new release: 0.6.9-beta

LDAP rewrite

See merge request BeryJu.org/passbook!28

.bumpversion.cfg

@@ -1,10 +1,10 @@
 [bumpversion]
-current_version = 0.1.30-beta
+current_version = 0.6.9-beta
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\-(?P<release>.*)
 serialize = {major}.{minor}.{patch}-{release}
-message = bump version: {current_version} -> {new_version}
+message = new release: {new_version}
 tag_name = version/{new_version}
 
 [bumpversion:part:release]
@@ -15,10 +15,6 @@ values =
 	beta
 	stable
 
-[bumpversion:file:client-packages/allauth/setup.py]
-
-[bumpversion:file:client-packages/sentry-auth-passbook/setup.py]
-
 [bumpversion:file:helm/passbook/values.yaml]
 
 [bumpversion:file:helm/passbook/Chart.yaml]
@@ -27,33 +23,5 @@ values =
 
 [bumpversion:file:passbook/__init__.py]
 
-[bumpversion:file:passbook/api/__init__.py]
-
-[bumpversion:file:passbook/core/__init__.py]
-
-[bumpversion:file:passbook/admin/__init__.py]
-
-[bumpversion:file:passbook/captcha_factor/__init__.py]
-
-[bumpversion:file:passbook/oauth_client/__init__.py]
-
-[bumpversion:file:passbook/ldap/__init__.py]
-
-[bumpversion:file:passbook/lib/__init__.py]
-
-[bumpversion:file:passbook/hibp_policy/__init__.py]
-
-[bumpversion:file:passbook/password_expiry_policy/__init__.py]
-
-[bumpversion:file:passbook/saml_idp/__init__.py]
-
-[bumpversion:file:passbook/audit/__init__.py]
-
-[bumpversion:file:passbook/oauth_provider/__init__.py]
-
-[bumpversion:file:passbook/otp/__init__.py]
-
-[bumpversion:file:passbook/app_gw/__init__.py]
-
-[bumpversion:file:passbook/suspicious_policy/__init__.py]
+[bumpversion:file:docker/nginx.conf]
 

.coveragerc

@@ -1,12 +1,10 @@
 [run]
 source = passbook
 omit =
-    env/
     */wsgi.py
     manage.py
     */migrations/*
     */apps.py
-    passbook/management/commands/nexus_upload.py
     passbook/management/commands/web.py
     passbook/management/commands/worker.py
     docs/

.dockerignore

@@ -2,3 +2,4 @@ env
 helm
 passbook-ui
 static
+*.env.yml

.editorconfig

@@ -9,3 +9,6 @@ insert_final_newline = true
 
 [html]
 indent_size = 2
+
+[yaml]
+indent_size = 2

.gitignore

@@ -191,3 +191,4 @@ pip-selfcheck.json
 # End of https://www.gitignore.io/api/python,django
 /static/
 local.env.yml
+.vscode/

.gitlab-ci.yml

@@ -1,157 +1,152 @@
 # Global Variables
-before_script:
-    - "python3 -m pip install -U virtualenv"
-    - "virtualenv env"
-    - "source env/bin/activate"
-    - "pip3 install -U -r requirements-dev.txt"
 stages:
-    - test
-    - build
-    - docs
-    - deploy
-image: python:3.6
-services:
+  - build-base-image
+  - build-dev-image
+  - test
+  - build
+  - package
+  - post-release
+image: docker.beryju.org/passbook/dev:latest
+
+variables:
+  POSTGRES_DB: passbook
+  POSTGRES_USER: passbook
+  POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
+
+before_script:
+  - pip install pipenv
+  # Ensure all dependencies are installed, even those not included in passbook/dev
+  # According to pipenv docs, -d outputs all packages, however it actually does not
+  - pipenv lock -r > requirements-all.txt
+  - pipenv lock -rd >> requirements-all.txt
+  - pip install -r requirements-all.txt
+
+create-base-image:
+  image:
+    name: gcr.io/kaniko-project/executor:debug
+    entrypoint: [""]
+  before_script:
+    - echo "{\"auths\":{\"docker.beryju.org\":{\"auth\":\"$DOCKER_AUTH\"}}}" > /kaniko/.docker/config.json
+  script:
+    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/base.Dockerfile --destination docker.beryju.org/passbook/base:latest
+  stage: build-base-image
+  only:
+    refs:
+      - tags
+      - /^version/.*$/
+
+build-dev-image:
+  image:
+    name: gcr.io/kaniko-project/executor:debug
+    entrypoint: [""]
+  before_script:
+    - echo "{\"auths\":{\"docker.beryju.org\":{\"auth\":\"$DOCKER_AUTH\"}}}" > /kaniko/.docker/config.json
+  script:
+    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/dev.Dockerfile --destination docker.beryju.org/passbook/dev:latest
+  stage: build-dev-image
+  only:
+    refs:
+      - tags
+      - /^version/.*$/
+
+
+isort:
+  script:
+    - isort -c -sg env
+  stage: test
+  services:
+  - postgres:latest
+  - redis:latest
+migrations:
+  script:
+    - python manage.py migrate
+  stage: test
+  services:
+  - postgres:latest
+  - redis:latest
+# prospector:
+#   script:
+#     - prospector
+#   stage: test
+#   services:
+#   - postgres:latest
+#   - redis:latest
+pylint:
+  script:
+    - pylint passbook
+  stage: test
+  services:
+  - postgres:latest
+  - redis:latest
+coverage:
+  script:
+    - coverage run manage.py test
+    - coverage report
+    - coverage html
+  stage: test
+  services:
+  - postgres:latest
+  - redis:latest
+
+build-passbook-server:
+  stage: build
+  image:
+    name: gcr.io/kaniko-project/executor:debug
+    entrypoint: [""]
+  before_script:
+    - echo "{\"auths\":{\"docker.beryju.org\":{\"auth\":\"$DOCKER_AUTH\"}}}" > /kaniko/.docker/config.json
+  script:
+    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination docker.beryju.org/passbook/server:latest --destination docker.beryju.org/passbook/server:0.6.9-beta
+  only:
+    - tags
+    - /^version/.*$/
+build-passbook-static:
+  stage: build
+  image:
+    name: gcr.io/kaniko-project/executor:debug
+    entrypoint: [""]
+  before_script:
+    - echo "{\"auths\":{\"docker.beryju.org\":{\"auth\":\"$DOCKER_AUTH\"}}}" > /kaniko/.docker/config.json
+  script:
+    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/static.Dockerfile --destination docker.beryju.org/passbook/static:latest --destination docker.beryju.org/passbook/static:0.6.9-beta
+  only:
+    - tags
+    - /^version/.*$/
+  # running collectstatic fully initialises django, hence we need that databases
+  services:
     - postgres:latest
     - redis:latest
 
-variables:
-    POSTGRES_DB: passbook
-    POSTGRES_USER: passbook
-    POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
-
-include:
-    - /client-packages/allauth/.gitlab-ci.yml
-
-isort:
-    script:
-        - isort -c -sg env
-    stage: test
-migrations:
-    script:
-        - python manage.py migrate
-    stage: test
-prospector:
-    script:
-        - prospector
-    stage: test
-pylint:
-    script:
-        - pylint passbook
-    stage: test
-coverage:
-    script:
-        - python manage.py collectstatic --no-input
-        - coverage run manage.py test
-        - coverage report
-    stage: test
-bandit:
-    script:
-        - bandit -r passbook
-    stage: test
-
-package-docker:
-    image:
-        name: gcr.io/kaniko-project/executor:debug
-        entrypoint: [""]
-    before_script:
-        - echo "{\"auths\":{\"docker.$NEXUS_URL\":{\"auth\":\"$NEXUS_AUTH\"}}}" > /kaniko/.docker/config.json
-    script:
-        - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination docker.pkg.beryju.org/passbook:latest --destination docker.pkg.beryju.org/passbook:0.1.30-beta
-    stage: build
-    only:
-        - tags
-        - /^version/.*$/
 package-helm:
-    stage: build
-    script:
-        - curl https://raw.githubusercontent.com/helm/helm/master/scripts/get | bash
-        - helm init --client-only
-        - helm package helm/passbook
-        - ./manage.py nexus_upload --method put --url $NEXUS_URL --auth $NEXUS_AUTH --repo helm *.tgz
-    only:
-        - tags
-        - /^version/.*$/
-package-debian:
-    before_script:
-        - apt update
-        - apt install -y --no-install-recommends build-essential debhelper devscripts equivs python3 python3-dev python3-pip libsasl2-dev libldap2-dev
-        - mk-build-deps debian/control
-        - apt install ./*build-deps*deb -f -y
-        - python3 -m pip install -U virtualenv pip
-        - virtualenv env
-        - source env/bin/activate
-        - pip3 install -U -r requirements.txt -r requirements-dev.txt
-        - ./manage.py collectstatic --no-input
-    image: ubuntu:18.04
-    script:
-        - debuild -us -uc
-        - cp ../passbook*.deb .
-        - ./manage.py nexus_upload --method post --url $NEXUS_URL --auth $NEXUS_AUTH --repo apt passbook*deb
-    artifacts:
-        paths:
-            - passbook*deb
-        expire_in: 2 days
-    stage: build
-    only:
-        - tags
-        - /^version/.*$/
+  image: debian:stretch-slim
+  stage: package
+  before_script:
+    - apt update && apt install -y curl
+    - curl https://raw.githubusercontent.com/helm/helm/master/scripts/get | bash
+  script:
+    - helm init --client-only
+    - helm dependency update helm/passbook
+    - helm package helm/passbook
+  artifacts:
+    paths:
+      - passbook-*.tgz
+    expire_in: 1 week
+  only:
+    - tags
+    - /^version/.*$/
 
-package-client-package-allauth:
-    script:
-        - cd client-packages/allauth
-        - python setup.py sdist
-        - twine upload --username $TWINE_USERNAME --password $TWINE_PASSWORD dist/*
-    stage: build
-    only:
-        refs:
-            - tags
-            - /^version/.*$/
-        changes:
-            - client-packages/allauth/**
-
-package-client-package-sentry:
-    script:
-        - cd client-packages/sentry-auth-passbook
-        - python setup.py sdist
-        - twine upload --username $TWINE_USERNAME --password $TWINE_PASSWORD dist/*
-    stage: build
-    only:
-        refs:
-            - tags
-            - /^version/.*$/
-        changes:
-            - client-packages/sentry-auth-passbook/**
-
-# docs:
-#   stage: docs
-#   only:
-#   - master
-#   - tags
-#   - /^debian/.*$/
-#   environment:
-#     name: docs
-#     url: "https://passbook.beryju.org/docs/"
-#   script:
-#     - apt update
-#     - apt install -y rsync
-#     - "mkdir ~/.ssh"
-#     - "cp .gitlab/known_hosts ~/.ssh/"
-#     - "pip3 install -U -r requirements-docs.txt"
-#     - "eval $(ssh-agent -s)"
-#     - "echo \"${CI_SSH_PRIVATE}\" | ssh-add -"
-#     - mkdocs build
-#     - 'rsync -avh --delete web/* "beryjuorg@ory1-web-prod-1.ory1.beryju.org:passbook.beryju.org/"'
-#     - 'rsync -avh --delete site/* "beryjuorg@ory1-web-prod-1.ory1.beryju.org:passbook.beryju.org/docs/"'
-
-# deploy:
-#   environment:
-#     name: production
-#     url: https://passbook-prod.default.k8s.beryju.org/
-#   stage: deploy
-#   only:
-#   - tags
-#   - /^version/.*$/
-#   script:
-#     - curl https://raw.githubusercontent.com/helm/helm/master/scripts/get | bash
-#     - helm init
-#     - helm upgrade passbook-prod helm/passbook --devel
+notify-sentry:
+  image: getsentry/sentry-cli
+  stage: post-release
+  variables:
+    SENTRY_URL: https://sentry.beryju.org
+    SENTRY_ORG: beryjuorg
+    SENTRY_PROJECT: passbook
+  before_script:
+    - apk add curl
+  script:
+    - sentry-cli releases new passbook@0.6.9-beta
+    - sentry-cli releases set-commits --auto passbook@0.6.9-beta
+  only:
+    - tags
+    - /^version/.*$/

