bump version: 0.1.29-beta -> 0.1.30-beta

Resolve "Websocket Proxying"

Closes #38

See merge request BeryJu.org/passbook!24

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 0.0.13-alpha
+current_version = 0.1.30-beta
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\-(?P<release>.*)
@@ -9,11 +9,16 @@ tag_name = version/{new_version}
 
 [bumpversion:part:release]
 optional_value = stable
+first_value = beta
 values = 
 	alpha
 	beta
 	stable
 
+[bumpversion:file:client-packages/allauth/setup.py]
+
+[bumpversion:file:client-packages/sentry-auth-passbook/setup.py]
+
 [bumpversion:file:helm/passbook/values.yaml]
 
 [bumpversion:file:helm/passbook/Chart.yaml]
@@ -36,6 +41,10 @@ values =
 
 [bumpversion:file:passbook/lib/__init__.py]
 
+[bumpversion:file:passbook/hibp_policy/__init__.py]
+
+[bumpversion:file:passbook/password_expiry_policy/__init__.py]
+
 [bumpversion:file:passbook/saml_idp/__init__.py]
 
 [bumpversion:file:passbook/audit/__init__.py]
@@ -44,3 +53,7 @@ values =
 
 [bumpversion:file:passbook/otp/__init__.py]
 
+[bumpversion:file:passbook/app_gw/__init__.py]
+
+[bumpversion:file:passbook/suspicious_policy/__init__.py]
+

.gitlab-ci.yml

@@ -8,17 +8,19 @@ stages:
     - test
     - build
     - docs
+    - deploy
 image: python:3.6
 services:
     - postgres:latest
+    - redis:latest
 
 variables:
     POSTGRES_DB: passbook
     POSTGRES_USER: passbook
-  POSTGRES_PASSWORD: 'EK-5jnKfjrGRm<77'
+    POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
 
 include:
-  - /allauth/.gitlab-ci.yml
+    - /client-packages/allauth/.gitlab-ci.yml
 
 isort:
     script:
@@ -38,6 +40,7 @@ pylint:
     stage: test
 coverage:
     script:
+        - python manage.py collectstatic --no-input
         - coverage run manage.py test
         - coverage report
     stage: test
@@ -53,7 +56,7 @@ package-docker:
     before_script:
         - echo "{\"auths\":{\"docker.$NEXUS_URL\":{\"auth\":\"$NEXUS_AUTH\"}}}" > /kaniko/.docker/config.json
     script:
-    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination docker.pkg.beryju.org/passbook:latest --destination docker.pkg.beryju.org/passbook:0.0.13-alpha
+        - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination docker.pkg.beryju.org/passbook:latest --destination docker.pkg.beryju.org/passbook:0.1.30-beta
     stage: build
     only:
         - tags
@@ -68,54 +71,56 @@ package-helm:
     only:
         - tags
         - /^version/.*$/
-# package-3.5:
-#   before_script:
-#     - apt update
-#     - apt install -y build-essential debhelper devscripts equivs python3 python3-pip
-#     - cp debian/control-3.5 debian/control
-#     - mk-build-deps debian/control
-#     - apt install ./*build-deps*deb -f -y
-#     - "python3 -m pip install -U virtualenv"
-#     - "virtualenv env"
-#     - "source env/bin/activate"
-#     - "pip3 install -U -r requirements.txt -r requirements-dev.txt"
-#   image: debian
-#   script:
-#     - debuild -us -uc
-#     - cp ../passbook*.deb .
-#     - python manage.py nexus_upload
-#   artifacts:
-#     paths:
-#     - passbook-python3.5*deb
-#     expire_in: 2 days
-#   stage: build
-#   only:
-#   - tags
-#   - /^debian/.*$/
-# package-3.6:
-#   before_script:
-#     - apt update
-#     - apt install -y build-essential debhelper devscripts equivs python3 python3-pip
-#     - cp debian/control-3.6 debian/control
-#     - mk-build-deps debian/control
-#     - apt install ./*build-deps*deb -f -y
-#     - "python3 -m pip install -U virtualenv"
-#     - "virtualenv env"
-#     - "source env/bin/activate"
-#     - "pip3 install -U -r requirements.txt -r requirements-dev.txt"
-#   image: debian:buster
-#   script:
-#     - debuild -us -uc
-#     - cp ../passbook*.deb .
-#     - python manage.py nexus_upload
-#   artifacts:
-#     paths:
-#     - passbook-python3.6*deb
-#     expire_in: 2 days
-#   stage: build
-#   only:
-#     - tags
-#     - /^debian/.*$r
+package-debian:
+    before_script:
+        - apt update
+        - apt install -y --no-install-recommends build-essential debhelper devscripts equivs python3 python3-dev python3-pip libsasl2-dev libldap2-dev
+        - mk-build-deps debian/control
+        - apt install ./*build-deps*deb -f -y
+        - python3 -m pip install -U virtualenv pip
+        - virtualenv env
+        - source env/bin/activate
+        - pip3 install -U -r requirements.txt -r requirements-dev.txt
+        - ./manage.py collectstatic --no-input
+    image: ubuntu:18.04
+    script:
+        - debuild -us -uc
+        - cp ../passbook*.deb .
+        - ./manage.py nexus_upload --method post --url $NEXUS_URL --auth $NEXUS_AUTH --repo apt passbook*deb
+    artifacts:
+        paths:
+            - passbook*deb
+        expire_in: 2 days
+    stage: build
+    only:
+        - tags
+        - /^version/.*$/
+
+package-client-package-allauth:
+    script:
+        - cd client-packages/allauth
+        - python setup.py sdist
+        - twine upload --username $TWINE_USERNAME --password $TWINE_PASSWORD dist/*
+    stage: build
+    only:
+        refs:
+            - tags
+            - /^version/.*$/
+        changes:
+            - client-packages/allauth/**
+
+package-client-package-sentry:
+    script:
+        - cd client-packages/sentry-auth-passbook
+        - python setup.py sdist
+        - twine upload --username $TWINE_USERNAME --password $TWINE_PASSWORD dist/*
+    stage: build
+    only:
+        refs:
+            - tags
+            - /^version/.*$/
+        changes:
+            - client-packages/sentry-auth-passbook/**
 
 # docs:
 #   stage: docs
@@ -137,3 +142,16 @@ package-helm:
 #     - mkdocs build
 #     - 'rsync -avh --delete web/* "beryjuorg@ory1-web-prod-1.ory1.beryju.org:passbook.beryju.org/"'
 #     - 'rsync -avh --delete site/* "beryjuorg@ory1-web-prod-1.ory1.beryju.org:passbook.beryju.org/docs/"'
+
+# deploy:
+#   environment:
+#     name: production
+#     url: https://passbook-prod.default.k8s.beryju.org/
+#   stage: deploy
+#   only:
+#   - tags
+#   - /^version/.*$/
+#   script:
+#     - curl https://raw.githubusercontent.com/helm/helm/master/scripts/get | bash
+#     - helm init
+#     - helm upgrade passbook-prod helm/passbook --devel

.prospector.yaml

@@ -7,6 +7,7 @@ ignore-paths:
   - migrations
   - docs
   - node_modules
+  - client-packages
 
 uses:
  - django

Dockerfile

@@ -6,10 +6,13 @@ COPY ./requirements.txt /app/
 
 WORKDIR /app/
 
-RUN mkdir /app/static/ && \
+RUN apt-get update && apt-get install build-essential libssl-dev libffi-dev libpq-dev -y && \
+    mkdir /app/static/ && \
     pip install -r requirements.txt && \
     pip install psycopg2 && \
-    ./manage.py collectstatic --no-input
+    ./manage.py collectstatic --no-input && \
+    apt-get remove --purge -y build-essential && \
+    apt-get autoremove --purge -y
 
 FROM python:3.6-slim-stretch
 
@@ -20,9 +23,12 @@ COPY --from=build /app/static /app/static/
 
 WORKDIR /app/
 
-RUN pip install -r requirements.txt && \
+RUN apt-get update && apt-get install build-essential libssl-dev libffi-dev libpq-dev -y && \
+    pip install -r requirements.txt && \
     pip install psycopg2 && \
     adduser --system --home /app/ passbook && \
-    chown -R passbook /app/
+    chown -R passbook /app/ && \
+    apt-get remove --purge -y build-essential && \
+    apt-get autoremove --purge -y
 
 USER passbook

client-packages/allauth/allauth_passbook/urls.py

@@ -1,5 +1,6 @@
 """passbook provider"""
 from allauth.socialaccount.providers.oauth2.urls import default_urlpatterns
+
 from allauth_passbook.provider import PassbookProvider
 
 urlpatterns = default_urlpatterns(PassbookProvider)

client-packages/allauth/allauth_passbook/views.py

@@ -1,10 +1,10 @@
 """passbook adapter"""
 import requests
-
 from allauth.socialaccount import app_settings
 from allauth.socialaccount.providers.oauth2.views import (OAuth2Adapter,
                                                           OAuth2CallbackView,
                                                           OAuth2LoginView)
+
 from allauth_passbook.provider import PassbookProvider
 
 

client-packages/allauth/setup.py

@@ -3,7 +3,7 @@ from setuptools import setup
 
 setup(
     name='django-allauth-passbook',
-    version='1.0.0',
+    version='0.1.30-beta',
     description='passbook support for django-allauth',
     # long_description='\n'.join(read_simple('docs/index.md')[2:]),
     long_description_content_type='text/markdown',

client-packages/sentry-auth-passbook/.gitignore

@@ -0,0 +1,5 @@
+*.pyc
+*.egg-info/
+*.eggs
+/dist
+/build

client-packages/sentry-auth-passbook/.travis.yml

@@ -0,0 +1,32 @@
+sudo: false
+language: python
+services:
+  - memcached
+  - postgresql
+  - redis-server
+python:
+  - '2.7'
+cache:
+  directories:
+    - node_modules
+    - "$HOME/.cache/pip"
+deploy:
+  provider: pypi
+  user: getsentry
+  password:
+    secure: kVmxKHkBWRLYyZme05p+WZSJmb8GjHV9uyuaSCVMRlqWCW+GXRB7P1xXR2jb9URTlNdcs56Ab/UrwzCbMFGC8LmwCeFVgIR/ltytVZG2FgXZPWaeA4dH25qK2oGWgzJ/xeiMpmuJqN9hRl25MX6jG7FZKvrrOkG7+8tpPd1yO+uYWZQbnebZMjcPBqEpn7CC0hR39GSoyVAbydpMe5hwENGQM26CepcicdrelfawItoUrXrkJzBHkIQQTO/xRSbCtRJOtzI5lwtv3GP0hcbOy5tI5dhG/93pLwZRc5+dZaCaP7oaVeOcBjN0zfINRQobt8d6h2Qgvd/YyFkGi0/xKn1zMmKIVLOG6VsYwEAUq8wNOsP4A/jdm4Y0J/1oEZStCkpaGpx85TYi4kq1hWQdyqaVJSPhh4Tk4roIaS2zOYQl+nIpbHqmJ4FJrg1il+TCdjBXobATQ1mKRBUrjD+RDzH/r4ogbd8+UwvvvevpqS2K+/wgT6UD0MzDInv9S29CUQvuFhPoqyJb5XRddHMRE9EEK/2Z8tFN91sDATnqfXHgwnvu00q/nKP5JnijBPzGmx7ydgUViIukklDrlPvo9BbRJz0Vr2vbAvMTrLMLCXqi5CwTm+v+iaOf/YaCziaG2vx0eVASYjpOLCedSgRZBubPM8z4E/HMXhChN7sVDWk=
+  on:
+    tags: true
+  distributions: sdist bdist_wheel
+env:
+  global:
+    - PIP_DOWNLOAD_CACHE=".pip_download_cache"
+before_install:
+  - pip install codecov
+install:
+  - make develop
+script:
+  - PYFLAKES_NODOCTEST=1 flake8
+  - coverage run --source=. -m py.test tests
+after_success:
+  - codecov

