bump version: 0.1.7-beta -> 0.1.8-beta

Resolve "Custom Property Mapping"

Closes #22

See merge request BeryJu.org/passbook!8

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 0.1.1-beta
+current_version = 0.1.8-beta
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\-(?P<release>.*)
@@ -9,6 +9,7 @@ tag_name = version/{new_version}
 
 [bumpversion:part:release]
 optional_value = stable
+first_value = beta
 values = 
 	alpha
 	beta
@@ -36,6 +37,10 @@ values =
 
 [bumpversion:file:passbook/lib/__init__.py]
 
+[bumpversion:file:passbook/hibp_policy/__init__.py]
+
+[bumpversion:file:passbook/password_expiry_policy/__init__.py]
+
 [bumpversion:file:passbook/saml_idp/__init__.py]
 
 [bumpversion:file:passbook/audit/__init__.py]

.gitlab-ci.yml

@@ -53,7 +53,7 @@ package-docker:
   before_script:
     - echo "{\"auths\":{\"docker.$NEXUS_URL\":{\"auth\":\"$NEXUS_AUTH\"}}}" > /kaniko/.docker/config.json
   script:
-    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination docker.pkg.beryju.org/passbook:latest --destination docker.pkg.beryju.org/passbook:0.1.1-beta
+    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination docker.pkg.beryju.org/passbook:latest --destination docker.pkg.beryju.org/passbook:0.1.8-beta
   stage: build
   only:
     - tags
@@ -68,54 +68,30 @@ package-helm:
   only:
     - tags
     - /^version/.*$/
-# package-3.5:
+package-debian:
-#   before_script:
+  before_script:
-#     - apt update
+    - apt update
-#     - apt install -y build-essential debhelper devscripts equivs python3 python3-pip
+    - apt install -y --no-install-recommends build-essential debhelper devscripts equivs python3 python3-dev python3-pip libsasl2-dev libldap2-dev
-#     - cp debian/control-3.5 debian/control
+    - mk-build-deps debian/control
-#     - mk-build-deps debian/control
+    - apt install ./*build-deps*deb -f -y
-#     - apt install ./*build-deps*deb -f -y
+    - python3 -m pip install -U virtualenv pip
-#     - "python3 -m pip install -U virtualenv"
+    - virtualenv env
-#     - "virtualenv env"
+    - source env/bin/activate
-#     - "source env/bin/activate"
+    - pip3 install -U -r requirements.txt -r requirements-dev.txt
-#     - "pip3 install -U -r requirements.txt -r requirements-dev.txt"
+    - ./manage.py collectstatic --no-input
-#   image: debian
+  image: ubuntu:18.04
-#   script:
+  script:
-#     - debuild -us -uc
+    - debuild -us -uc
-#     - cp ../passbook*.deb .
+    - cp ../passbook*.deb .
-#     - python manage.py nexus_upload
+    - ./manage.py nexus_upload --method post --url $NEXUS_URL --auth $NEXUS_AUTH --repo apt passbook*deb
-#   artifacts:
+  artifacts:
-#     paths:
+    paths:
-#     - passbook-python3.5*deb
+    - passbook*deb
-#     expire_in: 2 days
+    expire_in: 2 days
-#   stage: build
+  stage: build
-#   only:
+  only:
-#   - tags
+  - tags
-#   - /^debian/.*$/
+  - /^version/.*$/
-# package-3.6:
-#   before_script:
-#     - apt update
-#     - apt install -y build-essential debhelper devscripts equivs python3 python3-pip
-#     - cp debian/control-3.6 debian/control
-#     - mk-build-deps debian/control
-#     - apt install ./*build-deps*deb -f -y
-#     - "python3 -m pip install -U virtualenv"
-#     - "virtualenv env"
-#     - "source env/bin/activate"
-#     - "pip3 install -U -r requirements.txt -r requirements-dev.txt"
-#   image: debian:buster
-#   script:
-#     - debuild -us -uc
-#     - cp ../passbook*.deb .
-#     - python manage.py nexus_upload
-#   artifacts:
-#     paths:
-#     - passbook-python3.6*deb
-#     expire_in: 2 days
-#   stage: build
-#   only:
-#     - tags
-#     - /^debian/.*$r
 
 # docs:
 #   stage: docs

debian/changelog

@@ -0,0 +1,25 @@
+passbook (0.1.7) stable; urgency=medium
+
+  * bump version: 0.1.3-beta -> 0.1.4-beta
+  * implicitly add kubernetes-healthcheck-host in helm configmap
+  * fix debian build (again)
+  * add PropertyMapping Model, add Subclass for SAML, test with AWS
+  * add custom DynamicArrayField to better handle arrays
+  * format data before inserting it
+  * bump version: 0.1.4-beta -> 0.1.5-beta
+  * fix static files missing for debian package
+  * fix password not getting set on user import
+  * remove audit's login attempt
+  * add passing property to PolicyEngine
+  * fix captcha factor not loading keys from Factor class
+  * bump version: 0.1.5-beta -> 0.1.6-beta
+  * fix MATCH_EXACT not working as intended
+  * Improve access control for saml
+
+ -- Jens Langhammer <jens.langhammer@beryju.org>  Fri, 08 Mar 2019 20:37:05 +0000
+
+passbook (0.1.4) stable; urgency=medium
+
+  * initial debian package release
+
+ -- Jens Langhammer <jens.langhammer@beryju.org>  Wed, 06 Mar 2019 18:22:41 +0000

debian/compat

@@ -0,0 +1 @@
+10

debian/config

@@ -0,0 +1,20 @@
+#!/bin/sh
+# config maintainer script for passbook
+set -e
+
+# source debconf stuff
+. /usr/share/debconf/confmodule
+
+dbc_first_version=1.0.0
+dbc_dbuser=passbook
+dbc_dbname=passbook
+
+# source dbconfig-common shell library, and call the hook function
+if [ -f /usr/share/dbconfig-common/dpkg/config.pgsql ]; then
+    . /usr/share/dbconfig-common/dpkg/config.pgsql
+    dbc_go passbook "$@"
+fi
+
+#DEBHELPER#
+
+exit 0

debian/control

@@ -0,0 +1,14 @@
+Source: passbook
+Section: admin
+Priority: optional
+Maintainer: BeryJu.org <support@beryju.org>
+Uploaders: Jens Langhammer <jens@beryju.org>, BeryJu.org <support@beryju.org>
+Build-Depends: debhelper (>= 10), dh-systemd (>= 1.5), dh-exec, wget, dh-exec, python3 (>= 3.5) | python3.6 | python3.7
+Standards-Version: 3.9.6
+
+Package: passbook
+Architecture: all
+Recommends: mysql-server, redis-server
+Pre-Depends: adduser, libldap2-dev, libsasl2-dev
+Depends: python3 (>= 3.5) | python3.6 | python3.7, python3-pip, dbconfig-pgsql | dbconfig-no-thanks, ${misc:Depends}
+Description: Authentication Provider/Proxy supporting protocols like SAML, OAuth, LDAP and more.

debian/copyright

@@ -0,0 +1,22 @@
+MIT License
+
+Copyright (c) 2019 BeryJu.org
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+

debian/dirs

@@ -0,0 +1,4 @@
+etc/passbook/
+etc/passbook/config.d/
+var/log/passbook/
+usr/share/passbook/

debian/etc/passbook/config.yml

@@ -0,0 +1,44 @@
+debug: false
+http:
+    host: 0.0.0.0
+    port: 8000
+secret_key_file: /etc/passbook/secret_key
+log:
+    level:
+        console: INFO
+        file: DEBUG
+    file: /var/log/passbook/passbook.log
+# Error reporting, disabled by default
+# error_report_enabled: true
+
+# Set this to the server's external address.
+# This is used to generate external URLs
+external_url: http://image.example.com
+
+# This dictates how the Path is generated
+# can be either of:
+# - view_sha512_short
+# - view_md5
+# - view_sha256
+# - view_sha512
+default_return_view: view_sha256
+
+# Set this to true if you only want to use external authentication
+external_auth_only: false
+
+# If this is true, images are automatically claimed if the windows user exists
+# in django
+auto_claim_enabled: true
+
+# LDAP Authentication
+# ldap:
+#     enabled: false
+#     server:
+#         uri: 'ldap://dc1.example.com'
+#         tls: false
+#     bind:
+#         dn: ''
+#         password: ''
+#     search_base: ''
+#     filter: '(sAMAccountName=%(user)s)'
+#     require_group: ''

debian/gbp.conf

@@ -0,0 +1,2 @@
+[buildpackage]
+export-dir=../build-area

debian/install

@@ -0,0 +1,8 @@
+passbook		/usr/share/passbook/
+static			/usr/share/passbook/
+manage.py		/usr/share/passbook/
+passbook.sh		/usr/share/passbook/
+vendor			/usr/share/passbook/
+
+debian/etc/passbook								/etc/
+debian/templates/database.yml					/usr/share/passbook/

debian/passbook-worker.service

@@ -0,0 +1,14 @@
+[Unit]
+Description=passbook - Authentication Provider/Proxy (Background worker)
+After=network.target
+Requires=network.target
+
+[Service]
+User=passbook
+Group=passbook
+WorkingDirectory=/usr/share/passbook
+Type=simple
+ExecStart=/usr/share/passbook/passbook.sh worker
+
+[Install]
+WantedBy=multi-user.target

debian/passbook.service

@@ -0,0 +1,14 @@
+[Unit]
+Description=passbook - Authentication Provider/Proxy
+After=network.target
+Requires=network.target
+
+[Service]
+User=passbook
+Group=passbook
+WorkingDirectory=/usr/share/passbook
+Type=simple
+ExecStart=/usr/share/passbook/passbook.sh web
+
+[Install]
+WantedBy=multi-user.target

debian/postinst

@@ -0,0 +1,36 @@
+#!/bin/bash
+
+set -e
+
+. /usr/share/debconf/confmodule
+. /usr/share/dbconfig-common/dpkg/postinst.pgsql
+
+# you can set the default database encoding to something else
+dbc_pgsql_createdb_encoding="UTF8"
+dbc_generate_include=template:/etc/passbook/config.d/database.yml
+dbc_generate_include_args="-o template_infile=/usr/share/passbook/database.yml"
+dbc_go passbook "$@"
+
+if [ -z "`getent group passbook`" ]; then
+	addgroup --quiet --system passbook
+fi
+if [ -z "`getent passwd passbook`" ]; then
+	echo " * Creating user and group passbook..."
+	adduser --quiet --system --home /usr/share/passbook --shell /bin/false --ingroup passbook --disabled-password --disabled-login --gecos "passbook User" passbook  >> /var/log/passbook/passbook.log 2>&1
+fi
+echo " * Updating binary packages (psycopg2)"
+python3 -m pip install --target=/usr/share/passbook/vendor/ --no-cache-dir --upgrade --force-reinstall psycopg2 >> /var/log/passbook/passbook.log 2>&1
+if [ ! -f '/etc/passbook/secret_key' ]; then
+	echo " * Generating Secret Key"
+	python3 -c 'import random; result = "".join([random.choice("abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)") for i in range(50)]); print(result)' > /etc/passbook/secret_key 2> /dev/null
+fi
+chown -R passbook: /usr/share/passbook/
+chown -R passbook: /etc/passbook/
+chown -R passbook: /var/log/passbook/
+chmod 440 /etc/passbook/secret_key
+echo " * Running Database Migration"
+/usr/share/passbook/passbook.sh migrate
+echo " * A superuser can be created with this command '/usr/share/passbook/passbook.sh createsuperuser'"
+echo " * You should probably also adjust your settings in '/etc/passbook/config.yml'"
+
+#DEBHELPER#