.prospector.yaml

@@ -3,11 +3,9 @@ test-warnings: true
 doc-warnings: false
 
 ignore-paths:
-  - env
   - migrations
   - docs
   - node_modules
-  - client-packages
 
 uses:
  - django

.pylintrc

@@ -2,9 +2,10 @@
 
 disable=redefined-outer-name,arguments-differ,no-self-use,cyclic-import,fixme,locally-disabled,unpacking-non-sequence,too-many-ancestors,too-many-branches,too-few-public-methods
 load-plugins=pylint_django,pylint.extensions.bad_builtin
-#,pylint.extensions.docparams
 extension-pkg-whitelist=lxml
 const-rgx=[a-zA-Z0-9_]{1,40}$
+ignored-modules=django-otp
+jobs=4
 
 [SIMILARITIES]
 

.vscode/.ropeproject/config.py

@@ -1,114 +0,0 @@
-# The default ``config.py``
-# flake8: noqa
-
-
-def set_prefs(prefs):
-    """This function is called before opening the project"""
-
-    # Specify which files and folders to ignore in the project.
-    # Changes to ignored resources are not added to the history and
-    # VCSs.  Also they are not returned in `Project.get_files()`.
-    # Note that ``?`` and ``*`` match all characters but slashes.
-    # '*.pyc': matches 'test.pyc' and 'pkg/test.pyc'
-    # 'mod*.pyc': matches 'test/mod1.pyc' but not 'mod/1.pyc'
-    # '.svn': matches 'pkg/.svn' and all of its children
-    # 'build/*.o': matches 'build/lib.o' but not 'build/sub/lib.o'
-    # 'build//*.o': matches 'build/lib.o' and 'build/sub/lib.o'
-    prefs['ignored_resources'] = ['*.pyc', '*~', '.ropeproject',
-                                  '.hg', '.svn', '_svn', '.git', '.tox']
-
-    # Specifies which files should be considered python files.  It is
-    # useful when you have scripts inside your project.  Only files
-    # ending with ``.py`` are considered to be python files by
-    # default.
-    # prefs['python_files'] = ['*.py']
-
-    # Custom source folders:  By default rope searches the project
-    # for finding source folders (folders that should be searched
-    # for finding modules).  You can add paths to that list.  Note
-    # that rope guesses project source folders correctly most of the
-    # time; use this if you have any problems.
-    # The folders should be relative to project root and use '/' for
-    # separating folders regardless of the platform rope is running on.
-    # 'src/my_source_folder' for instance.
-    # prefs.add('source_folders', 'src')
-
-    # You can extend python path for looking up modules
-    # prefs.add('python_path', '~/python/')
-
-    # Should rope save object information or not.
-    prefs['save_objectdb'] = True
-    prefs['compress_objectdb'] = False
-
-    # If `True`, rope analyzes each module when it is being saved.
-    prefs['automatic_soa'] = True
-    # The depth of calls to follow in static object analysis
-    prefs['soa_followed_calls'] = 0
-
-    # If `False` when running modules or unit tests "dynamic object
-    # analysis" is turned off.  This makes them much faster.
-    prefs['perform_doa'] = True
-
-    # Rope can check the validity of its object DB when running.
-    prefs['validate_objectdb'] = True
-
-    # How many undos to hold?
-    prefs['max_history_items'] = 32
-
-    # Shows whether to save history across sessions.
-    prefs['save_history'] = True
-    prefs['compress_history'] = False
-
-    # Set the number spaces used for indenting.  According to
-    # :PEP:`8`, it is best to use 4 spaces.  Since most of rope's
-    # unit-tests use 4 spaces it is more reliable, too.
-    prefs['indent_size'] = 4
-
-    # Builtin and c-extension modules that are allowed to be imported
-    # and inspected by rope.
-    prefs['extension_modules'] = []
-
-    # Add all standard c-extensions to extension_modules list.
-    prefs['import_dynload_stdmods'] = True
-
-    # If `True` modules with syntax errors are considered to be empty.
-    # The default value is `False`; When `False` syntax errors raise
-    # `rope.base.exceptions.ModuleSyntaxError` exception.
-    prefs['ignore_syntax_errors'] = False
-
-    # If `True`, rope ignores unresolvable imports.  Otherwise, they
-    # appear in the importing namespace.
-    prefs['ignore_bad_imports'] = False
-
-    # If `True`, rope will insert new module imports as
-    # `from <package> import <module>` by default.
-    prefs['prefer_module_from_imports'] = False
-
-    # If `True`, rope will transform a comma list of imports into
-    # multiple separate import statements when organizing
-    # imports.
-    prefs['split_imports'] = False
-
-    # If `True`, rope will remove all top-level import statements and
-    # reinsert them at the top of the module when making changes.
-    prefs['pull_imports_to_top'] = True
-
-    # If `True`, rope will sort imports alphabetically by module name instead
-    # of alphabetically by import statement, with from imports after normal
-    # imports.
-    prefs['sort_imports_alphabetically'] = False
-
-    # Location of implementation of
-    # rope.base.oi.type_hinting.interfaces.ITypeHintingFactory In general
-    # case, you don't have to change this value, unless you're an rope expert.
-    # Change this value to inject you own implementations of interfaces
-    # listed in module rope.base.oi.type_hinting.providers.interfaces
-    # For example, you can add you own providers for Django Models, or disable
-    # the search type-hinting in a class hierarchy, etc.
-    prefs['type_hinting_factory'] = (
-        'rope.base.oi.type_hinting.factory.default_type_hinting_factory')
-
-
-def project_opened(project):
-    """This function is called after opening the project"""
-    # Do whatever you like here!

.vscode/settings.json

@@ -1,11 +0,0 @@
-{
-  "python.pythonPath": "env/bin/python",
-  "editor.tabSize": 4,
-  "[html]": {
-    "editor.tabSize": 2
-  },
-  "cSpell.words": [
-    "SAML",
-    "passbook"
-  ]
-}

Dockerfile

@@ -1,34 +1,9 @@
-FROM python:3.6-slim-stretch as build
+FROM docker.beryju.org/passbook/base:latest
 
 COPY ./passbook/ /app/passbook
 COPY ./manage.py /app/
-COPY ./requirements.txt /app/
+COPY ./docker/uwsgi.ini /app/
 
 WORKDIR /app/
 
-RUN apt-get update && apt-get install build-essential libssl-dev libffi-dev libpq-dev -y && \
-    mkdir /app/static/ && \
-    pip install -r requirements.txt && \
-    pip install psycopg2 && \
-    ./manage.py collectstatic --no-input && \
-    apt-get remove --purge -y build-essential && \
-    apt-get autoremove --purge -y
-
-FROM python:3.6-slim-stretch
-
-COPY ./passbook/ /app/passbook
-COPY ./manage.py /app/
-COPY ./requirements.txt /app/
-COPY --from=build /app/static /app/static/
-
-WORKDIR /app/
-
-RUN apt-get update && apt-get install build-essential libssl-dev libffi-dev libpq-dev -y && \
-    pip install -r requirements.txt && \
-    pip install psycopg2 && \
-    adduser --system --home /app/ passbook && \
-    chown -R passbook /app/ && \
-    apt-get remove --purge -y build-essential && \
-    apt-get autoremove --purge -y
-
 USER passbook

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2018 BeryJu.org
+Copyright (c) 2019 BeryJu.org
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

Pipfile

@@ -0,0 +1,54 @@
+[[source]]
+name = "pypi"
+url = "https://pypi.org/simple"
+verify_ssl = true
+
+[packages]
+celery = "*"
+cherrypy = "*"
+defusedxml = "*"
+django = "*"
+kombu = "==4.5.0"
+django-cors-middleware = "*"
+django-filters = "*"
+django-ipware = "*"
+django-model-utils = "*"
+django-oauth-toolkit = "*"
+django-oidc-provider = "*"
+django-otp = "*"
+django-recaptcha = "*"
+django-redis = "*"
+django-rest-framework = "*"
+drf-yasg = "*"
+ldap3 = "*"
+lxml = "*"
+markdown = "*"
+oauthlib = "*"
+packaging = "*"
+psycopg2-binary = "*"
+pycryptodome = "*"
+pyyaml = "*"
+qrcode = "*"
+requests-oauthlib = "*"
+sentry-sdk = "*"
+service_identity = "*"
+signxml = "*"
+urllib3 = {extras = ["secure"],version = "*"}
+structlog = "*"
+pyuwsgi = "*"
+
+[requires]
+python_version = "3.7"
+
+[dev-packages]
+coverage = "*"
+isort = "*"
+pylint = "==2.3.1"
+pylint-django = "*"
+prospector = "*"
+django-debug-toolbar = "*"
+bumpversion = "*"
+unittest-xml-reporting = "*"
+autopep8 = "*"
+bandit = "*"
+colorama = "*"

README.md

@@ -0,0 +1,11 @@
+# passbook
+
+## Quick instance
+
+```
+export PASSBOOK_DOMAIN=domain.tld
+docker-compose pull
+docker-compose up -d
+docker-compose exec server ./manage.py migrate
+docker-compose exec server ./manage.py createsuperuser
+```

base.Dockerfile

@@ -0,0 +1,20 @@
+FROM python:3.7-slim-buster as locker
+
+COPY ./Pipfile /app/
+COPY ./Pipfile.lock /app/
+
+WORKDIR /app/
+
+RUN pip install pipenv && \
+    pipenv lock -r > requirements.txt && \
+    pipenv lock -rd > requirements-dev.txt
+
+FROM python:3.7-slim-buster
+
+COPY --from=locker /app/requirements.txt /app/
+COPY --from=locker /app/requirements-dev.txt /app/
+
+WORKDIR /app/
+
+RUN pip install -r requirements.txt  --no-cache-dir && \
+    adduser --system --no-create-home --uid 1000 --group --home /app passbook

client-packages/allauth/.gitlab-ci.yml

@@ -1,27 +0,0 @@
-# Global Variables
-before_script:
-  - cd allauth/
-  - "python3 -m pip install -U virtualenv"
-  - "virtualenv env"
-  - "source env/bin/activate"
-  - "pip3 install -U -r requirements-dev.txt"
-stages:
-  - test-allauth
-image: python:3.6
-
-isort:
-  script:
-    - isort -c -sg env
-  stage: test-allauth
-prospector:
-  script:
-    - prospector
-  stage: test-allauth
-pylint:
-  script:
-    - pylint passbook
-  stage: test-allauth
-bandit:
-  script:
-    - bandit -r allauth_passbook
-  stage: test-allauth

client-packages/allauth/allauth_passbook/provider.py

@@ -1,35 +0,0 @@
-"""passbook provider"""
-from allauth.socialaccount.providers.base import ProviderAccount
-from allauth.socialaccount.providers.oauth2.provider import OAuth2Provider
-
-
-class PassbookAccount(ProviderAccount):
-    """passbook account"""
-
-    def to_str(self):
-        dflt = super().to_str()
-        return self.account.extra_data.get('username', dflt)
-
-
-class PassbookProvider(OAuth2Provider):
-    """passbook provider"""
-
-    id = 'passbook'
-    name = 'passbook'
-    account_class = PassbookAccount
-
-    def extract_uid(self, data):
-        return str(data['sub'])
-
-    def extract_common_fields(self, data):
-        return {
-            'email': data.get('email'),
-            'username': data.get('preferred_username'),
-            'name': data.get('name'),
-        }
-
-    def get_default_scope(self):
-        return ['openid:userinfo']
-
-
-provider_classes = [PassbookProvider] # noqa

client-packages/allauth/allauth_passbook/urls.py

@@ -1,6 +0,0 @@
-"""passbook provider"""
-from allauth.socialaccount.providers.oauth2.urls import default_urlpatterns
-
-from allauth_passbook.provider import PassbookProvider
-
-urlpatterns = default_urlpatterns(PassbookProvider)

