer">
+        <button type="button" class="btn btn-default" data-dismiss="modal">Cancel</button>
+        <button form="clearForm" type="submit" type="button" class="btn btn-danger">{% trans 'Clear' %}</button>
+      </div>
+    </div>
+  </div>
+</div>
 {% endblock %}

passbook/admin/templates/administration/policy/list.html

@@ -20,7 +20,7 @@
         <ul class="dropdown-menu" role="menu" aria-labelledby="createDropdown">
             {% for type, name in types.items %}
             <li role="presentation"><a role="menuitem" tabindex="-1"
-                    href="{% url 'passbook_admin:policy-create' %}?type={{ type }}">{{ name }}</a></li>
+                    href="{% url 'passbook_admin:policy-create' %}?type={{ type }}&back={{ request.get_full_path }}">{{ name }}</a></li>
             {% endfor %}
         </ul>
     </div>
@@ -28,16 +28,24 @@
     <table class="table table-striped table-bordered">
         <thead>
             <tr>
+                <th></th>
                 <th>{% trans 'Name' %}</th>
-                <th>{% trans 'Class' %}</th>
+                <th>{% trans 'Type' %}</th>
                 <th></th>
             </tr>
         </thead>
         <tbody>
             {% for policy in object_list %}
-            <tr>
+            <tr {% if not policy.policymodel_set.exists %} class="warning" {% endif %}>
+                <th>
+                    {% if not policy.policymodel_set.exists %}
+                    <span class="pficon-warning-triangle-o" data-toggle="tooltip" data-placement="right" title="{% trans 'Warning: Policy is not assigned.' %}"></span>
+                    {% else %}
+                    <span class="pficon-ok" data-toggle="tooltip" data-placement="right" title="{% blocktrans with objects=policy.policymodel_set.all|join:', ' %}Assigned to objects {{ objects }}{% endblocktrans %}"></span>
+                    {% endif %}
+                </th>
                 <td>{{ policy.name }}</td>
-                <td>{{ policy|fieldtype }}</td>
+                <td>{{ policy|verbose_name }}</td>
                 <td>
                     <a class="btn btn-default btn-sm"
                         href="{% url 'passbook_admin:policy-update' pk=policy.uuid %}?back={{ request.get_full_path }}">{% trans 'Edit' %}</a>

passbook/admin/templates/administration/policy/test.html

@@ -5,3 +5,22 @@
 {% block above_form %}
 <h1>{% blocktrans with policy=policy %}Test policy {{ policy }}{% endblocktrans %}</h1>
 {% endblock %}
+
+{% block action %}
+{% trans 'Test' %}
+{% endblock %}
+
+{% block beneath_form %}
+<p class="loading" style="display: none;">
+  <span class="spinner spinner-xs spinner-inline"></span> {% trans 'Processing, please wait...' %}
+</p>
+{% endblock %}
+
+{% block scripts %}
+{{ block.super }}
+<script>
+  $('form').on('submit', function () {
+    $('p.loading').show();
+  })
+</script>
+{% endblock %}

passbook/admin/templates/administration/property_mapping/list.html

@@ -0,0 +1,52 @@
+{% extends "administration/base.html" %}
+
+{% load i18n %}
+{% load utils %}
+
+{% block title %}
+{% title %}
+{% endblock %}
+
+{% block content %}
+<div class="container">
+    <h1><span class="fa fa-table"></span> {% trans "Property Mappings" %}</h1>
+    <span>{% trans "Property Mappings allow you expose provider-specific attributes." %}</span>
+    <hr>
+    <div class="dropdown">
+        <button class="btn btn-primary dropdown-toggle" type="button" id="createDropdown" data-toggle="dropdown">
+            {% trans 'Create...' %}
+            <span class="caret"></span>
+        </button>
+        <ul class="dropdown-menu" role="menu" aria-labelledby="createDropdown">
+            {% for type, name in types.items %}
+            <li role="presentation"><a role="menuitem" tabindex="-1"
+                    href="{% url 'passbook_admin:property-mapping-create' %}?type={{ type }}&back={{ request.get_full_path }}">{{ name }}</a></li>
+            {% endfor %}
+        </ul>
+    </div>
+    <hr>
+    <table class="table table-striped table-bordered">
+        <thead>
+            <tr>
+                <th>{% trans 'Name' %}</th>
+                <th>{% trans 'Type' %}</th>
+                <th></th>
+            </tr>
+        </thead>
+        <tbody>
+            {% for property_mapping in object_list %}
+            <tr>
+                <td>{{ property_mapping.name }}</td>
+                <td>{{ property_mapping|verbose_name }}</td>
+                <td>
+                    <a class="btn btn-default btn-sm"
+                        href="{% url 'passbook_admin:property-mapping-update' pk=property_mapping.pk %}?back={{ request.get_full_path }}">{% trans 'Edit' %}</a>
+                    <a class="btn btn-default btn-sm"
+                        href="{% url 'passbook_admin:property-mapping-delete' pk=property_mapping.pk %}?back={{ request.get_full_path }}">{% trans 'Delete' %}</a>
+                </td>
+            </tr>
+            {% endfor %}
+        </tbody>
+    </table>
+</div>
+{% endblock %}

