bump version: 0.0.11-alpha -> 0.0.12-alpha

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 0.0.9-alpha
+current_version = 0.0.12-alpha
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\-(?P<release>.*)
@@ -14,6 +14,8 @@ values =
 	beta
 	stable
 
+[bumpversion:file:helm/passbook/values.yaml]
+
 [bumpversion:file:helm/passbook/Chart.yaml]
 
 [bumpversion:file:.gitlab-ci.yml]

.gitlab-ci.yml

@@ -16,7 +16,6 @@ variables:
   POSTGRES_DB: passbook
   POSTGRES_USER: passbook
   POSTGRES_PASSWORD: 'EK-5jnKfjrGRm<77'
-  SUPERVISR_ENV: ci
 
 include:
   - /allauth/.gitlab-ci.yml
@@ -54,7 +53,7 @@ package-docker:
   before_script:
     - echo "{\"auths\":{\"docker.$NEXUS_URL\":{\"auth\":\"$NEXUS_AUTH\"}}}" > /kaniko/.docker/config.json
   script:
-    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination docker.pkg.beryju.org/passbook:latest --destination docker.pkg.beryju.org/passbook:0.0.9-alpha
+    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination docker.pkg.beryju.org/passbook:latest --destination docker.pkg.beryju.org/passbook:0.0.12-alpha
   stage: build
   only:
     - tags

helm/passbook/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v1
-appVersion: "0.0.9-alpha"
+appVersion: "0.0.12-alpha"
 description: A Helm chart for passbook.
 name: passbook
-version: "0.0.9-alpha"
+version: "0.0.12-alpha"
 icon: https://passbook.beryju.org/images/logo.png

helm/passbook/templates/passbook-configmap.yaml

@@ -36,7 +36,7 @@ data:
     debug: false
     secure_proxy_header:
       HTTP_X_FORWARDED_PROTO: https
-    redis: {{ .Release.Name }}-redis
+    redis: ":{{ .Values.redis.password }}@{{ .Release.Name }}-redis-master"
     # Error reporting, sends stacktrace to sentry.services.beryju.org
     error_report_enabled: {{ .Values.config.error_reporting }}
 

helm/passbook/values.yaml

@@ -5,7 +5,7 @@
 replicaCount: 1
 
 image:
-  tag: latest
+  tag: 0.0.12-alpha
 
 nameOverride: ""
 

passbook/__init__.py

@@ -1,2 +1,2 @@
 """passbook"""
-__version__ = '0.0.9-alpha'
+__version__ = '0.0.12-alpha'

passbook/admin/__init__.py

@@ -1,2 +1,2 @@
 """passbook admin"""
-__version__ = '0.0.9-alpha'
+__version__ = '0.0.12-alpha'

passbook/api/__init__.py

@@ -1,2 +1,2 @@
 """passbook api"""
-__version__ = '0.0.9-alpha'
+__version__ = '0.0.12-alpha'

passbook/audit/__init__.py

@@ -1,2 +1,2 @@
 """passbook audit Header"""
-__version__ = '0.0.9-alpha'
+__version__ = '0.0.12-alpha'

passbook/captcha_factor/__init__.py

@@ -1,2 +1,2 @@
 """passbook captcha_factor Header"""
-__version__ = '0.0.9-alpha'
+__version__ = '0.0.12-alpha'

passbook/core/__init__.py

@@ -1,2 +1,2 @@
 """passbook core"""
-__version__ = '0.0.9-alpha'
+__version__ = '0.0.12-alpha'

passbook/core/auth/factors/password.py

@@ -5,7 +5,7 @@ from django.contrib import messages
 from django.contrib.auth import authenticate
 from django.core.exceptions import PermissionDenied
 from django.forms.utils import ErrorList
-from django.shortcuts import redirect
+from django.shortcuts import redirect, reverse
 from django.utils.translation import gettext as _
 from django.views.generic import FormView
 
@@ -13,6 +13,7 @@ from passbook.core.auth.factor import AuthenticationFactor
 from passbook.core.auth.view import AuthenticationView
 from passbook.core.forms.authentication import PasswordFactorForm
 from passbook.core.models import Nonce
+from passbook.core.tasks import send_email
 from passbook.lib.config import CONFIG
 
 LOGGER = getLogger(__name__)
@@ -32,7 +33,16 @@ class PasswordFactor(FormView, AuthenticationFactor):
         if 'password-forgotten' in request.GET:
             nonce = Nonce.objects.create(user=self.pending_user)
             LOGGER.debug("DEBUG %s", str(nonce.uuid))
-            # TODO: Send email to user
+            # Send mail to user
+            send_email.delay(self.pending_user.email, _('Forgotten password'),
+                             'email/account_password_reset.html', {
+                                 'url': self.request.build_absolute_uri(
+                                     reverse('passbook_core:passbook_core:auth-password-reset',
+                                             kwargs={
+                                                 'nonce': nonce.uuid
+                                             })
+                                 )
+                             })
             self.authenticator.cleanup()
             messages.success(request, _('Check your E-Mails for a password reset link.'))
             return redirect('passbook_core:auth-login')

passbook/core/auth/view.py

@@ -4,6 +4,7 @@ from logging import getLogger
 from django.contrib.auth import login
 from django.contrib.auth.mixins import UserPassesTestMixin
 from django.shortcuts import get_object_or_404, redirect, reverse
+from django.utils.http import urlencode
 from django.views.generic import View
 
 from passbook.core.models import Factor, User
@@ -13,6 +14,12 @@ from passbook.lib.utils.urls import is_url_absolute
 
 LOGGER = getLogger(__name__)
 
+def _redirect_with_qs(view, get_query_set=None):
+    """Wrapper to redirect whilst keeping GET Parameters"""
+    target = reverse(view)
+    if get_query_set:
+        target += '?' + urlencode({key: value for key, value in get_query_set.items()})
+    return redirect(target)
 
 class AuthenticationView(UserPassesTestMixin, View):
     """Wizard-like Multi-factor authenticator"""
@@ -37,7 +44,7 @@ class AuthenticationView(UserPassesTestMixin, View):
         # Function from UserPassesTestMixin
         if 'next' in self.request.GET:
             return redirect(self.request.GET.get('next'))
-        return redirect(reverse('passbook_core:overview'))
+        return _redirect_with_qs('passbook_core:overview', self.request.GET)
 
     def dispatch(self, request, *args, **kwargs):
         # Extract pending user from session (only remember uid)
@@ -46,7 +53,7 @@ class AuthenticationView(UserPassesTestMixin, View):
                 User, id=self.request.session[AuthenticationView.SESSION_PENDING_USER])
         else:
             # No Pending user, redirect to login screen
-            return redirect(reverse('passbook_core:auth-login'))
+            return _redirect_with_qs('passbook_core:auth-login', request.GET)
         # Write pending factors to session
         if AuthenticationView.SESSION_PENDING_FACTORS in request.session:
             self.pending_factors = request.session[AuthenticationView.SESSION_PENDING_FACTORS]
@@ -101,8 +108,8 @@ class AuthenticationView(UserPassesTestMixin, View):
                 self.pending_factors
             self.request.session[AuthenticationView.SESSION_FACTOR] = next_factor
             LOGGER.debug("Rendering Factor is %s", next_factor)
-            # return redirect(reverse('passbook_core:auth-process', kwargs={'factor': next_factor}))
-            return redirect(reverse('passbook_core:auth-process'))
+            # return _redirect_with_qs('passbook_core:auth-process', kwargs={'factor': next_factor})
+            return _redirect_with_qs('passbook_core:auth-process', self.request.GET)
         # User passed all factors
         LOGGER.debug("User passed all factors, logging in")
         return self._user_passed()
@@ -112,7 +119,7 @@ class AuthenticationView(UserPassesTestMixin, View):
         This should only be shown if user authenticated successfully, but is disabled/locked/etc"""
         LOGGER.debug("User invalid")
         self.cleanup()
-        return redirect(reverse('passbook_core:auth-denied'))
+        return _redirect_with_qs('passbook_core:auth-denied', self.request.GET)
 
