new release: 0.8.15-beta

closes PASSBOOK-44

.bumpversion.cfg

@@ -1,10 +1,10 @@
 [bumpversion]
-current_version = 0.1.23-beta
+current_version = 0.8.15-beta
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\-(?P<release>.*)
 serialize = {major}.{minor}.{patch}-{release}
-message = bump version: {current_version} -> {new_version}
+message = new release: {new_version}
 tag_name = version/{new_version}
 
 [bumpversion:part:release]
@@ -15,41 +15,11 @@ values =
 	beta
 	stable
 
-[bumpversion:file:client-packages/allauth/setup.py]
+[bumpversion:file:helm/values.yaml]
 
-[bumpversion:file:client-packages/sentry-auth-passbook/setup.py]
+[bumpversion:file:helm/Chart.yaml]
 
-[bumpversion:file:helm/passbook/values.yaml]
-
-[bumpversion:file:helm/passbook/Chart.yaml]
-
-[bumpversion:file:.gitlab-ci.yml]
+[bumpversion:file:.github/workflows/release.yml]
 
 [bumpversion:file:passbook/__init__.py]
 
-[bumpversion:file:passbook/api/__init__.py]
-
-[bumpversion:file:passbook/core/__init__.py]
-
-[bumpversion:file:passbook/admin/__init__.py]
-
-[bumpversion:file:passbook/captcha_factor/__init__.py]
-
-[bumpversion:file:passbook/oauth_client/__init__.py]
-
-[bumpversion:file:passbook/ldap/__init__.py]
-
-[bumpversion:file:passbook/lib/__init__.py]
-
-[bumpversion:file:passbook/hibp_policy/__init__.py]
-
-[bumpversion:file:passbook/password_expiry_policy/__init__.py]
-
-[bumpversion:file:passbook/saml_idp/__init__.py]
-
-[bumpversion:file:passbook/audit/__init__.py]
-
-[bumpversion:file:passbook/oauth_provider/__init__.py]
-
-[bumpversion:file:passbook/otp/__init__.py]
-

.coveragerc

@@ -1,12 +1,10 @@
 [run]
 source = passbook
 omit =
-    env/
     */wsgi.py
     manage.py
     */migrations/*
     */apps.py
-    passbook/management/commands/nexus_upload.py
     passbook/management/commands/web.py
     passbook/management/commands/worker.py
     docs/
@@ -23,6 +21,7 @@ exclude_lines =
     def __str__
     def __repr__
     if self\.debug
+    if TYPE_CHECKING
 
     # Don't complain if tests don't hit defensive assertion code:
     raise AssertionError

.dockerignore

@@ -2,3 +2,5 @@ env
 helm
 passbook-ui
 static
+*.env.yml
+node_modules/

.editorconfig

@@ -9,3 +9,6 @@ insert_final_newline = true
 
 [html]
 indent_size = 2
+
+[yaml]
+indent_size = 2

.github/workflows/ci.yml

@@ -0,0 +1,181 @@
+name: passbook-ci
+on:
+  - push
+env:
+  POSTGRES_DB: passbook
+  POSTGRES_USER: passbook
+  POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
+
+jobs:
+  # Linting
+  pylint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v1
+      - uses: actions/setup-python@v1
+        with:
+          python-version: '3.8'
+      - name: Install dependencies
+        run: sudo pip install -U wheel pipenv && pipenv install --dev
+      - name: Lint with pylint
+        run: pipenv run pylint passbook
+  black:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v1
+      - uses: actions/setup-python@v1
+        with:
+          python-version: '3.8'
+      - name: Install dependencies
+        run: sudo pip install -U wheel pipenv && pipenv install --dev
+      - name: Lint with black
+        run: pipenv run black --check passbook
+  prospector:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v1
+      - uses: actions/setup-python@v1
+        with:
+          python-version: '3.8'
+      - name: Install dependencies
+        run: sudo pip install -U wheel pipenv && pipenv install --dev && pipenv install --dev prospector --skip-lock
+      - name: Lint with prospector
+        run: pipenv run prospector
+  bandit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v1
+      - uses: actions/setup-python@v1
+        with:
+          python-version: '3.8'
+      - name: Install dependencies
+        run: sudo pip install -U wheel pipenv && pipenv install --dev
+      - name: Lint with bandit
+        run: pipenv run bandit -r passbook
+  # Actual CI tests
+  migrations:
+    needs:
+      - pylint
+      - black
+      - prospector
+    services:
+      postgres:
+        image: postgres:latest
+        env:
+          POSTGRES_DB: passbook
+          POSTGRES_USER: passbook
+          POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
+        ports:
+          - 5432:5432
+      redis:
+        image: redis:latest
+        ports:
+          - 6379:6379
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v1
+      - uses: actions/setup-python@v1
+        with:
+          python-version: '3.8'
+      - name: Install dependencies
+        run: sudo pip install -U wheel pipenv && pipenv install --dev
+      - name: Run migrations
+        run: pipenv run ./manage.py migrate
+  coverage:
+    needs:
+      - pylint
+      - black
+      - prospector
+    services:
+      postgres:
+        image: postgres:latest
+        env:
+          POSTGRES_DB: passbook
+          POSTGRES_USER: passbook
+          POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
+        ports:
+          - 5432:5432
+      redis:
+        image: redis:latest
+        ports:
+          - 6379:6379
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v1
+      - uses: actions/setup-python@v1
+        with:
+          python-version: '3.8'
+      - name: Install dependencies
+        run: sudo pip install -U wheel pipenv && pipenv install --dev
+      - name: Run coverage
+        run: pipenv run ./scripts/coverage.sh
+  # Build
+  build-server:
+    needs:
+      - migrations
+      - coverage
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v1
+      - name: Docker Login Registry
+        env:
+          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+        run: docker login -u $DOCKER_USERNAME -p $DOCKER_PASSWORD
+      - name: Building Docker Image
+        run: docker build
+          --no-cache
+          -t beryju/passbook:${GITHUB_REF##*/}
+          -f Dockerfile .
+      - name: Push Docker Container to Registry
+        run: docker push beryju/passbook:${GITHUB_REF##*/}
+  build-gatekeeper:
+    needs:
+      - migrations
+      - coverage
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v1
+      - name: Docker Login Registry
+        env:
+          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+        run: docker login -u $DOCKER_USERNAME -p $DOCKER_PASSWORD
+      - name: Building Docker Image
+        run: |
+          cd gatekeeper
+          docker build \
+          --no-cache \
+          -t beryju/passbook-gatekeeper:${GITHUB_REF##*/} \
+          -f Dockerfile .
+      - name: Push Docker Container to Registry
+        run: docker push beryju/passbook-gatekeeper:${GITHUB_REF##*/}
+  build-static:
+    needs:
+      - migrations
+      - coverage
+    runs-on: ubuntu-latest
+    services:
+      postgres:
+        image: postgres:latest
+        env:
+          POSTGRES_DB: passbook
+          POSTGRES_USER: passbook
+          POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
+      redis:
+        image: redis:latest
+    steps:
+      - uses: actions/checkout@v1
+      - name: Docker Login Registry
+        env:
+          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+        run: docker login -u $DOCKER_USERNAME -p $DOCKER_PASSWORD
+      - name: Building Docker Image
+        run: docker build
+          --no-cache
+          --network=$(docker network ls | grep github | awk '{print $1}')
+          -t beryju/passbook-static:${GITHUB_REF##*/}
+          -f static.Dockerfile .
+      - name: Push Docker Container to Registry
+        run: docker push beryju/passbook-static:${GITHUB_REF##*/}

.github/workflows/release.yml

@@ -0,0 +1,89 @@
+name: passbook-release
+on:
+  release
+
+jobs:
+  # Build
+  build-server:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v1
+      - name: Docker Login Registry
+        env:
+          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+        run: docker login -u $DOCKER_USERNAME -p $DOCKER_PASSWORD
+      - name: Building Docker Image
+        run: docker build
+          --no-cache
+          -t beryju/passbook:0.8.15-beta
+          -t beryju/passbook:latest
+          -f Dockerfile .
+      - name: Push Docker Container to Registry (versioned)
+        run: docker push beryju/passbook:0.8.15-beta
+      - name: Push Docker Container to Registry (latest)
+        run: docker push beryju/passbook:latest
+  build-gatekeeper:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v1
+      - name: Docker Login Registry
+        env:
+          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+        run: docker login -u $DOCKER_USERNAME -p $DOCKER_PASSWORD
+      - name: Building Docker Image
+        run: |
+          cd gatekeeper
+          docker build \
+          --no-cache \
+          -t beryju/passbook-gatekeeper:0.8.15-beta \
+          -t beryju/passbook-gatekeeper:latest \
+          -f Dockerfile .
+      - name: Push Docker Container to Registry (versioned)
+        run: docker push beryju/passbook-gatekeeper:0.8.15-beta
+      - name: Push Docker Container to Registry (latest)
+        run: docker push beryju/passbook-gatekeeper:latest
+  build-static:
+    runs-on: ubuntu-latest
+    services:
+      postgres:
+        image: postgres:latest
+        env:
+          POSTGRES_DB: passbook
+          POSTGRES_USER: passbook
+          POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
+      redis:
+        image: redis:latest
+    steps:
+      - uses: actions/checkout@v1
+      - name: Docker Login Registry
+        env:
+          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+        run: docker login -u $DOCKER_USERNAME -p $DOCKER_PASSWORD
+      - name: Building Docker Image
+        run: docker build
+          --no-cache
+          --network=$(docker network ls | grep github | awk '{print $1}')
+          -t beryju/passbook-static:0.8.15-beta
+          -t beryju/passbook-static:latest
+          -f static.Dockerfile .
+      - name: Push Docker Container to Registry (versioned)
+        run: docker push beryju/passbook-static:0.8.15-beta
+      - name: Push Docker Container to Registry (latest)
+        run: docker push beryju/passbook-static:latest
+  test-release:
+    needs:
+      - build-server
+      - build-static
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v1
+      - name: Run test suite in final docker images
+        run: |
+          export PASSBOOK_DOMAIN=localhost
+          docker-compose pull
+          docker-compose up --no-start
+          docker-compose start postgresql redis
+          docker-compose run -u root server bash -c "pip install --no-cache -r requirements-dev.txt && ./manage.py test"

.github/workflows/tag.yml

@@ -0,0 +1,60 @@
+on:
+  push:
+    tags:
+    - 'version/*'
+
+name: passbook-version-tag
+
+jobs:
+  build:
+    name: Create Release from Tag
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@master
+      - name: Pre-release test
+        run: |
+          export PASSBOOK_DOMAIN=localhost
+          docker-compose pull
+          docker build \
+            --no-cache \
+            -t beryju/passbook:latest \
+            -f Dockerfile .
+          docker-compose up --no-start
+          docker-compose start postgresql redis
+          docker-compose run -u root server bash -c "pip install --no-cache -r requirements-dev.txt && ./manage.py test"
+      - name: Install Helm
+        run: |
+          apt update && apt install -y curl
+          curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash
+      - name: Helm package
+        run: |
+          helm dependency update helm/
+          helm package helm/
+          mv passbook-*.tgz passbook-chart.tgz
+      - name: Extract verison number
+        id: get_version
+        uses: actions/github-script@0.2.0
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            return context.payload.ref.replace(/\/refs\/tags\/version\//, '');
+      - name: Create Release
+        id: create_release
+        uses: actions/create-release@v1.0.0
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          tag_name: ${{ github.ref }}
+          release_name: Release ${{ steps.get_version.outputs.result }}
+          draft: false
+          prerelease: false
+      - name: Upload packaged Helm Chart
+        id: upload-release-asset
+        uses: actions/upload-release-asset@v1.0.1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ steps.create_release.outputs.upload_url }}
+          asset_path: ./passbook-chart.tgz
+          asset_name: passbook-chart.tgz
+          asset_content_type: application/gzip

.gitignore

@@ -63,6 +63,7 @@ coverage.xml
 *.cover
 .hypothesis/
 .pytest_cache/
+unittest.xml
 
 # Translations
 *.mo
@@ -184,10 +185,14 @@ dmypy.json
 [Ii]nclude
 [Ll]ib64
 [Ll]ocal
-[Ss]cripts
 pyvenv.cfg
 pip-selfcheck.json
 
 # End of https://www.gitignore.io/api/python,django
 /static/
 local.env.yml
+.vscode/
+
+### Helm ###
+# Chart dependencies
+**/charts/*.tgz