passbook/admin/templates/administration/provider/list.html

@@ -21,7 +21,7 @@
         <ul class="dropdown-menu" role="menu" aria-labelledby="createDropdown">
             {% for type, name in types.items %}
             <li role="presentation"><a role="menuitem" tabindex="-1"
-                    href="{% url 'passbook_admin:provider-create' %}?type={{ type }}">{{ name }}</a></li>
+                    href="{% url 'passbook_admin:provider-create' %}?type={{ type }}&back={{ request.get_full_path }}">{{ name }}</a></li>
             {% endfor %}
         </ul>
     </div>
@@ -29,16 +29,24 @@
     <table class="table table-striped table-bordered">
         <thead>
             <tr>
+                <th></th>
                 <th>{% trans 'Name' %}</th>
-                <th>{% trans 'Class' %}</th>
+                <th>{% trans 'Type' %}</th>
                 <th></th>
             </tr>
         </thead>
         <tbody>
             {% for provider in object_list %}
-            <tr>
+            <tr {% if not provider.application %} class="warning" {% endif %}>
+                <th>
+                    {% if not provider.application %}
+                    <span class="pficon-warning-triangle-o" data-toggle="tooltip" data-placement="right" title="{% trans 'Warning: Provider has no application assigned.' %}"></span>
+                    {% else %}
+                    <span class="pficon-ok" data-toggle="tooltip" data-placement="right" title="{% blocktrans with app=provider.application %}Assigned to Application {{ app }}{% endblocktrans %}"></span>
+                    {% endif %}
+                </th>
                 <td>{{ provider.name }}</td>
-                <td>{{ provider|fieldtype }}</td>
+                <td>{{ provider|verbose_name }}</td>
                 <td>
                     <a class="btn btn-default btn-sm"
                         href="{% url 'passbook_admin:provider-update' pk=provider.pk %}?back={{ request.get_full_path }}">{% trans 'Edit' %}</a>
@@ -49,6 +57,10 @@
                     <a class="btn btn-default btn-sm"
                         href="{{ href }}?back={{ request.get_full_path }}">{% trans name %}</a>
                     {% endfor %}
+                    {% get_htmls provider as htmls %}
+                    {% for html in htmls %}
+                    {{ html|safe }}
+                    {% endfor %}
                 </td>
             </tr>
             {% endfor %}

passbook/admin/templates/administration/source/list.html

@@ -17,7 +17,7 @@
         <ul class="dropdown-menu" role="menu" aria-labelledby="createDropdown">
             {% for type, name in types.items %}
             <li role="presentation"><a role="menuitem" tabindex="-1"
-                    href="{% url 'passbook_admin:source-create' %}?type={{ type }}">{{ name }}</a></li>
+                    href="{% url 'passbook_admin:source-create' %}?type={{ type }}&back={{ request.get_full_path }}">{{ name }}</a></li>
             {% endfor %}
         </ul>
     </div>
@@ -36,7 +36,7 @@
             <tr>
                 <td>{{ source.name }}</td>
                 <td>{{ source|fieldtype }}</td>
-                <td>{{ source.additional_info }}</td>
+                <td>{{ source.additional_info|safe }}</td>
                 <td>
                     <a class="btn btn-default btn-sm"
                         href="{% url 'passbook_admin:source-update' pk=source.uuid %}?back={{ request.get_full_path }}">{% trans 'Edit' %}</a>

passbook/admin/templates/administration/user/list.html

@@ -11,8 +11,7 @@
         <thead>
             <tr>
                 <th>{% trans 'Username' %}</th>
-                <th>{% trans 'First Name' %}</th>
-                <th>{% trans 'Last Name' %}</th>
+                <th>{% trans 'Name' %}</th>
                 <th>{% trans 'Active' %}</th>
                 <th>{% trans 'Last Login' %}</th>
                 <th></th>
@@ -22,8 +21,7 @@
             {% for user in object_list %}
             <tr>
                 <td>{{ user.username }}</td>
-                <td>{{ user.first_name|default:'-' }}</td>
-                <td>{{ user.last_name|default:'-' }}</td>
+                <td>{{ user.name|default:'-' }}</td>
                 <td>{{ user.is_active }}</td>
                 <td>{{ user.last_login }}</td>
                 <td>
@@ -33,6 +31,8 @@
                         href="{% url 'passbook_admin:user-delete' pk=user.pk %}?back={{ request.get_full_path }}">{% trans 'Delete' %}</a>
                     <a class="btn btn-default btn-sm"
                         href="{% url 'passbook_admin:user-password-reset' pk=user.pk %}?back={{ request.get_full_path }}">{% trans 'Reset Password' %}</a>
+                    <a class="btn btn-default btn-sm"
+                        href="{% url 'passbook_core:overview' %}?__impersonate={{ user.pk }}">{% trans 'Impersonate' %}</a>
                 </td>
             </tr>
             {% endfor %}

passbook/admin/templates/generic/create.html

@@ -1,11 +1,12 @@
 {% extends "generic/form.html" %}
 
+{% load utils %}
 {% load i18n %}
 
 {% block above_form %}
-<h1>{% trans 'Create' %}</h1>
+<h1>{% blocktrans with type=form|form_verbose_name %}Create {{ type }}{% endblocktrans %}</h1>
 {% endblock %}
 
 {% block action %}
-{% trans 'Create' %}
+{% blocktrans with type=form|form_verbose_name %}Create {{ type }}{% endblocktrans %}
 {% endblock %}

passbook/admin/templates/generic/create_inheritance.html

@@ -1,11 +0,0 @@
-{% extends "generic/create.html" %}
-
-{% load i18n %}
-
-{% block title %}
-{% blocktrans with type=request.GET.type %}Create {{ type }}{% endblocktrans %}
-{% endblock %}
-
-{% block above_form %}
-<h1>{% blocktrans with type=request.GET.type %}Create {{ type }}{% endblocktrans %}</h1>
-{% endblock %}

passbook/admin/templates/generic/form.html

@@ -2,6 +2,21 @@
 
 {% load i18n %}
 {% load utils %}
+{% load static %}
+
+{% block head %}
+{{ block.super }}
+{{ form.media.css }}
+<script type="text/javascript" src="{% url 'admin:jsi18n' %}"></script>
+<script type="text/javascript" src="{% static 'admin/js/vendor/jquery/jquery.js' %}"></script>
+<script type="text/javascript" src="{% static 'admin/js/jquery.init.js' %}"></script>
+<script type="text/javascript" src="{% static 'admin/js/core.js' %}"></script>
+<script type="text/javascript" src="{% static 'admin/js/actions.js' %}"></script>
+<script type="text/javascript" src="{% static 'admin/js/urlify.js' %}"></script>
+<script type="text/javascript" src="{% static 'admin/js/prepopulate.js' %}"></script>
+<script type="text/javascript" src="{% static 'admin/js/SelectBox.js' %}"></script>
+<script type="text/javascript" src="{% static 'admin/js/SelectFilter2.js' %}"></script>
+{% endblock %}
 