debian/postrm

@@ -0,0 +1,24 @@
+#!/bin/sh
+
+set -e
+
+if [ -f /usr/share/debconf/confmodule ]; then
+    . /usr/share/debconf/confmodule
+fi
+if [ -f /usr/share/dbconfig-common/dpkg/postrm.pgsql ]; then
+    . /usr/share/dbconfig-common/dpkg/postrm.pgsql
+    dbc_go passbook "$@"
+fi
+
+
+if [ "$1" = "purge" ]; then
+    if which ucf >/dev/null 2>&1; then
+        ucf --purge /etc/passbook/config.d/database.yml
+        ucfr --purge passbook /etc/passbook/config.d/database.yml
+    fi
+    rm -rf /etc/passbook/
+    rm -rf /usr/share/passbook/
+fi
+
+#DEBHELPER#
+

debian/prerm

@@ -0,0 +1,10 @@
+#!/bin/sh
+
+set -e
+
+. /usr/share/debconf/confmodule
+. /usr/share/dbconfig-common/dpkg/prerm.pgsql
+dbc_go passbook "$@"
+
+#DEBHELPER#
+

debian/rules

@@ -0,0 +1,27 @@
+#!/usr/bin/make -f
+
+# Uncomment this to turn on verbose mode.
+# export DH_VERBOSE=1
+
+%:
+	dh $@ --with=systemd
+
+build-arch:
+	python3 -m pip install setuptools
+	python3 -m pip install --target=vendor/ -r requirements.txt
+
+override_dh_strip:
+	dh_strip --exclude=psycopg2
+
+override_dh_shlibdeps:
+	dh_shlibdeps --exclude=psycopg2
+
+override_dh_installinit:
+	dh_installinit --name=passbook
+	dh_installinit --name=passbook-worker
+	dh_systemd_enable --name=passbook
+	dh_systemd_enable --name=passbook-worker
+	dh_systemd_start
+
+# override_dh_usrlocal to do nothing
+override_dh_usrlocal:

debian/source/format

@@ -0,0 +1 @@
+3.0 (native)

debian/templates/database.yml

@@ -0,0 +1,8 @@
+databases:
+  default:
+    engine: django.db.backends.postgresql
+    name: _DBC_DBNAME_
+    user: _DBC_DBUSER_
+    password: _DBC_DBPASS_
+    host: _DBC_DBSERVER_
+    port: _DBC_DBPORT_

helm/passbook/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v1
-appVersion: "0.1.1-beta"
+appVersion: "0.1.8-beta"
 description: A Helm chart for passbook.
 name: passbook
-version: "0.1.1-beta"
+version: "0.1.8-beta"
 icon: https://passbook.beryju.org/images/logo.png

helm/passbook/templates/passbook-configmap.yaml

@@ -50,6 +50,7 @@ data:
         {{- range .Values.ingress.hosts }}
         - {{ . | quote }}
         {{- end }}
+        - kubernetes-healthcheck-host
 
     passbook:
       sign_up:
@@ -130,6 +131,7 @@ data:
       # List of python packages with provider types to load.
       types:
         - passbook.saml_idp.processors.generic
+        - passbook.saml_idp.processors.aws
         - passbook.saml_idp.processors.gitlab
         - passbook.saml_idp.processors.nextcloud
         - passbook.saml_idp.processors.salesforce

helm/passbook/values.yaml

@@ -5,7 +5,7 @@
 replicaCount: 1
 
 image:
-  tag: 0.1.1-beta
+  tag: 0.1.8-beta
 
 nameOverride: ""
 

passbook.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# Check if this file is a symlink, if so, read real base dir
+BASE_DIR=$(dirname $(readlink -f ${BASH_SOURCE[0]}))
+
+cd $BASE_DIR
+PYTHONPATH="${BASE_DIR}/vendor/" python3 manage.py $@

passbook/__init__.py

@@ -1,2 +1,2 @@
 """passbook"""
-__version__ = '0.1.1-beta'
+__version__ = '0.1.8-beta'

passbook/admin/__init__.py

@@ -1,2 +1,2 @@
 """passbook admin"""
-__version__ = '0.1.1-beta'
+__version__ = '0.1.8-beta'

passbook/admin/forms/users.py

@@ -0,0 +1,17 @@
+"""passbook administrative user forms"""
+
+from django import forms
+
+from passbook.core.models import User
+
+
+class UserForm(forms.ModelForm):
+    """Update User Details"""
+
+    class Meta:
+
+        model = User
+        fields = ['username', 'name', 'email', 'is_staff', 'is_active']
+        widgets = {
+            'name': forms.TextInput
+        }

passbook/admin/templates/administration/base.html

@@ -5,35 +5,45 @@
 
 {% block nav_secondary %}
 <ul class="nav navbar-nav navbar-persistent">
-  <li class="{% is_active 'passbook_admin:overview' %}">
+    <li class="{% is_active 'passbook_admin:overview' %}">
-    <a href="{% url 'passbook_admin:overview' %}">{% trans 'Overview' %}</a>
+        <a href="{% url 'passbook_admin:overview' %}">{% trans 'Overview' %}</a>
-  </li>
+    </li>
-  <li class="{% is_active 'passbook_admin:applications' 'passbook_admin:application-create' 'passbook_admin:application-update' 'passbook_admin:application-delete' %}">
+    <li
-    <a href="{% url 'passbook_admin:applications' %}">{% trans 'Applications' %}</a>
+        class="{% is_active 'passbook_admin:applications' 'passbook_admin:application-create' 'passbook_admin:application-update' 'passbook_admin:application-delete' %}">
-  </li>
+        <a href="{% url 'passbook_admin:applications' %}">{% trans 'Applications' %}</a>
-  <li class="{% is_active 'passbook_admin:sources' 'passbook_admin:source-create' 'passbook_admin:source-update' 'passbook_admin:source-delete' %}">
+    </li>
-    <a href="{% url 'passbook_admin:sources' %}">{% trans 'Sources' %}</a>
+    <li
-  </li>
+        class="{% is_active 'passbook_admin:sources' 'passbook_admin:source-create' 'passbook_admin:source-update' 'passbook_admin:source-delete' %}">
-  <li class="{% is_active 'passbook_admin:providers' 'passbook_admin:provider-create' 'passbook_admin:provider-update' 'passbook_admin:provider-delete' %}">
+        <a href="{% url 'passbook_admin:sources' %}">{% trans 'Sources' %}</a>
-    <a href="{% url 'passbook_admin:providers' %}">{% trans 'Providers' %}</a>
+    </li>
-  </li>
+    <li
-  <li class="{% is_active 'passbook_admin:factors' 'passbook_admin:factor-create' 'passbook_admin:factor-update' 'passbook_admin:factor-delete' %}">
+        class="{% is_active 'passbook_admin:providers' 'passbook_admin:provider-create' 'passbook_admin:provider-update' 'passbook_admin:provider-delete' %}">
-    <a href="{% url 'passbook_admin:factors' %}">{% trans 'Factors' %}</a>
+        <a href="{% url 'passbook_admin:providers' %}">{% trans 'Providers' %}</a>
-  </li>
+    </li>
-  <li class="{% is_active 'passbook_admin:policies' 'passbook_admin:policy-create' 'passbook_admin:policy-update' 'passbook_admin:policy-delete' 'passbook_admin:policy-test' %}">
+    <li
-    <a href="{% url 'passbook_admin:policies' %}">{% trans 'Policies' %}</a>
+        class="{% is_active 'passbook_admin:property-mappings' 'passbook_admin:property-mapping-create' 'passbook_admin:property-mapping-update' 'passbook_admin:property-mapping-delete' %}">
-  </li>
+        <a href="{% url 'passbook_admin:property-mappings' %}">{% trans 'Property Mappings' %}</a>
-  <li class="{% is_active 'passbook_admin:invitations' 'passbook_admin:invitation-create' 'passbook_admin:invitation-update' 'passbook_admin:invitation-delete' 'passbook_admin:invitation-test' %}">
+    </li>
-    <a href="{% url 'passbook_admin:invitations' %}">{% trans 'Invitations' %}</a>
+    <li
-  </li>
+        class="{% is_active 'passbook_admin:factors' 'passbook_admin:factor-create' 'passbook_admin:factor-update' 'passbook_admin:factor-delete' %}">
-  <li class="{% is_active 'passbook_admin:users' 'passbook_admin:user-update' 'passbook_admin:user-delete' %}">
+        <a href="{% url 'passbook_admin:factors' %}">{% trans 'Factors' %}</a>
-    <a href="{% url 'passbook_admin:users' %}">{% trans 'Users' %}</a>
+    </li>
-  </li>
+    <li
-  <li class="{% is_active 'passbook_admin:audit-log' %}">
+        class="{% is_active 'passbook_admin:policies' 'passbook_admin:policy-create' 'passbook_admin:policy-update' 'passbook_admin:policy-delete' 'passbook_admin:policy-test' %}">
-    <a href="{% url 'passbook_admin:audit-log' %}">{% trans 'Audit Log' %}</a>
+        <a href="{% url 'passbook_admin:policies' %}">{% trans 'Policies' %}</a>
-  </li>
+    </li>
-  <li class="{% is_active_app 'admin' %}">
+    <li
-    <a href="{% url 'admin:index' %}">{% trans 'Django' %}</a>
+        class="{% is_active 'passbook_admin:invitations' 'passbook_admin:invitation-create' 'passbook_admin:invitation-update' 'passbook_admin:invitation-delete' 'passbook_admin:invitation-test' %}">
-  </li>
+        <a href="{% url 'passbook_admin:invitations' %}">{% trans 'Invitations' %}</a>
+    </li>
+    <li class="{% is_active 'passbook_admin:users' 'passbook_admin:user-update' 'passbook_admin:user-delete' %}">
+        <a href="{% url 'passbook_admin:users' %}">{% trans 'Users' %}</a>
+    </li>
+    <li class="{% is_active 'passbook_admin:audit-log' %}">
+        <a href="{% url 'passbook_admin:audit-log' %}">{% trans 'Audit Log' %}</a>
+    </li>
+    <li class="{% is_active_app 'admin' %}">
+        <a href="{% url 'admin:index' %}">{% trans 'Django' %}</a>
+    </li>
 </ul>
 {% endblock %}

