Compare commits
65 Commits
version/0.
...
version/0.
| Author | SHA1 | Date | |
|---|---|---|---|
| a5dc193cfd | |||
| 7507ad2620 | |||
| f1291fec8d | |||
| 37aeeea239 | |||
| 0fa1fc86da | |||
| c3034ab9ac | |||
| 76694e037a | |||
| 787db41cc3 | |||
| 74da3df7cd | |||
| a6e435bd70 | |||
| c313b496aa | |||
| a7eaa74191 | |||
| 11ecdc4fcf | |||
| 2f7781b67a | |||
| 296d4f691a | |||
| 64033031b1 | |||
| 9daff7608d | |||
| 0a4af80b9b | |||
| a54adb05c4 | |||
| 43a389e596 | |||
| cf11f6b121 | |||
| 6dcdf7bcce | |||
| 56d872af15 | |||
| ca663d16fc | |||
| e05c18b19b | |||
| a7b86e46bc | |||
| 84f56674c2 | |||
| 02ab177c6d | |||
| 1232c487e9 | |||
| ef0a2bfbe8 | |||
| 05242a11ad | |||
| 4593ad7bcc | |||
| d7fd5a7fa6 | |||
| 4439378fd4 | |||
| acf65eafdd | |||
| c2ebff55ef | |||
| 99c82676b6 | |||
| 4991e9b825 | |||
| 612f95c3ba | |||
| cd91d5ca15 | |||
| cbbbb5dc08 | |||
| c1640b9411 | |||
| a4842c1f95 | |||
| a4707ddc54 | |||
| fb82d56307 | |||
| 1a1005f80d | |||
| e86cae6cac | |||
| 0b282f45e0 | |||
| 791e88ffc1 | |||
| 7bd3c4bccf | |||
| 722e2e4050 | |||
| c7fc444c95 | |||
| 20ad062814 | |||
| fcb5d36e07 | |||
| 9b131b619f | |||
| 54427f7c68 | |||
| 35eef9c28d | |||
| e88a82553d | |||
| 01a9520140 | |||
| 46667615c3 | |||
| c6721a83a4 | |||
| 46866e8ef0 | |||
| 4a49681127 | |||
| 4c3fced4e9 | |||
| 172347d90f |
@ -1,5 +1,5 @@
|
||||
[bumpversion]
|
||||
current_version = 0.0.13-alpha
|
||||
current_version = 0.1.9-beta
|
||||
tag = True
|
||||
commit = True
|
||||
parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\-(?P<release>.*)
|
||||
@ -9,6 +9,7 @@ tag_name = version/{new_version}
|
||||
|
||||
[bumpversion:part:release]
|
||||
optional_value = stable
|
||||
first_value = beta
|
||||
values =
|
||||
alpha
|
||||
beta
|
||||
@ -36,6 +37,10 @@ values =
|
||||
|
||||
[bumpversion:file:passbook/lib/__init__.py]
|
||||
|
||||
[bumpversion:file:passbook/hibp_policy/__init__.py]
|
||||
|
||||
[bumpversion:file:passbook/password_expiry_policy/__init__.py]
|
||||
|
||||
[bumpversion:file:passbook/saml_idp/__init__.py]
|
||||
|
||||
[bumpversion:file:passbook/audit/__init__.py]
|
||||
|
||||
@ -53,7 +53,7 @@ package-docker:
|
||||
before_script:
|
||||
- echo "{\"auths\":{\"docker.$NEXUS_URL\":{\"auth\":\"$NEXUS_AUTH\"}}}" > /kaniko/.docker/config.json
|
||||
script:
|
||||
- /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination docker.pkg.beryju.org/passbook:latest --destination docker.pkg.beryju.org/passbook:0.0.13-alpha
|
||||
- /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination docker.pkg.beryju.org/passbook:latest --destination docker.pkg.beryju.org/passbook:0.1.9-beta
|
||||
stage: build
|
||||
only:
|
||||
- tags
|
||||
@ -68,54 +68,30 @@ package-helm:
|
||||
only:
|
||||
- tags
|
||||
- /^version/.*$/
|
||||
# package-3.5:
|
||||
# before_script:
|
||||
# - apt update
|
||||
# - apt install -y build-essential debhelper devscripts equivs python3 python3-pip
|
||||
# - cp debian/control-3.5 debian/control
|
||||
# - mk-build-deps debian/control
|
||||
# - apt install ./*build-deps*deb -f -y
|
||||
# - "python3 -m pip install -U virtualenv"
|
||||
# - "virtualenv env"
|
||||
# - "source env/bin/activate"
|
||||
# - "pip3 install -U -r requirements.txt -r requirements-dev.txt"
|
||||
# image: debian
|
||||
# script:
|
||||
# - debuild -us -uc
|
||||
# - cp ../passbook*.deb .
|
||||
# - python manage.py nexus_upload
|
||||
# artifacts:
|
||||
# paths:
|
||||
# - passbook-python3.5*deb
|
||||
# expire_in: 2 days
|
||||
# stage: build
|
||||
# only:
|
||||
# - tags
|
||||
# - /^debian/.*$/
|
||||
# package-3.6:
|
||||
# before_script:
|
||||
# - apt update
|
||||
# - apt install -y build-essential debhelper devscripts equivs python3 python3-pip
|
||||
# - cp debian/control-3.6 debian/control
|
||||
# - mk-build-deps debian/control
|
||||
# - apt install ./*build-deps*deb -f -y
|
||||
# - "python3 -m pip install -U virtualenv"
|
||||
# - "virtualenv env"
|
||||
# - "source env/bin/activate"
|
||||
# - "pip3 install -U -r requirements.txt -r requirements-dev.txt"
|
||||
# image: debian:buster
|
||||
# script:
|
||||
# - debuild -us -uc
|
||||
# - cp ../passbook*.deb .
|
||||
# - python manage.py nexus_upload
|
||||
# artifacts:
|
||||
# paths:
|
||||
# - passbook-python3.6*deb
|
||||
# expire_in: 2 days
|
||||
# stage: build
|
||||
# only:
|
||||
# - tags
|
||||
# - /^debian/.*$r
|
||||
package-debian:
|
||||
before_script:
|
||||
- apt update
|
||||
- apt install -y --no-install-recommends build-essential debhelper devscripts equivs python3 python3-dev python3-pip libsasl2-dev libldap2-dev
|
||||
- mk-build-deps debian/control
|
||||
- apt install ./*build-deps*deb -f -y
|
||||
- python3 -m pip install -U virtualenv pip
|
||||
- virtualenv env
|
||||
- source env/bin/activate
|
||||
- pip3 install -U -r requirements.txt -r requirements-dev.txt
|
||||
- ./manage.py collectstatic --no-input
|
||||
image: ubuntu:18.04
|
||||
script:
|
||||
- debuild -us -uc
|
||||
- cp ../passbook*.deb .
|
||||
- ./manage.py nexus_upload --method post --url $NEXUS_URL --auth $NEXUS_AUTH --repo apt passbook*deb
|
||||
artifacts:
|
||||
paths:
|
||||
- passbook*deb
|
||||
expire_in: 2 days
|
||||
stage: build
|
||||
only:
|
||||
- tags
|
||||
- /^version/.*$/
|
||||
|
||||
# docs:
|
||||
# stage: docs
|
||||
|
||||
14
Dockerfile
14
Dockerfile
@ -6,10 +6,13 @@ COPY ./requirements.txt /app/
|
||||
|
||||
WORKDIR /app/
|
||||
|
||||
RUN mkdir /app/static/ && \
|
||||
RUN apt-get update && apt-get install build-essential libssl-dev libffi-dev -y && \
|
||||
mkdir /app/static/ && \
|
||||
pip install -r requirements.txt && \
|
||||
pip install psycopg2 && \
|
||||
./manage.py collectstatic --no-input
|
||||
./manage.py collectstatic --no-input && \
|
||||
apt-get remove --purge -y build-essential && \
|
||||
apt-get autoremove --purge -y
|
||||
|
||||
FROM python:3.6-slim-stretch
|
||||
|
||||
@ -20,9 +23,12 @@ COPY --from=build /app/static /app/static/
|
||||
|
||||
WORKDIR /app/
|
||||
|
||||
RUN pip install -r requirements.txt && \
|
||||
RUN apt-get update && apt-get install build-essential libssl-dev libffi-dev -y && \
|
||||
pip install -r requirements.txt && \
|
||||
pip install psycopg2 && \
|
||||
adduser --system --home /app/ passbook && \
|
||||
chown -R passbook /app/
|
||||
chown -R passbook /app/ && \
|
||||
apt-get remove --purge -y build-essential && \
|
||||
apt-get autoremove --purge -y
|
||||
|
||||
USER passbook
|
||||
|
||||
25
debian/changelog
vendored
Normal file
25
debian/changelog
vendored
Normal file
@ -0,0 +1,25 @@
|
||||
passbook (0.1.7) stable; urgency=medium
|
||||
|
||||
* bump version: 0.1.3-beta -> 0.1.4-beta
|
||||
* implicitly add kubernetes-healthcheck-host in helm configmap
|
||||
* fix debian build (again)
|
||||
* add PropertyMapping Model, add Subclass for SAML, test with AWS
|
||||
* add custom DynamicArrayField to better handle arrays
|
||||
* format data before inserting it
|
||||
* bump version: 0.1.4-beta -> 0.1.5-beta
|
||||
* fix static files missing for debian package
|
||||
* fix password not getting set on user import
|
||||
* remove audit's login attempt
|
||||
* add passing property to PolicyEngine
|
||||
* fix captcha factor not loading keys from Factor class
|
||||
* bump version: 0.1.5-beta -> 0.1.6-beta
|
||||
* fix MATCH_EXACT not working as intended
|
||||
* Improve access control for saml
|
||||
|
||||
-- Jens Langhammer <jens.langhammer@beryju.org> Fri, 08 Mar 2019 20:37:05 +0000
|
||||
|
||||
passbook (0.1.4) stable; urgency=medium
|
||||
|
||||
* initial debian package release
|
||||
|
||||
-- Jens Langhammer <jens.langhammer@beryju.org> Wed, 06 Mar 2019 18:22:41 +0000
|
||||
1
debian/compat
vendored
Normal file
1
debian/compat
vendored
Normal file
@ -0,0 +1 @@
|
||||
10
|
||||
20
debian/config
vendored
Normal file
20
debian/config
vendored
Normal file
@ -0,0 +1,20 @@
|
||||
#!/bin/sh
|
||||
# config maintainer script for passbook
|
||||
set -e
|
||||
|
||||
# source debconf stuff
|
||||
. /usr/share/debconf/confmodule
|
||||
|
||||
dbc_first_version=1.0.0
|
||||
dbc_dbuser=passbook
|
||||
dbc_dbname=passbook
|
||||
|
||||
# source dbconfig-common shell library, and call the hook function
|
||||
if [ -f /usr/share/dbconfig-common/dpkg/config.pgsql ]; then
|
||||
. /usr/share/dbconfig-common/dpkg/config.pgsql
|
||||
dbc_go passbook "$@"
|
||||
fi
|
||||
|
||||
#DEBHELPER#
|
||||
|
||||
exit 0
|
||||
14
debian/control
vendored
Normal file
14
debian/control
vendored
Normal file
@ -0,0 +1,14 @@
|
||||
Source: passbook
|
||||
Section: admin
|
||||
Priority: optional
|
||||
Maintainer: BeryJu.org <support@beryju.org>
|
||||
Uploaders: Jens Langhammer <jens@beryju.org>, BeryJu.org <support@beryju.org>
|
||||
Build-Depends: debhelper (>= 10), dh-systemd (>= 1.5), dh-exec, wget, dh-exec, python3 (>= 3.5) | python3.6 | python3.7
|
||||
Standards-Version: 3.9.6
|
||||
|
||||
Package: passbook
|
||||
Architecture: all
|
||||
Recommends: mysql-server, redis-server
|
||||
Pre-Depends: adduser, libldap2-dev, libsasl2-dev
|
||||
Depends: python3 (>= 3.5) | python3.6 | python3.7, python3-pip, dbconfig-pgsql | dbconfig-no-thanks, ${misc:Depends}
|
||||
Description: Authentication Provider/Proxy supporting protocols like SAML, OAuth, LDAP and more.
|
||||
22
debian/copyright
vendored
Normal file
22
debian/copyright
vendored
Normal file
@ -0,0 +1,22 @@
|
||||
MIT License
|
||||
|
||||
Copyright (c) 2019 BeryJu.org
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
of this software and associated documentation files (the "Software"), to deal
|
||||
in the Software without restriction, including without limitation the rights
|
||||
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
copies of the Software, and to permit persons to whom the Software is
|
||||
furnished to do so, subject to the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be included in all
|
||||
copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
||||
SOFTWARE.