 {% block content %}
 <div class="container">
@@ -14,5 +29,12 @@
       <input type="submit" class="btn btn-primary" value="{% block action %}{% endblock %}" />
     </form>
   </div>
+  {% block beneath_form %}
+  {% endblock %}
 </div>
 {% endblock %}
+
+{% block scripts %}
+{{ block.super }}
+{{ form.media.js }}
+{% endblock %}

passbook/admin/templates/generic/update.html

@@ -1,11 +1,12 @@
 {% extends "generic/form.html" %}
 
+{% load utils %}
 {% load i18n %}
 
 {% block above_form %}
-<h1>{% trans 'Update' %}</h1>
+<h1>{% blocktrans with type=form|form_verbose_name %}Update {{ type }}{% endblocktrans %}</h1>
 {% endblock %}
 
 {% block action %}
-{% trans 'Update' %}
+{% blocktrans with type=form|form_verbose_name %}Update {{ type }}{% endblocktrans %}
 {% endblock %}

passbook/admin/templatetags/admin_reflection.py

@@ -5,6 +5,8 @@ from logging import getLogger
 from django import template
 from django.db.models import Model
 
+from passbook.lib.utils.template import render_to_string
+
 register = template.Library()
 LOGGER = getLogger(__name__)
 
@@ -29,3 +31,24 @@ def get_links(model_instance):
         pass
 
     return links
+
+
+@register.simple_tag(takes_context=True)
+def get_htmls(context, model_instance):
+    """Find all html_ methods on an object instance, run them and return as dict"""
+    prefix = 'html_'
+    htmls = []
+
+    if not isinstance(model_instance, Model):
+        LOGGER.warning("Model %s is not instance of Model", model_instance)
+        return htmls
+
+    try:
+        for name, method in inspect.getmembers(model_instance, predicate=inspect.ismethod):
+            if name.startswith(prefix):
+                template, _context = method(context.get('request'))
+                htmls.append(render_to_string(template, _context))
+    except NotImplementedError:
+        pass
+
+    return htmls

passbook/admin/urls.py

@@ -1,9 +1,9 @@
 """passbook URL Configuration"""
 from django.urls import include, path
 
-from passbook.admin.views import (applications, audit, factors, groups,
-                                  invitations, overview, policy, providers,
-                                  sources, users)
+from passbook.admin.views import (applications, audit, debug, factors, groups,
+                                  invitations, overview, policy,
+                                  property_mapping, providers, sources, users)
 
 urlpatterns = [
     path('', overview.AdministrationOverviewView.as_view(), name='overview'),
@@ -43,6 +43,15 @@ urlpatterns = [
          factors.FactorUpdateView.as_view(), name='factor-update'),
     path('factors/<uuid:pk>/delete/',
          factors.FactorDeleteView.as_view(), name='factor-delete'),
+    # Factors
+    path('property-mappings/', property_mapping.PropertyMappingListView.as_view(),
+         name='property-mappings'),
+    path('property-mappings/create/',
+         property_mapping.PropertyMappingCreateView.as_view(), name='property-mapping-create'),
+    path('property-mappings/<uuid:pk>/update/',
+         property_mapping.PropertyMappingUpdateView.as_view(), name='property-mapping-update'),
+    path('property-mappings/<uuid:pk>/delete/',
+         property_mapping.PropertyMappingDeleteView.as_view(), name='property-mapping-delete'),
     # Invitations
     path('invitations/', invitations.InvitationListView.as_view(), name='invitations'),
     path('invitations/create/',
@@ -58,10 +67,17 @@ urlpatterns = [
          users.UserDeleteView.as_view(), name='user-delete'),
     path('users/<int:pk>/reset/',
          users.UserPasswordResetView.as_view(), name='user-password-reset'),
+    # Groups
+    path('group/', groups.GroupListView.as_view(), name='group'),
+    path('group/create/', groups.GroupCreateView.as_view(), name='group-create'),
+    path('group/<uuid:pk>/update/', groups.GroupUpdateView.as_view(), name='group-update'),
+    path('group/<uuid:pk>/delete/', groups.GroupDeleteView.as_view(), name='group-delete'),
     # Audit Log
     path('audit/', audit.AuditEntryListView.as_view(), name='audit-log'),
     # Groups
     path('groups/', groups.GroupListView.as_view(), name='groups'),
     # API
-    path('api/', include('passbook.admin.api.urls'))
+    path('api/', include('passbook.admin.api.urls')),
+    # Debug
+    path('debug/request/', debug.DebugRequestView.as_view(), name='debug-request'),
 ]

passbook/admin/views/applications.py

@@ -14,6 +14,7 @@ class ApplicationListView(AdminRequiredMixin, ListView):
     """Show list of all applications"""
 
     model = Application
+    ordering = 'name'
     template_name = 'administration/application/list.html'
 
     def get_queryset(self):
@@ -29,6 +30,10 @@ class ApplicationCreateView(SuccessMessageMixin, AdminRequiredMixin, CreateView)
     success_url = reverse_lazy('passbook_admin:applications')
     success_message = _('Successfully created Application')
 
+    def get_context_data(self, **kwargs):
+        kwargs['type'] = 'Application'
+        return super().get_context_data(**kwargs)
+
 
 class ApplicationUpdateView(SuccessMessageMixin, AdminRequiredMixin, UpdateView):
     """Update application"""

passbook/admin/views/debug.py

@@ -0,0 +1,17 @@
+"""passbook administration debug views"""
+
+from django.views.generic import TemplateView
+
+from passbook.admin.mixins import AdminRequiredMixin
+
+
+class DebugRequestView(AdminRequiredMixin, TemplateView):
+    """Show debug info about request"""
+
+    template_name = 'administration/debug/request.html'
+
+    def get_context_data(self, **kwargs):
+        kwargs['request_dict'] = {}
+        for key in dir(self.request):
+            kwargs['request_dict'][key] = getattr(self.request, key)
+        return super().get_context_data(**kwargs)

passbook/admin/views/factors.py

@@ -34,7 +34,7 @@ class FactorListView(AdminRequiredMixin, ListView):
 class FactorCreateView(SuccessMessageMixin, AdminRequiredMixin, CreateView):
     """Create new Factor"""
 