passbook/admin/templates/administration/overview.html

@@ -76,9 +76,13 @@
             <div class="card-pf-body">
                 <p class="card-pf-aggregate-status-notifications">
                     <span class="card-pf-aggregate-status-notification">
-                        <a href="{% url 'passbook_admin:factors' %}">
+                        {% if factor_count < 1 %}
-                            <span class="pficon pficon-ok"></span>{{ factor_count }}
+                        <span class="pficon-error-circle-o" data-toggle="tooltip" data-placement="right"
-                        </a>
+                            title="{% trans 'No Factors configured. No Users will be able to login.' %}"></span>
+                        {{ factor_count }}
+                        {% else %}
+                        <span class="pficon pficon-ok"></span>{{ factor_count }}
+                        {% endif %}
                     </span>
                 </p>
             </div>
@@ -95,9 +99,13 @@
             <div class="card-pf-body">
                 <p class="card-pf-aggregate-status-notifications">
                     <span class="card-pf-aggregate-status-notification">
-                        <a href="{% url 'passbook_admin:policies' %}">
+                        {% if policies_without_attachment > 0 %}
-                            <span class="pficon pficon-ok"></span>{{ policy_count }}
+                        <span class="pficon-warning-triangle-o" data-toggle="tooltip" data-placement="right"
-                        </a>
+                            title="{% trans 'Policies without attachment exist.' %}"></span>
+                        {{ policy_count }}
+                        {% else %}
+                        <span class="pficon pficon-ok"></span>{{ policy_count }}
+                        {% endif %}
                     </span>
                 </p>
             </div>
@@ -174,7 +182,7 @@
                         <a href="#">
                             {% if worker_count < 1%}
                             <span class="pficon-error-circle-o" data-toggle="tooltip" data-placement="right"
-                                title="{% trans 'No workers connected. Policies may not work.' %}"></span> {{ worker_count }}
+                                title="{% trans 'No workers connected. Policies will not work and you may expect other issues.' %}"></span> {{ worker_count }}
                             {% else %}
                             <span class="pficon pficon-ok"></span>{{ worker_count }}
                             {% endif %}

passbook/admin/templates/administration/policy/list.html

@@ -28,6 +28,7 @@
     <table class="table table-striped table-bordered">
         <thead>
             <tr>
+                <th></th>
                 <th>{% trans 'Name' %}</th>
                 <th>{% trans 'Type' %}</th>
                 <th></th>
@@ -35,7 +36,14 @@
         </thead>
         <tbody>
             {% for policy in object_list %}
-            <tr>
+            <tr {% if not policy.policymodel_set.exists %} class="warning" {% endif %}>
+                <th>
+                    {% if not policy.policymodel_set.exists %}
+                    <span class="pficon-warning-triangle-o" data-toggle="tooltip" data-placement="right" title="{% trans 'Warning: Policy is not assigned.' %}"></span>
+                    {% else %}
+                    <span class="pficon-ok" data-toggle="tooltip" data-placement="right" title="{% blocktrans with objects=policy.policymodel_set.all|join:', ' %}Assigned to objects {{ objects }}{% endblocktrans %}"></span>
+                    {% endif %}
+                </th>
                 <td>{{ policy.name }}</td>
                 <td>{{ policy|verbose_name }}</td>
                 <td>

passbook/admin/templates/administration/property_mapping/list.html

@@ -0,0 +1,52 @@
+{% extends "administration/base.html" %}
+
+{% load i18n %}
+{% load utils %}
+
+{% block title %}
+{% title %}
+{% endblock %}
+
+{% block content %}
+<div class="container">
+    <h1><span class="fa fa-table"></span> {% trans "Property Mappings" %}</h1>
+    <span>{% trans "Property Mappings allow you expose provider-specific attributes." %}</span>
+    <hr>
+    <div class="dropdown">
+        <button class="btn btn-primary dropdown-toggle" type="button" id="createDropdown" data-toggle="dropdown">
+            {% trans 'Create...' %}
+            <span class="caret"></span>
+        </button>
+        <ul class="dropdown-menu" role="menu" aria-labelledby="createDropdown">
+            {% for type, name in types.items %}
+            <li role="presentation"><a role="menuitem" tabindex="-1"
+                    href="{% url 'passbook_admin:property-mapping-create' %}?type={{ type }}&back={{ request.get_full_path }}">{{ name }}</a></li>
+            {% endfor %}
+        </ul>
+    </div>
+    <hr>
+    <table class="table table-striped table-bordered">
+        <thead>
+            <tr>
+                <th>{% trans 'Name' %}</th>
+                <th>{% trans 'Type' %}</th>
+                <th></th>
+            </tr>
+        </thead>
+        <tbody>
+            {% for property_mapping in object_list %}
+            <tr>
+                <td>{{ property_mapping.name }} ({{ property_mapping.slug }})</td>
+                <td>{{ property_mapping|verbose_name }}</td>
+                <td>
+                    <a class="btn btn-default btn-sm"
+                        href="{% url 'passbook_admin:property-mapping-update' pk=property_mapping.pk %}?back={{ request.get_full_path }}">{% trans 'Edit' %}</a>
+                    <a class="btn btn-default btn-sm"
+                        href="{% url 'passbook_admin:property-mapping-delete' pk=property_mapping.pk %}?back={{ request.get_full_path }}">{% trans 'Delete' %}</a>
+                </td>
+            </tr>
+            {% endfor %}
+        </tbody>
+    </table>
+</div>
+{% endblock %}

passbook/admin/templates/generic/form.html

@@ -3,6 +3,11 @@
 {% load i18n %}
 {% load utils %}
 
+{% block head %}
+{{ block.super }}
+{{ form.media.css }}
+{% endblock %}
+
 {% block content %}
 <div class="container">
   {% block above_form %}
@@ -16,3 +21,8 @@
   </div>
 </div>
 {% endblock %}
+
+{% block scripts %}
+{{ block.super }}
+{{ form.media.js }}
+{% endblock %}

passbook/admin/urls.py

@@ -2,8 +2,8 @@
 from django.urls import include, path
 
 from passbook.admin.views import (applications, audit, factors, groups,
-                                  invitations, overview, policy, providers,
+                                  invitations, overview, policy,
-                                  sources, users)
+                                  property_mapping, providers, sources, users)
 
 urlpatterns = [
     path('', overview.AdministrationOverviewView.as_view(), name='overview'),
@@ -43,6 +43,15 @@ urlpatterns = [
          factors.FactorUpdateView.as_view(), name='factor-update'),
     path('factors/<uuid:pk>/delete/',
          factors.FactorDeleteView.as_view(), name='factor-delete'),
+    # Factors
+    path('property-mappings/', property_mapping.PropertyMappingListView.as_view(),
+         name='property-mappings'),
+    path('property-mappings/create/',
+         property_mapping.PropertyMappingCreateView.as_view(), name='property-mapping-create'),
+    path('property-mappings/<uuid:pk>/update/',
+         property_mapping.PropertyMappingUpdateView.as_view(), name='property-mapping-update'),
+    path('property-mappings/<uuid:pk>/delete/',
+         property_mapping.PropertyMappingDeleteView.as_view(), name='property-mapping-delete'),
     # Invitations
     path('invitations/', invitations.InvitationListView.as_view(), name='invitations'),
     path('invitations/create/',

passbook/admin/views/overview.py

@@ -24,4 +24,5 @@ class AdministrationOverviewView(AdminRequiredMixin, TemplateView):
         kwargs['version'] = __version__
         kwargs['worker_count'] = len(CELERY_APP.control.ping(timeout=0.5))
         kwargs['providers_without_application'] = Provider.objects.filter(application=None)
+        kwargs['policies_without_attachment'] = len(Policy.objects.filter(policymodel__isnull=True))
         return super().get_context_data(**kwargs)

passbook/admin/views/property_mapping.py

@@ -0,0 +1,90 @@
+"""passbook PropertyMapping administration"""
+from django.contrib import messages
+from django.contrib.messages.views import SuccessMessageMixin
+from django.http import Http404
+from django.urls import reverse_lazy
+from django.utils.translation import ugettext as _
+from django.views.generic import CreateView, DeleteView, ListView, UpdateView
+
+from passbook.admin.mixins import AdminRequiredMixin
+from passbook.core.models import PropertyMapping
+from passbook.lib.utils.reflection import path_to_class
+
+
+def all_subclasses(cls):
+    """Recursively return all subclassess of cls"""
+    return set(cls.__subclasses__()).union(
+        [s for c in cls.__subclasses__() for s in all_subclasses(c)])
+
+
+class PropertyMappingListView(AdminRequiredMixin, ListView):
+    """Show list of all property_mappings"""
+
+    model = PropertyMapping
+    template_name = 'administration/property_mapping/list.html'
+    ordering = 'name'
+
+    def get_context_data(self, **kwargs):
+        kwargs['types'] = {
+            x.__name__: x._meta.verbose_name for x in all_subclasses(PropertyMapping)}
+        return super().get_context_data(**kwargs)
+
+    def get_queryset(self):
+        return super().get_queryset().select_subclasses()
+
+
+class PropertyMappingCreateView(SuccessMessageMixin, AdminRequiredMixin, CreateView):
+    """Create new PropertyMapping"""
+
+    template_name = 'generic/create.html'
+    success_url = reverse_lazy('passbook_admin:property-mappings')
+    success_message = _('Successfully created Property Mapping')
+
+    def get_context_data(self, **kwargs):
+        kwargs = super().get_context_data(**kwargs)
+        property_mapping_type = self.request.GET.get('type')
+        model = next(x for x in all_subclasses(PropertyMapping)
+                     if x.__name__ == property_mapping_type)
+        kwargs['type'] = model._meta.verbose_name
+        return kwargs
+
+    def get_form_class(self):
+        property_mapping_type = self.request.GET.get('type')
+        model = next(x for x in all_subclasses(PropertyMapping)
+                     if x.__name__ == property_mapping_type)
+        if not model:
+            raise Http404
+        return path_to_class(model.form)
+
+
+class PropertyMappingUpdateView(SuccessMessageMixin, AdminRequiredMixin, UpdateView):
+    """Update property_mapping"""
+
+    model = PropertyMapping
+    template_name = 'generic/update.html'
+    success_url = reverse_lazy('passbook_admin:property-mappings')
+    success_message = _('Successfully updated Property Mapping')
+
+    def get_form_class(self):
+        form_class_path = self.get_object().form
+        form_class = path_to_class(form_class_path)
+        return form_class
+
+    def get_object(self, queryset=None):
+        return PropertyMapping.objects.filter(pk=self.kwargs.get('pk')).select_subclasses().first()
+
+
+class PropertyMappingDeleteView(SuccessMessageMixin, AdminRequiredMixin, DeleteView):
+    """Delete property_mapping"""
+
+    model = PropertyMapping
+    template_name = 'generic/delete.html'
+    success_url = reverse_lazy('passbook_admin:property-mappings')
+    success_message = _('Successfully deleted Property Mapping')
+
+    def get_object(self, queryset=None):
+        return PropertyMapping.objects.filter(pk=self.kwargs.get('pk')).select_subclasses().first()
+
+    def delete(self, request, *args, **kwargs):
+        messages.success(self.request, self.success_message)
+        return super().delete(request, *args, **kwargs)

passbook/admin/views/users.py

@@ -7,8 +7,8 @@ from django.utils.translation import ugettext as _
 from django.views import View
 from django.views.generic import DeleteView, ListView, UpdateView
 