|
||||
|
||||
4
debian/dirs
vendored
Normal file
4
debian/dirs
vendored
Normal file
@ -0,0 +1,4 @@
|
||||
etc/passbook/
|
||||
etc/passbook/config.d/
|
||||
var/log/passbook/
|
||||
usr/share/passbook/
|
||||
44
debian/etc/passbook/config.yml
vendored
Normal file
44
debian/etc/passbook/config.yml
vendored
Normal file
@ -0,0 +1,44 @@
|
||||
debug: false
|
||||
http:
|
||||
host: 0.0.0.0
|
||||
port: 8000
|
||||
secret_key_file: /etc/passbook/secret_key
|
||||
log:
|
||||
level:
|
||||
console: INFO
|
||||
file: DEBUG
|
||||
file: /var/log/passbook/passbook.log
|
||||
# Error reporting, disabled by default
|
||||
# error_report_enabled: true
|
||||
|
||||
# Set this to the server's external address.
|
||||
# This is used to generate external URLs
|
||||
external_url: http://image.example.com
|
||||
|
||||
# This dictates how the Path is generated
|
||||
# can be either of:
|
||||
# - view_sha512_short
|
||||
# - view_md5
|
||||
# - view_sha256
|
||||
# - view_sha512
|
||||
default_return_view: view_sha256
|
||||
|
||||
# Set this to true if you only want to use external authentication
|
||||
external_auth_only: false
|
||||
|
||||
# If this is true, images are automatically claimed if the windows user exists
|
||||
# in django
|
||||
auto_claim_enabled: true
|
||||
|
||||
# LDAP Authentication
|
||||
# ldap:
|
||||
# enabled: false
|
||||
# server:
|
||||
# uri: 'ldap://dc1.example.com'
|
||||
# tls: false
|
||||
# bind:
|
||||
# dn: ''
|
||||
# password: ''
|
||||
# search_base: ''
|
||||
# filter: '(sAMAccountName=%(user)s)'
|
||||
# require_group: ''
|
||||
2
debian/gbp.conf
vendored
Normal file
2
debian/gbp.conf
vendored
Normal file
@ -0,0 +1,2 @@
|
||||
[buildpackage]
|
||||
export-dir=../build-area
|
||||
8
debian/install
vendored
Normal file
8
debian/install
vendored
Normal file
@ -0,0 +1,8 @@
|
||||
passbook /usr/share/passbook/
|
||||
static /usr/share/passbook/
|
||||
manage.py /usr/share/passbook/
|
||||
passbook.sh /usr/share/passbook/
|
||||
vendor /usr/share/passbook/
|
||||
|
||||
debian/etc/passbook /etc/
|
||||
debian/templates/database.yml /usr/share/passbook/
|
||||
0
debian/links
vendored
Normal file
0
debian/links
vendored
Normal file
14
debian/passbook-worker.service
vendored
Normal file
14
debian/passbook-worker.service
vendored
Normal file
@ -0,0 +1,14 @@
|
||||
[Unit]
|
||||
Description=passbook - Authentication Provider/Proxy (Background worker)
|
||||
After=network.target
|
||||
Requires=network.target
|
||||
|
||||
[Service]
|
||||
User=passbook
|
||||
Group=passbook
|
||||
WorkingDirectory=/usr/share/passbook
|
||||
Type=simple
|
||||
ExecStart=/usr/share/passbook/passbook.sh worker
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
14
debian/passbook.service
vendored
Normal file
14
debian/passbook.service
vendored
Normal file
@ -0,0 +1,14 @@
|
||||
[Unit]
|
||||
Description=passbook - Authentication Provider/Proxy
|
||||
After=network.target
|
||||
Requires=network.target
|
||||
|
||||
[Service]
|
||||
User=passbook
|
||||
Group=passbook
|
||||
WorkingDirectory=/usr/share/passbook
|
||||
Type=simple
|
||||
ExecStart=/usr/share/passbook/passbook.sh web
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
36
debian/postinst
vendored
Executable file
36
debian/postinst
vendored
Executable file
@ -0,0 +1,36 @@
|
||||
#!/bin/bash
|
||||
|
||||
set -e
|
||||
|
||||
. /usr/share/debconf/confmodule
|
||||
. /usr/share/dbconfig-common/dpkg/postinst.pgsql
|
||||
|
||||
# you can set the default database encoding to something else
|
||||
dbc_pgsql_createdb_encoding="UTF8"
|
||||
dbc_generate_include=template:/etc/passbook/config.d/database.yml
|
||||
dbc_generate_include_args="-o template_infile=/usr/share/passbook/database.yml"
|
||||
dbc_go passbook "$@"
|
||||
|
||||
if [ -z "`getent group passbook`" ]; then
|
||||
addgroup --quiet --system passbook
|
||||
fi
|
||||
if [ -z "`getent passwd passbook`" ]; then
|
||||
echo " * Creating user and group passbook..."
|
||||
adduser --quiet --system --home /usr/share/passbook --shell /bin/false --ingroup passbook --disabled-password --disabled-login --gecos "passbook User" passbook >> /var/log/passbook/passbook.log 2>&1
|
||||
fi
|
||||
echo " * Updating binary packages (psycopg2)"
|
||||
python3 -m pip install --target=/usr/share/passbook/vendor/ --no-cache-dir --upgrade --force-reinstall psycopg2 >> /var/log/passbook/passbook.log 2>&1
|
||||
if [ ! -f '/etc/passbook/secret_key' ]; then
|
||||
echo " * Generating Secret Key"
|
||||
python3 -c 'import random; result = "".join([random.choice("abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)") for i in range(50)]); print(result)' > /etc/passbook/secret_key 2> /dev/null
|
||||
fi
|
||||
chown -R passbook: /usr/share/passbook/
|
||||
chown -R passbook: /etc/passbook/
|
||||
chown -R passbook: /var/log/passbook/
|
||||
chmod 440 /etc/passbook/secret_key
|
||||
echo " * Running Database Migration"
|
||||
/usr/share/passbook/passbook.sh migrate
|
||||
echo " * A superuser can be created with this command '/usr/share/passbook/passbook.sh createsuperuser'"
|
||||
echo " * You should probably also adjust your settings in '/etc/passbook/config.yml'"
|
||||
|
||||
#DEBHELPER#
|
||||
24
debian/postrm
vendored
Normal file
24
debian/postrm
vendored
Normal file
@ -0,0 +1,24 @@
|
||||
#!/bin/sh
|
||||
|
||||
set -e
|
||||
|
||||
if [ -f /usr/share/debconf/confmodule ]; then
|
||||
. /usr/share/debconf/confmodule
|
||||
fi
|
||||
if [ -f /usr/share/dbconfig-common/dpkg/postrm.pgsql ]; then
|
||||
. /usr/share/dbconfig-common/dpkg/postrm.pgsql
|
||||
dbc_go passbook "$@"
|
||||
fi
|
||||
|
||||
|
||||
if [ "$1" = "purge" ]; then
|
||||
if which ucf >/dev/null 2>&1; then
|
||||
ucf --purge /etc/passbook/config.d/database.yml
|
||||
ucfr --purge passbook /etc/passbook/config.d/database.yml
|
||||
fi
|
||||
rm -rf /etc/passbook/
|
||||
rm -rf /usr/share/passbook/
|
||||
fi
|
||||
|
||||
#DEBHELPER#
|
||||
|
||||
10
debian/prerm
vendored
Normal file
10
debian/prerm
vendored
Normal file
@ -0,0 +1,10 @@
|
||||
#!/bin/sh
|
||||
|
||||
set -e
|
||||
|
||||
. /usr/share/debconf/confmodule
|
||||
. /usr/share/dbconfig-common/dpkg/prerm.pgsql
|
||||
dbc_go passbook "$@"
|
||||
|
||||
#DEBHELPER#
|
||||
|
||||
27
debian/rules
vendored
Executable file
27
debian/rules
vendored
Executable file
@ -0,0 +1,27 @@
|
||||
#!/usr/bin/make -f
|
||||
|
||||
# Uncomment this to turn on verbose mode.
|
||||
# export DH_VERBOSE=1
|
||||
|
||||
%:
|
||||
dh $@ --with=systemd
|
||||
|
||||
build-arch:
|
||||
python3 -m pip install setuptools
|
||||
python3 -m pip install --target=vendor/ -r requirements.txt
|
||||
|
||||
override_dh_strip:
|
||||
dh_strip --exclude=psycopg2
|
||||
|
||||
override_dh_shlibdeps:
|
||||
dh_shlibdeps --exclude=psycopg2
|
||||
|
||||
override_dh_installinit:
|
||||
dh_installinit --name=passbook
|
||||
dh_installinit --name=passbook-worker
|
||||
dh_systemd_enable --name=passbook
|
||||
dh_systemd_enable --name=passbook-worker
|
||||
dh_systemd_start
|
||||
|
||||
# override_dh_usrlocal to do nothing
|
||||
override_dh_usrlocal:
|
||||
1
debian/source/format
vendored
Normal file
1
debian/source/format
vendored
Normal file
@ -0,0 +1 @@
|
||||
3.0 (native)
|
||||
8
debian/templates/database.yml
vendored
Normal file
8
debian/templates/database.yml
vendored
Normal file
@ -0,0 +1,8 @@
|
||||
databases:
|
||||
default:
|
||||
engine: django.db.backends.postgresql
|
||||
name: _DBC_DBNAME_
|
||||
user: _DBC_DBUSER_
|
||||
password: _DBC_DBPASS_
|
||||
host: _DBC_DBSERVER_
|
||||
port: _DBC_DBPORT_
|
||||
@ -1,6 +1,6 @@
|
||||
apiVersion: v1
|
||||
appVersion: "0.0.13-alpha"
|
||||
appVersion: "0.1.9-beta"
|
||||
description: A Helm chart for passbook.
|
||||
name: passbook
|
||||
version: "0.0.13-alpha"
|
||||
version: "0.1.9-beta"
|
||||
icon: https://passbook.beryju.org/images/logo.png
|
||||
|
||||
@ -50,6 +50,7 @@ data:
|
||||
{{- range .Values.ingress.hosts }}
|
||||
- {{ . | quote }}
|
||||
{{- end }}
|
||||
- kubernetes-healthcheck-host
|
||||
|
||||
passbook:
|
||||
sign_up:
|
||||
@ -130,6 +131,7 @@ data:
|
||||
# List of python packages with provider types to load.
|
||||
types:
|
||||
- passbook.saml_idp.processors.generic
|
||||
- passbook.saml_idp.processors.aws
|
||||
- passbook.saml_idp.processors.gitlab
|
||||
- passbook.saml_idp.processors.nextcloud
|
||||
- passbook.saml_idp.processors.salesforce
|
||||
|
||||
@ -5,7 +5,7 @@
|
||||
replicaCount: 1
|
||||
|
||||
image:
|
||||
tag: 0.0.13-alpha
|
||||
tag: 0.1.9-beta
|
||||
|
||||
nameOverride: ""
|
||||
|
||||
|
||||
7
passbook.sh
Executable file
7
passbook.sh
Executable file
@ -0,0 +1,7 @@
|
||||
#!/bin/bash
|
||||
|
||||
# Check if this file is a symlink, if so, read real base dir
|
||||
BASE_DIR=$(dirname $(readlink -f ${BASH_SOURCE[0]}))
|
||||
|
||||
cd $BASE_DIR
|
||||
PYTHONPATH="${BASE_DIR}/vendor/" python3 manage.py $@
|
||||
@ -1,2 +1,2 @@
|
||||
"""passbook"""
|
||||
__version__ = '0.0.13-alpha'
|
||||
__version__ = '0.1.9-beta'
|
||||
|
||||
@ -1,2 +1,2 @@
|
||||
"""passbook admin"""
|
||||
__version__ = '0.0.13-alpha'
|
||||
__version__ = '0.1.9-beta'
|
||||
|
||||
17
passbook/admin/forms/users.py
Normal file
17
passbook/admin/forms/users.py
Normal file
@ -0,0 +1,17 @@
|
||||
"""passbook administrative user forms"""
|
||||
|
||||
from django import forms
|
||||
|
||||
from passbook.core.models import User
|
||||
|
||||
|
||||
class UserForm(forms.ModelForm):
|
||||
"""Update User Details"""
|
||||
|
||||
class Meta:
|
||||
|
||||
model = User
|
||||
fields = ['username', 'name', 'email', 'is_staff', 'is_active']
|
||||
widgets = {
|
||||
'name': forms.TextInput
|
||||
}
|
||||
25
passbook/admin/middleware.py
Normal file
25
passbook/admin/middleware.py
Normal file
@ -0,0 +1,25 @@
|
||||
"""passbook admin Middleware to impersonate users"""
|
||||
|
||||
from passbook.core.models import User
|
||||
|
||||
|
||||
def impersonate(get_response):
|
||||
"""Middleware to impersonate users"""
|
||||
|
||||
def middleware(request):
|
||||
"""Middleware to impersonate users"""
|
||||
|
||||
# User is superuser and has __impersonate ID set
|
||||
if request.user.is_superuser and "__impersonate" in request.GET:
|
||||
request.session['impersonate_id'] = request.GET["__impersonate"]
|
||||
# user wants to stop impersonation
|
||||
elif "__unimpersonate" in request.GET and 'impersonate_id' in request.session:
|
||||
del request.session['impersonate_id']
|
||||
|
||||
# Actually impersonate user
|
||||
if request.user.is_superuser and 'impersonate_id' in request.session:
|
||||
request.user = User.objects.get(pk=request.session['impersonate_id'])
|
||||
|
||||
response = get_response(request)
|
||||
return response
|
||||
return middleware
|
||||
5
passbook/admin/settings.py
Normal file
5
passbook/admin/settings.py
Normal file
@ -0,0 +1,5 @@
|
||||
"""passbook admin settings"""
|
||||
|
||||
MIDDLEWARE = [
|
||||
'passbook.admin.middleware.impersonate',
|
||||
]
|
||||
@ -8,22 +8,32 @@
|
||||
<li class="{% is_active 'passbook_admin:overview' %}">
|
||||
<a href="{% url 'passbook_admin:overview' %}">{% trans 'Overview' %}</a>
|
||||
</li>
|
||||
<li class="{% is_active 'passbook_admin:applications' 'passbook_admin:application-create' 'passbook_admin:application-update' 'passbook_admin:application-delete' %}">
|