client-packages/allauth/allauth_passbook/views.py

@@ -1,37 +0,0 @@
-"""passbook adapter"""
-import requests
-from allauth.socialaccount import app_settings
-from allauth.socialaccount.providers.oauth2.views import (OAuth2Adapter,
-                                                          OAuth2CallbackView,
-                                                          OAuth2LoginView)
-
-from allauth_passbook.provider import PassbookProvider
-
-
-class PassbookOAuth2Adapter(OAuth2Adapter):
-    """passbook OAuth2 Adapter"""
-    provider_id = PassbookProvider.id
-    # pylint: disable=no-member
-    settings = app_settings.PROVIDERS.get(provider_id, {}) # noqa
-    provider_base_url = settings.get("PASSBOOK_URL", 'https://id.beryju.org')
-
-    access_token_url = '{0}/application/oauth/token/'.format(provider_base_url)
-    authorize_url = '{0}/application/oauth/authorize/'.format(provider_base_url)
-    profile_url = '{0}/api/v1/openid/'.format(
-        provider_base_url)
-
-    def complete_login(self, request, app, access_token, **kwargs):
-        headers = {
-            'Authorization': 'Bearer {0}'.format(access_token.token),
-            'Content-Type': 'application/json',
-        }
-        extra_data = requests.get(self.profile_url, headers=headers)
-
-        return self.get_provider().sociallogin_from_response(
-            request,
-            extra_data.json()
-        )
-
-
-oauth2_login = OAuth2LoginView.adapter_view(PassbookOAuth2Adapter) # noqa
-oauth2_callback = OAuth2CallbackView.adapter_view(PassbookOAuth2Adapter) # noqa

client-packages/allauth/requirements.txt

@@ -1 +0,0 @@
-django-allauth

client-packages/allauth/setup.py

@@ -1,33 +0,0 @@
-"""passbook allauth setup.py"""
-from setuptools import setup
-
-setup(
-    name='django-allauth-passbook',
-    version='0.1.30-beta',
-    description='passbook support for django-allauth',
-    # long_description='\n'.join(read_simple('docs/index.md')[2:]),
-    long_description_content_type='text/markdown',
-    author='BeryJu.org',
-    author_email='hello@beryju.org',
-    packages=['allauth_passbook'],
-    include_package_data=True,
-    install_requires=['django-allauth'],
-    keywords='django allauth passbook',
-    license='MIT',
-    classifiers=[
-        'Intended Audience :: Developers',
-        'Topic :: Software Development :: Libraries :: Python Modules',
-        'Environment :: Web Environment',
-        'Topic :: Internet',
-        'License :: OSI Approved :: MIT License',
-        'Operating System :: OS Independent',
-        'Programming Language :: Python',
-        'Programming Language :: Python :: 3.4',
-        'Programming Language :: Python :: 3.5',
-        'Programming Language :: Python :: 3.6',
-        'Framework :: Django',
-        'Framework :: Django :: 1.11',
-        'Framework :: Django :: 2.0',
-        'Framework :: Django :: 2.1',
-    ],
-)

client-packages/sentry-auth-passbook/.gitignore

@@ -1,5 +0,0 @@
-*.pyc
-*.egg-info/
-*.eggs
-/dist
-/build

client-packages/sentry-auth-passbook/.travis.yml

@@ -1,32 +0,0 @@
-sudo: false
-language: python
-services:
-  - memcached
-  - postgresql
-  - redis-server
-python:
-  - '2.7'
-cache:
-  directories:
-    - node_modules
-    - "$HOME/.cache/pip"
-deploy:
-  provider: pypi
-  user: getsentry
-  password:
-    secure: kVmxKHkBWRLYyZme05p+WZSJmb8GjHV9uyuaSCVMRlqWCW+GXRB7P1xXR2jb9URTlNdcs56Ab/UrwzCbMFGC8LmwCeFVgIR/ltytVZG2FgXZPWaeA4dH25qK2oGWgzJ/xeiMpmuJqN9hRl25MX6jG7FZKvrrOkG7+8tpPd1yO+uYWZQbnebZMjcPBqEpn7CC0hR39GSoyVAbydpMe5hwENGQM26CepcicdrelfawItoUrXrkJzBHkIQQTO/xRSbCtRJOtzI5lwtv3GP0hcbOy5tI5dhG/93pLwZRc5+dZaCaP7oaVeOcBjN0zfINRQobt8d6h2Qgvd/YyFkGi0/xKn1zMmKIVLOG6VsYwEAUq8wNOsP4A/jdm4Y0J/1oEZStCkpaGpx85TYi4kq1hWQdyqaVJSPhh4Tk4roIaS2zOYQl+nIpbHqmJ4FJrg1il+TCdjBXobATQ1mKRBUrjD+RDzH/r4ogbd8+UwvvvevpqS2K+/wgT6UD0MzDInv9S29CUQvuFhPoqyJb5XRddHMRE9EEK/2Z8tFN91sDATnqfXHgwnvu00q/nKP5JnijBPzGmx7ydgUViIukklDrlPvo9BbRJz0Vr2vbAvMTrLMLCXqi5CwTm+v+iaOf/YaCziaG2vx0eVASYjpOLCedSgRZBubPM8z4E/HMXhChN7sVDWk=
-  on:
-    tags: true
-  distributions: sdist bdist_wheel
-env:
-  global:
-    - PIP_DOWNLOAD_CACHE=".pip_download_cache"
-before_install:
-  - pip install codecov
-install:
-  - make develop
-script:
-  - PYFLAKES_NODOCTEST=1 flake8
-  - coverage run --source=. -m py.test tests
-after_success:
-  - codecov

client-packages/sentry-auth-passbook/LICENSE

@@ -1,201 +0,0 @@
-                              Apache License
-                        Version 2.0, January 2004
-                     http://www.apache.org/licenses/
-
-TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
-1. Definitions.
-
-   "License" shall mean the terms and conditions for use, reproduction,
-   and distribution as defined by Sections 1 through 9 of this document.
-
-   "Licensor" shall mean the copyright owner or entity authorized by
-   the copyright owner that is granting the License.
-
-   "Legal Entity" shall mean the union of the acting entity and all
-   other entities that control, are controlled by, or are under common
-   control with that entity. For the purposes of this definition,
-   "control" means (i) the power, direct or indirect, to cause the
-   direction or management of such entity, whether by contract or
-   otherwise, or (ii) ownership of fifty percent (50%) or more of the
-   outstanding shares, or (iii) beneficial ownership of such entity.
-
-   "You" (or "Your") shall mean an individual or Legal Entity
-   exercising permissions granted by this License.
-
-   "Source" form shall mean the preferred form for making modifications,
-   including but not limited to software source code, documentation
-   source, and configuration files.
-
-   "Object" form shall mean any form resulting from mechanical
-   transformation or translation of a Source form, including but
-   not limited to compiled object code, generated documentation,
-   and conversions to other media types.
-
-   "Work" shall mean the work of authorship, whether in Source or
-   Object form, made available under the License, as indicated by a
-   copyright notice that is included in or attached to the work
-   (an example is provided in the Appendix below).
-
-   "Derivative Works" shall mean any work, whether in Source or Object
-   form, that is based on (or derived from) the Work and for which the
-   editorial revisions, annotations, elaborations, or other modifications
-   represent, as a whole, an original work of authorship. For the purposes
-   of this License, Derivative Works shall not include works that remain
-   separable from, or merely link (or bind by name) to the interfaces of,
-   the Work and Derivative Works thereof.
-
-   "Contribution" shall mean any work of authorship, including
-   the original version of the Work and any modifications or additions
-   to that Work or Derivative Works thereof, that is intentionally
-   submitted to Licensor for inclusion in the Work by the copyright owner
-   or by an individual or Legal Entity authorized to submit on behalf of
-   the copyright owner. For the purposes of this definition, "submitted"
-   means any form of electronic, verbal, or written communication sent
-   to the Licensor or its representatives, including but not limited to
-   communication on electronic mailing lists, source code control systems,
-   and issue tracking systems that are managed by, or on behalf of, the
-   Licensor for the purpose of discussing and improving the Work, but
-   excluding communication that is conspicuously marked or otherwise
-   designated in writing by the copyright owner as "Not a Contribution."
-
-   "Contributor" shall mean Licensor and any individual or Legal Entity
-   on behalf of whom a Contribution has been received by Licensor and
-   subsequently incorporated within the Work.
-
-2. Grant of Copyright License. Subject to the terms and conditions of
-   this License, each Contributor hereby grants to You a perpetual,
-   worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-   copyright license to reproduce, prepare Derivative Works of,
-   publicly display, publicly perform, sublicense, and distribute the
-   Work and such Derivative Works in Source or Object form.
-
-3. Grant of Patent License. Subject to the terms and conditions of
-   this License, each Contributor hereby grants to You a perpetual,
-   worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-   (except as stated in this section) patent license to make, have made,
-   use, offer to sell, sell, import, and otherwise transfer the Work,
-   where such license applies only to those patent claims licensable
-   by such Contributor that are necessarily infringed by their
-   Contribution(s) alone or by combination of their Contribution(s)
-   with the Work to which such Contribution(s) was submitted. If You
-   institute patent litigation against any entity (including a
-   cross-claim or counterclaim in a lawsuit) alleging that the Work
-   or a Contribution incorporated within the Work constitutes direct
-   or contributory patent infringement, then any patent licenses
-   granted to You under this License for that Work shall terminate
-   as of the date such litigation is filed.
-
-4. Redistribution. You may reproduce and distribute copies of the
-   Work or Derivative Works thereof in any medium, with or without
-   modifications, and in Source or Object form, provided that You
-   meet the following conditions:
-
-   (a) You must give any other recipients of the Work or
-       Derivative Works a copy of this License; and
-
-   (b) You must cause any modified files to carry prominent notices
-       stating that You changed the files; and
-
-   (c) You must retain, in the Source form of any Derivative Works
-       that You distribute, all copyright, patent, trademark, and
-       attribution notices from the Source form of the Work,
-       excluding those notices that do not pertain to any part of
-       the Derivative Works; and
-
-   (d) If the Work includes a "NOTICE" text file as part of its
-       distribution, then any Derivative Works that You distribute must
-       include a readable copy of the attribution notices contained
-       within such NOTICE file, excluding those notices that do not
-       pertain to any part of the Derivative Works, in at least one
-       of the following places: within a NOTICE text file distributed
-       as part of the Derivative Works; within the Source form or
-       documentation, if provided along with the Derivative Works; or,
-       within a display generated by the Derivative Works, if and
-       wherever such third-party notices normally appear. The contents
-       of the NOTICE file are for informational purposes only and
-       do not modify the License. You may add Your own attribution
-       notices within Derivative Works that You distribute, alongside
-       or as an addendum to the NOTICE text from the Work, provided
-       that such additional attribution notices cannot be construed
-       as modifying the License.
-
-   You may add Your own copyright statement to Your modifications and
-   may provide additional or different license terms and conditions
-   for use, reproduction, or distribution of Your modifications, or
-   for any such Derivative Works as a whole, provided Your use,
-   reproduction, and distribution of the Work otherwise complies with
-   the conditions stated in this License.
-
-5. Submission of Contributions. Unless You explicitly state otherwise,
-   any Contribution intentionally submitted for inclusion in the Work
-   by You to the Licensor shall be under the terms and conditions of
-   this License, without any additional terms or conditions.
-   Notwithstanding the above, nothing herein shall supersede or modify
-   the terms of any separate license agreement you may have executed
-   with Licensor regarding such Contributions.
-
-6. Trademarks. This License does not grant permission to use the trade
-   names, trademarks, service marks, or product names of the Licensor,
-   except as required for reasonable and customary use in describing the
-   origin of the Work and reproducing the content of the NOTICE file.
-
-7. Disclaimer of Warranty. Unless required by applicable law or
-   agreed to in writing, Licensor provides the Work (and each
-   Contributor provides its Contributions) on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-   implied, including, without limitation, any warranties or conditions
-   of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
-   PARTICULAR PURPOSE. You are solely responsible for determining the
-   appropriateness of using or redistributing the Work and assume any
-   risks associated with Your exercise of permissions under this License.
-
-8. Limitation of Liability. In no event and under no legal theory,
-   whether in tort (including negligence), contract, or otherwise,
-   unless required by applicable law (such as deliberate and grossly
-   negligent acts) or agreed to in writing, shall any Contributor be
-   liable to You for damages, including any direct, indirect, special,
-   incidental, or consequential damages of any character arising as a
-   result of this License or out of the use or inability to use the
-   Work (including but not limited to damages for loss of goodwill,
-   work stoppage, computer failure or malfunction, or any and all
-   other commercial damages or losses), even if such Contributor
-   has been advised of the possibility of such damages.
-
-9. Accepting Warranty or Additional Liability. While redistributing
-   the Work or Derivative Works thereof, You may choose to offer,
-   and charge a fee for, acceptance of support, warranty, indemnity,
-   or other liability obligations and/or rights consistent with this
-   License. However, in accepting such obligations, You may act only
-   on Your own behalf and on Your sole responsibility, not on behalf
-   of any other Contributor, and only if You agree to indemnify,
-   defend, and hold each Contributor harmless for any liability
-   incurred by, or claims asserted against, such Contributor by reason
-   of your accepting any such warranty or additional liability.
-
-END OF TERMS AND CONDITIONS
-
-APPENDIX: How to apply the Apache License to your work.
-
-   To apply the Apache License to your work, attach the following
-   boilerplate notice, with the fields enclosed by brackets "[]"
-   replaced with your own identifying information. (Don't include
-   the brackets!)  The text should be enclosed in the appropriate
-   comment syntax for the file format. We also recommend that a
-   file or class name and description of purpose be included on the
-   same "printed page" as the copyright notice for easier
-   identification within third-party archives.
-
-Copyright 2016 Functional Software, Inc.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.