client-packages/sentry-auth-passbook/LICENSE

@@ -0,0 +1,201 @@
+                              Apache License
+                        Version 2.0, January 2004
+                     http://www.apache.org/licenses/
+
+TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+1. Definitions.
+
+   "License" shall mean the terms and conditions for use, reproduction,
+   and distribution as defined by Sections 1 through 9 of this document.
+
+   "Licensor" shall mean the copyright owner or entity authorized by
+   the copyright owner that is granting the License.
+
+   "Legal Entity" shall mean the union of the acting entity and all
+   other entities that control, are controlled by, or are under common
+   control with that entity. For the purposes of this definition,
+   "control" means (i) the power, direct or indirect, to cause the
+   direction or management of such entity, whether by contract or
+   otherwise, or (ii) ownership of fifty percent (50%) or more of the
+   outstanding shares, or (iii) beneficial ownership of such entity.
+
+   "You" (or "Your") shall mean an individual or Legal Entity
+   exercising permissions granted by this License.
+
+   "Source" form shall mean the preferred form for making modifications,
+   including but not limited to software source code, documentation
+   source, and configuration files.
+
+   "Object" form shall mean any form resulting from mechanical
+   transformation or translation of a Source form, including but
+   not limited to compiled object code, generated documentation,
+   and conversions to other media types.
+
+   "Work" shall mean the work of authorship, whether in Source or
+   Object form, made available under the License, as indicated by a
+   copyright notice that is included in or attached to the work
+   (an example is provided in the Appendix below).
+
+   "Derivative Works" shall mean any work, whether in Source or Object
+   form, that is based on (or derived from) the Work and for which the
+   editorial revisions, annotations, elaborations, or other modifications
+   represent, as a whole, an original work of authorship. For the purposes
+   of this License, Derivative Works shall not include works that remain
+   separable from, or merely link (or bind by name) to the interfaces of,
+   the Work and Derivative Works thereof.
+
+   "Contribution" shall mean any work of authorship, including
+   the original version of the Work and any modifications or additions
+   to that Work or Derivative Works thereof, that is intentionally
+   submitted to Licensor for inclusion in the Work by the copyright owner
+   or by an individual or Legal Entity authorized to submit on behalf of
+   the copyright owner. For the purposes of this definition, "submitted"
+   means any form of electronic, verbal, or written communication sent
+   to the Licensor or its representatives, including but not limited to
+   communication on electronic mailing lists, source code control systems,
+   and issue tracking systems that are managed by, or on behalf of, the
+   Licensor for the purpose of discussing and improving the Work, but
+   excluding communication that is conspicuously marked or otherwise
+   designated in writing by the copyright owner as "Not a Contribution."
+
+   "Contributor" shall mean Licensor and any individual or Legal Entity
+   on behalf of whom a Contribution has been received by Licensor and
+   subsequently incorporated within the Work.
+
+2. Grant of Copyright License. Subject to the terms and conditions of
+   this License, each Contributor hereby grants to You a perpetual,
+   worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+   copyright license to reproduce, prepare Derivative Works of,
+   publicly display, publicly perform, sublicense, and distribute the
+   Work and such Derivative Works in Source or Object form.
+
+3. Grant of Patent License. Subject to the terms and conditions of
+   this License, each Contributor hereby grants to You a perpetual,
+   worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+   (except as stated in this section) patent license to make, have made,
+   use, offer to sell, sell, import, and otherwise transfer the Work,
+   where such license applies only to those patent claims licensable
+   by such Contributor that are necessarily infringed by their
+   Contribution(s) alone or by combination of their Contribution(s)
+   with the Work to which such Contribution(s) was submitted. If You
+   institute patent litigation against any entity (including a
+   cross-claim or counterclaim in a lawsuit) alleging that the Work
+   or a Contribution incorporated within the Work constitutes direct
+   or contributory patent infringement, then any patent licenses
+   granted to You under this License for that Work shall terminate
+   as of the date such litigation is filed.
+
+4. Redistribution. You may reproduce and distribute copies of the
+   Work or Derivative Works thereof in any medium, with or without
+   modifications, and in Source or Object form, provided that You
+   meet the following conditions:
+
+   (a) You must give any other recipients of the Work or
+       Derivative Works a copy of this License; and
+
+   (b) You must cause any modified files to carry prominent notices
+       stating that You changed the files; and
+
+   (c) You must retain, in the Source form of any Derivative Works
+       that You distribute, all copyright, patent, trademark, and
+       attribution notices from the Source form of the Work,
+       excluding those notices that do not pertain to any part of
+       the Derivative Works; and
+
+   (d) If the Work includes a "NOTICE" text file as part of its
+       distribution, then any Derivative Works that You distribute must
+       include a readable copy of the attribution notices contained
+       within such NOTICE file, excluding those notices that do not
+       pertain to any part of the Derivative Works, in at least one
+       of the following places: within a NOTICE text file distributed
+       as part of the Derivative Works; within the Source form or
+       documentation, if provided along with the Derivative Works; or,
+       within a display generated by the Derivative Works, if and
+       wherever such third-party notices normally appear. The contents
+       of the NOTICE file are for informational purposes only and
+       do not modify the License. You may add Your own attribution
+       notices within Derivative Works that You distribute, alongside
+       or as an addendum to the NOTICE text from the Work, provided
+       that such additional attribution notices cannot be construed
+       as modifying the License.
+
+   You may add Your own copyright statement to Your modifications and
+   may provide additional or different license terms and conditions
+   for use, reproduction, or distribution of Your modifications, or
+   for any such Derivative Works as a whole, provided Your use,
+   reproduction, and distribution of the Work otherwise complies with
+   the conditions stated in this License.
+
+5. Submission of Contributions. Unless You explicitly state otherwise,
+   any Contribution intentionally submitted for inclusion in the Work
+   by You to the Licensor shall be under the terms and conditions of
+   this License, without any additional terms or conditions.
+   Notwithstanding the above, nothing herein shall supersede or modify
+   the terms of any separate license agreement you may have executed
+   with Licensor regarding such Contributions.
+
+6. Trademarks. This License does not grant permission to use the trade
+   names, trademarks, service marks, or product names of the Licensor,
+   except as required for reasonable and customary use in describing the
+   origin of the Work and reproducing the content of the NOTICE file.
+
+7. Disclaimer of Warranty. Unless required by applicable law or
+   agreed to in writing, Licensor provides the Work (and each
+   Contributor provides its Contributions) on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+   implied, including, without limitation, any warranties or conditions
+   of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+   PARTICULAR PURPOSE. You are solely responsible for determining the
+   appropriateness of using or redistributing the Work and assume any
+   risks associated with Your exercise of permissions under this License.
+
+8. Limitation of Liability. In no event and under no legal theory,
+   whether in tort (including negligence), contract, or otherwise,
+   unless required by applicable law (such as deliberate and grossly
+   negligent acts) or agreed to in writing, shall any Contributor be
+   liable to You for damages, including any direct, indirect, special,
+   incidental, or consequential damages of any character arising as a
+   result of this License or out of the use or inability to use the
+   Work (including but not limited to damages for loss of goodwill,
+   work stoppage, computer failure or malfunction, or any and all
+   other commercial damages or losses), even if such Contributor
+   has been advised of the possibility of such damages.
+
+9. Accepting Warranty or Additional Liability. While redistributing
+   the Work or Derivative Works thereof, You may choose to offer,
+   and charge a fee for, acceptance of support, warranty, indemnity,
+   or other liability obligations and/or rights consistent with this
+   License. However, in accepting such obligations, You may act only
+   on Your own behalf and on Your sole responsibility, not on behalf
+   of any other Contributor, and only if You agree to indemnify,
+   defend, and hold each Contributor harmless for any liability
+   incurred by, or claims asserted against, such Contributor by reason
+   of your accepting any such warranty or additional liability.
+
+END OF TERMS AND CONDITIONS
+
+APPENDIX: How to apply the Apache License to your work.
+
+   To apply the Apache License to your work, attach the following
+   boilerplate notice, with the fields enclosed by brackets "[]"
+   replaced with your own identifying information. (Don't include
+   the brackets!)  The text should be enclosed in the appropriate
+   comment syntax for the file format. We also recommend that a
+   file or class name and description of purpose be included on the
+   same "printed page" as the copyright notice for easier
+   identification within third-party archives.
+
+Copyright 2016 Functional Software, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

client-packages/sentry-auth-passbook/MANIFEST.in

@@ -0,0 +1,3 @@
+include setup.py package.json webpack.config.js README.rst MANIFEST.in LICENSE AUTHORS
+recursive-include sentry_auth_supervisr/templates *
+global-exclude *~

client-packages/sentry-auth-passbook/Makefile

@@ -0,0 +1,26 @@
+.PHONY: clean develop install-tests lint publish test
+
+develop:
+	pip install "pip>=7"
+	pip install -e .
+	make install-tests
+
+install-tests:
+	pip install .[tests]
+
+lint:
+	@echo "--> Linting python"
+	flake8
+	@echo ""
+
+test:
+	@echo "--> Running Python tests"
+	py.test tests || exit 1
+	@echo ""
+
+publish:
+	python setup.py sdist bdist_wheel upload
+
+clean:
+	rm -rf *.egg-info src/*.egg-info
+	rm -rf dist build

client-packages/sentry-auth-passbook/README.rst

@@ -0,0 +1,55 @@
+GitHub Auth for Sentry
+======================
+
+An SSO provider for Sentry which enables GitHub organization-restricted authentication.
+
+Install
+-------
+
+::
+
+    $ pip install https://github.com/getsentry/sentry-auth-github/archive/master.zip
+
+Setup
+-----
+
+Create a new application under your organization in GitHub. Enter the **Authorization
+callback URL** as the prefix to your Sentry installation:
+
+::
+
+    https://example.sentry.com
+
+
+Once done, grab your API keys and drop them in your ``sentry.conf.py``:
+
+.. code-block:: python
+
+    GITHUB_APP_ID = ""
+
+    GITHUB_API_SECRET = ""
+
+
+Verified email addresses can optionally be required:
+
+.. code-block:: python
+
+    GITHUB_REQUIRE_VERIFIED_EMAIL = True
+
+
+Optionally you may also specify the domain (for GHE users):
+
+.. code-block:: python
+
+    GITHUB_BASE_DOMAIN = "git.example.com"
+
+    GITHUB_API_DOMAIN = "api.git.example.com"
+
+
+If Subdomain isolation is disabled in GHE:
+
+.. code-block:: python
+
+    GITHUB_BASE_DOMAIN = "git.example.com"
+
+    GITHUB_API_DOMAIN = "git.example.com/api/v3"

client-packages/sentry-auth-passbook/conftest.py

@@ -0,0 +1,14 @@
+from __future__ import absolute_import
+
+# Run tests against sqlite for simplicity
+import os
+import os.path
+import sys
+
+sys.path.insert(0, os.path.join(os.path.dirname(__file__)))
+
+os.environ.setdefault('DB', 'sqlite')
+
+pytest_plugins = [
+    'sentry.utils.pytest'
+]

client-packages/sentry-auth-passbook/sentry_auth_passbook/__init__.py

@@ -0,0 +1,7 @@
+from __future__ import absolute_import
+
+from sentry.auth import register
+
+from .provider import PassbookOAuth2Provider
+
+register('passbook', PassbookOAuth2Provider)

client-packages/sentry-auth-passbook/sentry_auth_passbook/client.py

@@ -0,0 +1,45 @@
+from __future__ import absolute_import, print_function
+
+from requests.exceptions import RequestException
+
+from sentry import http
+from sentry.utils import json
+
+from .constants import BASE_DOMAIN
+
+
+class PassbookApiError(Exception):
+    def __init__(self, message='', status=0):
+        super(PassbookApiError, self).__init__(message)
+        self.status = status
+
+
+class PassbookClient(object):
+    def __init__(self, client_id, client_secret):
+        self.client_id = client_id
+        self.client_secret = client_secret
+        self.http = http.build_session()
+
+    def _request(self, path, access_token):
+        params = {
+            'client_id': self.client_id,
+            'client_secret': self.client_secret,
+        }
+
+        headers = {
+            'Authorization': 'Bearer {0}'.format(access_token),
+        }
+
+        try:
+            req = self.http.get('https://{0}/{1}'.format(BASE_DOMAIN, path.lstrip('/')),
+                params=params,
+                headers=headers,
+            )
+        except RequestException as e:
+            raise PassbookApiError(unicode(e), status=getattr(e, 'status_code', 0))
+        if req.status_code < 200 or req.status_code >= 300:
+            raise PassbookApiError(req.content, status=req.status_code)
+        return json.loads(req.content)
+
+    def get_user(self, access_token):
+        return self._request('/api/v1/openid/', access_token)

client-packages/sentry-auth-passbook/sentry_auth_passbook/constants.py

@@ -0,0 +1,14 @@
+from __future__ import absolute_import, print_function
+
+from django.conf import settings
+
+CLIENT_ID = getattr(settings, 'PASSBOOK_APP_ID', None)
+
+CLIENT_SECRET = getattr(settings, 'PASSBOOK_API_SECRET', None)
+
+SCOPE = 'openid:userinfo'
+
+BASE_DOMAIN = getattr(settings, 'PASSBOOK_BASE_DOMAIN', 'id.beryju.org')
+
+ACCESS_TOKEN_URL = 'https://{0}/application/oauth/token/'.format(BASE_DOMAIN)
+AUTHORIZE_URL = 'https://{0}/application/oauth/authorize/'.format(BASE_DOMAIN)

client-packages/sentry-auth-passbook/sentry_auth_passbook/provider.py

@@ -0,0 +1,62 @@
+from __future__ import absolute_import, print_function
+
+from sentry.auth.exceptions import IdentityNotValid
+from sentry.auth.providers.oauth2 import (OAuth2Callback, OAuth2Login,
+                                          OAuth2Provider)
+
+from .client import PassbookApiError, PassbookClient
+from .constants import (ACCESS_TOKEN_URL, AUTHORIZE_URL, CLIENT_ID,
+                        CLIENT_SECRET, SCOPE)
+from .views import FetchUser, PassbookConfigureView
+
+
+class PassbookOAuth2Provider(OAuth2Provider):
+    access_token_url = ACCESS_TOKEN_URL
+    authorize_url = AUTHORIZE_URL
+    name = 'Passbook'
+    client_id = CLIENT_ID
+    client_secret = CLIENT_SECRET
+
+    def __init__(self, **config):
+        super(PassbookOAuth2Provider, self).__init__(**config)
+
+    def get_configure_view(self):
+        return PassbookConfigureView.as_view()
+
+    def get_auth_pipeline(self):
+        return [
+            OAuth2Login(
+                authorize_url=self.authorize_url,
+                client_id=self.client_id,
+                scope=SCOPE,
+            ),
+            OAuth2Callback(
+                access_token_url=self.access_token_url,
+                client_id=self.client_id,
+                client_secret=self.client_secret,
+            ),
+            FetchUser(
+                client_id=self.client_id,
+                client_secret=self.client_secret,
+            ),
+        ]
+
+    def get_refresh_token_url(self):
+        return ACCESS_TOKEN_URL
+
+    def build_identity(self, state):
+        data = state['data']
+        user_data = state['user']
+        return {
+            'id': user_data['email'],
+            'email': user_data['email'],
+            'name': user_data['name'],
+            'data': self.get_oauth_data(data),
+        }
+
+    def build_config(self, state):
+        return {}
+
+    def refresh_identity(self, auth_identity):
+        client = PassbookClient(self.client_id, self.client_secret)
+        access_token = auth_identity.data['access_token']

client-packages/sentry-auth-passbook/sentry_auth_passbook/views.py

@@ -0,0 +1,75 @@
+from __future__ import absolute_import, print_function
+
+from django import forms
+
+from sentry.auth.view import AuthView, ConfigureView
+from sentry.models import AuthIdentity
+
+from .client import PassbookClient
+
+
+def _get_name_from_email(email):
+    """
+    Given an email return a capitalized name. Ex. john.smith@example.com would return John Smith.
+    """
+    name = email.rsplit('@', 1)[0]
+    name = ' '.join([n_part.capitalize() for n_part in name.split('.')])
+    return name
+
+
+class FetchUser(AuthView):
+    def __init__(self, client_id, client_secret, *args, **kwargs):
+        self.client = PassbookClient(client_id, client_secret)
+        super(FetchUser, self).__init__(*args, **kwargs)
+
+    def handle(self, request, helper):
+        access_token = helper.fetch_state('data')['access_token']
+
+        user = self.client.get_user(access_token)
+
+        # A user hasn't set their name in their Passbook profile so it isn't
+        # populated in the response
+        if not user.get('name'):
+            user['name'] = _get_name_from_email(user['email'])
+
+        helper.bind_state('user', user)
+
+        return helper.next_step()
+
+
+class ConfirmEmailForm(forms.Form):
+    email = forms.EmailField(label='Email')
+
+
+class ConfirmEmail(AuthView):
+    def handle(self, request, helper):
+        user = helper.fetch_state('user')
+
+        # TODO(dcramer): this isnt ideal, but our current flow doesnt really
+        # support this behavior;
+        try:
+            auth_identity = AuthIdentity.objects.select_related('user').get(
+                auth_provider=helper.auth_provider,
+                ident=user['id'],
+            )
+        except AuthIdentity.DoesNotExist:
+            pass
+        else:
+            user['email'] = auth_identity.user.email
+
+        if user.get('email'):
+            return helper.next_step()
+
+        form = ConfirmEmailForm(request.POST or None)
+        if form.is_valid():
+            user['email'] = form.cleaned_data['email']
+            helper.bind_state('user', user)
+            return helper.next_step()
+
+        return self.respond('sentry_auth_passbook/enter-email.html', {
+            'form': form,
+        })
+
+class PassbookConfigureView(ConfigureView):
+    def dispatch(self, request, organization, auth_provider):
+        return self.render('sentry_auth_passbook/configure.html')