     def _user_passed(self):
         """User Successfully passed all factors"""
@@ -123,9 +130,9 @@ class AuthenticationView(UserPassesTestMixin, View):
         # Cleanup
         self.cleanup()
         next_param = self.request.GET.get('next', None)
-        if next_param and is_url_absolute(next_param):
+        if next_param and not is_url_absolute(next_param):
             return redirect(next_param)
-        return redirect(reverse('passbook_core:overview'))
+        return _redirect_with_qs('passbook_core:overview')
 
     def cleanup(self):
         """Remove temporary data from session"""

passbook/core/exceptions.py

@@ -0,0 +1,10 @@
+"""passbook core exceptions"""
+
+class PasswordPolicyInvalid(Exception):
+    """Exception raised when a Password Policy fails"""
+
+    messages = []
+
+    def __init__(self, *messages):
+        super().__init__()
+        self.messages = messages

passbook/core/forms/authentication.py

@@ -91,4 +91,7 @@ class SignUpForm(forms.Form):
 class PasswordFactorForm(forms.Form):
     """Password authentication form"""
 
-    password = forms.CharField(widget=forms.PasswordInput(attrs={'placeholder': _('Password')}))
+    password = forms.CharField(widget=forms.PasswordInput(attrs={
+        'placeholder': _('Password'),
+        'autofocus': 'autofocus'
+        }))

passbook/core/forms/policies.py

@@ -3,7 +3,8 @@
 from django import forms
 from django.utils.translation import gettext as _
 
-from passbook.core.models import DebugPolicy, FieldMatcherPolicy, WebhookPolicy
+from passbook.core.models import (DebugPolicy, FieldMatcherPolicy,
+                                  PasswordPolicy, WebhookPolicy)
 
 GENERAL_FIELDS = ['name', 'action', 'negate', 'order', ]
 
@@ -50,3 +51,25 @@ class DebugPolicyForm(forms.ModelForm):
         labels = {
             'result': _('Allow user')
         }
+
+
+class PasswordPolicyForm(forms.ModelForm):
+    """PasswordPolicy Form"""
+
+    class Meta:
+
+        model = PasswordPolicy
+        fields = GENERAL_FIELDS + ['amount_uppercase', 'amount_lowercase',
+                                   'amount_symbols', 'length_min', 'symbol_charset',
+                                   'error_message']
+        widgets = {
+            'name': forms.TextInput(),
+            'symbol_charset': forms.TextInput(),
+            'error_message': forms.TextInput(),
+        }
+        labels = {
+            'amount_uppercase': _('Minimum amount of Uppercase Characters'),
+            'amount_lowercase': _('Minimum amount of Lowercase Characters'),
+            'amount_symbols': _('Minimum amount of Symbols Characters'),
+            'length_min': _('Minimum Length'),
+        }

passbook/core/migrations/0015_passwordpolicy_error_message.py

@@ -0,0 +1,19 @@
+# Generated by Django 2.1.7 on 2019-02-26 14:28
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('passbook_core', '0014_auto_20190226_0850'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='passwordpolicy',
+            name='error_message',
+            field=models.TextField(default=''),
+            preserve_default=False,
+        ),
+    ]

passbook/core/models.py

@@ -4,6 +4,7 @@ from datetime import timedelta
 from logging import getLogger
 from random import SystemRandom
 from time import sleep
+from typing import Tuple, Union
 from uuid import uuid4
 
 from django.contrib.auth.models import AbstractUser
@@ -49,7 +50,8 @@ class User(AbstractUser):
     password_change_date = models.DateTimeField(auto_now_add=True)
 
     def set_password(self, password):
-        password_changed.send(sender=self, user=self, password=password)
+        if self.pk:
+            password_changed.send(sender=self, user=self, password=password)
         self.password_change_date = now()
         return super().set_password(password)
 
@@ -69,8 +71,9 @@ class PolicyModel(UUIDModel, CreatedUpdatedModel):
 
     policies = models.ManyToManyField('Policy', blank=True)
 
-    def passes(self, user: User) -> bool:
-        """Return true if user passes, otherwise False or raise Exception"""
+    def passes(self, user: User) -> Union[bool, Tuple[bool, str]]:
+        """Return False, str if a user fails where str is a
+        reasons shown to the user. Return True if user succeeds."""
         for policy in self.policies.all():
             if not policy.passes(user):
                 return False
@@ -222,7 +225,7 @@ class Policy(UUIDModel, CreatedUpdatedModel):
             return self.name
         return "%s action %s" % (self.name, self.action)
 
-    def passes(self, user: User) -> bool:
+    def passes(self, user: User) -> Union[bool, Tuple[bool, str]]:
         """Check if user instance passes this policy"""
         raise NotImplementedError()
 
@@ -267,7 +270,7 @@ class FieldMatcherPolicy(Policy):
             description = "%s: %s" % (self.name, description)
         return description
 
-    def passes(self, user: User) -> bool:
+    def passes(self, user: User) -> Union[bool, Tuple[bool, str]]:
         """Check if user instance passes this role"""
         if not hasattr(user, self.user_field):
             raise ValueError("Field does not exist")
@@ -302,10 +305,11 @@ class PasswordPolicy(Policy):
     amount_symbols = models.IntegerField(default=0)
     length_min = models.IntegerField(default=0)
     symbol_charset = models.TextField(default=r"!\"#$%&'()*+,-./:;<=>?@[\]^_`{|}~ ")
+    error_message = models.TextField()
 
     form = 'passbook.core.forms.policies.PasswordPolicyForm'
 
-    def passes(self, user: User) -> bool:
+    def passes(self, user: User) -> Union[bool, Tuple[bool, str]]:
         # Only check if password is being set
         if not hasattr(user, '__password__'):
             return True
@@ -320,6 +324,8 @@ class PasswordPolicy(Policy):
             filter_regex += r'[%s]{%d,}' % (self.symbol_charset, self.amount_symbols)
         result = bool(re.compile(filter_regex).match(password))
         LOGGER.debug("User got %r", result)
+        if not result:
+            return result, self.error_message
         return result
 
     class Meta:
@@ -378,7 +384,7 @@ class DebugPolicy(Policy):
         wait = SystemRandom().randrange(self.wait_min, self.wait_max)
         LOGGER.debug("Policy '%s' waiting for %ds", self.name, wait)
         sleep(wait)
-        return self.result
+        return self.result, 'Debugging'
 
     class Meta:
 

passbook/core/policies.py

@@ -42,7 +42,11 @@ class PolicyEngine:
     @property
     def result(self):
         """Get policy-checking result"""
+        messages = []
         for policy_result in self._group.get():
+            if isinstance(policy_result, (tuple, list)):
+                policy_result, policy_message = policy_result
+                messages.append(policy_message)
             if policy_result is False:
-                return False
-        return True
+                return False, messages
+        return True, messages

passbook/core/settings.py

@@ -291,6 +291,7 @@ TEST_OUTPUT_FILE_NAME = 'unittest.xml'
 if any('test' in arg for arg in sys.argv):
     LOGGING = None
     TEST = True
+    CELERY_TASK_ALWAYS_EAGER = True
 