client-packages/sentry-auth-passbook/MANIFEST.in

@@ -1,3 +0,0 @@
-include setup.py package.json webpack.config.js README.rst MANIFEST.in LICENSE AUTHORS
-recursive-include sentry_auth_supervisr/templates *
-global-exclude *~

client-packages/sentry-auth-passbook/Makefile

@@ -1,26 +0,0 @@
-.PHONY: clean develop install-tests lint publish test
-
-develop:
-	pip install "pip>=7"
-	pip install -e .
-	make install-tests
-
-install-tests:
-	pip install .[tests]
-
-lint:
-	@echo "--> Linting python"
-	flake8
-	@echo ""
-
-test:
-	@echo "--> Running Python tests"
-	py.test tests || exit 1
-	@echo ""
-
-publish:
-	python setup.py sdist bdist_wheel upload
-
-clean:
-	rm -rf *.egg-info src/*.egg-info
-	rm -rf dist build

client-packages/sentry-auth-passbook/README.rst

@@ -1,55 +0,0 @@
-GitHub Auth for Sentry
-======================
-
-An SSO provider for Sentry which enables GitHub organization-restricted authentication.
-
-Install
--------
-
-::
-
-    $ pip install https://github.com/getsentry/sentry-auth-github/archive/master.zip
-
-Setup
------
-
-Create a new application under your organization in GitHub. Enter the **Authorization
-callback URL** as the prefix to your Sentry installation:
-
-::
-
-    https://example.sentry.com
-
-
-Once done, grab your API keys and drop them in your ``sentry.conf.py``:
-
-.. code-block:: python
-
-    GITHUB_APP_ID = ""
-
-    GITHUB_API_SECRET = ""
-
-
-Verified email addresses can optionally be required:
-
-.. code-block:: python
-
-    GITHUB_REQUIRE_VERIFIED_EMAIL = True
-
-
-Optionally you may also specify the domain (for GHE users):
-
-.. code-block:: python
-
-    GITHUB_BASE_DOMAIN = "git.example.com"
-
-    GITHUB_API_DOMAIN = "api.git.example.com"
-
-
-If Subdomain isolation is disabled in GHE:
-
-.. code-block:: python
-
-    GITHUB_BASE_DOMAIN = "git.example.com"
-
-    GITHUB_API_DOMAIN = "git.example.com/api/v3"

client-packages/sentry-auth-passbook/conftest.py

@@ -1,14 +0,0 @@
-from __future__ import absolute_import
-
-# Run tests against sqlite for simplicity
-import os
-import os.path
-import sys
-
-sys.path.insert(0, os.path.join(os.path.dirname(__file__)))
-
-os.environ.setdefault('DB', 'sqlite')
-
-pytest_plugins = [
-    'sentry.utils.pytest'
-]

client-packages/sentry-auth-passbook/sentry_auth_passbook/__init__.py

@@ -1,7 +0,0 @@
-from __future__ import absolute_import
-
-from sentry.auth import register
-
-from .provider import PassbookOAuth2Provider
-
-register('passbook', PassbookOAuth2Provider)

client-packages/sentry-auth-passbook/sentry_auth_passbook/client.py

@@ -1,45 +0,0 @@
-from __future__ import absolute_import, print_function
-
-from requests.exceptions import RequestException
-
-from sentry import http
-from sentry.utils import json
-
-from .constants import BASE_DOMAIN
-
-
-class PassbookApiError(Exception):
-    def __init__(self, message='', status=0):
-        super(PassbookApiError, self).__init__(message)
-        self.status = status
-
-
-class PassbookClient(object):
-    def __init__(self, client_id, client_secret):
-        self.client_id = client_id
-        self.client_secret = client_secret
-        self.http = http.build_session()
-
-    def _request(self, path, access_token):
-        params = {
-            'client_id': self.client_id,
-            'client_secret': self.client_secret,
-        }
-
-        headers = {
-            'Authorization': 'Bearer {0}'.format(access_token),
-        }
-
-        try:
-            req = self.http.get('https://{0}/{1}'.format(BASE_DOMAIN, path.lstrip('/')),
-                params=params,
-                headers=headers,
-            )
-        except RequestException as e:
-            raise PassbookApiError(unicode(e), status=getattr(e, 'status_code', 0))
-        if req.status_code < 200 or req.status_code >= 300:
-            raise PassbookApiError(req.content, status=req.status_code)
-        return json.loads(req.content)
-
-    def get_user(self, access_token):
-        return self._request('/api/v1/openid/', access_token)

client-packages/sentry-auth-passbook/sentry_auth_passbook/constants.py

@@ -1,14 +0,0 @@
-from __future__ import absolute_import, print_function
-
-from django.conf import settings
-
-CLIENT_ID = getattr(settings, 'PASSBOOK_APP_ID', None)
-
-CLIENT_SECRET = getattr(settings, 'PASSBOOK_API_SECRET', None)
-
-SCOPE = 'openid:userinfo'
-
-BASE_DOMAIN = getattr(settings, 'PASSBOOK_BASE_DOMAIN', 'id.beryju.org')
-
-ACCESS_TOKEN_URL = 'https://{0}/application/oauth/token/'.format(BASE_DOMAIN)
-AUTHORIZE_URL = 'https://{0}/application/oauth/authorize/'.format(BASE_DOMAIN)

client-packages/sentry-auth-passbook/sentry_auth_passbook/provider.py

@@ -1,62 +0,0 @@
-from __future__ import absolute_import, print_function
-
-from sentry.auth.exceptions import IdentityNotValid
-from sentry.auth.providers.oauth2 import (OAuth2Callback, OAuth2Login,
-                                          OAuth2Provider)
-
-from .client import PassbookApiError, PassbookClient
-from .constants import (ACCESS_TOKEN_URL, AUTHORIZE_URL, CLIENT_ID,
-                        CLIENT_SECRET, SCOPE)
-from .views import FetchUser, PassbookConfigureView
-
-
-class PassbookOAuth2Provider(OAuth2Provider):
-    access_token_url = ACCESS_TOKEN_URL
-    authorize_url = AUTHORIZE_URL
-    name = 'Passbook'
-    client_id = CLIENT_ID
-    client_secret = CLIENT_SECRET
-
-    def __init__(self, **config):
-        super(PassbookOAuth2Provider, self).__init__(**config)
-
-    def get_configure_view(self):
-        return PassbookConfigureView.as_view()
-
-    def get_auth_pipeline(self):
-        return [
-            OAuth2Login(
-                authorize_url=self.authorize_url,
-                client_id=self.client_id,
-                scope=SCOPE,
-            ),
-            OAuth2Callback(
-                access_token_url=self.access_token_url,
-                client_id=self.client_id,
-                client_secret=self.client_secret,
-            ),
-            FetchUser(
-                client_id=self.client_id,
-                client_secret=self.client_secret,
-            ),
-        ]
-
-    def get_refresh_token_url(self):
-        return ACCESS_TOKEN_URL
-
-    def build_identity(self, state):
-        data = state['data']
-        user_data = state['user']
-        return {
-            'id': user_data['email'],
-            'email': user_data['email'],
-            'name': user_data['name'],
-            'data': self.get_oauth_data(data),
-        }
-
-    def build_config(self, state):
-        return {}
-
-    def refresh_identity(self, auth_identity):
-        client = PassbookClient(self.client_id, self.client_secret)
-        access_token = auth_identity.data['access_token']

client-packages/sentry-auth-passbook/sentry_auth_passbook/views.py

@@ -1,75 +0,0 @@
-from __future__ import absolute_import, print_function
-
-from django import forms
-
-from sentry.auth.view import AuthView, ConfigureView
-from sentry.models import AuthIdentity
-
-from .client import PassbookClient
-
-
-def _get_name_from_email(email):
-    """
-    Given an email return a capitalized name. Ex. john.smith@example.com would return John Smith.
-    """
-    name = email.rsplit('@', 1)[0]
-    name = ' '.join([n_part.capitalize() for n_part in name.split('.')])
-    return name
-
-
-class FetchUser(AuthView):
-    def __init__(self, client_id, client_secret, *args, **kwargs):
-        self.client = PassbookClient(client_id, client_secret)
-        super(FetchUser, self).__init__(*args, **kwargs)
-
-    def handle(self, request, helper):
-        access_token = helper.fetch_state('data')['access_token']
-
-        user = self.client.get_user(access_token)
-
-        # A user hasn't set their name in their Passbook profile so it isn't
-        # populated in the response
-        if not user.get('name'):
-            user['name'] = _get_name_from_email(user['email'])
-
-        helper.bind_state('user', user)
-
-        return helper.next_step()
-
-
-class ConfirmEmailForm(forms.Form):
-    email = forms.EmailField(label='Email')
-
-
-class ConfirmEmail(AuthView):
-    def handle(self, request, helper):
-        user = helper.fetch_state('user')
-
-        # TODO(dcramer): this isnt ideal, but our current flow doesnt really
-        # support this behavior;
-        try:
-            auth_identity = AuthIdentity.objects.select_related('user').get(
-                auth_provider=helper.auth_provider,
-                ident=user['id'],
-            )
-        except AuthIdentity.DoesNotExist:
-            pass
-        else:
-            user['email'] = auth_identity.user.email
-
-        if user.get('email'):
-            return helper.next_step()
-
-        form = ConfirmEmailForm(request.POST or None)
-        if form.is_valid():
-            user['email'] = form.cleaned_data['email']
-            helper.bind_state('user', user)
-            return helper.next_step()
-
-        return self.respond('sentry_auth_passbook/enter-email.html', {
-            'form': form,
-        })
-
-class PassbookConfigureView(ConfigureView):
-    def dispatch(self, request, organization, auth_provider):
-        return self.render('sentry_auth_passbook/configure.html')

client-packages/sentry-auth-passbook/setup.cfg

@@ -1,12 +0,0 @@
-[wheel]
-universal = 1
-
-[pytest]
-python_files = test*.py
-addopts = --tb=native -p no:doctest
-norecursedirs = bin dist docs htmlcov script hooks node_modules .* {args}
-
-[flake8]
-ignore = F999,E501,E128,E124,E402,W503,E731,C901
-max-line-length = 100
-exclude = .tox,.git,*/migrations/*,node_modules/*,docs/*

