bump version: 0.1.29-beta -> 0.1.30-beta

Resolve "Websocket Proxying"

Closes #38

See merge request BeryJu.org/passbook!24

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 0.1.14-beta
+current_version = 0.1.30-beta
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\-(?P<release>.*)
@@ -15,6 +15,10 @@ values =
 	beta
 	stable
 
+[bumpversion:file:client-packages/allauth/setup.py]
+
+[bumpversion:file:client-packages/sentry-auth-passbook/setup.py]
+
 [bumpversion:file:helm/passbook/values.yaml]
 
 [bumpversion:file:helm/passbook/Chart.yaml]
@@ -49,3 +53,7 @@ values =
 
 [bumpversion:file:passbook/otp/__init__.py]
 
+[bumpversion:file:passbook/app_gw/__init__.py]
+
+[bumpversion:file:passbook/suspicious_policy/__init__.py]
+

.gitlab-ci.yml

@@ -1,98 +1,126 @@
 # Global Variables
 before_script:
-  - "python3 -m pip install -U virtualenv"
-  - "virtualenv env"
-  - "source env/bin/activate"
-  - "pip3 install -U -r requirements-dev.txt"
+    - "python3 -m pip install -U virtualenv"
+    - "virtualenv env"
+    - "source env/bin/activate"
+    - "pip3 install -U -r requirements-dev.txt"
 stages:
-  - test
-  - build
-  - docs
-  - deploy
+    - test
+    - build
+    - docs
+    - deploy
 image: python:3.6
 services:
-  - postgres:latest
+    - postgres:latest
+    - redis:latest
 
 variables:
-  POSTGRES_DB: passbook
-  POSTGRES_USER: passbook
-  POSTGRES_PASSWORD: 'EK-5jnKfjrGRm<77'
+    POSTGRES_DB: passbook
+    POSTGRES_USER: passbook
+    POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
 
 include:
-  - /allauth/.gitlab-ci.yml
+    - /client-packages/allauth/.gitlab-ci.yml
 
 isort:
-  script:
-    - isort -c -sg env
-  stage: test
+    script:
+        - isort -c -sg env
+    stage: test
 migrations:
-  script:
-    - python manage.py migrate
-  stage: test
+    script:
+        - python manage.py migrate
+    stage: test
 prospector:
-  script:
-    - prospector
-  stage: test
+    script:
+        - prospector
+    stage: test
 pylint:
-  script:
-    - pylint passbook
-  stage: test
+    script:
+        - pylint passbook
+    stage: test
 coverage:
-  script:
-    - coverage run manage.py test
-    - coverage report
-  stage: test
+    script:
+        - python manage.py collectstatic --no-input
+        - coverage run manage.py test
+        - coverage report
+    stage: test
 bandit:
-  script:
-    - bandit -r passbook
-  stage: test
+    script:
+        - bandit -r passbook
+    stage: test
 
 package-docker:
-  image:
-    name: gcr.io/kaniko-project/executor:debug
-    entrypoint: [""]
-  before_script:
-    - echo "{\"auths\":{\"docker.$NEXUS_URL\":{\"auth\":\"$NEXUS_AUTH\"}}}" > /kaniko/.docker/config.json
-  script:
-    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination docker.pkg.beryju.org/passbook:latest --destination docker.pkg.beryju.org/passbook:0.1.14-beta
-  stage: build
-  only:
-    - tags
-    - /^version/.*$/
+    image:
+        name: gcr.io/kaniko-project/executor:debug
+        entrypoint: [""]
+    before_script:
+        - echo "{\"auths\":{\"docker.$NEXUS_URL\":{\"auth\":\"$NEXUS_AUTH\"}}}" > /kaniko/.docker/config.json
+    script:
+        - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination docker.pkg.beryju.org/passbook:latest --destination docker.pkg.beryju.org/passbook:0.1.30-beta
+    stage: build
+    only:
+        - tags
+        - /^version/.*$/
 package-helm:
-  stage: build
-  script:
-    - curl https://raw.githubusercontent.com/helm/helm/master/scripts/get | bash
-    - helm init --client-only
-    - helm package helm/passbook
-    - ./manage.py nexus_upload --method put --url $NEXUS_URL --auth $NEXUS_AUTH --repo helm *.tgz
-  only:
-    - tags
-    - /^version/.*$/
+    stage: build
+    script:
+        - curl https://raw.githubusercontent.com/helm/helm/master/scripts/get | bash
+        - helm init --client-only
+        - helm package helm/passbook
+        - ./manage.py nexus_upload --method put --url $NEXUS_URL --auth $NEXUS_AUTH --repo helm *.tgz
+    only:
+        - tags
+        - /^version/.*$/
 package-debian:
-  before_script:
-    - apt update
-    - apt install -y --no-install-recommends build-essential debhelper devscripts equivs python3 python3-dev python3-pip libsasl2-dev libldap2-dev
-    - mk-build-deps debian/control
-    - apt install ./*build-deps*deb -f -y
-    - python3 -m pip install -U virtualenv pip
-    - virtualenv env
-    - source env/bin/activate
-    - pip3 install -U -r requirements.txt -r requirements-dev.txt
-    - ./manage.py collectstatic --no-input
-  image: ubuntu:18.04
-  script:
-    - debuild -us -uc
-    - cp ../passbook*.deb .
-    - ./manage.py nexus_upload --method post --url $NEXUS_URL --auth $NEXUS_AUTH --repo apt passbook*deb
-  artifacts:
-    paths:
-    - passbook*deb
-    expire_in: 2 days
-  stage: build
-  only:
-  - tags
-  - /^version/.*$/
+    before_script:
+        - apt update
+        - apt install -y --no-install-recommends build-essential debhelper devscripts equivs python3 python3-dev python3-pip libsasl2-dev libldap2-dev
+        - mk-build-deps debian/control
+        - apt install ./*build-deps*deb -f -y
+        - python3 -m pip install -U virtualenv pip
+        - virtualenv env
+        - source env/bin/activate
+        - pip3 install -U -r requirements.txt -r requirements-dev.txt
+        - ./manage.py collectstatic --no-input
+    image: ubuntu:18.04
+    script:
+        - debuild -us -uc
+        - cp ../passbook*.deb .
+        - ./manage.py nexus_upload --method post --url $NEXUS_URL --auth $NEXUS_AUTH --repo apt passbook*deb
+    artifacts:
+        paths:
+            - passbook*deb
+        expire_in: 2 days
+    stage: build
+    only:
+        - tags
+        - /^version/.*$/
+
+package-client-package-allauth:
+    script:
+        - cd client-packages/allauth
+        - python setup.py sdist
+        - twine upload --username $TWINE_USERNAME --password $TWINE_PASSWORD dist/*
+    stage: build
+    only:
+        refs:
+            - tags
+            - /^version/.*$/
+        changes:
+            - client-packages/allauth/**
+
+package-client-package-sentry:
+    script:
+        - cd client-packages/sentry-auth-passbook
+        - python setup.py sdist
+        - twine upload --username $TWINE_USERNAME --password $TWINE_PASSWORD dist/*
+    stage: build
+    only:
+        refs:
+            - tags
+            - /^version/.*$/
+        changes:
+            - client-packages/sentry-auth-passbook/**
 
 # docs:
 #   stage: docs

.prospector.yaml

@@ -7,6 +7,7 @@ ignore-paths:
   - migrations
   - docs
   - node_modules
+  - client-packages
 
 uses:
  - django

Dockerfile

@@ -6,7 +6,7 @@ COPY ./requirements.txt /app/
 
 WORKDIR /app/
 
-RUN apt-get update && apt-get install build-essential libssl-dev libffi-dev -y && \
+RUN apt-get update && apt-get install build-essential libssl-dev libffi-dev libpq-dev -y && \
     mkdir /app/static/ && \
     pip install -r requirements.txt && \
     pip install psycopg2 && \
@@ -23,7 +23,7 @@ COPY --from=build /app/static /app/static/
 
 WORKDIR /app/
 
-RUN apt-get update && apt-get install build-essential libssl-dev libffi-dev -y && \
+RUN apt-get update && apt-get install build-essential libssl-dev libffi-dev libpq-dev -y && \
     pip install -r requirements.txt && \
     pip install psycopg2 && \
     adduser --system --home /app/ passbook && \

client-packages/allauth/allauth_passbook/urls.py

@@ -1,5 +1,6 @@
 """passbook provider"""
 from allauth.socialaccount.providers.oauth2.urls import default_urlpatterns
+
 from allauth_passbook.provider import PassbookProvider
 
 urlpatterns = default_urlpatterns(PassbookProvider)

client-packages/allauth/allauth_passbook/views.py

@@ -1,10 +1,10 @@
 """passbook adapter"""
 import requests
-
 from allauth.socialaccount import app_settings
 from allauth.socialaccount.providers.oauth2.views import (OAuth2Adapter,
                                                           OAuth2CallbackView,
                                                           OAuth2LoginView)
+
 from allauth_passbook.provider import PassbookProvider
 
 

client-packages/allauth/setup.py

@@ -3,7 +3,7 @@ from setuptools import setup
 
 setup(
     name='django-allauth-passbook',
-    version='1.0.0',
+    version='0.1.30-beta',
     description='passbook support for django-allauth',
     # long_description='\n'.join(read_simple('docs/index.md')[2:]),
     long_description_content_type='text/markdown',

client-packages/sentry-auth-passbook/.gitignore

@@ -0,0 +1,5 @@
+*.pyc
+*.egg-info/
+*.eggs
+/dist
+/build

client-packages/sentry-auth-passbook/.travis.yml

@@ -0,0 +1,32 @@
+sudo: false
+language: python
+services:
+  - memcached
+  - postgresql
+  - redis-server
+python:
+  - '2.7'
+cache:
+  directories:
+    - node_modules
+    - "$HOME/.cache/pip"
+deploy:
+  provider: pypi
+  user: getsentry
+  password:
+    secure: kVmxKHkBWRLYyZme05p+WZSJmb8GjHV9uyuaSCVMRlqWCW+GXRB7P1xXR2jb9URTlNdcs56Ab/UrwzCbMFGC8LmwCeFVgIR/ltytVZG2FgXZPWaeA4dH25qK2oGWgzJ/xeiMpmuJqN9hRl25MX6jG7FZKvrrOkG7+8tpPd1yO+uYWZQbnebZMjcPBqEpn7CC0hR39GSoyVAbydpMe5hwENGQM26CepcicdrelfawItoUrXrkJzBHkIQQTO/xRSbCtRJOtzI5lwtv3GP0hcbOy5tI5dhG/93pLwZRc5+dZaCaP7oaVeOcBjN0zfINRQobt8d6h2Qgvd/YyFkGi0/xKn1zMmKIVLOG6VsYwEAUq8wNOsP4A/jdm4Y0J/1oEZStCkpaGpx85TYi4kq1hWQdyqaVJSPhh4Tk4roIaS2zOYQl+nIpbHqmJ4FJrg1il+TCdjBXobATQ1mKRBUrjD+RDzH/r4ogbd8+UwvvvevpqS2K+/wgT6UD0MzDInv9S29CUQvuFhPoqyJb5XRddHMRE9EEK/2Z8tFN91sDATnqfXHgwnvu00q/nKP5JnijBPzGmx7ydgUViIukklDrlPvo9BbRJz0Vr2vbAvMTrLMLCXqi5CwTm+v+iaOf/YaCziaG2vx0eVASYjpOLCedSgRZBubPM8z4E/HMXhChN7sVDWk=
+  on:
+    tags: true
+  distributions: sdist bdist_wheel
+env:
+  global:
+    - PIP_DOWNLOAD_CACHE=".pip_download_cache"
+before_install:
+  - pip install codecov
+install:
+  - make develop
+script:
+  - PYFLAKES_NODOCTEST=1 flake8
+  - coverage run --source=. -m py.test tests
+after_success:
+  - codecov

client-packages/sentry-auth-passbook/LICENSE

@@ -0,0 +1,201 @@
+                              Apache License
+                        Version 2.0, January 2004
+                     http://www.apache.org/licenses/
+
+TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+1. Definitions.
+
+   "License" shall mean the terms and conditions for use, reproduction,
+   and distribution as defined by Sections 1 through 9 of this document.
+
+   "Licensor" shall mean the copyright owner or entity authorized by
+   the copyright owner that is granting the License.
+
+   "Legal Entity" shall mean the union of the acting entity and all
+   other entities that control, are controlled by, or are under common
+   control with that entity. For the purposes of this definition,
+   "control" means (i) the power, direct or indirect, to cause the
+   direction or management of such entity, whether by contract or
+   otherwise, or (ii) ownership of fifty percent (50%) or more of the
+   outstanding shares, or (iii) beneficial ownership of such entity.
+
+   "You" (or "Your") shall mean an individual or Legal Entity
+   exercising permissions granted by this License.
+
+   "Source" form shall mean the preferred form for making modifications,
+   including but not limited to software source code, documentation
+   source, and configuration files.
+
+   "Object" form shall mean any form resulting from mechanical
+   transformation or translation of a Source form, including but
+   not limited to compiled object code, generated documentation,
+   and conversions to other media types.
+
+   "Work" shall mean the work of authorship, whether in Source or
+   Object form, made available under the License, as indicated by a
+   copyright notice that is included in or attached to the work
+   (an example is provided in the Appendix below).
+
+   "Derivative Works" shall mean any work, whether in Source or Object
+   form, that is based on (or derived from) the Work and for which the
+   editorial revisions, annotations, elaborations, or other modifications
+   represent, as a whole, an original work of authorship. For the purposes
+   of this License, Derivative Works shall not include works that remain
+   separable from, or merely link (or bind by name) to the interfaces of,
+   the Work and Derivative Works thereof.
+
+   "Contribution" shall mean any work of authorship, including
+   the original version of the Work and any modifications or additions
+   to that Work or Derivative Works thereof, that is intentionally
+   submitted to Licensor for inclusion in the Work by the copyright owner
+   or by an individual or Legal Entity authorized to submit on behalf of
+   the copyright owner. For the purposes of this definition, "submitted"
+   means any form of electronic, verbal, or written communication sent
+   to the Licensor or its representatives, including but not limited to
+   communication on electronic mailing lists, source code control systems,
+   and issue tracking systems that are managed by, or on behalf of, the
+   Licensor for the purpose of discussing and improving the Work, but
+   excluding communication that is conspicuously marked or otherwise
+   designated in writing by the copyright owner as "Not a Contribution."
+
+   "Contributor" shall mean Licensor and any individual or Legal Entity
+   on behalf of whom a Contribution has been received by Licensor and
+   subsequently incorporated within the Work.
+
+2. Grant of Copyright License. Subject to the terms and conditions of
+   this License, each Contributor hereby grants to You a perpetual,
+   worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+   copyright license to reproduce, prepare Derivative Works of,
+   publicly display, publicly perform, sublicense, and distribute the
+   Work and such Derivative Works in Source or Object form.
+
+3. Grant of Patent License. Subject to the terms and conditions of
+   this License, each Contributor hereby grants to You a perpetual,
+   worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+   (except as stated in this section) patent license to make, have made,
+   use, offer to sell, sell, import, and otherwise transfer the Work,
+   where such license applies only to those patent claims licensable
+   by such Contributor that are necessarily infringed by their
+   Contribution(s) alone or by combination of their Contribution(s)
+   with the Work to which such Contribution(s) was submitted. If You
+   institute patent litigation against any entity (including a
+   cross-claim or counterclaim in a lawsuit) alleging that the Work
+   or a Contribution incorporated within the Work constitutes direct
+   or contributory patent infringement, then any patent licenses
+   granted to You under this License for that Work shall terminate
+   as of the date such litigation is filed.
+
+4. Redistribution. You may reproduce and distribute copies of the
+   Work or Derivative Works thereof in any medium, with or without
+   modifications, and in Source or Object form, provided that You
+   meet the following conditions:
+
+   (a) You must give any other recipients of the Work or
+       Derivative Works a copy of this License; and
+
+   (b) You must cause any modified files to carry prominent notices
+       stating that You changed the files; and
+
+   (c) You must retain, in the Source form of any Derivative Works
+       that You distribute, all copyright, patent, trademark, and
+       attribution notices from the Source form of the Work,
+       excluding those notices that do not pertain to any part of
+       the Derivative Works; and
+
+   (d) If the Work includes a "NOTICE" text file as part of its
+       distribution, then any Derivative Works that You distribute must
+       include a readable copy of the attribution notices contained
+       within such NOTICE file, excluding those notices that do not
+       pertain to any part of the Derivative Works, in at least one
+       of the following places: within a NOTICE text file distributed
+       as part of the Derivative Works; within the Source form or
+       documentation, if provided along with the Derivative Works; or,
+       within a display generated by the Derivative Works, if and
+       wherever such third-party notices normally appear. The contents
+       of the NOTICE file are for informational purposes only and
+       do not modify the License. You may add Your own attribution
+       notices within Derivative Works that You distribute, alongside
+       or as an addendum to the NOTICE text from the Work, provided
+       that such additional attribution notices cannot be construed
+       as modifying the License.
+
+   You may add Your own copyright statement to Your modifications and
+   may provide additional or different license terms and conditions
+   for use, reproduction, or distribution of Your modifications, or
+   for any such Derivative Works as a whole, provided Your use,
+   reproduction, and distribution of the Work otherwise complies with
+   the conditions stated in this License.
+
+5. Submission of Contributions. Unless You explicitly state otherwise,
+   any Contribution intentionally submitted for inclusion in the Work
+   by You to the Licensor shall be under the terms and conditions of
+   this License, without any additional terms or conditions.
+   Notwithstanding the above, nothing herein shall supersede or modify
+   the terms of any separate license agreement you may have executed
+   with Licensor regarding such Contributions.
+
+6. Trademarks. This License does not grant permission to use the trade
+   names, trademarks, service marks, or product names of the Licensor,
+   except as required for reasonable and customary use in describing the
+   origin of the Work and reproducing the content of the NOTICE file.
+
+7. Disclaimer of Warranty. Unless required by applicable law or
+   agreed to in writing, Licensor provides the Work (and each
+   Contributor provides its Contributions) on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+   implied, including, without limitation, any warranties or conditions
+   of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+   PARTICULAR PURPOSE. You are solely responsible for determining the
+   appropriateness of using or redistributing the Work and assume any
+   risks associated with Your exercise of permissions under this License.
+
+8. Limitation of Liability. In no event and under no legal theory,
+   whether in tort (including negligence), contract, or otherwise,
+   unless required by applicable law (such as deliberate and grossly
+   negligent acts) or agreed to in writing, shall any Contributor be
+   liable to You for damages, including any direct, indirect, special,
+   incidental, or consequential damages of any character arising as a
+   result of this License or out of the use or inability to use the
+   Work (including but not limited to damages for loss of goodwill,
+   work stoppage, computer failure or malfunction, or any and all
+   other commercial damages or losses), even if such Contributor
+   has been advised of the possibility of such damages.
+
+9. Accepting Warranty or Additional Liability. While redistributing
+   the Work or Derivative Works thereof, You may choose to offer,
+   and charge a fee for, acceptance of support, warranty, indemnity,
+   or other liability obligations and/or rights consistent with this
+   License. However, in accepting such obligations, You may act only
+   on Your own behalf and on Your sole responsibility, not on behalf
+   of any other Contributor, and only if You agree to indemnify,
+   defend, and hold each Contributor harmless for any liability
+   incurred by, or claims asserted against, such Contributor by reason
+   of your accepting any such warranty or additional liability.
+
+END OF TERMS AND CONDITIONS
+
+APPENDIX: How to apply the Apache License to your work.
+
+   To apply the Apache License to your work, attach the following
+   boilerplate notice, with the fields enclosed by brackets "[]"
+   replaced with your own identifying information. (Don't include
+   the brackets!)  The text should be enclosed in the appropriate
+   comment syntax for the file format. We also recommend that a
+   file or class name and description of purpose be included on the
+   same "printed page" as the copyright notice for easier
+   identification within third-party archives.
+
+Copyright 2016 Functional Software, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