.gitlab-ci.yml

@@ -1,155 +0,0 @@
-# Global Variables
-before_script:
-    - "python3 -m pip install -U virtualenv"
-    - "virtualenv env"
-    - "source env/bin/activate"
-    - "pip3 install -U -r requirements-dev.txt"
-stages:
-    - test
-    - build
-    - docs
-    - deploy
-image: python:3.6
-services:
-    - postgres:latest
-
-variables:
-    POSTGRES_DB: passbook
-    POSTGRES_USER: passbook
-    POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
-
-include:
-    - /client-packages/allauth/.gitlab-ci.yml
-
-isort:
-    script:
-        - isort -c -sg env
-    stage: test
-migrations:
-    script:
-        - python manage.py migrate
-    stage: test
-prospector:
-    script:
-        - prospector
-    stage: test
-pylint:
-    script:
-        - pylint passbook
-    stage: test
-coverage:
-    script:
-        - coverage run manage.py test
-        - coverage report
-    stage: test
-bandit:
-    script:
-        - bandit -r passbook
-    stage: test
-
-package-docker:
-    image:
-        name: gcr.io/kaniko-project/executor:debug
-        entrypoint: [""]
-    before_script:
-        - echo "{\"auths\":{\"docker.$NEXUS_URL\":{\"auth\":\"$NEXUS_AUTH\"}}}" > /kaniko/.docker/config.json
-    script:
-        - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination docker.pkg.beryju.org/passbook:latest --destination docker.pkg.beryju.org/passbook:0.1.23-beta
-    stage: build
-    only:
-        - tags
-        - /^version/.*$/
-package-helm:
-    stage: build
-    script:
-        - curl https://raw.githubusercontent.com/helm/helm/master/scripts/get | bash
-        - helm init --client-only
-        - helm package helm/passbook
-        - ./manage.py nexus_upload --method put --url $NEXUS_URL --auth $NEXUS_AUTH --repo helm *.tgz
-    only:
-        - tags
-        - /^version/.*$/
-package-debian:
-    before_script:
-        - apt update
-        - apt install -y --no-install-recommends build-essential debhelper devscripts equivs python3 python3-dev python3-pip libsasl2-dev libldap2-dev
-        - mk-build-deps debian/control
-        - apt install ./*build-deps*deb -f -y
-        - python3 -m pip install -U virtualenv pip
-        - virtualenv env
-        - source env/bin/activate
-        - pip3 install -U -r requirements.txt -r requirements-dev.txt
-        - ./manage.py collectstatic --no-input
-    image: ubuntu:18.04
-    script:
-        - debuild -us -uc
-        - cp ../passbook*.deb .
-        - ./manage.py nexus_upload --method post --url $NEXUS_URL --auth $NEXUS_AUTH --repo apt passbook*deb
-    artifacts:
-        paths:
-            - passbook*deb
-        expire_in: 2 days
-    stage: build
-    only:
-        - tags
-        - /^version/.*$/
-
-package-client-package-allauth:
-    script:
-        - cd client-packages/allauth
-        - python setup.py sdist
-        - twine upload --username $TWINE_USERNAME --password $TWINE_PASSWORD dist/*
-    stage: build
-    only:
-        refs:
-            - tags
-            - /^version/.*$/
-        changes:
-            - client-packages/allauth/**
-
-package-client-package-sentry:
-    script:
-        - cd client-packages/sentry-auth-passbook
-        - python setup.py sdist
-        - twine upload --username $TWINE_USERNAME --password $TWINE_PASSWORD dist/*
-    stage: build
-    only:
-        refs:
-            - tags
-            - /^version/.*$/
-        changes:
-            - client-packages/sentry-auth-passbook/**
-
-# docs:
-#   stage: docs
-#   only:
-#   - master
-#   - tags
-#   - /^debian/.*$/
-#   environment:
-#     name: docs
-#     url: "https://passbook.beryju.org/docs/"
-#   script:
-#     - apt update
-#     - apt install -y rsync
-#     - "mkdir ~/.ssh"
-#     - "cp .gitlab/known_hosts ~/.ssh/"
-#     - "pip3 install -U -r requirements-docs.txt"
-#     - "eval $(ssh-agent -s)"
-#     - "echo \"${CI_SSH_PRIVATE}\" | ssh-add -"
-#     - mkdocs build
-#     - 'rsync -avh --delete web/* "beryjuorg@ory1-web-prod-1.ory1.beryju.org:passbook.beryju.org/"'
-#     - 'rsync -avh --delete site/* "beryjuorg@ory1-web-prod-1.ory1.beryju.org:passbook.beryju.org/docs/"'
-
-# deploy:
-#   environment:
-#     name: production
-#     url: https://passbook-prod.default.k8s.beryju.org/
-#   stage: deploy
-#   only:
-#   - tags
-#   - /^version/.*$/
-#   script:
-#     - curl https://raw.githubusercontent.com/helm/helm/master/scripts/get | bash
-#     - helm init
-#     - helm upgrade passbook-prod helm/passbook --devel

.isort.cfg

@@ -0,0 +1,6 @@
+[settings]
+multi_line_output=3
+include_trailing_comma=True
+force_grid_wrap=0
+use_parentheses=True
+line_length=88

.prospector.yaml

@@ -3,11 +3,9 @@ test-warnings: true
 doc-warnings: false
 
 ignore-paths:
-  - env
   - migrations
   - docs
   - node_modules
-  - client-packages
 
 uses:
  - django

.pylintrc

@@ -1,12 +1,9 @@
 [MASTER]
 
-disable=redefined-outer-name,arguments-differ,no-self-use,cyclic-import,fixme,locally-disabled,unpacking-non-sequence,too-many-ancestors,too-many-branches,too-few-public-methods
+disable=redefined-outer-name,arguments-differ,no-self-use,cyclic-import,fixme,locally-disabled,unpacking-non-sequence,too-many-ancestors,too-many-branches,too-few-public-methods,import-outside-toplevel,bad-continuation
 load-plugins=pylint_django,pylint.extensions.bad_builtin
-#,pylint.extensions.docparams
 extension-pkg-whitelist=lxml
 const-rgx=[a-zA-Z0-9_]{1,40}$
+ignored-modules=django-otp
+jobs=4
 
-[SIMILARITIES]
-
-# Minimum lines number of a similarity.
-min-similarity-lines=20

.vscode/.ropeproject/config.py

@@ -1,114 +0,0 @@
-# The default ``config.py``
-# flake8: noqa
-
-
-def set_prefs(prefs):
-    """This function is called before opening the project"""
-
-    # Specify which files and folders to ignore in the project.
-    # Changes to ignored resources are not added to the history and
-    # VCSs.  Also they are not returned in `Project.get_files()`.
-    # Note that ``?`` and ``*`` match all characters but slashes.
-    # '*.pyc': matches 'test.pyc' and 'pkg/test.pyc'
-    # 'mod*.pyc': matches 'test/mod1.pyc' but not 'mod/1.pyc'
-    # '.svn': matches 'pkg/.svn' and all of its children
-    # 'build/*.o': matches 'build/lib.o' but not 'build/sub/lib.o'
-    # 'build//*.o': matches 'build/lib.o' and 'build/sub/lib.o'
-    prefs['ignored_resources'] = ['*.pyc', '*~', '.ropeproject',
-                                  '.hg', '.svn', '_svn', '.git', '.tox']
-
-    # Specifies which files should be considered python files.  It is
-    # useful when you have scripts inside your project.  Only files
-    # ending with ``.py`` are considered to be python files by
-    # default.
-    # prefs['python_files'] = ['*.py']
-
-    # Custom source folders:  By default rope searches the project
-    # for finding source folders (folders that should be searched
-    # for finding modules).  You can add paths to that list.  Note
-    # that rope guesses project source folders correctly most of the
-    # time; use this if you have any problems.
-    # The folders should be relative to project root and use '/' for
-    # separating folders regardless of the platform rope is running on.
-    # 'src/my_source_folder' for instance.
-    # prefs.add('source_folders', 'src')
-
-    # You can extend python path for looking up modules
-    # prefs.add('python_path', '~/python/')
-
-    # Should rope save object information or not.
-    prefs['save_objectdb'] = True
-    prefs['compress_objectdb'] = False
-
-    # If `True`, rope analyzes each module when it is being saved.
-    prefs['automatic_soa'] = True
-    # The depth of calls to follow in static object analysis
-    prefs['soa_followed_calls'] = 0
-
-    # If `False` when running modules or unit tests "dynamic object
-    # analysis" is turned off.  This makes them much faster.
-    prefs['perform_doa'] = True
-
-    # Rope can check the validity of its object DB when running.
-    prefs['validate_objectdb'] = True
-
-    # How many undos to hold?
-    prefs['max_history_items'] = 32
-
-    # Shows whether to save history across sessions.
-    prefs['save_history'] = True
-    prefs['compress_history'] = False
-
-    # Set the number spaces used for indenting.  According to
-    # :PEP:`8`, it is best to use 4 spaces.  Since most of rope's
-    # unit-tests use 4 spaces it is more reliable, too.
-    prefs['indent_size'] = 4
-
-    # Builtin and c-extension modules that are allowed to be imported
-    # and inspected by rope.
-    prefs['extension_modules'] = []
-
-    # Add all standard c-extensions to extension_modules list.
-    prefs['import_dynload_stdmods'] = True
-
-    # If `True` modules with syntax errors are considered to be empty.
-    # The default value is `False`; When `False` syntax errors raise
-    # `rope.base.exceptions.ModuleSyntaxError` exception.
-    prefs['ignore_syntax_errors'] = False
-
-    # If `True`, rope ignores unresolvable imports.  Otherwise, they
-    # appear in the importing namespace.
-    prefs['ignore_bad_imports'] = False
-
-    # If `True`, rope will insert new module imports as
-    # `from <package> import <module>` by default.
-    prefs['prefer_module_from_imports'] = False
-
-    # If `True`, rope will transform a comma list of imports into
-    # multiple separate import statements when organizing
-    # imports.
-    prefs['split_imports'] = False
-
-    # If `True`, rope will remove all top-level import statements and
-    # reinsert them at the top of the module when making changes.
-    prefs['pull_imports_to_top'] = True
-
-    # If `True`, rope will sort imports alphabetically by module name instead
-    # of alphabetically by import statement, with from imports after normal
-    # imports.
-    prefs['sort_imports_alphabetically'] = False
-
-    # Location of implementation of
-    # rope.base.oi.type_hinting.interfaces.ITypeHintingFactory In general
-    # case, you don't have to change this value, unless you're an rope expert.
-    # Change this value to inject you own implementations of interfaces
-    # listed in module rope.base.oi.type_hinting.providers.interfaces
-    # For example, you can add you own providers for Django Models, or disable
-    # the search type-hinting in a class hierarchy, etc.
-    prefs['type_hinting_factory'] = (
-        'rope.base.oi.type_hinting.factory.default_type_hinting_factory')
-
-
-def project_opened(project):
-    """This function is called after opening the project"""
-    # Do whatever you like here!

.vscode/settings.json

@@ -1,11 +0,0 @@
-{
-  "python.pythonPath": "env/bin/python",
-  "editor.tabSize": 4,
-  "[html]": {
-    "editor.tabSize": 2
-  },
-  "cSpell.words": [
-    "SAML",
-    "passbook"
-  ]
-}

Dockerfile

@@ -1,34 +1,31 @@
-FROM python:3.6-slim-stretch as build
+FROM python:3.8-slim-buster as locker
 
-COPY ./passbook/ /app/passbook
-COPY ./manage.py /app/
-COPY ./requirements.txt /app/
+COPY ./Pipfile /app/
+COPY ./Pipfile.lock /app/
 
 WORKDIR /app/
 
-RUN apt-get update && apt-get install build-essential libssl-dev libffi-dev -y && \
-    mkdir /app/static/ && \
-    pip install -r requirements.txt && \
-    pip install psycopg2 && \
-    ./manage.py collectstatic --no-input && \
-    apt-get remove --purge -y build-essential && \
-    apt-get autoremove --purge -y
+RUN pip install pipenv && \
+    pipenv lock -r > requirements.txt && \
+    pipenv lock -rd > requirements-dev.txt
 
-FROM python:3.6-slim-stretch
+FROM python:3.8-slim-buster
 
-COPY ./passbook/ /app/passbook
-COPY ./manage.py /app/
-COPY ./requirements.txt /app/
-COPY --from=build /app/static /app/static/
+COPY --from=locker /app/requirements.txt /app/
+COPY --from=locker /app/requirements-dev.txt /app/
 
 WORKDIR /app/
 
-RUN apt-get update && apt-get install build-essential libssl-dev libffi-dev -y && \
-    pip install -r requirements.txt && \
-    pip install psycopg2 && \
-    adduser --system --home /app/ passbook && \
-    chown -R passbook /app/ && \
-    apt-get remove --purge -y build-essential && \
-    apt-get autoremove --purge -y
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends postgresql-client-11 && \
+    rm -rf /var/lib/apt/ && \
+    pip install -r requirements.txt  --no-cache-dir && \
+    adduser --system --no-create-home --uid 1000 --group --home /app passbook
+
+COPY ./passbook/ /app/passbook
+COPY ./manage.py /app/
+COPY ./docker/uwsgi.ini /app/
+
+WORKDIR /app/
 
 USER passbook

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2018 BeryJu.org
+Copyright (c) 2019 BeryJu.org
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

Pipfile

@@ -0,0 +1,61 @@
+[[source]]
+name = "pypi"
+url = "https://pypi.org/simple"
+verify_ssl = true
+
+[packages]
+boto3 = "*"
+celery = "*"
+defusedxml = "*"
+django = "*"
+django-cors-middleware = "*"
+django-dbbackup = "*"
+django-filter = "*"
+django-guardian = "*"
+django-model-utils = "*"
+django-oauth-toolkit = "*"
+django-oidc-provider = "*"
+django-otp = "*"
+django-prometheus = "*"
+django-recaptcha = "*"
+django-redis = "*"
+django-rest-framework = "*"
+django-storages = "*"
+djangorestframework-guardian = "*"
+drf-yasg = "*"
+kombu = "*"
+ldap3 = "*"
+lxml = "*"
+oauthlib = "*"
+packaging = "*"
+psycopg2-binary = "*"
+pycryptodome = "*"
+pyuwsgi = "*"
+pyyaml = "*"
+qrcode = "*"
+requests-oauthlib = "*"
+sentry-sdk = "*"
+service_identity = "*"
+signxml = "*"
+structlog = "*"
+swagger-spec-validator = "*"
+urllib3 = {extras = ["secure"],version = "*"}
+jinja2 = "*"
+
+[requires]
+python_version = "3.8"
+
+[dev-packages]
+autopep8 = "*"
+bandit = "*"
+bumpversion = "*"
+colorama = "*"
+coverage = "*"
+django-debug-toolbar = "*"
+pylint = "*"
+pylint-django = "*"
+unittest-xml-reporting = "*"
+black = "*"
+
+[pipenv]
+allow_prereleases = true