 _DISALLOWED_ITEMS = ['INSTALLED_APPS', 'MIDDLEWARE', 'AUTHENTICATION_BACKENDS']
 # Load subapps's INSTALLED_APPS

passbook/core/signals.py

@@ -1,12 +1,27 @@
 """passbook core signals"""
 
 from django.core.signals import Signal
+from django.dispatch import receiver
 
-# from django.db.models.signals import post_save, pre_delete
-# from django.dispatch import receiver
-# from passbook.core.models import Invitation, User
+from passbook.core.exceptions import PasswordPolicyInvalid
 
 user_signed_up = Signal(providing_args=['request', 'user'])
 invitation_created = Signal(providing_args=['request', 'invitation'])
 invitation_used = Signal(providing_args=['request', 'invitation', 'user'])
 password_changed = Signal(providing_args=['user', 'password'])
+
+@receiver(password_changed)
+# pylint: disable=unused-argument
+def password_policy_checker(sender, password, **kwargs):
+    """Run password through all password policies which are applied to the user"""
+    from passbook.core.models import PasswordFactor
+    from passbook.core.policies import PolicyEngine
+    setattr(sender, '__password__', password)
+    _all_factors = PasswordFactor.objects.filter(enabled=True).order_by('order')
+    for factor in _all_factors:
+        if factor.passes(sender):
+            policy_engine = PolicyEngine(factor.password_policies.all().select_subclasses())
+            policy_engine.for_user(sender)
+            passing, messages = policy_engine.result
+            if not passing:
+                raise PasswordPolicyInvalid(*messages)

passbook/core/tasks.py

@@ -0,0 +1,17 @@
+"""passbook core tasks"""
+from django.core.mail import EmailMultiAlternatives
+from django.template.loader import render_to_string
+from django.utils.html import strip_tags
+
+from passbook.core.celery import CELERY_APP
+from passbook.lib.config import CONFIG
+
+
+@CELERY_APP.task()
+def send_email(to_address, subject, template, context):
+    """Send Email to user(s)"""
+    html_content = render_to_string(template, context=context)
+    text_content = strip_tags(html_content)
+    msg = EmailMultiAlternatives(subject, text_content, CONFIG.y('email.from'), [to_address])
+    msg.attach_alternative(html_content, "text/html")
+    msg.send()

passbook/core/templates/base/skeleton.html

@@ -6,6 +6,7 @@
 <html lang="en">
   <head>
     <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1">
     <title>
       {% block title %}
         {% title %}
@@ -19,6 +20,7 @@
         .login-pf {
             background-attachment: fixed;
             scroll-behavior: smooth;
+            background-size: cover;
         }
     </style>
     {% block head %}

passbook/core/templates/email/account_confirm.html

@@ -0,0 +1,84 @@
+{% extends 'email/base.html' %}
+
+{% load inline %}
+{% load i18n %}
+
+{% block pre_header %}
+{% trans "We're thrilled to have you here! Get ready to dive into your new account." %}
+{% endblock %}
+
+{% block content %}
+<!-- HERO -->
+<tr>
+    <td bgcolor="#3625b7" align="center" style="padding: 0px 10px 0px 10px;">
+        <table border="0" cellpadding="0" cellspacing="0" width="480">
+            <tr>
+                <td bgcolor="#566572" align="center" valign="top"
+                    style="padding: 40px 20px 20px 20px; border-radius: 4px 4px 0px 0px; color: #8F9BA3; font-family: 'Metropolis', Helvetica, Arial, sans-serif; font-size: 48px; font-weight: 400; letter-spacing: 4px; line-height: 48px;">
+                    <h1 style="font-size: 32px; font-weight: 400; margin: 0; color: #E9ECEF;">{% trans 'Welcome!' %}
+                    </h1>
+                </td>
+            </tr>
+        </table>
+    </td>
+</tr>
+<!-- COPY BLOCK -->
+<tr>
+    <td bgcolor="#1b2a32" align="center" style="padding: 0px 10px 0px 10px;">
+        <table border="0" cellpadding="0" cellspacing="0" width="480">
+            <!-- COPY -->
+            <tr>
+                <td bgcolor="#566572" align="left"
+                    style="padding: 20px 30px 40px 30px; color: #E9ECEF; font-family: 'Metropolis', Helvetica, Arial, sans-serif; font-size: 18px; font-weight: 400; line-height: 25px;">
+                    <p style="margin: 0;">
+                        {% trans "We're excited to have you get started. First, you need to confirm your account. Just press the button below."%}
+                    </p>
+                </td>
+            </tr>
+            <!-- BULLETPROOF BUTTON -->
+            <tr>
+                <td bgcolor="#566572" align="left">
+                    <table width="100%" border="0" cellspacing="0" cellpadding="0">
+                        <tr>
+                            <td bgcolor="#566572" align="center" style="padding: 20px 30px 60px 30px;">
+                                <table border="0" cellspacing="0" cellpadding="0">
+                                    <tr>
+                                        <td align="center" style="border-radius: 3px;" bgcolor="#3625b7"><a
+                                                href="{{ url }}" target="_blank"
+                                                style="font-size: 20px; font-family: Helvetica, Arial, sans-serif; color: #ffffff; text-decoration: none; color: #ffffff; text-decoration: none; padding: 15px 25px; border-radius: 2px; border: 1px solid #3625b7; display: inline-block;">{% trans 'Confirm Account' %}</a>
+                                        </td>
+                                    </tr>
+                                </table>
+                            </td>
+                        </tr>
+                    </table>
+                </td>
+            </tr>
+            <!-- COPY -->
+            <tr>
+                <td bgcolor="#566572" align="left"
+                    style="padding: 0px 30px 0px 30px; color: #E9ECEF; font-family: 'Metropolis', Helvetica, Arial, sans-serif; font-size: 18px; font-weight: 400; line-height: 25px;">
+                    <p style="margin: 0;">
+                        {% trans "If that doesn't work, copy and paste the following link in your browser:" %}</p>
+                </td>
+            </tr>
+            <!-- COPY -->
+            <tr>
+                <td bgcolor="#566572" align="left"
+                    style="padding: 20px 30px 20px 30px; color: #E9ECEF; font-family: 'Metropolis', Helvetica, Arial, sans-serif; font-size: 18px; font-weight: 400; line-height: 25px;">
+                    <p style="margin: 0;"><a href="{{ url }}" target="_blank" style="color: #3625b7;">{{ url }}</a></p>
+                </td>
+            </tr>
+            <!-- COPY -->
+            <tr>
+                <td bgcolor="#566572" align="left"
+                    style="padding: 0px 30px 20px 30px; color: #E9ECEF; font-family: 'Metropolis', Helvetica, Arial, sans-serif; font-size: 18px; font-weight: 400; line-height: 25px;">
+                    <p style="margin: 0;">
+                        {% trans "If you have any questions, just reply to this email—we're always happy to help out." %}
+                    </p>
+                </td>
+            </tr>
+        </table>
+    </td>
+</tr>
+{% endblock %}