client-packages/sentry-auth-passbook/MANIFEST.in

@@ -0,0 +1,3 @@
+include setup.py package.json webpack.config.js README.rst MANIFEST.in LICENSE AUTHORS
+recursive-include sentry_auth_supervisr/templates *
+global-exclude *~

client-packages/sentry-auth-passbook/Makefile

@@ -0,0 +1,26 @@
+.PHONY: clean develop install-tests lint publish test
+
+develop:
+	pip install "pip>=7"
+	pip install -e .
+	make install-tests
+
+install-tests:
+	pip install .[tests]
+
+lint:
+	@echo "--> Linting python"
+	flake8
+	@echo ""
+
+test:
+	@echo "--> Running Python tests"
+	py.test tests || exit 1
+	@echo ""
+
+publish:
+	python setup.py sdist bdist_wheel upload
+
+clean:
+	rm -rf *.egg-info src/*.egg-info
+	rm -rf dist build

client-packages/sentry-auth-passbook/README.rst

@@ -0,0 +1,55 @@
+GitHub Auth for Sentry
+======================
+
+An SSO provider for Sentry which enables GitHub organization-restricted authentication.
+
+Install
+-------
+
+::
+
+    $ pip install https://github.com/getsentry/sentry-auth-github/archive/master.zip
+
+Setup
+-----
+
+Create a new application under your organization in GitHub. Enter the **Authorization
+callback URL** as the prefix to your Sentry installation:
+
+::
+
+    https://example.sentry.com
+
+
+Once done, grab your API keys and drop them in your ``sentry.conf.py``:
+
+.. code-block:: python
+
+    GITHUB_APP_ID = ""
+
+    GITHUB_API_SECRET = ""
+
+
+Verified email addresses can optionally be required:
+
+.. code-block:: python
+
+    GITHUB_REQUIRE_VERIFIED_EMAIL = True
+
+
+Optionally you may also specify the domain (for GHE users):
+
+.. code-block:: python
+
+    GITHUB_BASE_DOMAIN = "git.example.com"
+
+    GITHUB_API_DOMAIN = "api.git.example.com"
+
+
+If Subdomain isolation is disabled in GHE:
+
+.. code-block:: python
+
+    GITHUB_BASE_DOMAIN = "git.example.com"
+
+    GITHUB_API_DOMAIN = "git.example.com/api/v3"

client-packages/sentry-auth-passbook/conftest.py

@@ -0,0 +1,14 @@
+from __future__ import absolute_import
+
+# Run tests against sqlite for simplicity
+import os
+import os.path
+import sys
+
+sys.path.insert(0, os.path.join(os.path.dirname(__file__)))
+
+os.environ.setdefault('DB', 'sqlite')
+
+pytest_plugins = [
+    'sentry.utils.pytest'
+]

client-packages/sentry-auth-passbook/sentry_auth_passbook/__init__.py

@@ -0,0 +1,7 @@
+from __future__ import absolute_import
+
+from sentry.auth import register
+
+from .provider import PassbookOAuth2Provider
+
+register('passbook', PassbookOAuth2Provider)

client-packages/sentry-auth-passbook/sentry_auth_passbook/client.py

@@ -0,0 +1,45 @@
+from __future__ import absolute_import, print_function
+
+from requests.exceptions import RequestException
+
+from sentry import http
+from sentry.utils import json
+
+from .constants import BASE_DOMAIN
+
+
+class PassbookApiError(Exception):
+    def __init__(self, message='', status=0):
+        super(PassbookApiError, self).__init__(message)
+        self.status = status
+
+
+class PassbookClient(object):
+    def __init__(self, client_id, client_secret):
+        self.client_id = client_id
+        self.client_secret = client_secret
+        self.http = http.build_session()
+
+    def _request(self, path, access_token):
+        params = {
+            'client_id': self.client_id,
+            'client_secret': self.client_secret,
+        }
+
+        headers = {
+            'Authorization': 'Bearer {0}'.format(access_token),
+        }
+
+        try:
+            req = self.http.get('https://{0}/{1}'.format(BASE_DOMAIN, path.lstrip('/')),
+                params=params,
+                headers=headers,
+            )
+        except RequestException as e:
+            raise PassbookApiError(unicode(e), status=getattr(e, 'status_code', 0))
+        if req.status_code < 200 or req.status_code >= 300:
+            raise PassbookApiError(req.content, status=req.status_code)
+        return json.loads(req.content)
+
+    def get_user(self, access_token):
+        return self._request('/api/v1/openid/', access_token)

client-packages/sentry-auth-passbook/sentry_auth_passbook/constants.py

@@ -0,0 +1,14 @@
+from __future__ import absolute_import, print_function
+
+from django.conf import settings
+
+CLIENT_ID = getattr(settings, 'PASSBOOK_APP_ID', None)
+
+CLIENT_SECRET = getattr(settings, 'PASSBOOK_API_SECRET', None)
+
+SCOPE = 'openid:userinfo'
+
+BASE_DOMAIN = getattr(settings, 'PASSBOOK_BASE_DOMAIN', 'id.beryju.org')
+
+ACCESS_TOKEN_URL = 'https://{0}/application/oauth/token/'.format(BASE_DOMAIN)
+AUTHORIZE_URL = 'https://{0}/application/oauth/authorize/'.format(BASE_DOMAIN)

client-packages/sentry-auth-passbook/sentry_auth_passbook/provider.py

@@ -0,0 +1,62 @@
+from __future__ import absolute_import, print_function
+
+from sentry.auth.exceptions import IdentityNotValid
+from sentry.auth.providers.oauth2 import (OAuth2Callback, OAuth2Login,
+                                          OAuth2Provider)
+
+from .client import PassbookApiError, PassbookClient
+from .constants import (ACCESS_TOKEN_URL, AUTHORIZE_URL, CLIENT_ID,
+                        CLIENT_SECRET, SCOPE)
+from .views import FetchUser, PassbookConfigureView
+
+
+class PassbookOAuth2Provider(OAuth2Provider):
+    access_token_url = ACCESS_TOKEN_URL
+    authorize_url = AUTHORIZE_URL
+    name = 'Passbook'
+    client_id = CLIENT_ID
+    client_secret = CLIENT_SECRET
+
+    def __init__(self, **config):
+        super(PassbookOAuth2Provider, self).__init__(**config)
+
+    def get_configure_view(self):
+        return PassbookConfigureView.as_view()
+
+    def get_auth_pipeline(self):
+        return [
+            OAuth2Login(
+                authorize_url=self.authorize_url,
+                client_id=self.client_id,
+                scope=SCOPE,
+            ),
+            OAuth2Callback(
+                access_token_url=self.access_token_url,
+                client_id=self.client_id,
+                client_secret=self.client_secret,
+            ),
+            FetchUser(
+                client_id=self.client_id,
+                client_secret=self.client_secret,
+            ),
+        ]
+
+    def get_refresh_token_url(self):
+        return ACCESS_TOKEN_URL
+
+    def build_identity(self, state):
+        data = state['data']
+        user_data = state['user']
+        return {
+            'id': user_data['email'],
+            'email': user_data['email'],
+            'name': user_data['name'],
+            'data': self.get_oauth_data(data),
+        }
+
+    def build_config(self, state):
+        return {}
+
+    def refresh_identity(self, auth_identity):
+        client = PassbookClient(self.client_id, self.client_secret)
+        access_token = auth_identity.data['access_token']

client-packages/sentry-auth-passbook/sentry_auth_passbook/views.py

@@ -0,0 +1,75 @@
+from __future__ import absolute_import, print_function
+
+from django import forms
+
+from sentry.auth.view import AuthView, ConfigureView
+from sentry.models import AuthIdentity
+
+from .client import PassbookClient
+
+
+def _get_name_from_email(email):
+    """
+    Given an email return a capitalized name. Ex. john.smith@example.com would return John Smith.
+    """
+    name = email.rsplit('@', 1)[0]
+    name = ' '.join([n_part.capitalize() for n_part in name.split('.')])
+    return name
+
+
+class FetchUser(AuthView):
+    def __init__(self, client_id, client_secret, *args, **kwargs):
+        self.client = PassbookClient(client_id, client_secret)
+        super(FetchUser, self).__init__(*args, **kwargs)
+
+    def handle(self, request, helper):
+        access_token = helper.fetch_state('data')['access_token']
+
+        user = self.client.get_user(access_token)
+
+        # A user hasn't set their name in their Passbook profile so it isn't
+        # populated in the response
+        if not user.get('name'):
+            user['name'] = _get_name_from_email(user['email'])
+
+        helper.bind_state('user', user)
+
+        return helper.next_step()
+
+
+class ConfirmEmailForm(forms.Form):
+    email = forms.EmailField(label='Email')
+
+
+class ConfirmEmail(AuthView):
+    def handle(self, request, helper):
+        user = helper.fetch_state('user')
+
+        # TODO(dcramer): this isnt ideal, but our current flow doesnt really
+        # support this behavior;
+        try:
+            auth_identity = AuthIdentity.objects.select_related('user').get(
+                auth_provider=helper.auth_provider,
+                ident=user['id'],
+            )
+        except AuthIdentity.DoesNotExist:
+            pass
+        else:
+            user['email'] = auth_identity.user.email
+
+        if user.get('email'):
+            return helper.next_step()
+
+        form = ConfirmEmailForm(request.POST or None)
+        if form.is_valid():
+            user['email'] = form.cleaned_data['email']
+            helper.bind_state('user', user)
+            return helper.next_step()
+
+        return self.respond('sentry_auth_passbook/enter-email.html', {
+            'form': form,
+        })
+
+class PassbookConfigureView(ConfigureView):
+    def dispatch(self, request, organization, auth_provider):
+        return self.render('sentry_auth_passbook/configure.html')

client-packages/sentry-auth-passbook/setup.cfg

@@ -0,0 +1,12 @@
+[wheel]
+universal = 1
+
+[pytest]
+python_files = test*.py
+addopts = --tb=native -p no:doctest
+norecursedirs = bin dist docs htmlcov script hooks node_modules .* {args}
+
+[flake8]
+ignore = F999,E501,E128,E124,E402,W503,E731,C901
+max-line-length = 100
+exclude = .tox,.git,*/migrations/*,node_modules/*,docs/*

client-packages/sentry-auth-passbook/setup.py

@@ -0,0 +1,45 @@
+#!/usr/bin/env python
+"""
+sentry-auth-passbook
+==================
+
+:copyright: (c) 2016 Functional Software, Inc
+"""
+from setuptools import find_packages, setup
+
+install_requires = [
+    'sentry>=7.0.0',
+]
+
+tests_require = [
+    'mock',
+    'flake8>=2.0,<2.1',
+]
+
+setup(
+    name='sentry-auth-passbook',
+    version='0.1.30-beta',
+    author='BeryJu.org',
+    author_email='support@beryju.org',
+    url='https://passbook.beryju.org',
+    description='passbook authentication provider for Sentry',
+    long_description=__doc__,
+    license='MIT',
+    packages=find_packages(exclude=['tests']),
+    zip_safe=False,
+    install_requires=install_requires,
+    tests_require=tests_require,
+    extras_require={'tests': tests_require},
+    include_package_data=True,
+    entry_points={
+        'sentry.apps': [
+            'auth_passbook = sentry_auth_passbook',
+        ],
+    },
+    classifiers=[
+        'Intended Audience :: Developers',
+        'Intended Audience :: System Administrators',
+        'Operating System :: OS Independent',
+        'Topic :: Software Development'
+    ],
+)

client-packages/sentry-auth-passbook/tests/test_provider.py

@@ -0,0 +1,6 @@
+from sentry.testutils import TestCase
+
+
+class GitHubOAuth2ProviderTest(TestCase):
+    def test_simple(self):
+        pass

client-packages/sentry-auth-passbook/tests/test_views.py

@@ -0,0 +1,17 @@
+from __future__ import absolute_import, print_function
+
+import pytest
+from sentry_auth_sentry.views import _get_name_from_email
+
+expected_data = [
+    ('john.smith@example.com', 'John Smith'),
+    ('john@example.com', 'John'),
+    ('XYZ-234=3523@example.com', 'Xyz-234=3523'),
+    ('XYZ.1111@example.com', 'Xyz 1111'),
+    ('JOHN@example.com', 'John'),
+]
+
+
+@pytest.mark.parametrize("email,expected_name", expected_data)
+def test_get_name_from_email(email, expected_name):
+    assert _get_name_from_email(email) == expected_name