client-packages/sentry-auth-passbook/setup.py

@@ -1,45 +0,0 @@
-#!/usr/bin/env python
-"""
-sentry-auth-passbook
-==================
-
-:copyright: (c) 2016 Functional Software, Inc
-"""
-from setuptools import find_packages, setup
-
-install_requires = [
-    'sentry>=7.0.0',
-]
-
-tests_require = [
-    'mock',
-    'flake8>=2.0,<2.1',
-]
-
-setup(
-    name='sentry-auth-passbook',
-    version='0.1.30-beta',
-    author='BeryJu.org',
-    author_email='support@beryju.org',
-    url='https://passbook.beryju.org',
-    description='passbook authentication provider for Sentry',
-    long_description=__doc__,
-    license='MIT',
-    packages=find_packages(exclude=['tests']),
-    zip_safe=False,
-    install_requires=install_requires,
-    tests_require=tests_require,
-    extras_require={'tests': tests_require},
-    include_package_data=True,
-    entry_points={
-        'sentry.apps': [
-            'auth_passbook = sentry_auth_passbook',
-        ],
-    },
-    classifiers=[
-        'Intended Audience :: Developers',
-        'Intended Audience :: System Administrators',
-        'Operating System :: OS Independent',
-        'Topic :: Software Development'
-    ],
-)

client-packages/sentry-auth-passbook/tests/test_provider.py

@@ -1,6 +0,0 @@
-from sentry.testutils import TestCase
-
-
-class GitHubOAuth2ProviderTest(TestCase):
-    def test_simple(self):
-        pass

client-packages/sentry-auth-passbook/tests/test_views.py

@@ -1,17 +0,0 @@
-from __future__ import absolute_import, print_function
-
-import pytest
-from sentry_auth_sentry.views import _get_name_from_email
-
-expected_data = [
-    ('john.smith@example.com', 'John Smith'),
-    ('john@example.com', 'John'),
-    ('XYZ-234=3523@example.com', 'Xyz-234=3523'),
-    ('XYZ.1111@example.com', 'Xyz 1111'),
-    ('JOHN@example.com', 'John'),
-]
-
-
-@pytest.mark.parametrize("email,expected_name", expected_data)
-def test_get_name_from_email(email, expected_name):
-    assert _get_name_from_email(email) == expected_name

debian/changelog

@@ -1,220 +0,0 @@
-passbook (0.1.30) stable; urgency=medium
-
-  * bump version: 0.1.28-beta -> 0.1.29-beta
-  * don't use context manager in web command
-
- -- Jens Langhammer <jens.langhammer@beryju.org>  Thu, 11 Apr 2019 12:21:58 +0000
-
-passbook (0.1.29) stable; urgency=medium
-
-  * bump version: 0.1.27-beta -> 0.1.28-beta
-  * Add libpq-dev dependency so psycopg2 build works
-  * switch to whitenoise for static files
-  * replace cherrypy with daphne
-  * Run collectstatic before coverage, use autoreload on celery worker
-
- -- Jens Langhammer <jens.langhammer@beryju.org>  Thu, 11 Apr 2019 12:00:27 +0000
-
-passbook (0.1.28) stable; urgency=medium
-
-  * bump version: 0.1.26-beta -> 0.1.27-beta
-  * fix allauth client's formatting
-  * switch from raven to sentry_sdk
-  * add ability to have non-expiring nonces, clean up expired nonces
-  * fully remove raven and switch WSGI and logging to sentry_sdk
-  * fix failing CI
-  * trigger autoreload from config files
-  * Choose upstream more cleverly
-  * Move code from django-revproxy to app_gw to fix cookie bug
-  * Implement websocket proxy
-  * switch kubernetes deployment to daphne server
-  * set default log level to warn, fix clean_nonces not working
-
- -- Jens Langhammer <jens.langhammer@beryju.org>  Thu, 11 Apr 2019 08:46:44 +0000
-
-passbook (0.1.27) stable; urgency=medium
-
-  * bump version: 0.1.25-beta -> 0.1.26-beta
-  * fix broken app_gw
-
- -- Jens Langhammer <jens.langhammer@beryju.org>  Fri, 22 Mar 2019 13:50:31 +0000
-
-passbook (0.1.26) stable; urgency=medium
-
-  * bump version: 0.1.24-beta -> 0.1.25-beta
-  * always parse url instead of once
-  * validate upstream in form
-  * add custom template views
-
- -- Jens Langhammer <jens.langhammer@beryju.org>  Fri, 22 Mar 2019 11:47:08 +0000
-
-passbook (0.1.25) stable; urgency=medium
-
-  * initial implementation of reverse proxy, using django-revproxy from within a middleware
-  * fix TypeError: can only concatenate list (not "str") to list
-  * bump version: 0.1.23-beta -> 0.1.24-beta
-  * add redis dependency back in for caching
-  * utilise cache in PolicyEngine
-  * explicitly use redis db
-  * invalidate cache when policy is saved
-  * add redis as service in CI for unittests
-  * add timeout field to policy to prevent stuck policies
-  * Don't use LoginRequired for PermissionDenied View
-  * Check for policies in app_gw
-  * Better handle policy timeouts
-  * cleanup post-migration mess
-  * prevent ZeroDivisionError
-  * Redirect to login on reverse proxy
-  * cleanup property_mapping list
-  * add compiled regex to RewriteRule
-  * implement actual Rewriting logic
-  * Invalidate cache when ApplicationGateway instance is saved
-  * validate server_name in form
-
- -- Jens Langhammer <jens.langhammer@beryju.org>  Thu, 21 Mar 2019 15:47:58 +0000
-
-passbook (0.1.24) stable; urgency=medium
-
-  * bump version: 0.1.22-beta -> 0.1.23-beta
-  * add modal for OAuth Providers showing the URLs
-  * remove user field from form. Closes #32
-
- -- Jens Langhammer <jens.langhammer@beryju.org>  Wed, 20 Mar 2019 21:59:21 +0000
-
-passbook (0.1.23) stable; urgency=medium
-
-  * add support for OpenID-Connect Discovery
-
- -- Jens Langhammer <jens.langhammer@beryju.org>  Thu, 18 Mar 2019 20:19:27 +0000
-
-passbook (0.1.22) stable; urgency=medium
-
-  * bump version: 0.1.20-beta -> 0.1.21-beta
-  * fix missing debug template
-  * move icons to single folder, cleanup
-  * fix layout when on mobile viewport and scrolling
-  * fix delete form not working
-  * point to correct icons
-  * add Azure AD Source
-  * Fix OAuth Client's disconnect view having invalid URL names
-
- -- Jens Langhammer <jens.langhammer@beryju.org>  Thu, 14 Mar 2019 20:19:27 +0000
-
-passbook (0.1.21) stable; urgency=medium
-
-  * bump version: 0.1.19-beta -> 0.1.20-beta
-  * add request debug view
-  * detect HTTPS from reverse proxy
-
- -- Jens Langhammer <jens.langhammer@beryju.org>  Thu, 14 Mar 2019 17:01:49 +0000
-
-passbook (0.1.20) stable; urgency=medium
-
-  * bump version: 0.1.18-beta -> 0.1.19-beta
-  * fix GitHub Pretend again
-  * add user settings for Sources
-
- -- Jens Langhammer <jens.langhammer@beryju.org>  Wed, 13 Mar 2019 15:49:44 +0000
-
-passbook (0.1.18) stable; urgency=medium
-
-  * bump version: 0.1.16-beta -> 0.1.17-beta
-  * fix Server Error when downloading metadata
-  * add sentry client
-  * fix included yaml file
-  * adjust versions for client packages, auto build client-packages
-  * bump version: 0.1.17-beta -> 0.1.18-beta
-  * fix API Call for sentry-client, add missing template
-  * fix GitHub Pretend throwing a 500 error
-
- -- Jens Langhammer <jens.langhammer@beryju.org>  Wed, 13 Mar 2019 14:14:10 +0000
-
-passbook (0.1.17) stable; urgency=medium
-
-  * bump version: 0.1.15-beta -> 0.1.16-beta
-  * remove Application.user_is_authorized
-  * don't use celery heartbeat, use TCP keepalive instead
-  * switch to vertical navigation
-
- -- Jens Langhammer <jens.langhammer@beryju.org>  Tue, 12 Mar 2019 14:54:27 +0000
-
-passbook (0.1.16) stable; urgency=medium
-
-  * Replace redis with RabbitMQ
-  * updated debian package to suggest RabbitMQ
-  * update helm chart to require RabbitMQ
-  * fix invalid default config in debian package
-
- -- Jens Langhammer <jens.langhammer@beryju.org>  Mon, 11 Mar 2019 10:28:36 +0000
-
-passbook (0.1.14) stable; urgency=medium
-
-  * bump version: 0.1.11-beta -> 0.1.12-beta
-  * Fix DoesNotExist error when running PolicyEngine against None user
-  * allow custom email server for helm installs
-  * fix UserChangePasswordView not requiring Login
-
- -- Jens Langhammer <jens.langhammer@beryju.org>  Mon, 11 Mar 2019 10:28:36 +0000
-
-passbook (0.1.12) stable; urgency=medium
-
-  * bump version: 0.1.10-beta -> 0.1.11-beta
-  * rewrite PasswordFactor to use backends setting instead of trying all backends
-  * install updated helm release from local folder
-  * disable automatic k8s deployment for now
-  * fix OAuth Authorization View not requiring authentication
-
- -- Jens Langhammer <jens.langhammer@beryju.org>  Mon, 11 Mar 2019 08:50:29 +0000
-
-passbook (0.1.11) stable; urgency=medium
-
-  * add group administration
-  * bump version: 0.1.9-beta -> 0.1.10-beta
-  * fix helm labels being on deployments and not pods
-  * automatically deploy after release
-  * use Django's Admin FilteredSelectMultiple for Group Membership
-  * always use FilteredSelectMultiple for many-to-many fields
-  * Add Group Member policy
-  * add LDAP Group Membership Policy
-
- -- Jens Langhammer <jens.langhammer@beryju.org>  Sun, 10 Mar 2019 18:55:31 +0000
-
-passbook (0.1.10) stable; urgency=high
-
-  * bump version: 0.1.7-beta -> 0.1.8-beta
-  * consistently using PolicyEngine
-  * add more Verbosity to PolicyEngine, rewrite SAML Authorisation check
-  * slightly refactor Factor View, add more unittests
-  * add impersonation middleware, add to templates
-  * bump version: 0.1.8-beta -> 0.1.9-beta
-  * fix k8s service routing http traffic to workers
-  * Fix button on policy test page
-  * better show loading state when testing a policy
-
- -- Jens Langhammer <jens.langhammer@beryju.org>  Sun, 10 Mar 2019 14:52:40 +0000
-
-passbook (0.1.7) stable; urgency=medium
-
-  * bump version: 0.1.3-beta -> 0.1.4-beta
-  * implicitly add kubernetes-healthcheck-host in helm configmap
-  * fix debian build (again)
-  * add PropertyMapping Model, add Subclass for SAML, test with AWS
-  * add custom DynamicArrayField to better handle arrays
-  * format data before inserting it
-  * bump version: 0.1.4-beta -> 0.1.5-beta
-  * fix static files missing for debian package
-  * fix password not getting set on user import
-  * remove audit's login attempt
-  * add passing property to PolicyEngine
-  * fix captcha factor not loading keys from Factor class
-  * bump version: 0.1.5-beta -> 0.1.6-beta
-  * fix MATCH_EXACT not working as intended
-  * Improve access control for saml
-
- -- Jens Langhammer <jens.langhammer@beryju.org>  Fri, 08 Mar 2019 20:37:05 +0000
-
-passbook (0.1.4) stable; urgency=medium
-
-  * initial debian package release
-
- -- Jens Langhammer <jens.langhammer@beryju.org>  Wed, 06 Mar 2019 18:22:41 +0000

debian/compat

@@ -1 +0,0 @@
-10

debian/config

@@ -1,20 +0,0 @@
-#!/bin/sh
-# config maintainer script for passbook
-set -e
-
-# source debconf stuff
-. /usr/share/debconf/confmodule
-
-dbc_first_version=1.0.0
-dbc_dbuser=passbook
-dbc_dbname=passbook
-
-# source dbconfig-common shell library, and call the hook function
-if [ -f /usr/share/dbconfig-common/dpkg/config.pgsql ]; then
-    . /usr/share/dbconfig-common/dpkg/config.pgsql
-    dbc_go passbook "$@"
-fi
-
-#DEBHELPER#
-
-exit 0

debian/control

@@ -1,14 +0,0 @@
-Source: passbook
-Section: admin
-Priority: optional
-Maintainer: BeryJu.org <support@beryju.org>
-Uploaders: Jens Langhammer <jens@beryju.org>, BeryJu.org <support@beryju.org>
-Build-Depends: debhelper (>= 10), dh-systemd (>= 1.5), dh-exec, wget, dh-exec, python3 (>= 3.5) | python3.6 | python3.7, libpq-dev
-Standards-Version: 3.9.6
-
-Package: passbook
-Architecture: all
-Recommends: mysql-server, rabbitmq-server, redis-server
-Pre-Depends: adduser, libldap2-dev, libsasl2-dev
-Depends: python3 (>= 3.5) | python3.6 | python3.7, python3-pip, dbconfig-pgsql | dbconfig-no-thanks, ${misc:Depends}
-Description: Authentication Provider/Proxy supporting protocols like SAML, OAuth, LDAP and more.