+from passbook.admin.forms.users import UserForm
 from passbook.admin.mixins import AdminRequiredMixin
-from passbook.core.forms.users import UserDetailForm
 from passbook.core.models import Nonce, User
 
 
@@ -23,7 +23,7 @@ class UserUpdateView(SuccessMessageMixin, AdminRequiredMixin, UpdateView):
     """Update user"""
 
     model = User
-    form_class = UserDetailForm
+    form_class = UserForm
 
     template_name = 'generic/update.html'
     success_url = reverse_lazy('passbook_admin:users')

passbook/api/__init__.py

@@ -1,2 +1,2 @@
 """passbook api"""
-__version__ = '0.1.1-beta'
+__version__ = '0.1.8-beta'

passbook/audit/__init__.py

@@ -1,2 +1,2 @@
 """passbook audit Header"""
-__version__ = '0.1.1-beta'
+__version__ = '0.1.8-beta'

passbook/audit/migrations/0004_delete_loginattempt.py

@@ -0,0 +1,16 @@
+# Generated by Django 2.1.7 on 2019-03-08 14:53
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('passbook_audit', '0003_auto_20190221_1240'),
+    ]
+
+    operations = [
+        migrations.DeleteModel(
+            name='LoginAttempt',
+        ),
+    ]

passbook/audit/models.py

@@ -1,5 +1,4 @@
 """passbook audit models"""
-from datetime import timedelta
 from logging import getLogger
 
 from django.conf import settings
@@ -7,11 +6,10 @@ from django.contrib.auth.models import AnonymousUser
 from django.contrib.postgres.fields import JSONField
 from django.core.exceptions import ValidationError
 from django.db import models
-from django.utils import timezone
 from django.utils.translation import gettext as _
 from ipware import get_client_ip
 
-from passbook.lib.models import CreatedUpdatedModel, UUIDModel
+from passbook.lib.models import UUIDModel
 
 LOGGER = getLogger(__name__)
 
@@ -75,43 +73,3 @@ class AuditEntry(UUIDModel):
 
         verbose_name = _('Audit Entry')
         verbose_name_plural = _('Audit Entries')
-
-
-class LoginAttempt(CreatedUpdatedModel):
-    """Track failed login-attempts"""
-
-    target_uid = models.CharField(max_length=254)
-    request_ip = models.GenericIPAddressField()
-    attempts = models.IntegerField(default=1)
-
-    @staticmethod
-    def attempt(target_uid, request):
-        """Helper function to create attempt or count up existing one"""
-        if not target_uid:
-            return
-        client_ip, _ = get_client_ip(request)
-        # Since we can only use 254 chars for target_uid, truncate target_uid.
-        target_uid = target_uid[:254]
-        time_threshold = timezone.now() - timedelta(minutes=10)
-        existing_attempts = LoginAttempt.objects.filter(
-            target_uid=target_uid,
-            request_ip=client_ip,
-            last_updated__gt=time_threshold).order_by('created')
-        if existing_attempts.exists():
-            attempt = existing_attempts.first()
-            attempt.attempts += 1
-            attempt.save()
-            LOGGER.debug("Increased attempts on %s", attempt)
-        else:
-            attempt = LoginAttempt.objects.create(
-                target_uid=target_uid,
-                request_ip=client_ip)
-            LOGGER.debug("Created new attempt %s", attempt)
-
-    def __str__(self):
-        return "LoginAttempt to %s from %s (x%d)" % (self.target_uid,
-                                                     self.request_ip, self.attempts)
-
-    class Meta:
-
-        unique_together = (('target_uid', 'request_ip', 'created'),)

passbook/audit/requirements.txt

@@ -1 +0,0 @@
-django-ipware

passbook/audit/signals.py

@@ -1,9 +1,8 @@
 """passbook audit signal listener"""
-from django.contrib.auth.signals import (user_logged_in, user_logged_out,
+from django.contrib.auth.signals import user_logged_in, user_logged_out
-                                         user_login_failed)
 from django.dispatch import receiver
 
-from passbook.audit.models import AuditEntry, LoginAttempt
+from passbook.audit.models import AuditEntry
 from passbook.core.signals import (invitation_created, invitation_used,
                                    user_signed_up)
 
@@ -34,8 +33,3 @@ def on_invitation_used(sender, request, invitation, **kwargs):
     """Log Invitation usage"""
     AuditEntry.create(AuditEntry.ACTION_INVITE_USED, request,
                       invitation_uuid=invitation.uuid.hex)
-
-@receiver(user_login_failed)
-def on_user_login_failed(sender, request, credentials, **kwargs):
-    """Log failed login attempt"""
-    LoginAttempt.attempt(target_uid=credentials.get('username'), request=request)

passbook/captcha_factor/__init__.py

@@ -1,2 +1,2 @@
 """passbook captcha_factor Header"""
-__version__ = '0.1.1-beta'
+__version__ = '0.1.8-beta'

passbook/captcha_factor/factor.py

@@ -13,3 +13,10 @@ class CaptchaFactor(FormView, AuthenticationFactor):
 
     def form_valid(self, form):
         return self.authenticator.user_ok()
+
+    def get_form(self, form_class=None):
+        form = CaptchaForm(**self.get_form_kwargs())
+        form.fields['captcha'].public_key = '6Lfi1w8TAAAAAELH-YiWp0OFItmMzvjGmw2xkvUN'
+        form.fields['captcha'].private_key = '6Lfi1w8TAAAAAMQI3f86tGMvd1QkcqqVQyBWI23D'
+        form.fields['captcha'].widget.attrs["data-sitekey"] = form.fields['captcha'].public_key
+        return form

passbook/core/__init__.py

@@ -1,2 +1,2 @@
 """passbook core"""
-__version__ = '0.1.1-beta'
+__version__ = '0.1.8-beta'

passbook/core/auth/factors/password.py

@@ -37,7 +37,7 @@ class PasswordFactor(FormView, AuthenticationFactor):
             send_email.delay(self.pending_user.email, _('Forgotten password'),
                              'email/account_password_reset.html', {
                                  'url': self.request.build_absolute_uri(
-                                     reverse('passbook_core:passbook_core:auth-password-reset',
+                                     reverse('passbook_core:auth-password-reset',
                                              kwargs={
                                                  'nonce': nonce.uuid
                                              })

passbook/core/auth/view.py

@@ -65,8 +65,8 @@ class AuthenticationView(UserPassesTestMixin, View):
             self.pending_factors = []
             for factor in _all_factors:
                 policy_engine = PolicyEngine(factor.policies.all())
-                policy_engine.for_user(self.pending_user)
+                policy_engine.for_user(self.pending_user).with_request(request).build()
-                if policy_engine.result[0]:
+                if policy_engine.passing:
                     self.pending_factors.append((factor.uuid.hex, factor.type))
         # Read and instantiate factor from session
         factor_uuid, factor_class = None, None

passbook/core/celery.py

@@ -5,9 +5,8 @@ import os
 
 import celery
 from django.conf import settings
-
+from raven import Client
-# from raven import Client
+from raven.contrib.celery import register_logger_signal, register_signal
-# from raven.contrib.celery import register_logger_signal, register_signal
 
 # set the default Django settings module for the 'celery' program.
 os.environ.setdefault("DJANGO_SETTINGS_MODULE", "passbook.core.settings")
@@ -18,16 +17,17 @@ LOGGER = logging.getLogger(__name__)
 class Celery(celery.Celery):
     """Custom Celery class with Raven configured"""
 
-    # def on_configure(self):
+    # pylint: disable=method-hidden
-    #     """Update raven client"""
+    def on_configure(self):
-    #     try:
+        """Update raven client"""
-    #         client = Client(settings.RAVEN_CONFIG.get('dsn'))
+        try:
-    #         # register a custom filter to filter out duplicate logs
+            client = Client(settings.RAVEN_CONFIG.get('dsn'))
-    #         register_logger_signal(client)
+            # register a custom filter to filter out duplicate logs
-    #         # hook into the Celery error handler
+            register_logger_signal(client)
-    #         register_signal(client)
+            # hook into the Celery error handler
-    #     except RecursionError:  # This error happens when pdoc is running
+            register_signal(client)
-    #         pass
+        except RecursionError:  # This error happens when pdoc is running
+            pass
 
 
 # pylint: disable=unused-argument

passbook/core/forms/authentication.py

@@ -81,8 +81,6 @@ class SignUpForm(forms.Form):
         password_repeat = self.cleaned_data.get('password_repeat')
         if password != password_repeat:
             raise ValidationError(_("Passwords don't match"))
-        # TODO: Password policy? Via Plugin? via Policy?
-        # return check_password(self)
         return self.cleaned_data.get('password_repeat')
 
 
@@ -91,5 +89,6 @@ class PasswordFactorForm(forms.Form):
 
     password = forms.CharField(widget=forms.PasswordInput(attrs={
         'placeholder': _('Password'),
-        'autofocus': 'autofocus'
+        'autofocus': 'autofocus',
+        'autocomplete': 'current-password'
         }))

passbook/core/forms/factors.py

@@ -2,6 +2,7 @@
 from django import forms
 
 from passbook.core.models import DummyFactor, PasswordFactor
+from passbook.lib.fields import DynamicArrayField
 
 GENERAL_FIELDS = ['name', 'slug', 'order', 'policies', 'enabled']
 
@@ -16,6 +17,9 @@ class PasswordFactorForm(forms.ModelForm):
             'name': forms.TextInput(),
             'order': forms.NumberInput(),
         }
+        field_classes = {
+            'backends': DynamicArrayField
+        }
 
 class DummyFactorForm(forms.ModelForm):
     """Form to create/edit Dummy Factor"""

passbook/core/forms/users.py

@@ -22,10 +22,14 @@ class PasswordChangeForm(forms.Form):
     """Form to update password"""
 
     password = forms.CharField(label=_('Password'),
-                               widget=forms.PasswordInput(attrs={'placeholder': _('New Password')}))
+                               widget=forms.PasswordInput(attrs={
+                                   'placeholder': _('New Password'),
+                                   'autocomplete': 'new-password'
+                                   }))
     password_repeat = forms.CharField(label=_('Repeat Password'),
                                       widget=forms.PasswordInput(attrs={
-                                          'placeholder': _('Repeat Password')
+                                          'placeholder': _('Repeat Password'),
+                                          'autocomplete': 'new-password'
                                       }))
 
     def clean_password_repeat(self):
@@ -34,5 +38,4 @@ class PasswordChangeForm(forms.Form):
         password_repeat = self.cleaned_data.get('password_repeat')
         if password != password_repeat:
             raise ValidationError(_("Passwords don't match"))
-        # TODO: Password policy check
         return self.cleaned_data.get('password_repeat')