debian/changelog

@@ -1,3 +1,152 @@
+passbook (0.1.30) stable; urgency=medium
+
+  * bump version: 0.1.28-beta -> 0.1.29-beta
+  * don't use context manager in web command
+
+ -- Jens Langhammer <jens.langhammer@beryju.org>  Thu, 11 Apr 2019 12:21:58 +0000
+
+passbook (0.1.29) stable; urgency=medium
+
+  * bump version: 0.1.27-beta -> 0.1.28-beta
+  * Add libpq-dev dependency so psycopg2 build works
+  * switch to whitenoise for static files
+  * replace cherrypy with daphne
+  * Run collectstatic before coverage, use autoreload on celery worker
+
+ -- Jens Langhammer <jens.langhammer@beryju.org>  Thu, 11 Apr 2019 12:00:27 +0000
+
+passbook (0.1.28) stable; urgency=medium
+
+  * bump version: 0.1.26-beta -> 0.1.27-beta
+  * fix allauth client's formatting
+  * switch from raven to sentry_sdk
+  * add ability to have non-expiring nonces, clean up expired nonces
+  * fully remove raven and switch WSGI and logging to sentry_sdk
+  * fix failing CI
+  * trigger autoreload from config files
+  * Choose upstream more cleverly
+  * Move code from django-revproxy to app_gw to fix cookie bug
+  * Implement websocket proxy
+  * switch kubernetes deployment to daphne server
+  * set default log level to warn, fix clean_nonces not working
+
+ -- Jens Langhammer <jens.langhammer@beryju.org>  Thu, 11 Apr 2019 08:46:44 +0000
+
+passbook (0.1.27) stable; urgency=medium
+
+  * bump version: 0.1.25-beta -> 0.1.26-beta
+  * fix broken app_gw
+
+ -- Jens Langhammer <jens.langhammer@beryju.org>  Fri, 22 Mar 2019 13:50:31 +0000
+
+passbook (0.1.26) stable; urgency=medium
+
+  * bump version: 0.1.24-beta -> 0.1.25-beta
+  * always parse url instead of once
+  * validate upstream in form
+  * add custom template views
+
+ -- Jens Langhammer <jens.langhammer@beryju.org>  Fri, 22 Mar 2019 11:47:08 +0000
+
+passbook (0.1.25) stable; urgency=medium
+
+  * initial implementation of reverse proxy, using django-revproxy from within a middleware
+  * fix TypeError: can only concatenate list (not "str") to list
+  * bump version: 0.1.23-beta -> 0.1.24-beta
+  * add redis dependency back in for caching
+  * utilise cache in PolicyEngine
+  * explicitly use redis db
+  * invalidate cache when policy is saved
+  * add redis as service in CI for unittests
+  * add timeout field to policy to prevent stuck policies
+  * Don't use LoginRequired for PermissionDenied View
+  * Check for policies in app_gw
+  * Better handle policy timeouts
+  * cleanup post-migration mess
+  * prevent ZeroDivisionError
+  * Redirect to login on reverse proxy
+  * cleanup property_mapping list
+  * add compiled regex to RewriteRule
+  * implement actual Rewriting logic
+  * Invalidate cache when ApplicationGateway instance is saved
+  * validate server_name in form
+
+ -- Jens Langhammer <jens.langhammer@beryju.org>  Thu, 21 Mar 2019 15:47:58 +0000
+
+passbook (0.1.24) stable; urgency=medium
+
+  * bump version: 0.1.22-beta -> 0.1.23-beta
+  * add modal for OAuth Providers showing the URLs
+  * remove user field from form. Closes #32
+
+ -- Jens Langhammer <jens.langhammer@beryju.org>  Wed, 20 Mar 2019 21:59:21 +0000
+
+passbook (0.1.23) stable; urgency=medium
+
+  * add support for OpenID-Connect Discovery
+
+ -- Jens Langhammer <jens.langhammer@beryju.org>  Thu, 18 Mar 2019 20:19:27 +0000
+
+passbook (0.1.22) stable; urgency=medium
+
+  * bump version: 0.1.20-beta -> 0.1.21-beta
+  * fix missing debug template
+  * move icons to single folder, cleanup
+  * fix layout when on mobile viewport and scrolling
+  * fix delete form not working
+  * point to correct icons
+  * add Azure AD Source
+  * Fix OAuth Client's disconnect view having invalid URL names
+
+ -- Jens Langhammer <jens.langhammer@beryju.org>  Thu, 14 Mar 2019 20:19:27 +0000
+
+passbook (0.1.21) stable; urgency=medium
+
+  * bump version: 0.1.19-beta -> 0.1.20-beta
+  * add request debug view
+  * detect HTTPS from reverse proxy
+
+ -- Jens Langhammer <jens.langhammer@beryju.org>  Thu, 14 Mar 2019 17:01:49 +0000
+
+passbook (0.1.20) stable; urgency=medium
+
+  * bump version: 0.1.18-beta -> 0.1.19-beta
+  * fix GitHub Pretend again
+  * add user settings for Sources
+
+ -- Jens Langhammer <jens.langhammer@beryju.org>  Wed, 13 Mar 2019 15:49:44 +0000
+
+passbook (0.1.18) stable; urgency=medium
+
+  * bump version: 0.1.16-beta -> 0.1.17-beta
+  * fix Server Error when downloading metadata
+  * add sentry client
+  * fix included yaml file
+  * adjust versions for client packages, auto build client-packages
+  * bump version: 0.1.17-beta -> 0.1.18-beta
+  * fix API Call for sentry-client, add missing template
+  * fix GitHub Pretend throwing a 500 error
+
+ -- Jens Langhammer <jens.langhammer@beryju.org>  Wed, 13 Mar 2019 14:14:10 +0000
+
+passbook (0.1.17) stable; urgency=medium
+
+  * bump version: 0.1.15-beta -> 0.1.16-beta
+  * remove Application.user_is_authorized
+  * don't use celery heartbeat, use TCP keepalive instead
+  * switch to vertical navigation
+
+ -- Jens Langhammer <jens.langhammer@beryju.org>  Tue, 12 Mar 2019 14:54:27 +0000
+
+passbook (0.1.16) stable; urgency=medium
+
+  * Replace redis with RabbitMQ
+  * updated debian package to suggest RabbitMQ
+  * update helm chart to require RabbitMQ
+  * fix invalid default config in debian package
+
+ -- Jens Langhammer <jens.langhammer@beryju.org>  Mon, 11 Mar 2019 10:28:36 +0000
+
 passbook (0.1.14) stable; urgency=medium
 
   * bump version: 0.1.11-beta -> 0.1.12-beta

debian/control

@@ -3,12 +3,12 @@ Section: admin
 Priority: optional
 Maintainer: BeryJu.org <support@beryju.org>
 Uploaders: Jens Langhammer <jens@beryju.org>, BeryJu.org <support@beryju.org>
-Build-Depends: debhelper (>= 10), dh-systemd (>= 1.5), dh-exec, wget, dh-exec, python3 (>= 3.5) | python3.6 | python3.7
+Build-Depends: debhelper (>= 10), dh-systemd (>= 1.5), dh-exec, wget, dh-exec, python3 (>= 3.5) | python3.6 | python3.7, libpq-dev
 Standards-Version: 3.9.6
 
 Package: passbook
 Architecture: all
-Recommends: mysql-server, redis-server
+Recommends: mysql-server, rabbitmq-server, redis-server
 Pre-Depends: adduser, libldap2-dev, libsasl2-dev
 Depends: python3 (>= 3.5) | python3.6 | python3.7, python3-pip, dbconfig-pgsql | dbconfig-no-thanks, ${misc:Depends}
 Description: Authentication Provider/Proxy supporting protocols like SAML, OAuth, LDAP and more.

debian/etc/passbook/config.yml

@@ -1,4 +1,3 @@
-debug: false
 http:
     host: 0.0.0.0
     port: 8000
@@ -8,37 +7,75 @@ log:
         console: INFO
         file: DEBUG
     file: /var/log/passbook/passbook.log
-# Error reporting, disabled by default
-# error_report_enabled: true
+debug: false
+secure_proxy_header:
+  HTTP_X_FORWARDED_PROTO: https
+rabbitmq: guest:guest@localhost/passbook
+redis: localhost/0
 
-# Set this to the server's external address.
-# This is used to generate external URLs
-external_url: http://image.example.com
+# Error reporting, sends stacktrace to sentry.services.beryju.org
+error_report_enabled: true
 
-# This dictates how the Path is generated
-# can be either of:
-# - view_sha512_short
-# - view_md5
-# - view_sha256
-# - view_sha512
-default_return_view: view_sha256
+primary_domain: passbook.local
 
-# Set this to true if you only want to use external authentication
-external_auth_only: false
-
-# If this is true, images are automatically claimed if the windows user exists
-# in django
-auto_claim_enabled: true
-
-# LDAP Authentication
-# ldap:
-#     enabled: false
-#     server:
-#         uri: 'ldap://dc1.example.com'
-#         tls: false
-#     bind:
-#         dn: ''
-#         password: ''
-#     search_base: ''
-#     filter: '(sAMAccountName=%(user)s)'
-#     require_group: ''
+passbook:
+  sign_up:
+    # Enables signup, created users are stored in internal Database and created in LDAP if ldap.create_users is true
+    enabled: true
+  password_reset:
+    # Enable password reset, passwords are reset in internal Database and in LDAP if ldap.reset_password is true
+    enabled: true
+    # Verification the user has to provide in order to be able to reset passwords. Can be any combination of `email`, `2fa`, `security_questions`
+    verification:
+      - email
+  # Text used in title, on login page and multiple other places
+  branding: passbook
+  login:
+    # Override URL used for logo
+    logo_url: null
+    # Override URL used for Background on Login page
+    bg_url: null
+    # Optionally add a subtext, placed below logo on the login page
+    subtext: null
+  footer:
+    links:
+      # Optionally add links to the footer on the login page
+      #  - name: test
+      #    href: https://test
+  # Specify which fields can be used to authenticate. Can be any combination of `username` and `email`
+  uid_fields:
+    - username
+    - email
+  session:
+    remember_age: 2592000 # 60 * 60 * 24 * 30, one month
+# Provider-specific settings
+ldap:
+  # Which field from `uid_fields` maps to which LDAP Attribute
+  login_field_map:
+    username: sAMAccountName
+    email: mail # or userPrincipalName
+  user_attribute_map:
+    active_directory:
+      username: "%(sAMAccountName)s"
+      email: "%(mail)s"
+      name: "%(displayName)"
+oauth_client:
+  # List of python packages with sources types to load.
+  types:
+    - passbook.oauth_client.source_types.discord
+    - passbook.oauth_client.source_types.facebook
+    - passbook.oauth_client.source_types.github
+    - passbook.oauth_client.source_types.google
+    - passbook.oauth_client.source_types.reddit
+    - passbook.oauth_client.source_types.supervisr
+    - passbook.oauth_client.source_types.twitter
+saml_idp:
+  # List of python packages with provider types to load.
+  types:
+    - passbook.saml_idp.processors.generic
+    - passbook.saml_idp.processors.aws
+    - passbook.saml_idp.processors.gitlab
+    - passbook.saml_idp.processors.nextcloud
+    - passbook.saml_idp.processors.salesforce
+    - passbook.saml_idp.processors.shibboleth
+    - passbook.saml_idp.processors.wordpress_orange

helm/passbook/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v1
-appVersion: "0.1.14-beta"
+appVersion: "0.1.30-beta"
 description: A Helm chart for passbook.
 name: passbook
-version: "0.1.14-beta"
+version: "0.1.30-beta"
 icon: https://passbook.beryju.org/images/logo.png

helm/passbook/requirements.lock

@@ -1,9 +1,12 @@
 dependencies:
-- name: redis
+- name: rabbitmq
   repository: https://kubernetes-charts.storage.googleapis.com/
-  version: 5.1.0
+  version: 4.3.2
 - name: postgresql
   repository: https://kubernetes-charts.storage.googleapis.com/
   version: 3.10.1
-digest: sha256:04bd136761f070e94a2ff32ff48ff87f5e07fbd451e5fd7f65551e3bd4680e5e
-generated: 2019-02-08T12:08:49.090666+01:00
+- name: redis
+  repository: https://kubernetes-charts.storage.googleapis.com/
+  version: 5.1.0
+digest: sha256:8bf68bc928a2e3c0f05139635be05fa0840554c7bde4cecd624fac78fb5fa5a3
+generated: 2019-03-21T11:06:51.553379+01:00

helm/passbook/requirements.yaml

@@ -1,7 +1,10 @@
 dependencies:
-- name: redis
-  version: 5.1.0
+- name: rabbitmq
+  version: 4.3.2
   repository: https://kubernetes-charts.storage.googleapis.com/
 - name: postgresql
   version: 3.10.1
   repository: https://kubernetes-charts.storage.googleapis.com/
+- name: redis
+  version: 5.1.0
+  repository: https://kubernetes-charts.storage.googleapis.com/

helm/passbook/templates/passbook-configmap.yaml

@@ -15,8 +15,8 @@ data:
         port: ''
     log:
       level:
-        console: DEBUG
-        file: DEBUG
+        console: WARNING
+        file: WARNING
       file: /dev/null
       syslog:
         host: 127.0.0.1
@@ -36,7 +36,8 @@ data:
     debug: false
     secure_proxy_header:
       HTTP_X_FORWARDED_PROTO: https
-    redis: ":{{ .Values.redis.password }}@{{ .Release.Name }}-redis-master"
+    rabbitmq: "user:{{ .Values.rabbitmq.rabbitmq.password }}@{{ .Release.Name }}-rabbitmq"
+    redis: ":{{ .Values.redis.password }}@{{ .Release.Name }}-redis-master/0"
     # Error reporting, sends stacktrace to sentry.services.beryju.org
     error_report_enabled: {{ .Values.config.error_reporting }}
 
@@ -46,6 +47,7 @@ data:
     secret_key: {{ randAlphaNum 50 }}
     {{- end }}
 
+    primary_domain: {{ .Values.primary_domain }}
     domains:
         {{- range .Values.ingress.hosts }}
         - {{ . | quote }}
@@ -123,6 +125,7 @@ data:
         - passbook.oauth_client.source_types.reddit
         - passbook.oauth_client.source_types.supervisr
         - passbook.oauth_client.source_types.twitter
+        - passbook.oauth_client.source_types.azure_ad
     saml_idp:
       signing: true
       autosubmit: false

helm/passbook/values.yaml

@@ -5,7 +5,7 @@
 replicaCount: 1
 
 image:
-  tag: 0.1.14-beta
+  tag: 0.1.30-beta
 
 nameOverride: ""
 