client-packages/sentry-auth-passbook/setup.cfg

@@ -0,0 +1,12 @@
+[wheel]
+universal = 1
+
+[pytest]
+python_files = test*.py
+addopts = --tb=native -p no:doctest
+norecursedirs = bin dist docs htmlcov script hooks node_modules .* {args}
+
+[flake8]
+ignore = F999,E501,E128,E124,E402,W503,E731,C901
+max-line-length = 100
+exclude = .tox,.git,*/migrations/*,node_modules/*,docs/*

client-packages/sentry-auth-passbook/setup.py

@@ -0,0 +1,45 @@
+#!/usr/bin/env python
+"""
+sentry-auth-passbook
+==================
+
+:copyright: (c) 2016 Functional Software, Inc
+"""
+from setuptools import find_packages, setup
+
+install_requires = [
+    'sentry>=7.0.0',
+]
+
+tests_require = [
+    'mock',
+    'flake8>=2.0,<2.1',
+]
+
+setup(
+    name='sentry-auth-passbook',
+    version='0.1.30-beta',
+    author='BeryJu.org',
+    author_email='support@beryju.org',
+    url='https://passbook.beryju.org',
+    description='passbook authentication provider for Sentry',
+    long_description=__doc__,
+    license='MIT',
+    packages=find_packages(exclude=['tests']),
+    zip_safe=False,
+    install_requires=install_requires,
+    tests_require=tests_require,
+    extras_require={'tests': tests_require},
+    include_package_data=True,
+    entry_points={
+        'sentry.apps': [
+            'auth_passbook = sentry_auth_passbook',
+        ],
+    },
+    classifiers=[
+        'Intended Audience :: Developers',
+        'Intended Audience :: System Administrators',
+        'Operating System :: OS Independent',
+        'Topic :: Software Development'
+    ],
+)

client-packages/sentry-auth-passbook/tests/test_provider.py

@@ -0,0 +1,6 @@
+from sentry.testutils import TestCase
+
+
+class GitHubOAuth2ProviderTest(TestCase):
+    def test_simple(self):
+        pass

client-packages/sentry-auth-passbook/tests/test_views.py

@@ -0,0 +1,17 @@
+from __future__ import absolute_import, print_function
+
+import pytest
+from sentry_auth_sentry.views import _get_name_from_email
+
+expected_data = [
+    ('john.smith@example.com', 'John Smith'),
+    ('john@example.com', 'John'),
+    ('XYZ-234=3523@example.com', 'Xyz-234=3523'),
+    ('XYZ.1111@example.com', 'Xyz 1111'),
+    ('JOHN@example.com', 'John'),
+]
+
+
+@pytest.mark.parametrize("email,expected_name", expected_data)
+def test_get_name_from_email(email, expected_name):
+    assert _get_name_from_email(email) == expected_name

debian/changelog

@@ -0,0 +1,220 @@
+passbook (0.1.30) stable; urgency=medium
+
+  * bump version: 0.1.28-beta -> 0.1.29-beta
+  * don't use context manager in web command
+
+ -- Jens Langhammer <jens.langhammer@beryju.org>  Thu, 11 Apr 2019 12:21:58 +0000
+
+passbook (0.1.29) stable; urgency=medium
+
+  * bump version: 0.1.27-beta -> 0.1.28-beta
+  * Add libpq-dev dependency so psycopg2 build works
+  * switch to whitenoise for static files
+  * replace cherrypy with daphne
+  * Run collectstatic before coverage, use autoreload on celery worker
+
+ -- Jens Langhammer <jens.langhammer@beryju.org>  Thu, 11 Apr 2019 12:00:27 +0000
+
+passbook (0.1.28) stable; urgency=medium
+
+  * bump version: 0.1.26-beta -> 0.1.27-beta
+  * fix allauth client's formatting
+  * switch from raven to sentry_sdk
+  * add ability to have non-expiring nonces, clean up expired nonces
+  * fully remove raven and switch WSGI and logging to sentry_sdk
+  * fix failing CI
+  * trigger autoreload from config files
+  * Choose upstream more cleverly
+  * Move code from django-revproxy to app_gw to fix cookie bug
+  * Implement websocket proxy
+  * switch kubernetes deployment to daphne server
+  * set default log level to warn, fix clean_nonces not working
+
+ -- Jens Langhammer <jens.langhammer@beryju.org>  Thu, 11 Apr 2019 08:46:44 +0000
+
+passbook (0.1.27) stable; urgency=medium
+
+  * bump version: 0.1.25-beta -> 0.1.26-beta
+  * fix broken app_gw
+
+ -- Jens Langhammer <jens.langhammer@beryju.org>  Fri, 22 Mar 2019 13:50:31 +0000
+
+passbook (0.1.26) stable; urgency=medium
+
+  * bump version: 0.1.24-beta -> 0.1.25-beta
+  * always parse url instead of once
+  * validate upstream in form
+  * add custom template views
+
+ -- Jens Langhammer <jens.langhammer@beryju.org>  Fri, 22 Mar 2019 11:47:08 +0000
+
+passbook (0.1.25) stable; urgency=medium
+
+  * initial implementation of reverse proxy, using django-revproxy from within a middleware
+  * fix TypeError: can only concatenate list (not "str") to list
+  * bump version: 0.1.23-beta -> 0.1.24-beta
+  * add redis dependency back in for caching
+  * utilise cache in PolicyEngine
+  * explicitly use redis db
+  * invalidate cache when policy is saved
+  * add redis as service in CI for unittests
+  * add timeout field to policy to prevent stuck policies
+  * Don't use LoginRequired for PermissionDenied View
+  * Check for policies in app_gw
+  * Better handle policy timeouts
+  * cleanup post-migration mess
+  * prevent ZeroDivisionError
+  * Redirect to login on reverse proxy
+  * cleanup property_mapping list
+  * add compiled regex to RewriteRule
+  * implement actual Rewriting logic
+  * Invalidate cache when ApplicationGateway instance is saved
+  * validate server_name in form
+
+ -- Jens Langhammer <jens.langhammer@beryju.org>  Thu, 21 Mar 2019 15:47:58 +0000
+
+passbook (0.1.24) stable; urgency=medium
+
+  * bump version: 0.1.22-beta -> 0.1.23-beta
+  * add modal for OAuth Providers showing the URLs
+  * remove user field from form. Closes #32
+
+ -- Jens Langhammer <jens.langhammer@beryju.org>  Wed, 20 Mar 2019 21:59:21 +0000
+
+passbook (0.1.23) stable; urgency=medium
+
+  * add support for OpenID-Connect Discovery
+
+ -- Jens Langhammer <jens.langhammer@beryju.org>  Thu, 18 Mar 2019 20:19:27 +0000
+
+passbook (0.1.22) stable; urgency=medium
+
+  * bump version: 0.1.20-beta -> 0.1.21-beta
+  * fix missing debug template
+  * move icons to single folder, cleanup
+  * fix layout when on mobile viewport and scrolling
+  * fix delete form not working
+  * point to correct icons
+  * add Azure AD Source
+  * Fix OAuth Client's disconnect view having invalid URL names
+
+ -- Jens Langhammer <jens.langhammer@beryju.org>  Thu, 14 Mar 2019 20:19:27 +0000
+
+passbook (0.1.21) stable; urgency=medium
+
+  * bump version: 0.1.19-beta -> 0.1.20-beta
+  * add request debug view
+  * detect HTTPS from reverse proxy
+
+ -- Jens Langhammer <jens.langhammer@beryju.org>  Thu, 14 Mar 2019 17:01:49 +0000
+
+passbook (0.1.20) stable; urgency=medium
+
+  * bump version: 0.1.18-beta -> 0.1.19-beta
+  * fix GitHub Pretend again
+  * add user settings for Sources
+
+ -- Jens Langhammer <jens.langhammer@beryju.org>  Wed, 13 Mar 2019 15:49:44 +0000
+
+passbook (0.1.18) stable; urgency=medium
+
+  * bump version: 0.1.16-beta -> 0.1.17-beta
+  * fix Server Error when downloading metadata
+  * add sentry client
+  * fix included yaml file
+  * adjust versions for client packages, auto build client-packages
+  * bump version: 0.1.17-beta -> 0.1.18-beta
+  * fix API Call for sentry-client, add missing template
+  * fix GitHub Pretend throwing a 500 error
+
+ -- Jens Langhammer <jens.langhammer@beryju.org>  Wed, 13 Mar 2019 14:14:10 +0000
+
+passbook (0.1.17) stable; urgency=medium
+
+  * bump version: 0.1.15-beta -> 0.1.16-beta
+  * remove Application.user_is_authorized
+  * don't use celery heartbeat, use TCP keepalive instead
+  * switch to vertical navigation
+
+ -- Jens Langhammer <jens.langhammer@beryju.org>  Tue, 12 Mar 2019 14:54:27 +0000
+
+passbook (0.1.16) stable; urgency=medium
+
+  * Replace redis with RabbitMQ
+  * updated debian package to suggest RabbitMQ
+  * update helm chart to require RabbitMQ
+  * fix invalid default config in debian package
+
+ -- Jens Langhammer <jens.langhammer@beryju.org>  Mon, 11 Mar 2019 10:28:36 +0000
+
+passbook (0.1.14) stable; urgency=medium
+
+  * bump version: 0.1.11-beta -> 0.1.12-beta
+  * Fix DoesNotExist error when running PolicyEngine against None user
+  * allow custom email server for helm installs
+  * fix UserChangePasswordView not requiring Login
+
+ -- Jens Langhammer <jens.langhammer@beryju.org>  Mon, 11 Mar 2019 10:28:36 +0000
+
+passbook (0.1.12) stable; urgency=medium
+
+  * bump version: 0.1.10-beta -> 0.1.11-beta
+  * rewrite PasswordFactor to use backends setting instead of trying all backends
+  * install updated helm release from local folder
+  * disable automatic k8s deployment for now
+  * fix OAuth Authorization View not requiring authentication
+
+ -- Jens Langhammer <jens.langhammer@beryju.org>  Mon, 11 Mar 2019 08:50:29 +0000
+
+passbook (0.1.11) stable; urgency=medium
+
+  * add group administration
+  * bump version: 0.1.9-beta -> 0.1.10-beta
+  * fix helm labels being on deployments and not pods
+  * automatically deploy after release
+  * use Django's Admin FilteredSelectMultiple for Group Membership
+  * always use FilteredSelectMultiple for many-to-many fields
+  * Add Group Member policy
+  * add LDAP Group Membership Policy
+
+ -- Jens Langhammer <jens.langhammer@beryju.org>  Sun, 10 Mar 2019 18:55:31 +0000
+
+passbook (0.1.10) stable; urgency=high
+
+  * bump version: 0.1.7-beta -> 0.1.8-beta
+  * consistently using PolicyEngine
+  * add more Verbosity to PolicyEngine, rewrite SAML Authorisation check
+  * slightly refactor Factor View, add more unittests
+  * add impersonation middleware, add to templates
+  * bump version: 0.1.8-beta -> 0.1.9-beta
+  * fix k8s service routing http traffic to workers
+  * Fix button on policy test page
+  * better show loading state when testing a policy
+
+ -- Jens Langhammer <jens.langhammer@beryju.org>  Sun, 10 Mar 2019 14:52:40 +0000
+
+passbook (0.1.7) stable; urgency=medium
+
+  * bump version: 0.1.3-beta -> 0.1.4-beta
+  * implicitly add kubernetes-healthcheck-host in helm configmap
+  * fix debian build (again)
+  * add PropertyMapping Model, add Subclass for SAML, test with AWS
+  * add custom DynamicArrayField to better handle arrays
+  * format data before inserting it
+  * bump version: 0.1.4-beta -> 0.1.5-beta
+  * fix static files missing for debian package
+  * fix password not getting set on user import
+  * remove audit's login attempt
+  * add passing property to PolicyEngine
+  * fix captcha factor not loading keys from Factor class
+  * bump version: 0.1.5-beta -> 0.1.6-beta
+  * fix MATCH_EXACT not working as intended
+  * Improve access control for saml
+
+ -- Jens Langhammer <jens.langhammer@beryju.org>  Fri, 08 Mar 2019 20:37:05 +0000
+
+passbook (0.1.4) stable; urgency=medium
+
+  * initial debian package release
+
+ -- Jens Langhammer <jens.langhammer@beryju.org>  Wed, 06 Mar 2019 18:22:41 +0000

debian/compat

@@ -0,0 +1 @@
+10

debian/config

@@ -0,0 +1,20 @@
+#!/bin/sh
+# config maintainer script for passbook
+set -e
+
+# source debconf stuff
+. /usr/share/debconf/confmodule
+
+dbc_first_version=1.0.0
+dbc_dbuser=passbook
+dbc_dbname=passbook
+
+# source dbconfig-common shell library, and call the hook function
+if [ -f /usr/share/dbconfig-common/dpkg/config.pgsql ]; then
+    . /usr/share/dbconfig-common/dpkg/config.pgsql
+    dbc_go passbook "$@"
+fi
+
+#DEBHELPER#
+
+exit 0

debian/control

@@ -0,0 +1,14 @@
+Source: passbook
+Section: admin
+Priority: optional
+Maintainer: BeryJu.org <support@beryju.org>
+Uploaders: Jens Langhammer <jens@beryju.org>, BeryJu.org <support@beryju.org>
+Build-Depends: debhelper (>= 10), dh-systemd (>= 1.5), dh-exec, wget, dh-exec, python3 (>= 3.5) | python3.6 | python3.7, libpq-dev
+Standards-Version: 3.9.6
+
+Package: passbook
+Architecture: all
+Recommends: mysql-server, rabbitmq-server, redis-server
+Pre-Depends: adduser, libldap2-dev, libsasl2-dev
+Depends: python3 (>= 3.5) | python3.6 | python3.7, python3-pip, dbconfig-pgsql | dbconfig-no-thanks, ${misc:Depends}
+Description: Authentication Provider/Proxy supporting protocols like SAML, OAuth, LDAP and more.