passbook/core/management/commands/import_users.py

@@ -0,0 +1,45 @@
+"""passbook import_users management command"""
+from csv import DictReader
+from logging import getLogger
+
+from django.core.management.base import BaseCommand
+from django.core.validators import EmailValidator, ValidationError
+
+from passbook.core.models import User
+
+LOGGER = getLogger(__name__)
+
+class Command(BaseCommand):
+    """Import users from CSV file"""
+
+    def add_arguments(self, parser):
+        # Positional arguments
+        parser.add_argument('file', nargs='+', type=str)
+
+    def handle(self, *args, **options):
+        """Create Users from CSV file"""
+        for file in options.get('file'):
+            with open(file, 'r') as _file:
+                reader = DictReader(_file)
+                for user in reader:
+                    LOGGER.debug('User %s', user.get('username'))
+                    try:
+                        # only import users with valid email addresses
+                        if user.get('email'):
+                            validator = EmailValidator()
+                            validator(user.get('email'))
+                        # use combination of username and email to check for existing user
+                        if User.objects.filter(
+                                username=user.get('username'),
+                                email=user.get('email')).exists():
+                            LOGGER.debug('User %s exists already, skipping', user.get('username'))
+                        # Create user
+                        User.objects.create(
+                            username=user.get('username'),
+                            email=user.get('email'),
+                            name=user.get('name'),
+                            password=user.get('password'))
+                        LOGGER.debug('Created User %s', user.get('username'))
+                    except ValidationError as exc:
+                        LOGGER.warning('User %s caused %r, skipping', user.get('username'), exc)
+                        continue

passbook/core/migrations/0017_propertymapping.py

@@ -0,0 +1,26 @@
+# Generated by Django 2.1.7 on 2019-03-08 10:40
+
+import uuid
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('passbook_core', '0016_auto_20190227_1355'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='PropertyMapping',
+            fields=[
+                ('uuid', models.UUIDField(default=uuid.uuid4, editable=False, primary_key=True, serialize=False)),
+                ('name', models.TextField()),
+            ],
+            options={
+                'verbose_name': 'Property Mapping',
+                'verbose_name_plural': 'Property Mappings',
+            },
+        ),
+    ]

passbook/core/migrations/0018_provider_property_mappings.py

@@ -0,0 +1,18 @@
+# Generated by Django 2.1.7 on 2019-03-08 10:50
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('passbook_core', '0017_propertymapping'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='provider',
+            name='property_mappings',
+            field=models.ManyToManyField(blank=True, default=None, to='passbook_core.PropertyMapping'),
+        ),
+    ]

passbook/core/models.py

@@ -60,6 +60,8 @@ class User(AbstractUser):
 class Provider(models.Model):
     """Application-independent Provider instance. For example SAML2 Remote, OAuth2 Application"""
 
+    property_mappings = models.ManyToManyField('PropertyMapping', default=None, blank=True)
+
     objects = InheritanceManager()
 
     # This class defines no field for easier inheritance
@@ -153,10 +155,12 @@ class Application(PolicyModel):
     def user_is_authorized(self, user: User) -> bool:
         """Check if user is authorized to use this application"""
         from passbook.core.policies import PolicyEngine
-        return PolicyEngine(self.policies.all()).for_user(user).result
+        return PolicyEngine(self.policies.all()).for_user(user).build().result
 
     def get_provider(self):
         """Get casted provider instance"""
+        if not self.provider:
+            return None
         return Provider.objects.get_subclass(pk=self.provider.pk)
 
     def __str__(self):
@@ -284,8 +288,9 @@ class FieldMatcherPolicy(Policy):
         if self.match_action == FieldMatcherPolicy.MATCH_REGEXP:
             pattern = re.compile(self.value)
             passes = bool(pattern.match(user_field_value))
-        if self.negate:
+        if self.match_action == FieldMatcherPolicy.MATCH_EXACT:
-            passes = not passes
+            passes = user_field_value == self.value
+
         LOGGER.debug("User got '%r'", passes)
         return passes
 
@@ -411,7 +416,7 @@ class Invitation(UUIDModel):
         verbose_name_plural = _('Invitations')
 
 class Nonce(UUIDModel):
-    """One-time link for password resets/signup-confirmations"""
+    """One-time link for password resets/sign-up-confirmations"""
 
     expires = models.DateTimeField(default=default_nonce_duration)
     user = models.ForeignKey('User', on_delete=models.CASCADE)
@@ -423,3 +428,19 @@ class Nonce(UUIDModel):
 
         verbose_name = _('Nonce')
         verbose_name_plural = _('Nonces')
+
+class PropertyMapping(UUIDModel):
+    """User-defined key -> x mapping which can be used by providers to expose extra data."""
+
+    name = models.TextField()
+
+    form = ''
+    objects = InheritanceManager()
+
+    def __str__(self):
+        return "Property Mapping %s" % self.name
+
+    class Meta:
+
+        verbose_name = _('Property Mapping')
+        verbose_name_plural = _('Property Mappings')

passbook/core/policies.py

@@ -2,6 +2,7 @@
 from logging import getLogger
 
 from celery import group
+from ipware import get_client_ip
 
 from passbook.core.celery import CELERY_APP
 from passbook.core.models import Policy, User
@@ -17,25 +18,52 @@ def _policy_engine_task(user_pk, policy_pk, **kwargs):
         setattr(user_obj, key, value)
     LOGGER.debug("Running policy `%s`#%s for user %s...", policy_obj.name,
                  policy_obj.pk.hex, user_obj)
-    return policy_obj.passes(user_obj)
+    policy_result = policy_obj.passes(user_obj)
+    # Handle policy result correctly if result, message or just result
+    message = None
+    if isinstance(policy_result, (tuple, list)):
+        policy_result, message = policy_result
+    # Invert result if policy.negate is set
+    if policy_obj.negate:
+        policy_result = not policy_result
+    LOGGER.debug("Policy %r#%s got %s", policy_obj.name, policy_obj.pk.hex, policy_result)
+    return policy_obj.action, policy_result, message
 
 class PolicyEngine:
     """Orchestrate policy checking, launch tasks and return result"""
 
     policies = None
     _group = None
+    _request = None
+    _user = None
 
     def __init__(self, policies):
         self.policies = policies
+        self._request = None
+        self._user = None
 
     def for_user(self, user):
         """Check policies for user"""
+        self._user = user
+        return self
+
+    def with_request(self, request):
+        """Set request"""
+        self._request = request
+        return self
+
+    def build(self):
+        """Build task group"""
         signatures = []
         kwargs = {
-            '__password__': getattr(user, '__password__', None)
+            '__password__': getattr(self._user, '__password__', None),
         }
+        if self._request:
+            kwargs['remote_ip'], _ = get_client_ip(self._request)
+            if not kwargs['remote_ip']:
+                kwargs['remote_ip'] = '255.255.255.255'
         for policy in self.policies:
-            signatures.append(_policy_engine_task.s(user.pk, policy.pk.hex, **kwargs))
+            signatures.append(_policy_engine_task.s(self._user.pk, policy.pk.hex, **kwargs))
         self._group = group(signatures)()
         return self
 
@@ -43,10 +71,16 @@ class PolicyEngine:
     def result(self):
         """Get policy-checking result"""
         messages = []
-        for policy_result in self._group.get():
+        for policy_action, policy_result, policy_message in self._group.get():
-            if isinstance(policy_result, (tuple, list)):
+            passing = (policy_action == Policy.ACTION_ALLOW and policy_result) or \
-                policy_result, policy_message = policy_result
+                      (policy_action == Policy.ACTION_DENY and not policy_result)
+            if policy_message:
                 messages.append(policy_message)
-            if policy_result is False:
+            if not passing:
                 return False, messages
         return True, messages
+
+    @property
+    def passing(self):
+        """Only get true/false if user passes"""
+        return self.result[0]

passbook/core/requirements.txt

@@ -1,12 +1,13 @@
 django>=2.0
 django-model-utils
+django-ipware
 djangorestframework
 PyYAML
 raven
 markdown
 colorlog
 celery
-redis<3.0
+redis
 psycopg2
 idna<2.8,>=2.5
 cherrypy

passbook/core/settings.py

@@ -62,6 +62,7 @@ INSTALLED_APPS = [
     'django.contrib.staticfiles',
     'rest_framework',
     'drf_yasg',
+    'raven.contrib.django.raven_compat',
     'passbook.core.apps.PassbookCoreConfig',
     'passbook.admin.apps.PassbookAdminConfig',
     'passbook.api.apps.PassbookAPIConfig',
@@ -75,6 +76,8 @@ INSTALLED_APPS = [
     'passbook.captcha_factor.apps.PassbookCaptchaFactorConfig',
     'passbook.hibp_policy.apps.PassbookHIBPConfig',
     'passbook.pretend.apps.PassbookPretendConfig',
+    'passbook.password_expiry_policy.apps.PassbookPasswordExpiryPolicyConfig',
+    'passbook.suspicious_policy.apps.PassbookSuspiciousPolicyConfig',
 ]
 
 # Message Tag fix for bootstrap CSS Classes
@@ -103,6 +106,7 @@ MIDDLEWARE = [
     'django.contrib.auth.middleware.AuthenticationMiddleware',
     'django.contrib.messages.middleware.MessageMiddleware',
     'django.middleware.clickjacking.XFrameOptionsMiddleware',
+    'raven.contrib.django.raven_compat.middleware.SentryResponseErrorIdMiddleware',
 ]
 
 ROOT_URLCONF = 'passbook.core.urls'
@@ -183,6 +187,14 @@ CELERY_TASK_DEFAULT_QUEUE = 'passbook'
 CELERY_BROKER_URL = 'redis://%s' % CONFIG.get('redis')
 CELERY_RESULT_BACKEND = 'redis://%s' % CONFIG.get('redis')
 
+# Raven settings
+RAVEN_CONFIG = {
+    'dsn': ('https://55b5dd780bc14f4c96bba69b7a9abbcc:449af483bd0745'
+            '0d83be640d834e5458@sentry.services.beryju.org/8'),
+    'release': VERSION,
+    'environment': 'dev' if DEBUG else 'production',
+}
+
 # CherryPY settings
 with CONFIG.cd('web'):
     CHERRYPY_SERVER = {

passbook/core/signals.py

@@ -20,7 +20,7 @@ def password_policy_checker(sender, password, **kwargs):
     _all_factors = PasswordFactor.objects.filter(enabled=True).order_by('order')
     for factor in _all_factors:
         policy_engine = PolicyEngine(factor.password_policies.all().select_subclasses())
-        policy_engine.for_user(sender)
+        policy_engine.for_user(sender).build()
         passing, messages = policy_engine.result
         if not passing:
             raise PasswordPolicyInvalid(*messages)

passbook/core/static/css/passbook.css

@@ -0,0 +1,23 @@
+.dynamic-array-widget .array-item {
+  display: flex;
+  align-items: center;
+  margin-bottom: 15px;
+}
+
+.dynamic-array-widget .remove_sign {
+  width: 10px;
+  height: 2px;
+  background: #a41515;
+  border-radius: 1px;
+}
+
+.dynamic-array-widget .remove {
+  height: 15px;
+  display: flex;
+  align-items: center;
+  margin-left: 5px;
+}
+
+.dynamic-array-widget .remove:hover {
+  cursor: pointer;
+}