@@ -18,8 +18,12 @@ config:
     host: localhost
 
 postgresql:
-    postgresqlDatabase: passbook
-    postgresqlPassword: foo
+  postgresqlDatabase: passbook
+  postgresqlPassword: foo
+
+rabbitmq:
+  rabbitmq:
+    password: foo
 
 service:
   type: ClusterIP
@@ -33,7 +37,6 @@ ingress:
   path: /
   hosts:
     - passbook.k8s.local
-    - kubernetes-healthcheck-host
   defaultHost: passbook.k8s.local
   tls: []
   #  - secretName: chart-example-tls

passbook/__init__.py

@@ -1,2 +1,2 @@
 """passbook"""
-__version__ = '0.1.14-beta'
+__version__ = '0.1.30-beta'

passbook/admin/__init__.py

@@ -1,2 +1,2 @@
 """passbook admin"""
-__version__ = '0.1.14-beta'
+__version__ = '0.1.30-beta'

passbook/admin/templates/administration/base.html

@@ -4,49 +4,4 @@
 {% load is_active %}
 
 {% block nav_secondary %}
-<ul class="nav navbar-nav navbar-persistent">
-    <li class="{% is_active 'passbook_admin:overview' %}">
-        <a href="{% url 'passbook_admin:overview' %}">{% trans 'Overview' %}</a>
-    </li>
-    <li
-        class="{% is_active 'passbook_admin:applications' 'passbook_admin:application-create' 'passbook_admin:application-update' 'passbook_admin:application-delete' %}">
-        <a href="{% url 'passbook_admin:applications' %}">{% trans 'Applications' %}</a>
-    </li>
-    <li
-        class="{% is_active 'passbook_admin:sources' 'passbook_admin:source-create' 'passbook_admin:source-update' 'passbook_admin:source-delete' %}">
-        <a href="{% url 'passbook_admin:sources' %}">{% trans 'Sources' %}</a>
-    </li>
-    <li
-        class="{% is_active 'passbook_admin:providers' 'passbook_admin:provider-create' 'passbook_admin:provider-update' 'passbook_admin:provider-delete' %}">
-        <a href="{% url 'passbook_admin:providers' %}">{% trans 'Providers' %}</a>
-    </li>
-    <li
-        class="{% is_active 'passbook_admin:property-mappings' 'passbook_admin:property-mapping-create' 'passbook_admin:property-mapping-update' 'passbook_admin:property-mapping-delete' %}">
-        <a href="{% url 'passbook_admin:property-mappings' %}">{% trans 'Property Mappings' %}</a>
-    </li>
-    <li
-        class="{% is_active 'passbook_admin:factors' 'passbook_admin:factor-create' 'passbook_admin:factor-update' 'passbook_admin:factor-delete' %}">
-        <a href="{% url 'passbook_admin:factors' %}">{% trans 'Factors' %}</a>
-    </li>
-    <li
-        class="{% is_active 'passbook_admin:policies' 'passbook_admin:policy-create' 'passbook_admin:policy-update' 'passbook_admin:policy-delete' 'passbook_admin:policy-test' %}">
-        <a href="{% url 'passbook_admin:policies' %}">{% trans 'Policies' %}</a>
-    </li>
-    <li
-        class="{% is_active 'passbook_admin:invitations' 'passbook_admin:invitation-create' 'passbook_admin:invitation-update' 'passbook_admin:invitation-delete' 'passbook_admin:invitation-test' %}">
-        <a href="{% url 'passbook_admin:invitations' %}">{% trans 'Invitations' %}</a>
-    </li>
-    <li class="{% is_active 'passbook_admin:users' 'passbook_admin:user-update' 'passbook_admin:user-delete' %}">
-        <a href="{% url 'passbook_admin:users' %}">{% trans 'Users' %}</a>
-    </li>
-    <li class="{% is_active 'passbook_admin:groups' 'passbook_admin:group-update' 'passbook_admin:group-delete' %}">
-        <a href="{% url 'passbook_admin:groups' %}">{% trans 'Groups' %}</a>
-    </li>
-    <li class="{% is_active 'passbook_admin:audit-log' %}">
-        <a href="{% url 'passbook_admin:audit-log' %}">{% trans 'Audit Log' %}</a>
-    </li>
-    <li class="{% is_active_app 'admin' %}">
-        <a href="{% url 'admin:index' %}">{% trans 'Django' %}</a>
-    </li>
-</ul>
 {% endblock %}

passbook/admin/templates/administration/debug/request.html

@@ -0,0 +1,31 @@
+{% extends "administration/base.html" %}
+
+{% load i18n %}
+{% load utils %}
+
+{% block title %}
+{% title %}
+{% endblock %}
+
+{% block content %}
+<div class="container">
+    <h1><span class="pficon-applications"></span> {% trans "Request" %}</h1>
+    <hr>
+    <table class="table table-striped table-bordered">
+        <thead>
+            <tr>
+                <th>{% trans 'Key' %}</th>
+                <th>{% trans 'Value' %}</th>
+            </tr>
+        </thead>
+        <tbody>
+            {% for key, value in request_dict.items %}
+            <tr>
+                <td>{{ key }}</td>
+                <td>{{ value }}</td>
+            </tr>
+            {% endfor %}
+        </tbody>
+    </table>
+</div>
+{% endblock %}

passbook/admin/templates/administration/property_mapping/list.html

@@ -36,7 +36,7 @@
         <tbody>
             {% for property_mapping in object_list %}
             <tr>
-                <td>{{ property_mapping.name }} ({{ property_mapping.slug }})</td>
+                <td>{{ property_mapping.name }}</td>
                 <td>{{ property_mapping|verbose_name }}</td>
                 <td>
                     <a class="btn btn-default btn-sm"

passbook/admin/templates/administration/provider/list.html

@@ -57,6 +57,10 @@
                     <a class="btn btn-default btn-sm"
                         href="{{ href }}?back={{ request.get_full_path }}">{% trans name %}</a>
                     {% endfor %}
+                    {% get_htmls provider as htmls %}
+                    {% for html in htmls %}
+                    {{ html|safe }}
+                    {% endfor %}
                 </td>
             </tr>
             {% endfor %}

passbook/admin/templatetags/admin_reflection.py

@@ -5,6 +5,8 @@ from logging import getLogger
 from django import template
 from django.db.models import Model
 
+from passbook.lib.utils.template import render_to_string
+
 register = template.Library()
 LOGGER = getLogger(__name__)
 
@@ -29,3 +31,24 @@ def get_links(model_instance):
         pass
 
     return links
+
+
+@register.simple_tag(takes_context=True)
+def get_htmls(context, model_instance):
+    """Find all html_ methods on an object instance, run them and return as dict"""
+    prefix = 'html_'
+    htmls = []
+
+    if not isinstance(model_instance, Model):
+        LOGGER.warning("Model %s is not instance of Model", model_instance)
+        return htmls
+
+    try:
+        for name, method in inspect.getmembers(model_instance, predicate=inspect.ismethod):
+            if name.startswith(prefix):
+                template, _context = method(context.get('request'))
+                htmls.append(render_to_string(template, _context))
+    except NotImplementedError:
+        pass
+
+    return htmls

passbook/admin/urls.py

@@ -1,7 +1,7 @@
 """passbook URL Configuration"""
 from django.urls import include, path
 
-from passbook.admin.views import (applications, audit, factors, groups,
+from passbook.admin.views import (applications, audit, debug, factors, groups,
                                   invitations, overview, policy,
                                   property_mapping, providers, sources, users)
 
@@ -77,5 +77,7 @@ urlpatterns = [
     # Groups
     path('groups/', groups.GroupListView.as_view(), name='groups'),
     # API
-    path('api/', include('passbook.admin.api.urls'))
+    path('api/', include('passbook.admin.api.urls')),
+    # Debug
+    path('debug/request/', debug.DebugRequestView.as_view(), name='debug-request'),
 ]

passbook/admin/views/debug.py

@@ -0,0 +1,17 @@
+"""passbook administration debug views"""
+
+from django.views.generic import TemplateView
+
+from passbook.admin.mixins import AdminRequiredMixin
+
+
+class DebugRequestView(AdminRequiredMixin, TemplateView):
+    """Show debug info about request"""
+
+    template_name = 'administration/debug/request.html'
+
+    def get_context_data(self, **kwargs):
+        kwargs['request_dict'] = {}
+        for key in dir(self.request):
+            kwargs['request_dict'][key] = getattr(self.request, key)
+        return super().get_context_data(**kwargs)

passbook/api/__init__.py

@@ -1,2 +1,2 @@
 """passbook api"""
-__version__ = '0.1.14-beta'
+__version__ = '0.1.30-beta'

passbook/app_gw/__init__.py

@@ -0,0 +1,2 @@
+"""passbook Application Security Gateway Header"""
+__version__ = '0.1.30-beta'

passbook/app_gw/admin.py

@@ -0,0 +1,5 @@
+"""passbook Application Security Gateway model admin"""
+
+from passbook.lib.admin import admin_autoregister
+
+admin_autoregister('passbook_app_gw')

passbook/app_gw/apps.py

@@ -0,0 +1,16 @@
+"""passbook Application Security Gateway app"""
+from importlib import import_module
+
+from django.apps import AppConfig
+
+
+class PassbookApplicationApplicationGatewayConfig(AppConfig):
+    """passbook app_gw app"""
+
+    name = 'passbook.app_gw'
+    label = 'passbook_app_gw'
+    verbose_name = 'passbook Application Security Gateway'
+    mountpoint = 'app_gw/'
+
+    def ready(self):
+        import_module('passbook.app_gw.signals')

passbook/app_gw/forms.py

@@ -0,0 +1,66 @@
+"""passbook Application Security Gateway Forms"""
+from urllib.parse import urlparse
+
+from django import forms
+from django.contrib.admin.widgets import FilteredSelectMultiple
+from django.forms import ValidationError
+from django.utils.translation import gettext as _
+
+from passbook.app_gw.models import ApplicationGatewayProvider, RewriteRule
+from passbook.lib.fields import DynamicArrayField
+
+
+class ApplicationGatewayProviderForm(forms.ModelForm):
+    """Security Gateway Provider form"""
+
+    def clean_server_name(self):
+        """Check if server_name is in DB already, since
+        Postgres ArrayField doesn't suppport keys."""
+        current = self.cleaned_data.get('server_name')
+        if ApplicationGatewayProvider.objects \
+                .filter(server_name__overlap=current) \
+                .exclude(pk=self.instance.pk).exists():
+            raise ValidationError(_("Server Name already in use."))
+        return current
+
+    def clean_upstream(self):
+        """Check that upstream begins with http(s)"""
+        for upstream in self.cleaned_data.get('upstream'):
+            _parsed_url = urlparse(upstream)
+
+            if _parsed_url.scheme not in ('http', 'https'):
+                raise ValidationError(_("URL Scheme must be either http or https"))
+        return self.cleaned_data.get('upstream')
+
+    class Meta:
+
+        model = ApplicationGatewayProvider
+        fields = ['server_name', 'upstream', 'enabled', 'authentication_header',
+                  'default_content_type', 'upstream_ssl_verification', 'property_mappings']
+        widgets = {
+            'authentication_header': forms.TextInput(),
+            'default_content_type': forms.TextInput(),
+            'property_mappings': FilteredSelectMultiple(_('Property Mappings'), False)
+        }
+        field_classes = {
+            'server_name': DynamicArrayField,
+            'upstream': DynamicArrayField
+        }
+        labels = {
+            'upstream_ssl_verification': _('Verify upstream SSL Certificates?'),
+            'property_mappings': _('Rewrite Rules')
+        }
+
+class RewriteRuleForm(forms.ModelForm):
+    """Rewrite Rule Form"""
+
+    class Meta:
+
+        model = RewriteRule
+        fields = ['name', 'match', 'halt', 'replacement', 'redirect', 'conditions']
+        widgets = {
+            'name': forms.TextInput(),
+            'match': forms.TextInput(attrs={'data-is-monospace': True}),
+            'replacement': forms.TextInput(attrs={'data-is-monospace': True}),
+            'conditions': FilteredSelectMultiple(_('Conditions'), False)
+        }

passbook/app_gw/middleware.py

@@ -0,0 +1,238 @@
+"""passbook app_gw middleware"""
+import mimetypes
+from logging import getLogger
+from random import SystemRandom
+from urllib.parse import urlparse
+
+import certifi
+import urllib3
+from django.core.cache import cache
+from django.utils.http import urlencode
+from django.views.generic import RedirectView
+from revproxy.exceptions import InvalidUpstream
+
+from passbook.app_gw.models import ApplicationGatewayProvider
+from passbook.app_gw.proxy.response import get_django_response
+from passbook.app_gw.proxy.utils import encode_items, normalize_request_headers
+from passbook.app_gw.rewrite import Rewriter
+from passbook.core.models import Application
+from passbook.core.policies import PolicyEngine
+from passbook.lib.config import CONFIG
+
+SESSION_UPSTREAM_KEY = 'passbook_app_gw_upstream'
+IGNORED_HOSTNAMES_KEY = 'passbook_app_gw_ignored'
+LOGGER = getLogger(__name__)
+QUOTE_SAFE = r'<.;>\(}*+|~=-$/_:^@)[{]&\'!,"`'
+ERRORS_MESSAGES = {
+    'upstream-no-scheme': ("Upstream URL scheme must be either "
+                           "'http' or 'https' (%s).")
+}
+
+# pylint: disable=too-many-instance-attributes
+class ApplicationGatewayMiddleware:
+    """Check if request should be proxied or handeled normally"""
+
+    ignored_hosts = []
+    request = None
+    app_gw = None
+    http = None
+    http_no_verify = None
+    host_header = ''
+
+    _parsed_url = None
+    _request_headers = None
+
+    def __init__(self, get_response):
+        self.get_response = get_response
+        self.ignored_hosts = cache.get(IGNORED_HOSTNAMES_KEY, [])
+        self.http_no_verify = urllib3.PoolManager()
+        self.http = urllib3.PoolManager(
+            cert_reqs='CERT_REQUIRED',
+            ca_certs=certifi.where())
+
+    def precheck(self, request):
+        """Check if a request should be proxied or forwarded to passbook"""
+        # Check if hostname is in cached list of ignored hostnames
+        # This saves us having to query the database on each request
+        self.host_header = request.META.get('HTTP_HOST')
+        if self.host_header in self.ignored_hosts:
+            LOGGER.debug("%s is ignored", self.host_header)
+            return True, None
+        # Look through all ApplicationGatewayProviders and check hostnames
+        matches = ApplicationGatewayProvider.objects.filter(
+            server_name__contains=[self.host_header],
+            enabled=True)
+        if not matches.exists():
+            # Mo matching Providers found, add host header to ignored list
+            self.ignored_hosts.append(self.host_header)
+            cache.set(IGNORED_HOSTNAMES_KEY, self.ignored_hosts)
+            LOGGER.debug("Ignoring %s", self.host_header)
+            return True, None
+        # At this point we're certain there's a matching ApplicationGateway
+        if len(matches) > 1:
+            # This should never happen
+            raise ValueError
+        app_gw = matches.first()
+        try:
+            # Check if ApplicationGateway is associated with application
+            getattr(app_gw, 'application')
+            return False, app_gw
+        except Application.DoesNotExist:
+            LOGGER.debug("ApplicationGateway not associated with Application")
+            return True, None
+        return True, None
+
+    def __call__(self, request):
+        forward, self.app_gw = self.precheck(request)
+        if forward:
+            return self.get_response(request)
+        self.request = request
+        return self.dispatch(request)
+
+    def _get_upstream(self):
+        """Choose random upstream and save in session"""
+        if SESSION_UPSTREAM_KEY not in self.request.session:
+            self.request.session[SESSION_UPSTREAM_KEY] = {}
+        if self.app_gw.pk not in self.request.session[SESSION_UPSTREAM_KEY]:
+            upstream_index = SystemRandom().randrange(len(self.app_gw.upstream))
+            self.request.session[SESSION_UPSTREAM_KEY][self.app_gw.pk] = upstream_index
+        return self.app_gw.upstream[self.request.session[SESSION_UPSTREAM_KEY][self.app_gw.pk]]
+
+    def get_upstream(self):
+        """Get upstream as parsed url"""
+        upstream = self._get_upstream()
+
+        self._parsed_url = urlparse(upstream)
+
+        if self._parsed_url.scheme not in ('http', 'https'):
+            raise InvalidUpstream(ERRORS_MESSAGES['upstream-no-scheme'] %
+                                  upstream)
+
+        return upstream
+
+    def _format_path_to_redirect(self, request):
+        LOGGER.debug("Path before: %s", request.get_full_path())
+        rewriter = Rewriter(self.app_gw, request)
+        after = rewriter.build()
+        LOGGER.debug("Path after: %s", after)
+        return after
+
+    def get_proxy_request_headers(self, request):
+        """Get normalized headers for the upstream
+        Gets all headers from the original request and normalizes them.
+        Normalization occurs by removing the prefix ``HTTP_`` and
+        replacing and ``_`` by ``-``. Example: ``HTTP_ACCEPT_ENCODING``
+        becames ``Accept-Encoding``.
+        .. versionadded:: 0.9.1
+        :param request:  The original HTTPRequest instance
+        :returns:  Normalized headers for the upstream
+        """
+        return normalize_request_headers(request)
+
+    def get_request_headers(self):
+        """Return request headers that will be sent to upstream.
+        The header REMOTE_USER is set to the current user
+        if AuthenticationMiddleware is enabled and
+        the view's add_remote_user property is True.
+        .. versionadded:: 0.9.8
+        """
+        request_headers = self.get_proxy_request_headers(self.request)
+        request_headers[self.app_gw.authentication_header] = self.request.user.get_username()
+        LOGGER.info("%s set", self.app_gw.authentication_header)
+
+        return request_headers
+
+    def check_permission(self):
+        """Check if user is authenticated and has permission to access app"""
+        if not hasattr(self.request, 'user'):
+            return False
+        if not self.request.user.is_authenticated:
+            return False
+        policy_engine = PolicyEngine(self.app_gw.application.policies.all())
+        policy_engine.for_user(self.request.user).with_request(self.request).build()
+        passing, _messages = policy_engine.result
+
+        return passing
+
+    def get_encoded_query_params(self):
+        """Return encoded query params to be used in proxied request"""
+        get_data = encode_items(self.request.GET.lists())
+        return urlencode(get_data)
+
+    def _created_proxy_response(self, request, path):
+        request_payload = request.body
+
+        LOGGER.debug("Request headers: %s", self._request_headers)
+
+        request_url = self.get_upstream() + path
+        LOGGER.debug("Request URL: %s", request_url)
+
+        if request.GET:
+            request_url += '?' + self.get_encoded_query_params()
+            LOGGER.debug("Request URL: %s", request_url)
+
+        http = self.http
+        if not self.app_gw.upstream_ssl_verification:
+            http = self.http_no_verify
+
+        try:
+            proxy_response = http.urlopen(request.method,
+                                          request_url,
+                                          redirect=False,
+                                          retries=None,
+                                          headers=self._request_headers,
+                                          body=request_payload,
+                                          decode_content=False,
+                                          preload_content=False)
+            LOGGER.debug("Proxy response header: %s",
+                         proxy_response.getheaders())
+        except urllib3.exceptions.HTTPError as error:
+            LOGGER.exception(error)
+            raise
+
+        return proxy_response
+
+    def _replace_host_on_redirect_location(self, request, proxy_response):
+        location = proxy_response.headers.get('Location')
+        if location:
+            if request.is_secure():
+                scheme = 'https://'
+            else:
+                scheme = 'http://'
+            request_host = scheme + self.host_header
+
+            upstream_host_http = 'http://' + self._parsed_url.netloc
+            upstream_host_https = 'https://' + self._parsed_url.netloc
+
+            location = location.replace(upstream_host_http, request_host)
+            location = location.replace(upstream_host_https, request_host)
+            proxy_response.headers['Location'] = location
+            LOGGER.debug("Proxy response LOCATION: %s",
+                         proxy_response.headers['Location'])
+
+    def _set_content_type(self, request, proxy_response):
+        content_type = proxy_response.headers.get('Content-Type')
+        if not content_type:
+            content_type = (mimetypes.guess_type(request.path)[0] or
+                            self.app_gw.default_content_type)
+            proxy_response.headers['Content-Type'] = content_type
+            LOGGER.debug("Proxy response CONTENT-TYPE: %s",
+                         proxy_response.headers['Content-Type'])
+
+    def dispatch(self, request):
+        """Build proxied request and pass to upstream"""
+        if not self.check_permission():
+            to_url = 'https://%s/?next=%s' % (CONFIG.get('domains')[0], request.get_full_path())
+            return RedirectView.as_view(url=to_url)(request)
+
+        self._request_headers = self.get_request_headers()
+
+        path = self._format_path_to_redirect(request)
+        proxy_response = self._created_proxy_response(request, path)
+
+        self._replace_host_on_redirect_location(request, proxy_response)
+        self._set_content_type(request, proxy_response)
+        response = get_django_response(proxy_response, strict_cookies=False)
+
+        LOGGER.debug("RESPONSE RETURNED: %s", response)
+        return response