debian/copyright

@@ -1,22 +0,0 @@
-MIT License
-
-Copyright (c) 2019 BeryJu.org
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
-

debian/dirs

@@ -1,4 +0,0 @@
-etc/passbook/
-etc/passbook/config.d/
-var/log/passbook/
-usr/share/passbook/

debian/etc/passbook/config.yml

@@ -1,81 +0,0 @@
-http:
-    host: 0.0.0.0
-    port: 8000
-secret_key_file: /etc/passbook/secret_key
-log:
-    level:
-        console: INFO
-        file: DEBUG
-    file: /var/log/passbook/passbook.log
-debug: false
-secure_proxy_header:
-  HTTP_X_FORWARDED_PROTO: https
-rabbitmq: guest:guest@localhost/passbook
-redis: localhost/0
-
-# Error reporting, sends stacktrace to sentry.services.beryju.org
-error_report_enabled: true
-
-primary_domain: passbook.local
-
-passbook:
-  sign_up:
-    # Enables signup, created users are stored in internal Database and created in LDAP if ldap.create_users is true
-    enabled: true
-  password_reset:
-    # Enable password reset, passwords are reset in internal Database and in LDAP if ldap.reset_password is true
-    enabled: true
-    # Verification the user has to provide in order to be able to reset passwords. Can be any combination of `email`, `2fa`, `security_questions`
-    verification:
-      - email
-  # Text used in title, on login page and multiple other places
-  branding: passbook
-  login:
-    # Override URL used for logo
-    logo_url: null
-    # Override URL used for Background on Login page
-    bg_url: null
-    # Optionally add a subtext, placed below logo on the login page
-    subtext: null
-  footer:
-    links:
-      # Optionally add links to the footer on the login page
-      #  - name: test
-      #    href: https://test
-  # Specify which fields can be used to authenticate. Can be any combination of `username` and `email`
-  uid_fields:
-    - username
-    - email
-  session:
-    remember_age: 2592000 # 60 * 60 * 24 * 30, one month
-# Provider-specific settings
-ldap:
-  # Which field from `uid_fields` maps to which LDAP Attribute
-  login_field_map:
-    username: sAMAccountName
-    email: mail # or userPrincipalName
-  user_attribute_map:
-    active_directory:
-      username: "%(sAMAccountName)s"
-      email: "%(mail)s"
-      name: "%(displayName)"
-oauth_client:
-  # List of python packages with sources types to load.
-  types:
-    - passbook.oauth_client.source_types.discord
-    - passbook.oauth_client.source_types.facebook
-    - passbook.oauth_client.source_types.github
-    - passbook.oauth_client.source_types.google
-    - passbook.oauth_client.source_types.reddit
-    - passbook.oauth_client.source_types.supervisr
-    - passbook.oauth_client.source_types.twitter
-saml_idp:
-  # List of python packages with provider types to load.
-  types:
-    - passbook.saml_idp.processors.generic
-    - passbook.saml_idp.processors.aws
-    - passbook.saml_idp.processors.gitlab
-    - passbook.saml_idp.processors.nextcloud
-    - passbook.saml_idp.processors.salesforce
-    - passbook.saml_idp.processors.shibboleth
-    - passbook.saml_idp.processors.wordpress_orange

debian/gbp.conf

@@ -1,2 +0,0 @@
-[buildpackage]
-export-dir=../build-area

debian/install

@@ -1,8 +0,0 @@
-passbook		/usr/share/passbook/
-static			/usr/share/passbook/
-manage.py		/usr/share/passbook/
-passbook.sh		/usr/share/passbook/
-vendor			/usr/share/passbook/
-
-debian/etc/passbook								/etc/
-debian/templates/database.yml					/usr/share/passbook/

debian/passbook-worker.service

@@ -1,14 +0,0 @@
-[Unit]
-Description=passbook - Authentication Provider/Proxy (Background worker)
-After=network.target
-Requires=network.target
-
-[Service]
-User=passbook
-Group=passbook
-WorkingDirectory=/usr/share/passbook
-Type=simple
-ExecStart=/usr/share/passbook/passbook.sh worker
-
-[Install]
-WantedBy=multi-user.target

debian/passbook.service

@@ -1,14 +0,0 @@
-[Unit]
-Description=passbook - Authentication Provider/Proxy
-After=network.target
-Requires=network.target
-
-[Service]
-User=passbook
-Group=passbook
-WorkingDirectory=/usr/share/passbook
-Type=simple
-ExecStart=/usr/share/passbook/passbook.sh web
-
-[Install]
-WantedBy=multi-user.target

debian/postinst

@@ -1,36 +0,0 @@
-#!/bin/bash
-
-set -e
-
-. /usr/share/debconf/confmodule
-. /usr/share/dbconfig-common/dpkg/postinst.pgsql
-
-# you can set the default database encoding to something else
-dbc_pgsql_createdb_encoding="UTF8"
-dbc_generate_include=template:/etc/passbook/config.d/database.yml
-dbc_generate_include_args="-o template_infile=/usr/share/passbook/database.yml"
-dbc_go passbook "$@"
-
-if [ -z "`getent group passbook`" ]; then
-	addgroup --quiet --system passbook
-fi
-if [ -z "`getent passwd passbook`" ]; then
-	echo " * Creating user and group passbook..."
-	adduser --quiet --system --home /usr/share/passbook --shell /bin/false --ingroup passbook --disabled-password --disabled-login --gecos "passbook User" passbook  >> /var/log/passbook/passbook.log 2>&1
-fi
-echo " * Updating binary packages (psycopg2)"
-python3 -m pip install --target=/usr/share/passbook/vendor/ --no-cache-dir --upgrade --force-reinstall psycopg2 >> /var/log/passbook/passbook.log 2>&1
-if [ ! -f '/etc/passbook/secret_key' ]; then
-	echo " * Generating Secret Key"
-	python3 -c 'import random; result = "".join([random.choice("abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)") for i in range(50)]); print(result)' > /etc/passbook/secret_key 2> /dev/null
-fi
-chown -R passbook: /usr/share/passbook/
-chown -R passbook: /etc/passbook/
-chown -R passbook: /var/log/passbook/
-chmod 440 /etc/passbook/secret_key
-echo " * Running Database Migration"
-/usr/share/passbook/passbook.sh migrate
-echo " * A superuser can be created with this command '/usr/share/passbook/passbook.sh createsuperuser'"
-echo " * You should probably also adjust your settings in '/etc/passbook/config.yml'"
-
-#DEBHELPER#

debian/postrm

@@ -1,24 +0,0 @@
-#!/bin/sh
-
-set -e
-
-if [ -f /usr/share/debconf/confmodule ]; then
-    . /usr/share/debconf/confmodule
-fi
-if [ -f /usr/share/dbconfig-common/dpkg/postrm.pgsql ]; then
-    . /usr/share/dbconfig-common/dpkg/postrm.pgsql
-    dbc_go passbook "$@"
-fi
-
-
-if [ "$1" = "purge" ]; then
-    if which ucf >/dev/null 2>&1; then
-        ucf --purge /etc/passbook/config.d/database.yml
-        ucfr --purge passbook /etc/passbook/config.d/database.yml
-    fi
-    rm -rf /etc/passbook/
-    rm -rf /usr/share/passbook/
-fi
-
-#DEBHELPER#
-

debian/prerm

@@ -1,10 +0,0 @@
-#!/bin/sh
-
-set -e
-
-. /usr/share/debconf/confmodule
-. /usr/share/dbconfig-common/dpkg/prerm.pgsql
-dbc_go passbook "$@"
-
-#DEBHELPER#
-

debian/rules

@@ -1,27 +0,0 @@
-#!/usr/bin/make -f
-
-# Uncomment this to turn on verbose mode.
-# export DH_VERBOSE=1
-
-%:
-	dh $@ --with=systemd
-
-build-arch:
-	python3 -m pip install setuptools
-	python3 -m pip install --target=vendor/ -r requirements.txt
-
-override_dh_strip:
-	dh_strip --exclude=psycopg2
-
-override_dh_shlibdeps:
-	dh_shlibdeps --exclude=psycopg2
-
-override_dh_installinit:
-	dh_installinit --name=passbook
-	dh_installinit --name=passbook-worker
-	dh_systemd_enable --name=passbook
-	dh_systemd_enable --name=passbook-worker
-	dh_systemd_start
-
-# override_dh_usrlocal to do nothing
-override_dh_usrlocal:

debian/source/format

@@ -1 +0,0 @@
-3.0 (native)

debian/templates/database.yml

@@ -1,8 +0,0 @@
-databases:
-  default:
-    engine: django.db.backends.postgresql
-    name: _DBC_DBNAME_
-    user: _DBC_DBUSER_
-    password: _DBC_DBPASS_
-    host: _DBC_DBSERVER_
-    port: _DBC_DBPORT_

dev.Dockerfile

@@ -0,0 +1,3 @@
+FROM docker.beryju.org/passbook/base:latest
+
+RUN pip install -r /app/requirements-dev.txt  --no-cache-dir

docker-compose.yml

@@ -0,0 +1,90 @@
+---
+version: '3.2'
+
+services:
+  postgresql:
+    image: postgres
+    volumes:
+      - database:/var/lib/postgresql/data
+    networks:
+      - internal
+    environment:
+      - POSTGRES_PASSWORD=${PG_PASS:-thisisnotagoodpassword}
+      - POSTGRES_USER=passbook
+      - POSTGRES_DB=passbook
+    labels:
+      - traefik.enable=false
+  redis:
+    image: redis
+    networks:
+      - internal
+    labels:
+      - traefik.enable=false
+  server:
+    build:
+      context: .
+    image: docker.beryju.org/passbook/server:${SERVER_TAG:-latest}
+    command:
+      - uwsgi
+      - uwsgi.ini
+    environment:
+      - PASSBOOK_DOMAIN=${PASSBOOK_DOMAIN}
+      - PASSBOOK_REDIS__HOST=redis
+      - PASSBOOK_POSTGRESQL__HOST=postgresql
+      - PASSBOOK_POSTGRESQL__PASSWORD=${PG_PASS:-thisisnotagoodpassword}
+    ports:
+      - 8000
+    networks:
+      - internal
+    labels:
+      - traefik.port=8000
+      - traefik.docker.network=internal
+      - traefik.frontend.rule=PathPrefix:/
+  worker:
+    image: docker.beryju.org/passbook/server:${SERVER_TAG:-latest}
+    command:
+      - celery
+      - worker
+      - --autoscale=10,3
+      - -E
+      - -B
+      - -A=passbook.root.celery
+      - -s=/tmp/celerybeat-schedule
+    networks:
+      - internal
+    labels:
+      - traefik.enable=false
+    environment:
+      - PASSBOOK_DOMAIN=${PASSBOOK_DOMAIN}
+      - PASSBOOK_REDIS__HOST=redis
+      - PASSBOOK_POSTGRESQL__HOST=postgresql
+      - PASSBOOK_POSTGRESQL__PASSWORD=${PG_PASS:-thisisnotagoodpassword}
+  static:
+    build:
+      context: .
+      dockerfile: static.Dockerfile
+    image: docker.beryju.org/passbook/static:latest
+    networks:
+      - internal
+    labels:
+      - traefik.frontend.rule=PathPrefix:/static, /robots.txt
+      - traefik.port=80
+      - traefik.docker.network=internal
+  traefik:
+    image: traefik:1.7
+    command: --api --docker
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    ports:
+      - "0.0.0.0:80:80"
+      - "0.0.0.0:443:443"
+      - "0.0.0.0:8080:8080"
+    networks:
+      - internal
+
+volumes:
+  database:
+    driver: local
+
+networks:
+  internal: {}