||||
<li
|
||||
class="{% is_active 'passbook_admin:applications' 'passbook_admin:application-create' 'passbook_admin:application-update' 'passbook_admin:application-delete' %}">
|
||||
<a href="{% url 'passbook_admin:applications' %}">{% trans 'Applications' %}</a>
|
||||
</li>
|
||||
<li class="{% is_active 'passbook_admin:sources' 'passbook_admin:source-create' 'passbook_admin:source-update' 'passbook_admin:source-delete' %}">
|
||||
<li
|
||||
class="{% is_active 'passbook_admin:sources' 'passbook_admin:source-create' 'passbook_admin:source-update' 'passbook_admin:source-delete' %}">
|
||||
<a href="{% url 'passbook_admin:sources' %}">{% trans 'Sources' %}</a>
|
||||
</li>
|
||||
<li class="{% is_active 'passbook_admin:providers' 'passbook_admin:provider-create' 'passbook_admin:provider-update' 'passbook_admin:provider-delete' %}">
|
||||
<li
|
||||
class="{% is_active 'passbook_admin:providers' 'passbook_admin:provider-create' 'passbook_admin:provider-update' 'passbook_admin:provider-delete' %}">
|
||||
<a href="{% url 'passbook_admin:providers' %}">{% trans 'Providers' %}</a>
|
||||
</li>
|
||||
<li class="{% is_active 'passbook_admin:factors' 'passbook_admin:factor-create' 'passbook_admin:factor-update' 'passbook_admin:factor-delete' %}">
|
||||
<li
|
||||
class="{% is_active 'passbook_admin:property-mappings' 'passbook_admin:property-mapping-create' 'passbook_admin:property-mapping-update' 'passbook_admin:property-mapping-delete' %}">
|
||||
<a href="{% url 'passbook_admin:property-mappings' %}">{% trans 'Property Mappings' %}</a>
|
||||
</li>
|
||||
<li
|
||||
class="{% is_active 'passbook_admin:factors' 'passbook_admin:factor-create' 'passbook_admin:factor-update' 'passbook_admin:factor-delete' %}">
|
||||
<a href="{% url 'passbook_admin:factors' %}">{% trans 'Factors' %}</a>
|
||||
</li>
|
||||
<li class="{% is_active 'passbook_admin:policies' 'passbook_admin:policy-create' 'passbook_admin:policy-update' 'passbook_admin:policy-delete' 'passbook_admin:policy-test' %}">
|
||||
<li
|
||||
class="{% is_active 'passbook_admin:policies' 'passbook_admin:policy-create' 'passbook_admin:policy-update' 'passbook_admin:policy-delete' 'passbook_admin:policy-test' %}">
|
||||
<a href="{% url 'passbook_admin:policies' %}">{% trans 'Policies' %}</a>
|
||||
</li>
|
||||
<li class="{% is_active 'passbook_admin:invitations' 'passbook_admin:invitation-create' 'passbook_admin:invitation-update' 'passbook_admin:invitation-delete' 'passbook_admin:invitation-test' %}">
|
||||
<li
|
||||
class="{% is_active 'passbook_admin:invitations' 'passbook_admin:invitation-create' 'passbook_admin:invitation-update' 'passbook_admin:invitation-delete' 'passbook_admin:invitation-test' %}">
|
||||
<a href="{% url 'passbook_admin:invitations' %}">{% trans 'Invitations' %}</a>
|
||||
</li>
|
||||
<li class="{% is_active 'passbook_admin:users' 'passbook_admin:user-update' 'passbook_admin:user-delete' %}">
|
||||
|
||||
@ -76,9 +76,13 @@
|
||||
<div class="card-pf-body">
|
||||
<p class="card-pf-aggregate-status-notifications">
|
||||
<span class="card-pf-aggregate-status-notification">
|
||||
<a href="{% url 'passbook_admin:factors' %}">
|
||||
{% if factor_count < 1 %}
|
||||
<span class="pficon-error-circle-o" data-toggle="tooltip" data-placement="right"
|
||||
title="{% trans 'No Factors configured. No Users will be able to login.' %}"></span>
|
||||
{{ factor_count }}
|
||||
{% else %}
|
||||
<span class="pficon pficon-ok"></span>{{ factor_count }}
|
||||
</a>
|
||||
{% endif %}
|
||||
</span>
|
||||
</p>
|
||||
</div>
|
||||
@ -95,9 +99,13 @@
|
||||
<div class="card-pf-body">
|
||||
<p class="card-pf-aggregate-status-notifications">
|
||||
<span class="card-pf-aggregate-status-notification">
|
||||
<a href="{% url 'passbook_admin:policies' %}">
|
||||
{% if policies_without_attachment > 0 %}
|
||||
<span class="pficon-warning-triangle-o" data-toggle="tooltip" data-placement="right"
|
||||
title="{% trans 'Policies without attachment exist.' %}"></span>
|
||||
{{ policy_count }}
|
||||
{% else %}
|
||||
<span class="pficon pficon-ok"></span>{{ policy_count }}
|
||||
</a>
|
||||
{% endif %}
|
||||
</span>
|
||||
</p>
|
||||
</div>
|
||||
@ -174,7 +182,7 @@
|
||||
<a href="#">
|
||||
{% if worker_count < 1%}
|
||||
<span class="pficon-error-circle-o" data-toggle="tooltip" data-placement="right"
|
||||
title="{% trans 'No workers connected. Policies may not work.' %}"></span> {{ worker_count }}
|
||||
title="{% trans 'No workers connected. Policies will not work and you may expect other issues.' %}"></span> {{ worker_count }}
|
||||
{% else %}
|
||||
<span class="pficon pficon-ok"></span>{{ worker_count }}
|
||||
{% endif %}
|
||||
|
||||
@ -28,6 +28,7 @@
|
||||
<table class="table table-striped table-bordered">
|
||||
<thead>
|
||||
<tr>
|
||||
<th></th>
|
||||
<th>{% trans 'Name' %}</th>
|
||||
<th>{% trans 'Type' %}</th>
|
||||
<th></th>
|
||||
@ -35,7 +36,14 @@
|
||||
</thead>
|
||||
<tbody>
|
||||
{% for policy in object_list %}
|
||||
<tr>
|
||||
<tr {% if not policy.policymodel_set.exists %} class="warning" {% endif %}>
|
||||
<th>
|
||||
{% if not policy.policymodel_set.exists %}
|
||||
<span class="pficon-warning-triangle-o" data-toggle="tooltip" data-placement="right" title="{% trans 'Warning: Policy is not assigned.' %}"></span>
|
||||
{% else %}
|
||||
<span class="pficon-ok" data-toggle="tooltip" data-placement="right" title="{% blocktrans with objects=policy.policymodel_set.all|join:', ' %}Assigned to objects {{ objects }}{% endblocktrans %}"></span>
|
||||
{% endif %}
|
||||
</th>
|
||||
<td>{{ policy.name }}</td>
|
||||
<td>{{ policy|verbose_name }}</td>
|
||||
<td>
|
||||
|
||||
@ -0,0 +1,52 @@
|
||||
{% extends "administration/base.html" %}
|
||||
|
||||
{% load i18n %}
|
||||
{% load utils %}
|
||||
|
||||
{% block title %}
|
||||
{% title %}
|
||||
{% endblock %}
|
||||
|
||||
{% block content %}
|
||||
<div class="container">
|
||||
<h1><span class="fa fa-table"></span> {% trans "Property Mappings" %}</h1>
|
||||
<span>{% trans "Property Mappings allow you expose provider-specific attributes." %}</span>
|
||||
<hr>
|
||||
<div class="dropdown">
|
||||
<button class="btn btn-primary dropdown-toggle" type="button" id="createDropdown" data-toggle="dropdown">
|
||||
{% trans 'Create...' %}
|
||||
<span class="caret"></span>
|
||||
</button>
|
||||
<ul class="dropdown-menu" role="menu" aria-labelledby="createDropdown">
|
||||
{% for type, name in types.items %}
|
||||
<li role="presentation"><a role="menuitem" tabindex="-1"
|
||||
href="{% url 'passbook_admin:property-mapping-create' %}?type={{ type }}&back={{ request.get_full_path }}">{{ name }}</a></li>
|
||||
{% endfor %}
|
||||
</ul>
|
||||
</div>
|
||||
<hr>
|
||||
<table class="table table-striped table-bordered">
|
||||
<thead>
|
||||
<tr>
|
||||
<th>{% trans 'Name' %}</th>
|
||||
<th>{% trans 'Type' %}</th>
|
||||
<th></th>
|
||||
</tr>
|
||||
</thead>
|
||||
<tbody>
|
||||
{% for property_mapping in object_list %}
|
||||
<tr>
|
||||
<td>{{ property_mapping.name }} ({{ property_mapping.slug }})</td>
|
||||
<td>{{ property_mapping|verbose_name }}</td>
|
||||
<td>
|
||||
<a class="btn btn-default btn-sm"
|
||||
href="{% url 'passbook_admin:property-mapping-update' pk=property_mapping.pk %}?back={{ request.get_full_path }}">{% trans 'Edit' %}</a>
|
||||
<a class="btn btn-default btn-sm"
|
||||
href="{% url 'passbook_admin:property-mapping-delete' pk=property_mapping.pk %}?back={{ request.get_full_path }}">{% trans 'Delete' %}</a>
|
||||
</td>
|
||||
</tr>
|
||||
{% endfor %}
|
||||
</tbody>
|
||||
</table>
|
||||
</div>
|
||||
{% endblock %}
|
||||
@ -31,6 +31,8 @@
|
||||
href="{% url 'passbook_admin:user-delete' pk=user.pk %}?back={{ request.get_full_path }}">{% trans 'Delete' %}</a>
|
||||
<a class="btn btn-default btn-sm"
|
||||
href="{% url 'passbook_admin:user-password-reset' pk=user.pk %}?back={{ request.get_full_path }}">{% trans 'Reset Password' %}</a>
|
||||
<a class="btn btn-default btn-sm"
|
||||
href="{% url 'passbook_core:overview' %}?__impersonate={{ user.pk }}">{% trans 'Impersonate' %}</a>
|
||||
</td>
|
||||
</tr>
|
||||
{% endfor %}
|
||||
|
||||
@ -3,6 +3,11 @@
|
||||
{% load i18n %}
|
||||
{% load utils %}
|
||||
|
||||
{% block head %}
|
||||
{{ block.super }}
|
||||
{{ form.media.css }}
|
||||
{% endblock %}
|
||||
|
||||
{% block content %}
|
||||
<div class="container">
|
||||
{% block above_form %}
|
||||
@ -16,3 +21,8 @@
|
||||
</div>
|
||||
</div>
|
||||
{% endblock %}
|
||||
|
||||
{% block scripts %}
|
||||
{{ block.super }}
|
||||
{{ form.media.js }}
|
||||
{% endblock %}
|
||||
|
||||
@ -2,8 +2,8 @@
|
||||
from django.urls import include, path
|
||||
|
||||
from passbook.admin.views import (applications, audit, factors, groups,
|
||||
invitations, overview, policy, providers,
|
||||
sources, users)
|
||||
invitations, overview, policy,
|
||||
property_mapping, providers, sources, users)
|
||||
|
||||
urlpatterns = [
|
||||
path('', overview.AdministrationOverviewView.as_view(), name='overview'),
|
||||
@ -43,6 +43,15 @@ urlpatterns = [
|
||||
factors.FactorUpdateView.as_view(), name='factor-update'),
|
||||
path('factors/<uuid:pk>/delete/',
|
||||
factors.FactorDeleteView.as_view(), name='factor-delete'),
|
||||
# Factors
|
||||
path('property-mappings/', property_mapping.PropertyMappingListView.as_view(),
|
||||
name='property-mappings'),
|
||||
path('property-mappings/create/',
|
||||
property_mapping.PropertyMappingCreateView.as_view(), name='property-mapping-create'),
|
||||
path('property-mappings/<uuid:pk>/update/',
|
||||
property_mapping.PropertyMappingUpdateView.as_view(), name='property-mapping-update'),
|
||||
path('property-mappings/<uuid:pk>/delete/',
|
||||
property_mapping.PropertyMappingDeleteView.as_view(), name='property-mapping-delete'),
|
||||
# Invitations
|
||||
path('invitations/', invitations.InvitationListView.as_view(), name='invitations'),
|
||||
path('invitations/create/',
|
||||
|
||||
@ -24,4 +24,5 @@ class AdministrationOverviewView(AdminRequiredMixin, TemplateView):
|
||||
kwargs['version'] = __version__
|
||||
kwargs['worker_count'] = len(CELERY_APP.control.ping(timeout=0.5))
|
||||
kwargs['providers_without_application'] = Provider.objects.filter(application=None)
|
||||
kwargs['policies_without_attachment'] = len(Policy.objects.filter(policymodel__isnull=True))
|
||||
return super().get_context_data(**kwargs)
|
||||
|
||||
@ -11,6 +11,7 @@ from django.views.generic.detail import DetailView
|
||||
from passbook.admin.forms.policies import PolicyTestForm
|
||||
from passbook.admin.mixins import AdminRequiredMixin
|
||||
from passbook.core.models import Policy
|
||||
from passbook.core.policies import PolicyEngine
|
||||
from passbook.lib.utils.reflection import path_to_class
|
||||
|
||||
|
||||
@ -100,7 +101,9 @@ class PolicyTestView(AdminRequiredMixin, DetailView, FormView):
|
||||
def form_valid(self, form):
|
||||
policy = self.get_object()
|
||||
user = form.cleaned_data.get('user')
|
||||
result = policy.passes(user)
|
||||
policy_engine = PolicyEngine([policy])
|
||||
policy_engine.for_user(user).with_request(self.request).build()
|
||||
result = policy_engine.passing
|
||||
if result:
|
||||
messages.success(self.request, _('User successfully passed policy.'))