passbook/core/static/js/passbook.js

@@ -16,3 +16,33 @@ const typeHandler = function (e) {
 
 $source.on('input', typeHandler) // register for oninput
 $source.on('propertychange', typeHandler) // for IE8
+
+window.addEventListener('load', function () {
+
+    function addRemoveEventListener(widgetElement) {
+        widgetElement.querySelectorAll('.array-remove').forEach(function (element) {
+            element.addEventListener('click', function () {
+                this.parentNode.parentNode.remove();
+            });
+        });
+    }
+
+    document.querySelectorAll('.dynamic-array-widget').forEach(function (widgetElement) {
+
+        addRemoveEventListener(widgetElement);
+
+        widgetElement.querySelector('.add-array-item').addEventListener('click', function () {
+            var first = widgetElement.querySelector('.array-item');
+            var newElement = first.cloneNode(true);
+            var id_parts = newElement.querySelector('input').getAttribute('id').split('_');
+            var id = id_parts.slice(0, -1).join('_') + '_' + String(parseInt(id_parts.slice(-1)[0]) + 1);
+            newElement.querySelector('input').setAttribute('id', id);
+            newElement.querySelector('input').value = '';
+
+            addRemoveEventListener(newElement);
+            first.parentElement.insertBefore(newElement, first.parentNode.lastChild);
+        });
+
+    });
+
+});

passbook/core/templates/base/skeleton.html

@@ -16,6 +16,7 @@
     <link rel="shortcut icon" type="image/png" href="{% static 'img/logo.png' %}">
     <link rel="stylesheet" type="text/css" href="{% static 'css/patternfly.min.css' %}">
     <link rel="stylesheet" type="text/css" href="{% static 'css/patternfly-additions.min.css' %}">
+    <link rel="stylesheet" type="text/css" href="{% static 'css/passbook.css' %}">
     <style>
         .login-pf {
             background-attachment: fixed;

passbook/core/templates/generic/delete.html

@@ -6,13 +6,13 @@
 {% block content %}
 <div class="container">
     {% block above_form %}
-    <h1>{% blocktrans with object_type=object|fieldtype|title %}Delete {{ object_type }}{% endblocktrans %}</h1>
+    <h1>{% blocktrans with object_type=object|verbose_name %}Delete {{ object_type }}{% endblocktrans %}</h1>
     {% endblock %}
     <div class="">
         <form method="post" class="form-horizontal">
             {% csrf_token %}
             <p>
-                {% blocktrans with object_type=object|fieldtype|title name=object %}
+                {% blocktrans with object_type=object|verbose_name name=object %}
                 Are you sure you want to delete {{ object_type }} "{{ object }}"?
                 {% endblocktrans %}
             </p>

passbook/core/templates/login/base.html

@@ -29,7 +29,7 @@
 <div class="login-pf-page">
     <div class="container-fluid">
         <div class="row">
-            <div class="col-sm-12 col-md-8 col-md-offset-2 col-lg-4 col-lg-offset-4">
+            <div class="col-sm-12 col-md-8 col-md-offset-2 col-lg-6 col-lg-offset-3">
                 <header class="login-pf-page-header">
                     <img class="login-pf-brand" style="max-height: 10rem;" src="{% static 'img/logo.svg' %}"
                         alt="passbook logo" />

passbook/core/templatetags/passbook_user_settings.py

@@ -16,7 +16,7 @@ def user_factors(context):
     for factor in _all_factors:
         _link = factor.has_user_settings()
         policy_engine = PolicyEngine(factor.policies.all())
-        policy_engine.for_user(user)
+        policy_engine.for_user(user).with_request(context.get('request')).build()
-        if policy_engine.result[0] and _link:
+        if policy_engine.passing and _link:
             matching_factors.append(_link)
     return matching_factors

passbook/core/views/user.py

@@ -46,6 +46,7 @@ class UserChangePasswordView(FormView):
 
     def form_valid(self, form: PasswordChangeForm):
         try:
+            # user.set_password checks against Policies so we don't need to manually do it here
             self.request.user.set_password(form.cleaned_data.get('password'))
             self.request.user.save()
             update_session_auth_hash(self.request, self.request.user)

passbook/core/wsgi.py

@@ -10,7 +10,8 @@ https://docs.djangoproject.com/en/2.1/howto/deployment/wsgi/
 import os
 
 from django.core.wsgi import get_wsgi_application
+from raven.contrib.django.raven_compat.middleware.wsgi import Sentry
 
 os.environ.setdefault('DJANGO_SETTINGS_MODULE', 'passbook.settings')
 
-application = get_wsgi_application()
+application = Sentry(get_wsgi_application())

passbook/hibp_policy/__init__.py

@@ -1,2 +1,2 @@
 """passbook hibp_policy"""
-__version__ = '0.0.7-alpha'
+__version__ = '0.1.8-beta'

passbook/ldap/__init__.py

@@ -1,2 +1,2 @@
 """Passbook ldap app Header"""
-__version__ = '0.1.1-beta'
+__version__ = '0.1.8-beta'

passbook/lib/__init__.py

@@ -1,2 +1,2 @@
 """passbook lib"""
-__version__ = '0.1.1-beta'
+__version__ = '0.1.8-beta'

passbook/lib/fields.py

@@ -0,0 +1,44 @@
+"""passbook lib fields"""
+from itertools import chain
+
+from django import forms
+from django.contrib.postgres.utils import prefix_validation_error
+
+from passbook.lib.widgets import DynamicArrayWidget
+
+
+class DynamicArrayField(forms.Field):
+    """Show array field as a dynamic amount of textboxes"""
+
+    default_error_messages = {"item_invalid": "Item %(nth)s in the array did not validate: "}
+
+    def __init__(self, base_field, **kwargs):
+        self.base_field = base_field
+        self.max_length = kwargs.pop("max_length", None)
+        kwargs.setdefault("widget", DynamicArrayWidget)
+        super().__init__(**kwargs)
+
+    def clean(self, value):
+        cleaned_data = []
+        errors = []
+        value = [x for x in value if x]
+        for index, item in enumerate(value):
+            try:
+                cleaned_data.append(self.base_field.clean(item))
+            except forms.ValidationError as error:
+                errors.append(
+                    prefix_validation_error(
+                        error, self.error_messages["item_invalid"],
+                        code="item_invalid", params={"nth": index}
+                    )
+                )
+        if errors:
+            raise forms.ValidationError(list(chain.from_iterable(errors)))
+        if not cleaned_data and self.required:
+            raise forms.ValidationError(self.error_messages["required"])
+        return cleaned_data
+
+    def has_changed(self, initial, data):
+        if not data and not initial:
+            return False
+        return super().has_changed(initial, data)

passbook/lib/templates/lib/arrayfield.html

@@ -0,0 +1,17 @@
+{% load utils %}
+
+{% spaceless %}
+<div class="dynamic-array-widget">
+    {% for widget in widget.subwidgets %}
+    <div class="array-item input-group">
+        {% include widget.template_name %}
+        <div class="input-group-btn">
+            <button class="array-remove btn btn-danger" type="button">
+                <span class="pficon-delete"></span>
+            </button>
+        </div>
+    </div>
+    {% endfor %}
+    <div><button type="button" class="add-array-item btn btn-default">Add another</button></div>
+</div>
+{% endspaceless %}

passbook/lib/templatetags/utils.py

@@ -212,10 +212,14 @@ def gravatar(email, size=None, rating=None):
 @register.filter
 def verbose_name(obj):
     """Return Object's Verbose Name"""
+    if not obj:
+        return ''
     return obj._meta.verbose_name
 
 
 @register.filter
 def form_verbose_name(obj):
     """Return ModelForm's Object's Verbose Name"""
+    if not obj:
+        return ''
     return obj._meta.model._meta.verbose_name

passbook/lib/widgets.py

@@ -0,0 +1,36 @@
+"""Dynamic array widget"""
+from django import forms
+
+
+class DynamicArrayWidget(forms.TextInput):
+    """Dynamic array widget"""
+
+    template_name = "lib/arrayfield.html"
+
+    def get_context(self, name, value, attrs):
+        value = value or [""]
+        context = super().get_context(name, value, attrs)
+        final_attrs = context["widget"]["attrs"]
+        id_ = context["widget"]["attrs"].get("id")
+
+        subwidgets = []
+        for index, item in enumerate(context["widget"]["value"]):
+            widget_attrs = final_attrs.copy()
+            if id_:
+                widget_attrs["id"] = "{id_}_{index}".format(id_=id_, index=index)
+            widget = forms.TextInput()
+            widget.is_required = self.is_required
+            subwidgets.append(widget.get_context(name, item, widget_attrs)["widget"])
+
+        context["widget"]["subwidgets"] = subwidgets
+        return context
+
+    def value_from_datadict(self, data, files, name):
+        try:
+            getter = data.getlist
+            return [value for value in getter(name) if value]
+        except AttributeError:
+            return data.get(name)
+
+    def format_value(self, value):
+        return value or []

passbook/oauth_client/__init__.py

@@ -1,2 +1,2 @@
 """passbook oauth_client Header"""
-__version__ = '0.1.1-beta'
+__version__ = '0.1.8-beta'

passbook/oauth_provider/__init__.py

@@ -1,2 +1,2 @@
 """passbook oauth_provider Header"""
-__version__ = '0.1.1-beta'
+__version__ = '0.1.8-beta'

passbook/oauth_provider/models.py

@@ -12,7 +12,7 @@ class OAuth2Provider(Provider, AbstractApplication):
     form = 'passbook.oauth_provider.forms.OAuth2ProviderForm'
 
     def __str__(self):
-        return self.name
+        return "OAuth2 Provider %s" % self.name
 
     class Meta:
 

passbook/otp/__init__.py

@@ -1,2 +1,2 @@
 """passbook otp Header"""
-__version__ = '0.1.1-beta'
+__version__ = '0.1.8-beta'

passbook/password_expiry_policy/__init__.py

@@ -0,0 +1,2 @@
+"""passbook password_expiry"""
+__version__ = '0.1.8-beta'

passbook/password_expiry_policy/admin.py

@@ -0,0 +1,5 @@
+"""Passbook password_expiry_policy Admin"""
+
+from passbook.lib.admin import admin_autoregister
+
+admin_autoregister('passbook_password_expiry_policy')

passbook/password_expiry_policy/apps.py

@@ -0,0 +1,11 @@
+"""Passbook password_expiry_policy app config"""
+
+from django.apps import AppConfig
+
+
+class PassbookPasswordExpiryPolicyConfig(AppConfig):
+    """Passbook password_expiry_policy app config"""
+
+    name = 'passbook.password_expiry_policy'
+    label = 'passbook_password_expiry_policy'
+    verbose_name = 'passbook Password Expiry Policy'

passbook/password_expiry_policy/forms.py

@@ -0,0 +1,24 @@
+"""passbook PasswordExpiry Policy forms"""
+
+from django import forms
+from django.utils.translation import gettext as _
+
+from passbook.core.forms.policies import GENERAL_FIELDS
+from passbook.password_expiry_policy.models import PasswordExpiryPolicy
+
+
+class PasswordExpiryPolicyForm(forms.ModelForm):
+    """Edit PasswordExpiryPolicy instances"""
+
+    class Meta:
+
+        model = PasswordExpiryPolicy
+        fields = GENERAL_FIELDS + ['days', 'deny_only']
+        widgets = {
+            'name': forms.TextInput(),
+            'order': forms.NumberInput(),
+            'days': forms.NumberInput(),
+        }
+        labels = {
+            'deny_only': _("Only fail the policy, don't set user's password.")
+        }