-    template_name = 'generic/create_inheritance.html'
+    template_name = 'generic/create.html'
     success_url = reverse_lazy('passbook_admin:factors')
     success_message = _('Successfully created Factor')
 

passbook/admin/views/groups.py

@@ -1,12 +1,57 @@
 """passbook Group administration"""
-from django.views.generic import ListView
+from django.contrib import messages
+from django.contrib.messages.views import SuccessMessageMixin
+from django.urls import reverse_lazy
+from django.utils.translation import ugettext as _
+from django.views.generic import CreateView, DeleteView, ListView, UpdateView
 
 from passbook.admin.mixins import AdminRequiredMixin
+from passbook.core.forms.groups import GroupForm
 from passbook.core.models import Group
 
 
 class GroupListView(AdminRequiredMixin, ListView):
-    """Show list of all invitations"""
+    """Show list of all groups"""
 
     model = Group
-    template_name = 'administration/groups/list.html'
+    ordering = 'name'
+    template_name = 'administration/group/list.html'
+
+
+class GroupCreateView(SuccessMessageMixin, AdminRequiredMixin, CreateView):
+    """Create new Group"""
+
+    form_class = GroupForm
+
+    template_name = 'generic/create.html'
+    success_url = reverse_lazy('passbook_admin:groups')
+    success_message = _('Successfully created Group')
+
+    def get_context_data(self, **kwargs):
+        kwargs['type'] = 'Group'
+        return super().get_context_data(**kwargs)
+
+
+class GroupUpdateView(SuccessMessageMixin, AdminRequiredMixin, UpdateView):
+    """Update group"""
+
+    model = Group
+    form_class = GroupForm
+
+    template_name = 'generic/update.html'
+    success_url = reverse_lazy('passbook_admin:groups')
+    success_message = _('Successfully updated Group')
+
+
+class GroupDeleteView(SuccessMessageMixin, AdminRequiredMixin, DeleteView):
+    """Delete group"""
+
+    model = Group
+
+    template_name = 'generic/delete.html'
+    success_url = reverse_lazy('passbook_admin:groups')
+    success_message = _('Successfully deleted Group')
+
+    def delete(self, request, *args, **kwargs):
+        messages.success(self.request, self.success_message)
+        return super().delete(request, *args, **kwargs)

passbook/admin/views/invitations.py

@@ -27,6 +27,10 @@ class InvitationCreateView(SuccessMessageMixin, AdminRequiredMixin, CreateView):
     success_message = _('Successfully created Invitation')
     form_class = InvitationForm
 
+    def get_context_data(self, **kwargs):
+        kwargs['type'] = 'Invitation'
+        return super().get_context_data(**kwargs)
+
     def form_valid(self, form):
         obj = form.save(commit=False)
         obj.created_by = self.request.user

passbook/admin/views/overview.py

@@ -1,11 +1,13 @@
 """passbook administration overview"""
+from django.core.cache import cache
+from django.shortcuts import redirect, reverse
 from django.views.generic import TemplateView
 
 from passbook.admin.mixins import AdminRequiredMixin
 from passbook.core import __version__
-from passbook.core.celery import CELERY_APP
 from passbook.core.models import (Application, Factor, Invitation, Policy,
                                   Provider, Source, User)
+from passbook.root.celery import CELERY_APP
 
 
 class AdministrationOverviewView(AdminRequiredMixin, TemplateView):
@@ -13,6 +15,13 @@ class AdministrationOverviewView(AdminRequiredMixin, TemplateView):
 
     template_name = 'administration/overview.html'
 
+    def post(self, *args, **kwargs):
+        """Handle post (clear cache from modal)"""
+        if 'clear' in self.request.POST:
+            cache.clear()
+            return redirect(reverse('passbook_core:auth-login'))
+        return self.get(*args, **kwargs)
+
     def get_context_data(self, **kwargs):
         kwargs['application_count'] = len(Application.objects.all())
         kwargs['policy_count'] = len(Policy.objects.all())
@@ -23,4 +32,7 @@ class AdministrationOverviewView(AdminRequiredMixin, TemplateView):
         kwargs['invitation_count'] = len(Invitation.objects.all())
         kwargs['version'] = __version__
         kwargs['worker_count'] = len(CELERY_APP.control.ping(timeout=0.5))
+        kwargs['providers_without_application'] = Provider.objects.filter(application=None)
+        kwargs['policies_without_attachment'] = len(Policy.objects.filter(policymodel__isnull=True))
+        kwargs['cached_policies'] = len(cache.keys('policy_*'))
         return super().get_context_data(**kwargs)

passbook/admin/views/policy.py

@@ -11,6 +11,7 @@ from django.views.generic.detail import DetailView
 from passbook.admin.forms.policies import PolicyTestForm
 from passbook.admin.mixins import AdminRequiredMixin
 from passbook.core.models import Policy
+from passbook.core.policies import PolicyEngine
 from passbook.lib.utils.reflection import path_to_class
 
 
@@ -32,7 +33,7 @@ class PolicyListView(AdminRequiredMixin, ListView):
 class PolicyCreateView(SuccessMessageMixin, AdminRequiredMixin, CreateView):
     """Create new Policy"""
 
-    template_name = 'generic/create_inheritance.html'
+    template_name = 'generic/create.html'
     success_url = reverse_lazy('passbook_admin:policies')
     success_message = _('Successfully created Policy')
 
@@ -100,7 +101,9 @@ class PolicyTestView(AdminRequiredMixin, DetailView, FormView):
     def form_valid(self, form):
         policy = self.get_object()
         user = form.cleaned_data.get('user')
-        result = policy.passes(user)
+        policy_engine = PolicyEngine([policy])
+        policy_engine.for_user(user).with_request(self.request).build()
+        result = policy_engine.passing
         if result:
             messages.success(self.request, _('User successfully passed policy.'))
         else:

passbook/admin/views/property_mapping.py

@@ -0,0 +1,90 @@
+"""passbook PropertyMapping administration"""
+from django.contrib import messages
+from django.contrib.messages.views import SuccessMessageMixin
+from django.http import Http404
+from django.urls import reverse_lazy
+from django.utils.translation import ugettext as _
+from django.views.generic import CreateView, DeleteView, ListView, UpdateView
+
+from passbook.admin.mixins import AdminRequiredMixin
+from passbook.core.models import PropertyMapping
+from passbook.lib.utils.reflection import path_to_class
+
+
+def all_subclasses(cls):
+    """Recursively return all subclassess of cls"""
+    return set(cls.__subclasses__()).union(
+        [s for c in cls.__subclasses__() for s in all_subclasses(c)])
+
+
+class PropertyMappingListView(AdminRequiredMixin, ListView):
+    """Show list of all property_mappings"""
+
+    model = PropertyMapping
+    template_name = 'administration/property_mapping/list.html'
+    ordering = 'name'
+
+    def get_context_data(self, **kwargs):
+        kwargs['types'] = {
+            x.__name__: x._meta.verbose_name for x in all_subclasses(PropertyMapping)}
+        return super().get_context_data(**kwargs)
+
+    def get_queryset(self):
+        return super().get_queryset().select_subclasses()
+
+
+class PropertyMappingCreateView(SuccessMessageMixin, AdminRequiredMixin, CreateView):
+    """Create new PropertyMapping"""
+
+    template_name = 'generic/create.html'
+    success_url = reverse_lazy('passbook_admin:property-mappings')
+    success_message = _('Successfully created Property Mapping')
+
+    def get_context_data(self, **kwargs):
+        kwargs = super().get_context_data(**kwargs)
+        property_mapping_type = self.request.GET.get('type')
+        model = next(x for x in all_subclasses(PropertyMapping)
+                     if x.__name__ == property_mapping_type)
+        kwargs['type'] = model._meta.verbose_name
+        return kwargs
+
+    def get_form_class(self):
+        property_mapping_type = self.request.GET.get('type')
+        model = next(x for x in all_subclasses(PropertyMapping)
+                     if x.__name__ == property_mapping_type)
+        if not model:
+            raise Http404
+        return path_to_class(model.form)
+
+
+class PropertyMappingUpdateView(SuccessMessageMixin, AdminRequiredMixin, UpdateView):
+    """Update property_mapping"""
+
+    model = PropertyMapping
+    template_name = 'generic/update.html'
+    success_url = reverse_lazy('passbook_admin:property-mappings')
+    success_message = _('Successfully updated Property Mapping')
+
+    def get_form_class(self):
+        form_class_path = self.get_object().form
+        form_class = path_to_class(form_class_path)
+        return form_class
+
+    def get_object(self, queryset=None):
+        return PropertyMapping.objects.filter(pk=self.kwargs.get('pk')).select_subclasses().first()
+
+
+class PropertyMappingDeleteView(SuccessMessageMixin, AdminRequiredMixin, DeleteView):
+    """Delete property_mapping"""
+
+    model = PropertyMapping
+    template_name = 'generic/delete.html'
+    success_url = reverse_lazy('passbook_admin:property-mappings')
+    success_message = _('Successfully deleted Property Mapping')
+
+    def get_object(self, queryset=None):
+        return PropertyMapping.objects.filter(pk=self.kwargs.get('pk')).select_subclasses().first()
+
+    def delete(self, request, *args, **kwargs):
+        messages.success(self.request, self.success_message)
+        return super().delete(request, *args, **kwargs)

passbook/admin/views/providers.py

@@ -29,7 +29,7 @@ class ProviderListView(AdminRequiredMixin, ListView):
 class ProviderCreateView(SuccessMessageMixin, AdminRequiredMixin, CreateView):
     """Create new Provider"""
 
-    template_name = 'generic/create_inheritance.html'
+    template_name = 'generic/create.html'
     success_url = reverse_lazy('passbook_admin:providers')
     success_message = _('Successfully created Provider')
 

passbook/admin/views/sources.py

@@ -34,7 +34,7 @@ class SourceListView(AdminRequiredMixin, ListView):
 class SourceCreateView(SuccessMessageMixin, AdminRequiredMixin, CreateView):
     """Create new Source"""
 
-    template_name = 'generic/create_inheritance.html'
+    template_name = 'generic/create.html'
     success_url = reverse_lazy('passbook_admin:sources')
     success_message = _('Successfully created Source')
 

passbook/admin/views/users.py

@@ -7,8 +7,8 @@ from django.utils.translation import ugettext as _
 from django.views import View
 from django.views.generic import DeleteView, ListView, UpdateView
 
+from passbook.admin.forms.users import UserForm
 from passbook.admin.mixins import AdminRequiredMixin
-from passbook.core.forms.users import UserDetailForm
 from passbook.core.models import Nonce, User
 
 
@@ -23,7 +23,7 @@ class UserUpdateView(SuccessMessageMixin, AdminRequiredMixin, UpdateView):
     """Update user"""
 
     model = User
-    form_class = UserDetailForm
+    form_class = UserForm
 
     template_name = 'generic/update.html'
     success_url = reverse_lazy('passbook_admin:users')

passbook/api/__init__.py

@@ -1,2 +1,2 @@
 """passbook api"""
-__version__ = '0.0.10-alpha'
+__version__ = '0.2.0-beta'

passbook/api/v1/openid.py

@@ -14,8 +14,8 @@ class OpenIDUserInfoView(ScopedResourceMixin, View):
         payload = {
             'sub': request.user.uuid.int,
             'name': request.user.get_full_name(),
-            'given_name': request.user.first_name,
-            'family_name': request.user.last_name,
+            'given_name': request.user.name,
+            'family_name': '',
             'preferred_username': request.user.username,
             'email': request.user.email,
         }

passbook/app_gw/__init__.py

@@ -0,0 +1,2 @@
+"""passbook Application Security Gateway Header"""
+__version__ = '0.2.0-beta'

passbook/app_gw/admin.py

@@ -0,0 +1,5 @@
+"""passbook Application Security Gateway model admin"""
+
+from passbook.lib.admin import admin_autoregister
+
+admin_autoregister('passbook_app_gw')

passbook/app_gw/apps.py

@@ -0,0 +1,16 @@
+"""passbook Application Security Gateway app"""
+from importlib import import_module
+
+from django.apps import AppConfig
+
+
+class PassbookApplicationApplicationGatewayConfig(AppConfig):
+    """passbook app_gw app"""
+
+    name = 'passbook.app_gw'
+    label = 'passbook_app_gw'
+    verbose_name = 'passbook Application Security Gateway'
+    mountpoint = 'app_gw/'
+
+    def ready(self):
+        import_module('passbook.app_gw.signals')