|
||||
else:
|
||||
|
||||
90
passbook/admin/views/property_mapping.py
Normal file
90
passbook/admin/views/property_mapping.py
Normal file
@ -0,0 +1,90 @@
|
||||
"""passbook PropertyMapping administration"""
|
||||
from django.contrib import messages
|
||||
from django.contrib.messages.views import SuccessMessageMixin
|
||||
from django.http import Http404
|
||||
from django.urls import reverse_lazy
|
||||
from django.utils.translation import ugettext as _
|
||||
from django.views.generic import CreateView, DeleteView, ListView, UpdateView
|
||||
|
||||
from passbook.admin.mixins import AdminRequiredMixin
|
||||
from passbook.core.models import PropertyMapping
|
||||
from passbook.lib.utils.reflection import path_to_class
|
||||
|
||||
|
||||
def all_subclasses(cls):
|
||||
"""Recursively return all subclassess of cls"""
|
||||
return set(cls.__subclasses__()).union(
|
||||
[s for c in cls.__subclasses__() for s in all_subclasses(c)])
|
||||
|
||||
|
||||
class PropertyMappingListView(AdminRequiredMixin, ListView):
|
||||
"""Show list of all property_mappings"""
|
||||
|
||||
model = PropertyMapping
|
||||
template_name = 'administration/property_mapping/list.html'
|
||||
ordering = 'name'
|
||||
|
||||
def get_context_data(self, **kwargs):
|
||||
kwargs['types'] = {
|
||||
x.__name__: x._meta.verbose_name for x in all_subclasses(PropertyMapping)}
|
||||
return super().get_context_data(**kwargs)
|
||||
|
||||
def get_queryset(self):
|
||||
return super().get_queryset().select_subclasses()
|
||||
|
||||
|
||||
class PropertyMappingCreateView(SuccessMessageMixin, AdminRequiredMixin, CreateView):
|
||||
"""Create new PropertyMapping"""
|
||||
|
||||
template_name = 'generic/create.html'
|
||||
success_url = reverse_lazy('passbook_admin:property-mappings')
|
||||
success_message = _('Successfully created Property Mapping')
|
||||
|
||||
def get_context_data(self, **kwargs):
|
||||
kwargs = super().get_context_data(**kwargs)
|
||||
property_mapping_type = self.request.GET.get('type')
|
||||
model = next(x for x in all_subclasses(PropertyMapping)
|
||||
if x.__name__ == property_mapping_type)
|
||||
kwargs['type'] = model._meta.verbose_name
|
||||
return kwargs
|
||||
|
||||
def get_form_class(self):
|
||||
property_mapping_type = self.request.GET.get('type')
|
||||
model = next(x for x in all_subclasses(PropertyMapping)
|
||||
if x.__name__ == property_mapping_type)
|
||||
if not model:
|
||||
raise Http404
|
||||
return path_to_class(model.form)
|
||||
|
||||
|
||||
class PropertyMappingUpdateView(SuccessMessageMixin, AdminRequiredMixin, UpdateView):
|
||||
"""Update property_mapping"""
|
||||
|
||||
model = PropertyMapping
|
||||
template_name = 'generic/update.html'
|
||||
success_url = reverse_lazy('passbook_admin:property-mappings')
|
||||
success_message = _('Successfully updated Property Mapping')
|
||||
|
||||
def get_form_class(self):
|
||||
form_class_path = self.get_object().form
|
||||
form_class = path_to_class(form_class_path)
|
||||
return form_class
|
||||
|
||||
def get_object(self, queryset=None):
|
||||
return PropertyMapping.objects.filter(pk=self.kwargs.get('pk')).select_subclasses().first()
|
||||
|
||||
|
||||
class PropertyMappingDeleteView(SuccessMessageMixin, AdminRequiredMixin, DeleteView):
|
||||
"""Delete property_mapping"""
|
||||
|
||||
model = PropertyMapping
|
||||
template_name = 'generic/delete.html'
|
||||
success_url = reverse_lazy('passbook_admin:property-mappings')
|
||||
success_message = _('Successfully deleted Property Mapping')
|
||||
|
||||
def get_object(self, queryset=None):
|
||||
return PropertyMapping.objects.filter(pk=self.kwargs.get('pk')).select_subclasses().first()
|
||||
|
||||
def delete(self, request, *args, **kwargs):
|
||||
messages.success(self.request, self.success_message)
|
||||
return super().delete(request, *args, **kwargs)
|
||||
@ -7,8 +7,8 @@ from django.utils.translation import ugettext as _
|
||||
from django.views import View
|
||||
from django.views.generic import DeleteView, ListView, UpdateView
|
||||
|
||||
from passbook.admin.forms.users import UserForm
|
||||
from passbook.admin.mixins import AdminRequiredMixin
|
||||
from passbook.core.forms.users import UserDetailForm
|
||||
from passbook.core.models import Nonce, User
|
||||
|
||||
|
||||
@ -23,7 +23,7 @@ class UserUpdateView(SuccessMessageMixin, AdminRequiredMixin, UpdateView):
|
||||
"""Update user"""
|
||||
|
||||
model = User
|
||||
form_class = UserDetailForm
|
||||
form_class = UserForm
|
||||
|
||||
template_name = 'generic/update.html'
|
||||
success_url = reverse_lazy('passbook_admin:users')
|
||||
|
||||
@ -1,2 +1,2 @@
|
||||
"""passbook api"""
|
||||
__version__ = '0.0.13-alpha'
|
||||
__version__ = '0.1.9-beta'
|
||||
|
||||
@ -1,2 +1,2 @@
|
||||
"""passbook audit Header"""
|
||||
__version__ = '0.0.13-alpha'
|
||||
__version__ = '0.1.9-beta'
|
||||
|
||||
16
passbook/audit/migrations/0004_delete_loginattempt.py
Normal file
16
passbook/audit/migrations/0004_delete_loginattempt.py
Normal file
@ -0,0 +1,16 @@
|
||||
# Generated by Django 2.1.7 on 2019-03-08 14:53
|
||||
|
||||
from django.db import migrations
|
||||
|
||||
|
||||
class Migration(migrations.Migration):
|
||||
|
||||
dependencies = [
|
||||
('passbook_audit', '0003_auto_20190221_1240'),
|
||||
]
|
||||
|
||||
operations = [
|
||||
migrations.DeleteModel(
|
||||
name='LoginAttempt',
|
||||
),
|
||||
]
|
||||
@ -1,5 +1,4 @@
|
||||
"""passbook audit models"""
|
||||
from datetime import timedelta
|
||||
from logging import getLogger
|
||||
|
||||
from django.conf import settings
|
||||
@ -7,11 +6,10 @@ from django.contrib.auth.models import AnonymousUser
|
||||
from django.contrib.postgres.fields import JSONField
|
||||
from django.core.exceptions import ValidationError
|
||||
from django.db import models
|
||||
from django.utils import timezone
|
||||
from django.utils.translation import gettext as _
|
||||
from ipware import get_client_ip
|
||||
|
||||
from passbook.lib.models import CreatedUpdatedModel, UUIDModel
|
||||
from passbook.lib.models import UUIDModel
|
||||
|
||||
LOGGER = getLogger(__name__)
|
||||
|
||||
@ -75,43 +73,3 @@ class AuditEntry(UUIDModel):
|
||||
|
||||
verbose_name = _('Audit Entry')
|
||||
verbose_name_plural = _('Audit Entries')
|
||||
|
||||
|
||||
class LoginAttempt(CreatedUpdatedModel):
|
||||
"""Track failed login-attempts"""
|
||||
|
||||
target_uid = models.CharField(max_length=254)
|
||||
request_ip = models.GenericIPAddressField()
|
||||
attempts = models.IntegerField(default=1)
|
||||
|
||||
@staticmethod
|
||||
def attempt(target_uid, request):
|
||||
"""Helper function to create attempt or count up existing one"""
|
||||
if not target_uid:
|
||||
return
|
||||
client_ip, _ = get_client_ip(request)
|
||||
# Since we can only use 254 chars for target_uid, truncate target_uid.
|
||||
target_uid = target_uid[:254]
|
||||
time_threshold = timezone.now() - timedelta(minutes=10)
|
||||
existing_attempts = LoginAttempt.objects.filter(
|
||||
target_uid=target_uid,
|
||||
request_ip=client_ip,
|
||||
last_updated__gt=time_threshold).order_by('created')
|
||||
if existing_attempts.exists():
|
||||
attempt = existing_attempts.first()
|
||||
attempt.attempts += 1
|
||||
attempt.save()
|
||||
LOGGER.debug("Increased attempts on %s", attempt)
|
||||
else:
|
||||
attempt = LoginAttempt.objects.create(
|
||||
target_uid=target_uid,
|
||||
request_ip=client_ip)
|
||||
LOGGER.debug("Created new attempt %s", attempt)
|
||||
|
||||
def __str__(self):
|
||||
return "LoginAttempt to %s from %s (x%d)" % (self.target_uid,
|
||||
self.request_ip, self.attempts)
|
||||
|
||||
class Meta:
|
||||
|
||||
unique_together = (('target_uid', 'request_ip', 'created'),)
|
||||
|
||||
@ -1 +0,0 @@
|
||||
django-ipware
|
||||
@ -1,9 +1,8 @@
|
||||
"""passbook audit signal listener"""
|
||||
from django.contrib.auth.signals import (user_logged_in, user_logged_out,
|
||||
user_login_failed)
|
||||
from django.contrib.auth.signals import user_logged_in, user_logged_out
|
||||
from django.dispatch import receiver
|
||||
|
||||
from passbook.audit.models import AuditEntry, LoginAttempt
|
||||
from passbook.audit.models import AuditEntry
|
||||
from passbook.core.signals import (invitation_created, invitation_used,
|
||||
user_signed_up)
|
||||
|
||||
@ -34,8 +33,3 @@ def on_invitation_used(sender, request, invitation, **kwargs):
|
||||
"""Log Invitation usage"""
|
||||
AuditEntry.create(AuditEntry.ACTION_INVITE_USED, request,
|
||||
invitation_uuid=invitation.uuid.hex)
|
||||
|
||||
@receiver(user_login_failed)
|
||||
def on_user_login_failed(sender, request, credentials, **kwargs):
|
||||
"""Log failed login attempt"""
|
||||
LoginAttempt.attempt(target_uid=credentials.get('username'), request=request)
|
||||
|
||||
@ -1,2 +1,2 @@
|
||||
"""passbook captcha_factor Header"""
|
||||
__version__ = '0.0.13-alpha'
|
||||
__version__ = '0.1.9-beta'
|
||||
|
||||
@ -13,3 +13,10 @@ class CaptchaFactor(FormView, AuthenticationFactor):
|
||||
|
||||
def form_valid(self, form):
|
||||
return self.authenticator.user_ok()
|
||||
|
||||
def get_form(self, form_class=None):
|
||||
form = CaptchaForm(**self.get_form_kwargs())
|
||||
form.fields['captcha'].public_key = '6Lfi1w8TAAAAAELH-YiWp0OFItmMzvjGmw2xkvUN'
|
||||
form.fields['captcha'].private_key = '6Lfi1w8TAAAAAMQI3f86tGMvd1QkcqqVQyBWI23D'
|
||||
form.fields['captcha'].widget.attrs["data-sitekey"] = form.fields['captcha'].public_key
|
||||
return form
|
||||
|
||||
@ -1,2 +1,2 @@
|
||||
"""passbook core"""
|
||||
__version__ = '0.0.13-alpha'
|
||||
__version__ = '0.1.9-beta'
|
||||
|
||||
@ -37,7 +37,7 @@ class PasswordFactor(FormView, AuthenticationFactor):
|
||||
send_email.delay(self.pending_user.email, _('Forgotten password'),
|
||||
'email/account_password_reset.html', {
|
||||
'url': self.request.build_absolute_uri(
|
||||
reverse('passbook_core:passbook_core:auth-password-reset',
|
||||
reverse('passbook_core:auth-password-reset',
|
||||
kwargs={
|
||||
'nonce': nonce.uuid
|
||||
})
|
||||
|
||||
@ -39,35 +39,41 @@ class AuthenticationView(UserPassesTestMixin, View):
|
||||
|
||||
# Allow only not authenticated users to login
|
||||
def test_func(self):
|
||||
return self.request.user.is_authenticated is False
|
||||
return AuthenticationView.SESSION_PENDING_USER in self.request.session
|
||||
|
||||
def handle_no_permission(self):
|
||||
# Function from UserPassesTestMixin
|
||||
if 'next' in self.request.GET:
|
||||
return redirect(self.request.GET.get('next'))
|
||||
if self.request.user.is_authenticated:
|
||||
return _redirect_with_qs('passbook_core:overview', self.request.GET)
|
||||
return _redirect_with_qs('passbook_core:auth-login', self.request.GET)
|
||||
|
||||
def dispatch(self, request, *args, **kwargs):
|
||||
# Extract pending user from session (only remember uid)
|
||||
if AuthenticationView.SESSION_PENDING_USER in request.session:
|
||||
self.pending_user = get_object_or_404(
|
||||
User, id=self.request.session[AuthenticationView.SESSION_PENDING_USER])
|
||||
else:
|
||||
# No Pending user, redirect to login screen
|
||||
return _redirect_with_qs('passbook_core:auth-login', request.GET)
|
||||
def get_pending_factors(self):
|
||||
"""Loading pending factors from Database or load from session variable"""
|
||||
# Write pending factors to session
|
||||
if AuthenticationView.SESSION_PENDING_FACTORS in request.session:
|
||||
self.pending_factors = request.session[AuthenticationView.SESSION_PENDING_FACTORS]
|
||||
else:
|
||||
if AuthenticationView.SESSION_PENDING_FACTORS in self.request.session:
|
||||
return self.request.session[AuthenticationView.SESSION_PENDING_FACTORS]
|
||||
# Get an initial list of factors which are currently enabled
|
||||
# and apply to the current user. We check policies here and block the request
|
||||
_all_factors = Factor.objects.filter(enabled=True).order_by('order').select_subclasses()
|
||||
self.pending_factors = []
|
||||
pending_factors = []
|
||||
for factor in _all_factors:
|
||||
policy_engine = PolicyEngine(factor.policies.all())
|
||||
policy_engine.for_user(self.pending_user)
|
||||
if policy_engine.result[0]:
|
||||
self.pending_factors.append((factor.uuid.hex, factor.type))
|
||||
policy_engine.for_user(self.pending_user).with_request(self.request).build()
|
||||
if policy_engine.passing:
|
||||
pending_factors.append((factor.uuid.hex, factor.type))
|
||||
return pending_factors
|
||||
|
||||
def dispatch(self, request, *args, **kwargs):
|
||||
# Check if user passes test (i.e. SESSION_PENDING_USER is set)
|
||||
user_test_result = self.get_test_func()()
|
||||
if not user_test_result:
|
||||
return self.handle_no_permission()
|
||||
# Extract pending user from session (only remember uid)
|
||||
self.pending_user = get_object_or_404(
|
||||
User, id=self.request.session[AuthenticationView.SESSION_PENDING_USER])
|
||||
self.pending_factors = self.get_pending_factors()
|
||||
# Read and instantiate factor from session
|
||||
factor_uuid, factor_class = None, None
|
||||
if AuthenticationView.SESSION_FACTOR not in request.session:
|
||||
@ -107,11 +113,11 @@ class AuthenticationView(UserPassesTestMixin, View):
|
||||
next_factor = None
|
||||
if self.pending_factors:
|
||||
next_factor = self.pending_factors.pop()
|
||||
# Save updated pening_factor list to session
|
||||
self.request.session[AuthenticationView.SESSION_PENDING_FACTORS] = \
|
||||
self.pending_factors
|
||||
self.request.session[AuthenticationView.SESSION_FACTOR] = next_factor
|
||||
LOGGER.debug("Rendering Factor is %s", next_factor)
|
||||
# return _redirect_with_qs('passbook_core:auth-process', kwargs={'factor': next_factor})
|
||||
return _redirect_with_qs('passbook_core:auth-process', self.request.GET)
|
||||
# User passed all factors
|
||||
LOGGER.debug("User passed all factors, logging in")
|
||||
@ -126,7 +132,6 @@ class AuthenticationView(UserPassesTestMixin, View):
|
||||
|
||||
def _user_passed(self):
|
||||
"""User Successfully passed all factors"""
|
||||
# user = authenticate(request=self.request, )
|
||||
backend = self.request.session[AuthenticationView.SESSION_USER_BACKEND]
|
||||
login(self.request, self.pending_user, backend=backend)
|
||||
LOGGER.debug("Logged in user %s", self.pending_user)