passbook/core/templates/email/account_password_reset.html

@@ -0,0 +1,78 @@
+{% extends "email/base.html" %}
+
+{% load utils %}
+{% load i18n %}
+
+{% block pre_header %}
+{% trans "Looks like you tried signing in a few too many times. Let's see if we can get you back into your account." %}
+{% endblock %}
+
+{% block content %}
+{% config 'passbook.branding' as branding %}
+<!-- HERO -->
+<tr>
+  <td bgcolor="#7c72dc" align="center" style="padding: 0px 10px 0px 10px;">
+    <table border="0" cellpadding="0" cellspacing="0" width="600" class="wrapper">
+      <tr>
+        <td bgcolor="#ffffff" align="center" valign="top" style="padding: 40px 20px 20px 20px; border-radius: 4px 4px 0px 0px; color: #111111; font-family: 'Lato', Helvetica, Arial, sans-serif; font-size: 48px; font-weight: 400; letter-spacing: 4px; line-height: 48px;">
+          <h1 style="font-size: 48px; font-weight: 400; margin: 0;">{% trans 'Trouble signing in?' %}</h1>
+        </td>
+      </tr>
+    </table>
+  </td>
+</tr>
+<!-- COPY BLOCK -->
+<tr>
+  <td bgcolor="#f4f4f4" align="center" style="padding: 0px 10px 0px 10px;">
+    <table border="0" cellpadding="0" cellspacing="0" width="600" class="wrapper">
+      <!-- COPY -->
+      <tr>
+        <td bgcolor="#ffffff" align="left" style="padding: 20px 30px 40px 30px; color: #666666; font-family: 'Lato', Helvetica, Arial, sans-serif; font-size: 18px; font-weight: 400; line-height: 25px;">
+          <p style="margin: 0;">{% trans "Resetting your password is easy. Just press the button below and follow the instructions. We'll have you up and running in no time." %}</p>
+        </td>
+      </tr>
+      <!-- BULLETPROOF BUTTON -->
+      <tr>
+        <td bgcolor="#ffffff" align="left">
+          <table width="100%" border="0" cellspacing="0" cellpadding="0">
+            <tr>
+              <td bgcolor="#ffffff" align="center" style="padding: 20px 30px 60px 30px;">
+                <table border="0" cellspacing="0" cellpadding="0">
+                  <tr>
+                    <td align="center" style="border-radius: 3px;" bgcolor="#7c72dc"><a href="{{ url }}" target="_blank" style="font-size: 20px; font-family: Helvetica, Arial, sans-serif; color: #ffffff; text-decoration: none; color: #ffffff; text-decoration: none; padding: 15px 25px; border-radius: 2px; border: 1px solid #7c72dc; display: inline-block;">{% trans 'Reset Password' %}</a></td>
+                  </tr>
+                </table>
+              </td>
+            </tr>
+          </table>
+        </td>
+      </tr>
+    </table>
+  </td>
+</tr>
+<!-- COPY CALLOUT -->
+<tr>
+  <td bgcolor="#f4f4f4" align="center" style="padding: 0px 10px 0px 10px;">
+    <table border="0" cellpadding="0" cellspacing="0" width="600" class="wrapper">
+      <!-- HEADLINE -->
+      <tr>
+        <td bgcolor="#111111" align="left" style="padding: 40px 30px 20px 30px; color: #ffffff; font-family: 'Lato', Helvetica, Arial, sans-serif; font-size: 18px; font-weight: 400; line-height: 25px;">
+          <h2 style="font-size: 24px; font-weight: 400; margin: 0;">{% trans 'Want a more secure account?' %}</h2>
+        </td>
+      </tr>
+      <!-- COPY -->
+      <tr>
+        <td bgcolor="#111111" align="left" style="padding: 0px 30px 20px 30px; color: #666666; font-family: 'Lato', Helvetica, Arial, sans-serif; font-size: 18px; font-weight: 400; line-height: 25px;">
+          <p style="margin: 0;">{% trans 'We support two-factor authentication to help keep your information private.' %}</p>
+        </td>
+      </tr>
+      <!-- COPY -->
+      <tr>
+        <td bgcolor="#111111" align="left" style="padding: 0px 30px 40px 30px; border-radius: 0px 0px 4px 4px; color: #666666; font-family: 'Lato', Helvetica, Arial, sans-serif; font-size: 18px; font-weight: 400; line-height: 25px;">
+          <p style="margin: 0;"><a href="http://litmus.com" target="_blank" style="color: #7c72dc;">{% trans 'See how easy it is to get started' %}</a></p>
+        </td>
+      </tr>
+    </table>
+  </td>
+</tr>
+{% endblock %}

passbook/core/templates/email/base.html

@@ -0,0 +1,129 @@
+{% load inline %}
+{% load utils %}
+{% load static %}
+{% load i18n %}
+<!DOCTYPE html>
+<html>
+<head>
+    <title>{% config passbook.branding %}</title>
+    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1">
+    <meta http-equiv="X-UA-Compatible" content="IE=edge" />
+    <style type="text/css">
+        /* CLIENT-SPECIFIC STYLES */
+        body, table, td, a {
+            -webkit-text-size-adjust: 100%;
+            -ms-text-size-adjust: 100%;
+        }
+
+        table, td {
+            mso-table-lspace: 0pt;
+            mso-table-rspace: 0pt;
+        }
+
+        img {
+            -ms-interpolation-mode: bicubic;
+        }
+
+        /* RESET STYLES */
+        img {
+            border: 0;
+            height: auto;
+            line-height: 100%;
+            outline: none;
+            text-decoration: none;
+        }
+
+        table {
+            border-collapse: collapse !important;
+        }
+
+        body {
+            height: 100% !important;
+            margin: 0 !important;
+            padding: 0 !important;
+            width: 100% !important;
+        }
+
+        /* iOS BLUE LINKS */
+        a[x-apple-data-detectors] {
+            color: inherit !important;
+            text-decoration: none !important;
+            font-size: inherit !important;
+            font-family: inherit !important;
+            font-weight: inherit !important;
+            line-height: inherit !important;
+        }
+
+        /* ANDROID CENTER FIX */
+        div[style*="margin: 16px 0;"] {
+            margin: 0 !important;
+        }
+    </style>
+    </head>
+
+    <body style="background-color: #1b2a32; margin: 0 !important; padding: 0 !important;">
+
+        <!-- HIDDEN PREHEADER TEXT -->
+        <div style="display: none; font-size: 1px; color: #fefefe; line-height: 1px; font-family: 'Metropolis', Helvetica, Arial, sans-serif; max-height: 0px; max-width: 0px; opacity: 0; overflow: hidden;">
+            {% block pre_header %}
+            {% endblock %}
+        </div>
+
+        <table border="0" cellpadding="0" cellspacing="0" width="100%">
+            <!-- LOGO -->
+            <tr>
+                <td bgcolor="#3625b7" align="center">
+                    <table border="0" cellpadding="0" cellspacing="0" width="480">
+                        <tr>
+                            <td align="center" valign="top" style="padding: 40px 10px 40px 10px;">
+                                <a href="" target="_blank">
+                                    <img alt="Logo" src="{% inline_static 'assets/dark.svg' %}" width="64" height="64"
+                                    style="display: block; width: 64px; max-width: 64px; min-width: 64px; font-family: 'Metropolis', Helvetica, Arial, sans-serif; color: #ffffff; font-size: 18px;"
+                                    border="0">
+                                </a>
+                            </td>
+                        </tr>
+                    </table>
+                </td>
+            </tr>
+            {% block content %}
+            {% endblock %}
+            <!-- SUPPORT CALLOUT -->
+            <!-- <tr>
+                <td bgcolor="#1b2a32" align="center" style="padding: 30px 10px 0px 10px;">
+                    <table border="0" cellpadding="0" cellspacing="0" width="480">
+                        HEADLINE
+                        <tr>
+                            <td bgcolor="#566572" align="center" style="padding: 30px 30px 30px 30px; border-radius: 4px 4px 4px 4px; color: #E9ECEF; font-family: 'Metropolis', Helvetica, Arial, sans-serif; font-size: 18px; font-weight: 400; line-height: 25px;">
+                                <h2 style="font-size: 20px; font-weight: 400; color: ##E9ECEF; margin: 0;">Need more help?</h2>
+                                <p style="margin: 0;"><a href="http://litmus.com" target="_blank" style="color: #3625b7;">We&rsquo;re
+                                    here, ready to talk</a></p>
+                            </td>
+                        </tr>
+                    </table>
+                </td>
+            </tr> -->
+            <!-- FOOTER -->
+            <tr>
+                <td bgcolor="#1b2a32" align="center" style="padding: 0px 10px 0px 10px;">
+                    <table border="0" cellpadding="0" cellspacing="0" width="480">
+                        <!-- NAVIGATION -->
+                        <tr>
+                            <td bgcolor="#1b2a32" align="left" style="padding: 30px 30px 30px 30px; color: #E9ECEF; font-family: 'Metropolis', Helvetica, Arial, sans-serif; font-size: 14px; font-weight: 400; line-height: 18px;">
+                                <p style="margin: 0;">
+                                </p>
+                            </td>
+                        </tr>
+                        <!-- ADDRESS -->
+                        <tr>
+                            <td bgcolor="#1b2a32" align="left" style="padding: 0px 30px 30px 30px; color: #E9ECEF; font-family: 'Metropolis', Helvetica, Arial, sans-serif; font-size: 14px; font-weight: 400; line-height: 18px;">
+                                <p style="margin: 0;"><a href="{% config 'passbook.branding' %}">{% config 'passbook.branding' %}</a></p>
+                            </td>
+                        </tr>
+                    </table>
+                </td>
+            </tr>
+        </table>
+    </body>
+</html>