debian/copyright

@@ -0,0 +1,22 @@
+MIT License
+
+Copyright (c) 2019 BeryJu.org
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+

debian/dirs

@@ -0,0 +1,4 @@
+etc/passbook/
+etc/passbook/config.d/
+var/log/passbook/
+usr/share/passbook/

debian/etc/passbook/config.yml

@@ -0,0 +1,81 @@
+http:
+    host: 0.0.0.0
+    port: 8000
+secret_key_file: /etc/passbook/secret_key
+log:
+    level:
+        console: INFO
+        file: DEBUG
+    file: /var/log/passbook/passbook.log
+debug: false
+secure_proxy_header:
+  HTTP_X_FORWARDED_PROTO: https
+rabbitmq: guest:guest@localhost/passbook
+redis: localhost/0
+
+# Error reporting, sends stacktrace to sentry.services.beryju.org
+error_report_enabled: true
+
+primary_domain: passbook.local
+
+passbook:
+  sign_up:
+    # Enables signup, created users are stored in internal Database and created in LDAP if ldap.create_users is true
+    enabled: true
+  password_reset:
+    # Enable password reset, passwords are reset in internal Database and in LDAP if ldap.reset_password is true
+    enabled: true
+    # Verification the user has to provide in order to be able to reset passwords. Can be any combination of `email`, `2fa`, `security_questions`
+    verification:
+      - email
+  # Text used in title, on login page and multiple other places
+  branding: passbook
+  login:
+    # Override URL used for logo
+    logo_url: null
+    # Override URL used for Background on Login page
+    bg_url: null
+    # Optionally add a subtext, placed below logo on the login page
+    subtext: null
+  footer:
+    links:
+      # Optionally add links to the footer on the login page
+      #  - name: test
+      #    href: https://test
+  # Specify which fields can be used to authenticate. Can be any combination of `username` and `email`
+  uid_fields:
+    - username
+    - email
+  session:
+    remember_age: 2592000 # 60 * 60 * 24 * 30, one month
+# Provider-specific settings
+ldap:
+  # Which field from `uid_fields` maps to which LDAP Attribute
+  login_field_map:
+    username: sAMAccountName
+    email: mail # or userPrincipalName
+  user_attribute_map:
+    active_directory:
+      username: "%(sAMAccountName)s"
+      email: "%(mail)s"
+      name: "%(displayName)"
+oauth_client:
+  # List of python packages with sources types to load.
+  types:
+    - passbook.oauth_client.source_types.discord
+    - passbook.oauth_client.source_types.facebook
+    - passbook.oauth_client.source_types.github
+    - passbook.oauth_client.source_types.google
+    - passbook.oauth_client.source_types.reddit
+    - passbook.oauth_client.source_types.supervisr
+    - passbook.oauth_client.source_types.twitter
+saml_idp:
+  # List of python packages with provider types to load.
+  types:
+    - passbook.saml_idp.processors.generic
+    - passbook.saml_idp.processors.aws
+    - passbook.saml_idp.processors.gitlab
+    - passbook.saml_idp.processors.nextcloud
+    - passbook.saml_idp.processors.salesforce
+    - passbook.saml_idp.processors.shibboleth
+    - passbook.saml_idp.processors.wordpress_orange

debian/gbp.conf

@@ -0,0 +1,2 @@
+[buildpackage]
+export-dir=../build-area

debian/install

@@ -0,0 +1,8 @@
+passbook		/usr/share/passbook/
+static			/usr/share/passbook/
+manage.py		/usr/share/passbook/
+passbook.sh		/usr/share/passbook/
+vendor			/usr/share/passbook/
+
+debian/etc/passbook								/etc/
+debian/templates/database.yml					/usr/share/passbook/

debian/passbook-worker.service

@@ -0,0 +1,14 @@
+[Unit]
+Description=passbook - Authentication Provider/Proxy (Background worker)
+After=network.target
+Requires=network.target
+
+[Service]
+User=passbook
+Group=passbook
+WorkingDirectory=/usr/share/passbook
+Type=simple
+ExecStart=/usr/share/passbook/passbook.sh worker
+
+[Install]
+WantedBy=multi-user.target

debian/passbook.service

@@ -0,0 +1,14 @@
+[Unit]
+Description=passbook - Authentication Provider/Proxy
+After=network.target
+Requires=network.target
+
+[Service]
+User=passbook
+Group=passbook
+WorkingDirectory=/usr/share/passbook
+Type=simple
+ExecStart=/usr/share/passbook/passbook.sh web
+
+[Install]
+WantedBy=multi-user.target

debian/postinst

@@ -0,0 +1,36 @@
+#!/bin/bash
+
+set -e
+
+. /usr/share/debconf/confmodule
+. /usr/share/dbconfig-common/dpkg/postinst.pgsql
+
+# you can set the default database encoding to something else
+dbc_pgsql_createdb_encoding="UTF8"
+dbc_generate_include=template:/etc/passbook/config.d/database.yml
+dbc_generate_include_args="-o template_infile=/usr/share/passbook/database.yml"
+dbc_go passbook "$@"
+
+if [ -z "`getent group passbook`" ]; then
+	addgroup --quiet --system passbook
+fi
+if [ -z "`getent passwd passbook`" ]; then
+	echo " * Creating user and group passbook..."
+	adduser --quiet --system --home /usr/share/passbook --shell /bin/false --ingroup passbook --disabled-password --disabled-login --gecos "passbook User" passbook  >> /var/log/passbook/passbook.log 2>&1
+fi
+echo " * Updating binary packages (psycopg2)"
+python3 -m pip install --target=/usr/share/passbook/vendor/ --no-cache-dir --upgrade --force-reinstall psycopg2 >> /var/log/passbook/passbook.log 2>&1
+if [ ! -f '/etc/passbook/secret_key' ]; then
+	echo " * Generating Secret Key"
+	python3 -c 'import random; result = "".join([random.choice("abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)") for i in range(50)]); print(result)' > /etc/passbook/secret_key 2> /dev/null
+fi
+chown -R passbook: /usr/share/passbook/
+chown -R passbook: /etc/passbook/
+chown -R passbook: /var/log/passbook/
+chmod 440 /etc/passbook/secret_key
+echo " * Running Database Migration"
+/usr/share/passbook/passbook.sh migrate
+echo " * A superuser can be created with this command '/usr/share/passbook/passbook.sh createsuperuser'"
+echo " * You should probably also adjust your settings in '/etc/passbook/config.yml'"
+
+#DEBHELPER#

debian/postrm

@@ -0,0 +1,24 @@
+#!/bin/sh
+
+set -e
+
+if [ -f /usr/share/debconf/confmodule ]; then
+    . /usr/share/debconf/confmodule
+fi
+if [ -f /usr/share/dbconfig-common/dpkg/postrm.pgsql ]; then
+    . /usr/share/dbconfig-common/dpkg/postrm.pgsql
+    dbc_go passbook "$@"
+fi
+
+
+if [ "$1" = "purge" ]; then
+    if which ucf >/dev/null 2>&1; then
+        ucf --purge /etc/passbook/config.d/database.yml
+        ucfr --purge passbook /etc/passbook/config.d/database.yml
+    fi
+    rm -rf /etc/passbook/
+    rm -rf /usr/share/passbook/
+fi
+
+#DEBHELPER#
+

debian/prerm

@@ -0,0 +1,10 @@
+#!/bin/sh
+
+set -e
+
+. /usr/share/debconf/confmodule
+. /usr/share/dbconfig-common/dpkg/prerm.pgsql
+dbc_go passbook "$@"
+
+#DEBHELPER#
+

debian/rules

@@ -0,0 +1,27 @@
+#!/usr/bin/make -f
+
+# Uncomment this to turn on verbose mode.
+# export DH_VERBOSE=1
+
+%:
+	dh $@ --with=systemd
+
+build-arch:
+	python3 -m pip install setuptools
+	python3 -m pip install --target=vendor/ -r requirements.txt
+
+override_dh_strip:
+	dh_strip --exclude=psycopg2
+
+override_dh_shlibdeps:
+	dh_shlibdeps --exclude=psycopg2
+
+override_dh_installinit:
+	dh_installinit --name=passbook
+	dh_installinit --name=passbook-worker
+	dh_systemd_enable --name=passbook
+	dh_systemd_enable --name=passbook-worker
+	dh_systemd_start
+
+# override_dh_usrlocal to do nothing
+override_dh_usrlocal:

debian/source/format

@@ -0,0 +1 @@
+3.0 (native)

debian/templates/database.yml

@@ -0,0 +1,8 @@
+databases:
+  default:
+    engine: django.db.backends.postgresql
+    name: _DBC_DBNAME_
+    user: _DBC_DBUSER_
+    password: _DBC_DBPASS_
+    host: _DBC_DBSERVER_
+    port: _DBC_DBPORT_

helm/passbook/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v1
-appVersion: "0.0.13-alpha"
+appVersion: "0.1.30-beta"
 description: A Helm chart for passbook.
 name: passbook
-version: "0.0.13-alpha"
+version: "0.1.30-beta"
 icon: https://passbook.beryju.org/images/logo.png

helm/passbook/requirements.lock

@@ -1,9 +1,12 @@
 dependencies:
-- name: redis
+- name: rabbitmq
   repository: https://kubernetes-charts.storage.googleapis.com/
-  version: 5.1.0
+  version: 4.3.2
 - name: postgresql
   repository: https://kubernetes-charts.storage.googleapis.com/
   version: 3.10.1
-digest: sha256:04bd136761f070e94a2ff32ff48ff87f5e07fbd451e5fd7f65551e3bd4680e5e
-generated: 2019-02-08T12:08:49.090666+01:00
+- name: redis
+  repository: https://kubernetes-charts.storage.googleapis.com/
+  version: 5.1.0
+digest: sha256:8bf68bc928a2e3c0f05139635be05fa0840554c7bde4cecd624fac78fb5fa5a3
+generated: 2019-03-21T11:06:51.553379+01:00

helm/passbook/requirements.yaml

@@ -1,7 +1,10 @@
 dependencies:
-- name: redis
-  version: 5.1.0
+- name: rabbitmq
+  version: 4.3.2
   repository: https://kubernetes-charts.storage.googleapis.com/
 - name: postgresql
   version: 3.10.1
   repository: https://kubernetes-charts.storage.googleapis.com/
+- name: redis
+  version: 5.1.0
+  repository: https://kubernetes-charts.storage.googleapis.com/

helm/passbook/templates/passbook-configmap.yaml

@@ -15,14 +15,14 @@ data:
         port: ''
     log:
       level:
-        console: DEBUG
-        file: DEBUG
+        console: WARNING
+        file: WARNING
       file: /dev/null
       syslog:
         host: 127.0.0.1
         port: 514
     email:
-      host: localhost
+      host: {{ .Values.config.email.host }}
       port: 25
       user: ''
       password: ''
@@ -36,7 +36,8 @@ data:
     debug: false
     secure_proxy_header:
       HTTP_X_FORWARDED_PROTO: https
-    redis: ":{{ .Values.redis.password }}@{{ .Release.Name }}-redis-master"
+    rabbitmq: "user:{{ .Values.rabbitmq.rabbitmq.password }}@{{ .Release.Name }}-rabbitmq"
+    redis: ":{{ .Values.redis.password }}@{{ .Release.Name }}-redis-master/0"
     # Error reporting, sends stacktrace to sentry.services.beryju.org
     error_report_enabled: {{ .Values.config.error_reporting }}
 
@@ -46,10 +47,12 @@ data:
     secret_key: {{ randAlphaNum 50 }}
     {{- end }}
 
+    primary_domain: {{ .Values.primary_domain }}
     domains:
         {{- range .Values.ingress.hosts }}
         - {{ . | quote }}
         {{- end }}
+        - kubernetes-healthcheck-host
 
     passbook:
       sign_up:
@@ -122,6 +125,7 @@ data:
         - passbook.oauth_client.source_types.reddit
         - passbook.oauth_client.source_types.supervisr
         - passbook.oauth_client.source_types.twitter
+        - passbook.oauth_client.source_types.azure_ad
     saml_idp:
       signing: true
       autosubmit: false
@@ -130,6 +134,7 @@ data:
       # List of python packages with provider types to load.
       types:
         - passbook.saml_idp.processors.generic
+        - passbook.saml_idp.processors.aws
         - passbook.saml_idp.processors.gitlab
         - passbook.saml_idp.processors.nextcloud
         - passbook.saml_idp.processors.salesforce

helm/passbook/templates/passbook-web-deployment.yaml

@@ -18,6 +18,7 @@ spec:
       labels:
         app.kubernetes.io/name: {{ include "passbook.name" . }}
         app.kubernetes.io/instance: {{ .Release.Name }}
+        passbook.io/component: web
     spec:
       volumes:
         - name: config-volume

helm/passbook/templates/passbook-web-service.yaml

@@ -17,3 +17,4 @@ spec:
   selector:
     app.kubernetes.io/name: {{ include "passbook.name" . }}
     app.kubernetes.io/instance: {{ .Release.Name }}
+    passbook.io/component: web

helm/passbook/templates/passbook-worker-deployment.yaml

@@ -18,6 +18,7 @@ spec:
       labels:
         app.kubernetes.io/name: {{ include "passbook.name" . }}
         app.kubernetes.io/instance: {{ .Release.Name }}
+        passbook.io/component: worker
     spec:
       volumes:
         - name: config-volume

helm/passbook/values.yaml

@@ -5,7 +5,7 @@
 replicaCount: 1
 
 image:
-  tag: 0.0.13-alpha
+  tag: 0.1.30-beta
 
 nameOverride: ""
 