passbook/app_gw/forms.py

@@ -0,0 +1,66 @@
+"""passbook Application Security Gateway Forms"""
+from urllib.parse import urlparse
+
+from django import forms
+from django.contrib.admin.widgets import FilteredSelectMultiple
+from django.forms import ValidationError
+from django.utils.translation import gettext as _
+
+from passbook.app_gw.models import ApplicationGatewayProvider, RewriteRule
+from passbook.lib.fields import DynamicArrayField
+
+
+class ApplicationGatewayProviderForm(forms.ModelForm):
+    """Security Gateway Provider form"""
+
+    def clean_server_name(self):
+        """Check if server_name is in DB already, since
+        Postgres ArrayField doesn't suppport keys."""
+        current = self.cleaned_data.get('server_name')
+        if ApplicationGatewayProvider.objects \
+                .filter(server_name__overlap=current) \
+                .exclude(pk=self.instance.pk).exists():
+            raise ValidationError(_("Server Name already in use."))
+        return current
+
+    def clean_upstream(self):
+        """Check that upstream begins with http(s)"""
+        for upstream in self.cleaned_data.get('upstream'):
+            _parsed_url = urlparse(upstream)
+
+            if _parsed_url.scheme not in ('http', 'https'):
+                raise ValidationError(_("URL Scheme must be either http or https"))
+        return self.cleaned_data.get('upstream')
+
+    class Meta:
+
+        model = ApplicationGatewayProvider
+        fields = ['server_name', 'upstream', 'enabled', 'authentication_header',
+                  'default_content_type', 'upstream_ssl_verification', 'property_mappings']
+        widgets = {
+            'authentication_header': forms.TextInput(),
+            'default_content_type': forms.TextInput(),
+            'property_mappings': FilteredSelectMultiple(_('Property Mappings'), False)
+        }
+        field_classes = {
+            'server_name': DynamicArrayField,
+            'upstream': DynamicArrayField
+        }
+        labels = {
+            'upstream_ssl_verification': _('Verify upstream SSL Certificates?'),
+            'property_mappings': _('Rewrite Rules')
+        }
+
+class RewriteRuleForm(forms.ModelForm):
+    """Rewrite Rule Form"""
+
+    class Meta:
+
+        model = RewriteRule
+        fields = ['name', 'match', 'halt', 'replacement', 'redirect', 'conditions']
+        widgets = {
+            'name': forms.TextInput(),
+            'match': forms.TextInput(attrs={'data-is-monospace': True}),
+            'replacement': forms.TextInput(attrs={'data-is-monospace': True}),
+            'conditions': FilteredSelectMultiple(_('Conditions'), False)
+        }

passbook/app_gw/middleware.py

@@ -0,0 +1,33 @@
+"""passbook app_gw middleware"""
+from django.views.generic import RedirectView
+
+from passbook.app_gw.proxy.handler import RequestHandler
+from passbook.lib.config import CONFIG
+
+
+class ApplicationGatewayMiddleware:
+    """Check if request should be proxied or handeled normally"""
+
+    _app_gw_cache = {}
+
+    def __init__(self, get_response):
+        self.get_response = get_response
+
+    def __call__(self, request):
+        # Rudimentary cache
+        host_header = request.META.get('HTTP_HOST')
+        if host_header not in self._app_gw_cache:
+            self._app_gw_cache[host_header] = RequestHandler.find_app_gw_for_request(request)
+        if self._app_gw_cache[host_header]:
+            return self.dispatch(request, self._app_gw_cache[host_header])
+        return self.get_response(request)
+
+    def dispatch(self, request, app_gw):
+        """Build proxied request and pass to upstream"""
+        handler = RequestHandler(app_gw, request)
+
+        if not handler.check_permission():
+            to_url = 'https://%s/?next=%s' % (CONFIG.get('domains')[0], request.get_full_path())
+            return RedirectView.as_view(url=to_url)(request)
+
+        return handler.get_response()

passbook/app_gw/migrations/0001_initial.py

@@ -0,0 +1,50 @@
+# Generated by Django 2.1.7 on 2019-03-20 21:38
+
+import django.contrib.postgres.fields
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+        ('passbook_core', '0020_groupmembershippolicy'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='ApplicationGatewayProvider',
+            fields=[
+                ('provider_ptr', models.OneToOneField(auto_created=True, on_delete=django.db.models.deletion.CASCADE, parent_link=True, primary_key=True, serialize=False, to='passbook_core.Provider')),
+                ('server_name', django.contrib.postgres.fields.ArrayField(base_field=models.TextField(), size=None)),
+                ('upstream', django.contrib.postgres.fields.ArrayField(base_field=models.TextField(), size=None)),
+                ('enabled', models.BooleanField(default=True)),
+                ('authentication_header', models.TextField(default='X-Remote-User')),
+                ('default_content_type', models.TextField(default='application/octet-stream')),
+                ('upstream_ssl_verification', models.BooleanField(default=True)),
+            ],
+            options={
+                'verbose_name': 'Application Gateway Provider',
+                'verbose_name_plural': 'Application Gateway Providers',
+            },
+            bases=('passbook_core.provider',),
+        ),
+        migrations.CreateModel(
+            name='RewriteRule',
+            fields=[
+                ('propertymapping_ptr', models.OneToOneField(auto_created=True, on_delete=django.db.models.deletion.CASCADE, parent_link=True, primary_key=True, serialize=False, to='passbook_core.PropertyMapping')),
+                ('match', models.TextField()),
+                ('halt', models.BooleanField(default=False)),
+                ('replacement', models.TextField()),
+                ('redirect', models.CharField(choices=[('internal', 'Internal'), (301, 'Moved Permanently'), (302, 'Found')], max_length=50)),
+                ('conditions', models.ManyToManyField(to='passbook_core.Policy')),
+            ],
+            options={
+                'verbose_name': 'Rewrite Rule',
+                'verbose_name_plural': 'Rewrite Rules',
+            },
+            bases=('passbook_core.propertymapping',),
+        ),
+    ]

passbook/app_gw/migrations/0002_auto_20190321_1521.py

@@ -0,0 +1,18 @@
+# Generated by Django 2.1.7 on 2019-03-21 15:21
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('passbook_app_gw', '0001_initial'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='rewriterule',
+            name='conditions',
+            field=models.ManyToManyField(blank=True, to='passbook_core.Policy'),
+        ),
+    ]