|
||||
|
||||
@ -5,9 +5,8 @@ import os
|
||||
|
||||
import celery
|
||||
from django.conf import settings
|
||||
|
||||
# from raven import Client
|
||||
# from raven.contrib.celery import register_logger_signal, register_signal
|
||||
from raven import Client
|
||||
from raven.contrib.celery import register_logger_signal, register_signal
|
||||
|
||||
# set the default Django settings module for the 'celery' program.
|
||||
os.environ.setdefault("DJANGO_SETTINGS_MODULE", "passbook.core.settings")
|
||||
@ -18,16 +17,17 @@ LOGGER = logging.getLogger(__name__)
|
||||
class Celery(celery.Celery):
|
||||
"""Custom Celery class with Raven configured"""
|
||||
|
||||
# def on_configure(self):
|
||||
# """Update raven client"""
|
||||
# try:
|
||||
# client = Client(settings.RAVEN_CONFIG.get('dsn'))
|
||||
# # register a custom filter to filter out duplicate logs
|
||||
# register_logger_signal(client)
|
||||
# # hook into the Celery error handler
|
||||
# register_signal(client)
|
||||
# except RecursionError: # This error happens when pdoc is running
|
||||
# pass
|
||||
# pylint: disable=method-hidden
|
||||
def on_configure(self):
|
||||
"""Update raven client"""
|
||||
try:
|
||||
client = Client(settings.RAVEN_CONFIG.get('dsn'))
|
||||
# register a custom filter to filter out duplicate logs
|
||||
register_logger_signal(client)
|
||||
# hook into the Celery error handler
|
||||
register_signal(client)
|
||||
except RecursionError: # This error happens when pdoc is running
|
||||
pass
|
||||
|
||||
|
||||
# pylint: disable=unused-argument
|
||||
|
||||
@ -81,8 +81,6 @@ class SignUpForm(forms.Form):
|
||||
password_repeat = self.cleaned_data.get('password_repeat')
|
||||
if password != password_repeat:
|
||||
raise ValidationError(_("Passwords don't match"))
|
||||
# TODO: Password policy? Via Plugin? via Policy?
|
||||
# return check_password(self)
|
||||
return self.cleaned_data.get('password_repeat')
|
||||
|
||||
|
||||
@ -91,5 +89,6 @@ class PasswordFactorForm(forms.Form):
|
||||
|
||||
password = forms.CharField(widget=forms.PasswordInput(attrs={
|
||||
'placeholder': _('Password'),
|
||||
'autofocus': 'autofocus'
|
||||
'autofocus': 'autofocus',
|
||||
'autocomplete': 'current-password'
|
||||
}))
|
||||
|
||||
@ -2,6 +2,7 @@
|
||||
from django import forms
|
||||
|
||||
from passbook.core.models import DummyFactor, PasswordFactor
|
||||
from passbook.lib.fields import DynamicArrayField
|
||||
|
||||
GENERAL_FIELDS = ['name', 'slug', 'order', 'policies', 'enabled']
|
||||
|
||||
@ -16,6 +17,9 @@ class PasswordFactorForm(forms.ModelForm):
|
||||
'name': forms.TextInput(),
|
||||
'order': forms.NumberInput(),
|
||||
}
|
||||
field_classes = {
|
||||
'backends': DynamicArrayField
|
||||
}
|
||||
|
||||
class DummyFactorForm(forms.ModelForm):
|
||||
"""Form to create/edit Dummy Factor"""
|
||||
|
||||
@ -22,10 +22,14 @@ class PasswordChangeForm(forms.Form):
|
||||
"""Form to update password"""
|
||||
|
||||
password = forms.CharField(label=_('Password'),
|
||||
widget=forms.PasswordInput(attrs={'placeholder': _('New Password')}))
|
||||
widget=forms.PasswordInput(attrs={
|
||||
'placeholder': _('New Password'),
|
||||
'autocomplete': 'new-password'
|
||||
}))
|
||||
password_repeat = forms.CharField(label=_('Repeat Password'),
|
||||
widget=forms.PasswordInput(attrs={
|
||||
'placeholder': _('Repeat Password')
|
||||
'placeholder': _('Repeat Password'),
|
||||
'autocomplete': 'new-password'
|
||||
}))
|
||||
|
||||
def clean_password_repeat(self):
|
||||
@ -34,5 +38,4 @@ class PasswordChangeForm(forms.Form):
|
||||
password_repeat = self.cleaned_data.get('password_repeat')
|
||||
if password != password_repeat:
|
||||
raise ValidationError(_("Passwords don't match"))
|
||||
# TODO: Password policy check
|
||||
return self.cleaned_data.get('password_repeat')
|
||||
|
||||
45
passbook/core/management/commands/import_users.py
Normal file
45
passbook/core/management/commands/import_users.py
Normal file
@ -0,0 +1,45 @@
|
||||
"""passbook import_users management command"""
|
||||
from csv import DictReader
|
||||
from logging import getLogger
|
||||
|
||||
from django.core.management.base import BaseCommand
|
||||
from django.core.validators import EmailValidator, ValidationError
|
||||
|
||||
from passbook.core.models import User
|
||||
|
||||
LOGGER = getLogger(__name__)
|
||||
|
||||
class Command(BaseCommand):
|
||||
"""Import users from CSV file"""
|
||||
|
||||
def add_arguments(self, parser):
|
||||
# Positional arguments
|
||||
parser.add_argument('file', nargs='+', type=str)
|
||||
|
||||
def handle(self, *args, **options):
|
||||
"""Create Users from CSV file"""
|
||||
for file in options.get('file'):
|
||||
with open(file, 'r') as _file:
|
||||
reader = DictReader(_file)
|
||||
for user in reader:
|
||||
LOGGER.debug('User %s', user.get('username'))
|
||||
try:
|
||||
# only import users with valid email addresses
|
||||
if user.get('email'):
|
||||
validator = EmailValidator()
|
||||
validator(user.get('email'))
|
||||
# use combination of username and email to check for existing user
|
||||
if User.objects.filter(
|
||||
username=user.get('username'),
|
||||
email=user.get('email')).exists():
|
||||
LOGGER.debug('User %s exists already, skipping', user.get('username'))
|
||||
# Create user
|
||||
User.objects.create(
|
||||
username=user.get('username'),
|
||||
email=user.get('email'),
|
||||
name=user.get('name'),
|
||||
password=user.get('password'))
|
||||
LOGGER.debug('Created User %s', user.get('username'))
|
||||
except ValidationError as exc:
|
||||
LOGGER.warning('User %s caused %r, skipping', user.get('username'), exc)
|
||||
continue
|
||||
26
passbook/core/migrations/0017_propertymapping.py
Normal file
26
passbook/core/migrations/0017_propertymapping.py
Normal file
@ -0,0 +1,26 @@
|
||||
# Generated by Django 2.1.7 on 2019-03-08 10:40
|
||||
|
||||
import uuid
|
||||
|
||||
from django.db import migrations, models
|
||||
|
||||
|
||||
class Migration(migrations.Migration):
|
||||
|
||||
dependencies = [
|
||||
('passbook_core', '0016_auto_20190227_1355'),
|
||||
]
|
||||
|
||||
operations = [
|
||||
migrations.CreateModel(
|
||||
name='PropertyMapping',
|
||||
fields=[
|
||||
('uuid', models.UUIDField(default=uuid.uuid4, editable=False, primary_key=True, serialize=False)),
|
||||
('name', models.TextField()),
|
||||
],
|
||||
options={
|
||||
'verbose_name': 'Property Mapping',
|
||||
'verbose_name_plural': 'Property Mappings',
|
||||
},
|
||||
),
|
||||
]
|
||||
18
passbook/core/migrations/0018_provider_property_mappings.py
Normal file
18
passbook/core/migrations/0018_provider_property_mappings.py
Normal file
@ -0,0 +1,18 @@
|
||||
# Generated by Django 2.1.7 on 2019-03-08 10:50
|
||||
|
||||
from django.db import migrations, models
|
||||
|
||||
|
||||
class Migration(migrations.Migration):
|
||||
|
||||
dependencies = [
|
||||
('passbook_core', '0017_propertymapping'),
|
||||
]
|
||||
|
||||
operations = [
|
||||
migrations.AddField(
|
||||
model_name='provider',
|
||||
name='property_mappings',
|
||||
field=models.ManyToManyField(blank=True, default=None, to='passbook_core.PropertyMapping'),
|
||||
),
|
||||
]
|
||||
@ -60,6 +60,8 @@ class User(AbstractUser):
|
||||
class Provider(models.Model):
|
||||
"""Application-independent Provider instance. For example SAML2 Remote, OAuth2 Application"""
|
||||
|
||||
property_mappings = models.ManyToManyField('PropertyMapping', default=None, blank=True)
|
||||
|
||||
objects = InheritanceManager()
|
||||
|
||||
# This class defines no field for easier inheritance
|
||||
@ -153,10 +155,12 @@ class Application(PolicyModel):
|
||||
def user_is_authorized(self, user: User) -> bool:
|
||||
"""Check if user is authorized to use this application"""
|
||||
from passbook.core.policies import PolicyEngine
|
||||
return PolicyEngine(self.policies.all()).for_user(user).result
|
||||
return PolicyEngine(self.policies.all()).for_user(user).build().result
|
||||
|
||||
def get_provider(self):
|
||||
"""Get casted provider instance"""
|
||||
if not self.provider:
|
||||
return None
|
||||
return Provider.objects.get_subclass(pk=self.provider.pk)
|
||||
|
||||
def __str__(self):
|
||||
@ -284,8 +288,9 @@ class FieldMatcherPolicy(Policy):
|
||||
if self.match_action == FieldMatcherPolicy.MATCH_REGEXP:
|
||||
pattern = re.compile(self.value)
|
||||
passes = bool(pattern.match(user_field_value))
|
||||
if self.negate:
|
||||
passes = not passes
|
||||
if self.match_action == FieldMatcherPolicy.MATCH_EXACT:
|
||||
passes = user_field_value == self.value
|
||||
|
||||
LOGGER.debug("User got '%r'", passes)
|
||||
return passes
|
||||
|
||||
@ -411,7 +416,7 @@ class Invitation(UUIDModel):
|
||||
verbose_name_plural = _('Invitations')
|
||||
|
||||
class Nonce(UUIDModel):
|
||||
"""One-time link for password resets/signup-confirmations"""
|
||||
"""One-time link for password resets/sign-up-confirmations"""
|
||||
|
||||
expires = models.DateTimeField(default=default_nonce_duration)
|
||||
user = models.ForeignKey('User', on_delete=models.CASCADE)
|
||||
@ -423,3 +428,19 @@ class Nonce(UUIDModel):
|
||||
|
||||
verbose_name = _('Nonce')
|
||||
verbose_name_plural = _('Nonces')
|
||||
|
||||
class PropertyMapping(UUIDModel):
|
||||
"""User-defined key -> x mapping which can be used by providers to expose extra data."""
|
||||
|
||||
name = models.TextField()
|
||||
|
||||
form = ''
|
||||
objects = InheritanceManager()
|
||||
|
||||
def __str__(self):
|
||||
return "Property Mapping %s" % self.name
|
||||
|
||||
class Meta:
|
||||
|
||||
verbose_name = _('Property Mapping')
|
||||
verbose_name_plural = _('Property Mappings')
|
||||
|
||||
@ -2,6 +2,7 @@
|
||||
from logging import getLogger
|
||||
|
||||
from celery import group
|
||||
from ipware import get_client_ip
|
||||
|
||||
from passbook.core.celery import CELERY_APP
|
||||
from passbook.core.models import Policy, User
|
||||
@ -17,25 +18,54 @@ def _policy_engine_task(user_pk, policy_pk, **kwargs):
|
||||
setattr(user_obj, key, value)
|
||||
LOGGER.debug("Running policy `%s`#%s for user %s...", policy_obj.name,
|
||||
policy_obj.pk.hex, user_obj)
|
||||
return policy_obj.passes(user_obj)
|
||||
policy_result = policy_obj.passes(user_obj)
|
||||
# Handle policy result correctly if result, message or just result
|
||||
message = None
|
||||
if isinstance(policy_result, (tuple, list)):
|
||||
policy_result, message = policy_result
|
||||
# Invert result if policy.negate is set
|
||||
if policy_obj.negate:
|
||||
policy_result = not policy_result
|
||||
LOGGER.debug("Policy %r#%s got %s", policy_obj.name, policy_obj.pk.hex, policy_result)
|
||||
return policy_obj.action, policy_result, message
|
||||
|
||||
class PolicyEngine:
|
||||
"""Orchestrate policy checking, launch tasks and return result"""
|
||||
|
||||
policies = None
|
||||
_group = None
|
||||
_request = None
|
||||
_user = None
|
||||
|
||||
def __init__(self, policies):
|
||||
self.policies = policies
|
||||
self._request = None
|
||||
self._user = None
|
||||
|
||||
def for_user(self, user):
|
||||
"""Check policies for user"""
|
||||
self._user = user
|
||||
return self
|
||||
|
||||
def with_request(self, request):
|
||||
"""Set request"""
|
||||
self._request = request
|
||||
return self
|
||||
|
||||
def build(self):
|
||||
"""Build task group"""
|
||||
if not self._user:
|
||||
raise ValueError("User not set.")