docker/nginx.conf

@@ -0,0 +1,66 @@
+user  nginx;
+worker_processes  1;
+
+error_log  stderr warn;
+pid        /var/run/nginx.pid;
+
+events {
+    worker_connections  1024;
+}
+
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    log_format json_combined escape=json
+        '{'
+            '"time_local":"$time_local",'
+            '"remote_addr":"$remote_addr",'
+            '"remote_user":"$remote_user",'
+            '"request":"$request",'
+            '"status": "$status",'
+            '"body_bytes_sent":"$body_bytes_sent",'
+            '"request_time":"$request_time",'
+            '"http_referrer":"$http_referer",'
+            '"http_user_agent":"$http_user_agent"'
+        '}';
+
+    access_log /dev/stdout json_combined;
+
+    sendfile        on;
+    tcp_nopush     on;
+
+    keepalive_timeout  65;
+
+    server {
+
+        server_name _;
+
+        gzip on;
+        gzip_types application/javascript image/* text/css;
+        gunzip on;
+        add_header X-passbook-Version 0.6.9-beta;
+        add_header Vary X-passbook-Version;
+        root /data/;
+
+        location /_/healthz {
+            return 204;
+        }
+        location ~* \.(jpg|jpeg|png|gif|ico)$ {
+            expires 30d;
+        }
+        location ~* \.(css|js)$ {
+            expires 7d;
+        }
+
+    }
+
+    server {
+
+        listen 8080;
+
+        location = /stub_status {
+            stub_status;
+        }
+    }
+}

docker/uwsgi.ini

@@ -0,0 +1,10 @@
+[uwsgi]
+http = 0.0.0.0:8000
+chdir = /app
+wsgi-file = passbook/root/wsgi.py
+processes = 2
+master = true
+threads = 2
+enable-threads = true
+uid = passbook
+gid = passbook

helm/passbook/Chart.lock

@@ -0,0 +1,9 @@
+dependencies:
+- name: postgresql
+  repository: https://kubernetes-charts.storage.googleapis.com/
+  version: 6.3.10
+- name: redis
+  repository: https://kubernetes-charts.storage.googleapis.com/
+  version: 9.2.1
+digest: sha256:bdde250e1401dccdd5161e39c807f9e88b05e3e8e72e74df767a1bbb5fc39a4a
+generated: "2019-10-01T10:46:06.542706+02:00"

helm/passbook/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v1
-appVersion: "0.1.30-beta"
+appVersion: "0.6.9-beta"
 description: A Helm chart for passbook.
 name: passbook
-version: "0.1.30-beta"
-icon: https://passbook.beryju.org/images/logo.png
+version: "0.6.9-beta"
+icon: https://git.beryju.org/uploads/-/system/project/avatar/108/logo.png

helm/passbook/requirements.lock

@@ -1,12 +1,9 @@
 dependencies:
-- name: rabbitmq
-  repository: https://kubernetes-charts.storage.googleapis.com/
-  version: 4.3.2
 - name: postgresql
   repository: https://kubernetes-charts.storage.googleapis.com/
-  version: 3.10.1
+  version: 4.2.2
 - name: redis
   repository: https://kubernetes-charts.storage.googleapis.com/
-  version: 5.1.0
-digest: sha256:8bf68bc928a2e3c0f05139635be05fa0840554c7bde4cecd624fac78fb5fa5a3
-generated: 2019-03-21T11:06:51.553379+01:00
+  version: 9.2.1
+digest: sha256:8782e974a1094eaeecf1d68f093ca4fb84977217b2bd38b09790a05ec289aec2
+generated: "2019-10-02T21:03:25.90491153Z"

helm/passbook/requirements.yaml

@@ -1,10 +1,7 @@
 dependencies:
-- name: rabbitmq
-  version: 4.3.2
-  repository: https://kubernetes-charts.storage.googleapis.com/
 - name: postgresql
-  version: 3.10.1
+  version: 4.2.2
   repository: https://kubernetes-charts.storage.googleapis.com/
 - name: redis
-  version: 5.1.0
+  version: 9.2.1
   repository: https://kubernetes-charts.storage.googleapis.com/

helm/passbook/templates/configmap.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "passbook.fullname" . }}-config
+data:
+  config.yml: |
+    postgresql:
+      host: "{{ .Release.Name }}-postgresql"
+      name: "{{ .Values.postgresql.postgresqlDatabase }}"
+      user: postgres
+    redis:
+      host: "{{ .Release.Name }}-redis-master"
+      cache_db: 0
+      message_queue_db: 1
+    error_report_enabled: {{ .Values.config.error_reporting }}
+    domain: ".{{ index .Values.ingress.hosts 0 }}"

helm/passbook/templates/ingress.yaml

@@ -1,6 +1,5 @@
 {{- if .Values.ingress.enabled -}}
 {{- $fullName := include "passbook.fullname" . -}}
-{{- $ingressPath := .Values.ingress.path -}}
 apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
@@ -30,9 +29,17 @@ spec:
     - host: {{ . | quote }}
       http:
         paths:
-          - path: {{ $ingressPath }}
+          - path: /
             backend:
-              serviceName: {{ $fullName }}
+              serviceName: {{ $fullName }}-web
+              servicePort: http
+          - path: /static/
+            backend:
+              serviceName: {{ $fullName }}-static
+              servicePort: http
+          - path: /robots.txt
+            backend:
+              serviceName: {{ $fullName }}-static
               servicePort: http
   {{- end }}
 {{- end }}

helm/passbook/templates/passbook-configmap.yaml

@@ -1,142 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: {{ include "passbook.fullname" . }}-config
-data:
-  config.yml: |
-    # Env for Docker images
-    databases:
-      default:
-        engine: django.db.backends.postgresql
-        name: {{ .Values.postgresql.postgresqlDatabase }}
-        user: postgres
-        password: {{ .Values.postgresql.postgresqlPassword }}
-        host: {{ .Release.Name }}-postgresql
-        port: ''
-    log:
-      level:
-        console: WARNING
-        file: WARNING
-      file: /dev/null
-      syslog:
-        host: 127.0.0.1
-        port: 514
-    email:
-      host: {{ .Values.config.email.host }}
-      port: 25
-      user: ''
-      password: ''
-      use_tls: false
-      use_ssl: false
-      from: passbook <passbook@domain.tld>
-    web:
-      listen: 0.0.0.0
-      port: 8000
-      threads: 30
-    debug: false
-    secure_proxy_header:
-      HTTP_X_FORWARDED_PROTO: https
-    rabbitmq: "user:{{ .Values.rabbitmq.rabbitmq.password }}@{{ .Release.Name }}-rabbitmq"
-    redis: ":{{ .Values.redis.password }}@{{ .Release.Name }}-redis-master/0"
-    # Error reporting, sends stacktrace to sentry.services.beryju.org
-    error_report_enabled: {{ .Values.config.error_reporting }}
-
-    {{- if .Values.config.secret_key }}
-    secret_key: {{ .Values.config.secret_key }}
-    {{- else }}
-    secret_key: {{ randAlphaNum 50 }}
-    {{- end }}
-
-    primary_domain: {{ .Values.primary_domain }}
-    domains:
-        {{- range .Values.ingress.hosts }}
-        - {{ . | quote }}
-        {{- end }}
-        - kubernetes-healthcheck-host
-
-    passbook:
-      sign_up:
-        # Enables signup, created users are stored in internal Database and created in LDAP if ldap.create_users is true
-        enabled: true
-      password_reset:
-        # Enable password reset, passwords are reset in internal Database and in LDAP if ldap.reset_password is true
-        enabled: true
-        # Verification the user has to provide in order to be able to reset passwords. Can be any combination of `email`, `2fa`, `security_questions`
-        verification:
-          - email
-      # Text used in title, on login page and multiple other places
-      branding: passbook
-      login:
-        # Override URL used for logo
-        logo_url: null
-        # Override URL used for Background on Login page
-        bg_url: null
-        # Optionally add a subtext, placed below logo on the login page
-        subtext: null
-      footer:
-        links:
-          # Optionally add links to the footer on the login page
-          #  - name: test
-          #    href: https://test
-      # Specify which fields can be used to authenticate. Can be any combination of `username` and `email`
-      uid_fields:
-        - username
-        - email
-      session:
-        remember_age: 2592000 # 60 * 60 * 24 * 30, one month
-    # Provider-specific settings
-    ldap:
-      # # Completely enable or disable LDAP provider
-      # enabled: false
-      # # AD Domain, used to generate `userPrincipalName`
-      # domain: corp.contoso.com
-      # # Base DN in which passbook should look for users
-      # base_dn: dn=corp,dn=contoso,dn=com
-      # # LDAP field which is used to set the django username
-      # username_field: sAMAccountName
-      # # LDAP server to connect to, can be set to `<domain_name>`
-      # server:
-      #   name: corp.contoso.com
-      #   use_tls: false
-      # # Bind credentials, used for account creation
-      # bind:
-      #   username: Administraotr@corp.contoso.com
-      #   password: VerySecurePassword!
-      # Which field from `uid_fields` maps to which LDAP Attribute
-      login_field_map:
-        username: sAMAccountName
-        email: mail # or userPrincipalName
-      user_attribute_map:
-        active_directory:
-          username: "%(sAMAccountName)s"
-          email: "%(mail)s"
-          name: "%(displayName)"
-      # # Create new users in LDAP upon sign-up
-      # create_users: true
-      # # Reset LDAP password when user reset their password
-      # reset_password: true
-    oauth_client:
-      # List of python packages with sources types to load.
-      types:
-        - passbook.oauth_client.source_types.discord
-        - passbook.oauth_client.source_types.facebook
-        - passbook.oauth_client.source_types.github
-        - passbook.oauth_client.source_types.google
-        - passbook.oauth_client.source_types.reddit
-        - passbook.oauth_client.source_types.supervisr
-        - passbook.oauth_client.source_types.twitter
-        - passbook.oauth_client.source_types.azure_ad
-    saml_idp:
-      signing: true
-      autosubmit: false
-      issuer: passbook
-      assertion_valid_for: 86400
-      # List of python packages with provider types to load.
-      types:
-        - passbook.saml_idp.processors.generic
-        - passbook.saml_idp.processors.aws
-        - passbook.saml_idp.processors.gitlab
-        - passbook.saml_idp.processors.nextcloud
-        - passbook.saml_idp.processors.salesforce
-        - passbook.saml_idp.processors.shibboleth
-        - passbook.saml_idp.processors.wordpress_orange

helm/passbook/templates/passbook-web-deployment.yaml

@@ -1,67 +0,0 @@
-apiVersion: apps/v1beta2
-kind: Deployment
-metadata:
-  name: {{ include "passbook.fullname" . }}-web
-  labels:
-    app.kubernetes.io/name: {{ include "passbook.name" . }}
-    helm.sh/chart: {{ include "passbook.chart" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-spec:
-  replicas: {{ .Values.replicaCount }}
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: {{ include "passbook.name" . }}
-      app.kubernetes.io/instance: {{ .Release.Name }}
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: {{ include "passbook.name" . }}
-        app.kubernetes.io/instance: {{ .Release.Name }}
-        passbook.io/component: web
-    spec:
-      volumes:
-        - name: config-volume
-          configMap:
-            name: {{ include "passbook.fullname" . }}-config
-      containers:
-        - name: {{ .Chart.Name }}
-          image: "docker.pkg.beryju.org/passbook:{{ .Values.image.tag }}"
-          imagePullPolicy: IfNotPresent
-          command: ["/bin/sh","-c"]
-          args: ["./manage.py migrate && ./manage.py web"]
-          ports:
-            - name: http
-              containerPort: 8000
-              protocol: TCP
-          volumeMounts:
-            - mountPath: /etc/passbook
-              name: config-volume
-          livenessProbe:
-            httpGet:
-              path: /
-              port: http
-              httpHeaders:
-                - name: Host
-                  value: kubernetes-healthcheck-host
-          readinessProbe:
-            httpGet:
-              path: /
-              port: http
-              httpHeaders:
-                - name: Host
-                  value: kubernetes-healthcheck-host
-          resources:
-{{ toYaml .Values.resources | indent 12 }}
-    {{- with .Values.nodeSelector }}
-      nodeSelector:
-{{ toYaml . | indent 8 }}
-    {{- end }}
-    {{- with .Values.affinity }}
-      affinity:
-{{ toYaml . | indent 8 }}
-    {{- end }}
-    {{- with .Values.tolerations }}
-      tolerations:
-{{ toYaml . | indent 8 }}
-    {{- end }}