passbook/core/templates/email/generic_email.html

@@ -0,0 +1,26 @@
+{% extends "email/base.html" %}
+
+{% block content %}
+<tr>
+  <td bgcolor="#3625b7" align="center" style="padding: 0px 10px 0px 10px;">
+    <table border="0" cellpadding="0" cellspacing="0" width="480">
+      <tr>
+        <td bgcolor="#566572" align="center" valign="top" style="padding: 40px 20px 20px 20px; border-radius: 4px 4px 0px 0px; color: #8F9BA3; font-family: 'Lato', Helvetica, Arial, sans-serif; font-size: 48px; font-weight: 400; letter-spacing: 4px; line-height: 48px;">
+          <h1 style="font-size: 32px; font-weight: 400; margin: 0; color: #E9ECEF;">{{ title }}!</h1>
+        </td>
+      </tr>
+    </table>
+  </td>
+</tr>
+<tr>
+  <td bgcolor="#1b2a32" align="center" style="padding: 0px 10px 0px 10px;">
+    <table border="0" cellpadding="0" cellspacing="0" width="480">
+      <tr>
+        <td bgcolor="#566572" align="left" style="padding: 20px 30px 40px 30px; color: #E9ECEF; font-family: 'Lato', Helvetica, Arial, sans-serif; font-size: 18px; font-weight: 400; line-height: 25px;">
+          <p style="margin: 0;">{{ body }}</p>
+        </td>
+      </tr>
+    </table>
+  </td>
+</tr>
+{% endblock %}

passbook/core/templates/partials/form_login.html

@@ -3,45 +3,48 @@
 
 {% csrf_token %}
 {% for field in form %}
-<div class="form-group login-pf-settings">
-  {% if field.field.widget|fieldtype == 'RadioSelect' %}
-    <label class="col-sm-2 control-label" {% if field.field.required %}class="required"{% endif %} for="{{ field.name }}-{{ forloop.counter0 }}">
-      {{ field.label }}
+<div class="form-group login-pf-settings {% if field.errors %} has-error {% endif %}">
+    {% if field.field.widget|fieldtype == 'RadioSelect' %}
+    <label class="col-sm-2 control-label" {% if field.field.required %}class="required" {% endif %}
+        for="{{ field.name }}-{{ forloop.counter0 }}">
+        {{ field.label }}
     </label>
     {% for c in field %}
     <div class="radio col-sm-10">
-      <input type="radio" id="{{ field.name }}-{{ forloop.counter0 }}" name="{% if wizard %}{{ wizard.steps.current }}-{% endif %}{{ field.name }}" value="{{ c.data.value }}" {% if c.data.selected %} checked {% endif %}>
-      <label class="col-sm-2 control-label" for="{{ field.name }}-{{ forloop.counter0 }}">{{ c.choice_label }}</label>
+        <input type="radio" id="{{ field.name }}-{{ forloop.counter0 }}"
+            name="{% if wizard %}{{ wizard.steps.current }}-{% endif %}{{ field.name }}" value="{{ c.data.value }}"
+            {% if c.data.selected %} checked {% endif %}>
+        <label class="col-sm-2 control-label" for="{{ field.name }}-{{ forloop.counter0 }}">{{ c.choice_label }}</label>
     </div>
     {% endfor %}
-  {% elif field.field.widget|fieldtype == 'Select' %}
-    <label class="col-sm-2 control-label" {% if field.field.required %}class="required"{% endif %} for="{{ field.name }}-{{ forloop.counter0 }}">
-      {{ field.label }}
+    {% elif field.field.widget|fieldtype == 'Select' %}
+    <label class="col-sm-2 control-label" {% if field.field.required %}class="required" {% endif %}
+        for="{{ field.name }}-{{ forloop.counter0 }}">
+        {{ field.label }}
     </label>
     <div class="select col-sm-10">
-      {{ field }}
+        {{ field }}
     </div>
-  {% elif field.field.widget|fieldtype == 'CheckboxInput' %}
+    {% elif field.field.widget|fieldtype == 'CheckboxInput' %}
     <label class="checkbox-label">
-      {{ field }} {{ field.label }}
+        {{ field }} {{ field.label }}
     </label>
-  {% else %}
-  <label class="col-sm-2 sr-only" {% if field.field.required %}class="required"{% endif %} for="{{ field.name }}-{{ forloop.counter0 }}">
-    {{ field.label }}
-  </label>
-  {{ field|css_class:'form-control input-lg' }}
-  {% if field.help_text %}
-  <span>
-    {{ field.help_text }}
-  </span>
-  {% endif %}
-  {% endif %}
-  {% for error in field.errors %}
-  <hr>
-  <div class="alert alert-danger alert-block">
-    <span class="pficon pficon-error-circle-o"></span>
-    <strong>{{ error }}</strong>
-  </div>
-  {% endfor %}
+    {% else %}
+    <label class="col-sm-2 sr-only" {% if field.field.required %}class="required" {% endif %}
+        for="{{ field.name }}-{{ forloop.counter0 }}">
+        {{ field.label }}
+    </label>
+    {{ field|css_class:'form-control input-lg' }}
+    {% if field.help_text %}
+    <span>
+        {{ field.help_text }}
+    </span>
+    {% endif %}
+    {% endif %}
+    {% for error in field.errors %}
+    <span class="help-block">
+        {{ error }}
+    </span>
+    {% endfor %}
 </div>
 {% endfor %}

passbook/core/tests/test_views_authentication.py

@@ -1,4 +1,6 @@
 """passbook Core Account Test"""
+import string
+from random import SystemRandom
 
 from django.test import TestCase
 from django.urls import reverse
@@ -26,7 +28,9 @@ class TestAuthenticationViews(TestCase):
         self.user = User.objects.create_superuser(
             username='unittest user',
             email='unittest@example.com',
-            password='test123')
+            password=''.join(SystemRandom().choice(
+                string.ascii_uppercase + string.digits) for _ in range(8)))
+
 
     def test_sign_up_view(self):
         """Test account.sign_up view (Anonymous)"""

passbook/core/tests/test_views_overview.py

@@ -1,4 +1,7 @@
 """passbook user view tests"""
+import string
+from random import SystemRandom
+
 from django.shortcuts import reverse
 from django.test import TestCase
 
@@ -13,7 +16,8 @@ class TestOverviewViews(TestCase):
         self.user = User.objects.create_superuser(
             username='unittest user',
             email='unittest@example.com',
-            password='test123')
+            password=''.join(SystemRandom().choice(
+                string.ascii_uppercase + string.digits) for _ in range(8)))
         self.client.force_login(self.user)
 
     def test_overview(self):

passbook/core/tests/test_views_user.py

@@ -1,4 +1,7 @@
 """passbook user view tests"""
+import string
+from random import SystemRandom
+
 from django.shortcuts import reverse
 from django.test import TestCase
 
@@ -14,7 +17,8 @@ class TestUserViews(TestCase):
         self.user = User.objects.create_superuser(
             username='unittest user',
             email='unittest@example.com',
-            password='test123')
+            password=''.join(SystemRandom().choice(
+                string.ascii_uppercase + string.digits) for _ in range(8)))
         self.client.force_login(self.user)
 
     def test_user_settings(self):

passbook/core/views/authentication.py

@@ -1,24 +1,28 @@
-"""Core views"""
+"""passbook core authentication views"""
 from logging import getLogger
 from typing import Dict
 
 from django.contrib import messages
 from django.contrib.auth import login, logout
 from django.contrib.auth.mixins import LoginRequiredMixin, UserPassesTestMixin
+from django.forms.utils import ErrorList
 from django.http import HttpRequest, HttpResponse
 from django.shortcuts import get_object_or_404, redirect, reverse
 from django.utils.translation import ugettext as _
 from django.views import View
 from django.views.generic import FormView
 