@@ -14,11 +14,17 @@ config:
   # secret_key: _k*@6h2u2@q-dku57hhgzb7tnx*ba9wodcb^s9g0j59@=y(@_o
   # Enable error reporting
   error_reporting: true
+  email:
+    host: localhost
 
 postgresql:
   postgresqlDatabase: passbook
   postgresqlPassword: foo
 
+rabbitmq:
+  rabbitmq:
+    password: foo
+
 service:
   type: ClusterIP
   port: 80
@@ -31,7 +37,6 @@ ingress:
   path: /
   hosts:
     - passbook.k8s.local
-    - kubernetes-healthcheck-host
   defaultHost: passbook.k8s.local
   tls: []
   #  - secretName: chart-example-tls

passbook.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# Check if this file is a symlink, if so, read real base dir
+BASE_DIR=$(dirname $(readlink -f ${BASH_SOURCE[0]}))
+
+cd $BASE_DIR
+PYTHONPATH="${BASE_DIR}/vendor/" python3 manage.py $@

passbook/__init__.py

@@ -1,2 +1,2 @@
 """passbook"""
-__version__ = '0.0.13-alpha'
+__version__ = '0.1.30-beta'

passbook/admin/__init__.py

@@ -1,2 +1,2 @@
 """passbook admin"""
-__version__ = '0.0.13-alpha'
+__version__ = '0.1.30-beta'

passbook/admin/forms/users.py

@@ -0,0 +1,17 @@
+"""passbook administrative user forms"""
+
+from django import forms
+
+from passbook.core.models import User
+
+
+class UserForm(forms.ModelForm):
+    """Update User Details"""
+
+    class Meta:
+
+        model = User
+        fields = ['username', 'name', 'email', 'is_staff', 'is_active']
+        widgets = {
+            'name': forms.TextInput
+        }

passbook/admin/middleware.py

@@ -0,0 +1,25 @@
+"""passbook admin Middleware to impersonate users"""
+
+from passbook.core.models import User
+
+
+def impersonate(get_response):
+    """Middleware to impersonate users"""
+
+    def middleware(request):
+        """Middleware to impersonate users"""
+
+        # User is superuser and has __impersonate ID set
+        if request.user.is_superuser and "__impersonate" in request.GET:
+            request.session['impersonate_id'] = request.GET["__impersonate"]
+        # user wants to stop impersonation
+        elif "__unimpersonate" in request.GET and 'impersonate_id' in request.session:
+            del request.session['impersonate_id']
+
+        # Actually impersonate user
+        if request.user.is_superuser and 'impersonate_id' in request.session:
+            request.user = User.objects.get(pk=request.session['impersonate_id'])
+
+        response = get_response(request)
+        return response
+    return middleware

passbook/admin/settings.py

@@ -0,0 +1,5 @@
+"""passbook admin settings"""
+
+MIDDLEWARE = [
+    'passbook.admin.middleware.impersonate',
+]

passbook/admin/templates/administration/base.html

@@ -4,36 +4,4 @@
 {% load is_active %}
 
 {% block nav_secondary %}
-<ul class="nav navbar-nav navbar-persistent">
-  <li class="{% is_active 'passbook_admin:overview' %}">
-    <a href="{% url 'passbook_admin:overview' %}">{% trans 'Overview' %}</a>
-  </li>
-  <li class="{% is_active 'passbook_admin:applications' 'passbook_admin:application-create' 'passbook_admin:application-update' 'passbook_admin:application-delete' %}">
-    <a href="{% url 'passbook_admin:applications' %}">{% trans 'Applications' %}</a>
-  </li>
-  <li class="{% is_active 'passbook_admin:sources' 'passbook_admin:source-create' 'passbook_admin:source-update' 'passbook_admin:source-delete' %}">
-    <a href="{% url 'passbook_admin:sources' %}">{% trans 'Sources' %}</a>
-  </li>
-  <li class="{% is_active 'passbook_admin:providers' 'passbook_admin:provider-create' 'passbook_admin:provider-update' 'passbook_admin:provider-delete' %}">
-    <a href="{% url 'passbook_admin:providers' %}">{% trans 'Providers' %}</a>
-  </li>
-  <li class="{% is_active 'passbook_admin:factors' 'passbook_admin:factor-create' 'passbook_admin:factor-update' 'passbook_admin:factor-delete' %}">
-    <a href="{% url 'passbook_admin:factors' %}">{% trans 'Factors' %}</a>
-  </li>
-  <li class="{% is_active 'passbook_admin:policies' 'passbook_admin:policy-create' 'passbook_admin:policy-update' 'passbook_admin:policy-delete' 'passbook_admin:policy-test' %}">
-    <a href="{% url 'passbook_admin:policies' %}">{% trans 'Policies' %}</a>
-  </li>
-  <li class="{% is_active 'passbook_admin:invitations' 'passbook_admin:invitation-create' 'passbook_admin:invitation-update' 'passbook_admin:invitation-delete' 'passbook_admin:invitation-test' %}">
-    <a href="{% url 'passbook_admin:invitations' %}">{% trans 'Invitations' %}</a>
-  </li>
-  <li class="{% is_active 'passbook_admin:users' 'passbook_admin:user-update' 'passbook_admin:user-delete' %}">
-    <a href="{% url 'passbook_admin:users' %}">{% trans 'Users' %}</a>
-  </li>
-  <li class="{% is_active 'passbook_admin:audit-log' %}">
-    <a href="{% url 'passbook_admin:audit-log' %}">{% trans 'Audit Log' %}</a>
-  </li>
-  <li class="{% is_active_app 'admin' %}">
-    <a href="{% url 'admin:index' %}">{% trans 'Django' %}</a>
-  </li>
-</ul>
 {% endblock %}

passbook/admin/templates/administration/debug/request.html

@@ -0,0 +1,31 @@
+{% extends "administration/base.html" %}
+
+{% load i18n %}
+{% load utils %}
+
+{% block title %}
+{% title %}
+{% endblock %}
+
+{% block content %}
+<div class="container">
+    <h1><span class="pficon-applications"></span> {% trans "Request" %}</h1>
+    <hr>
+    <table class="table table-striped table-bordered">
+        <thead>
+            <tr>
+                <th>{% trans 'Key' %}</th>
+                <th>{% trans 'Value' %}</th>
+            </tr>
+        </thead>
+        <tbody>
+            {% for key, value in request_dict.items %}
+            <tr>
+                <td>{{ key }}</td>
+                <td>{{ value }}</td>
+            </tr>
+            {% endfor %}
+        </tbody>
+    </table>
+</div>
+{% endblock %}

passbook/admin/templates/administration/group/list.html

@@ -0,0 +1,45 @@
+{% extends "administration/base.html" %}
+
+{% load i18n %}
+{% load utils %}
+
+{% block title %}
+{% title %}
+{% endblock %}
+
+{% block content %}
+<div class="container">
+    <h1><span class="pficon-users"></span> {% trans "Groups" %}</h1>
+    <span>{% trans "Group users together and give them permissions based on the membership." %}</span>
+    <hr>
+    <a href="{% url 'passbook_admin:group-create' %}?back={{ request.get_full_path }}" class="btn btn-primary">
+        {% trans 'Create...' %}
+    </a>
+    <hr>
+    <table class="table table-striped table-bordered">
+        <thead>
+            <tr>
+                <th>{% trans 'Name' %}</th>
+                <th>{% trans 'Parent' %}</th>
+                <th>{% trans 'Members' %}</th>
+                <th></th>
+            </tr>
+        </thead>
+        <tbody>
+            {% for group in object_list %}
+            <tr>
+                <td>{{ group.name }}</td>
+                <td>{{ group.parent }}</td>
+                <td>{{ group.user_set.all|length }}</td>
+                <td>
+                    <a class="btn btn-default btn-sm"
+                        href="{% url 'passbook_admin:group-update' pk=group.uuid %}?back={{ request.get_full_path }}">{% trans 'Edit' %}</a>
+                    <a class="btn btn-default btn-sm"
+                        href="{% url 'passbook_admin:group-delete' pk=group.uuid %}?back={{ request.get_full_path }}">{% trans 'Delete' %}</a>
+                </td>
+            </tr>
+            {% endfor %}
+        </tbody>
+    </table>
+</div>
+{% endblock %}

passbook/admin/templates/administration/groups/list.html

@@ -1,83 +0,0 @@
-{% extends "administration/base.html" %}
-
-{% load i18n %}
-{% load static %}
-{% load utils %}
-
-{% block head %}
-{{ block.super }}
-<link rel="stylesheet" href="{% static 'css/bootstrap-treeview.min.css'%}">
-{% endblock %}
-
-{% block scripts %}
-{{ block.super }}
-<script src="{% static 'js/bootstrap-treeview.min.js' %}"></script>
-<script>
-  var cleanupData = function (obj) {
-    return {
-      text: obj.name,
-      href: '?group=' + obj.uuid,
-      nodes: obj.children.map(cleanupData),
-    };
-  }
- $(function() {
-   var apiUrl = "{% url 'passbook_admin:group-list' %}?format=json";
-   $.ajax({
-      url: apiUrl,
-    }).done(function(data) {
-      $('#treeview1').treeview({
-        collapseIcon: "fa fa-angle-down",
-        data: data.map(cleanupData),
-        expandIcon: "fa fa-angle-right",
-        nodeIcon: "fa pficon-users",
-        showBorder: true,
-        enableLinks: true,
-        onNodeSelected: function (event, node) {
-          window.location.href = node.href;
-        }
-      });
-    });
-  });
-</script>
-{% endblock %}
-
-{% block title %}
-{% title %}
-{% endblock %}
-
-{% block content %}
-<div class="col-md-3">
-  <div id="treeview1" class="treeview">
-  </div>
-</div>
-<div class="col-md-9">
-  <h1>{% trans "Invitations" %}</h1>
-  <a href="{% url 'passbook_admin:invitation-create' %}" class="btn btn-primary">
-    {% trans 'Create...' %}
-  </a>
-  <hr>
-  <table class="table table-striped table-bordered">
-    <thead>
-      <tr>
-        <th>{% trans 'Expiry' %}</th>
-        <th>{% trans 'Link' %}</th>
-        <th></th>
-      </tr>
-    </thead>
-    <tbody>
-      {% for invitation in object_list %}
-      <tr>
-        <td>{{ invitation.expires|default:"Never" }}</td>
-        <td>
-          <pre>{{ invitation.link }}</pre>
-        </td>
-        <td>
-          <a class="btn btn-default btn-sm" href="{% url 'passbook_admin:invitation-delete' pk=invitation.uuid %}?back={{ request.get_full_path }}">{%
-            trans 'Delete' %}</a>
-        </td>
-      </tr>
-      {% endfor %}
-    </tbody>
-  </table>
-</div>
-{% endblock %}

passbook/admin/templates/administration/overview.html

@@ -76,9 +76,13 @@
             <div class="card-pf-body">
                 <p class="card-pf-aggregate-status-notifications">
                     <span class="card-pf-aggregate-status-notification">
-                        <a href="{% url 'passbook_admin:factors' %}">
+                        {% if factor_count < 1 %}
+                        <span class="pficon-error-circle-o" data-toggle="tooltip" data-placement="right"
+                            title="{% trans 'No Factors configured. No Users will be able to login.' %}"></span>
+                        {{ factor_count }}
+                        {% else %}
                         <span class="pficon pficon-ok"></span>{{ factor_count }}
-                        </a>
+                        {% endif %}
                     </span>
                 </p>
             </div>
@@ -95,9 +99,13 @@
             <div class="card-pf-body">
                 <p class="card-pf-aggregate-status-notifications">
                     <span class="card-pf-aggregate-status-notification">
-                        <a href="{% url 'passbook_admin:policies' %}">
+                        {% if policies_without_attachment > 0 %}
+                        <span class="pficon-warning-triangle-o" data-toggle="tooltip" data-placement="right"
+                            title="{% trans 'Policies without attachment exist.' %}"></span>
+                        {{ policy_count }}
+                        {% else %}
                         <span class="pficon pficon-ok"></span>{{ policy_count }}
-                        </a>
+                        {% endif %}
                     </span>
                 </p>
             </div>
@@ -174,7 +182,7 @@
                         <a href="#">
                             {% if worker_count < 1%}
                             <span class="pficon-error-circle-o" data-toggle="tooltip" data-placement="right"
-                                title="{% trans 'No workers connected. Policies may not work.' %}"></span> {{ worker_count }}
+                                title="{% trans 'No workers connected. Policies will not work and you may expect other issues.' %}"></span> {{ worker_count }}
                             {% else %}
                             <span class="pficon pficon-ok"></span>{{ worker_count }}
                             {% endif %}

passbook/admin/templates/administration/policy/list.html

@@ -28,6 +28,7 @@
     <table class="table table-striped table-bordered">
         <thead>
             <tr>
+                <th></th>
                 <th>{% trans 'Name' %}</th>
                 <th>{% trans 'Type' %}</th>
                 <th></th>
@@ -35,7 +36,14 @@
         </thead>
         <tbody>
             {% for policy in object_list %}
-            <tr>
+            <tr {% if not policy.policymodel_set.exists %} class="warning" {% endif %}>
+                <th>
+                    {% if not policy.policymodel_set.exists %}
+                    <span class="pficon-warning-triangle-o" data-toggle="tooltip" data-placement="right" title="{% trans 'Warning: Policy is not assigned.' %}"></span>
+                    {% else %}
+                    <span class="pficon-ok" data-toggle="tooltip" data-placement="right" title="{% blocktrans with objects=policy.policymodel_set.all|join:', ' %}Assigned to objects {{ objects }}{% endblocktrans %}"></span>
+                    {% endif %}
+                </th>
                 <td>{{ policy.name }}</td>
                 <td>{{ policy|verbose_name }}</td>
                 <td>

passbook/admin/templates/administration/policy/test.html

@@ -5,3 +5,22 @@
 {% block above_form %}
 <h1>{% blocktrans with policy=policy %}Test policy {{ policy }}{% endblocktrans %}</h1>
 {% endblock %}
+
+{% block action %}
+{% trans 'Test' %}
+{% endblock %}
+
+{% block beneath_form %}
+<p class="loading" style="display: none;">
+  <span class="spinner spinner-xs spinner-inline"></span> {% trans 'Processing, please wait...' %}
+</p>
+{% endblock %}
+
+{% block scripts %}
+{{ block.super }}
+<script>
+  $('form').on('submit', function () {
+    $('p.loading').show();
+  })
+</script>
+{% endblock %}

passbook/admin/templates/administration/property_mapping/list.html

@@ -0,0 +1,52 @@
+{% extends "administration/base.html" %}
+
+{% load i18n %}
+{% load utils %}
+
+{% block title %}
+{% title %}
+{% endblock %}
+
+{% block content %}
+<div class="container">
+    <h1><span class="fa fa-table"></span> {% trans "Property Mappings" %}</h1>
+    <span>{% trans "Property Mappings allow you expose provider-specific attributes." %}</span>
+    <hr>
+    <div class="dropdown">
+        <button class="btn btn-primary dropdown-toggle" type="button" id="createDropdown" data-toggle="dropdown">
+            {% trans 'Create...' %}
+            <span class="caret"></span>
+        </button>
+        <ul class="dropdown-menu" role="menu" aria-labelledby="createDropdown">
+            {% for type, name in types.items %}
+            <li role="presentation"><a role="menuitem" tabindex="-1"
+                    href="{% url 'passbook_admin:property-mapping-create' %}?type={{ type }}&back={{ request.get_full_path }}">{{ name }}</a></li>
+            {% endfor %}
+        </ul>
+    </div>
+    <hr>
+    <table class="table table-striped table-bordered">
+        <thead>
+            <tr>
+                <th>{% trans 'Name' %}</th>
+                <th>{% trans 'Type' %}</th>
+                <th></th>
+            </tr>
+        </thead>
+        <tbody>
+            {% for property_mapping in object_list %}
+            <tr>
+                <td>{{ property_mapping.name }}</td>
+                <td>{{ property_mapping|verbose_name }}</td>
+                <td>
+                    <a class="btn btn-default btn-sm"
+                        href="{% url 'passbook_admin:property-mapping-update' pk=property_mapping.pk %}?back={{ request.get_full_path }}">{% trans 'Edit' %}</a>
+                    <a class="btn btn-default btn-sm"
+                        href="{% url 'passbook_admin:property-mapping-delete' pk=property_mapping.pk %}?back={{ request.get_full_path }}">{% trans 'Delete' %}</a>
+                </td>
+            </tr>
+            {% endfor %}
+        </tbody>
+    </table>
+</div>
+{% endblock %}