passbook/app_gw/migrations/0001_initial.py

@@ -0,0 +1,50 @@
+# Generated by Django 2.1.7 on 2019-03-20 21:38
+
+import django.contrib.postgres.fields
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+        ('passbook_core', '0020_groupmembershippolicy'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='ApplicationGatewayProvider',
+            fields=[
+                ('provider_ptr', models.OneToOneField(auto_created=True, on_delete=django.db.models.deletion.CASCADE, parent_link=True, primary_key=True, serialize=False, to='passbook_core.Provider')),
+                ('server_name', django.contrib.postgres.fields.ArrayField(base_field=models.TextField(), size=None)),
+                ('upstream', django.contrib.postgres.fields.ArrayField(base_field=models.TextField(), size=None)),
+                ('enabled', models.BooleanField(default=True)),
+                ('authentication_header', models.TextField(default='X-Remote-User')),
+                ('default_content_type', models.TextField(default='application/octet-stream')),
+                ('upstream_ssl_verification', models.BooleanField(default=True)),
+            ],
+            options={
+                'verbose_name': 'Application Gateway Provider',
+                'verbose_name_plural': 'Application Gateway Providers',
+            },
+            bases=('passbook_core.provider',),
+        ),
+        migrations.CreateModel(
+            name='RewriteRule',
+            fields=[
+                ('propertymapping_ptr', models.OneToOneField(auto_created=True, on_delete=django.db.models.deletion.CASCADE, parent_link=True, primary_key=True, serialize=False, to='passbook_core.PropertyMapping')),
+                ('match', models.TextField()),
+                ('halt', models.BooleanField(default=False)),
+                ('replacement', models.TextField()),
+                ('redirect', models.CharField(choices=[('internal', 'Internal'), (301, 'Moved Permanently'), (302, 'Found')], max_length=50)),
+                ('conditions', models.ManyToManyField(to='passbook_core.Policy')),
+            ],
+            options={
+                'verbose_name': 'Rewrite Rule',
+                'verbose_name_plural': 'Rewrite Rules',
+            },
+            bases=('passbook_core.propertymapping',),
+        ),
+    ]

passbook/app_gw/migrations/0002_auto_20190321_1521.py

@@ -0,0 +1,18 @@
+# Generated by Django 2.1.7 on 2019-03-21 15:21
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('passbook_app_gw', '0001_initial'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='rewriterule',
+            name='conditions',
+            field=models.ManyToManyField(blank=True, to='passbook_core.Policy'),
+        ),
+    ]

passbook/app_gw/models.py

@@ -0,0 +1,74 @@
+"""passbook app_gw models"""
+import re
+
+from django.contrib.postgres.fields import ArrayField
+from django.db import models
+from django.utils.translation import gettext as _
+
+from passbook.core.models import Policy, PropertyMapping, Provider
+
+
+class ApplicationGatewayProvider(Provider):
+    """Virtual server which proxies requests to any hostname in server_name to upstream"""
+
+    server_name = ArrayField(models.TextField())
+    upstream = ArrayField(models.TextField())
+    enabled = models.BooleanField(default=True)
+
+    authentication_header = models.TextField(default='X-Remote-User')
+    default_content_type = models.TextField(default='application/octet-stream')
+    upstream_ssl_verification = models.BooleanField(default=True)
+
+    form = 'passbook.app_gw.forms.ApplicationGatewayProviderForm'
+
+    @property
+    def name(self):
+        """since this model has no name property, return a joined list of server_names as name"""
+        return ', '.join(self.server_name)
+
+    def __str__(self):
+        return "Application Gateway %s" % ', '.join(self.server_name)
+
+    class Meta:
+
+        verbose_name = _('Application Gateway Provider')
+        verbose_name_plural = _('Application Gateway Providers')
+
+
+class RewriteRule(PropertyMapping):
+    """Rewrite requests matching `match` with `replacement`, if all polcies in `conditions` apply"""
+
+    REDIRECT_INTERNAL = 'internal'
+    REDIRECT_PERMANENT = 301
+    REDIRECT_FOUND = 302
+
+    REDIRECTS = (
+        (REDIRECT_INTERNAL, _('Internal')),
+        (REDIRECT_PERMANENT, _('Moved Permanently')),
+        (REDIRECT_FOUND, _('Found')),
+    )
+
+    match = models.TextField()
+    halt = models.BooleanField(default=False)
+    conditions = models.ManyToManyField(Policy, blank=True)
+    replacement = models.TextField() # python formatted strings, use {match.1}
+    redirect = models.CharField(max_length=50, choices=REDIRECTS)
+
+    form = 'passbook.app_gw.forms.RewriteRuleForm'
+
+    _matcher = None
+
+    @property
+    def compiled_matcher(self):
+        """Cache the compiled regex in memory"""
+        if not self._matcher:
+            self._matcher = re.compile(self.match)
+        return self._matcher
+
+    def __str__(self):
+        return "Rewrite Rule %s" % self.name
+
+    class Meta:
+
+        verbose_name = _('Rewrite Rule')
+        verbose_name_plural = _('Rewrite Rules')

passbook/app_gw/proxy/exceptions.py

@@ -0,0 +1,8 @@
+"""Exception classes"""
+
+class ReverseProxyException(Exception):
+    """Base for revproxy exception"""
+
+
+class InvalidUpstream(ReverseProxyException):
+    """Invalid upstream set"""

passbook/app_gw/proxy/response.py

@@ -0,0 +1,63 @@
+"""response functions from django-revproxy"""
+import logging
+
+from django.http import HttpResponse, StreamingHttpResponse
+
+from passbook.app_gw.proxy.utils import (cookie_from_string,
+                                         set_response_headers, should_stream)
+
+#: Default number of bytes that are going to be read in a file lecture
+DEFAULT_AMT = 2 ** 16
+
+logger = logging.getLogger('revproxy.response')
+
+
+def get_django_response(proxy_response, strict_cookies=False):
+    """This method is used to create an appropriate response based on the
+    Content-Length of the proxy_response. If the content is bigger than
+    MIN_STREAMING_LENGTH, which is found on utils.py,
+    than django.http.StreamingHttpResponse will be created,
+    else a django.http.HTTPResponse will be created instead
+
+    :param proxy_response: An Instance of urllib3.response.HTTPResponse that
+                           will create an appropriate response
+    :param strict_cookies: Whether to only accept RFC-compliant cookies
+    :returns: Returns an appropriate response based on the proxy_response
+              content-length
+    """
+    status = proxy_response.status
+    headers = proxy_response.headers
+
+    logger.debug('Proxy response headers: %s', headers)
+
+    content_type = headers.get('Content-Type')
+
+    logger.debug('Content-Type: %s', content_type)
+
+    if should_stream(proxy_response):
+        logger.info('Content-Length is bigger than %s', DEFAULT_AMT)
+        response = StreamingHttpResponse(proxy_response.stream(DEFAULT_AMT),
+                                         status=status,
+                                         content_type=content_type)
+    else:
+        content = proxy_response.data or b''
+        response = HttpResponse(content, status=status,
+                                content_type=content_type)
+
+    logger.info('Normalizing response headers')
+    set_response_headers(response, headers)
+
+    logger.debug('Response headers: %s', getattr(response, '_headers'))
+
+    cookies = proxy_response.headers.getlist('set-cookie')
+    logger.info('Checking for invalid cookies')
+    for cookie_string in cookies:
+        cookie_dict = cookie_from_string(cookie_string,
+                                         strict_cookies=strict_cookies)
+        # if cookie is invalid cookie_dict will be None
+        if cookie_dict:
+            response.set_cookie(**cookie_dict)
+
+    logger.debug('Response cookies: %s', response.cookies)
+
+    return response

passbook/app_gw/proxy/utils.py

@@ -0,0 +1,227 @@
+"""Utils from django-revproxy, slightly adjusted"""
+import logging
+import re
+from wsgiref.util import is_hop_by_hop
+
+try:
+    from http.cookies import SimpleCookie
+    COOKIE_PREFIX = ''
+except ImportError:
+    from Cookie import SimpleCookie
+    COOKIE_PREFIX = 'Set-Cookie: '
+
+
+#: List containing string constant that are used to represent headers that can
+#: be ignored in the required_header function
+IGNORE_HEADERS = (
+    'HTTP_ACCEPT_ENCODING',  # We want content to be uncompressed so
+                             # we remove the Accept-Encoding from
+                             # original request
+    'HTTP_HOST',
+    'HTTP_REMOTE_USER',
+)
+
+
+# Default from HTTP RFC 2616
+#   See: http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.7.1
+#: Variable that represent the default charset used
+DEFAULT_CHARSET = 'latin-1'
+
+#: List containing string constants that represents possible html content type
+HTML_CONTENT_TYPES = (
+    'text/html',
+    'application/xhtml+xml'
+)
+
+#: Variable used to represent a minimal content size required for response
+#: to be turned into stream
+MIN_STREAMING_LENGTH = 4 * 1024  # 4KB
+
+#: Regex used to find charset in a html content type
+_get_charset_re = re.compile(r';\s*charset=(?P<charset>[^\s;]+)', re.I)
+
+
+def is_html_content_type(content_type):
+    """Function used to verify if the parameter is a proper html content type
+
+    :param content_type: String variable that represent a content-type
+    :returns:  A boolean value stating if the content_type is a valid html
+               content type
+    """
+    for html_content_type in HTML_CONTENT_TYPES:
+        if content_type.startswith(html_content_type):
+            return True
+
+    return False
+
+
+def should_stream(proxy_response):
+    """Function to verify if the proxy_response must be converted into
+    a stream.This will be done by checking the proxy_response content-length
+    and verify if its length is bigger than one stipulated
+    by MIN_STREAMING_LENGTH.
+
+    :param proxy_response: An Instance of urllib3.response.HTTPResponse
+    :returns: A boolean stating if the proxy_response should
+              be treated as a stream
+    """
+    content_type = proxy_response.headers.get('Content-Type')
+
+    if is_html_content_type(content_type):
+        return False
+
+    try:
+        content_length = int(proxy_response.headers.get('Content-Length', 0))
+    except ValueError:
+        content_length = 0
+
+    if not content_length or content_length > MIN_STREAMING_LENGTH:
+        return True
+
+    return False
+
+
+def get_charset(content_type):
+    """Function used to retrieve the charset from a content-type.If there is no
+    charset in the content type then the charset defined on DEFAULT_CHARSET
+    will be returned
+
+    :param  content_type:   A string containing a Content-Type header
+    :returns:               A string containing the charset
+    """
+    if not content_type:
+        return DEFAULT_CHARSET
+
+    matched = _get_charset_re.search(content_type)
+    if matched:
+        # Extract the charset and strip its double quotes
+        return matched.group('charset').replace('"', '')
+    return DEFAULT_CHARSET
+
+
+def required_header(header):
+    """Function that verify if the header parameter is a essential header
+
+    :param header:  A string represented a header
+    :returns:       A boolean value that represent if the header is required
+    """
+    if header in IGNORE_HEADERS:
+        return False
+
+    if header.startswith('HTTP_') or header == 'CONTENT_TYPE':
+        return True
+
+    return False
+
+
+def set_response_headers(response, response_headers):
+    """Set response's header"""
+    for header, value in response_headers.items():
+        if is_hop_by_hop(header) or header.lower() == 'set-cookie':
+            continue
+
+        response[header.title()] = value
+
+    logger.debug('Response headers: %s', getattr(response, '_headers'))
+
+
+def normalize_request_headers(request):
+    """Function used to transform header, replacing 'HTTP\\_' to ''
+    and replace '_' to '-'
+
+    :param request:  A HttpRequest that will be transformed
+    :returns:        A dictionary with the normalized headers
+    """
+    norm_headers = {}
+    for header, value in request.META.items():
+        if required_header(header):
+            norm_header = header.replace('HTTP_', '').title().replace('_', '-')
+            norm_headers[norm_header] = value
+
+    return norm_headers
+
+
+def encode_items(items):
+    """Function that encode all elements in the list of items passed as
+    a parameter
+
+    :param items:  A list of tuple
+    :returns:      A list of tuple with all items encoded in 'utf-8'
+    """
+    encoded = []
+    for key, values in items:
+        for value in values:
+            encoded.append((key.encode('utf-8'), value.encode('utf-8')))
+    return encoded
+
+
+logger = logging.getLogger('revproxy.cookies')
+
+
+def cookie_from_string(cookie_string, strict_cookies=False):
+    """Parser for HTTP header set-cookie
+    The return from this function will be used as parameters for
+    django's response.set_cookie method. Because set_cookie doesn't
+    have parameter comment, this cookie attribute will be ignored.
+
+    :param  cookie_string: A string representing a valid cookie
+    :param  strict_cookies: Whether to only accept RFC-compliant cookies
+    :returns: A dictionary containing the cookie_string attributes
+    """
+
+    if strict_cookies:
+
+        cookies = SimpleCookie(COOKIE_PREFIX + cookie_string)
+        if not cookies.keys():
+            return None
+        cookie_name, = cookies.keys()
+        cookie_dict = {k: v for k, v in cookies[cookie_name].items()
+                       if v and k != 'comment'}
+        cookie_dict['key'] = cookie_name
+        cookie_dict['value'] = cookies[cookie_name].value
+        return cookie_dict
+    valid_attrs = ('path', 'domain', 'comment', 'expires',
+                   'max_age', 'httponly', 'secure')
+
+    cookie_dict = {}
+
+    cookie_parts = cookie_string.split(';')
+    try:
+        cookie_dict['key'], cookie_dict['value'] = \
+            cookie_parts[0].split('=', 1)
+        cookie_dict['value'] = cookie_dict['value'].replace('"', '')
+        # print('aaaaaaaaaaaaaaaaaaaaaaaaaaaa')
+        # print(cookie_parts[0].split('=', 1))
+    except ValueError:
+        logger.warning('Invalid cookie: `%s`', cookie_string)
+        return None
+
+    if cookie_dict['value'].startswith('='):
+        logger.warning('Invalid cookie: `%s`', cookie_string)
+        return None
+
+    for part in cookie_parts[1:]:
+        if '=' in part:
+            attr, value = part.split('=', 1)
+            value = value.strip()
+        else:
+            attr = part
+            value = ''
+
+        attr = attr.strip().lower()
+        if not attr:
+            continue
+
+        if attr in valid_attrs:
+            if attr in ('httponly', 'secure'):
+                cookie_dict[attr] = True
+            elif attr in 'comment':
+                # ignoring comment attr as explained in the
+                # function docstring
+                continue
+            else:
+                cookie_dict[attr] = value
+        else:
+            logger.warning('Unknown cookie attribute %s', attr)
+
+        return cookie_dict