README.md

@@ -0,0 +1,15 @@
+# passbook
+
+![](https://github.com/BeryJu/passbook/workflows/passbook-ci/badge.svg)
+
+## Quick instance
+
+```
+export PASSBOOK_DOMAIN=domain.tld
+# Optionally enable Error-reporting
+# export PASSBOOK_ERROR_REPORTING=true
+docker-compose pull
+docker-compose up -d
+docker-compose exec server ./manage.py migrate
+docker-compose exec server ./manage.py createsuperuser
+```

client-packages/allauth/.gitlab-ci.yml

@@ -1,27 +0,0 @@
-# Global Variables
-before_script:
-  - cd allauth/
-  - "python3 -m pip install -U virtualenv"
-  - "virtualenv env"
-  - "source env/bin/activate"
-  - "pip3 install -U -r requirements-dev.txt"
-stages:
-  - test-allauth
-image: python:3.6
-
-isort:
-  script:
-    - isort -c -sg env
-  stage: test-allauth
-prospector:
-  script:
-    - prospector
-  stage: test-allauth
-pylint:
-  script:
-    - pylint passbook
-  stage: test-allauth
-bandit:
-  script:
-    - bandit -r allauth_passbook
-  stage: test-allauth

client-packages/allauth/allauth_passbook/provider.py

@@ -1,35 +0,0 @@
-"""passbook provider"""
-from allauth.socialaccount.providers.base import ProviderAccount
-from allauth.socialaccount.providers.oauth2.provider import OAuth2Provider
-
-
-class PassbookAccount(ProviderAccount):
-    """passbook account"""
-
-    def to_str(self):
-        dflt = super().to_str()
-        return self.account.extra_data.get('username', dflt)
-
-
-class PassbookProvider(OAuth2Provider):
-    """passbook provider"""
-
-    id = 'passbook'
-    name = 'passbook'
-    account_class = PassbookAccount
-
-    def extract_uid(self, data):
-        return str(data['sub'])
-
-    def extract_common_fields(self, data):
-        return {
-            'email': data.get('email'),
-            'username': data.get('preferred_username'),
-            'name': data.get('name'),
-        }
-
-    def get_default_scope(self):
-        return ['openid:userinfo']
-
-
-provider_classes = [PassbookProvider] # noqa

client-packages/allauth/allauth_passbook/urls.py

@@ -1,6 +0,0 @@
-"""passbook provider"""
-from allauth.socialaccount.providers.oauth2.urls import default_urlpatterns
-
-from allauth_passbook.provider import PassbookProvider
-
-urlpatterns = default_urlpatterns(PassbookProvider)

client-packages/allauth/allauth_passbook/views.py

@@ -1,37 +0,0 @@
-"""passbook adapter"""
-import requests
-from allauth.socialaccount import app_settings
-from allauth.socialaccount.providers.oauth2.views import (OAuth2Adapter,
-                                                          OAuth2CallbackView,
-                                                          OAuth2LoginView)
-
-from allauth_passbook.provider import PassbookProvider
-
-
-class PassbookOAuth2Adapter(OAuth2Adapter):
-    """passbook OAuth2 Adapter"""
-    provider_id = PassbookProvider.id
-    # pylint: disable=no-member
-    settings = app_settings.PROVIDERS.get(provider_id, {}) # noqa
-    provider_base_url = settings.get("PASSBOOK_URL", 'https://id.beryju.org')
-
-    access_token_url = '{0}/application/oauth/token/'.format(provider_base_url)
-    authorize_url = '{0}/application/oauth/authorize/'.format(provider_base_url)
-    profile_url = '{0}/api/v1/openid/'.format(
-        provider_base_url)
-
-    def complete_login(self, request, app, access_token, **kwargs):
-        headers = {
-            'Authorization': 'Bearer {0}'.format(access_token.token),
-            'Content-Type': 'application/json',
-        }
-        extra_data = requests.get(self.profile_url, headers=headers)
-
-        return self.get_provider().sociallogin_from_response(
-            request,
-            extra_data.json()
-        )
-
-
-oauth2_login = OAuth2LoginView.adapter_view(PassbookOAuth2Adapter) # noqa
-oauth2_callback = OAuth2CallbackView.adapter_view(PassbookOAuth2Adapter) # noqa

client-packages/allauth/requirements.txt

@@ -1 +0,0 @@
-django-allauth

client-packages/allauth/setup.py

@@ -1,33 +0,0 @@
-"""passbook allauth setup.py"""
-from setuptools import setup
-
-setup(
-    name='django-allauth-passbook',
-    version='0.1.23-beta',
-    description='passbook support for django-allauth',
-    # long_description='\n'.join(read_simple('docs/index.md')[2:]),
-    long_description_content_type='text/markdown',
-    author='BeryJu.org',
-    author_email='hello@beryju.org',
-    packages=['allauth_passbook'],
-    include_package_data=True,
-    install_requires=['django-allauth'],
-    keywords='django allauth passbook',
-    license='MIT',
-    classifiers=[
-        'Intended Audience :: Developers',
-        'Topic :: Software Development :: Libraries :: Python Modules',
-        'Environment :: Web Environment',
-        'Topic :: Internet',
-        'License :: OSI Approved :: MIT License',
-        'Operating System :: OS Independent',
-        'Programming Language :: Python',
-        'Programming Language :: Python :: 3.4',
-        'Programming Language :: Python :: 3.5',
-        'Programming Language :: Python :: 3.6',
-        'Framework :: Django',
-        'Framework :: Django :: 1.11',
-        'Framework :: Django :: 2.0',
-        'Framework :: Django :: 2.1',
-    ],
-)

client-packages/sentry-auth-passbook/.gitignore

@@ -1,5 +0,0 @@
-*.pyc
-*.egg-info/
-*.eggs
-/dist
-/build

client-packages/sentry-auth-passbook/.travis.yml

@@ -1,32 +0,0 @@
-sudo: false
-language: python
-services:
-  - memcached
-  - postgresql
-  - redis-server
-python:
-  - '2.7'
-cache:
-  directories:
-    - node_modules
-    - "$HOME/.cache/pip"
-deploy:
-  provider: pypi
-  user: getsentry
-  password:
-    secure: kVmxKHkBWRLYyZme05p+WZSJmb8GjHV9uyuaSCVMRlqWCW+GXRB7P1xXR2jb9URTlNdcs56Ab/UrwzCbMFGC8LmwCeFVgIR/ltytVZG2FgXZPWaeA4dH25qK2oGWgzJ/xeiMpmuJqN9hRl25MX6jG7FZKvrrOkG7+8tpPd1yO+uYWZQbnebZMjcPBqEpn7CC0hR39GSoyVAbydpMe5hwENGQM26CepcicdrelfawItoUrXrkJzBHkIQQTO/xRSbCtRJOtzI5lwtv3GP0hcbOy5tI5dhG/93pLwZRc5+dZaCaP7oaVeOcBjN0zfINRQobt8d6h2Qgvd/YyFkGi0/xKn1zMmKIVLOG6VsYwEAUq8wNOsP4A/jdm4Y0J/1oEZStCkpaGpx85TYi4kq1hWQdyqaVJSPhh4Tk4roIaS2zOYQl+nIpbHqmJ4FJrg1il+TCdjBXobATQ1mKRBUrjD+RDzH/r4ogbd8+UwvvvevpqS2K+/wgT6UD0MzDInv9S29CUQvuFhPoqyJb5XRddHMRE9EEK/2Z8tFN91sDATnqfXHgwnvu00q/nKP5JnijBPzGmx7ydgUViIukklDrlPvo9BbRJz0Vr2vbAvMTrLMLCXqi5CwTm+v+iaOf/YaCziaG2vx0eVASYjpOLCedSgRZBubPM8z4E/HMXhChN7sVDWk=
-  on:
-    tags: true
-  distributions: sdist bdist_wheel
-env:
-  global:
-    - PIP_DOWNLOAD_CACHE=".pip_download_cache"
-before_install:
-  - pip install codecov
-install:
-  - make develop
-script:
-  - PYFLAKES_NODOCTEST=1 flake8
-  - coverage run --source=. -m py.test tests
-after_success:
-  - codecov

client-packages/sentry-auth-passbook/LICENSE

@@ -1,201 +0,0 @@
-                              Apache License
-                        Version 2.0, January 2004
-                     http://www.apache.org/licenses/
-
-TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
-1. Definitions.
-
-   "License" shall mean the terms and conditions for use, reproduction,
-   and distribution as defined by Sections 1 through 9 of this document.
-
-   "Licensor" shall mean the copyright owner or entity authorized by
-   the copyright owner that is granting the License.
-
-   "Legal Entity" shall mean the union of the acting entity and all
-   other entities that control, are controlled by, or are under common
-   control with that entity. For the purposes of this definition,
-   "control" means (i) the power, direct or indirect, to cause the
-   direction or management of such entity, whether by contract or
-   otherwise, or (ii) ownership of fifty percent (50%) or more of the
-   outstanding shares, or (iii) beneficial ownership of such entity.
-
-   "You" (or "Your") shall mean an individual or Legal Entity
-   exercising permissions granted by this License.
-
-   "Source" form shall mean the preferred form for making modifications,
-   including but not limited to software source code, documentation
-   source, and configuration files.
-
-   "Object" form shall mean any form resulting from mechanical
-   transformation or translation of a Source form, including but
-   not limited to compiled object code, generated documentation,
-   and conversions to other media types.
-
-   "Work" shall mean the work of authorship, whether in Source or
-   Object form, made available under the License, as indicated by a
-   copyright notice that is included in or attached to the work
-   (an example is provided in the Appendix below).
-
-   "Derivative Works" shall mean any work, whether in Source or Object
-   form, that is based on (or derived from) the Work and for which the
-   editorial revisions, annotations, elaborations, or other modifications
-   represent, as a whole, an original work of authorship. For the purposes
-   of this License, Derivative Works shall not include works that remain
-   separable from, or merely link (or bind by name) to the interfaces of,
-   the Work and Derivative Works thereof.
-
-   "Contribution" shall mean any work of authorship, including
-   the original version of the Work and any modifications or additions
-   to that Work or Derivative Works thereof, that is intentionally
-   submitted to Licensor for inclusion in the Work by the copyright owner
-   or by an individual or Legal Entity authorized to submit on behalf of
-   the copyright owner. For the purposes of this definition, "submitted"
-   means any form of electronic, verbal, or written communication sent
-   to the Licensor or its representatives, including but not limited to
-   communication on electronic mailing lists, source code control systems,
-   and issue tracking systems that are managed by, or on behalf of, the
-   Licensor for the purpose of discussing and improving the Work, but
-   excluding communication that is conspicuously marked or otherwise
-   designated in writing by the copyright owner as "Not a Contribution."
-
-   "Contributor" shall mean Licensor and any individual or Legal Entity
-   on behalf of whom a Contribution has been received by Licensor and
-   subsequently incorporated within the Work.
-
-2. Grant of Copyright License. Subject to the terms and conditions of
-   this License, each Contributor hereby grants to You a perpetual,
-   worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-   copyright license to reproduce, prepare Derivative Works of,
-   publicly display, publicly perform, sublicense, and distribute the
-   Work and such Derivative Works in Source or Object form.
-
-3. Grant of Patent License. Subject to the terms and conditions of
-   this License, each Contributor hereby grants to You a perpetual,
-   worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-   (except as stated in this section) patent license to make, have made,
-   use, offer to sell, sell, import, and otherwise transfer the Work,
-   where such license applies only to those patent claims licensable
-   by such Contributor that are necessarily infringed by their
-   Contribution(s) alone or by combination of their Contribution(s)
-   with the Work to which such Contribution(s) was submitted. If You
-   institute patent litigation against any entity (including a
-   cross-claim or counterclaim in a lawsuit) alleging that the Work
-   or a Contribution incorporated within the Work constitutes direct
-   or contributory patent infringement, then any patent licenses
-   granted to You under this License for that Work shall terminate
-   as of the date such litigation is filed.
-
-4. Redistribution. You may reproduce and distribute copies of the
-   Work or Derivative Works thereof in any medium, with or without
-   modifications, and in Source or Object form, provided that You
-   meet the following conditions:
-
-   (a) You must give any other recipients of the Work or
-       Derivative Works a copy of this License; and
-
-   (b) You must cause any modified files to carry prominent notices
-       stating that You changed the files; and
-
-   (c) You must retain, in the Source form of any Derivative Works
-       that You distribute, all copyright, patent, trademark, and
-       attribution notices from the Source form of the Work,
-       excluding those notices that do not pertain to any part of
-       the Derivative Works; and
-
-   (d) If the Work includes a "NOTICE" text file as part of its
-       distribution, then any Derivative Works that You distribute must
-       include a readable copy of the attribution notices contained
-       within such NOTICE file, excluding those notices that do not
-       pertain to any part of the Derivative Works, in at least one
-       of the following places: within a NOTICE text file distributed
-       as part of the Derivative Works; within the Source form or
-       documentation, if provided along with the Derivative Works; or,
-       within a display generated by the Derivative Works, if and
-       wherever such third-party notices normally appear. The contents
-       of the NOTICE file are for informational purposes only and
-       do not modify the License. You may add Your own attribution
-       notices within Derivative Works that You distribute, alongside
-       or as an addendum to the NOTICE text from the Work, provided
-       that such additional attribution notices cannot be construed
-       as modifying the License.
-
-   You may add Your own copyright statement to Your modifications and
-   may provide additional or different license terms and conditions
-   for use, reproduction, or distribution of Your modifications, or
-   for any such Derivative Works as a whole, provided Your use,
-   reproduction, and distribution of the Work otherwise complies with
-   the conditions stated in this License.
-
-5. Submission of Contributions. Unless You explicitly state otherwise,
-   any Contribution intentionally submitted for inclusion in the Work
-   by You to the Licensor shall be under the terms and conditions of
-   this License, without any additional terms or conditions.
-   Notwithstanding the above, nothing herein shall supersede or modify
-   the terms of any separate license agreement you may have executed
-   with Licensor regarding such Contributions.
-
-6. Trademarks. This License does not grant permission to use the trade
-   names, trademarks, service marks, or product names of the Licensor,
-   except as required for reasonable and customary use in describing the
-   origin of the Work and reproducing the content of the NOTICE file.
-
-7. Disclaimer of Warranty. Unless required by applicable law or
-   agreed to in writing, Licensor provides the Work (and each
-   Contributor provides its Contributions) on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-   implied, including, without limitation, any warranties or conditions
-   of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
-   PARTICULAR PURPOSE. You are solely responsible for determining the
-   appropriateness of using or redistributing the Work and assume any
-   risks associated with Your exercise of permissions under this License.
-
-8. Limitation of Liability. In no event and under no legal theory,
-   whether in tort (including negligence), contract, or otherwise,
-   unless required by applicable law (such as deliberate and grossly
-   negligent acts) or agreed to in writing, shall any Contributor be
-   liable to You for damages, including any direct, indirect, special,
-   incidental, or consequential damages of any character arising as a
-   result of this License or out of the use or inability to use the
-   Work (including but not limited to damages for loss of goodwill,
-   work stoppage, computer failure or malfunction, or any and all
-   other commercial damages or losses), even if such Contributor
-   has been advised of the possibility of such damages.
-
-9. Accepting Warranty or Additional Liability. While redistributing
-   the Work or Derivative Works thereof, You may choose to offer,
-   and charge a fee for, acceptance of support, warranty, indemnity,
-   or other liability obligations and/or rights consistent with this
-   License. However, in accepting such obligations, You may act only
-   on Your own behalf and on Your sole responsibility, not on behalf
-   of any other Contributor, and only if You agree to indemnify,
-   defend, and hold each Contributor harmless for any liability
-   incurred by, or claims asserted against, such Contributor by reason
-   of your accepting any such warranty or additional liability.
-
-END OF TERMS AND CONDITIONS
-
-APPENDIX: How to apply the Apache License to your work.
-
-   To apply the Apache License to your work, attach the following
-   boilerplate notice, with the fields enclosed by brackets "[]"
-   replaced with your own identifying information. (Don't include
-   the brackets!)  The text should be enclosed in the appropriate
-   comment syntax for the file format. We also recommend that a
-   file or class name and description of purpose be included on the
-   same "printed page" as the copyright notice for easier
-   identification within third-party archives.
-
-Copyright 2016 Functional Software, Inc.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.