passbook/admin/templates/administration/provider/list.html

@@ -57,6 +57,10 @@
                     <a class="btn btn-default btn-sm"
                         href="{{ href }}?back={{ request.get_full_path }}">{% trans name %}</a>
                     {% endfor %}
+                    {% get_htmls provider as htmls %}
+                    {% for html in htmls %}
+                    {{ html|safe }}
+                    {% endfor %}
                 </td>
             </tr>
             {% endfor %}

passbook/admin/templates/administration/user/list.html

@@ -31,6 +31,8 @@
                         href="{% url 'passbook_admin:user-delete' pk=user.pk %}?back={{ request.get_full_path }}">{% trans 'Delete' %}</a>
                     <a class="btn btn-default btn-sm"
                         href="{% url 'passbook_admin:user-password-reset' pk=user.pk %}?back={{ request.get_full_path }}">{% trans 'Reset Password' %}</a>
+                    <a class="btn btn-default btn-sm"
+                        href="{% url 'passbook_core:overview' %}?__impersonate={{ user.pk }}">{% trans 'Impersonate' %}</a>
                 </td>
             </tr>
             {% endfor %}

passbook/admin/templates/generic/form.html

@@ -2,6 +2,21 @@
 
 {% load i18n %}
 {% load utils %}
+{% load static %}
+
+{% block head %}
+{{ block.super }}
+{{ form.media.css }}
+<script type="text/javascript" src="{% url 'admin:jsi18n' %}"></script>
+<script type="text/javascript" src="{% static 'admin/js/vendor/jquery/jquery.js' %}"></script>
+<script type="text/javascript" src="{% static 'admin/js/jquery.init.js' %}"></script>
+<script type="text/javascript" src="{% static 'admin/js/core.js' %}"></script>
+<script type="text/javascript" src="{% static 'admin/js/actions.js' %}"></script>
+<script type="text/javascript" src="{% static 'admin/js/urlify.js' %}"></script>
+<script type="text/javascript" src="{% static 'admin/js/prepopulate.js' %}"></script>
+<script type="text/javascript" src="{% static 'admin/js/SelectBox.js' %}"></script>
+<script type="text/javascript" src="{% static 'admin/js/SelectFilter2.js' %}"></script>
+{% endblock %}
 
 {% block content %}
 <div class="container">
@@ -14,5 +29,12 @@
       <input type="submit" class="btn btn-primary" value="{% block action %}{% endblock %}" />
     </form>
   </div>
+  {% block beneath_form %}
+  {% endblock %}
 </div>
 {% endblock %}
+
+{% block scripts %}
+{{ block.super }}
+{{ form.media.js }}
+{% endblock %}

passbook/admin/templatetags/admin_reflection.py

@@ -5,6 +5,8 @@ from logging import getLogger
 from django import template
 from django.db.models import Model
 
+from passbook.lib.utils.template import render_to_string
+
 register = template.Library()
 LOGGER = getLogger(__name__)
 
@@ -29,3 +31,24 @@ def get_links(model_instance):
         pass
 
     return links
+
+
+@register.simple_tag(takes_context=True)
+def get_htmls(context, model_instance):
+    """Find all html_ methods on an object instance, run them and return as dict"""
+    prefix = 'html_'
+    htmls = []
+
+    if not isinstance(model_instance, Model):
+        LOGGER.warning("Model %s is not instance of Model", model_instance)
+        return htmls
+
+    try:
+        for name, method in inspect.getmembers(model_instance, predicate=inspect.ismethod):
+            if name.startswith(prefix):
+                template, _context = method(context.get('request'))
+                htmls.append(render_to_string(template, _context))
+    except NotImplementedError:
+        pass
+
+    return htmls

passbook/admin/urls.py

@@ -1,9 +1,9 @@
 """passbook URL Configuration"""
 from django.urls import include, path
 
-from passbook.admin.views import (applications, audit, factors, groups,
-                                  invitations, overview, policy, providers,
-                                  sources, users)
+from passbook.admin.views import (applications, audit, debug, factors, groups,
+                                  invitations, overview, policy,
+                                  property_mapping, providers, sources, users)
 
 urlpatterns = [
     path('', overview.AdministrationOverviewView.as_view(), name='overview'),
@@ -43,6 +43,15 @@ urlpatterns = [
          factors.FactorUpdateView.as_view(), name='factor-update'),
     path('factors/<uuid:pk>/delete/',
          factors.FactorDeleteView.as_view(), name='factor-delete'),
+    # Factors
+    path('property-mappings/', property_mapping.PropertyMappingListView.as_view(),
+         name='property-mappings'),
+    path('property-mappings/create/',
+         property_mapping.PropertyMappingCreateView.as_view(), name='property-mapping-create'),
+    path('property-mappings/<uuid:pk>/update/',
+         property_mapping.PropertyMappingUpdateView.as_view(), name='property-mapping-update'),
+    path('property-mappings/<uuid:pk>/delete/',
+         property_mapping.PropertyMappingDeleteView.as_view(), name='property-mapping-delete'),
     # Invitations
     path('invitations/', invitations.InvitationListView.as_view(), name='invitations'),
     path('invitations/create/',
@@ -58,10 +67,17 @@ urlpatterns = [
          users.UserDeleteView.as_view(), name='user-delete'),
     path('users/<int:pk>/reset/',
          users.UserPasswordResetView.as_view(), name='user-password-reset'),
+    # Groups
+    path('group/', groups.GroupListView.as_view(), name='group'),
+    path('group/create/', groups.GroupCreateView.as_view(), name='group-create'),
+    path('group/<uuid:pk>/update/', groups.GroupUpdateView.as_view(), name='group-update'),
+    path('group/<uuid:pk>/delete/', groups.GroupDeleteView.as_view(), name='group-delete'),
     # Audit Log
     path('audit/', audit.AuditEntryListView.as_view(), name='audit-log'),
     # Groups
     path('groups/', groups.GroupListView.as_view(), name='groups'),
     # API
-    path('api/', include('passbook.admin.api.urls'))
+    path('api/', include('passbook.admin.api.urls')),
+    # Debug
+    path('debug/request/', debug.DebugRequestView.as_view(), name='debug-request'),
 ]

passbook/admin/views/debug.py

@@ -0,0 +1,17 @@
+"""passbook administration debug views"""
+
+from django.views.generic import TemplateView
+
+from passbook.admin.mixins import AdminRequiredMixin
+
+
+class DebugRequestView(AdminRequiredMixin, TemplateView):
+    """Show debug info about request"""
+
+    template_name = 'administration/debug/request.html'
+
+    def get_context_data(self, **kwargs):
+        kwargs['request_dict'] = {}
+        for key in dir(self.request):
+            kwargs['request_dict'][key] = getattr(self.request, key)
+        return super().get_context_data(**kwargs)

passbook/admin/views/groups.py

@@ -1,12 +1,57 @@
 """passbook Group administration"""
-from django.views.generic import ListView
+from django.contrib import messages
+from django.contrib.messages.views import SuccessMessageMixin
+from django.urls import reverse_lazy
+from django.utils.translation import ugettext as _
+from django.views.generic import CreateView, DeleteView, ListView, UpdateView
 
 from passbook.admin.mixins import AdminRequiredMixin
+from passbook.core.forms.groups import GroupForm
 from passbook.core.models import Group
 
 
 class GroupListView(AdminRequiredMixin, ListView):
-    """Show list of all invitations"""
+    """Show list of all groups"""
 
     model = Group
-    template_name = 'administration/groups/list.html'
+    ordering = 'name'
+    template_name = 'administration/group/list.html'
+
+
+class GroupCreateView(SuccessMessageMixin, AdminRequiredMixin, CreateView):
+    """Create new Group"""
+
+    form_class = GroupForm
+
+    template_name = 'generic/create.html'
+    success_url = reverse_lazy('passbook_admin:groups')
+    success_message = _('Successfully created Group')
+
+    def get_context_data(self, **kwargs):
+        kwargs['type'] = 'Group'
+        return super().get_context_data(**kwargs)
+
+
+class GroupUpdateView(SuccessMessageMixin, AdminRequiredMixin, UpdateView):
+    """Update group"""
+
+    model = Group
+    form_class = GroupForm
+
+    template_name = 'generic/update.html'
+    success_url = reverse_lazy('passbook_admin:groups')
+    success_message = _('Successfully updated Group')
+
+
+class GroupDeleteView(SuccessMessageMixin, AdminRequiredMixin, DeleteView):
+    """Delete group"""
+
+    model = Group
+
+    template_name = 'generic/delete.html'
+    success_url = reverse_lazy('passbook_admin:groups')
+    success_message = _('Successfully deleted Group')
+
+    def delete(self, request, *args, **kwargs):
+        messages.success(self.request, self.success_message)
+        return super().delete(request, *args, **kwargs)

passbook/admin/views/overview.py

@@ -24,4 +24,5 @@ class AdministrationOverviewView(AdminRequiredMixin, TemplateView):
         kwargs['version'] = __version__
         kwargs['worker_count'] = len(CELERY_APP.control.ping(timeout=0.5))
         kwargs['providers_without_application'] = Provider.objects.filter(application=None)
+        kwargs['policies_without_attachment'] = len(Policy.objects.filter(policymodel__isnull=True))
         return super().get_context_data(**kwargs)

passbook/admin/views/policy.py

@@ -11,6 +11,7 @@ from django.views.generic.detail import DetailView
 from passbook.admin.forms.policies import PolicyTestForm
 from passbook.admin.mixins import AdminRequiredMixin
 from passbook.core.models import Policy
+from passbook.core.policies import PolicyEngine
 from passbook.lib.utils.reflection import path_to_class
 
 
@@ -100,7 +101,9 @@ class PolicyTestView(AdminRequiredMixin, DetailView, FormView):
     def form_valid(self, form):
         policy = self.get_object()
         user = form.cleaned_data.get('user')
-        result = policy.passes(user)
+        policy_engine = PolicyEngine([policy])
+        policy_engine.for_user(user).with_request(self.request).build()
+        result = policy_engine.passing
         if result:
             messages.success(self.request, _('User successfully passed policy.'))
         else:

passbook/admin/views/property_mapping.py

@@ -0,0 +1,90 @@
+"""passbook PropertyMapping administration"""
+from django.contrib import messages
+from django.contrib.messages.views import SuccessMessageMixin
+from django.http import Http404
+from django.urls import reverse_lazy
+from django.utils.translation import ugettext as _
+from django.views.generic import CreateView, DeleteView, ListView, UpdateView
+
+from passbook.admin.mixins import AdminRequiredMixin
+from passbook.core.models import PropertyMapping
+from passbook.lib.utils.reflection import path_to_class
+
+
+def all_subclasses(cls):
+    """Recursively return all subclassess of cls"""
+    return set(cls.__subclasses__()).union(
+        [s for c in cls.__subclasses__() for s in all_subclasses(c)])
+
+
+class PropertyMappingListView(AdminRequiredMixin, ListView):
+    """Show list of all property_mappings"""
+
+    model = PropertyMapping
+    template_name = 'administration/property_mapping/list.html'
+    ordering = 'name'
+
+    def get_context_data(self, **kwargs):
+        kwargs['types'] = {
+            x.__name__: x._meta.verbose_name for x in all_subclasses(PropertyMapping)}
+        return super().get_context_data(**kwargs)
+
+    def get_queryset(self):
+        return super().get_queryset().select_subclasses()
+
+
+class PropertyMappingCreateView(SuccessMessageMixin, AdminRequiredMixin, CreateView):
+    """Create new PropertyMapping"""
+
+    template_name = 'generic/create.html'
+    success_url = reverse_lazy('passbook_admin:property-mappings')
+    success_message = _('Successfully created Property Mapping')
+
+    def get_context_data(self, **kwargs):
+        kwargs = super().get_context_data(**kwargs)
+        property_mapping_type = self.request.GET.get('type')
+        model = next(x for x in all_subclasses(PropertyMapping)
+                     if x.__name__ == property_mapping_type)
+        kwargs['type'] = model._meta.verbose_name
+        return kwargs
+
+    def get_form_class(self):
+        property_mapping_type = self.request.GET.get('type')
+        model = next(x for x in all_subclasses(PropertyMapping)
+                     if x.__name__ == property_mapping_type)
+        if not model:
+            raise Http404
+        return path_to_class(model.form)
+
+
+class PropertyMappingUpdateView(SuccessMessageMixin, AdminRequiredMixin, UpdateView):
+    """Update property_mapping"""
+
+    model = PropertyMapping
+    template_name = 'generic/update.html'
+    success_url = reverse_lazy('passbook_admin:property-mappings')
+    success_message = _('Successfully updated Property Mapping')
+
+    def get_form_class(self):
+        form_class_path = self.get_object().form
+        form_class = path_to_class(form_class_path)
+        return form_class
+
+    def get_object(self, queryset=None):
+        return PropertyMapping.objects.filter(pk=self.kwargs.get('pk')).select_subclasses().first()
+
+
+class PropertyMappingDeleteView(SuccessMessageMixin, AdminRequiredMixin, DeleteView):
+    """Delete property_mapping"""
+
+    model = PropertyMapping
+    template_name = 'generic/delete.html'
+    success_url = reverse_lazy('passbook_admin:property-mappings')
+    success_message = _('Successfully deleted Property Mapping')
+
+    def get_object(self, queryset=None):
+        return PropertyMapping.objects.filter(pk=self.kwargs.get('pk')).select_subclasses().first()
+
+    def delete(self, request, *args, **kwargs):
+        messages.success(self.request, self.success_message)
+        return super().delete(request, *args, **kwargs)

passbook/admin/views/users.py

@@ -7,8 +7,8 @@ from django.utils.translation import ugettext as _
 from django.views import View
 from django.views.generic import DeleteView, ListView, UpdateView
 
+from passbook.admin.forms.users import UserForm
 from passbook.admin.mixins import AdminRequiredMixin
-from passbook.core.forms.users import UserDetailForm
 from passbook.core.models import Nonce, User
 