-from passbook.core.auth.view import AuthenticationView
+from passbook.core.auth.view import AuthenticationView, _redirect_with_qs
+from passbook.core.exceptions import PasswordPolicyInvalid
 from passbook.core.forms.authentication import LoginForm, SignUpForm
 from passbook.core.models import Invitation, Nonce, Source, User
 from passbook.core.signals import invitation_used, user_signed_up
+from passbook.core.tasks import send_email
 from passbook.lib.config import CONFIG
 
 LOGGER = getLogger(__name__)
 
+
 class LoginView(UserPassesTestMixin, FormView):
     """Allow users to sign in"""
 
@@ -69,13 +73,14 @@ class LoginView(UserPassesTestMixin, FormView):
             return self.invalid_login(self.request)
         self.request.session.flush()
         self.request.session[AuthenticationView.SESSION_PENDING_USER] = pre_user.pk
-        return redirect(reverse('passbook_core:auth-process'))
+        return _redirect_with_qs('passbook_core:auth-process', self.request.GET)
 
     def invalid_login(self, request: HttpRequest, disabled_user: User = None) -> HttpResponse:
         """Handle login for disabled users/invalid login attempts"""
         messages.error(request, _('Failed to authenticate.'))
         return self.render_to_response(self.get_context_data())
 
+
 class LogoutView(LoginRequiredMixin, View):
     """Log current user out"""
 
@@ -138,14 +143,30 @@ class SignUpView(UserPassesTestMixin, FormView):
 
     def form_valid(self, form: SignUpForm) -> HttpResponse:
         """Create user"""
-        self._user = SignUpView.create_user(form.cleaned_data, self.request)
+        try:
+            self._user = SignUpView.create_user(form.cleaned_data, self.request)
+        except PasswordPolicyInvalid as exc:
+            # Manually inject error into form
+            # pylint: disable=protected-access
+            errors = form._errors.setdefault("password", ErrorList())
+            for error in exc.messages:
+                errors.append(error)
+            return self.form_invalid(form)
         needs_confirmation = True
         if self._invitation and not self._invitation.needs_confirmation:
             needs_confirmation = False
         if needs_confirmation:
             nonce = Nonce.objects.create(user=self._user)
             LOGGER.debug(str(nonce.uuid))
-            # TODO: Send E-Mail to user
+            # Send email to user
+            send_email.delay(self._user.email, _('Confirm your account.'),
+                             'email/account_confirm.html', {
+                                 'url': self.request.build_absolute_uri(
+                                     reverse('passbook_core:auth-sign-up-confirm', kwargs={
+                                         'nonce': nonce.uuid
+                                     })
+                                 )
+                             })
             self._user.is_active = False
             self._user.save()
         self.consume_invitation()
@@ -176,25 +197,31 @@ class SignUpView(UserPassesTestMixin, FormView):
             The user created
 
         Raises:
-            SignalException: if any signals raise an exception. This also deletes the created user.
+            PasswordPolicyInvalid: if any policy are not fulfilled.
+                                   This also deletes the created user.
         """
         # Create user
-        new_user = User.objects.create_user(
+        new_user = User.objects.create(
             username=data.get('username'),
             email=data.get('email'),
             first_name=data.get('first_name'),
             last_name=data.get('last_name'),
         )
         new_user.is_active = True
-        new_user.set_password(data.get('password'))
-        new_user.save()
-        request.user = new_user
-        # Send signal for other auth sources
-        user_signed_up.send(
-            sender=SignUpView,
-            user=new_user,
-            request=request)
-        return new_user
+        try:
+            new_user.set_password(data.get('password'))
+            new_user.save()
+            request.user = new_user
+            # Send signal for other auth sources
+            user_signed_up.send(
+                sender=SignUpView,
+                user=new_user,
+                request=request)
+            return new_user
+        except PasswordPolicyInvalid as exc:
+            new_user.delete()
+            raise exc
+
 
 class SignUpConfirmView(View):
     """Confirm registration from Nonce"""

passbook/core/views/user.py

@@ -1,10 +1,12 @@
 """passbook core user views"""
 from django.contrib import messages
 from django.contrib.auth import logout, update_session_auth_hash
+from django.forms.utils import ErrorList
 from django.shortcuts import redirect, reverse
 from django.utils.translation import gettext as _
 from django.views.generic import DeleteView, FormView, UpdateView
 
+from passbook.core.exceptions import PasswordPolicyInvalid
 from passbook.core.forms.users import PasswordChangeForm, UserDetailForm
 from passbook.lib.config import CONFIG
 
@@ -38,10 +40,20 @@ class UserChangePasswordView(FormView):
     template_name = 'login/form_with_user.html'
 
     def form_valid(self, form: PasswordChangeForm):
-        self.request.user.set_password(form.cleaned_data.get('password'))
-        self.request.user.save()
-        update_session_auth_hash(self.request, self.request.user)
-        messages.success(self.request, _('Successfully changed password'))
+        try:
+            self.request.user.set_password(form.cleaned_data.get('password'))
+            self.request.user.save()
+            update_session_auth_hash(self.request, self.request.user)
+            messages.success(self.request, _('Successfully changed password'))
+        except PasswordPolicyInvalid as exc:
+            # Manually inject error into form
+            # pylint: disable=protected-access
+            errors = form._errors.setdefault("password_repeat", ErrorList(''))
+            # pylint: disable=protected-access
+            errors = form._errors.setdefault("password", ErrorList())
+            for error in exc.messages:
+                errors.append(error)
+            return self.form_invalid(form)
         return redirect('passbook_core:overview')
 
     def get_context_data(self, **kwargs):

passbook/hibp_policy/models.py

@@ -1,6 +1,6 @@
 """passbook HIBP Models"""
-
 from hashlib import sha1
+from logging import getLogger
 
 from django.db import models
 from django.utils.translation import gettext as _
@@ -8,6 +8,7 @@ from requests import get
 
 from passbook.core.models import Policy, User
 
+LOGGER = getLogger(__name__)
 
 class HaveIBeenPwendPolicy(Policy):
     """Check if password is on HaveIBeenPwned's list by upload the first
@@ -33,8 +34,9 @@ class HaveIBeenPwendPolicy(Policy):
             full_hash, count = line.split(':')
             if pw_hash[5:] == full_hash.lower():
                 final_count = int(count)
+        LOGGER.debug("Got count %d for hash %s", final_count, pw_hash[:5])
         if final_count > self.allowed_count:
-            return False
+            return False, _("Password exists on %(count)d online lists." % {'count': final_count})
         return True
 
     class Meta:

passbook/ldap/__init__.py

@@ -1,2 +1,2 @@
 """Passbook ldap app Header"""
-__version__ = '0.0.9-alpha'
+__version__ = '0.0.12-alpha'

passbook/ldap/forms.py

@@ -39,7 +39,7 @@ class LDAPSourceForm(forms.ModelForm):
 #         (MODE_CREATE_USERS, _('Create Users'))
 #     )
 
-#     namespace = 'supervisr.mod.auth.ldap'
+#     namespace = 'passbook.ldap'
 #     settings = ['enabled', 'mode']
 
 #     widgets = {
@@ -51,7 +51,7 @@ class LDAPSourceForm(forms.ModelForm):
 # class ConnectionSettings(SettingsForm):
 #     """Connection settings form"""
 
-#     namespace = 'supervisr.mod.auth.ldap'
+#     namespace = 'passbook.ldap'
 #     settings = ['server', 'server:tls', 'bind:user', 'bind:password', 'domain']
 
 #     attrs_map = {
@@ -68,7 +68,7 @@ class LDAPSourceForm(forms.ModelForm):
 # class AuthenticationBackendSettings(SettingsForm):
 #     """Authentication backend settings"""
 
-#     namespace = 'supervisr.mod.auth.ldap'
+#     namespace = 'passbook.ldap'
 #     settings = ['base']
 