client-packages/sentry-auth-passbook/MANIFEST.in

@@ -1,3 +0,0 @@
-include setup.py package.json webpack.config.js README.rst MANIFEST.in LICENSE AUTHORS
-recursive-include sentry_auth_supervisr/templates *
-global-exclude *~

client-packages/sentry-auth-passbook/Makefile

@@ -1,26 +0,0 @@
-.PHONY: clean develop install-tests lint publish test
-
-develop:
-	pip install "pip>=7"
-	pip install -e .
-	make install-tests
-
-install-tests:
-	pip install .[tests]
-
-lint:
-	@echo "--> Linting python"
-	flake8
-	@echo ""
-
-test:
-	@echo "--> Running Python tests"
-	py.test tests || exit 1
-	@echo ""
-
-publish:
-	python setup.py sdist bdist_wheel upload
-
-clean:
-	rm -rf *.egg-info src/*.egg-info
-	rm -rf dist build

client-packages/sentry-auth-passbook/README.rst

@@ -1,55 +0,0 @@
-GitHub Auth for Sentry
-======================
-
-An SSO provider for Sentry which enables GitHub organization-restricted authentication.
-
-Install
--------
-
-::
-
-    $ pip install https://github.com/getsentry/sentry-auth-github/archive/master.zip
-
-Setup
------
-
-Create a new application under your organization in GitHub. Enter the **Authorization
-callback URL** as the prefix to your Sentry installation:
-
-::
-
-    https://example.sentry.com
-
-
-Once done, grab your API keys and drop them in your ``sentry.conf.py``:
-
-.. code-block:: python
-
-    GITHUB_APP_ID = ""
-
-    GITHUB_API_SECRET = ""
-
-
-Verified email addresses can optionally be required:
-
-.. code-block:: python
-
-    GITHUB_REQUIRE_VERIFIED_EMAIL = True
-
-
-Optionally you may also specify the domain (for GHE users):
-
-.. code-block:: python
-
-    GITHUB_BASE_DOMAIN = "git.example.com"
-
-    GITHUB_API_DOMAIN = "api.git.example.com"
-
-
-If Subdomain isolation is disabled in GHE:
-
-.. code-block:: python
-
-    GITHUB_BASE_DOMAIN = "git.example.com"
-
-    GITHUB_API_DOMAIN = "git.example.com/api/v3"

client-packages/sentry-auth-passbook/conftest.py

@@ -1,14 +0,0 @@
-from __future__ import absolute_import
-
-# Run tests against sqlite for simplicity
-import os
-import os.path
-import sys
-
-sys.path.insert(0, os.path.join(os.path.dirname(__file__)))
-
-os.environ.setdefault('DB', 'sqlite')
-
-pytest_plugins = [
-    'sentry.utils.pytest'
-]

client-packages/sentry-auth-passbook/sentry_auth_passbook/__init__.py

@@ -1,7 +0,0 @@
-from __future__ import absolute_import
-
-from sentry.auth import register
-
-from .provider import PassbookOAuth2Provider
-
-register('passbook', PassbookOAuth2Provider)

client-packages/sentry-auth-passbook/sentry_auth_passbook/client.py

@@ -1,45 +0,0 @@
-from __future__ import absolute_import, print_function
-
-from requests.exceptions import RequestException
-
-from sentry import http
-from sentry.utils import json
-
-from .constants import BASE_DOMAIN
-
-
-class PassbookApiError(Exception):
-    def __init__(self, message='', status=0):
-        super(PassbookApiError, self).__init__(message)
-        self.status = status
-
-
-class PassbookClient(object):
-    def __init__(self, client_id, client_secret):
-        self.client_id = client_id
-        self.client_secret = client_secret
-        self.http = http.build_session()
-
-    def _request(self, path, access_token):
-        params = {
-            'client_id': self.client_id,
-            'client_secret': self.client_secret,
-        }
-
-        headers = {
-            'Authorization': 'Bearer {0}'.format(access_token),
-        }
-
-        try:
-            req = self.http.get('https://{0}/{1}'.format(BASE_DOMAIN, path.lstrip('/')),
-                params=params,
-                headers=headers,
-            )
-        except RequestException as e:
-            raise PassbookApiError(unicode(e), status=getattr(e, 'status_code', 0))
-        if req.status_code < 200 or req.status_code >= 300:
-            raise PassbookApiError(req.content, status=req.status_code)
-        return json.loads(req.content)
-
-    def get_user(self, access_token):
-        return self._request('/api/v1/openid/', access_token)

client-packages/sentry-auth-passbook/sentry_auth_passbook/constants.py

@@ -1,14 +0,0 @@
-from __future__ import absolute_import, print_function
-
-from django.conf import settings
-
-CLIENT_ID = getattr(settings, 'PASSBOOK_APP_ID', None)
-
-CLIENT_SECRET = getattr(settings, 'PASSBOOK_API_SECRET', None)
-
-SCOPE = 'openid:userinfo'
-
-BASE_DOMAIN = getattr(settings, 'PASSBOOK_BASE_DOMAIN', 'id.beryju.org')
-
-ACCESS_TOKEN_URL = 'https://{0}/application/oauth/token/'.format(BASE_DOMAIN)
-AUTHORIZE_URL = 'https://{0}/application/oauth/authorize/'.format(BASE_DOMAIN)

client-packages/sentry-auth-passbook/sentry_auth_passbook/provider.py

@@ -1,62 +0,0 @@
-from __future__ import absolute_import, print_function
-
-from sentry.auth.exceptions import IdentityNotValid
-from sentry.auth.providers.oauth2 import (OAuth2Callback, OAuth2Login,
-                                          OAuth2Provider)
-
-from .client import PassbookApiError, PassbookClient
-from .constants import (ACCESS_TOKEN_URL, AUTHORIZE_URL, CLIENT_ID,
-                        CLIENT_SECRET, SCOPE)
-from .views import FetchUser, PassbookConfigureView
-
-
-class PassbookOAuth2Provider(OAuth2Provider):
-    access_token_url = ACCESS_TOKEN_URL
-    authorize_url = AUTHORIZE_URL
-    name = 'Passbook'
-    client_id = CLIENT_ID
-    client_secret = CLIENT_SECRET
-
-    def __init__(self, **config):
-        super(PassbookOAuth2Provider, self).__init__(**config)
-
-    def get_configure_view(self):
-        return PassbookConfigureView.as_view()
-
-    def get_auth_pipeline(self):
-        return [
-            OAuth2Login(
-                authorize_url=self.authorize_url,
-                client_id=self.client_id,
-                scope=SCOPE,
-            ),
-            OAuth2Callback(
-                access_token_url=self.access_token_url,
-                client_id=self.client_id,
-                client_secret=self.client_secret,
-            ),
-            FetchUser(
-                client_id=self.client_id,
-                client_secret=self.client_secret,
-            ),
-        ]
-
-    def get_refresh_token_url(self):
-        return ACCESS_TOKEN_URL
-
-    def build_identity(self, state):
-        data = state['data']
-        user_data = state['user']
-        return {
-            'id': user_data['email'],
-            'email': user_data['email'],
-            'name': user_data['name'],
-            'data': self.get_oauth_data(data),
-        }
-
-    def build_config(self, state):
-        return {}
-
-    def refresh_identity(self, auth_identity):
-        client = PassbookClient(self.client_id, self.client_secret)
-        access_token = auth_identity.data['access_token']

client-packages/sentry-auth-passbook/sentry_auth_passbook/views.py

@@ -1,75 +0,0 @@
-from __future__ import absolute_import, print_function
-
-from django import forms
-
-from sentry.auth.view import AuthView, ConfigureView
-from sentry.models import AuthIdentity
-
-from .client import PassbookClient
-
-
-def _get_name_from_email(email):
-    """
-    Given an email return a capitalized name. Ex. john.smith@example.com would return John Smith.
-    """
-    name = email.rsplit('@', 1)[0]
-    name = ' '.join([n_part.capitalize() for n_part in name.split('.')])
-    return name
-
-
-class FetchUser(AuthView):
-    def __init__(self, client_id, client_secret, *args, **kwargs):
-        self.client = PassbookClient(client_id, client_secret)
-        super(FetchUser, self).__init__(*args, **kwargs)
-
-    def handle(self, request, helper):
-        access_token = helper.fetch_state('data')['access_token']
-
-        user = self.client.get_user(access_token)
-
-        # A user hasn't set their name in their Passbook profile so it isn't
-        # populated in the response
-        if not user.get('name'):
-            user['name'] = _get_name_from_email(user['email'])
-
-        helper.bind_state('user', user)
-
-        return helper.next_step()
-
-
-class ConfirmEmailForm(forms.Form):
-    email = forms.EmailField(label='Email')
-
-
-class ConfirmEmail(AuthView):
-    def handle(self, request, helper):
-        user = helper.fetch_state('user')
-
-        # TODO(dcramer): this isnt ideal, but our current flow doesnt really
-        # support this behavior;
-        try:
-            auth_identity = AuthIdentity.objects.select_related('user').get(
-                auth_provider=helper.auth_provider,
-                ident=user['id'],
-            )
-        except AuthIdentity.DoesNotExist:
-            pass
-        else:
-            user['email'] = auth_identity.user.email
-
-        if user.get('email'):
-            return helper.next_step()
-
-        form = ConfirmEmailForm(request.POST or None)
-        if form.is_valid():
-            user['email'] = form.cleaned_data['email']
-            helper.bind_state('user', user)
-            return helper.next_step()
-
-        return self.respond('sentry_auth_passbook/enter-email.html', {
-            'form': form,
-        })
-
-class PassbookConfigureView(ConfigureView):
-    def dispatch(self, request, organization, auth_provider):
-        return self.render('sentry_auth_passbook/configure.html')

client-packages/sentry-auth-passbook/setup.cfg

@@ -1,12 +0,0 @@
-[wheel]
-universal = 1
-
-[pytest]
-python_files = test*.py
-addopts = --tb=native -p no:doctest
-norecursedirs = bin dist docs htmlcov script hooks node_modules .* {args}
-
-[flake8]
-ignore = F999,E501,E128,E124,E402,W503,E731,C901
-max-line-length = 100
-exclude = .tox,.git,*/migrations/*,node_modules/*,docs/*

client-packages/sentry-auth-passbook/setup.py

@@ -1,45 +0,0 @@
-#!/usr/bin/env python
-"""
-sentry-auth-passbook
-==================
-
-:copyright: (c) 2016 Functional Software, Inc
-"""
-from setuptools import find_packages, setup
-
-install_requires = [
-    'sentry>=7.0.0',
-]
-
-tests_require = [
-    'mock',
-    'flake8>=2.0,<2.1',
-]
-
-setup(
-    name='sentry-auth-passbook',
-    version='0.1.23-beta',
-    author='BeryJu.org',
-    author_email='support@beryju.org',
-    url='https://passbook.beryju.org',
-    description='passbook authentication provider for Sentry',
-    long_description=__doc__,
-    license='MIT',
-    packages=find_packages(exclude=['tests']),
-    zip_safe=False,
-    install_requires=install_requires,
-    tests_require=tests_require,
-    extras_require={'tests': tests_require},
-    include_package_data=True,
-    entry_points={
-        'sentry.apps': [
-            'auth_passbook = sentry_auth_passbook',
-        ],
-    },
-    classifiers=[
-        'Intended Audience :: Developers',
-        'Intended Audience :: System Administrators',
-        'Operating System :: OS Independent',
-        'Topic :: Software Development'
-    ],
-)

client-packages/sentry-auth-passbook/tests/test_provider.py

@@ -1,6 +0,0 @@
-from sentry.testutils import TestCase
-
-
-class GitHubOAuth2ProviderTest(TestCase):
-    def test_simple(self):
-        pass

client-packages/sentry-auth-passbook/tests/test_views.py

@@ -1,17 +0,0 @@
-from __future__ import absolute_import, print_function
-
-import pytest
-from sentry_auth_sentry.views import _get_name_from_email
-
-expected_data = [
-    ('john.smith@example.com', 'John Smith'),
-    ('john@example.com', 'John'),
-    ('XYZ-234=3523@example.com', 'Xyz-234=3523'),
-    ('XYZ.1111@example.com', 'Xyz 1111'),
-    ('JOHN@example.com', 'John'),
-]
-
-
-@pytest.mark.parametrize("email,expected_name", expected_data)
-def test_get_name_from_email(email, expected_name):
-    assert _get_name_from_email(email) == expected_name