passbook/password_expiry_policy/migrations/0001_initial.py

@@ -0,0 +1,29 @@
+# Generated by Django 2.1.7 on 2019-03-03 13:46
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+        ('passbook_core', '0016_auto_20190227_1355'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='PasswordExpiryPolicy',
+            fields=[
+                ('policy_ptr', models.OneToOneField(auto_created=True, on_delete=django.db.models.deletion.CASCADE, parent_link=True, primary_key=True, serialize=False, to='passbook_core.Policy')),
+                ('deny_only', models.BooleanField(default=False)),
+                ('days', models.IntegerField()),
+            ],
+            options={
+                'verbose_name': 'Password Expiry Policy',
+                'verbose_name_plural': 'Password Expiry Policies',
+            },
+            bases=('passbook_core.policy',),
+        ),
+    ]

passbook/password_expiry_policy/models.py

@@ -0,0 +1,42 @@
+"""passbook password_expiry_policy Models"""
+from datetime import timedelta
+from logging import getLogger
+
+from django.db import models
+from django.utils.timezone import now
+from django.utils.translation import gettext as _
+
+from passbook.core.models import Policy, User
+
+LOGGER = getLogger(__name__)
+
+
+class PasswordExpiryPolicy(Policy):
+    """If password change date is more than x days in the past, call set_unusable_password
+    and show a notice"""
+
+    deny_only = models.BooleanField(default=False)
+    days = models.IntegerField()
+
+    form = 'passbook.password_expiry_policy.forms.PasswordExpiryPolicyForm'
+
+    def passes(self, user: User) -> bool:
+        """If password change date is more than x days in the past, call set_unusable_password
+        and show a notice"""
+        actual_days = (now() - user.password_change_date).days
+        days_since_expiry = (now() - (user.password_change_date + timedelta(days=self.days))).days
+        if actual_days >= self.days:
+            if not self.deny_only:
+                user.set_unusable_password()
+                user.save()
+                return False, _(('Password expired %(days)d days ago. '
+                                 'Please update your password.') % {
+                                     'days': days_since_expiry
+                                 })
+            return False, _('Password has expired.')
+        return True
+
+    class Meta:
+
+        verbose_name = _('Password Expiry Policy')
+        verbose_name_plural = _('Password Expiry Policies')

passbook/saml_idp/__init__.py

@@ -1,2 +1,2 @@
 """passbook saml_idp Header"""
-__version__ = '0.1.1-beta'
+__version__ = '0.1.8-beta'

passbook/saml_idp/base.py

@@ -6,7 +6,6 @@ from logging import getLogger
 
 from bs4 import BeautifulSoup
 
-from passbook.lib.config import CONFIG
 from passbook.saml_idp import exceptions, utils, xml_render
 
 MINUTES = 60
@@ -52,9 +51,7 @@ class Processor:
     _session_index = None
     _subject = None
     _subject_format = 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
-    _system_params = {
+    _system_params = {}
-        'ISSUER': CONFIG.y('saml_idp.issuer'),
-    }
 
     @property
     def dotted_path(self):
@@ -67,7 +64,7 @@ class Processor:
         self.name = remote.name
         self._remote = remote
         self._logger = getLogger(__name__)
-
+        self._system_params['ISSUER'] = self._remote.issuer
         self._logger.info('processor configured')
 
     def _build_assertion(self):
@@ -170,6 +167,20 @@ class Processor:
                 'Value': self._django_request.user.username,
             },
         ]
+        from passbook.saml_idp.models import SAMLPropertyMapping
+        for mapping in self._remote.property_mappings.all().select_subclasses():
+            if isinstance(mapping, SAMLPropertyMapping):
+                mapping_payload = {
+                    'Name': mapping.saml_name,
+                    'ValueArray': [],
+                    'FriendlyName': mapping.friendly_name
+                }
+                for value in mapping.values:
+                    mapping_payload['ValueArray'].append(value.format(
+                        user=self._django_request.user,
+                        request=self._django_request
+                    ))
+                self._assertion_params['ATTRIBUTES'].append(mapping_payload)
         self._assertion_xml = xml_render.get_assertion_xml(
             'saml/xml/assertions/generic.xml', self._assertion_params, signed=True)
 
@@ -227,7 +238,7 @@ class Processor:
         self._subject = sp_config
         self._subject_format = 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
         self._system_params = {
-            'ISSUER': CONFIG.y('saml_idp.issuer'),
+            'ISSUER': self._remote.issuer
         }
 
     def _validate_request(self):

passbook/saml_idp/forms.py

@@ -2,7 +2,9 @@
 
 from django import forms
 
-from passbook.saml_idp.models import SAMLProvider, get_provider_choices
+from passbook.lib.fields import DynamicArrayField
+from passbook.saml_idp.models import (SAMLPropertyMapping, SAMLProvider,
+                                      get_provider_choices)
 from passbook.saml_idp.utils import CertificateBuilder
 
 
@@ -21,7 +23,7 @@ class SAMLProviderForm(forms.ModelForm):
     class Meta:
 
         model = SAMLProvider
-        fields = ['name', 'acs_url', 'processor_path', 'issuer',
+        fields = ['name', 'property_mappings', 'acs_url', 'processor_path', 'issuer',
                   'assertion_valid_for', 'signing', 'signing_cert', 'signing_key', ]
         labels = {
             'acs_url': 'ACS URL',
@@ -31,3 +33,20 @@ class SAMLProviderForm(forms.ModelForm):
             'name': forms.TextInput(),
             'issuer': forms.TextInput(),
         }
+
+
+class SAMLPropertyMappingForm(forms.ModelForm):
+    """SAML Property Mapping form"""
+
+    class Meta:
+
+        model = SAMLPropertyMapping
+        fields = ['name', 'saml_name', 'friendly_name', 'values']
+        widgets = {
+            'name': forms.TextInput(),
+            'saml_name': forms.TextInput(),
+            'friendly_name': forms.TextInput(),
+        }
+        field_classes = {
+            'values': DynamicArrayField
+        }

passbook/saml_idp/migrations/0002_samlpropertymapping.py

@@ -0,0 +1,30 @@
+# Generated by Django 2.1.7 on 2019-03-08 10:40
+
+import django.contrib.postgres.fields
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('passbook_core', '0017_propertymapping'),
+        ('passbook_saml_idp', '0001_initial'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='SAMLPropertyMapping',
+            fields=[
+                ('propertymapping_ptr', models.OneToOneField(auto_created=True, on_delete=django.db.models.deletion.CASCADE, parent_link=True, primary_key=True, serialize=False, to='passbook_core.PropertyMapping')),
+                ('saml_name', models.TextField()),
+                ('friendly_name', models.TextField(blank=True, default=None, null=True)),
+                ('values', django.contrib.postgres.fields.ArrayField(base_field=models.TextField(), size=None)),
+            ],
+            options={
+                'verbose_name': 'SAML Property Mapping',
+                'verbose_name_plural': 'SAML Property Mappings',
+            },
+            bases=('passbook_core.propertymapping',),
+        ),
+    ]

passbook/saml_idp/models.py

@@ -1,10 +1,11 @@
 """passbook saml_idp Models"""
 
+from django.contrib.postgres.fields import ArrayField
 from django.db import models
 from django.shortcuts import reverse
 from django.utils.translation import gettext as _
 
-from passbook.core.models import Provider
+from passbook.core.models import PropertyMapping, Provider
 from passbook.lib.utils.reflection import class_to_path, path_to_class
 from passbook.saml_idp.base import Processor
 
@@ -36,13 +37,13 @@ class SAMLProvider(Provider):
         return self._processor
 
     def __str__(self):
-        return "SAMLProvider %s (processor=%s)" % (self.name, self.processor_path)
+        return "SAML Provider %s" % self.name
 
     def link_download_metadata(self):
         """Get link to download XML metadata for admin interface"""
         try:
             # pylint: disable=no-member
-            return reverse('passbook_saml_idp:metadata_xml',
+            return reverse('passbook_saml_idp:saml-metadata',
                            kwargs={'application': self.application.slug})
         except Provider.application.RelatedObjectDoesNotExist:
             return None
@@ -53,6 +54,23 @@ class SAMLProvider(Provider):
         verbose_name_plural = _('SAML Providers')
 
 
+class SAMLPropertyMapping(PropertyMapping):
+    """SAML Property mapping, allowing Name/FriendlyName mapping to a list of strings"""
+
+    saml_name = models.TextField()
+    friendly_name = models.TextField(default=None, blank=True, null=True)
+    values = ArrayField(models.TextField())
+
+    form = 'passbook.saml_idp.forms.SAMLPropertyMappingForm'
+
+    def __str__(self):
+        return "SAML Property Mapping %s" % self.saml_name
+
+    class Meta:
+
+        verbose_name = _('SAML Property Mapping')
+        verbose_name_plural = _('SAML Property Mappings')
+
 def get_provider_choices():
     """Return tuple of class_path, class name of all providers."""
     return [(class_to_path(x), x.__name__) for x in Processor.__subclasses__()]

passbook/saml_idp/processors/aws.py

@@ -11,16 +11,12 @@ class AWSProcessor(Processor):
 
     def _format_assertion(self):
         """Formats _assertion_params as _assertion_xml."""
-        self._assertion_params['ATTRIBUTES'] = [
+        super()._format_assertion()
+        self._assertion_params['ATTRIBUTES'].append(
             {
                 'Name': 'https://aws.amazon.com/SAML/Attributes/RoleSessionName',
                 'Value': self._django_request.user.username,
-            },
-            {
-                'Name': 'https://aws.amazon.com/SAML/Attributes/Role',
-                # 'Value': 'arn:aws:iam::471432361072:saml-provider/passbook_dev,
-                # arn:aws:iam::471432361072:role/saml_role'
             }
-        ]
+        )
         self._assertion_xml = xml_render.get_assertion_xml(
             'saml/xml/assertions/generic.xml', self._assertion_params, signed=True)