 
@@ -23,7 +23,7 @@ class UserUpdateView(SuccessMessageMixin, AdminRequiredMixin, UpdateView):
     """Update user"""
 
     model = User
-    form_class = UserDetailForm
+    form_class = UserForm
 
     template_name = 'generic/update.html'
     success_url = reverse_lazy('passbook_admin:users')

passbook/api/__init__.py

@@ -1,2 +1,2 @@
 """passbook api"""
-__version__ = '0.0.13-alpha'
+__version__ = '0.1.30-beta'

passbook/app_gw/__init__.py

@@ -0,0 +1,2 @@
+"""passbook Application Security Gateway Header"""
+__version__ = '0.1.30-beta'

passbook/app_gw/admin.py

@@ -0,0 +1,5 @@
+"""passbook Application Security Gateway model admin"""
+
+from passbook.lib.admin import admin_autoregister
+
+admin_autoregister('passbook_app_gw')

passbook/app_gw/apps.py

@@ -0,0 +1,16 @@
+"""passbook Application Security Gateway app"""
+from importlib import import_module
+
+from django.apps import AppConfig
+
+
+class PassbookApplicationApplicationGatewayConfig(AppConfig):
+    """passbook app_gw app"""
+
+    name = 'passbook.app_gw'
+    label = 'passbook_app_gw'
+    verbose_name = 'passbook Application Security Gateway'
+    mountpoint = 'app_gw/'
+
+    def ready(self):
+        import_module('passbook.app_gw.signals')

passbook/app_gw/forms.py

@@ -0,0 +1,66 @@
+"""passbook Application Security Gateway Forms"""
+from urllib.parse import urlparse
+
+from django import forms
+from django.contrib.admin.widgets import FilteredSelectMultiple
+from django.forms import ValidationError
+from django.utils.translation import gettext as _
+
+from passbook.app_gw.models import ApplicationGatewayProvider, RewriteRule
+from passbook.lib.fields import DynamicArrayField
+
+
+class ApplicationGatewayProviderForm(forms.ModelForm):
+    """Security Gateway Provider form"""
+
+    def clean_server_name(self):
+        """Check if server_name is in DB already, since
+        Postgres ArrayField doesn't suppport keys."""
+        current = self.cleaned_data.get('server_name')
+        if ApplicationGatewayProvider.objects \
+                .filter(server_name__overlap=current) \
+                .exclude(pk=self.instance.pk).exists():
+            raise ValidationError(_("Server Name already in use."))
+        return current
+
+    def clean_upstream(self):
+        """Check that upstream begins with http(s)"""
+        for upstream in self.cleaned_data.get('upstream'):
+            _parsed_url = urlparse(upstream)
+
+            if _parsed_url.scheme not in ('http', 'https'):
+                raise ValidationError(_("URL Scheme must be either http or https"))
+        return self.cleaned_data.get('upstream')
+
+    class Meta:
+
+        model = ApplicationGatewayProvider
+        fields = ['server_name', 'upstream', 'enabled', 'authentication_header',
+                  'default_content_type', 'upstream_ssl_verification', 'property_mappings']
+        widgets = {
+            'authentication_header': forms.TextInput(),
+            'default_content_type': forms.TextInput(),
+            'property_mappings': FilteredSelectMultiple(_('Property Mappings'), False)
+        }
+        field_classes = {
+            'server_name': DynamicArrayField,
+            'upstream': DynamicArrayField
+        }
+        labels = {
+            'upstream_ssl_verification': _('Verify upstream SSL Certificates?'),
+            'property_mappings': _('Rewrite Rules')
+        }
+
+class RewriteRuleForm(forms.ModelForm):
+    """Rewrite Rule Form"""
+
+    class Meta:
+
+        model = RewriteRule
+        fields = ['name', 'match', 'halt', 'replacement', 'redirect', 'conditions']
+        widgets = {
+            'name': forms.TextInput(),
+            'match': forms.TextInput(attrs={'data-is-monospace': True}),
+            'replacement': forms.TextInput(attrs={'data-is-monospace': True}),
+            'conditions': FilteredSelectMultiple(_('Conditions'), False)
+        }

passbook/app_gw/middleware.py

@@ -0,0 +1,238 @@
+"""passbook app_gw middleware"""
+import mimetypes
+from logging import getLogger
+from random import SystemRandom
+from urllib.parse import urlparse
+
+import certifi
+import urllib3
+from django.core.cache import cache
+from django.utils.http import urlencode
+from django.views.generic import RedirectView
+from revproxy.exceptions import InvalidUpstream
+
+from passbook.app_gw.models import ApplicationGatewayProvider
+from passbook.app_gw.proxy.response import get_django_response
+from passbook.app_gw.proxy.utils import encode_items, normalize_request_headers
+from passbook.app_gw.rewrite import Rewriter
+from passbook.core.models import Application
+from passbook.core.policies import PolicyEngine
+from passbook.lib.config import CONFIG
+
+SESSION_UPSTREAM_KEY = 'passbook_app_gw_upstream'
+IGNORED_HOSTNAMES_KEY = 'passbook_app_gw_ignored'
+LOGGER = getLogger(__name__)
+QUOTE_SAFE = r'<.;>\(}*+|~=-$/_:^@)[{]&\'!,"`'
+ERRORS_MESSAGES = {
+    'upstream-no-scheme': ("Upstream URL scheme must be either "
+                           "'http' or 'https' (%s).")
+}
+
+# pylint: disable=too-many-instance-attributes
+class ApplicationGatewayMiddleware:
+    """Check if request should be proxied or handeled normally"""
+
+    ignored_hosts = []
+    request = None
+    app_gw = None
+    http = None
+    http_no_verify = None
+    host_header = ''
+
+    _parsed_url = None
+    _request_headers = None
+
+    def __init__(self, get_response):
+        self.get_response = get_response
+        self.ignored_hosts = cache.get(IGNORED_HOSTNAMES_KEY, [])
+        self.http_no_verify = urllib3.PoolManager()
+        self.http = urllib3.PoolManager(
+            cert_reqs='CERT_REQUIRED',
+            ca_certs=certifi.where())
+
+    def precheck(self, request):
+        """Check if a request should be proxied or forwarded to passbook"""
+        # Check if hostname is in cached list of ignored hostnames
+        # This saves us having to query the database on each request
+        self.host_header = request.META.get('HTTP_HOST')
+        if self.host_header in self.ignored_hosts:
+            LOGGER.debug("%s is ignored", self.host_header)
+            return True, None
+        # Look through all ApplicationGatewayProviders and check hostnames
+        matches = ApplicationGatewayProvider.objects.filter(
+            server_name__contains=[self.host_header],
+            enabled=True)
+        if not matches.exists():
+            # Mo matching Providers found, add host header to ignored list
+            self.ignored_hosts.append(self.host_header)
+            cache.set(IGNORED_HOSTNAMES_KEY, self.ignored_hosts)
+            LOGGER.debug("Ignoring %s", self.host_header)
+            return True, None
+        # At this point we're certain there's a matching ApplicationGateway
+        if len(matches) > 1:
+            # This should never happen
+            raise ValueError
+        app_gw = matches.first()
+        try:
+            # Check if ApplicationGateway is associated with application
+            getattr(app_gw, 'application')
+            return False, app_gw
+        except Application.DoesNotExist:
+            LOGGER.debug("ApplicationGateway not associated with Application")
+            return True, None
+        return True, None
+
+    def __call__(self, request):
+        forward, self.app_gw = self.precheck(request)
+        if forward:
+            return self.get_response(request)
+        self.request = request
+        return self.dispatch(request)
+
+    def _get_upstream(self):
+        """Choose random upstream and save in session"""
+        if SESSION_UPSTREAM_KEY not in self.request.session:
+            self.request.session[SESSION_UPSTREAM_KEY] = {}
+        if self.app_gw.pk not in self.request.session[SESSION_UPSTREAM_KEY]:
+            upstream_index = SystemRandom().randrange(len(self.app_gw.upstream))
+            self.request.session[SESSION_UPSTREAM_KEY][self.app_gw.pk] = upstream_index
+        return self.app_gw.upstream[self.request.session[SESSION_UPSTREAM_KEY][self.app_gw.pk]]
+
+    def get_upstream(self):
+        """Get upstream as parsed url"""
+        upstream = self._get_upstream()
+
+        self._parsed_url = urlparse(upstream)
+
+        if self._parsed_url.scheme not in ('http', 'https'):
+            raise InvalidUpstream(ERRORS_MESSAGES['upstream-no-scheme'] %
+                                  upstream)
+
+        return upstream
+
+    def _format_path_to_redirect(self, request):
+        LOGGER.debug("Path before: %s", request.get_full_path())
+        rewriter = Rewriter(self.app_gw, request)
+        after = rewriter.build()
+        LOGGER.debug("Path after: %s", after)
+        return after
+
+    def get_proxy_request_headers(self, request):
+        """Get normalized headers for the upstream
+        Gets all headers from the original request and normalizes them.
+        Normalization occurs by removing the prefix ``HTTP_`` and
+        replacing and ``_`` by ``-``. Example: ``HTTP_ACCEPT_ENCODING``
+        becames ``Accept-Encoding``.
+        .. versionadded:: 0.9.1
+        :param request:  The original HTTPRequest instance
+        :returns:  Normalized headers for the upstream
+        """
+        return normalize_request_headers(request)
+
+    def get_request_headers(self):
+        """Return request headers that will be sent to upstream.
+        The header REMOTE_USER is set to the current user
+        if AuthenticationMiddleware is enabled and
+        the view's add_remote_user property is True.
+        .. versionadded:: 0.9.8
+        """
+        request_headers = self.get_proxy_request_headers(self.request)
+        request_headers[self.app_gw.authentication_header] = self.request.user.get_username()
+        LOGGER.info("%s set", self.app_gw.authentication_header)
+
+        return request_headers
+
+    def check_permission(self):
+        """Check if user is authenticated and has permission to access app"""
+        if not hasattr(self.request, 'user'):
+            return False
+        if not self.request.user.is_authenticated:
+            return False
+        policy_engine = PolicyEngine(self.app_gw.application.policies.all())
+        policy_engine.for_user(self.request.user).with_request(self.request).build()
+        passing, _messages = policy_engine.result
+
+        return passing
+
+    def get_encoded_query_params(self):
+        """Return encoded query params to be used in proxied request"""
+        get_data = encode_items(self.request.GET.lists())
+        return urlencode(get_data)
+
+    def _created_proxy_response(self, request, path):
+        request_payload = request.body
+
+        LOGGER.debug("Request headers: %s", self._request_headers)
+
+        request_url = self.get_upstream() + path
+        LOGGER.debug("Request URL: %s", request_url)
+
+        if request.GET:
+            request_url += '?' + self.get_encoded_query_params()
+            LOGGER.debug("Request URL: %s", request_url)
+
+        http = self.http
+        if not self.app_gw.upstream_ssl_verification:
+            http = self.http_no_verify
+
+        try:
+            proxy_response = http.urlopen(request.method,
+                                          request_url,
+                                          redirect=False,
+                                          retries=None,
+                                          headers=self._request_headers,
+                                          body=request_payload,
+                                          decode_content=False,
+                                          preload_content=False)
+            LOGGER.debug("Proxy response header: %s",
+                         proxy_response.getheaders())
+        except urllib3.exceptions.HTTPError as error:
+            LOGGER.exception(error)
+            raise
+
+        return proxy_response
+
+    def _replace_host_on_redirect_location(self, request, proxy_response):
+        location = proxy_response.headers.get('Location')
+        if location:
+            if request.is_secure():
+                scheme = 'https://'
+            else:
+                scheme = 'http://'
+            request_host = scheme + self.host_header
+
+            upstream_host_http = 'http://' + self._parsed_url.netloc
+            upstream_host_https = 'https://' + self._parsed_url.netloc
+
+            location = location.replace(upstream_host_http, request_host)
+            location = location.replace(upstream_host_https, request_host)
+            proxy_response.headers['Location'] = location
+            LOGGER.debug("Proxy response LOCATION: %s",
+                         proxy_response.headers['Location'])
+
+    def _set_content_type(self, request, proxy_response):
+        content_type = proxy_response.headers.get('Content-Type')
+        if not content_type:
+            content_type = (mimetypes.guess_type(request.path)[0] or
+                            self.app_gw.default_content_type)
+            proxy_response.headers['Content-Type'] = content_type
+            LOGGER.debug("Proxy response CONTENT-TYPE: %s",
+                         proxy_response.headers['Content-Type'])
+
+    def dispatch(self, request):
+        """Build proxied request and pass to upstream"""
+        if not self.check_permission():
+            to_url = 'https://%s/?next=%s' % (CONFIG.get('domains')[0], request.get_full_path())
+            return RedirectView.as_view(url=to_url)(request)
+
+        self._request_headers = self.get_request_headers()
+
+        path = self._format_path_to_redirect(request)
+        proxy_response = self._created_proxy_response(request, path)
+
+        self._replace_host_on_redirect_location(request, proxy_response)
+        self._set_content_type(request, proxy_response)
+        response = get_django_response(proxy_response, strict_cookies=False)
+
+        LOGGER.debug("RESPONSE RETURNED: %s", response)
+        return response

passbook/app_gw/migrations/0001_initial.py

@@ -0,0 +1,50 @@
+# Generated by Django 2.1.7 on 2019-03-20 21:38
+
+import django.contrib.postgres.fields
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+        ('passbook_core', '0020_groupmembershippolicy'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='ApplicationGatewayProvider',
+            fields=[
+                ('provider_ptr', models.OneToOneField(auto_created=True, on_delete=django.db.models.deletion.CASCADE, parent_link=True, primary_key=True, serialize=False, to='passbook_core.Provider')),
+                ('server_name', django.contrib.postgres.fields.ArrayField(base_field=models.TextField(), size=None)),
+                ('upstream', django.contrib.postgres.fields.ArrayField(base_field=models.TextField(), size=None)),
+                ('enabled', models.BooleanField(default=True)),
+                ('authentication_header', models.TextField(default='X-Remote-User')),
+                ('default_content_type', models.TextField(default='application/octet-stream')),
+                ('upstream_ssl_verification', models.BooleanField(default=True)),
+            ],
+            options={
+                'verbose_name': 'Application Gateway Provider',
+                'verbose_name_plural': 'Application Gateway Providers',
+            },
+            bases=('passbook_core.provider',),
+        ),
+        migrations.CreateModel(
+            name='RewriteRule',
+            fields=[
+                ('propertymapping_ptr', models.OneToOneField(auto_created=True, on_delete=django.db.models.deletion.CASCADE, parent_link=True, primary_key=True, serialize=False, to='passbook_core.PropertyMapping')),
+                ('match', models.TextField()),
+                ('halt', models.BooleanField(default=False)),
+                ('replacement', models.TextField()),
+                ('redirect', models.CharField(choices=[('internal', 'Internal'), (301, 'Moved Permanently'), (302, 'Found')], max_length=50)),
+                ('conditions', models.ManyToManyField(to='passbook_core.Policy')),
+            ],
+            options={
+                'verbose_name': 'Rewrite Rule',
+                'verbose_name_plural': 'Rewrite Rules',
+            },
+            bases=('passbook_core.propertymapping',),
+        ),
+    ]