debian/changelog

@@ -1,137 +0,0 @@
-passbook (0.1.23) stable; urgency=medium
-
-  * add support for OpenID-Connect Discovery
-
- -- Jens Langhammer <jens.langhammer@beryju.org>  Thu, 18 Mar 2019 20:19:27 +0000
-
-passbook (0.1.22) stable; urgency=medium
-
-  * bump version: 0.1.20-beta -> 0.1.21-beta
-  * fix missing debug template
-  * move icons to single folder, cleanup
-  * fix layout when on mobile viewport and scrolling
-  * fix delete form not working
-  * point to correct icons
-  * add Azure AD Source
-  * Fix OAuth Client's disconnect view having invalid URL names
-
- -- Jens Langhammer <jens.langhammer@beryju.org>  Thu, 14 Mar 2019 20:19:27 +0000
-
-passbook (0.1.21) stable; urgency=medium
-
-  * bump version: 0.1.19-beta -> 0.1.20-beta
-  * add request debug view
-  * detect HTTPS from reverse proxy
-
- -- Jens Langhammer <jens.langhammer@beryju.org>  Thu, 14 Mar 2019 17:01:49 +0000
-
-passbook (0.1.20) stable; urgency=medium
-
-  * bump version: 0.1.18-beta -> 0.1.19-beta
-  * fix GitHub Pretend again
-  * add user settings for Sources
-
- -- Jens Langhammer <jens.langhammer@beryju.org>  Wed, 13 Mar 2019 15:49:44 +0000
-
-passbook (0.1.18) stable; urgency=medium
-
-  * bump version: 0.1.16-beta -> 0.1.17-beta
-  * fix Server Error when downloading metadata
-  * add sentry client
-  * fix included yaml file
-  * adjust versions for client packages, auto build client-packages
-  * bump version: 0.1.17-beta -> 0.1.18-beta
-  * fix API Call for sentry-client, add missing template
-  * fix GitHub Pretend throwing a 500 error
-
- -- Jens Langhammer <jens.langhammer@beryju.org>  Wed, 13 Mar 2019 14:14:10 +0000
-
-passbook (0.1.17) stable; urgency=medium
-
-  * bump version: 0.1.15-beta -> 0.1.16-beta
-  * remove Application.user_is_authorized
-  * don't use celery heartbeat, use TCP keepalive instead
-  * switch to vertical navigation
-
- -- Jens Langhammer <jens.langhammer@beryju.org>  Tue, 12 Mar 2019 14:54:27 +0000
-
-passbook (0.1.16) stable; urgency=medium
-
-  * Replace redis with RabbitMQ
-  * updated debian package to suggest RabbitMQ
-  * update helm chart to require RabbitMQ
-  * fix invalid default config in debian package
-
- -- Jens Langhammer <jens.langhammer@beryju.org>  Mon, 11 Mar 2019 10:28:36 +0000
-
-passbook (0.1.14) stable; urgency=medium
-
-  * bump version: 0.1.11-beta -> 0.1.12-beta
-  * Fix DoesNotExist error when running PolicyEngine against None user
-  * allow custom email server for helm installs
-  * fix UserChangePasswordView not requiring Login
-
- -- Jens Langhammer <jens.langhammer@beryju.org>  Mon, 11 Mar 2019 10:28:36 +0000
-
-passbook (0.1.12) stable; urgency=medium
-
-  * bump version: 0.1.10-beta -> 0.1.11-beta
-  * rewrite PasswordFactor to use backends setting instead of trying all backends
-  * install updated helm release from local folder
-  * disable automatic k8s deployment for now
-  * fix OAuth Authorization View not requiring authentication
-
- -- Jens Langhammer <jens.langhammer@beryju.org>  Mon, 11 Mar 2019 08:50:29 +0000
-
-passbook (0.1.11) stable; urgency=medium
-
-  * add group administration
-  * bump version: 0.1.9-beta -> 0.1.10-beta
-  * fix helm labels being on deployments and not pods
-  * automatically deploy after release
-  * use Django's Admin FilteredSelectMultiple for Group Membership
-  * always use FilteredSelectMultiple for many-to-many fields
-  * Add Group Member policy
-  * add LDAP Group Membership Policy
-
- -- Jens Langhammer <jens.langhammer@beryju.org>  Sun, 10 Mar 2019 18:55:31 +0000
-
-passbook (0.1.10) stable; urgency=high
-
-  * bump version: 0.1.7-beta -> 0.1.8-beta
-  * consistently using PolicyEngine
-  * add more Verbosity to PolicyEngine, rewrite SAML Authorisation check
-  * slightly refactor Factor View, add more unittests
-  * add impersonation middleware, add to templates
-  * bump version: 0.1.8-beta -> 0.1.9-beta
-  * fix k8s service routing http traffic to workers
-  * Fix button on policy test page
-  * better show loading state when testing a policy
-
- -- Jens Langhammer <jens.langhammer@beryju.org>  Sun, 10 Mar 2019 14:52:40 +0000
-
-passbook (0.1.7) stable; urgency=medium
-
-  * bump version: 0.1.3-beta -> 0.1.4-beta
-  * implicitly add kubernetes-healthcheck-host in helm configmap
-  * fix debian build (again)
-  * add PropertyMapping Model, add Subclass for SAML, test with AWS
-  * add custom DynamicArrayField to better handle arrays
-  * format data before inserting it
-  * bump version: 0.1.4-beta -> 0.1.5-beta
-  * fix static files missing for debian package
-  * fix password not getting set on user import
-  * remove audit's login attempt
-  * add passing property to PolicyEngine
-  * fix captcha factor not loading keys from Factor class
-  * bump version: 0.1.5-beta -> 0.1.6-beta
-  * fix MATCH_EXACT not working as intended
-  * Improve access control for saml
-
- -- Jens Langhammer <jens.langhammer@beryju.org>  Fri, 08 Mar 2019 20:37:05 +0000
-
-passbook (0.1.4) stable; urgency=medium
-
-  * initial debian package release
-
- -- Jens Langhammer <jens.langhammer@beryju.org>  Wed, 06 Mar 2019 18:22:41 +0000

debian/compat

@@ -1 +0,0 @@
-10

debian/config

@@ -1,20 +0,0 @@
-#!/bin/sh
-# config maintainer script for passbook
-set -e
-
-# source debconf stuff
-. /usr/share/debconf/confmodule
-
-dbc_first_version=1.0.0
-dbc_dbuser=passbook
-dbc_dbname=passbook
-
-# source dbconfig-common shell library, and call the hook function
-if [ -f /usr/share/dbconfig-common/dpkg/config.pgsql ]; then
-    . /usr/share/dbconfig-common/dpkg/config.pgsql
-    dbc_go passbook "$@"
-fi
-
-#DEBHELPER#
-
-exit 0

debian/control

@@ -1,14 +0,0 @@
-Source: passbook
-Section: admin
-Priority: optional
-Maintainer: BeryJu.org <support@beryju.org>
-Uploaders: Jens Langhammer <jens@beryju.org>, BeryJu.org <support@beryju.org>
-Build-Depends: debhelper (>= 10), dh-systemd (>= 1.5), dh-exec, wget, dh-exec, python3 (>= 3.5) | python3.6 | python3.7
-Standards-Version: 3.9.6
-
-Package: passbook
-Architecture: all
-Recommends: mysql-server, rabbitmq-server
-Pre-Depends: adduser, libldap2-dev, libsasl2-dev
-Depends: python3 (>= 3.5) | python3.6 | python3.7, python3-pip, dbconfig-pgsql | dbconfig-no-thanks, ${misc:Depends}
-Description: Authentication Provider/Proxy supporting protocols like SAML, OAuth, LDAP and more.

debian/copyright

@@ -1,22 +0,0 @@
-MIT License
-
-Copyright (c) 2019 BeryJu.org
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
-

debian/dirs

@@ -1,4 +0,0 @@
-etc/passbook/
-etc/passbook/config.d/
-var/log/passbook/
-usr/share/passbook/

debian/etc/passbook/config.yml

@@ -1,77 +0,0 @@
-http:
-    host: 0.0.0.0
-    port: 8000
-secret_key_file: /etc/passbook/secret_key
-log:
-    level:
-        console: INFO
-        file: DEBUG
-    file: /var/log/passbook/passbook.log
-debug: false
-secure_proxy_header:
-  HTTP_X_FORWARDED_PROTO: https
-rabbitmq: guest:guest@localhost/passbook
-# Error reporting, sends stacktrace to sentry.services.beryju.org
-error_report_enabled: true
-
-passbook:
-  sign_up:
-    # Enables signup, created users are stored in internal Database and created in LDAP if ldap.create_users is true
-    enabled: true
-  password_reset:
-    # Enable password reset, passwords are reset in internal Database and in LDAP if ldap.reset_password is true
-    enabled: true
-    # Verification the user has to provide in order to be able to reset passwords. Can be any combination of `email`, `2fa`, `security_questions`
-    verification:
-      - email
-  # Text used in title, on login page and multiple other places
-  branding: passbook
-  login:
-    # Override URL used for logo
-    logo_url: null
-    # Override URL used for Background on Login page
-    bg_url: null
-    # Optionally add a subtext, placed below logo on the login page
-    subtext: null
-  footer:
-    links:
-      # Optionally add links to the footer on the login page
-      #  - name: test
-      #    href: https://test
-  # Specify which fields can be used to authenticate. Can be any combination of `username` and `email`
-  uid_fields:
-    - username
-    - email
-  session:
-    remember_age: 2592000 # 60 * 60 * 24 * 30, one month
-# Provider-specific settings
-ldap:
-  # Which field from `uid_fields` maps to which LDAP Attribute
-  login_field_map:
-    username: sAMAccountName
-    email: mail # or userPrincipalName
-  user_attribute_map:
-    active_directory:
-      username: "%(sAMAccountName)s"
-      email: "%(mail)s"
-      name: "%(displayName)"
-oauth_client:
-  # List of python packages with sources types to load.
-  types:
-    - passbook.oauth_client.source_types.discord
-    - passbook.oauth_client.source_types.facebook
-    - passbook.oauth_client.source_types.github
-    - passbook.oauth_client.source_types.google
-    - passbook.oauth_client.source_types.reddit
-    - passbook.oauth_client.source_types.supervisr
-    - passbook.oauth_client.source_types.twitter
-saml_idp:
-  # List of python packages with provider types to load.
-  types:
-    - passbook.saml_idp.processors.generic
-    - passbook.saml_idp.processors.aws
-    - passbook.saml_idp.processors.gitlab
-    - passbook.saml_idp.processors.nextcloud
-    - passbook.saml_idp.processors.salesforce
-    - passbook.saml_idp.processors.shibboleth
-    - passbook.saml_idp.processors.wordpress_orange

debian/gbp.conf

@@ -1,2 +0,0 @@
-[buildpackage]
-export-dir=../build-area

debian/install

@@ -1,8 +0,0 @@
-passbook		/usr/share/passbook/
-static			/usr/share/passbook/
-manage.py		/usr/share/passbook/
-passbook.sh		/usr/share/passbook/
-vendor			/usr/share/passbook/
-
-debian/etc/passbook								/etc/
-debian/templates/database.yml					/usr/share/passbook/

debian/passbook-worker.service

@@ -1,14 +0,0 @@
-[Unit]
-Description=passbook - Authentication Provider/Proxy (Background worker)
-After=network.target
-Requires=network.target
-
-[Service]
-User=passbook
-Group=passbook
-WorkingDirectory=/usr/share/passbook
-Type=simple
-ExecStart=/usr/share/passbook/passbook.sh worker
-
-[Install]
-WantedBy=multi-user.target

debian/passbook.service

@@ -1,14 +0,0 @@
-[Unit]
-Description=passbook - Authentication Provider/Proxy
-After=network.target
-Requires=network.target
-
-[Service]
-User=passbook
-Group=passbook
-WorkingDirectory=/usr/share/passbook
-Type=simple
-ExecStart=/usr/share/passbook/passbook.sh web
-
-[Install]
-WantedBy=multi-user.target

debian/postinst

@@ -1,36 +0,0 @@
-#!/bin/bash
-
-set -e
-
-. /usr/share/debconf/confmodule
-. /usr/share/dbconfig-common/dpkg/postinst.pgsql
-
-# you can set the default database encoding to something else
-dbc_pgsql_createdb_encoding="UTF8"
-dbc_generate_include=template:/etc/passbook/config.d/database.yml
-dbc_generate_include_args="-o template_infile=/usr/share/passbook/database.yml"
-dbc_go passbook "$@"
-
-if [ -z "`getent group passbook`" ]; then
-	addgroup --quiet --system passbook
-fi
-if [ -z "`getent passwd passbook`" ]; then
-	echo " * Creating user and group passbook..."
-	adduser --quiet --system --home /usr/share/passbook --shell /bin/false --ingroup passbook --disabled-password --disabled-login --gecos "passbook User" passbook  >> /var/log/passbook/passbook.log 2>&1
-fi
-echo " * Updating binary packages (psycopg2)"
-python3 -m pip install --target=/usr/share/passbook/vendor/ --no-cache-dir --upgrade --force-reinstall psycopg2 >> /var/log/passbook/passbook.log 2>&1
-if [ ! -f '/etc/passbook/secret_key' ]; then
-	echo " * Generating Secret Key"
-	python3 -c 'import random; result = "".join([random.choice("abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)") for i in range(50)]); print(result)' > /etc/passbook/secret_key 2> /dev/null
-fi
-chown -R passbook: /usr/share/passbook/
-chown -R passbook: /etc/passbook/
-chown -R passbook: /var/log/passbook/
-chmod 440 /etc/passbook/secret_key
-echo " * Running Database Migration"
-/usr/share/passbook/passbook.sh migrate
-echo " * A superuser can be created with this command '/usr/share/passbook/passbook.sh createsuperuser'"
-echo " * You should probably also adjust your settings in '/etc/passbook/config.yml'"
-
-#DEBHELPER#

debian/postrm

@@ -1,24 +0,0 @@
-#!/bin/sh
-
-set -e
-
-if [ -f /usr/share/debconf/confmodule ]; then
-    . /usr/share/debconf/confmodule
-fi
-if [ -f /usr/share/dbconfig-common/dpkg/postrm.pgsql ]; then
-    . /usr/share/dbconfig-common/dpkg/postrm.pgsql
-    dbc_go passbook "$@"
-fi
-
-
-if [ "$1" = "purge" ]; then
-    if which ucf >/dev/null 2>&1; then
-        ucf --purge /etc/passbook/config.d/database.yml
-        ucfr --purge passbook /etc/passbook/config.d/database.yml
-    fi
-    rm -rf /etc/passbook/
-    rm -rf /usr/share/passbook/
-fi
-
-#DEBHELPER#
-

debian/prerm

@@ -1,10 +0,0 @@
-#!/bin/sh
-
-set -e
-
-. /usr/share/debconf/confmodule
-. /usr/share/dbconfig-common/dpkg/prerm.pgsql
-dbc_go passbook "$@"
-
-#DEBHELPER#
-

debian/rules

@@ -1,27 +0,0 @@
-#!/usr/bin/make -f
-
-# Uncomment this to turn on verbose mode.
-# export DH_VERBOSE=1
-
-%:
-	dh $@ --with=systemd
-
-build-arch:
-	python3 -m pip install setuptools
-	python3 -m pip install --target=vendor/ -r requirements.txt
-
-override_dh_strip:
-	dh_strip --exclude=psycopg2
-
-override_dh_shlibdeps:
-	dh_shlibdeps --exclude=psycopg2
-
-override_dh_installinit:
-	dh_installinit --name=passbook
-	dh_installinit --name=passbook-worker
-	dh_systemd_enable --name=passbook
-	dh_systemd_enable --name=passbook-worker
-	dh_systemd_start
-
-# override_dh_usrlocal to do nothing
-override_dh_usrlocal:

debian/source/format

@@ -1 +0,0 @@
-3.0 (native)

debian/templates/database.yml

@@ -1,8 +0,0 @@
-databases:
-  default:
-    engine: django.db.backends.postgresql
-    name: _DBC_DBNAME_
-    user: _DBC_DBUSER_
-    password: _DBC_DBPASS_
-    host: _DBC_DBSERVER_
-    port: _DBC_DBPORT_