passbook/app_gw/migrations/0003_auto_20190411_1314.py

@@ -0,0 +1,18 @@
+# Generated by Django 2.2 on 2019-04-11 13:14
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('passbook_app_gw', '0002_auto_20190321_1521'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='applicationgatewayprovider',
+            name='authentication_header',
+            field=models.TextField(blank=True, default='X-Remote-User'),
+        ),
+    ]

passbook/app_gw/models.py

@@ -0,0 +1,74 @@
+"""passbook app_gw models"""
+import re
+
+from django.contrib.postgres.fields import ArrayField
+from django.db import models
+from django.utils.translation import gettext as _
+
+from passbook.core.models import Policy, PropertyMapping, Provider
+
+
+class ApplicationGatewayProvider(Provider):
+    """Virtual server which proxies requests to any hostname in server_name to upstream"""
+
+    server_name = ArrayField(models.TextField())
+    upstream = ArrayField(models.TextField())
+    enabled = models.BooleanField(default=True)
+
+    authentication_header = models.TextField(default='X-Remote-User', blank=True)
+    default_content_type = models.TextField(default='application/octet-stream')
+    upstream_ssl_verification = models.BooleanField(default=True)
+
+    form = 'passbook.app_gw.forms.ApplicationGatewayProviderForm'
+
+    @property
+    def name(self):
+        """since this model has no name property, return a joined list of server_names as name"""
+        return ', '.join(self.server_name)
+
+    def __str__(self):
+        return "Application Gateway %s" % ', '.join(self.server_name)
+
+    class Meta:
+
+        verbose_name = _('Application Gateway Provider')
+        verbose_name_plural = _('Application Gateway Providers')
+
+
+class RewriteRule(PropertyMapping):
+    """Rewrite requests matching `match` with `replacement`, if all polcies in `conditions` apply"""
+
+    REDIRECT_INTERNAL = 'internal'
+    REDIRECT_PERMANENT = 301
+    REDIRECT_FOUND = 302
+
+    REDIRECTS = (
+        (REDIRECT_INTERNAL, _('Internal')),
+        (REDIRECT_PERMANENT, _('Moved Permanently')),
+        (REDIRECT_FOUND, _('Found')),
+    )
+
+    match = models.TextField()
+    halt = models.BooleanField(default=False)
+    conditions = models.ManyToManyField(Policy, blank=True)
+    replacement = models.TextField() # python formatted strings, use {match.1}
+    redirect = models.CharField(max_length=50, choices=REDIRECTS)
+
+    form = 'passbook.app_gw.forms.RewriteRuleForm'
+
+    _matcher = None
+
+    @property
+    def compiled_matcher(self):
+        """Cache the compiled regex in memory"""
+        if not self._matcher:
+            self._matcher = re.compile(self.match)
+        return self._matcher
+
+    def __str__(self):
+        return "Rewrite Rule %s" % self.name
+
+    class Meta:
+
+        verbose_name = _('Rewrite Rule')
+        verbose_name_plural = _('Rewrite Rules')

passbook/app_gw/proxy/exceptions.py

@@ -0,0 +1,8 @@
+"""Exception classes"""
+
+class ReverseProxyException(Exception):
+    """Base for revproxy exception"""
+
+
+class InvalidUpstream(ReverseProxyException):
+    """Invalid upstream set"""