passbook/app_gw/requirements.txt

@@ -0,0 +1,7 @@
+django-revproxy
+urllib3[secure]
+channels
+service_identity
+websocket-client
+daphne<2.3.0
+asgiref~=2.3

passbook/app_gw/rewrite.py

@@ -0,0 +1,38 @@
+"""passbook app_gw rewriter"""
+
+from passbook.app_gw.models import RewriteRule
+
+
+class Context:
+    """Empty class which we dynamically add attributes to"""
+
+class Rewriter:
+    """Apply rewrites"""
+
+    __application = None
+    __request = None
+
+    def __init__(self, application, request):
+        self.__application = application
+        self.__request = request
+
+    def __build_context(self, matches):
+        """Build object with .0, .1, etc as groups and give access to request"""
+        context = Context()
+        for index, group_match in enumerate(matches.groups()):
+            setattr(context, "g%d" % (index + 1), group_match)
+        setattr(context, 'request', self.__request)
+        return context
+
+    def build(self):
+        """Run all rules over path and return final path"""
+        path = self.__request.get_full_path()
+        for rule in RewriteRule.objects.filter(provider__in=[self.__application]):
+            matches = rule.compiled_matcher.search(path)
+            if not matches:
+                continue
+            replace_context = self.__build_context(matches)
+            path = rule.replacement.format(context=replace_context)
+            if rule.halt:
+                return path
+        return path

passbook/app_gw/settings.py

@@ -0,0 +1,5 @@
+"""Application Security Gateway settings"""
+INSTALLED_APPS = [
+    'channels'
+]
+ASGI_APPLICATION = "passbook.app_gw.websocket.routing.application"

passbook/app_gw/signals.py

@@ -0,0 +1,20 @@
+"""passbook app_gw cache clean signals"""
+
+from logging import getLogger
+
+from django.core.cache import cache
+from django.db.models.signals import post_save
+from django.dispatch import receiver
+
+from passbook.app_gw.middleware import IGNORED_HOSTNAMES_KEY
+from passbook.app_gw.models import ApplicationGatewayProvider
+
+LOGGER = getLogger(__name__)
+
+@receiver(post_save)
+# pylint: disable=unused-argument
+def invalidate_app_gw_cache(sender, instance, **kwargs):
+    """Invalidate Policy cache when app_gw is updated"""
+    if isinstance(instance, ApplicationGatewayProvider):
+        LOGGER.debug("Invalidating cache for ignored hostnames")
+        cache.delete(IGNORED_HOSTNAMES_KEY)

passbook/app_gw/urls.py

@@ -0,0 +1,2 @@
+"""passbook app_gw urls"""
+urlpatterns = []

passbook/app_gw/websocket/consumer.py

@@ -0,0 +1,83 @@
+"""websocket proxy consumer"""
+import threading
+from logging import getLogger
+from ssl import CERT_NONE
+
+import websocket
+from channels.generic.websocket import WebsocketConsumer
+
+from passbook.app_gw.models import ApplicationGatewayProvider
+
+LOGGER = getLogger(__name__)
+
+class ProxyConsumer(WebsocketConsumer):
+    """Proxy websocket connection to upstream"""
+
+    _headers_dict = {}
+    _app_gw = None
+    _client = None
+    _thread = None
+
+    def _fix_headers(self, input_dict):
+        """Fix headers from bytestrings to normal strings"""
+        return {
+            key.decode('utf-8'): value.decode('utf-8')
+            for key, value in dict(input_dict).items()
+        }
+
+    def connect(self):
+        """Extract host header, lookup in database and proxy connection"""
+        self._headers_dict = self._fix_headers(dict(self.scope.get('headers')))
+        host = self._headers_dict.pop('host')
+        query_string = self.scope.get('query_string').decode('utf-8')
+        matches = ApplicationGatewayProvider.objects.filter(
+            server_name__contains=[host],
+            enabled=True)
+        if matches.exists():
+            self._app_gw = matches.first()
+            # TODO: Get upstream that starts with wss or
+            upstream = self._app_gw.upstream[0].replace('http', 'ws') + self.scope.get('path')
+            if query_string:
+                upstream += '?' + query_string
+            sslopt = {}
+            if not self._app_gw.upstream_ssl_verification:
+                sslopt = {"cert_reqs": CERT_NONE}
+            self._client = websocket.WebSocketApp(
+                url=upstream,
+                subprotocols=self.scope.get('subprotocols'),
+                header=self._headers_dict,
+                on_message=self._client_on_message_handler(),
+                on_error=self._client_on_error_handler(),
+                on_close=self._client_on_close_handler(),
+                on_open=self._client_on_open_handler())
+            LOGGER.debug("Accepting connection for %s", host)
+            self._thread = threading.Thread(target=lambda: self._client.run_forever(sslopt=sslopt))
+            self._thread.start()
+
+    def _client_on_open_handler(self):
+        return lambda ws: self.accept(self._client.sock.handshake_response.subprotocol)
+
+    def _client_on_message_handler(self):
+        # pylint: disable=unused-argument,invalid-name
+        def message_handler(ws, message):
+            if isinstance(message, str):
+                self.send(text_data=message)
+            else:
+                self.send(bytes_data=message)
+        return message_handler
+
+    def _client_on_error_handler(self):
+        return lambda ws, error: print(error)
+
+    def _client_on_close_handler(self):
+        return lambda ws: self.disconnect(0)
+
+    def disconnect(self, code):
+        self._client.close()
+
+    def receive(self, text_data=None, bytes_data=None):
+        if text_data:
+            opcode = websocket.ABNF.OPCODE_TEXT
+        if bytes_data:
+            opcode = websocket.ABNF.OPCODE_BINARY
+        self._client.send(text_data or bytes_data, opcode)

passbook/app_gw/websocket/routing.py

@@ -0,0 +1,17 @@
+"""app_gw websocket proxy"""
+from channels.auth import AuthMiddlewareStack
+from channels.routing import ProtocolTypeRouter, URLRouter
+from django.conf.urls import url
+
+from passbook.app_gw.websocket.consumer import ProxyConsumer
+
+websocket_urlpatterns = [
+    url(r'^(.*)$', ProxyConsumer),
+]
+
+application = ProtocolTypeRouter({
+    # (http->django views is added by default)
+    'websocket': AuthMiddlewareStack(
+        URLRouter(websocket_urlpatterns)
+    ),
+})

passbook/audit/__init__.py

@@ -1,2 +1,2 @@
 """passbook audit Header"""
-__version__ = '0.1.14-beta'
+__version__ = '0.1.30-beta'

passbook/captcha_factor/__init__.py

@@ -1,2 +1,2 @@
 """passbook captcha_factor Header"""
-__version__ = '0.1.14-beta'
+__version__ = '0.1.30-beta'

passbook/core/__init__.py

@@ -1,2 +1,2 @@
 """passbook core"""
-__version__ = '0.1.14-beta'
+__version__ = '0.1.30-beta'

passbook/core/asgi.py

@@ -0,0 +1,13 @@
+"""
+ASGI entrypoint. Configures Django and then runs the application
+defined in the ASGI_APPLICATION setting.
+"""
+
+import os
+
+import django
+from channels.routing import get_default_application
+
+os.environ.setdefault("DJANGO_SETTINGS_MODULE", "passbook.core.settings")
+django.setup()
+application = get_default_application()

passbook/core/celery.py

@@ -3,10 +3,8 @@
 import logging
 import os
 
-import celery
+from celery import Celery, signals
 from django.conf import settings
-from raven import Client
-from raven.contrib.celery import register_logger_signal, register_signal
 
 # set the default Django settings module for the 'celery' program.
 os.environ.setdefault("DJANGO_SETTINGS_MODULE", "passbook.core.settings")
@@ -14,31 +12,18 @@ os.environ.setdefault("DJANGO_SETTINGS_MODULE", "passbook.core.settings")
 LOGGER = logging.getLogger(__name__)
 
 
-class Celery(celery.Celery):
-    """Custom Celery class with Raven configured"""
-
-    # pylint: disable=method-hidden
-    def on_configure(self):
-        """Update raven client"""
-        try:
-            client = Client(settings.RAVEN_CONFIG.get('dsn'))
-            # register a custom filter to filter out duplicate logs
-            register_logger_signal(client)
-            # hook into the Celery error handler
-            register_signal(client)
-        except RecursionError:  # This error happens when pdoc is running
-            pass
+CELERY_APP = Celery('passbook')
 
 
 # pylint: disable=unused-argument
-@celery.signals.setup_logging.connect
+@signals.setup_logging.connect
 def config_loggers(*args, **kwags):
     """Apply logging settings from settings.py to celery"""
     logging.config.dictConfig(settings.LOGGING)
 
 
 # pylint: disable=unused-argument
-@celery.signals.after_task_publish.connect
+@signals.after_task_publish.connect
 def after_task_publish(sender=None, headers=None, body=None, **kwargs):
     """Log task_id after it was published"""
     info = headers if 'task' in headers else body
@@ -46,22 +31,20 @@ def after_task_publish(sender=None, headers=None, body=None, **kwargs):
 
 
 # pylint: disable=unused-argument
-@celery.signals.task_prerun.connect
+@signals.task_prerun.connect
 def task_prerun(task_id, task, *args, **kwargs):
     """Log task_id on worker"""
     LOGGER.debug('%-40s started (name=%s)', task_id, task.__name__)
 
 
 # pylint: disable=unused-argument
-@celery.signals.task_postrun.connect
+@signals.task_postrun.connect
 def task_postrun(task_id, task, *args, retval=None, state=None, **kwargs):
     """Log task_id on worker"""
     LOGGER.debug('%-40s finished (name=%s, state=%s)',
                  task_id, task.__name__, state)
 
 
-CELERY_APP = Celery('passbook')
-
 # Using a string here means the worker doesn't have to serialize
 # the configuration object to child processes.
 # - namespace='CELERY' means all celery-related configuration keys

passbook/core/forms/policies.py

@@ -7,7 +7,7 @@ from passbook.core.models import (DebugPolicy, FieldMatcherPolicy,
                                   GroupMembershipPolicy, PasswordPolicy,
                                   WebhookPolicy)
 
-GENERAL_FIELDS = ['name', 'action', 'negate', 'order', ]
+GENERAL_FIELDS = ['name', 'action', 'negate', 'order', 'timeout']
 
 class FieldMatcherPolicyForm(forms.ModelForm):
     """FieldMatcherPolicy Form"""

passbook/core/management/commands/web.py

@@ -2,11 +2,11 @@
 
 from logging import getLogger
 
-import cherrypy
-from django.conf import settings
+from daphne.cli import CommandLineInterface
 from django.core.management.base import BaseCommand
+from django.utils import autoreload
 
-from passbook.core.wsgi import application
+from passbook.lib.config import CONFIG
 
 LOGGER = getLogger(__name__)
 
@@ -15,20 +15,15 @@ class Command(BaseCommand):
     """Run CherryPy webserver"""
 
     def handle(self, *args, **options):
-        """passbook cherrypy server"""
-        config = settings.CHERRYPY_SERVER
-        config.update(**options)
-        cherrypy.config.update(config)
-        cherrypy.tree.graft(application, '/')
-        # Mount NullObject to serve static files
-        cherrypy.tree.mount(None, '/static', config={
-            '/': {
-                'tools.staticdir.on': True,
-                'tools.staticdir.dir': settings.STATIC_ROOT,
-                'tools.expires.on': True,
-                'tools.expires.secs': 86400,
-                'tools.gzip.on': True,
-            }
-        })
-        cherrypy.engine.start()
-        cherrypy.engine.block()
+        """passbook daphne server"""
+        autoreload.run_with_reloader(self.daphne_server)
+
+    def daphne_server(self):
+        """Run daphne server within autoreload"""
+        autoreload.raise_last_exception()
+        CommandLineInterface().run([
+            '-p', str(CONFIG.y('web.port', 8000)),
+            '-b', CONFIG.y('web.listen', '0.0.0.0'),  # nosec
+            '--access-log', '/dev/null',
+            'passbook.core.asgi:application'
+        ])

passbook/core/management/commands/worker.py

@@ -3,6 +3,7 @@
 from logging import getLogger
 
 from django.core.management.base import BaseCommand
+from django.utils import autoreload
 
 from passbook.core.celery import CELERY_APP
 
@@ -14,4 +15,9 @@ class Command(BaseCommand):
 
     def handle(self, *args, **options):
         """celery worker"""
-        CELERY_APP.worker_main(['worker', '--autoscale=10,3', '-E'])
+        autoreload.run_with_reloader(self.celery_worker)
+
+    def celery_worker(self):
+        """Run celery worker within autoreload"""
+        autoreload.raise_last_exception()
+        CELERY_APP.worker_main(['worker', '--autoscale=10,3', '-E', '-B'])

passbook/core/migrations/0021_policy_timeout.py

@@ -0,0 +1,18 @@
+# Generated by Django 2.1.7 on 2019-03-21 12:03
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('passbook_core', '0020_groupmembershippolicy'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='policy',
+            name='timeout',
+            field=models.IntegerField(default=30),
+        ),
+    ]

passbook/core/migrations/0022_nonce_expiring.py

@@ -0,0 +1,18 @@
+# Generated by Django 2.1.7 on 2019-04-04 19:42
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('passbook_core', '0021_policy_timeout'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='nonce',
+            name='expiring',
+            field=models.BooleanField(default=True),
+        ),
+    ]

passbook/core/models.py

@@ -152,11 +152,6 @@ class Application(PolicyModel):
 
     objects = InheritanceManager()
 
-    def user_is_authorized(self, user: User) -> bool:
-        """Check if user is authorized to use this application"""
-        from passbook.core.policies import PolicyEngine
-        return PolicyEngine(self.policies.all()).for_user(user).build().result
-
     def get_provider(self):
         """Get casted provider instance"""
         if not self.provider:
@@ -191,6 +186,12 @@ class Source(PolicyModel):
         """Return additional Info, such as a callback URL. Show in the administration interface."""
         return None
 
+    def has_user_settings(self):
+        """Entrypoint to integrate with User settings. Can either return False if no
+        user settings are available, or a tuple or string, string, string where the first string
+        is the name the item has, the second string is the icon and the third is the view-name."""
+        return False
+
     def __str__(self):
         return self.name
 
@@ -219,6 +220,7 @@ class Policy(UUIDModel, CreatedUpdatedModel):
     action = models.CharField(max_length=20, choices=ACTIONS)
     negate = models.BooleanField(default=False)
     order = models.IntegerField(default=0)
+    timeout = models.IntegerField(default=30)
 
     objects = InheritanceManager()
 
@@ -435,6 +437,7 @@ class Nonce(UUIDModel):
 
     expires = models.DateTimeField(default=default_nonce_duration)
     user = models.ForeignKey('User', on_delete=models.CASCADE)
+    expiring = models.BooleanField(default=True)
 
     def __str__(self):
         return "Nonce %s (expires=%s)" % (self.uuid.hex, self.expires)

passbook/core/policies.py

@@ -1,7 +1,10 @@
 """passbook core policy engine"""
 from logging import getLogger
 
+from amqp.exceptions import UnexpectedFrame
 from celery import group
+from celery.exceptions import TimeoutError as CeleryTimeoutError
+from django.core.cache import cache
 from ipware import get_client_ip
 
 from passbook.core.celery import CELERY_APP
@@ -9,6 +12,9 @@ from passbook.core.models import Policy, User
 
 LOGGER = getLogger(__name__)
 