docker-compose.yml

@@ -0,0 +1,91 @@
+---
+version: '3.2'
+
+services:
+  postgresql:
+    image: postgres
+    volumes:
+      - database:/var/lib/postgresql/data
+    networks:
+      - internal
+    environment:
+      - POSTGRES_PASSWORD=${PG_PASS:-thisisnotagoodpassword}
+      - POSTGRES_USER=passbook
+      - POSTGRES_DB=passbook
+    labels:
+      - traefik.enable=false
+  redis:
+    image: redis
+    networks:
+      - internal
+    labels:
+      - traefik.enable=false
+  server:
+    image: beryju/passbook:${SERVER_TAG:-latest}
+    command:
+      - ./manage.py
+      - bootstrap
+      - uwsgi
+      - uwsgi.ini
+    environment:
+      - PASSBOOK_DOMAIN=${PASSBOOK_DOMAIN}
+      - PASSBOOK_REDIS__HOST=redis
+      - PASSBOOK_ERROR_REPORTING=${PASSBOOK_ERROR_REPORTING:-false}
+      - PASSBOOK_POSTGRESQL__HOST=postgresql
+      - PASSBOOK_POSTGRESQL__PASSWORD=${PG_PASS:-thisisnotagoodpassword}
+    ports:
+      - 8000
+    networks:
+      - internal
+    labels:
+      - traefik.port=8000
+      - traefik.docker.network=internal
+      - traefik.frontend.rule=PathPrefix:/
+  worker:
+    image: beryju/passbook:${SERVER_TAG:-latest}
+    command:
+      - ./manage.py
+      - bootstrap
+      - celery
+      - worker
+      - --autoscale=10,3
+      - -E
+      - -B
+      - -A=passbook.root.celery
+      - -s=/tmp/celerybeat-schedule
+    networks:
+      - internal
+    labels:
+      - traefik.enable=false
+    environment:
+      - PASSBOOK_DOMAIN=${PASSBOOK_DOMAIN}
+      - PASSBOOK_REDIS__HOST=redis
+      - PASSBOOK_ERROR_REPORTING=${PASSBOOK_ERROR_REPORTING:-false}
+      - PASSBOOK_POSTGRESQL__HOST=postgresql
+      - PASSBOOK_POSTGRESQL__PASSWORD=${PG_PASS:-thisisnotagoodpassword}
+  static:
+    image: beryju/passbook-static:latest
+    networks:
+      - internal
+    labels:
+      - traefik.frontend.rule=PathPrefix:/static, /robots.txt
+      - traefik.port=8080
+      - traefik.docker.network=internal
+  traefik:
+    image: traefik:1.7
+    command: --api --docker
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    ports:
+      - "0.0.0.0:80:80"
+      - "0.0.0.0:443:443"
+      - "0.0.0.0:8080:8080"
+    networks:
+      - internal
+
+volumes:
+  database:
+    driver: local
+
+networks:
+  internal: {}

docker/uwsgi.ini

@@ -0,0 +1,10 @@
+[uwsgi]
+http = 0.0.0.0:8000
+wsgi-file = passbook/root/wsgi.py
+processes = 2
+master = true
+threads = 2
+enable-threads = true
+uid = passbook
+gid = passbook
+disable-logging = True

docs/Dockerfile

@@ -0,0 +1,14 @@
+FROM python:3.8-slim-buster as builder
+
+WORKDIR /mkdocs
+
+RUN pip install mkdocs mkdocs-material
+
+COPY docs/ docs
+COPY mkdocs.yml .
+
+RUN mkdocs build
+
+FROM nginx
+
+COPY --from=builder /mkdocs/site /usr/share/nginx/html

docs/factors.md

@@ -0,0 +1,23 @@
+# Factors
+
+A factor represents a single authenticating factor for a user. Common examples of this would be a password or an OTP. These factors can be combined in any order, and can be dynamically enabled using policies.
+
+## Password Factor
+
+This is the standard Password Factor. It allows you to select which Backend the password is checked with. here you can also specify which Policies are used to check the password. You can also specify which Factors a User has to pass to recover their account.
+
+## Dummy Factor
+
+This factor waits a random amount of time. Mostly used for debugging.
+
+## E-Mail Factor
+
+This factor is mostly for recovery, and used in conjunction with the Password Factor.
+
+## OTP Factor
+
+This is your typical One-Time Password implementation, compatible with Authy and Google Authenticator. You can enfore this Factor so that every user has to configure it, or leave it optional.
+
+## Captcha Factor
+
+While this factor doesn't really authenticate a user, it is part of the Authentication Flow. passbook uses Google's reCaptcha implementation.

docs/index.md

@@ -0,0 +1,31 @@
+# Welcome
+
+Welcome to the passbook Documentation. passbook is an open-source Identity Provider and Usermanagement software. It can be used as a central directory for users or customers and it can integrate with your existing Directory.
+
+passbook can also be used as part of an Application to facilitate User Enrollment, Password recovery and Social Login.
+
+passbook uses the following Terminology:
+
+### Policy
+
+A Policy is at a base level a yes/no gate. It will either evaluate to True or False depending on the Policy Kind and settings. For example, a "Group Membership Policy" evaluates to True if the User is member of the specified Group and False if not. This can be used to conditionally apply Factors and grant/deny access.
+
+### Provider
+
+A Provider is a way for other Applications to authenticate against passbook. Common Providers are OpenID Connect (OIDC) and SAML.
+
+### Source
+
+Sources are ways to get users into passbook. This might be an LDAP Connection to import Users from Active Directory, or an OAuth2 Connection to allow Social Logins.
+
+### Application
+
+An application links together Policies with a Provider, allowing you to control access. It also holds Information like UI Name, Icon and more.
+
+### Factors
+
+Factors represent Authentication Factors, like a Password or OTP. These Factors can be dynamically enabled using policies. This allows you to, for example, force users from a certain IP ranges to complete a Captcha to authenticate.
+
+### Property Mappings
+
+Property Mappings allow you to make Information available for external Applications. For example, if you want to login to AWS with passbook, you'd use Property Mappings to set the User's Roles based on their Groups.

docs/installation/docker-compose.md

@@ -0,0 +1,26 @@
+# docker-compose
+
+This installation Method is for test-setups and small-scale productive setups.
+
+## Prerequisites
+
+-   docker
+-   docker-compose
+
+## Install
+
+Download the latest `docker-compose.yml` from [here](https://raw.githubusercontent.com/BeryJu/passbook/master/docker-compose.yml). Place it in a directory of your choice.
+
+passbook needs to know it's primary URL to create links in E-Mails and set cookies, so you have to run the following command:
+
+```
+export PASSBOOK_DOMAIN=domain.tld # this can be any domain or IP, it just needs to point to passbook.
+```
+
+The compose file references the current latest version, which can be overridden with the `SERVER_TAG` Environment variable.
+
+If you plan to use this setup for production, it is also advised to change the PostgreSQL Password by setting `PG_PASS` to a password of your choice.
+
+Now you can pull the Docker images needed by running `docker-compose pull`. After this has finished, run `docker-compose up -d` to start passbook.
+
+passbook will then be reachable on Port 80. You can optionally configure the packaged traefik to use Let's Encrypt for TLS Encryption.

docs/installation/install.md

@@ -0,0 +1,6 @@
+# Installation
+
+There are two supported ways to install passbook:
+
+-   [docker-compose](docker-compose.md) for test- or small productive setups
+-   [Kubernetes](./kubernetes.md) for larger Productive setups

docs/installation/kubernetes.md

@@ -0,0 +1,3 @@
+# Kubernetes
+
+For a mid to high-load Installation, Kubernetes is recommended. passbook is installed using a helm-chart.

docs/integrations/services/aws/index.md

@@ -0,0 +1,32 @@
+# Amazon Web Services Integration
+
+## What is AWS
+
+!!! note ""
+    Amazon Web Services (AWS) is the world’s most comprehensive and broadly adopted cloud platform, offering over 175 fully featured services from data centers globally. Millions of customers—including the fastest-growing startups, largest enterprises, and leading government agencies—are using AWS to lower costs, become more agile, and innovate faster.
+
+## Preparation
+
+The following placeholders will be used:
+
+-   `passbook.company` is the FQDN of the passbook Install
+
+Create an application in passbook and note the slug, as this will be used later. Create a SAML Provider with the following Parameters:
+
+-   ACS URL: `https://signin.aws.amazon.com/saml`
+-   Audience: `urn:amazon:webservices`
+-   Issuer: `passbook`
+
+You can of course use a custom Signing Certificate, and adjust durations.
+
+## AWS
+
+Create a Role with the Permissions you desire, and note the ARN.
+
+AWS requires two custom PropertyMappings; `Role` and `RoleSessionName`. Create them as following:
+
+![](./property-mapping-role.png)
+
+![](./property-mapping-role-session-name.png)
+
+Afterwards export the Metadata from passbook, and create an Identity Provider [here](https://console.aws.amazon.com/iam/home#/providers).

docs/integrations/services/gitlab/index.md

@@ -0,0 +1,58 @@
+# GitLab Integration
+
+## What is GitLab
+
+From https://about.gitlab.com/what-is-gitlab/
+
+!!! note ""
+    GitLab is a complete DevOps platform, delivered as a single application. This makes GitLab unique and makes Concurrent DevOps possible, unlocking your organization from the constraints of a pieced together toolchain. Join us for a live Q&A to learn how GitLab can give you unmatched visibility and higher levels of efficiency in a single application across the DevOps lifecycle.
+
+## Preparation
+
+The following placeholders will be used:
+
+-   `gitlab.company` is the FQDN of the GitLab Install
+-   `passbook.company` is the FQDN of the passbook Install
+
+Create an application in passbook and note the slug, as this will be used later. Create a SAML Provider with the following Parameters:
+
+-   ACS URL: `https://gitlab.company/users/auth/saml/callback`
+-   Audience: `https://gitlab.company`
+-   Issuer: `https://gitlab.company`
+
+You can of course use a custom Signing Certificate, and adjust durations. To get the value for `idp_cert_fingerprint`, you can use a tool like [this](https://www.samltool.com/fingerprint.php).
+
+## GitLab Configuration
+
+Paste the following block in your `gitlab.rb` file, after replacing the placeholder values from above. The file is located in `/etc/gitlab`.
+
+```ruby
+gitlab_rails['omniauth_enabled'] = true
+gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
+gitlab_rails['omniauth_sync_email_from_provider'] = 'saml'
+gitlab_rails['omniauth_sync_profile_from_provider'] = ['saml']
+gitlab_rails['omniauth_sync_profile_attributes'] = ['email']
+gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml'
+gitlab_rails['omniauth_block_auto_created_users'] = false
+gitlab_rails['omniauth_auto_link_saml_user'] = true
+gitlab_rails['omniauth_providers'] = [
+  {
+    name: 'saml',
+    args: {
+      assertion_consumer_service_url: 'https://gitlab.company/users/auth/saml/callback',
+      idp_cert_fingerprint: '4E:1E:CD:67:4A:67:5A:E9:6A:D0:3C:E6:DD:7A:F2:44:2E:76:00:6A',
+      idp_sso_target_url: 'https://passbook.company/application/saml/<passbook application slug>/login/',
+      issuer: 'https://gitlab.company',
+      name_identifier_format: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
+      attribute_statements: {
+        email: ['urn:oid:1.3.6.1.4.1.5923.1.1.1.6'],
+        first_name: ['urn:oid:2.5.4.3'],
+        nickname: ['urn:oid:2.16.840.1.113730.3.1.241']
+      }
+    },
+    label: 'passbook'
+  }
+]
+```
+
+Afterwards, either run `gitlab-ctl reconfigure` if you're running GitLab Omnibus, or restart the container if you're using the container.

docs/integrations/services/harbor/index.md

@@ -0,0 +1,27 @@
+# Harbor Integration
+
+## What is Harbor
+
+From https://goharbor.io
+
+!!! note ""
+    Harbor is an open source container image registry that secures images with role-based access control, scans images for vulnerabilities, and signs images as trusted. A CNCF Incubating project, Harbor delivers compliance, performance, and interoperability to help you consistently and securely manage images across cloud native compute platforms like Kubernetes and Docker.
+
+## Preparation
+
+The following placeholders will be used:
+
+-   `harbor.company` is the FQDN of the Harbor Install
+-   `passbook.company` is the FQDN of the passbook Install
+
+Create an application in passbook. Create an OpenID Provider with the following Parameters:
+
+-   Client Type: `Confidential`
+-   Response types: `code (Authorization Code Flow)`
+-   JWT Algorithm: `RS256`
+-   Redirect URIs: `https://harbor.company/c/oidc/callback`
+-   Scopes: `openid`
+
+## Harbor
+
+![](./harbor.png)

docs/integrations/services/rancher/index.md

@@ -0,0 +1,28 @@
+# Rancher Integration
+
+## What is Rancher
+
+From https://rancher.com/products/rancher
+
+!!! note ""
+    An Enterprise Platform for Managing Kubernetes Everywhere
+    Rancher is a platform built to address the needs of the DevOps teams deploying applications with Kubernetes, and the IT staff responsible for delivering an enterprise-critical service.
+
+## Preparation
+
+The following placeholders will be used:
+
+-   `rancher.company` is the FQDN of the Rancher Install
+-   `passbook.company` is the FQDN of the passbook Install
+
+Create an application in passbook and note the slug, as this will be used later. Create a SAML Provider with the following Parameters:
+
+-   ACS URL: `https://rancher.company/v1-saml/adfs/saml/acs`
+-   Audience: `https://rancher.company/v1-saml/adfs/saml/metadata`
+-   Issuer: `passbook`
+
+You can of course use a custom Signing Certificate, and adjust durations.
+
+## Rancher
+
+![](./rancher.png)

docs/integrations/services/sentry/index.md

@@ -0,0 +1,41 @@
+# Sentry Integration
+
+## What is Sentry
+
+From https://sentry.io
+
+!!! note ""
+    Sentry provides self-hosted and cloud-based error monitoring that helps all software
+    teams discover, triage, and prioritize errors in real-time.
+
+    One million developers at over fifty thousand companies already ship
+    better software faster with Sentry. Won’t you join them?
+
+## Preparation
+
+The following placeholders will be used:
+
+-   `sentry.company` is the FQDN of the Sentry Install
+-   `passbook.company` is the FQDN of the passbook Install
+
+Create an application in passbook. Create an OpenID Provider with the following Parameters:
+
+-   Client Type: `Confidential`
+-   Response types: `code (Authorization Code Flow)`
+-   JWT Algorithm: `RS256`
+-   Redirect URIs: `https://sentry.company/auth/sso/`
+-   Scopes: `openid email`
+
+## Sentry
+
+**This guide assumes you've installed Sentry using [getsentry/onpremise](https://github.com/getsentry/onpremise)**
+
+- Add `sentry-auth-oidc` to `onpremise/sentry/requirements.txt` (Create the file if it doesn't exist yet)
+- Add the following block to your `onpremise/sentry/sentry.conf.py`:
+```
+OIDC_ISSUER = "passbook"
+OIDC_CLIENT_ID = "<Client ID from passbook>"
+OIDC_CLIENT_SECRET = "<Client Secret from passbook>"
+OIDC_SCOPE = "openid email"
+OIDC_DOMAIN = "https://passbook.company/application/oidc/"
+```