passbook/app_gw/migrations/0002_auto_20190321_1521.py

@@ -0,0 +1,18 @@
+# Generated by Django 2.1.7 on 2019-03-21 15:21
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('passbook_app_gw', '0001_initial'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='rewriterule',
+            name='conditions',
+            field=models.ManyToManyField(blank=True, to='passbook_core.Policy'),
+        ),
+    ]

passbook/app_gw/models.py

@@ -0,0 +1,74 @@
+"""passbook app_gw models"""
+import re
+
+from django.contrib.postgres.fields import ArrayField
+from django.db import models
+from django.utils.translation import gettext as _
+
+from passbook.core.models import Policy, PropertyMapping, Provider
+
+
+class ApplicationGatewayProvider(Provider):
+    """Virtual server which proxies requests to any hostname in server_name to upstream"""
+
+    server_name = ArrayField(models.TextField())
+    upstream = ArrayField(models.TextField())
+    enabled = models.BooleanField(default=True)
+
+    authentication_header = models.TextField(default='X-Remote-User')
+    default_content_type = models.TextField(default='application/octet-stream')
+    upstream_ssl_verification = models.BooleanField(default=True)
+
+    form = 'passbook.app_gw.forms.ApplicationGatewayProviderForm'
+
+    @property
+    def name(self):
+        """since this model has no name property, return a joined list of server_names as name"""
+        return ', '.join(self.server_name)
+
+    def __str__(self):
+        return "Application Gateway %s" % ', '.join(self.server_name)
+
+    class Meta:
+
+        verbose_name = _('Application Gateway Provider')
+        verbose_name_plural = _('Application Gateway Providers')
+
+
+class RewriteRule(PropertyMapping):
+    """Rewrite requests matching `match` with `replacement`, if all polcies in `conditions` apply"""
+
+    REDIRECT_INTERNAL = 'internal'
+    REDIRECT_PERMANENT = 301
+    REDIRECT_FOUND = 302
+
+    REDIRECTS = (
+        (REDIRECT_INTERNAL, _('Internal')),
+        (REDIRECT_PERMANENT, _('Moved Permanently')),
+        (REDIRECT_FOUND, _('Found')),
+    )
+
+    match = models.TextField()
+    halt = models.BooleanField(default=False)
+    conditions = models.ManyToManyField(Policy, blank=True)
+    replacement = models.TextField() # python formatted strings, use {match.1}
+    redirect = models.CharField(max_length=50, choices=REDIRECTS)
+
+    form = 'passbook.app_gw.forms.RewriteRuleForm'
+
+    _matcher = None
+
+    @property
+    def compiled_matcher(self):
+        """Cache the compiled regex in memory"""
+        if not self._matcher:
+            self._matcher = re.compile(self.match)
+        return self._matcher
+
+    def __str__(self):
+        return "Rewrite Rule %s" % self.name
+
+    class Meta:
+
+        verbose_name = _('Rewrite Rule')
+        verbose_name_plural = _('Rewrite Rules')

passbook/app_gw/proxy/exceptions.py

@@ -0,0 +1,8 @@
+"""Exception classes"""
+
+class ReverseProxyException(Exception):
+    """Base for revproxy exception"""
+
+
+class InvalidUpstream(ReverseProxyException):
+    """Invalid upstream set"""

passbook/app_gw/proxy/response.py

@@ -0,0 +1,63 @@
+"""response functions from django-revproxy"""
+import logging
+
+from django.http import HttpResponse, StreamingHttpResponse
+
+from passbook.app_gw.proxy.utils import (cookie_from_string,
+                                         set_response_headers, should_stream)
+
+#: Default number of bytes that are going to be read in a file lecture
+DEFAULT_AMT = 2 ** 16
+
+logger = logging.getLogger('revproxy.response')
+
+
+def get_django_response(proxy_response, strict_cookies=False):
+    """This method is used to create an appropriate response based on the
+    Content-Length of the proxy_response. If the content is bigger than
+    MIN_STREAMING_LENGTH, which is found on utils.py,
+    than django.http.StreamingHttpResponse will be created,
+    else a django.http.HTTPResponse will be created instead
+
+    :param proxy_response: An Instance of urllib3.response.HTTPResponse that
+                           will create an appropriate response
+    :param strict_cookies: Whether to only accept RFC-compliant cookies
+    :returns: Returns an appropriate response based on the proxy_response
+              content-length
+    """
+    status = proxy_response.status
+    headers = proxy_response.headers
+
+    logger.debug('Proxy response headers: %s', headers)
+
+    content_type = headers.get('Content-Type')
+
+    logger.debug('Content-Type: %s', content_type)
+
+    if should_stream(proxy_response):
+        logger.info('Content-Length is bigger than %s', DEFAULT_AMT)
+        response = StreamingHttpResponse(proxy_response.stream(DEFAULT_AMT),
+                                         status=status,
+                                         content_type=content_type)
+    else:
+        content = proxy_response.data or b''
+        response = HttpResponse(content, status=status,
+                                content_type=content_type)
+
+    logger.info('Normalizing response headers')
+    set_response_headers(response, headers)
+
+    logger.debug('Response headers: %s', getattr(response, '_headers'))
+
+    cookies = proxy_response.headers.getlist('set-cookie')
+    logger.info('Checking for invalid cookies')
+    for cookie_string in cookies:
+        cookie_dict = cookie_from_string(cookie_string,
+                                         strict_cookies=strict_cookies)
+        # if cookie is invalid cookie_dict will be None
+        if cookie_dict:
+            response.set_cookie(**cookie_dict)
+
+    logger.debug('Response cookies: %s', response.cookies)
+
+    return response

passbook/app_gw/proxy/utils.py

@@ -0,0 +1,227 @@
+"""Utils from django-revproxy, slightly adjusted"""
+import logging
+import re
+from wsgiref.util import is_hop_by_hop
+
+try:
+    from http.cookies import SimpleCookie
+    COOKIE_PREFIX = ''
+except ImportError:
+    from Cookie import SimpleCookie
+    COOKIE_PREFIX = 'Set-Cookie: '
+
+
+#: List containing string constant that are used to represent headers that can
+#: be ignored in the required_header function
+IGNORE_HEADERS = (
+    'HTTP_ACCEPT_ENCODING',  # We want content to be uncompressed so
+                             # we remove the Accept-Encoding from
+                             # original request
+    'HTTP_HOST',
+    'HTTP_REMOTE_USER',
+)
+
+
+# Default from HTTP RFC 2616
+#   See: http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.7.1
+#: Variable that represent the default charset used
+DEFAULT_CHARSET = 'latin-1'
+
+#: List containing string constants that represents possible html content type
+HTML_CONTENT_TYPES = (
+    'text/html',
+    'application/xhtml+xml'
+)
+
+#: Variable used to represent a minimal content size required for response
+#: to be turned into stream
+MIN_STREAMING_LENGTH = 4 * 1024  # 4KB
+
+#: Regex used to find charset in a html content type
+_get_charset_re = re.compile(r';\s*charset=(?P<charset>[^\s;]+)', re.I)
+
+
+def is_html_content_type(content_type):
+    """Function used to verify if the parameter is a proper html content type
+
+    :param content_type: String variable that represent a content-type
+    :returns:  A boolean value stating if the content_type is a valid html
+               content type
+    """
+    for html_content_type in HTML_CONTENT_TYPES:
+        if content_type.startswith(html_content_type):
+            return True
+
+    return False
+
+
+def should_stream(proxy_response):
+    """Function to verify if the proxy_response must be converted into
+    a stream.This will be done by checking the proxy_response content-length
+    and verify if its length is bigger than one stipulated
+    by MIN_STREAMING_LENGTH.
+
+    :param proxy_response: An Instance of urllib3.response.HTTPResponse
+    :returns: A boolean stating if the proxy_response should
+              be treated as a stream
+    """
+    content_type = proxy_response.headers.get('Content-Type')
+
+    if is_html_content_type(content_type):
+        return False
+
+    try:
+        content_length = int(proxy_response.headers.get('Content-Length', 0))
+    except ValueError:
+        content_length = 0
+
+    if not content_length or content_length > MIN_STREAMING_LENGTH:
+        return True
+
+    return False
+
+
+def get_charset(content_type):
+    """Function used to retrieve the charset from a content-type.If there is no
+    charset in the content type then the charset defined on DEFAULT_CHARSET
+    will be returned
+
+    :param  content_type:   A string containing a Content-Type header
+    :returns:               A string containing the charset
+    """
+    if not content_type:
+        return DEFAULT_CHARSET
+
+    matched = _get_charset_re.search(content_type)
+    if matched:
+        # Extract the charset and strip its double quotes
+        return matched.group('charset').replace('"', '')
+    return DEFAULT_CHARSET
+
+
+def required_header(header):
+    """Function that verify if the header parameter is a essential header
+
+    :param header:  A string represented a header
+    :returns:       A boolean value that represent if the header is required
+    """
+    if header in IGNORE_HEADERS:
+        return False
+
+    if header.startswith('HTTP_') or header == 'CONTENT_TYPE':
+        return True
+
+    return False
+
+
+def set_response_headers(response, response_headers):
+    """Set response's header"""
+    for header, value in response_headers.items():
+        if is_hop_by_hop(header) or header.lower() == 'set-cookie':
+            continue
+
+        response[header.title()] = value
+
+    logger.debug('Response headers: %s', getattr(response, '_headers'))
+
+
+def normalize_request_headers(request):
+    """Function used to transform header, replacing 'HTTP\\_' to ''
+    and replace '_' to '-'
+
+    :param request:  A HttpRequest that will be transformed
+    :returns:        A dictionary with the normalized headers
+    """
+    norm_headers = {}
+    for header, value in request.META.items():
+        if required_header(header):
+            norm_header = header.replace('HTTP_', '').title().replace('_', '-')
+            norm_headers[norm_header] = value
+
+    return norm_headers
+
+
+def encode_items(items):
+    """Function that encode all elements in the list of items passed as
+    a parameter
+
+    :param items:  A list of tuple
+    :returns:      A list of tuple with all items encoded in 'utf-8'
+    """
+    encoded = []
+    for key, values in items:
+        for value in values:
+            encoded.append((key.encode('utf-8'), value.encode('utf-8')))
+    return encoded
+
+
+logger = logging.getLogger('revproxy.cookies')
+
+
+def cookie_from_string(cookie_string, strict_cookies=False):
+    """Parser for HTTP header set-cookie
+    The return from this function will be used as parameters for
+    django's response.set_cookie method. Because set_cookie doesn't
+    have parameter comment, this cookie attribute will be ignored.
+
+    :param  cookie_string: A string representing a valid cookie
+    :param  strict_cookies: Whether to only accept RFC-compliant cookies
+    :returns: A dictionary containing the cookie_string attributes
+    """
+
+    if strict_cookies:
+
+        cookies = SimpleCookie(COOKIE_PREFIX + cookie_string)
+        if not cookies.keys():
+            return None
+        cookie_name, = cookies.keys()
+        cookie_dict = {k: v for k, v in cookies[cookie_name].items()
+                       if v and k != 'comment'}
+        cookie_dict['key'] = cookie_name
+        cookie_dict['value'] = cookies[cookie_name].value
+        return cookie_dict
+    valid_attrs = ('path', 'domain', 'comment', 'expires',
+                   'max_age', 'httponly', 'secure')
+
+    cookie_dict = {}
+
+    cookie_parts = cookie_string.split(';')
+    try:
+        cookie_dict['key'], cookie_dict['value'] = \
+            cookie_parts[0].split('=', 1)
+        cookie_dict['value'] = cookie_dict['value'].replace('"', '')
+        # print('aaaaaaaaaaaaaaaaaaaaaaaaaaaa')
+        # print(cookie_parts[0].split('=', 1))
+    except ValueError:
+        logger.warning('Invalid cookie: `%s`', cookie_string)
+        return None
+
+    if cookie_dict['value'].startswith('='):
+        logger.warning('Invalid cookie: `%s`', cookie_string)
+        return None
+
+    for part in cookie_parts[1:]:
+        if '=' in part:
+            attr, value = part.split('=', 1)
+            value = value.strip()
+        else:
+            attr = part
+            value = ''
+
+        attr = attr.strip().lower()
+        if not attr:
+            continue
+
+        if attr in valid_attrs:
+            if attr in ('httponly', 'secure'):
+                cookie_dict[attr] = True
+            elif attr in 'comment':
+                # ignoring comment attr as explained in the
+                # function docstring
+                continue
+            else:
+                cookie_dict[attr] = value
+        else:
+            logger.warning('Unknown cookie attribute %s', attr)
+
+        return cookie_dict

passbook/app_gw/requirements.txt

@@ -0,0 +1,7 @@
+django-revproxy
+urllib3[secure]
+channels
+service_identity
+websocket-client
+daphne<2.3.0
+asgiref~=2.3

passbook/app_gw/rewrite.py

@@ -0,0 +1,38 @@
+"""passbook app_gw rewriter"""
+
+from passbook.app_gw.models import RewriteRule
+
+
+class Context:
+    """Empty class which we dynamically add attributes to"""
+
+class Rewriter:
+    """Apply rewrites"""
+
+    __application = None
+    __request = None
+
+    def __init__(self, application, request):
+        self.__application = application
+        self.__request = request
+
+    def __build_context(self, matches):
+        """Build object with .0, .1, etc as groups and give access to request"""
+        context = Context()
+        for index, group_match in enumerate(matches.groups()):
+            setattr(context, "g%d" % (index + 1), group_match)
+        setattr(context, 'request', self.__request)
+        return context
+
+    def build(self):
+        """Run all rules over path and return final path"""
+        path = self.__request.get_full_path()
+        for rule in RewriteRule.objects.filter(provider__in=[self.__application]):
+            matches = rule.compiled_matcher.search(path)
+            if not matches:
+                continue
+            replace_context = self.__build_context(matches)
+            path = rule.replacement.format(context=replace_context)
+            if rule.halt:
+                return path
+        return path

passbook/app_gw/settings.py

@@ -0,0 +1,5 @@
+"""Application Security Gateway settings"""
+INSTALLED_APPS = [
+    'channels'
+]
+ASGI_APPLICATION = "passbook.app_gw.websocket.routing.application"