+def _cache_key(policy, user):
+    return "%s#%s" % (policy.uuid, user.pk)
+
 @CELERY_APP.task()
 def _policy_engine_task(user_pk, policy_pk, **kwargs):
     """Task wrapper to run policy checking"""
@@ -29,58 +35,89 @@ def _policy_engine_task(user_pk, policy_pk, **kwargs):
     if policy_obj.negate:
         policy_result = not policy_result
     LOGGER.debug("Policy %r#%s got %s", policy_obj.name, policy_obj.pk.hex, policy_result)
+    cache_key = _cache_key(policy_obj, user_obj)
+    cache.set(cache_key, (policy_obj.action, policy_result, message))
+    LOGGER.debug("Cached entry as %s", cache_key)
     return policy_obj.action, policy_result, message
 
 class PolicyEngine:
     """Orchestrate policy checking, launch tasks and return result"""
 
+    __group = None
+    __cached = None
+
     policies = None
-    _group = None
-    _request = None
-    _user = None
+    __get_timeout = 0
+    __request = None
+    __user = None
 
     def __init__(self, policies):
         self.policies = policies
-        self._request = None
-        self._user = None
+        self.__request = None
+        self.__user = None
 
     def for_user(self, user):
         """Check policies for user"""
-        self._user = user
+        self.__user = user
         return self
 
     def with_request(self, request):
         """Set request"""
-        self._request = request
+        self.__request = request
         return self
 
     def build(self):
         """Build task group"""
-        if not self._user:
+        if not self.__user:
             raise ValueError("User not set.")
         signatures = []
+        cached_policies = []
         kwargs = {
-            '__password__': getattr(self._user, '__password__', None),
+            '__password__': getattr(self.__user, '__password__', None),
         }
-        if self._request:
-            kwargs['remote_ip'], _ = get_client_ip(self._request)
+        if self.__request:
+            kwargs['remote_ip'], _ = get_client_ip(self.__request)
             if not kwargs['remote_ip']:
                 kwargs['remote_ip'] = '255.255.255.255'
         for policy in self.policies:
-            signatures.append(_policy_engine_task.s(self._user.pk, policy.pk.hex, **kwargs))
-        self._group = group(signatures)()
+            cached_policy = cache.get(_cache_key(policy, self.__user), None)
+            if cached_policy:
+                LOGGER.debug("Taking result from cache for %s", policy.pk.hex)
+                cached_policies.append(cached_policy)
+            else:
+                LOGGER.debug("Evaluating policy %s", policy.pk.hex)
+                signatures.append(_policy_engine_task.signature(
+                    args=(self.__user.pk, policy.pk.hex),
+                    kwargs=kwargs,
+                    time_limit=policy.timeout))
+                self.__get_timeout += policy.timeout
+        LOGGER.debug("Set total policy timeout to %r", self.__get_timeout)
+        # If all policies are cached, we have an empty list here.
+        if signatures:
+            self.__group = group(signatures)()
+            self.__get_timeout += 3
+            self.__get_timeout = (self.__get_timeout / len(self.policies)) * 1.5
+        self.__cached = cached_policies
         return self
 
     @property
     def result(self):
         """Get policy-checking result"""
         messages = []
+        result = []
         try:
-            # ValueError can be thrown from _policy_engine_task when user is None
-            group_result = self._group.get()
+            if self.__group:
+                # ValueError can be thrown from _policy_engine_task when user is None
+                result += self.__group.get(timeout=self.__get_timeout)
+            result += self.__cached
         except ValueError as exc:
-            return False, str(exc)
-        for policy_action, policy_result, policy_message in group_result:
+            # ValueError can be thrown from _policy_engine_task when user is None
+            return False, [str(exc)]
+        except UnexpectedFrame as exc:
+            return False, [str(exc)]
+        except CeleryTimeoutError as exc:
+            return False, [str(exc)]
+        for policy_action, policy_result, policy_message in result:
             passing = (policy_action == Policy.ACTION_ALLOW and policy_result) or \
                       (policy_action == Policy.ACTION_DENY and not policy_result)
             LOGGER.debug('Action=%s, Result=%r => %r', policy_action, policy_result, passing)

passbook/core/requirements.txt

@@ -1,13 +1,14 @@
-django>=2.0
-django-model-utils
-django-ipware
-djangorestframework
-PyYAML
-raven
-markdown
-colorlog
 celery
-redis
-psycopg2
+colorlog
+django-ipware
+django-model-utils
+django-redis
+django>=2.0
+djangorestframework
 idna<2.8,>=2.5
-cherrypy
+markdown
+psycopg2
+PyYAML
+sentry-sdk
+pip
+whitenoise

passbook/core/settings.py

@@ -11,10 +11,16 @@ https://docs.djangoproject.com/en/2.1/ref/settings/
 """
 
 import importlib
+import logging
 import os
 import sys
 
+from celery.schedules import crontab
 from django.contrib import messages
+from sentry_sdk import init as sentry_init
+from sentry_sdk.integrations.celery import CeleryIntegration
+from sentry_sdk.integrations.django import DjangoIntegration
+from sentry_sdk.integrations.logging import LoggingIntegration
 
 from passbook import __version__
 from passbook.lib.config import CONFIG
@@ -34,7 +40,9 @@ SECRET_KEY = CONFIG.get('secret_key')
 # SECURITY WARNING: don't run with debug turned on in production!
 DEBUG = CONFIG.get('debug')
 INTERNAL_IPS = ['127.0.0.1']
-ALLOWED_HOSTS = CONFIG.get('domains', [])
+# ALLOWED_HOSTS = CONFIG.get('domains', []) + [CONFIG.get('primary_domain')]
+ALLOWED_HOSTS = ['*']
+SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
 
 LOGIN_URL = 'passbook_core:auth-login'
 # CSRF_FAILURE_VIEW = 'passbook.core.views.errors.CSRFErrorView.as_view'
@@ -44,6 +52,9 @@ AUTH_USER_MODEL = 'passbook_core.User'
 
 CSRF_COOKIE_NAME = 'passbook_csrf'
 SESSION_COOKIE_NAME = 'passbook_session'
+SESSION_COOKIE_DOMAIN = CONFIG.get('primary_domain')
+SESSION_ENGINE = "django.contrib.sessions.backends.cache"
+SESSION_CACHE_ALIAS = "default"
 LANGUAGE_COOKIE_NAME = 'passbook_language'
 
 AUTHENTICATION_BACKENDS = [
@@ -62,7 +73,6 @@ INSTALLED_APPS = [
     'django.contrib.postgres',
     'rest_framework',
     'drf_yasg',
-    'raven.contrib.django.raven_compat',
     'passbook.core.apps.PassbookCoreConfig',
     'passbook.admin.apps.PassbookAdminConfig',
     'passbook.api.apps.PassbookAPIConfig',
@@ -78,6 +88,7 @@ INSTALLED_APPS = [
     'passbook.pretend.apps.PassbookPretendConfig',
     'passbook.password_expiry_policy.apps.PassbookPasswordExpiryPolicyConfig',
     'passbook.suspicious_policy.apps.PassbookSuspiciousPolicyConfig',
+    'passbook.app_gw.apps.PassbookApplicationApplicationGatewayConfig',
 ]
 
 # Message Tag fix for bootstrap CSS Classes
@@ -98,15 +109,26 @@ REST_FRAMEWORK = {
     ]
 }
 
+CACHES = {
+    "default": {
+        "BACKEND": "django_redis.cache.RedisCache",
+        "LOCATION": "redis://%s" % CONFIG.get('redis'),
+        "OPTIONS": {
+            "CLIENT_CLASS": "django_redis.client.DefaultClient",
+        }
+    }
+}
+
 MIDDLEWARE = [
-    'django.middleware.security.SecurityMiddleware',
     'django.contrib.sessions.middleware.SessionMiddleware',
+    'whitenoise.middleware.WhiteNoiseMiddleware',
+    'django.contrib.auth.middleware.AuthenticationMiddleware',
+    'passbook.app_gw.middleware.ApplicationGatewayMiddleware',
+    'django.middleware.security.SecurityMiddleware',
     'django.middleware.common.CommonMiddleware',
     'django.middleware.csrf.CsrfViewMiddleware',
-    'django.contrib.auth.middleware.AuthenticationMiddleware',
     'django.contrib.messages.middleware.MessageMiddleware',
     'django.middleware.clickjacking.XFrameOptionsMiddleware',
-    'raven.contrib.django.raven_compat.middleware.SentryResponseErrorIdMiddleware',
 ]
 
 ROOT_URLCONF = 'passbook.core.urls'
@@ -184,34 +206,38 @@ CELERY_TIMEZONE = TIME_ZONE
 CELERY_BEAT_SCHEDULE = {}
 CELERY_CREATE_MISSING_QUEUES = True
 CELERY_TASK_DEFAULT_QUEUE = 'passbook'
-CELERY_BROKER_URL = 'redis://%s' % CONFIG.get('redis')
-CELERY_RESULT_BACKEND = 'redis://%s' % CONFIG.get('redis')
-
-# Raven settings
-RAVEN_CONFIG = {
-    'dsn': ('https://55b5dd780bc14f4c96bba69b7a9abbcc:449af483bd0745'
-            '0d83be640d834e5458@sentry.services.beryju.org/8'),
-    'release': VERSION,
-    'environment': 'dev' if DEBUG else 'production',
+CELERY_BROKER_URL = 'amqp://%s' % CONFIG.get('rabbitmq')
+CELERY_RESULT_BACKEND = 'rpc://'
+CELERY_ACKS_LATE = True
+CELERY_BROKER_HEARTBEAT = 0
+CELERY_BEAT_SCHEDULE = {
+    'cleanup-expired-nonces': {
+        'task': 'passbook.core.tasks.clean_nonces',
+        'schedule': crontab(hour=1, minute=1)
+    }
 }
 
-# CherryPY settings
-with CONFIG.cd('web'):
-    CHERRYPY_SERVER = {
-        'server.socket_host': CONFIG.get('listen', '0.0.0.0'),  # nosec
-        'server.socket_port': CONFIG.get('port', 8000),
-        'server.thread_pool': CONFIG.get('threads', 30),
-        'log.screen': False,
-        'log.access_file': '',
-        'log.error_file': '',
-    }
+sentry_init(
+    dsn=("https://55b5dd780bc14f4c96bba69b7a9abbcc:449af483bd0745"
+         "0d83be640d834e5458@sentry.services.beryju.org/8"),
+    integrations=[
+        DjangoIntegration(),
+        CeleryIntegration(),
+        LoggingIntegration(
+            level=logging.INFO,
+            event_level=logging.ERROR
+        )
+    ],
+    send_default_pii=True
+)
 
 # Static files (CSS, JavaScript, Images)
 # https://docs.djangoproject.com/en/2.1/howto/static-files/
 
 STATIC_URL = '/static/'
+STATICFILES_STORAGE = 'whitenoise.storage.CompressedManifestStaticFilesStorage'
 
-LOG_HANDLERS = ['console', 'syslog', 'file', 'sentry']
+LOG_HANDLERS = ['console', 'syslog', 'file']
 
 with CONFIG.cd('log'):
     LOGGING = {
@@ -242,10 +268,6 @@ with CONFIG.cd('log'):
                 'class': 'logging.StreamHandler',
                 'formatter': 'color',
             },
-            'sentry': {
-                'level': 'ERROR',
-                'class': 'raven.contrib.django.raven_compat.handlers.SentryHandler',
-            },
             'syslog': {
                 'level': CONFIG.get('level').get('file'),
                 'class': 'logging.handlers.SysLogHandler',
@@ -291,6 +313,11 @@ with CONFIG.cd('log'):
                 'level': 'DEBUG',
                 'propagate': True,
             },
+            'daphne': {
+                'handlers': LOG_HANDLERS,
+                'level': 'DEBUG',
+                'propagate': True,
+            }
         }
     }
 

passbook/core/signals.py

@@ -1,10 +1,15 @@
 """passbook core signals"""
+from logging import getLogger
 
+from django.core.cache import cache
 from django.core.signals import Signal
+from django.db.models.signals import post_save
 from django.dispatch import receiver
 
 from passbook.core.exceptions import PasswordPolicyInvalid
 
+LOGGER = getLogger(__name__)
+
 user_signed_up = Signal(providing_args=['request', 'user'])
 invitation_created = Signal(providing_args=['request', 'invitation'])
 invitation_used = Signal(providing_args=['request', 'invitation', 'user'])
@@ -24,3 +29,14 @@ def password_policy_checker(sender, password, **kwargs):
         passing, messages = policy_engine.result
         if not passing:
             raise PasswordPolicyInvalid(*messages)
+
+@receiver(post_save)
+# pylint: disable=unused-argument
+def invalidate_policy_cache(sender, instance, **kwargs):
+    """Invalidate Policy cache when policy is updated"""
+    from passbook.core.models import Policy
+    if isinstance(instance, Policy):
+        LOGGER.debug("Invalidating cache for %s", instance.pk)
+        keys = cache.keys("%s#*" % instance.pk)
+        cache.delete_many(keys)
+        LOGGER.debug("Deleted %d keys", len(keys))

passbook/core/static/css/passbook.css

@@ -195,3 +195,7 @@ form .form-row p.datetime {
 .selector-remove {
     background: url(../admin/img/selector-icons.svg) 0 -64px no-repeat;
 }
+
+input[data-is-monospace] {
+    font-family: monospace;
+}