docs/integrations/services/tower-awx/index.md

@@ -0,0 +1,74 @@
+# Ansible Tower / AWX Integration
+
+## What is Tower
+
+From https://docs.ansible.com/ansible/2.5/reference_appendices/tower.html
+
+!!! note ""
+    Ansible Tower (formerly ‘AWX’) is a web-based solution that makes Ansible even more easy to use for IT teams of all kinds. It’s designed to be the hub for all of your automation tasks.
+
+    Tower allows you to control access to who can access what, even allowing sharing of SSH credentials without someone being able to transfer those credentials. Inventory can be graphically managed or synced with a wide variety of cloud sources. It logs all of your jobs, integrates well with LDAP, and has an amazing browsable REST API. Command line tools are available for easy integration with Jenkins as well. Provisioning callbacks provide great support for autoscaling topologies.
+
+!!! note
+    AWX is the Open-Source version of Tower, and AWX will be used interchangeably throughout this document.
+
+## Preparation
+
+The following placeholders will be used:
+
+-   `awx.company` is the FQDN of the AWX/Tower Install
+-   `passbook.company` is the FQDN of the passbook Install
+
+Create an application in passbook and note the slug, as this will be used later. Create a SAML Provider with the following Parameters:
+
+-   ACS URL: `https://awx.company/sso/complete/saml/`
+-   Audience: `awx`
+-   Issuer: `https://awx.company/sso/metadata/saml/`
+
+You can of course use a custom Signing Certificate, and adjust durations.
+
+## AWX Configuration
+
+Navigate to `https://awx.company/#/settings/auth` to configure SAML. Set the Field `SAML SERVICE PROVIDER ENTITY ID` to `awx`.
+
+For the fields `SAML SERVICE PROVIDER PUBLIC CERTIFICATE` and `SAML SERVICE PROVIDER PRIVATE KEY`, you can either use custom Certificates, or use the self-signed Pair generated by Passbook.
+
+Provide Metadata in the `SAML Service Provider Organization Info` Field:
+
+```json
+{
+ "en-US": {
+  "name": "passbook",
+  "url": "https://passbook.company",
+  "displayname": "passbook"
+ }
+}
+```
+
+Provide Metadata in the  `SAML Service Provider Technical Contact` and `SAML Service Provider Technical Contact` Fields:
+
+```json
+{
+ "givenName": "Admin Name",
+ "emailAddress": "admin@company"
+}
+```
+
+In the `SAML Enabled Identity Providers` paste the following configuration:
+
+```json
+{
+ "passbook": {
+  "attr_username": "urn:oid:2.16.840.1.113730.3.1.241",
+  "attr_user_permanent_id": "urn:oid:0.9.2342.19200300.100.1.1",
+  "x509cert": "MIIDEjCCAfqgAwIBAgIRAJZ9pOZ1g0xjiHtQAAejsMEwDQYJKoZIhvcNAQELBQAwMDEuMCwGA1UEAwwlcGFzc2Jvb2sgU2VsZi1zaWduZWQgU0FNTCBDZXJ0aWZpY2F0ZTAeFw0xOTEyMjYyMDEwNDFaFw0yMDEyMjYyMDEwNDFaMFkxLjAsBgNVBAMMJXBhc3Nib29rIFNlbGYtc2lnbmVkIFNBTUwgQ2VydGlmaWNhdGUxETAPBgNVBAoMCHBhc3Nib29rMRQwEgYDVQQLDAtTZWxmLXNpZ25lZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAO/ktBYZkY9xAijF4acvzX6Q1K8KoIZeyde8fVgcWBz4L5FgDQ4/dni4k2YAcPdwteGL4nKVzetUzjbRCBUNuO6lqU4J4WNNX4Xg4Ir7XLRoAQeo+omTPBdpJ1p02HjtN5jT01umN3bK2yto1e37CJhK6WJiaXqRewPxh4lI4aqdj3BhFkJ3I3r2qxaWOAXQ6X7fg3w/ny7QP53//ouZo7hSLY3GIcRKgvdjjVM3OW5C3WLpOq5Dez5GWVJ17aeFCfGQ8bwFKde6qfYqyGcU9xHB36TtVHB9hSFP/tUFhkiSOxtsrYwCgCyXm4UTSpP+wiNyjKfFw7qGLBvA2hGTNw8CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAh9PeAqPRQk1/SSygIFADZBi08O/DPCshFwEHvJATIcTzcDD8UGAjXh+H5OlkDyX7KyrcaNvYaafCUo63A+WprdtdY5Ty6SBEwTYyiQyQfwM9BfK+imCoif1Ai7xAelD7p9lNazWq7JU+H/Ep7U7Q7LvpxAbK0JArt+IWTb2NcMb3OWE1r0gFbs44O1l6W9UbJTbyLMzbGbe5i+NHlgnwPwuhtRMh0NUYabGHKcHbhwyFhfGAQv2dAp5KF1E5gu6ZzCiFePzc0FrqXQyb2zpFYcJHXquiqaOeG7cZxRHYcjrl10Vxzki64XVA9BpdELgKSnupDGUEJsRUt3WVOmvZuA==",
+  "url": "https://passbook.company/application/saml/awx/login/",
+  "attr_last_name": "User.LastName",
+  "entity_id": "https://awx.company/sso/metadata/saml/",
+  "attr_email": "urn:oid:0.9.2342.19200300.100.1.3",
+  "attr_first_name": "urn:oid:2.5.4.3"
+ }
+}
+```
+
+`x509cert` is the Certificate configured in passbook. Remove the --BEGIN CERTIFICATE-- and --END CERTIFICATE-- headers, then enter the cert as one non-breaking string.

docs/k8s/deployment.yml

@@ -0,0 +1,33 @@
+---
+apiVersion: apps/v1beta2
+kind: Deployment
+metadata:
+  name: passbook-docs
+  namespace: prod-passbook-docs
+  labels:
+    app.kubernetes.io/name: passbook-docs
+    app.kubernetes.io/managed-by: passbook-docs
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: passbook-docs
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: passbook-docs
+    spec:
+      containers:
+        - name: passbook-docs
+          image: "beryju/passbook-docs:latest"
+          ports:
+            - name: http
+              containerPort: 80
+              protocol: TCP
+          resources:
+            limits:
+              cpu: 10m
+              memory: 20Mi
+            requests:
+              cpu: 10m
+              memory: 20Mi

docs/k8s/ingress.yml

@@ -0,0 +1,21 @@
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  labels:
+    app.kubernetes.io/name: passbook-docs
+  name: passbook-docs
+  namespace: prod-passbook-docs
+spec:
+  rules:
+    - host: docs.passbook.beryju.org
+      http:
+        paths:
+          - backend:
+              serviceName: passbook-docs-http
+              servicePort: http
+            path: /
+  tls:
+    - hosts:
+        - docs.passbook.beryju.org
+      secretName: passbook-docs-acme

docs/k8s/service.yml

@@ -0,0 +1,17 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: passbook-docs-http
+  namespace: prod-passbook-docs
+  labels:
+    app.kubernetes.io/name: passbook-docs
+spec:
+  type: ClusterIP
+  ports:
+    - port: 80
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    app.kubernetes.io/name: passbook-docs

docs/policies/expression/index.md

@@ -0,0 +1,21 @@
+# Expression Policy
+
+Expression Policies allows you to write custom Policy Logic using Jinja2 Templating language.
+
+For a language reference, see [here](https://jinja.palletsprojects.com/en/2.11.x/templates/).
+
+The following objects are passed into the variable:
+
+- `request`: A PolicyRequest object, which has the following properties:
+    - `request.user`: The current User, which the Policy is applied against. ([ref](../../property-mappings/reference/user-object.md))
+    - `request.http_request`: The Django HTTP Request, as documented [here](https://docs.djangoproject.com/en/3.0/ref/request-response/#httprequest-objects).
+    - `request.obj`: A Django Model instance. This is only set if the Policy is ran against an object.
+- `pb_is_sso_flow`: Boolean which is true if request was initiated by authenticating through an external Provider.
+- `pb_is_group_member(user, group_name)`: Function which checks if `user` is member of a Group with Name `gorup_name`.
+- `pb_logger`: Standard Python Logger Object, which can be used to debug expressions.
+- `pb_client_ip`: Client's IP Address.
+
+There are also the following custom filters available:
+
+- `regex_match(regex)`: Return True if value matches `regex`
+- `regex_replace(regex, repl)`: Replace string matched by `regex` with `repl`

docs/policies/index.md

@@ -0,0 +1,50 @@
+# Policies
+
+## Kinds
+
+There are two different Kind of policies, a Standard Policy and a Password Policy. Normal Policies just evaluate to True or False, and can be used everywhere. Password Policies apply when a Password is set (during User enrollment, Recovery or anywhere else). These policies can be used to apply Password Rules like length, etc. The can also be used to expire passwords after a certain amount of time.
+
+## Standard Policies
+
+---
+
+### Group-Membership Policy
+
+This policy evaluates to True if the current user is a Member of the selected group.
+
+### Reputation Policy
+
+passbook keeps track of failed login attempts by Source IP and Attempted Username. These values are saved as scores. Each failed login decreases the Score for the Client IP as well as the targeted Username by one.
+
+This policy can be used to for example prompt Clients with a low score to pass a Captcha before they can continue.
+
+## Expression Policy
+
+See [Expression Policy](expression/index.md).
+
+### Webhook Policy
+
+This policy allows you to send an arbitrary HTTP Request to any URL. You can then use JSONPath to extract the result you need.
+
+## Password Policies
+
+---
+
+### Password Policy
+
+This Policy allows you to specify Password rules, like Length and required Characters.
+The following rules can be set:
+
+-   Minimum amount of Uppercase Characters
+-   Minimum amount of Lowercase Characters
+-   Minimum amount of Symbols Characters
+-   Minimum Length
+-   Symbol charset (define which characters are counted as symbols)
+
+### Have I Been Pwned Policy
+
+This Policy checks the hashed Password against the [Have I Been Pwned](https://haveibeenpwned.com/) API. This only sends the first 5 characters of the hashed password. The remaining comparison is done within passbook.
+
+### Password-Expiry Policy
+
+This policy can enforce regular password rotation by expiring set Passwords after a finite amount of time. This forces users to set a new password.

docs/property-mappings/index.md

@@ -0,0 +1,21 @@
+# Property Mappings
+
+Property Mappings allow you to pass information to external Applications. For example, pass the current user's Groups as a SAML Parameter. Property Mappings are also used to map Source fields to passbook fields, for example when using LDAP.
+
+## SAML Property Mapping
+
+SAML Property Mappings allow you embed Information into the SAML AuthN Request. THis Information can then be used by the Application to assign permissions for example.
+
+You can find examples [here](integrations/)
+
+## LDAP Property Mapping
+
+LDAP Property Mappings are used when you define a LDAP Source. These Mappings define which LDAP Property maps to which passbook Property. By default, these mappings are created:
+
+-   Autogenerated LDAP Mapping: givenName -> first_name
+-   Autogenerated LDAP Mapping: mail -> email
+-   Autogenerated LDAP Mapping: name -> name
+-   Autogenerated LDAP Mapping: sAMAccountName -> username
+-   Autogenerated LDAP Mapping: sn -> last_name
+
+These are configured for the most common LDAP Setups.

docs/property-mappings/reference/user-object.md

@@ -0,0 +1,20 @@
+# Passbook User Object
+
+The User object has the following attributes:
+
+ - `username`: User's Username
+ - `email` User's E-Mail
+ - `name` User's Display Name
+ - `is_staff` Boolean field if user is staff
+ - `is_active` Boolean field if user is active
+ - `date_joined` Date User joined/was created
+ - `password_change_date` Date Password was last changed
+ - `attributes` Dynamic Attributes
+
+## Examples
+
+List all the User's Group Names
+
+```jinja2
+[{% for group in user.groups.all() %}'{{ group.name }}',{% endfor %}]
+```

docs/providers.md

@@ -0,0 +1,17 @@
+# Providers
+
+Providers allow external Applications to authenticate against passbook and use its User Information.
+
+## OpenID Provider
+
+This provider uses the commonly used OpenID Connect variation of OAuth2.
+
+## OAuth2 Provider
+
+This provider is slightly different than the OpenID Provider. While it uses the same basic OAuth2 Protocol, it provides a GitHub-compatible Endpoint. This allows you to integrate Applications, which don't support Custom OpenID Providers.
+The API exposes Username, E-Mail, Name and Groups in a GitHub-compatible format.
+
+## SAML Provider
+
+This provider allows you to integrate Enterprise Software using the SAML2 Protocol. It supports signed Requests. This Provider uses [Property Mappings](property-mappings/index.md#saml-property-mapping) to determine which fields are exposed and what values they return. This makes it possible to expose Vendor-specific Fields.
+Default fields are exposed through Auto-generated Property Mappings, which are prefixed with "Autogenerated..."