|
||||
signatures = []
|
||||
kwargs = {
|
||||
'__password__': getattr(user, '__password__', None)
|
||||
'__password__': getattr(self._user, '__password__', None),
|
||||
}
|
||||
if self._request:
|
||||
kwargs['remote_ip'], _ = get_client_ip(self._request)
|
||||
if not kwargs['remote_ip']:
|
||||
kwargs['remote_ip'] = '255.255.255.255'
|
||||
for policy in self.policies:
|
||||
signatures.append(_policy_engine_task.s(user.pk, policy.pk.hex, **kwargs))
|
||||
signatures.append(_policy_engine_task.s(self._user.pk, policy.pk.hex, **kwargs))
|
||||
self._group = group(signatures)()
|
||||
return self
|
||||
|
||||
@ -43,10 +73,17 @@ class PolicyEngine:
|
||||
def result(self):
|
||||
"""Get policy-checking result"""
|
||||
messages = []
|
||||
for policy_result in self._group.get():
|
||||
if isinstance(policy_result, (tuple, list)):
|
||||
policy_result, policy_message = policy_result
|
||||
for policy_action, policy_result, policy_message in self._group.get():
|
||||
passing = (policy_action == Policy.ACTION_ALLOW and policy_result) or \
|
||||
(policy_action == Policy.ACTION_DENY and not policy_result)
|
||||
LOGGER.debug('Action=%s, Result=%r => %r', policy_action, policy_result, passing)
|
||||
if policy_message:
|
||||
messages.append(policy_message)
|
||||
if policy_result is False:
|
||||
if not passing:
|
||||
return False, messages
|
||||
return True, messages
|
||||
|
||||
@property
|
||||
def passing(self):
|
||||
"""Only get true/false if user passes"""
|
||||
return self.result[0]
|
||||
|
||||
@ -1,12 +1,13 @@
|
||||
django>=2.0
|
||||
django-model-utils
|
||||
django-ipware
|
||||
djangorestframework
|
||||
PyYAML
|
||||
raven
|
||||
markdown
|
||||
colorlog
|
||||
celery
|
||||
redis<3.0
|
||||
redis
|
||||
psycopg2
|
||||
idna<2.8,>=2.5
|
||||
cherrypy
|
||||
|
||||
@ -62,6 +62,7 @@ INSTALLED_APPS = [
|
||||
'django.contrib.staticfiles',
|
||||
'rest_framework',
|
||||
'drf_yasg',
|
||||
'raven.contrib.django.raven_compat',
|
||||
'passbook.core.apps.PassbookCoreConfig',
|
||||
'passbook.admin.apps.PassbookAdminConfig',
|
||||
'passbook.api.apps.PassbookAPIConfig',
|
||||
@ -75,6 +76,8 @@ INSTALLED_APPS = [
|
||||
'passbook.captcha_factor.apps.PassbookCaptchaFactorConfig',
|
||||
'passbook.hibp_policy.apps.PassbookHIBPConfig',
|
||||
'passbook.pretend.apps.PassbookPretendConfig',
|
||||
'passbook.password_expiry_policy.apps.PassbookPasswordExpiryPolicyConfig',
|
||||
'passbook.suspicious_policy.apps.PassbookSuspiciousPolicyConfig',
|
||||
]
|
||||
|
||||
# Message Tag fix for bootstrap CSS Classes
|
||||
@ -103,6 +106,7 @@ MIDDLEWARE = [
|
||||
'django.contrib.auth.middleware.AuthenticationMiddleware',
|
||||
'django.contrib.messages.middleware.MessageMiddleware',
|
||||
'django.middleware.clickjacking.XFrameOptionsMiddleware',
|
||||
'raven.contrib.django.raven_compat.middleware.SentryResponseErrorIdMiddleware',
|
||||
]
|
||||
|
||||
ROOT_URLCONF = 'passbook.core.urls'
|
||||
@ -183,6 +187,14 @@ CELERY_TASK_DEFAULT_QUEUE = 'passbook'
|
||||
CELERY_BROKER_URL = 'redis://%s' % CONFIG.get('redis')
|
||||
CELERY_RESULT_BACKEND = 'redis://%s' % CONFIG.get('redis')
|
||||
|
||||
# Raven settings
|
||||
RAVEN_CONFIG = {
|
||||
'dsn': ('https://55b5dd780bc14f4c96bba69b7a9abbcc:449af483bd0745'
|
||||
'0d83be640d834e5458@sentry.services.beryju.org/8'),
|
||||
'release': VERSION,
|
||||
'environment': 'dev' if DEBUG else 'production',
|
||||
}
|
||||
|
||||
# CherryPY settings
|
||||
with CONFIG.cd('web'):
|
||||
CHERRYPY_SERVER = {
|
||||
|
||||
@ -20,7 +20,7 @@ def password_policy_checker(sender, password, **kwargs):
|
||||
_all_factors = PasswordFactor.objects.filter(enabled=True).order_by('order')
|
||||
for factor in _all_factors:
|
||||
policy_engine = PolicyEngine(factor.password_policies.all().select_subclasses())
|
||||
policy_engine.for_user(sender)
|
||||
policy_engine.for_user(sender).build()
|
||||
passing, messages = policy_engine.result
|
||||
if not passing:
|
||||
raise PasswordPolicyInvalid(*messages)
|
||||
|
||||
23
passbook/core/static/css/passbook.css
Normal file
23
passbook/core/static/css/passbook.css
Normal file
@ -0,0 +1,23 @@
|
||||
.dynamic-array-widget .array-item {
|
||||
display: flex;
|
||||
align-items: center;
|
||||
margin-bottom: 15px;
|
||||
}
|
||||
|
||||
.dynamic-array-widget .remove_sign {
|
||||
width: 10px;
|
||||
height: 2px;
|
||||
background: #a41515;
|
||||
border-radius: 1px;
|
||||
}
|
||||
|
||||
.dynamic-array-widget .remove {
|
||||
height: 15px;
|
||||
display: flex;
|
||||
align-items: center;
|
||||
margin-left: 5px;
|
||||
}
|
||||
|
||||
.dynamic-array-widget .remove:hover {
|
||||
cursor: pointer;
|
||||
}
|
||||
@ -16,3 +16,33 @@ const typeHandler = function (e) {
|
||||
|
||||
$source.on('input', typeHandler) // register for oninput
|
||||
$source.on('propertychange', typeHandler) // for IE8
|
||||
|
||||
window.addEventListener('load', function () {
|
||||
|
||||
function addRemoveEventListener(widgetElement) {
|
||||
widgetElement.querySelectorAll('.array-remove').forEach(function (element) {
|
||||
element.addEventListener('click', function () {
|
||||
this.parentNode.parentNode.remove();
|
||||
});
|
||||
});
|
||||
}
|
||||
|
||||
document.querySelectorAll('.dynamic-array-widget').forEach(function (widgetElement) {
|
||||
|
||||
addRemoveEventListener(widgetElement);
|
||||
|
||||
widgetElement.querySelector('.add-array-item').addEventListener('click', function () {
|
||||
var first = widgetElement.querySelector('.array-item');
|
||||
var newElement = first.cloneNode(true);
|
||||
var id_parts = newElement.querySelector('input').getAttribute('id').split('_');
|
||||
var id = id_parts.slice(0, -1).join('_') + '_' + String(parseInt(id_parts.slice(-1)[0]) + 1);
|
||||
newElement.querySelector('input').setAttribute('id', id);
|
||||
newElement.querySelector('input').value = '';
|
||||
|
||||
addRemoveEventListener(newElement);
|
||||
first.parentElement.insertBefore(newElement, first.parentNode.lastChild);
|
||||
});
|
||||
|
||||
});
|
||||
|
||||
});
|
||||
|
||||
@ -4,6 +4,7 @@
|
||||
|
||||
<!DOCTYPE html>
|
||||
<html lang="en">
|
||||
|
||||
<head>
|
||||
<meta charset="UTF-8">
|
||||
<meta name="viewport" content="width=device-width, initial-scale=1">
|
||||
@ -16,6 +17,7 @@
|
||||
<link rel="shortcut icon" type="image/png" href="{% static 'img/logo.png' %}">
|
||||
<link rel="stylesheet" type="text/css" href="{% static 'css/patternfly.min.css' %}">
|
||||
<link rel="stylesheet" type="text/css" href="{% static 'css/patternfly-additions.min.css' %}">
|
||||
<link rel="stylesheet" type="text/css" href="{% static 'css/passbook.css' %}">
|
||||
<style>
|
||||
.login-pf {
|
||||
background-attachment: fixed;
|
||||
@ -26,7 +28,16 @@
|
||||
{% block head %}
|
||||
{% endblock %}
|
||||
</head>
|
||||
|
||||
<body {% if is_login %} class="login-pf" {% endif %}>
|
||||
{% if 'impersonate_id' in request.session %}
|
||||
<div class="experimental-pf-bar">
|
||||
<span id="experimentalBar" class="experimental-pf-text">
|
||||
{% blocktrans with user=user %}You're currently impersonating {{ user }}.{% endblocktrans %}
|
||||
<a href="?__unimpersonate=True" id="acceptMessage">{% trans 'Stop impersonation' %}</a>
|
||||
</span>
|
||||
</div>
|
||||
{% endif %}
|
||||
{% block body %}
|
||||
{% endblock %}
|
||||
<script src="{% static 'js/jquery.min.js' %}"></script>
|
||||
@ -39,4 +50,5 @@
|
||||
{% include 'partials/about_modal.html' %}
|
||||
</div>
|
||||
</body>
|
||||
|
||||
</html>
|
||||
|
||||
@ -6,13 +6,13 @@
|
||||
{% block content %}
|
||||
<div class="container">
|
||||
{% block above_form %}
|
||||
<h1>{% blocktrans with object_type=object|fieldtype|title %}Delete {{ object_type }}{% endblocktrans %}</h1>
|
||||
<h1>{% blocktrans with object_type=object|verbose_name %}Delete {{ object_type }}{% endblocktrans %}</h1>
|
||||
{% endblock %}
|
||||
<div class="">
|
||||
<form method="post" class="form-horizontal">
|
||||
{% csrf_token %}
|
||||
<p>
|
||||
{% blocktrans with object_type=object|fieldtype|title name=object %}
|
||||
{% blocktrans with object_type=object|verbose_name name=object %}
|
||||
Are you sure you want to delete {{ object_type }} "{{ object }}"?
|
||||
{% endblocktrans %}
|
||||
</p>
|
||||
|
||||
@ -29,7 +29,7 @@
|
||||
<div class="login-pf-page">
|
||||
<div class="container-fluid">
|
||||
<div class="row">
|
||||
<div class="col-sm-12 col-md-8 col-md-offset-2 col-lg-4 col-lg-offset-4">
|
||||
<div class="col-sm-12 col-md-8 col-md-offset-2 col-lg-6 col-lg-offset-3">
|
||||
<header class="login-pf-page-header">
|
||||
<img class="login-pf-brand" style="max-height: 10rem;" src="{% static 'img/logo.svg' %}"
|
||||
alt="passbook logo" />
|
||||
|
||||
@ -16,7 +16,7 @@ def user_factors(context):
|
||||
for factor in _all_factors:
|
||||
_link = factor.has_user_settings()
|
||||
policy_engine = PolicyEngine(factor.policies.all())
|
||||
policy_engine.for_user(user)
|
||||
if policy_engine.result[0] and _link:
|
||||
policy_engine.for_user(user).with_request(context.get('request')).build()
|
||||
if policy_engine.passing and _link:
|
||||
matching_factors.append(_link)
|
||||
return matching_factors
|
||||
|
||||
130
passbook/core/tests/test_auth_view.py
Normal file
130
passbook/core/tests/test_auth_view.py
Normal file
@ -0,0 +1,130 @@
|
||||
"""passbook Core Authentication Test"""
|
||||
import string
|
||||
from random import SystemRandom
|
||||
|
||||
from django.contrib.auth.models import AnonymousUser
|
||||
from django.contrib.sessions.middleware import SessionMiddleware
|
||||
from django.test import RequestFactory, TestCase
|
||||
from django.urls import reverse
|
||||
|
||||
from passbook.core.auth.view import AuthenticationView
|
||||
from passbook.core.models import DummyFactor, PasswordFactor, User
|
||||
|
||||
|
||||
class TestFactorAuthentication(TestCase):
|
||||
"""passbook Core Authentication Test"""
|
||||
|
||||
def setUp(self):
|
||||
super().setUp()
|
||||
self.password = ''.join(SystemRandom().choice(
|
||||
string.ascii_uppercase + string.digits) for _ in range(8))
|
||||
self.factor, _ = PasswordFactor.objects.get_or_create(name='password',
|
||||
slug='password',
|
||||
backends=[])
|
||||
self.user = User.objects.create_user(username='test',
|
||||
email='test@test.test',
|
||||
password=self.password)
|
||||
|
||||
def test_unauthenticated_raw(self):
|
||||
"""test direct call to AuthenticationView"""
|
||||
response = self.client.get(reverse('passbook_core:auth-process'))
|
||||
# Response should be 302 since no pending user is set
|
||||
self.assertEqual(response.status_code, 302)
|
||||
self.assertEqual(response.url, reverse('passbook_core:auth-login'))
|
||||
|
||||
def test_unauthenticated_prepared(self):
|
||||
"""test direct call but with pending_uesr in session"""
|
||||
request = RequestFactory().get(reverse('passbook_core:auth-process'))
|
||||
request.user = AnonymousUser()
|
||||
request.session = {}
|
||||
request.session[AuthenticationView.SESSION_PENDING_USER] = self.user.pk
|
||||
|
||||
response = AuthenticationView.as_view()(request)
|
||||
self.assertEqual(response.status_code, 200)
|
||||
|
||||
def test_no_factors(self):
|
||||
"""Test with all factors disabled"""
|
||||
self.factor.enabled = False
|
||||
self.factor.save()
|
||||
request = RequestFactory().get(reverse('passbook_core:auth-process'))
|
||||
request.user = AnonymousUser()
|
||||
request.session = {}