passbook/app_gw/proxy/handler.py

@@ -0,0 +1,225 @@
+"""passbook app_gw request handler"""
+import mimetypes
+from logging import getLogger
+from random import SystemRandom
+from urllib.parse import urlparse
+
+import certifi
+import urllib3
+from django.core.cache import cache
+from django.utils.http import urlencode
+
+from passbook.app_gw.models import ApplicationGatewayProvider
+from passbook.app_gw.proxy.exceptions import InvalidUpstream
+from passbook.app_gw.proxy.response import get_django_response
+from passbook.app_gw.proxy.rewrite import Rewriter
+from passbook.app_gw.proxy.utils import encode_items, normalize_request_headers
+from passbook.core.models import Application
+from passbook.core.policies import PolicyEngine
+
+SESSION_UPSTREAM_KEY = 'passbook_app_gw_upstream'
+IGNORED_HOSTNAMES_KEY = 'passbook_app_gw_ignored'
+LOGGER = getLogger(__name__)
+QUOTE_SAFE = r'<.;>\(}*+|~=-$/_:^@)[{]&\'!,"`'
+ERRORS_MESSAGES = {
+    'upstream-no-scheme': ("Upstream URL scheme must be either "
+                           "'http' or 'https' (%s).")
+}
+HTTP_NO_VERIFY = urllib3.PoolManager()
+HTTP = urllib3.PoolManager(
+    cert_reqs='CERT_REQUIRED',
+    ca_certs=certifi.where())
+IGNORED_HOSTS = cache.get(IGNORED_HOSTNAMES_KEY, [])
+POLICY_CACHE = {}
+
+class RequestHandler:
+    """Forward requests"""
+
+    _parsed_url = None
+    _request_headers = None
+
+    def __init__(self, app_gw, request):
+        self.app_gw = app_gw
+        self.request = request
+        if self.app_gw.pk not in POLICY_CACHE:
+            POLICY_CACHE[self.app_gw.pk] = self.app_gw.application.policies.all()
+
+    @staticmethod
+    def find_app_gw_for_request(request):
+        """Check if a request should be proxied or forwarded to passbook"""
+        # Check if hostname is in cached list of ignored hostnames
+        # This saves us having to query the database on each request
+        host_header = request.META.get('HTTP_HOST')
+        if host_header in IGNORED_HOSTS:
+            # LOGGER.debug("%s is ignored", host_header)
+            return False
+        # Look through all ApplicationGatewayProviders and check hostnames
+        matches = ApplicationGatewayProvider.objects.filter(
+            server_name__contains=[host_header],
+            enabled=True)
+        if not matches.exists():
+            # Mo matching Providers found, add host header to ignored list
+            IGNORED_HOSTS.append(host_header)
+            cache.set(IGNORED_HOSTNAMES_KEY, IGNORED_HOSTS)
+            # LOGGER.debug("Ignoring %s", host_header)
+            return False
+        # At this point we're certain there's a matching ApplicationGateway
+        if len(matches) > 1:
+            # This should never happen
+            raise ValueError
+        app_gw = matches.first()
+        try:
+            # Check if ApplicationGateway is associated with application
+            getattr(app_gw, 'application')
+            if app_gw:
+                return app_gw
+        except Application.DoesNotExist:
+            pass
+            # LOGGER.debug("ApplicationGateway not associated with Application")
+        return True
+
+    def _get_upstream(self):
+        """Choose random upstream and save in session"""
+        if SESSION_UPSTREAM_KEY not in self.request.session:
+            self.request.session[SESSION_UPSTREAM_KEY] = {}
+        if self.app_gw.pk not in self.request.session[SESSION_UPSTREAM_KEY]:
+            upstream_index = int(SystemRandom().random() * len(self.app_gw.upstream))
+            self.request.session[SESSION_UPSTREAM_KEY][self.app_gw.pk] = upstream_index
+        return self.app_gw.upstream[self.request.session[SESSION_UPSTREAM_KEY][self.app_gw.pk]]
+
+    def get_upstream(self):
+        """Get upstream as parsed url"""
+        upstream = self._get_upstream()
+
+        self._parsed_url = urlparse(upstream)
+
+        if self._parsed_url.scheme not in ('http', 'https'):
+            raise InvalidUpstream(ERRORS_MESSAGES['upstream-no-scheme'] %
+                                  upstream)
+
+        return upstream
+
+    def _format_path_to_redirect(self):
+        # LOGGER.debug("Path before: %s", self.request.get_full_path())
+        rewriter = Rewriter(self.app_gw, self.request)
+        after = rewriter.build()
+        # LOGGER.debug("Path after: %s", after)
+        return after
+
+    def get_proxy_request_headers(self):
+        """Get normalized headers for the upstream
+        Gets all headers from the original request and normalizes them.
+        Normalization occurs by removing the prefix ``HTTP_`` and
+        replacing and ``_`` by ``-``. Example: ``HTTP_ACCEPT_ENCODING``
+        becames ``Accept-Encoding``.
+        .. versionadded:: 0.9.1
+        :param request:  The original HTTPRequest instance
+        :returns:  Normalized headers for the upstream
+        """
+        return normalize_request_headers(self.request)
+
+    def get_request_headers(self):
+        """Return request headers that will be sent to upstream.
+        The header REMOTE_USER is set to the current user
+        if AuthenticationMiddleware is enabled and
+        the view's add_remote_user property is True.
+        .. versionadded:: 0.9.8
+        """
+        request_headers = self.get_proxy_request_headers()
+        if not self.app_gw.authentication_header:
+            return request_headers
+        request_headers[self.app_gw.authentication_header] = self.request.user.get_username()
+        # LOGGER.debug("%s set", self.app_gw.authentication_header)
+
+        return request_headers
+
+    def check_permission(self):
+        """Check if user is authenticated and has permission to access app"""
+        if not hasattr(self.request, 'user'):
+            return False
+        if not self.request.user.is_authenticated:
+            return False
+        policy_engine = PolicyEngine(POLICY_CACHE[self.app_gw.pk])
+        policy_engine.for_user(self.request.user).with_request(self.request).build()
+        passing, _messages = policy_engine.result
+
+        return passing
+
+    def get_encoded_query_params(self):
+        """Return encoded query params to be used in proxied request"""
+        get_data = encode_items(self.request.GET.lists())
+        return urlencode(get_data)
+
+    def _created_proxy_response(self, path):
+        request_payload = self.request.body
+
+        # LOGGER.debug("Request headers: %s", self._request_headers)
+
+        request_url = self.get_upstream() + path
+        # LOGGER.debug("Request URL: %s", request_url)
+
+        if self.request.GET:
+            request_url += '?' + self.get_encoded_query_params()
+            # LOGGER.debug("Request URL: %s", request_url)
+
+        http = HTTP
+        if not self.app_gw.upstream_ssl_verification:
+            http = HTTP_NO_VERIFY
+
+        try:
+            proxy_response = http.urlopen(self.request.method,
+                                          request_url,
+                                          redirect=False,
+                                          retries=None,
+                                          headers=self._request_headers,
+                                          body=request_payload,
+                                          decode_content=False,
+                                          preload_content=False)
+            # LOGGER.debug("Proxy response header: %s",
+            #              proxy_response.getheaders())
+        except urllib3.exceptions.HTTPError as error:
+            LOGGER.exception(error)
+            raise
+
+        return proxy_response
+
+    def _replace_host_on_redirect_location(self, proxy_response):
+        location = proxy_response.headers.get('Location')
+        if location:
+            if self.request.is_secure():
+                scheme = 'https://'
+            else:
+                scheme = 'http://'
+            request_host = scheme + self.request.META.get('HTTP_HOST')
+
+            upstream_host_http = 'http://' + self._parsed_url.netloc
+            upstream_host_https = 'https://' + self._parsed_url.netloc
+
+            location = location.replace(upstream_host_http, request_host)
+            location = location.replace(upstream_host_https, request_host)
+            proxy_response.headers['Location'] = location
+            # LOGGER.debug("Proxy response LOCATION: %s",
+            #              proxy_response.headers['Location'])
+
+    def _set_content_type(self, proxy_response):
+        content_type = proxy_response.headers.get('Content-Type')
+        if not content_type:
+            content_type = (mimetypes.guess_type(self.request.path)[0] or
+                            self.app_gw.default_content_type)
+            proxy_response.headers['Content-Type'] = content_type
+            # LOGGER.debug("Proxy response CONTENT-TYPE: %s",
+            #              proxy_response.headers['Content-Type'])
+
+    def get_response(self):
+        """Pass request to upstream and return response"""
+        self._request_headers = self.get_request_headers()
+
+        path = self._format_path_to_redirect()
+        proxy_response = self._created_proxy_response(path)
+
+        self._replace_host_on_redirect_location(proxy_response)
+        self._set_content_type(proxy_response)
+        response = get_django_response(proxy_response, strict_cookies=False)
+
+        # LOGGER.debug("RESPONSE RETURNED: %s", response)
+        return response