docs/sources.md

@@ -0,0 +1,39 @@
+# Sources
+
+Sources allow you to connect passbook to an existing User directory. They can also be used for Social-Login, using external Providers like Facebook, Twitter, etc.
+
+## Generic OAuth Source
+
+**All Integration-specific Sources are documented in the Integrations Section**
+
+This source allows users to enroll themselves with an External OAuth-based Identity Provider. The Generic Provider expects the Endpoint to return OpenID-Connect compatible Information. Vendor specific Implementations have their own OAuth Source.
+
+-   Policies: Allow/Forbid Users from linking their Accounts with this Provider
+-   Request Token URL: This field is used for OAuth v1 Implementations and will be provided by the Provider.
+-   Authorization URL: This value will be provided by the Provider.
+-   Access Token URL: This value will be provided by the Provider.
+-   Profile URL: This URL is called by passbook to retrieve User information upon successful authentication.
+-   Consumer key/Consumer secret: These values will be provided by the Provider.
+
+## SAML Source
+
+This source allows passbook to act as a SAML Service Provider. Just like the SAML Provider, it supports signed Requests. Vendor specific documentation can be found in the Integrations Section
+
+## LDAP Source
+
+This source allows you to import Users and Groups from an LDAP Server
+
+-   Server URI: URI to your LDAP Server/Domain Controller
+-   Bind CN: CN to bind as, this can also be a UPN in the format of `user@domain.tld`
+-   Bind password: Password used during the bind process
+-   Enable Start TLS: Enables StartTLS functionality. To use SSL instead, use port `636`
+-   Base DN: Base DN used for all LDAP queries
+-   Addition User DN: Prepended to Base DN for User-queries.
+-   Addition Group DN: Prepended to Base DN for Group-queries.
+-   User object filter: Consider Objects matching this filter to be Users.
+-   Group object filter: Consider Objects matching this filter to be Groups.
+-   User group membership field: Field which contains Groups of user.
+-   Object uniqueness field: Field which contains a unique Identifier.
+-   Sync groups: Enable/disable Group synchronization. Groups are synced in the background every 5 minutes.
+-   Sync parent group: Optionally set this Group as parent Group for all synced Groups (allows you to, for example, import AD Groups under a root `imported-from-ad` group.)
+-   Property mappings: Define which LDAP Properties map to which passbook Properties. The default set of Property Mappings is generated for Active Directory. See also [LDAP Property Mappings](property-mappings/index.md#ldap-property-mapping)

gatekeeper/Dockerfile

@@ -0,0 +1,8 @@
+FROM quay.io/pusher/oauth2_proxy
+
+COPY templates /templates
+
+ENV OAUTH2_PROXY_EMAIL_DOMAINS=*
+ENV OAUTH2_PROXY_PROVIDER=oidc
+ENV OAUTH2_PROXY_CUSTOM_TEMPLATES_DIR=/templates
+ENV OAUTH2_PROXY_HTTP_ADDRESS=:4180

gatekeeper/templates/error.html

@@ -0,0 +1,18 @@
+{{define "error.html"}}
+<!DOCTYPE html>
+<html lang="en" charset="utf-8">
+
+<head>
+    <title>{{.Title}}</title>
+    <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no">
+</head>
+
+<body>
+    <h2>{{.Title}}</h2>
+    <p>{{.Message}}</p>
+    <hr>
+    <p><a href="{{.ProxyPrefix}}/sign_in">Sign In</a></p>
+</body>
+
+</html>
+{{end}}

gatekeeper/templates/sign_in.html

@@ -0,0 +1,119 @@
+{{define "sign_in.html"}}
+<!DOCTYPE html>
+<html lang="en" charset="utf-8">
+<head>
+    <title>Sign In with passbook</title>
+    <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no">
+    <style>
+        body {
+            font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;
+            font-size: 14px;
+            line-height: 1.42857143;
+            color: #333;
+            background: #f0f0f0;
+        }
+
+        .signin {
+            display: block;
+            margin: 20px auto;
+            max-width: 400px;
+            background: #fff;
+            border: 1px solid #ccc;
+            border-radius: 10px;
+            padding: 20px;
+        }
+
+        .center {
+            text-align: center;
+        }
+
+        .btn {
+            color: #fff;
+            background-color: #428bca;
+            border: 1px solid #357ebd;
+            -webkit-border-radius: 4;
+            -moz-border-radius: 4;
+            border-radius: 4px;
+            font-size: 14px;
+            padding: 6px 12px;
+            text-decoration: none;
+            cursor: pointer;
+        }
+
+        .btn:hover {
+            background-color: #3071a9;
+            border-color: #285e8e;
+            text-decoration: none;
+        }
+
+        label {
+            display: inline-block;
+            max-width: 100%;
+            margin-bottom: 5px;
+            font-weight: 700;
+        }
+
+        input {
+            display: block;
+            width: 100%;
+            height: 34px;
+            padding: 6px 12px;
+            font-size: 14px;
+            line-height: 1.42857143;
+            color: #555;
+            background-color: #fff;
+            background-image: none;
+            border: 1px solid #ccc;
+            border-radius: 4px;
+            -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, .075);
+            box-shadow: inset 0 1px 1px rgba(0, 0, 0, .075);
+            -webkit-transition: border-color ease-in-out .15s, -webkit-box-shadow ease-in-out .15s;
+            -o-transition: border-color ease-in-out .15s, box-shadow ease-in-out .15s;
+            transition: border-color ease-in-out .15s, box-shadow ease-in-out .15s;
+            margin: 0;
+            box-sizing: border-box;
+        }
+
+        footer {
+            display: block;
+            font-size: 10px;
+            color: #aaa;
+            text-align: center;
+            margin-bottom: 10px;
+        }
+
+        footer a {
+            display: inline-block;
+            height: 25px;
+            line-height: 25px;
+            color: #aaa;
+            text-decoration: underline;
+        }
+
+        footer a:hover {
+            color: #aaa;
+        }
+    </style>
+</head>
+
+<body>
+    <div class="signin center">
+        <form method="GET" action="{{.ProxyPrefix}}/start">
+            <input type="hidden" name="rd" value="{{.Redirect}}">
+            <button type="submit" class="btn">Sign in with passbook</button><br />
+        </form>
+    </div>
+    <script>
+        if (window.location.hash) {
+            (function () {
+                var inputs = document.getElementsByName('rd');
+                for (var i = 0; i < inputs.length; i++) {
+                    inputs[i].value += window.location.hash;
+                }
+            })();
+        }
+    </script>
+</body>
+
+</html>
+{{end}}

helm/Chart.lock

@@ -0,0 +1,9 @@
+dependencies:
+- name: postgresql
+  repository: https://kubernetes-charts.storage.googleapis.com/
+  version: 6.5.8
+- name: redis
+  repository: https://kubernetes-charts.storage.googleapis.com/
+  version: 9.5.1
+digest: sha256:f18b5dc8d0be13d584407405c60d10b6b84d25f7fa8aaa3dd0e5385c38f5c516
+generated: "2019-12-14T13:33:48.4341939Z"

helm/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+appVersion: "0.8.15-beta"
+description: A Helm chart for passbook.
+name: passbook
+version: "0.8.15-beta"
+icon: https://git.beryju.org/uploads/-/system/project/avatar/108/logo.png

helm/passbook/Chart.yaml

@@ -1,6 +0,0 @@
-apiVersion: v1
-appVersion: "0.1.23-beta"
-description: A Helm chart for passbook.
-name: passbook
-version: "0.1.23-beta"
-icon: https://passbook.beryju.org/images/logo.png

helm/passbook/requirements.lock

@@ -1,9 +0,0 @@
-dependencies:
-- name: rabbitmq
-  repository: https://kubernetes-charts.storage.googleapis.com/
-  version: 4.3.2
-- name: postgresql
-  repository: https://kubernetes-charts.storage.googleapis.com/
-  version: 3.10.1
-digest: sha256:c36e054785f7d706d7d3f525eb1b167dbc89b42f84da7fc167a18bbb6542c999
-generated: 2019-03-11T20:36:35.125079+01:00

helm/passbook/templates/passbook-configmap.yaml

@@ -1,140 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: {{ include "passbook.fullname" . }}-config
-data:
-  config.yml: |
-    # Env for Docker images
-    databases:
-      default:
-        engine: django.db.backends.postgresql
-        name: {{ .Values.postgresql.postgresqlDatabase }}
-        user: postgres
-        password: {{ .Values.postgresql.postgresqlPassword }}
-        host: {{ .Release.Name }}-postgresql
-        port: ''
-    log:
-      level:
-        console: DEBUG
-        file: DEBUG
-      file: /dev/null
-      syslog:
-        host: 127.0.0.1
-        port: 514
-    email:
-      host: {{ .Values.config.email.host }}
-      port: 25
-      user: ''
-      password: ''
-      use_tls: false
-      use_ssl: false
-      from: passbook <passbook@domain.tld>
-    web:
-      listen: 0.0.0.0
-      port: 8000
-      threads: 30
-    debug: false
-    secure_proxy_header:
-      HTTP_X_FORWARDED_PROTO: https
-    rabbitmq: "user:{{ .Values.rabbitmq.rabbitmq.password }}@{{ .Release.Name }}-rabbitmq"
-    # Error reporting, sends stacktrace to sentry.services.beryju.org
-    error_report_enabled: {{ .Values.config.error_reporting }}
-
-    {{- if .Values.config.secret_key }}
-    secret_key: {{ .Values.config.secret_key }}
-    {{- else }}
-    secret_key: {{ randAlphaNum 50 }}
-    {{- end }}
-
-    domains:
-        {{- range .Values.ingress.hosts }}
-        - {{ . | quote }}
-        {{- end }}
-        - kubernetes-healthcheck-host
-
-    passbook:
-      sign_up:
-        # Enables signup, created users are stored in internal Database and created in LDAP if ldap.create_users is true
-        enabled: true
-      password_reset:
-        # Enable password reset, passwords are reset in internal Database and in LDAP if ldap.reset_password is true
-        enabled: true
-        # Verification the user has to provide in order to be able to reset passwords. Can be any combination of `email`, `2fa`, `security_questions`
-        verification:
-          - email
-      # Text used in title, on login page and multiple other places
-      branding: passbook
-      login:
-        # Override URL used for logo
-        logo_url: null
-        # Override URL used for Background on Login page
-        bg_url: null
-        # Optionally add a subtext, placed below logo on the login page
-        subtext: null
-      footer:
-        links:
-          # Optionally add links to the footer on the login page
-          #  - name: test
-          #    href: https://test
-      # Specify which fields can be used to authenticate. Can be any combination of `username` and `email`
-      uid_fields:
-        - username
-        - email
-      session:
-        remember_age: 2592000 # 60 * 60 * 24 * 30, one month
-    # Provider-specific settings
-    ldap:
-      # # Completely enable or disable LDAP provider
-      # enabled: false
-      # # AD Domain, used to generate `userPrincipalName`
-      # domain: corp.contoso.com
-      # # Base DN in which passbook should look for users
-      # base_dn: dn=corp,dn=contoso,dn=com
-      # # LDAP field which is used to set the django username
-      # username_field: sAMAccountName
-      # # LDAP server to connect to, can be set to `<domain_name>`
-      # server:
-      #   name: corp.contoso.com
-      #   use_tls: false
-      # # Bind credentials, used for account creation
-      # bind:
-      #   username: Administraotr@corp.contoso.com
-      #   password: VerySecurePassword!
-      # Which field from `uid_fields` maps to which LDAP Attribute
-      login_field_map:
-        username: sAMAccountName
-        email: mail # or userPrincipalName
-      user_attribute_map:
-        active_directory:
-          username: "%(sAMAccountName)s"
-          email: "%(mail)s"
-          name: "%(displayName)"
-      # # Create new users in LDAP upon sign-up
-      # create_users: true
-      # # Reset LDAP password when user reset their password
-      # reset_password: true
-    oauth_client:
-      # List of python packages with sources types to load.
-      types:
-        - passbook.oauth_client.source_types.discord
-        - passbook.oauth_client.source_types.facebook
-        - passbook.oauth_client.source_types.github
-        - passbook.oauth_client.source_types.google
-        - passbook.oauth_client.source_types.reddit
-        - passbook.oauth_client.source_types.supervisr
-        - passbook.oauth_client.source_types.twitter
-        - passbook.oauth_client.source_types.azure_ad
-    saml_idp:
-      signing: true
-      autosubmit: false
-      issuer: passbook
-      assertion_valid_for: 86400
-      # List of python packages with provider types to load.
-      types:
-        - passbook.saml_idp.processors.generic
-        - passbook.saml_idp.processors.aws
-        - passbook.saml_idp.processors.gitlab
-        - passbook.saml_idp.processors.nextcloud
-        - passbook.saml_idp.processors.salesforce
-        - passbook.saml_idp.processors.shibboleth
-        - passbook.saml_idp.processors.wordpress_orange

helm/passbook/templates/passbook-web-deployment.yaml

@@ -1,67 +0,0 @@
-apiVersion: apps/v1beta2
-kind: Deployment
-metadata:
-  name: {{ include "passbook.fullname" . }}-web
-  labels:
-    app.kubernetes.io/name: {{ include "passbook.name" . }}
-    helm.sh/chart: {{ include "passbook.chart" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-spec:
-  replicas: {{ .Values.replicaCount }}
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: {{ include "passbook.name" . }}
-      app.kubernetes.io/instance: {{ .Release.Name }}
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: {{ include "passbook.name" . }}
-        app.kubernetes.io/instance: {{ .Release.Name }}
-        passbook.io/component: web
-    spec:
-      volumes:
-        - name: config-volume
-          configMap:
-            name: {{ include "passbook.fullname" . }}-config
-      containers:
-        - name: {{ .Chart.Name }}
-          image: "docker.pkg.beryju.org/passbook:{{ .Values.image.tag }}"
-          imagePullPolicy: IfNotPresent
-          command: ["/bin/sh","-c"]
-          args: ["./manage.py migrate && ./manage.py web"]
-          ports:
-            - name: http
-              containerPort: 8000
-              protocol: TCP
-          volumeMounts:
-            - mountPath: /etc/passbook
-              name: config-volume
-          livenessProbe:
-            httpGet:
-              path: /
-              port: http
-              httpHeaders:
-                - name: Host
-                  value: kubernetes-healthcheck-host
-          readinessProbe:
-            httpGet:
-              path: /
-              port: http
-              httpHeaders:
-                - name: Host
-                  value: kubernetes-healthcheck-host
-          resources:
-{{ toYaml .Values.resources | indent 12 }}
-    {{- with .Values.nodeSelector }}
-      nodeSelector:
-{{ toYaml . | indent 8 }}
-    {{- end }}
-    {{- with .Values.affinity }}
-      affinity:
-{{ toYaml . | indent 8 }}
-    {{- end }}
-    {{- with .Values.tolerations }}
-      tolerations:
-{{ toYaml . | indent 8 }}
-    {{- end }}

helm/passbook/templates/passbook-worker-deployment.yaml

@@ -1,52 +0,0 @@
-apiVersion: apps/v1beta2
-kind: Deployment
-metadata:
-  name: {{ include "passbook.fullname" . }}-worker
-  labels:
-    app.kubernetes.io/name: {{ include "passbook.name" . }}
-    helm.sh/chart: {{ include "passbook.chart" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-spec:
-  replicas: {{ .Values.replicaCount }}
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: {{ include "passbook.name" . }}
-      app.kubernetes.io/instance: {{ .Release.Name }}
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: {{ include "passbook.name" . }}
-        app.kubernetes.io/instance: {{ .Release.Name }}
-        passbook.io/component: worker
-    spec:
-      volumes:
-        - name: config-volume
-          configMap:
-            name: {{ include "passbook.fullname" . }}-config
-      containers:
-        - name: {{ .Chart.Name }}
-          image: "docker.pkg.beryju.org/passbook:{{ .Values.image.tag }}"
-          imagePullPolicy: IfNotPresent
-          command: ["./manage.py", "worker"]
-          ports:
-            - name: http
-              containerPort: 8000
-              protocol: TCP
-          volumeMounts:
-            - mountPath: /etc/passbook
-              name: config-volume
-          resources:
-{{ toYaml .Values.resources | indent 12 }}
-    {{- with .Values.nodeSelector }}
-      nodeSelector:
-{{ toYaml . | indent 8 }}
-    {{- end }}
-    {{- with .Values.affinity }}
-      affinity:
-{{ toYaml . | indent 8 }}
-    {{- end }}
-    {{- with .Values.tolerations }}
-      tolerations:
-{{ toYaml . | indent 8 }}
-    {{- end }}