passbook/core/static/img/brand.svg

@@ -1,2 +1,2 @@
 <svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
-  width="270px" height="10px" viewBox="0 0 270 10" enable-background="new 0 0 270 10" xml:space="preserve"><defs><style>.cls-1{isolation:isolate;}.cls-2{fill:#fff;}</style></defs><g class="cls-1"><path class="cls-2" d="M1.65,11V2.45H2.87V3a2.81,2.81,0,0,1,.47-.45A1.13,1.13,0,0,1,4,2.38,1.11,1.11,0,0,1,5.1,3a1.55,1.55,0,0,1,.16.5,5.61,5.61,0,0,1,0,.81V6.58c0,.45,0,.77,0,1a1.17,1.17,0,0,1-.55.9,1.23,1.23,0,0,1-.7.16,1.35,1.35,0,0,1-.64-.16A1.53,1.53,0,0,1,2.89,8h0v3ZM4.08,4.43a1.21,1.21,0,0,0-.14-.6.51.51,0,0,0-.46-.22A.54.54,0,0,0,3,3.82a.8.8,0,0,0-.17.54V6.73A.68.68,0,0,0,3,7.2a.6.6,0,0,0,.44.18A.53.53,0,0,0,4,7.17a1,1,0,0,0,.12-.5Z"/><path class="cls-2" d="M8.63,8.54V7.91h0a2.24,2.24,0,0,1-.48.52,1.13,1.13,0,0,1-.69.18A1.39,1.39,0,0,1,7,8.54a1.09,1.09,0,0,1-.43-.24,1.32,1.32,0,0,1-.33-.49A2.33,2.33,0,0,1,6.11,7a4.89,4.89,0,0,1,.08-.91,1.51,1.51,0,0,1,.31-.65,1.44,1.44,0,0,1,.59-.38A3.19,3.19,0,0,1,8,4.93h.59V4.33a1,1,0,0,0-.13-.52A.52.52,0,0,0,8,3.61a.71.71,0,0,0-.44.15.78.78,0,0,0-.26.46H6.13A2,2,0,0,1,6.69,2.9a1.73,1.73,0,0,1,.57-.38A2,2,0,0,1,8,2.38a2.18,2.18,0,0,1,.72.12,1.71,1.71,0,0,1,.59.36,2,2,0,0,1,.38.6,2.18,2.18,0,0,1,.14.84V8.54Zm0-2.62-.34,0a1.2,1.2,0,0,0-.67.18.76.76,0,0,0-.29.68.89.89,0,0,0,.17.56A.55.55,0,0,0,8,7.53a.63.63,0,0,0,.49-.2.91.91,0,0,0,.17-.58Z"/><path class="cls-2" d="M13,4.16a.59.59,0,0,0-.2-.47.65.65,0,0,0-.42-.16.59.59,0,0,0-.45.19.66.66,0,0,0-.15.43.8.8,0,0,0,.08.33.85.85,0,0,0,.44.29l.71.29a1.73,1.73,0,0,1,.95.72,2,2,0,0,1,.26,1,1.85,1.85,0,0,1-.52,1.3,1.56,1.56,0,0,1-.58.39,1.88,1.88,0,0,1-2-.32,1.58,1.58,0,0,1-.4-.57,1.81,1.81,0,0,1-.17-.8h1.15a1.11,1.11,0,0,0,.17.47.56.56,0,0,0,.49.22.71.71,0,0,0,.47-.18A.59.59,0,0,0,13,6.8a.69.69,0,0,0-.13-.43,1.08,1.08,0,0,0-.48-.32l-.59-.21a2.08,2.08,0,0,1-.9-.64,1.66,1.66,0,0,1-.33-1,1.89,1.89,0,0,1,.14-.72,1.78,1.78,0,0,1,.4-.57,1.5,1.5,0,0,1,.56-.36,1.82,1.82,0,0,1,.7-.13,1.93,1.93,0,0,1,.69.13,1.6,1.6,0,0,1,.54.38,1.85,1.85,0,0,1,.36.57,1.82,1.82,0,0,1,.13.7Z"/><path class="cls-2" d="M17.2,4.16a.63.63,0,0,0-.2-.47.69.69,0,0,0-.43-.16.55.55,0,0,0-.44.19.62.62,0,0,0-.16.43.68.68,0,0,0,.09.33.81.81,0,0,0,.43.29l.72.29a1.7,1.7,0,0,1,.94.72,2,2,0,0,1,.26,1,1.85,1.85,0,0,1-.52,1.3,1.61,1.61,0,0,1-.57.39,1.81,1.81,0,0,1-.74.15,1.76,1.76,0,0,1-1.24-.47,1.61,1.61,0,0,1-.41-.57,2,2,0,0,1-.17-.8h1.15a1.12,1.12,0,0,0,.18.47.53.53,0,0,0,.48.22.72.72,0,0,0,.48-.18.59.59,0,0,0,.21-.48.69.69,0,0,0-.14-.43,1,1,0,0,0-.48-.32l-.58-.21a2.06,2.06,0,0,1-.91-.64,1.66,1.66,0,0,1-.33-1A1.89,1.89,0,0,1,15,3.44a1.78,1.78,0,0,1,.4-.57,1.58,1.58,0,0,1,.56-.36,1.82,1.82,0,0,1,.7-.13,1.93,1.93,0,0,1,.69.13,1.75,1.75,0,0,1,.55.38,1.85,1.85,0,0,1,.36.57,2,2,0,0,1,.13.7Z"/><path class="cls-2" d="M19.2,8.54V0h1.22V3h0a1.53,1.53,0,0,1,.48-.47,1.39,1.39,0,0,1,.65-.16,1.26,1.26,0,0,1,.69.16,1.35,1.35,0,0,1,.4.39,1.18,1.18,0,0,1,.15.51,7.72,7.72,0,0,1,0,1V6.73a5.56,5.56,0,0,1-.05.8,1.56,1.56,0,0,1-.15.5,1.12,1.12,0,0,1-1.07.58,1.15,1.15,0,0,1-.7-.18A3.79,3.79,0,0,1,20.42,8v.55Zm2.44-4.21a1,1,0,0,0-.13-.51A.5.5,0,0,0,21,3.61a.57.57,0,0,0-.44.18.66.66,0,0,0-.18.48V6.63a.83.83,0,0,0,.17.54.52.52,0,0,0,.45.21.49.49,0,0,0,.45-.22,1.11,1.11,0,0,0,.15-.6Z"/><path class="cls-2" d="M23.76,4.49a4.83,4.83,0,0,1,0-.68A1.55,1.55,0,0,1,24,3.26a1.59,1.59,0,0,1,.62-.64,1.84,1.84,0,0,1,1-.24,1.87,1.87,0,0,1,1,.24,1.59,1.59,0,0,1,.62.64,1.55,1.55,0,0,1,.18.55,4.83,4.83,0,0,1,.05.68v2a4.72,4.72,0,0,1-.05.68,1.55,1.55,0,0,1-.18.55,1.59,1.59,0,0,1-.62.64,1.87,1.87,0,0,1-1,.24,1.84,1.84,0,0,1-1-.24A1.59,1.59,0,0,1,24,7.73a1.55,1.55,0,0,1-.18-.55,4.72,4.72,0,0,1,0-.68ZM25,6.69a.72.72,0,0,0,.17.52.53.53,0,0,0,.43.17A.55.55,0,0,0,26,7.21a.72.72,0,0,0,.16-.52V4.3A.74.74,0,0,0,26,3.78a.55.55,0,0,0-.44-.17.53.53,0,0,0-.43.17A.74.74,0,0,0,25,4.3Z"/><path class="cls-2" d="M28.2,4.49a4.83,4.83,0,0,1,.05-.68,1.55,1.55,0,0,1,.18-.55,1.59,1.59,0,0,1,.62-.64,1.84,1.84,0,0,1,1-.24,1.87,1.87,0,0,1,1,.24,1.59,1.59,0,0,1,.62.64,1.55,1.55,0,0,1,.18.55,4.83,4.83,0,0,1,.05.68v2a4.72,4.72,0,0,1-.05.68,1.55,1.55,0,0,1-.18.55,1.59,1.59,0,0,1-.62.64,1.87,1.87,0,0,1-1,.24,1.84,1.84,0,0,1-1-.24,1.59,1.59,0,0,1-.62-.64,1.55,1.55,0,0,1-.18-.55,4.72,4.72,0,0,1-.05-.68Zm1.22,2.2a.72.72,0,0,0,.17.52.53.53,0,0,0,.43.17.55.55,0,0,0,.44-.17.72.72,0,0,0,.16-.52V4.3a.74.74,0,0,0-.16-.52A.55.55,0,0,0,30,3.61a.53.53,0,0,0-.43.17.74.74,0,0,0-.17.52Z"/><path class="cls-2" d="M32.75,8.54V0H34V5.11h0l1.47-2.66H36.7L35.24,4.93,37,8.54H35.66l-1.1-2.63L34,6.83V8.54Z"/></g></svg>
+  width="270px" height="20px" viewBox="0 0 270 10" enable-background="new 0 0 270 10" xml:space="preserve"><defs><style>.cls-1{isolation:isolate;}.cls-2{fill:#fff;}</style></defs><g class="cls-1"><path class="cls-2" d="M1.65,11V2.45H2.87V3a2.81,2.81,0,0,1,.47-.45A1.13,1.13,0,0,1,4,2.38,1.11,1.11,0,0,1,5.1,3a1.55,1.55,0,0,1,.16.5,5.61,5.61,0,0,1,0,.81V6.58c0,.45,0,.77,0,1a1.17,1.17,0,0,1-.55.9,1.23,1.23,0,0,1-.7.16,1.35,1.35,0,0,1-.64-.16A1.53,1.53,0,0,1,2.89,8h0v3ZM4.08,4.43a1.21,1.21,0,0,0-.14-.6.51.51,0,0,0-.46-.22A.54.54,0,0,0,3,3.82a.8.8,0,0,0-.17.54V6.73A.68.68,0,0,0,3,7.2a.6.6,0,0,0,.44.18A.53.53,0,0,0,4,7.17a1,1,0,0,0,.12-.5Z"/><path class="cls-2" d="M8.63,8.54V7.91h0a2.24,2.24,0,0,1-.48.52,1.13,1.13,0,0,1-.69.18A1.39,1.39,0,0,1,7,8.54a1.09,1.09,0,0,1-.43-.24,1.32,1.32,0,0,1-.33-.49A2.33,2.33,0,0,1,6.11,7a4.89,4.89,0,0,1,.08-.91,1.51,1.51,0,0,1,.31-.65,1.44,1.44,0,0,1,.59-.38A3.19,3.19,0,0,1,8,4.93h.59V4.33a1,1,0,0,0-.13-.52A.52.52,0,0,0,8,3.61a.71.71,0,0,0-.44.15.78.78,0,0,0-.26.46H6.13A2,2,0,0,1,6.69,2.9a1.73,1.73,0,0,1,.57-.38A2,2,0,0,1,8,2.38a2.18,2.18,0,0,1,.72.12,1.71,1.71,0,0,1,.59.36,2,2,0,0,1,.38.6,2.18,2.18,0,0,1,.14.84V8.54Zm0-2.62-.34,0a1.2,1.2,0,0,0-.67.18.76.76,0,0,0-.29.68.89.89,0,0,0,.17.56A.55.55,0,0,0,8,7.53a.63.63,0,0,0,.49-.2.91.91,0,0,0,.17-.58Z"/><path class="cls-2" d="M13,4.16a.59.59,0,0,0-.2-.47.65.65,0,0,0-.42-.16.59.59,0,0,0-.45.19.66.66,0,0,0-.15.43.8.8,0,0,0,.08.33.85.85,0,0,0,.44.29l.71.29a1.73,1.73,0,0,1,.95.72,2,2,0,0,1,.26,1,1.85,1.85,0,0,1-.52,1.3,1.56,1.56,0,0,1-.58.39,1.88,1.88,0,0,1-2-.32,1.58,1.58,0,0,1-.4-.57,1.81,1.81,0,0,1-.17-.8h1.15a1.11,1.11,0,0,0,.17.47.56.56,0,0,0,.49.22.71.71,0,0,0,.47-.18A.59.59,0,0,0,13,6.8a.69.69,0,0,0-.13-.43,1.08,1.08,0,0,0-.48-.32l-.59-.21a2.08,2.08,0,0,1-.9-.64,1.66,1.66,0,0,1-.33-1,1.89,1.89,0,0,1,.14-.72,1.78,1.78,0,0,1,.4-.57,1.5,1.5,0,0,1,.56-.36,1.82,1.82,0,0,1,.7-.13,1.93,1.93,0,0,1,.69.13,1.6,1.6,0,0,1,.54.38,1.85,1.85,0,0,1,.36.57,1.82,1.82,0,0,1,.13.7Z"/><path class="cls-2" d="M17.2,4.16a.63.63,0,0,0-.2-.47.69.69,0,0,0-.43-.16.55.55,0,0,0-.44.19.62.62,0,0,0-.16.43.68.68,0,0,0,.09.33.81.81,0,0,0,.43.29l.72.29a1.7,1.7,0,0,1,.94.72,2,2,0,0,1,.26,1,1.85,1.85,0,0,1-.52,1.3,1.61,1.61,0,0,1-.57.39,1.81,1.81,0,0,1-.74.15,1.76,1.76,0,0,1-1.24-.47,1.61,1.61,0,0,1-.41-.57,2,2,0,0,1-.17-.8h1.15a1.12,1.12,0,0,0,.18.47.53.53,0,0,0,.48.22.72.72,0,0,0,.48-.18.59.59,0,0,0,.21-.48.69.69,0,0,0-.14-.43,1,1,0,0,0-.48-.32l-.58-.21a2.06,2.06,0,0,1-.91-.64,1.66,1.66,0,0,1-.33-1A1.89,1.89,0,0,1,15,3.44a1.78,1.78,0,0,1,.4-.57,1.58,1.58,0,0,1,.56-.36,1.82,1.82,0,0,1,.7-.13,1.93,1.93,0,0,1,.69.13,1.75,1.75,0,0,1,.55.38,1.85,1.85,0,0,1,.36.57,2,2,0,0,1,.13.7Z"/><path class="cls-2" d="M19.2,8.54V0h1.22V3h0a1.53,1.53,0,0,1,.48-.47,1.39,1.39,0,0,1,.65-.16,1.26,1.26,0,0,1,.69.16,1.35,1.35,0,0,1,.4.39,1.18,1.18,0,0,1,.15.51,7.72,7.72,0,0,1,0,1V6.73a5.56,5.56,0,0,1-.05.8,1.56,1.56,0,0,1-.15.5,1.12,1.12,0,0,1-1.07.58,1.15,1.15,0,0,1-.7-.18A3.79,3.79,0,0,1,20.42,8v.55Zm2.44-4.21a1,1,0,0,0-.13-.51A.5.5,0,0,0,21,3.61a.57.57,0,0,0-.44.18.66.66,0,0,0-.18.48V6.63a.83.83,0,0,0,.17.54.52.52,0,0,0,.45.21.49.49,0,0,0,.45-.22,1.11,1.11,0,0,0,.15-.6Z"/><path class="cls-2" d="M23.76,4.49a4.83,4.83,0,0,1,0-.68A1.55,1.55,0,0,1,24,3.26a1.59,1.59,0,0,1,.62-.64,1.84,1.84,0,0,1,1-.24,1.87,1.87,0,0,1,1,.24,1.59,1.59,0,0,1,.62.64,1.55,1.55,0,0,1,.18.55,4.83,4.83,0,0,1,.05.68v2a4.72,4.72,0,0,1-.05.68,1.55,1.55,0,0,1-.18.55,1.59,1.59,0,0,1-.62.64,1.87,1.87,0,0,1-1,.24,1.84,1.84,0,0,1-1-.24A1.59,1.59,0,0,1,24,7.73a1.55,1.55,0,0,1-.18-.55,4.72,4.72,0,0,1,0-.68ZM25,6.69a.72.72,0,0,0,.17.52.53.53,0,0,0,.43.17A.55.55,0,0,0,26,7.21a.72.72,0,0,0,.16-.52V4.3A.74.74,0,0,0,26,3.78a.55.55,0,0,0-.44-.17.53.53,0,0,0-.43.17A.74.74,0,0,0,25,4.3Z"/><path class="cls-2" d="M28.2,4.49a4.83,4.83,0,0,1,.05-.68,1.55,1.55,0,0,1,.18-.55,1.59,1.59,0,0,1,.62-.64,1.84,1.84,0,0,1,1-.24,1.87,1.87,0,0,1,1,.24,1.59,1.59,0,0,1,.62.64,1.55,1.55,0,0,1,.18.55,4.83,4.83,0,0,1,.05.68v2a4.72,4.72,0,0,1-.05.68,1.55,1.55,0,0,1-.18.55,1.59,1.59,0,0,1-.62.64,1.87,1.87,0,0,1-1,.24,1.84,1.84,0,0,1-1-.24,1.59,1.59,0,0,1-.62-.64,1.55,1.55,0,0,1-.18-.55,4.72,4.72,0,0,1-.05-.68Zm1.22,2.2a.72.72,0,0,0,.17.52.53.53,0,0,0,.43.17.55.55,0,0,0,.44-.17.72.72,0,0,0,.16-.52V4.3a.74.74,0,0,0-.16-.52A.55.55,0,0,0,30,3.61a.53.53,0,0,0-.43.17.74.74,0,0,0-.17.52Z"/><path class="cls-2" d="M32.75,8.54V0H34V5.11h0l1.47-2.66H36.7L35.24,4.93,37,8.54H35.66l-1.1-2.63L34,6.83V8.54Z"/></g></svg>

passbook/core/static/img/google-logo.svg

@@ -1,19 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<!-- Generator: Adobe Illustrator 22.0.1, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
-<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
-	 width="20px" height="20px" viewBox="0 0 20 20" style="enable-background:new 0 0 20 20;" xml:space="preserve">
-<style type="text/css">
-	.st0{fill:#FBBB00;}
-	.st1{fill:#518EF8;}
-	.st2{fill:#28B446;}
-	.st3{fill:#F14336;}
-</style>
-<path class="st0" d="M4.4,12.1l-0.7,2.6l-2.5,0.1C0.4,13.3,0,11.7,0,10c0-1.7,0.4-3.2,1.1-4.6h0l2.3,0.4l1,2.3
-	C4.2,8.7,4.1,9.3,4.1,10C4.1,10.7,4.2,11.4,4.4,12.1z"/>
-<path class="st1" d="M19.8,8.1C19.9,8.7,20,9.4,20,10c0,0.7-0.1,1.4-0.2,2.1c-0.5,2.3-1.8,4.3-3.5,5.7l0,0l-2.9-0.1L13,15.1
-	c1.2-0.7,2.1-1.8,2.6-3h-5.3v-4h5.4H19.8L19.8,8.1z"/>
-<path class="st2" d="M16.3,17.8L16.3,17.8C14.5,19.2,12.4,20,10,20c-3.8,0-7.1-2.1-8.8-5.3l3.2-2.7c0.8,2.3,3,3.9,5.6,3.9
-	c1.1,0,2.1-0.3,3-0.8L16.3,17.8z"/>
-<path class="st3" d="M16.4,2.3L13.1,5c-0.9-0.6-2-0.9-3.1-0.9c-2.6,0-4.8,1.7-5.6,4L1.1,5.4h0C2.8,2.2,6.1,0,10,0
-	C12.4,0,14.7,0.9,16.4,2.3z"/>
-</svg>

passbook/core/static/img/logos/azure ad.svg

@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="21" height="21" viewBox="0 0 21 21"><title>MS-SymbolLockup</title><rect x="1" y="1" width="9" height="9" fill="#f25022"/><rect x="1" y="11" width="9" height="9" fill="#00a4ef"/><rect x="11" y="1" width="9" height="9" fill="#7fba00"/><rect x="11" y="11" width="9" height="9" fill="#ffb900"/></svg>