 #     attrs_map = {
@@ -79,7 +79,7 @@ class LDAPSourceForm(forms.ModelForm):
 # class CreateUsersSettings(SettingsForm):
 #     """Create users settings"""
 
-#     namespace = 'supervisr.mod.auth.ldap'
+#     namespace = 'passbook.ldap'
 #     settings = ['create_base']
 
 #     attrs_map = {

passbook/ldap/models.py

@@ -57,7 +57,7 @@ class LDAPSource(Source):
 
 
 # class LDAPGroupMapping(UUIDModel, CreatedUpdatedModel):
-#     """Model to map an LDAP Group to a supervisr group"""
+#     """Model to map an LDAP Group to a passbook group"""
 
 #     ldap_dn = models.TextField()
 #     group = models.ForeignKey(Group, on_delete=models.CASCADE)

passbook/ldap/urls.py

@@ -2,7 +2,7 @@
 
 # from django.conf.urls import url
 
-# from supervisr.mod.auth.ldap import views
+# from passbook.mod.auth.ldap import views
 
 # urlpatterns = [
 #     url(r'^settings/$', views.admin_settings, name='admin_settings'),

passbook/ldap/views.py

@@ -1,4 +1,4 @@
-# """Supervisr Mod LDAP Views"""
+# """passbook LDAP Views"""
 
 
 # from django.contrib import messages
@@ -8,7 +8,7 @@
 # from django.urls import reverse
 # from django.utils.translation import ugettext as _
 
-# from supervisr.mod.auth.ldap.forms import (AuthenticationBackendSettings,
+# from passbook.ldap.forms import (AuthenticationBackendSettings,
 #                                            ConnectionSettings,
 #                                            CreateUsersSettings,
 #                                            GeneralSettingsForm)
@@ -34,5 +34,5 @@
 #             if form.is_valid():
 #                 update_count += form.save()
 #         messages.success(request, _('Successfully updated %d settings.' % update_count))
-#         return redirect(reverse('supervisr_mod_auth_ldap:admin_settings'))
+#         return redirect(reverse('passbook_ldap:admin_settings'))
 #     return render(request, 'ldap/settings.html', render_data)

passbook/lib/__init__.py

@@ -1,2 +1,2 @@
 """passbook lib"""
-__version__ = '0.0.9-alpha'
+__version__ = '0.0.12-alpha'

passbook/lib/utils/inline.py

@@ -0,0 +1,20 @@
+"""passbook core inlining template tags"""
+import os
+
+from django import template
+from django.conf import settings
+
+register = template.Library()
+
+
+@register.simple_tag()
+def inline_static(path):
+    """Inline static asset. If file is binary, return b64 representation"""
+    prefix = 'data:image/svg+xml;utf8,'
+    data = ''
+    full_path = settings.STATIC_ROOT + '/' + path
+    if os.path.exists(full_path):
+        if full_path.endswith('.svg'):
+            with open(full_path) as _file:
+                data = _file.read()
+    return prefix + data

passbook/oauth_client/__init__.py

@@ -1,2 +1,2 @@
 """passbook oauth_client Header"""
-__version__ = '0.0.9-alpha'
+__version__ = '0.0.12-alpha'

passbook/oauth_client/source_types/discord.py

@@ -2,7 +2,6 @@
 import json
 from logging import getLogger
 
-from django.contrib.auth import get_user_model
 from requests.exceptions import RequestException
 
 from passbook.oauth_client.clients import OAuth2Client
@@ -50,12 +49,11 @@ class DiscordOAuth2Callback(OAuthCallback):
     client_class = DiscordOAuth2Client
 
     def get_or_create_user(self, source, access, info):
-        user = get_user_model()
         user_data = {
-            user.USERNAME_FIELD: info.get('username'),
+            'username': info.get('username'),
             'email': info.get('email', 'None'),
             'first_name': info.get('username'),
             'password': None,
         }
-        discord_user = user_get_or_create(user_model=user, **user_data)
+        discord_user = user_get_or_create(**user_data)
         return discord_user

passbook/oauth_client/source_types/facebook.py

@@ -1,7 +1,5 @@
 """Facebook OAuth Views"""
 
-from django.contrib.auth import get_user_model
-
 from passbook.oauth_client.source_types.manager import MANAGER, RequestKind
 from passbook.oauth_client.utils import user_get_or_create
 from passbook.oauth_client.views.core import OAuthCallback, OAuthRedirect
@@ -22,12 +20,11 @@ class FacebookOAuth2Callback(OAuthCallback):
     """Facebook OAuth2 Callback"""
 
     def get_or_create_user(self, source, access, info):
-        user = get_user_model()
         user_data = {
-            user.USERNAME_FIELD: info.get('name'),
+            'username': info.get('name'),
             'email': info.get('email', ''),
             'first_name': info.get('name'),
             'password': None,
         }
-        fb_user = user_get_or_create(user_model=user, **user_data)
+        fb_user = user_get_or_create(**user_data)
         return fb_user

passbook/oauth_client/source_types/github.py

@@ -1,7 +1,5 @@
 """GitHub OAuth Views"""
 
-from django.contrib.auth import get_user_model
-
 from passbook.oauth_client.source_types.manager import MANAGER, RequestKind
 from passbook.oauth_client.utils import user_get_or_create
 from passbook.oauth_client.views.core import OAuthCallback
@@ -12,12 +10,11 @@ class GitHubOAuth2Callback(OAuthCallback):
     """GitHub OAuth2 Callback"""
 
     def get_or_create_user(self, source, access, info):
-        user = get_user_model()
         user_data = {
-            user.USERNAME_FIELD: info.get('login'),
+            'username': info.get('login'),
             'email': info.get('email', ''),
             'first_name': info.get('name'),
             'password': None,
         }
-        gh_user = user_get_or_create(user_model=user, **user_data)
+        gh_user = user_get_or_create(**user_data)
         return gh_user

passbook/oauth_client/source_types/google.py

@@ -1,6 +1,4 @@
 """Google OAuth Views"""
-from django.contrib.auth import get_user_model
-
 from passbook.oauth_client.source_types.manager import MANAGER, RequestKind
 from passbook.oauth_client.utils import user_get_or_create
 from passbook.oauth_client.views.core import OAuthCallback, OAuthRedirect
@@ -21,12 +19,11 @@ class GoogleOAuth2Callback(OAuthCallback):
     """Google OAuth2 Callback"""
 
     def get_or_create_user(self, source, access, info):
-        user = get_user_model()
         user_data = {
-            user.USERNAME_FIELD: info.get('email'),
+            'username': info.get('email'),
             'email': info.get('email', ''),
             'first_name': info.get('name'),
             'password': None,
         }
-        google_user = user_get_or_create(user_model=user, **user_data)
+        google_user = user_get_or_create(**user_data)
         return google_user

passbook/oauth_client/source_types/reddit.py

@@ -2,7 +2,6 @@
 import json
 from logging import getLogger
 
-from django.contrib.auth import get_user_model
 from requests.auth import HTTPBasicAuth
 from requests.exceptions import RequestException
 