passbook/saml_idp/templates/saml/idp/login.html

@@ -9,40 +9,26 @@
 
 {% block card %}
 <header class="login-pf-header">
-  <h1>{% trans 'Authorize Application' %}</h1>
+    <h1>{% trans 'Authorize Application' %}</h1>
 </header>
-<form method="POST" action="{{ acs_url }}">>
+<form method="POST" action="{{ acs_url }}">
-  {% csrf_token %}
+    {% csrf_token %}
-  <input type="hidden" name="ACSUrl" value="{{ acs_url }}">
+    <input type="hidden" name="ACSUrl" value="{{ acs_url }}">
-  <input type="hidden" name="RelayState" value="{{ relay_state }}" />
+    <input type="hidden" name="RelayState" value="{{ relay_state }}" />
-  <input type="hidden" name="SAMLResponse" value="{{ saml_response }}" />
+    <input type="hidden" name="SAMLResponse" value="{{ saml_response }}" />
-  <label class="title">
+    <div class="login-group">
-    <clr-icon shape="passbook" class="is-info" size="48"></clr-icon>
+        <h3>
-    {% config 'passbook.branding' %}
+            {% blocktrans with remote=remote.application.name %}
-  </label>
+            You're about to sign into {{ remote }}
-  <label class="subtitle">
+            {% endblocktrans %}
-    {% trans 'SSO - Authorize External Source' %}
+        </h3>
-  </label>
+        <p>
-  <div class="login-group">
+            {% blocktrans with user=user %}
-    <p class="subtitle">
+            You are logged in as {{ user }}.
-      {% blocktrans with remote=remote.name %}
+            {% endblocktrans %}
-        You're about to sign into {{ remote }}
+            <a href="{% url 'passbook_core:auth-logout' %}">{% trans 'Not you?' %}</a>
-      {% endblocktrans %}
+        </p>
-    </p>
+        <input class="btn btn-primary btn-block btn-lg" type="submit" value="{% trans 'Continue' %}" />
-    <p>
-      {% blocktrans with user=user %}
-        You are logged in as {{ user }}. Not you?
-      {% endblocktrans %}
-      <a href="{% url 'passbook_core:auth-logout' %}">{% trans 'Logout' %}</a>
-    </p>
-    <div class="row">
-      <div class="col-md-6">
-        <input class="btn btn-success btn-block" type="submit" value="{% trans "Continue" %}" />
-      </div>
-      <div class="col-md-6">
-        <a href="{% url 'passbook_core:overview' %}" class="btn btn-outline btn-block">{% trans "Cancel" %}</a>
-      </div>
     </div>
-  </div>
 </form>
 {% endblock %}

passbook/saml_idp/templates/saml/idp/settings.html

@@ -39,7 +39,7 @@
         </section>
       </div>
       <div class="card-footer">
-        <a href="{% url 'passbook_saml_idp:metadata_xml' %}" class="btn btn-primary"><clr-icon shape="download"></clr-icon>{% trans 'Download Metadata' %}</a>
+        <a href="{% url 'passbook_saml_idp:saml-metadata' %}" class="btn btn-primary"><clr-icon shape="download"></clr-icon>{% trans 'Download Metadata' %}</a>
       </div>
     </div>
   </div>

passbook/saml_idp/templates/saml/xml/attributes.xml

@@ -1,7 +1,14 @@
 <saml:AttributeStatement>
     {% for attr in attributes %}
         <saml:Attribute {% if attr.FriendlyName %}FriendlyName="{{ attr.FriendlyName }}" {% endif %}Name="{{ attr.Name }}">
-           <saml:AttributeValue>{{ attr.Value }}</saml:AttributeValue>
+            {% if attr.Value %}
+            <saml:AttributeValue>{{ attr.Value }}</saml:AttributeValue>
+            {% endif %}
+            {% if attr.ValueArray %}
+                {% for value in attr.ValueArray %}
+                <saml:AttributeValue>{{ value }}</saml:AttributeValue>
+                {% endfor %}
+            {% endif %}
         </saml:Attribute>
     {% endfor %}
 </saml:AttributeStatement>

passbook/saml_idp/urls.py

@@ -4,13 +4,14 @@ from django.urls import path
 from passbook.saml_idp import views
 
 urlpatterns = [
-    path('login/<slug:application>/',
+    path('<slug:application>/login/',
-         views.LoginBeginView.as_view(), name="saml_login_begin"),
+         views.LoginBeginView.as_view(), name="saml-login"),
-    path('login/<slug:application>/initiate/',
+    path('<slug:application>/login/initiate/',
-         views.InitiateLoginView.as_view(), name="saml_login_init"),
+         views.InitiateLoginView.as_view(), name="saml-login-initiate"),
-    path('login/<slug:application>/process/',
+    path('<slug:application>/login/process/',
-         views.LoginProcessView.as_view(), name='saml_login_process'),
+         views.LoginProcessView.as_view(), name='saml-login-process'),
-    path('logout/', views.LogoutView.as_view(), name="saml_logout"),
+    path('<slug:application>/logout/', views.LogoutView.as_view(), name="saml-logout"),
-    path('metadata/<slug:application>/',
+    path('<slug:application>/logout/slo/', views.SLOLogout.as_view(), name="saml-logout-slo"),
-         views.DescriptorDownloadView.as_view(), name='metadata_xml'),
+    path('<slug:application>/metadata/',
+         views.DescriptorDownloadView.as_view(), name='saml-metadata'),
 ]

passbook/saml_idp/views.py

@@ -9,11 +9,14 @@ from django.http import HttpResponse, HttpResponseBadRequest
 from django.shortcuts import get_object_or_404, redirect, render, reverse
 from django.utils.datastructures import MultiValueDictKeyError
 from django.utils.decorators import method_decorator
+from django.utils.translation import gettext as _
 from django.views import View
 from django.views.decorators.csrf import csrf_exempt
 from signxml.util import strip_pem_header
 
+from passbook.audit.models import AuditEntry
 from passbook.core.models import Application
+from passbook.core.policies import PolicyEngine
 from passbook.lib.config import CONFIG
 from passbook.lib.mixins import CSRFExemptMixin
 from passbook.lib.utils.template import render_to_string
@@ -75,7 +78,7 @@ class LoginBeginView(LoginRequiredMixin, View):
             return HttpResponseBadRequest('the SAML request payload is missing')
 
         request.session['RelayState'] = source.get('RelayState', '')
-        return redirect(reverse('passbook_saml_idp:saml_login_process', kwargs={
+        return redirect(reverse('passbook_saml_idp:saml-login-process', kwargs={
             'application': application
         }))
 
@@ -94,19 +97,33 @@ class RedirectToSPView(LoginRequiredMixin, View):
         })
 
 
+
 class LoginProcessView(ProviderMixin, LoginRequiredMixin, View):
     """Processor-based login continuation.
     Presents a SAML 2.0 Assertion for POSTing back to the Service Provider."""
 
+    def _has_access(self):
+        """Check if user has access to application"""
+        policy_engine = PolicyEngine(self.provider.application.policies.all())
+        policy_engine.for_user(self.request.user).with_request(self.request).build()
+        return policy_engine.passing
+
     def get(self, request, application):
         """Handle get request, i.e. render form"""
         LOGGER.debug("Request: %s", request)
+        if not self._has_access():
+            return render(request, 'login/denied.html', {
+                'title': _("You don't have access to this application")
+            })
         # Check if user has access
-        access = True
+        if self.provider.application.skip_authorization:
-        # TODO: Check access here
-        if self.provider.application.skip_authorization and access:
             ctx = self.provider.processor.generate_response()
-            # TODO: AuditLog Skipped Authz
+            # Log Application Authorization
+            AuditEntry.create(
+                action=AuditEntry.ACTION_AUTHORIZE_APPLICATION,
+                request=request,
+                app=self.provider.application.name,
+                skipped_authorization=True)
             return RedirectToSPView.as_view()(
                 request=request,
                 acs_url=ctx['acs_url'],
@@ -121,12 +138,18 @@ class LoginProcessView(ProviderMixin, LoginRequiredMixin, View):
     def post(self, request, application):
         """Handle post request, return back to ACS"""
         LOGGER.debug("Request: %s", request)
+        if not self._has_access():
+            return render(request, 'login/denied.html', {
+                'title': _("You don't have access to this application")
+            })
         # Check if user has access
-        access = True
+        if request.POST.get('ACSUrl', None):
-        # TODO: Check access here
-        if request.POST.get('ACSUrl', None) and access:
             # User accepted request
-            # TODO: AuditLog accepted
+            AuditEntry.create(
+                action=AuditEntry.ACTION_AUTHORIZE_APPLICATION,
+                request=request,
+                app=self.provider.application.name,
+                skipped_authorization=False)
             return RedirectToSPView.as_view()(
                 request=request,
                 acs_url=request.POST.get('ACSUrl'),
@@ -144,7 +167,7 @@ class LogoutView(CSRFExemptMixin, LoginRequiredMixin, View):
     returns a standard logged-out page. (SalesForce and others use this method,
     though it's technically not SAML 2.0)."""
 
-    def get(self, request):
+    def get(self, request, application):
         """Perform logout"""
         logout(request)
 
@@ -164,11 +187,10 @@ class SLOLogout(CSRFExemptMixin, LoginRequiredMixin, View):
     """Receives a SAML 2.0 LogoutRequest from a Service Provider,
     logs out the user and returns a standard logged-out page."""
 
-    def post(self, request):
+    def post(self, request, application):
         """Perform logout"""
         request.session['SAMLRequest'] = request.POST['SAMLRequest']
         # TODO: Parse SAML LogoutRequest from POST data, similar to login_process().
-        # TODO: Add a URL dispatch for this view.
         # TODO: Modify the base processor to handle logouts?
         # TODO: Combine this with login_process(), since they are so very similar?
         # TODO: Format a LogoutResponse and return it to the browser.
@@ -183,8 +205,8 @@ class DescriptorDownloadView(ProviderMixin, View):
     def get(self, request, application):
         """Replies with the XML Metadata IDSSODescriptor."""
         entity_id = CONFIG.y('saml_idp.issuer')
-        slo_url = request.build_absolute_uri(reverse('passbook_saml_idp:saml_logout'))
+        slo_url = request.build_absolute_uri(reverse('passbook_saml_idp:saml-logout'))
-        sso_url = request.build_absolute_uri(reverse('passbook_saml_idp:saml_login_begin', kwargs={
+        sso_url = request.build_absolute_uri(reverse('passbook_saml_idp:saml-login', kwargs={
             'application': application
         }))
         pubkey = strip_pem_header(self.provider.signing_cert.replace('\r', '')).replace('\n', '')
@@ -206,6 +228,5 @@ class InitiateLoginView(ProviderMixin, LoginRequiredMixin, View):
 
     def dispatch(self, request, application):
         """Initiates an IdP-initiated link to a simple SP resource/target URL."""
-        super().dispatch(request, application)
         self.provider.processor.init_deep_link(request, '')
         return _generate_response(request, self.provider)

passbook/suspicious_policy/__init__.py

@@ -0,0 +1,2 @@
+"""passbook suspicious_policy"""
+__version__ = '0.1.1-beta'

passbook/suspicious_policy/admin.py

@@ -0,0 +1,5 @@
+"""Passbook suspicious_policy Admin"""
+
+from passbook.lib.admin import admin_autoregister
+
+admin_autoregister('passbook_suspicious_policy')

passbook/suspicious_policy/apps.py

@@ -0,0 +1,15 @@
+"""Passbook suspicious_policy app config"""
+from importlib import import_module
+
+from django.apps import AppConfig
+
+
+class PassbookSuspiciousPolicyConfig(AppConfig):
+    """Passbook suspicious_policy app config"""
+
+    name = 'passbook.suspicious_policy'
+    label = 'passbook_suspicious_policy'
+    verbose_name = 'passbook Suspicious Request Detector'
+
+    def ready(self):
+        import_module('passbook.suspicious_policy.signals')