|
||||
request.session[AuthenticationView.SESSION_PENDING_USER] = self.user.pk
|
||||
|
||||
response = AuthenticationView.as_view()(request)
|
||||
self.assertEqual(response.status_code, 302)
|
||||
self.assertEqual(response.url, reverse('passbook_core:auth-denied'))
|
||||
self.factor.enabled = True
|
||||
self.factor.save()
|
||||
|
||||
def test_authenticated(self):
|
||||
"""Test with already logged in user"""
|
||||
self.client.force_login(self.user)
|
||||
response = self.client.get(reverse('passbook_core:auth-process'))
|
||||
# Response should be 302 since no pending user is set
|
||||
self.assertEqual(response.status_code, 302)
|
||||
self.assertEqual(response.url, reverse('passbook_core:overview'))
|
||||
self.client.logout()
|
||||
|
||||
def test_unauthenticated_post(self):
|
||||
"""Test post request as unauthenticated user"""
|
||||
request = RequestFactory().post(reverse('passbook_core:auth-process'), data={
|
||||
'password': self.password
|
||||
})
|
||||
request.user = AnonymousUser()
|
||||
middleware = SessionMiddleware()
|
||||
middleware.process_request(request)
|
||||
request.session.save()
|
||||
request.session[AuthenticationView.SESSION_PENDING_USER] = self.user.pk
|
||||
|
||||
response = AuthenticationView.as_view()(request)
|
||||
self.assertEqual(response.status_code, 302)
|
||||
self.assertEqual(response.url, reverse('passbook_core:overview'))
|
||||
self.client.logout()
|
||||
|
||||
def test_unauthenticated_post_invalid(self):
|
||||
"""Test post request as unauthenticated user"""
|
||||
request = RequestFactory().post(reverse('passbook_core:auth-process'), data={
|
||||
'password': self.password + 'a'
|
||||
})
|
||||
request.user = AnonymousUser()
|
||||
middleware = SessionMiddleware()
|
||||
middleware.process_request(request)
|
||||
request.session.save()
|
||||
request.session[AuthenticationView.SESSION_PENDING_USER] = self.user.pk
|
||||
|
||||
response = AuthenticationView.as_view()(request)
|
||||
self.assertEqual(response.status_code, 200)
|
||||
self.client.logout()
|
||||
|
||||
def test_multifactor(self):
|
||||
"""Test view with multiple active factors"""
|
||||
DummyFactor.objects.get_or_create(name='dummy',
|
||||
slug='dummy',
|
||||
order=1)
|
||||
request = RequestFactory().post(reverse('passbook_core:auth-process'), data={
|
||||
'password': self.password
|
||||
})
|
||||
request.user = AnonymousUser()
|
||||
middleware = SessionMiddleware()
|
||||
middleware.process_request(request)
|
||||
request.session.save()
|
||||
request.session[AuthenticationView.SESSION_PENDING_USER] = self.user.pk
|
||||
|
||||
response = AuthenticationView.as_view()(request)
|
||||
session_copy = request.session.items()
|
||||
self.assertEqual(response.status_code, 302)
|
||||
# Verify view redirects to itself after auth
|
||||
self.assertEqual(response.url, reverse('passbook_core:auth-process'))
|
||||
|
||||
# Run another request with same session which should result in a logged in user
|
||||
request = RequestFactory().post(reverse('passbook_core:auth-process'))
|
||||
request.user = AnonymousUser()
|
||||
middleware = SessionMiddleware()
|
||||
middleware.process_request(request)
|
||||
for key, value in session_copy:
|
||||
request.session[key] = value
|
||||
request.session.save()
|
||||
response = AuthenticationView.as_view()(request)
|
||||
self.assertEqual(response.status_code, 302)
|
||||
self.assertEqual(response.url, reverse('passbook_core:overview'))
|
||||
@ -46,6 +46,7 @@ class UserChangePasswordView(FormView):
|
||||
|
||||
def form_valid(self, form: PasswordChangeForm):
|
||||
try:
|
||||
# user.set_password checks against Policies so we don't need to manually do it here
|
||||
self.request.user.set_password(form.cleaned_data.get('password'))
|
||||
self.request.user.save()
|
||||
update_session_auth_hash(self.request, self.request.user)
|
||||
|
||||
@ -10,7 +10,8 @@ https://docs.djangoproject.com/en/2.1/howto/deployment/wsgi/
|
||||
import os
|
||||
|
||||
from django.core.wsgi import get_wsgi_application
|
||||
from raven.contrib.django.raven_compat.middleware.wsgi import Sentry
|
||||
|
||||
os.environ.setdefault('DJANGO_SETTINGS_MODULE', 'passbook.settings')
|
||||
|
||||
application = get_wsgi_application()
|
||||
application = Sentry(get_wsgi_application())
|
||||
|
||||
@ -1,2 +1,2 @@
|
||||
"""passbook hibp_policy"""
|
||||
__version__ = '0.0.7-alpha'
|
||||
__version__ = '0.1.9-beta'
|
||||
|
||||
@ -1,2 +1,2 @@
|
||||
"""Passbook ldap app Header"""
|
||||
__version__ = '0.0.13-alpha'
|
||||
__version__ = '0.1.9-beta'
|
||||
|
||||
@ -1,2 +1,2 @@
|
||||
"""passbook lib"""
|
||||
__version__ = '0.0.13-alpha'
|
||||
__version__ = '0.1.9-beta'
|
||||
|
||||
@ -0,0 +1,44 @@
|
||||
"""passbook lib fields"""
|
||||
from itertools import chain
|
||||
|
||||
from django import forms
|
||||
from django.contrib.postgres.utils import prefix_validation_error
|
||||
|
||||
from passbook.lib.widgets import DynamicArrayWidget
|
||||
|
||||
|
||||
class DynamicArrayField(forms.Field):
|
||||
"""Show array field as a dynamic amount of textboxes"""
|
||||
|
||||
default_error_messages = {"item_invalid": "Item %(nth)s in the array did not validate: "}
|
||||
|
||||
def __init__(self, base_field, **kwargs):
|
||||
self.base_field = base_field
|
||||
self.max_length = kwargs.pop("max_length", None)
|
||||
kwargs.setdefault("widget", DynamicArrayWidget)
|
||||
super().__init__(**kwargs)
|
||||
|
||||
def clean(self, value):
|
||||
cleaned_data = []
|
||||
errors = []
|
||||
value = [x for x in value if x]
|
||||
for index, item in enumerate(value):
|
||||
try:
|
||||
cleaned_data.append(self.base_field.clean(item))
|
||||
except forms.ValidationError as error:
|
||||
errors.append(
|
||||
prefix_validation_error(
|
||||
error, self.error_messages["item_invalid"],
|
||||
code="item_invalid", params={"nth": index}
|
||||
)
|
||||
)
|
||||
if errors:
|
||||
raise forms.ValidationError(list(chain.from_iterable(errors)))
|
||||
if not cleaned_data and self.required:
|
||||
raise forms.ValidationError(self.error_messages["required"])
|
||||
return cleaned_data
|
||||
|
||||
def has_changed(self, initial, data):
|
||||
if not data and not initial:
|
||||
return False
|
||||
return super().has_changed(initial, data)
|
||||
|
||||
17
passbook/lib/templates/lib/arrayfield.html
Normal file
17
passbook/lib/templates/lib/arrayfield.html
Normal file
@ -0,0 +1,17 @@
|
||||
{% load utils %}
|
||||
|
||||
{% spaceless %}
|
||||
<div class="dynamic-array-widget">
|
||||
{% for widget in widget.subwidgets %}
|
||||
<div class="array-item input-group">
|
||||
{% include widget.template_name %}
|
||||
<div class="input-group-btn">
|
||||
<button class="array-remove btn btn-danger" type="button">
|
||||
<span class="pficon-delete"></span>
|
||||
</button>
|
||||
</div>
|
||||
</div>
|
||||
{% endfor %}
|
||||
<div><button type="button" class="add-array-item btn btn-default">Add another</button></div>
|
||||
</div>
|
||||
{% endspaceless %}
|
||||
@ -212,10 +212,14 @@ def gravatar(email, size=None, rating=None):
|
||||
@register.filter
|
||||
def verbose_name(obj):
|
||||
"""Return Object's Verbose Name"""
|
||||
if not obj:
|
||||
return ''
|
||||
return obj._meta.verbose_name
|
||||
|
||||
|
||||
@register.filter
|
||||
def form_verbose_name(obj):
|
||||
"""Return ModelForm's Object's Verbose Name"""
|
||||
if not obj:
|
||||
return ''
|
||||
return obj._meta.model._meta.verbose_name
|
||||
|
||||
36
passbook/lib/widgets.py
Normal file
36
passbook/lib/widgets.py
Normal file
@ -0,0 +1,36 @@
|
||||
"""Dynamic array widget"""
|
||||
from django import forms
|
||||
|
||||
|
||||
class DynamicArrayWidget(forms.TextInput):
|
||||
"""Dynamic array widget"""
|
||||
|
||||
template_name = "lib/arrayfield.html"
|
||||
|
||||
def get_context(self, name, value, attrs):
|
||||
value = value or [""]
|
||||
context = super().get_context(name, value, attrs)
|
||||
final_attrs = context["widget"]["attrs"]
|
||||
id_ = context["widget"]["attrs"].get("id")
|
||||
|
||||
subwidgets = []
|
||||
for index, item in enumerate(context["widget"]["value"]):
|
||||
widget_attrs = final_attrs.copy()
|
||||
if id_:
|
||||
widget_attrs["id"] = "{id_}_{index}".format(id_=id_, index=index)
|
||||
widget = forms.TextInput()
|
||||
widget.is_required = self.is_required
|
||||
subwidgets.append(widget.get_context(name, item, widget_attrs)["widget"])
|
||||
|
||||
context["widget"]["subwidgets"] = subwidgets
|
||||
return context
|
||||
|
||||
def value_from_datadict(self, data, files, name):
|
||||
try:
|
||||
getter = data.getlist
|
||||
return [value for value in getter(name) if value]
|
||||
except AttributeError:
|
||||
return data.get(name)
|
||||
|
||||
def format_value(self, value):
|
||||
return value or []
|
||||
@ -1,2 +1,2 @@
|
||||
"""passbook oauth_client Header"""
|
||||
__version__ = '0.0.13-alpha'
|
||||
__version__ = '0.1.9-beta'
|
||||
|
||||
@ -1,2 +1,2 @@
|
||||
"""passbook oauth_provider Header"""
|
||||
__version__ = '0.0.13-alpha'
|
||||
__version__ = '0.1.9-beta'
|
||||
|
||||
@ -12,7 +12,7 @@ class OAuth2Provider(Provider, AbstractApplication):
|
||||
form = 'passbook.oauth_provider.forms.OAuth2ProviderForm'
|
||||
|
||||
def __str__(self):
|
||||
return self.name
|
||||
return "OAuth2 Provider %s" % self.name
|
||||
|
||||
class Meta:
|
||||
|
||||
|
||||
@ -1,2 +1,2 @@
|
||||
"""passbook otp Header"""
|
||||
__version__ = '0.0.13-alpha'
|
||||
__version__ = '0.1.9-beta'
|
||||
|
||||
2
passbook/password_expiry_policy/__init__.py
Normal file
2
passbook/password_expiry_policy/__init__.py
Normal file
@ -0,0 +1,2 @@
|
||||
"""passbook password_expiry"""
|
||||
__version__ = '0.1.9-beta'
|
||||
5
passbook/password_expiry_policy/admin.py
Normal file
5
passbook/password_expiry_policy/admin.py
Normal file
@ -0,0 +1,5 @@
|
||||
"""Passbook password_expiry_policy Admin"""
|
||||
|
||||
from passbook.lib.admin import admin_autoregister
|
||||
|
||||
admin_autoregister('passbook_password_expiry_policy')
|
||||
11
passbook/password_expiry_policy/apps.py
Normal file
11
passbook/password_expiry_policy/apps.py
Normal file
@ -0,0 +1,11 @@
|
||||
"""Passbook password_expiry_policy app config"""
|
||||
|
||||
from django.apps import AppConfig
|
||||
|
||||
|
||||
class PassbookPasswordExpiryPolicyConfig(AppConfig):
|
||||
"""Passbook password_expiry_policy app config"""
|
||||
|
||||
name = 'passbook.password_expiry_policy'
|
||||
label = 'passbook_password_expiry_policy'
|
||||
verbose_name = 'passbook Password Expiry Policy'
|
||||
24
passbook/password_expiry_policy/forms.py
Normal file
24
passbook/password_expiry_policy/forms.py
Normal file
@ -0,0 +1,24 @@
|
||||
"""passbook PasswordExpiry Policy forms"""
|
||||
|
||||
from django import forms
|
||||
from django.utils.translation import gettext as _
|
||||
|
||||
from passbook.core.forms.policies import GENERAL_FIELDS
|
||||
from passbook.password_expiry_policy.models import PasswordExpiryPolicy
|
||||
|
||||
|
||||
class PasswordExpiryPolicyForm(forms.ModelForm):
|
||||
"""Edit PasswordExpiryPolicy instances"""
|
||||
|
||||
class Meta:
|
||||
|
||||
model = PasswordExpiryPolicy
|
||||
fields = GENERAL_FIELDS + ['days', 'deny_only']
|
||||
widgets = {
|
||||
'name': forms.TextInput(),
|
||||
'order': forms.NumberInput(),
|
||||
'days': forms.NumberInput(),
|
||||
}
|
||||
labels = {
|
||||
'deny_only': _("Only fail the policy, don't set user's password.")