@@ -59,12 +58,11 @@ class RedditOAuth2Callback(OAuthCallback):
     client_class = RedditOAuth2Client
 
     def get_or_create_user(self, source, access, info):
-        user = get_user_model()
         user_data = {
-            user.USERNAME_FIELD: info.get('name'),
+            'username': info.get('name'),
             'email': None,
             'first_name': info.get('name'),
             'password': None,
         }
-        reddit_user = user_get_or_create(user_model=user, **user_data)
+        reddit_user = user_get_or_create(**user_data)
         return reddit_user

passbook/oauth_client/source_types/supervisr.py

@@ -3,7 +3,6 @@
 import json
 from logging import getLogger
 
-from django.contrib.auth import get_user_model
 from requests.exceptions import RequestException
 
 from passbook.oauth_client.clients import OAuth2Client
@@ -44,12 +43,11 @@ class SupervisrOAuthCallback(OAuthCallback):
         return info['pk']
 
     def get_or_create_user(self, source, access, info):
-        user = get_user_model()
         user_data = {
-            user.USERNAME_FIELD: info.get('username'),
+            'username': info.get('username'),
             'email': info.get('email', ''),
             'first_name': info.get('first_name'),
             'password': None,
         }
-        sv_user = user_get_or_create(user_model=user, **user_data)
+        sv_user = user_get_or_create(**user_data)
         return sv_user

passbook/oauth_client/source_types/twitter.py

@@ -2,7 +2,6 @@
 
 from logging import getLogger
 
-from django.contrib.auth import get_user_model
 from requests.exceptions import RequestException
 
 from passbook.oauth_client.clients import OAuthClient
@@ -36,12 +35,11 @@ class TwitterOAuthCallback(OAuthCallback):
     client_class = TwitterOAuthClient
 
     def get_or_create_user(self, source, access, info):
-        user = get_user_model()
         user_data = {
-            user.USERNAME_FIELD: info.get('screen_name'),
+            'username': info.get('screen_name'),
             'email': info.get('email', ''),
             'first_name': info.get('name'),
             'password': None,
         }
-        tw_user = user_get_or_create(user_model=user, **user_data)
+        tw_user = user_get_or_create(**user_data)
         return tw_user

passbook/oauth_client/utils.py

@@ -1,16 +1,17 @@
 """OAuth Client User Creation Utils"""
 
-from django.contrib.auth import get_user_model
 from django.db.utils import IntegrityError
 
+from passbook.core.models import User
 
-def user_get_or_create(user_model=None, **kwargs):
+
+def user_get_or_create(**kwargs):
     """Create user or return existing user"""
-    if user_model is None:
-        user_model = get_user_model()
     try:
-        new_user = user_model.objects.create_user(**kwargs)
+        new_user = User.objects.create_user(**kwargs)
     except IntegrityError:
-        # TODO: Fix potential username change vuln
-        new_user = user_model.objects.get(username=kwargs['username'])
+        # At this point we've already checked that there is no existing connection
+        # to any user. Hence if we can't create the user,
+        kwargs['username'] = '%s_1' % kwargs['username']
+        new_user = User.objects.create_user(**kwargs)
     return new_user

passbook/oauth_client/views/core.py

@@ -113,7 +113,9 @@ class OAuthCallback(OAuthClientMixin, View):
                 )
             user = authenticate(source=self.source, identifier=identifier, request=request)
             if user is None:
+                LOGGER.debug("Handling new user")
                 return self.handle_new_user(self.source, connection, info)
+            LOGGER.debug("Handling existing user")
             return self.handle_existing_user(self.source, user, connection, info)
 
     # pylint: disable=unused-argument

passbook/oauth_provider/__init__.py

@@ -1,2 +1,2 @@
 """passbook oauth_provider Header"""
-__version__ = '0.0.9-alpha'
+__version__ = '0.0.12-alpha'

passbook/otp/__init__.py

@@ -1,2 +1,2 @@
 """passbook otp Header"""
-__version__ = '0.0.9-alpha'
+__version__ = '0.0.12-alpha'

passbook/otp/views.py

@@ -6,11 +6,11 @@ from logging import getLogger
 from django.contrib import messages
 from django.contrib.auth.mixins import LoginRequiredMixin
 from django.http import Http404, HttpRequest, HttpResponse
-from django.shortcuts import redirect, get_object_or_404
+from django.shortcuts import get_object_or_404, redirect
 from django.urls import reverse
 from django.utils.translation import ugettext as _
 from django.views import View
-from django.views.generic import FormView, TemplateView, DeleteView
+from django.views.generic import FormView, TemplateView
 from django_otp.plugins.otp_static.models import StaticDevice, StaticToken
 from django_otp.plugins.otp_totp.models import TOTPDevice
 from qrcode import make

passbook/saml_idp/__init__.py

@@ -1,2 +1,2 @@
 """passbook saml_idp Header"""
-__version__ = '0.0.9-alpha'
+__version__ = '0.0.12-alpha'

passbook/saml_idp/views.py

@@ -8,7 +8,9 @@ from django.core.validators import URLValidator
 from django.http import HttpResponse, HttpResponseBadRequest
 from django.shortcuts import get_object_or_404, redirect, render, reverse
 from django.utils.datastructures import MultiValueDictKeyError
+from django.utils.decorators import method_decorator
 from django.views import View
+from django.views.decorators.csrf import csrf_exempt
 from signxml.util import strip_pem_header
 
 from passbook.core.models import Application
@@ -26,6 +28,7 @@ def _generate_response(request, provider: SAMLProvider):
     """Generate a SAML response using processor_instance and return it in the proper Django
     response."""
     try:
+        provider.processor.init_deep_link(request, '')
         ctx = provider.processor.generate_response()
         ctx['remote'] = provider
         ctx['is_login'] = True
@@ -54,10 +57,11 @@ class ProviderMixin:
         return self._provider
 
 
-class LoginBeginView(CSRFExemptMixin, View):
+class LoginBeginView(LoginRequiredMixin, View):
     """Receives a SAML 2.0 AuthnRequest from a Service Provider and
     stores it in the session prior to enforcing login."""
 
+    @method_decorator(csrf_exempt)
     def dispatch(self, request, application):
         if request.method == 'POST':
             source = request.POST
@@ -71,12 +75,12 @@ class LoginBeginView(CSRFExemptMixin, View):
             return HttpResponseBadRequest('the SAML request payload is missing')
 
         request.session['RelayState'] = source.get('RelayState', '')
-        return redirect(reverse('passbook_saml_idp:saml_login_process'), kwargs={
+        return redirect(reverse('passbook_saml_idp:saml_login_process', kwargs={
             'application': application
-        })
+        }))
 
 
-class RedirectToSPView(View):
+class RedirectToSPView(LoginRequiredMixin, View):
     """Return autosubmit form"""
 
     def get(self, request, acs_url, saml_response, relay_state):
@@ -90,16 +94,17 @@ class RedirectToSPView(View):
         })
 
 
-class LoginProcessView(ProviderMixin, View):
+class LoginProcessView(ProviderMixin, LoginRequiredMixin, View):
     """Processor-based login continuation.
     Presents a SAML 2.0 Assertion for POSTing back to the Service Provider."""
 
-    def dispatch(self, request, application):
+    def get(self, request, application):
+        """Handle get request, i.e. render form"""
         LOGGER.debug("Request: %s", request)
         # Check if user has access
         access = True
         # TODO: Check access here
-        if self.provider.skip_authorization and access:
+        if self.provider.application.skip_authorization and access:
             ctx = self.provider.processor.generate_response()
             # TODO: AuditLog Skipped Authz
             return RedirectToSPView.as_view()(
@@ -107,7 +112,19 @@ class LoginProcessView(ProviderMixin, View):
                 acs_url=ctx['acs_url'],
                 saml_response=ctx['saml_response'],
                 relay_state=ctx['relay_state'])
-        if request.method == 'POST' and request.POST.get('ACSUrl', None) and access:
+        try:
+            full_res = _generate_response(request, self.provider)
+            return full_res
+        except exceptions.CannotHandleAssertion as exc:
+            LOGGER.debug(exc)
+
+    def post(self, request, application):
+        """Handle post request, return back to ACS"""
+        LOGGER.debug("Request: %s", request)
+        # Check if user has access
+        access = True
+        # TODO: Check access here
+        if request.POST.get('ACSUrl', None) and access:
             # User accepted request
             # TODO: AuditLog accepted
             return RedirectToSPView.as_view()(
@@ -122,7 +139,7 @@ class LoginProcessView(ProviderMixin, View):
             LOGGER.debug(exc)
 
 
-class LogoutView(CSRFExemptMixin, View):
+class LogoutView(CSRFExemptMixin, LoginRequiredMixin, View):
     """Allows a non-SAML 2.0 URL to log out the user and
     returns a standard logged-out page. (SalesForce and others use this method,
     though it's technically not SAML 2.0)."""