|
||||
}
|
||||
29
passbook/password_expiry_policy/migrations/0001_initial.py
Normal file
29
passbook/password_expiry_policy/migrations/0001_initial.py
Normal file
@ -0,0 +1,29 @@
|
||||
# Generated by Django 2.1.7 on 2019-03-03 13:46
|
||||
|
||||
import django.db.models.deletion
|
||||
from django.db import migrations, models
|
||||
|
||||
|
||||
class Migration(migrations.Migration):
|
||||
|
||||
initial = True
|
||||
|
||||
dependencies = [
|
||||
('passbook_core', '0016_auto_20190227_1355'),
|
||||
]
|
||||
|
||||
operations = [
|
||||
migrations.CreateModel(
|
||||
name='PasswordExpiryPolicy',
|
||||
fields=[
|
||||
('policy_ptr', models.OneToOneField(auto_created=True, on_delete=django.db.models.deletion.CASCADE, parent_link=True, primary_key=True, serialize=False, to='passbook_core.Policy')),
|
||||
('deny_only', models.BooleanField(default=False)),
|
||||
('days', models.IntegerField()),
|
||||
],
|
||||
options={
|
||||
'verbose_name': 'Password Expiry Policy',
|
||||
'verbose_name_plural': 'Password Expiry Policies',
|
||||
},
|
||||
bases=('passbook_core.policy',),
|
||||
),
|
||||
]
|
||||
42
passbook/password_expiry_policy/models.py
Normal file
42
passbook/password_expiry_policy/models.py
Normal file
@ -0,0 +1,42 @@
|
||||
"""passbook password_expiry_policy Models"""
|
||||
from datetime import timedelta
|
||||
from logging import getLogger
|
||||
|
||||
from django.db import models
|
||||
from django.utils.timezone import now
|
||||
from django.utils.translation import gettext as _
|
||||
|
||||
from passbook.core.models import Policy, User
|
||||
|
||||
LOGGER = getLogger(__name__)
|
||||
|
||||
|
||||
class PasswordExpiryPolicy(Policy):
|
||||
"""If password change date is more than x days in the past, call set_unusable_password
|
||||
and show a notice"""
|
||||
|
||||
deny_only = models.BooleanField(default=False)
|
||||
days = models.IntegerField()
|
||||
|
||||
form = 'passbook.password_expiry_policy.forms.PasswordExpiryPolicyForm'
|
||||
|
||||
def passes(self, user: User) -> bool:
|
||||
"""If password change date is more than x days in the past, call set_unusable_password
|
||||
and show a notice"""
|
||||
actual_days = (now() - user.password_change_date).days
|
||||
days_since_expiry = (now() - (user.password_change_date + timedelta(days=self.days))).days
|
||||
if actual_days >= self.days:
|
||||
if not self.deny_only:
|
||||
user.set_unusable_password()
|
||||
user.save()
|
||||
return False, _(('Password expired %(days)d days ago. '
|
||||
'Please update your password.') % {
|
||||
'days': days_since_expiry
|
||||
})
|
||||
return False, _('Password has expired.')
|
||||
return True
|
||||
|
||||
class Meta:
|
||||
|
||||
verbose_name = _('Password Expiry Policy')
|
||||
verbose_name_plural = _('Password Expiry Policies')
|
||||
@ -1,2 +1,2 @@
|
||||
"""passbook saml_idp Header"""
|
||||
__version__ = '0.0.13-alpha'
|
||||
__version__ = '0.1.9-beta'
|
||||
|
||||
@ -6,7 +6,6 @@ from logging import getLogger
|
||||
|
||||
from bs4 import BeautifulSoup
|
||||
|
||||
from passbook.lib.config import CONFIG
|
||||
from passbook.saml_idp import exceptions, utils, xml_render
|
||||
|
||||
MINUTES = 60
|
||||
@ -52,9 +51,7 @@ class Processor:
|
||||
_session_index = None
|
||||
_subject = None
|
||||
_subject_format = 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
|
||||
_system_params = {
|
||||
'ISSUER': CONFIG.y('saml_idp.issuer'),
|
||||
}
|
||||
_system_params = {}
|
||||
|
||||
@property
|
||||
def dotted_path(self):
|
||||
@ -67,7 +64,7 @@ class Processor:
|
||||
self.name = remote.name
|
||||
self._remote = remote
|
||||
self._logger = getLogger(__name__)
|
||||
|
||||
self._system_params['ISSUER'] = self._remote.issuer
|
||||
self._logger.info('processor configured')
|
||||
|
||||
def _build_assertion(self):
|
||||
@ -170,6 +167,20 @@ class Processor:
|
||||
'Value': self._django_request.user.username,
|
||||
},
|
||||
]
|
||||
from passbook.saml_idp.models import SAMLPropertyMapping
|
||||
for mapping in self._remote.property_mappings.all().select_subclasses():
|
||||
if isinstance(mapping, SAMLPropertyMapping):
|
||||
mapping_payload = {
|
||||
'Name': mapping.saml_name,
|
||||
'ValueArray': [],
|
||||
'FriendlyName': mapping.friendly_name
|
||||
}
|
||||
for value in mapping.values:
|
||||
mapping_payload['ValueArray'].append(value.format(
|
||||
user=self._django_request.user,
|
||||
request=self._django_request
|
||||
))
|
||||
self._assertion_params['ATTRIBUTES'].append(mapping_payload)
|
||||
self._assertion_xml = xml_render.get_assertion_xml(
|
||||
'saml/xml/assertions/generic.xml', self._assertion_params, signed=True)
|
||||
|
||||
@ -227,7 +238,7 @@ class Processor:
|
||||
self._subject = sp_config
|
||||
self._subject_format = 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
|
||||
self._system_params = {
|
||||
'ISSUER': CONFIG.y('saml_idp.issuer'),
|
||||
'ISSUER': self._remote.issuer
|
||||
}
|
||||
|
||||
def _validate_request(self):
|
||||
|
||||
@ -2,7 +2,9 @@
|
||||
|
||||
from django import forms
|
||||
|
||||
from passbook.saml_idp.models import SAMLProvider, get_provider_choices
|
||||
from passbook.lib.fields import DynamicArrayField
|
||||
from passbook.saml_idp.models import (SAMLPropertyMapping, SAMLProvider,
|
||||
get_provider_choices)
|
||||
from passbook.saml_idp.utils import CertificateBuilder
|
||||
|
||||
|
||||
@ -21,7 +23,7 @@ class SAMLProviderForm(forms.ModelForm):
|
||||
class Meta:
|
||||
|
||||
model = SAMLProvider
|
||||
fields = ['name', 'acs_url', 'processor_path', 'issuer',
|
||||
fields = ['name', 'property_mappings', 'acs_url', 'processor_path', 'issuer',
|
||||
'assertion_valid_for', 'signing', 'signing_cert', 'signing_key', ]
|
||||
labels = {
|
||||
'acs_url': 'ACS URL',
|
||||
@ -31,3 +33,20 @@ class SAMLProviderForm(forms.ModelForm):
|
||||
'name': forms.TextInput(),
|
||||
'issuer': forms.TextInput(),
|
||||
}
|
||||
|
||||
|
||||
class SAMLPropertyMappingForm(forms.ModelForm):
|
||||
"""SAML Property Mapping form"""
|
||||
|
||||
class Meta:
|
||||
|
||||
model = SAMLPropertyMapping
|
||||
fields = ['name', 'saml_name', 'friendly_name', 'values']
|
||||
widgets = {
|
||||
'name': forms.TextInput(),
|
||||
'saml_name': forms.TextInput(),
|
||||
'friendly_name': forms.TextInput(),
|
||||
}
|
||||
field_classes = {
|
||||
'values': DynamicArrayField
|
||||
}
|
||||
|
||||
30
passbook/saml_idp/migrations/0002_samlpropertymapping.py
Normal file
30
passbook/saml_idp/migrations/0002_samlpropertymapping.py
Normal file
@ -0,0 +1,30 @@
|
||||
# Generated by Django 2.1.7 on 2019-03-08 10:40
|
||||
|
||||
import django.contrib.postgres.fields
|
||||
import django.db.models.deletion
|
||||
from django.db import migrations, models
|
||||
|
||||
|
||||
class Migration(migrations.Migration):
|
||||
|
||||
dependencies = [
|
||||
('passbook_core', '0017_propertymapping'),
|
||||
('passbook_saml_idp', '0001_initial'),
|
||||
]
|
||||
|
||||
operations = [
|
||||
migrations.CreateModel(
|
||||
name='SAMLPropertyMapping',
|
||||
fields=[
|
||||
('propertymapping_ptr', models.OneToOneField(auto_created=True, on_delete=django.db.models.deletion.CASCADE, parent_link=True, primary_key=True, serialize=False, to='passbook_core.PropertyMapping')),
|
||||
('saml_name', models.TextField()),
|
||||
('friendly_name', models.TextField(blank=True, default=None, null=True)),
|
||||
('values', django.contrib.postgres.fields.ArrayField(base_field=models.TextField(), size=None)),
|
||||
],
|
||||
options={
|
||||
'verbose_name': 'SAML Property Mapping',
|
||||
'verbose_name_plural': 'SAML Property Mappings',
|
||||
},
|
||||
bases=('passbook_core.propertymapping',),
|
||||
),
|
||||
]
|
||||
@ -1,10 +1,11 @@
|
||||
"""passbook saml_idp Models"""
|
||||
|
||||
from django.contrib.postgres.fields import ArrayField
|
||||
from django.db import models
|
||||
from django.shortcuts import reverse
|
||||
from django.utils.translation import gettext as _
|
||||
|
||||
from passbook.core.models import Provider
|
||||
from passbook.core.models import PropertyMapping, Provider
|
||||
from passbook.lib.utils.reflection import class_to_path, path_to_class
|
||||
from passbook.saml_idp.base import Processor
|
||||
|
||||
@ -36,13 +37,13 @@ class SAMLProvider(Provider):
|
||||
return self._processor
|
||||
|
||||
def __str__(self):
|
||||
return "SAMLProvider %s (processor=%s)" % (self.name, self.processor_path)
|
||||
return "SAML Provider %s" % self.name
|
||||
|
||||
def link_download_metadata(self):
|
||||
"""Get link to download XML metadata for admin interface"""
|
||||
try:
|
||||
# pylint: disable=no-member
|
||||
return reverse('passbook_saml_idp:metadata_xml',
|
||||
return reverse('passbook_saml_idp:saml-metadata',
|
||||
kwargs={'application': self.application.slug})
|
||||
except Provider.application.RelatedObjectDoesNotExist:
|
||||
return None
|
||||
@ -53,6 +54,23 @@ class SAMLProvider(Provider):
|
||||
verbose_name_plural = _('SAML Providers')
|
||||
|
||||
|
||||
class SAMLPropertyMapping(PropertyMapping):
|
||||
"""SAML Property mapping, allowing Name/FriendlyName mapping to a list of strings"""
|
||||
|
||||
saml_name = models.TextField()
|
||||
friendly_name = models.TextField(default=None, blank=True, null=True)
|
||||
values = ArrayField(models.TextField())
|
||||
|
||||
form = 'passbook.saml_idp.forms.SAMLPropertyMappingForm'
|
||||
|
||||
def __str__(self):
|
||||
return "SAML Property Mapping %s" % self.saml_name
|
||||
|
||||
class Meta:
|
||||
|
||||
verbose_name = _('SAML Property Mapping')
|
||||
verbose_name_plural = _('SAML Property Mappings')
|
||||
|
||||
def get_provider_choices():
|
||||
"""Return tuple of class_path, class name of all providers."""
|
||||
return [(class_to_path(x), x.__name__) for x in Processor.__subclasses__()]
|
||||
|
||||
@ -11,16 +11,12 @@ class AWSProcessor(Processor):
|
||||
|
||||
def _format_assertion(self):
|
||||
"""Formats _assertion_params as _assertion_xml."""
|
||||
self._assertion_params['ATTRIBUTES'] = [
|
||||
super()._format_assertion()
|
||||
self._assertion_params['ATTRIBUTES'].append(
|
||||
{
|
||||
'Name': 'https://aws.amazon.com/SAML/Attributes/RoleSessionName',
|
||||
'Value': self._django_request.user.username,
|
||||
},
|
||||
{
|
||||
'Name': 'https://aws.amazon.com/SAML/Attributes/Role',
|
||||
# 'Value': 'arn:aws:iam::471432361072:saml-provider/passbook_dev,
|
||||
# arn:aws:iam::471432361072:role/saml_role'
|
||||
}
|
||||
]
|
||||
)
|
||||
self._assertion_xml = xml_render.get_assertion_xml(
|
||||
'saml/xml/assertions/generic.xml', self._assertion_params, signed=True)
|
||||
|
||||
@ -11,38 +11,24 @@
|
||||
<header class="login-pf-header">
|
||||
<h1>{% trans 'Authorize Application' %}</h1>
|
||||
</header>
|
||||
<form method="POST" action="{{ acs_url }}">>
|
||||
<form method="POST" action="{{ acs_url }}">
|
||||
{% csrf_token %}
|
||||
<input type="hidden" name="ACSUrl" value="{{ acs_url }}">
|
||||
<input type="hidden" name="RelayState" value="{{ relay_state }}" />
|
||||
<input type="hidden" name="SAMLResponse" value="{{ saml_response }}" />
|
||||
<label class="title">
|
||||
<clr-icon shape="passbook" class="is-info" size="48"></clr-icon>
|
||||
{% config 'passbook.branding' %}
|
||||
</label>
|
||||
<label class="subtitle">
|
||||
{% trans 'SSO - Authorize External Source' %}
|
||||
</label>
|
||||
<div class="login-group">
|
||||
<p class="subtitle">
|
||||
{% blocktrans with remote=remote.name %}
|
||||
<h3>
|
||||
{% blocktrans with remote=remote.application.name %}
|
||||
You're about to sign into {{ remote }}
|
||||
{% endblocktrans %}
|
||||
</p>
|
||||
</h3>
|
||||
<p>
|
||||
{% blocktrans with user=user %}
|
||||
You are logged in as {{ user }}. Not you?
|
||||
You are logged in as {{ user }}.
|
||||
{% endblocktrans %}
|
||||
<a href="{% url 'passbook_core:auth-logout' %}">{% trans 'Logout' %}</a>
|
||||
<a href="{% url 'passbook_core:auth-logout' %}">{% trans 'Not you?' %}</a>
|
||||
</p>
|
||||
<div class="row">
|
||||
<div class="col-md-6">
|
||||
<input class="btn btn-success btn-block" type="submit" value="{% trans "Continue" %}" />
|
||||
</div>
|
||||
<div class="col-md-6">
|
||||
<a href="{% url 'passbook_core:overview' %}" class="btn btn-outline btn-block">{% trans "Cancel" %}</a>
|
||||
</div>
|
||||
</div>
|
||||
<input class="btn btn-primary btn-block btn-lg" type="submit" value="{% trans 'Continue' %}" />
|
||||
</div>
|
||||
</form>
|
||||
{% endblock %}
|
||||
|
||||
@ -39,7 +39,7 @@
|
||||
</section>
|
||||
</div>
|
||||
<div class="card-footer">
|
||||
<a href="{% url 'passbook_saml_idp:metadata_xml' %}" class="btn btn-primary"><clr-icon shape="download"></clr-icon>{% trans 'Download Metadata' %}</a>
|
||||
<a href="{% url 'passbook_saml_idp:saml-metadata' %}" class="btn btn-primary"><clr-icon shape="download"></clr-icon>{% trans 'Download Metadata' %}</a>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user