helm/passbook/templates/passbook-worker-deployment.yaml

@@ -1,52 +0,0 @@
-apiVersion: apps/v1beta2
-kind: Deployment
-metadata:
-  name: {{ include "passbook.fullname" . }}-worker
-  labels:
-    app.kubernetes.io/name: {{ include "passbook.name" . }}
-    helm.sh/chart: {{ include "passbook.chart" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-spec:
-  replicas: {{ .Values.replicaCount }}
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: {{ include "passbook.name" . }}
-      app.kubernetes.io/instance: {{ .Release.Name }}
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: {{ include "passbook.name" . }}
-        app.kubernetes.io/instance: {{ .Release.Name }}
-        passbook.io/component: worker
-    spec:
-      volumes:
-        - name: config-volume
-          configMap:
-            name: {{ include "passbook.fullname" . }}-config
-      containers:
-        - name: {{ .Chart.Name }}
-          image: "docker.pkg.beryju.org/passbook:{{ .Values.image.tag }}"
-          imagePullPolicy: IfNotPresent
-          command: ["./manage.py", "worker"]
-          ports:
-            - name: http
-              containerPort: 8000
-              protocol: TCP
-          volumeMounts:
-            - mountPath: /etc/passbook
-              name: config-volume
-          resources:
-{{ toYaml .Values.resources | indent 12 }}
-    {{- with .Values.nodeSelector }}
-      nodeSelector:
-{{ toYaml . | indent 8 }}
-    {{- end }}
-    {{- with .Values.affinity }}
-      affinity:
-{{ toYaml . | indent 8 }}
-    {{- end }}
-    {{- with .Values.tolerations }}
-      tolerations:
-{{ toYaml . | indent 8 }}
-    {{- end }}

helm/passbook/templates/secret.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: {{ include "passbook.fullname" . }}-secret-key
+data:
+  {{- if .Values.config.secret_key }}
+  secret_key: {{ .Values.config.secret_key | b64enc | quote }}
+  {{- else }}
+  secret_key: {{ randAlphaNum 50 | b64enc | quote}}
+  {{- end }}

helm/passbook/templates/static-deployment.yaml

@@ -0,0 +1,55 @@
+apiVersion: apps/v1beta2
+kind: Deployment
+metadata:
+  name: {{ include "passbook.fullname" . }}-static
+  labels:
+    app.kubernetes.io/name: {{ include "passbook.name" . }}
+    helm.sh/chart: {{ include "passbook.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ include "passbook.name" . }}
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: {{ include "passbook.name" . }}
+        app.kubernetes.io/instance: {{ .Release.Name }}
+        k8s.passbook.io/component: static
+      annotations:
+        prometheus.io/scrape: "true"
+        prometheus.io/port: '9113'
+        field.cattle.io/workloadMetrics: '[{"path":"/metrics","port":9113,"schema":"HTTP"}]'
+    spec:
+      containers:
+        - name: {{ .Chart.Name }}-static
+          image: "docker.beryju.org/passbook/static:{{ .Values.image.tag }}"
+          imagePullPolicy: IfNotPresent
+          ports:
+            - name: http
+              containerPort: 80
+              protocol: TCP
+          livenessProbe:
+            initialDelaySeconds: 10
+            timeoutSeconds: 5
+            httpGet:
+              path: /_/healthz
+              port: http
+          readinessProbe:
+            initialDelaySeconds: 10
+            timeoutSeconds: 5
+            httpGet:
+              path: /_/healthz
+              port: http
+          resources:
+            requests:
+              cpu: 10m
+              memory: 10M
+            limits:
+              cpu: 20m
+              memory: 20M
+        - name: {{ .Chart.Name }}-static-prometheus
+          image: nginx/nginx-prometheus-exporter:0.4.1
+          imagePullPolicy: IfNotPresent

helm/passbook/templates/static-service.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "passbook.fullname" . }}-static
+  labels:
+    app.kubernetes.io/name: {{ include "passbook.name" . }}
+    helm.sh/chart: {{ include "passbook.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    k8s.passbook.io/component: static
+spec:
+  type: ClusterIP
+  ports:
+    - port: 80
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    app.kubernetes.io/name: {{ include "passbook.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    k8s.passbook.io/component: static

helm/passbook/templates/web-deployment.yaml

@@ -0,0 +1,112 @@
+apiVersion: apps/v1beta2
+kind: Deployment
+metadata:
+  name: {{ include "passbook.fullname" . }}-web
+  labels:
+    app.kubernetes.io/name: {{ include "passbook.name" . }}
+    helm.sh/chart: {{ include "passbook.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ include "passbook.name" . }}
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: {{ include "passbook.name" . }}
+        app.kubernetes.io/instance: {{ .Release.Name }}
+        passbook.io/component: web
+    spec:
+      volumes:
+        - name: config-volume
+          configMap:
+            name: {{ include "passbook.fullname" . }}-config
+      initContainers:
+        - name: passbook-database-migrations
+          image: "docker.beryju.org/passbook/server:{{ .Values.image.tag }}"
+          command:
+            - ./manage.py
+          args:
+            - migrate
+          volumeMounts:
+            - mountPath: /etc/passbook
+              name: config-volume
+          envFrom:
+            - configMapRef:
+                name: {{ include "passbook.fullname" . }}-config
+              prefix: PASSBOOK_
+          env:
+            - name: PASSBOOK_SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "passbook.fullname" . }}-secret-key
+                  key: secret_key
+            - name: PASSBOOK_REDIS__PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Release.Name }}-redis"
+                  key: redis-password
+            - name: PASSBOOK_POSTGRESQL__PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Release.Name }}-postgresql"
+                  key: postgresql-password
+      containers:
+        - name: {{ .Chart.Name }}
+          image: "docker.beryju.org/passbook/server:{{ .Values.image.tag }}"
+          imagePullPolicy: IfNotPresent
+          command:
+            - uwsgi
+          args:
+            - uwsgi.ini
+          volumeMounts:
+            - mountPath: /etc/passbook
+              name: config-volume
+          envFrom:
+            - configMapRef:
+                name: {{ include "passbook.fullname" . }}-config
+              prefix: PASSBOOK_
+          env:
+            - name: PASSBOOK_SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "passbook.fullname" . }}-secret-key
+                  key: secret_key
+            - name: PASSBOOK_REDIS__PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Release.Name }}-redis"
+                  key: redis-password
+            - name: PASSBOOK_POSTGRESQL__PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Release.Name }}-postgresql"
+                  key: postgresql-password
+          ports:
+            - name: http
+              containerPort: 8000
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /
+              port: http
+              httpHeaders:
+                - name: Host
+                  value: kubernetes-healthcheck-host
+          readinessProbe:
+            httpGet:
+              path: /
+              port: http
+              httpHeaders:
+                - name: Host
+                  value: kubernetes-healthcheck-host
+          resources:
+            requests:
+              cpu: 100m
+              memory: 200M
+            limits:
+              cpu: 300m
+              memory: 350M

helm/passbook/templates/web-service.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: {{ include "passbook.fullname" . }}
+  name: {{ include "passbook.fullname" . }}-web
   labels:
     app.kubernetes.io/name: {{ include "passbook.name" . }}
     helm.sh/chart: {{ include "passbook.chart" . }}

helm/passbook/templates/worker-deployment.yaml

@@ -0,0 +1,69 @@
+apiVersion: apps/v1beta2
+kind: Deployment
+metadata:
+  name: {{ include "passbook.fullname" . }}-worker
+  labels:
+    app.kubernetes.io/name: {{ include "passbook.name" . }}
+    helm.sh/chart: {{ include "passbook.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ include "passbook.name" . }}
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: {{ include "passbook.name" . }}
+        app.kubernetes.io/instance: {{ .Release.Name }}
+        passbook.io/component: worker
+    spec:
+      volumes:
+        - name: config-volume
+          configMap:
+            name: {{ include "passbook.fullname" . }}-config
+      containers:
+        - name: {{ .Chart.Name }}
+          image: "docker.beryju.org/passbook/server:{{ .Values.image.tag }}"
+          imagePullPolicy: IfNotPresent
+          command:
+            - celery
+          args:
+            - worker
+            - --autoscale=10,3
+            - -E
+            - -B
+            - -A=passbook.root.celery
+            - -s=/tmp/celerybeat-schedule
+          volumeMounts:
+            - mountPath: /etc/passbook
+              name: config-volume
+          envFrom:
+            - configMapRef:
+                name: {{ include "passbook.fullname" . }}-config
+              prefix: PASSBOOK_
+          env:
+            - name: PASSBOOK_SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "passbook.fullname" . }}-secret-key
+                  key: secret_key
+            - name: PASSBOOK_REDIS__PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Release.Name }}-redis"
+                  key: redis-password
+            - name: PASSBOOK_POSTGRESQL__PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Release.Name }}-postgresql"
+                  key: postgresql-password
+          resources:
+            requests:
+              cpu: 150m
+              memory: 300M
+            limits:
+              cpu: 300m
+              memory: 500M

helm/passbook/values.yaml

@@ -1,11 +1,8 @@
 # Default values for passbook.
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
-
-replicaCount: 1
-
 image:
-  tag: 0.1.30-beta
+  tag: 0.6.9-beta
 
 nameOverride: ""
 
@@ -19,11 +16,13 @@ config:
 
 postgresql:
   postgresqlDatabase: passbook
-  postgresqlPassword: foo
 
-rabbitmq:
-  rabbitmq:
-    password: foo
+redis:
+  cluster:
+    enabled: false
+  master:
+    persistence:
+      enabled: false
 
 service:
   type: ClusterIP
@@ -37,26 +36,7 @@ ingress:
   path: /
   hosts:
     - passbook.k8s.local
-  defaultHost: passbook.k8s.local
   tls: []
   #  - secretName: chart-example-tls
   #    hosts:
   #      - passbook.k8s.local
-
-resources: {}
-  # We usually recommend not to specify default resources and to leave this as a conscious
-  # choice for the user. This also increases chances charts run on environments with little
-  # resources, such as Minikube. If you do want to specify resources, uncomment the following
-  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
-  # limits:
-  #  cpu: 100m
-  #  memory: 128Mi
-  # requests:
-  #  cpu: 100m
-  #  memory: 128Mi
-
-nodeSelector: {}
-
-tolerations: []
-
-affinity: {}

manage.py

@@ -4,7 +4,7 @@ import os
 import sys
 
 if __name__ == '__main__':
-    os.environ.setdefault('DJANGO_SETTINGS_MODULE', 'passbook.core.settings')
+    os.environ.setdefault('DJANGO_SETTINGS_MODULE', 'passbook.root.settings')
     try:
         from django.core.management import execute_from_command_line
     except ImportError as exc:

passbook.sh

@@ -1,7 +0,0 @@
-#!/bin/bash
-
-# Check if this file is a symlink, if so, read real base dir
-BASE_DIR=$(dirname $(readlink -f ${BASH_SOURCE[0]}))
-
-cd $BASE_DIR
-PYTHONPATH="${BASE_DIR}/vendor/" python3 manage.py $@

passbook/__init__.py

@@ -1,2 +1,2 @@
 """passbook"""
-__version__ = '0.1.30-beta'
+__version__ = '0.6.9-beta'

passbook/admin/__init__.py

@@ -1,2 +0,0 @@
-"""passbook admin"""
-__version__ = '0.1.30-beta'

passbook/admin/fields.py

@@ -0,0 +1,61 @@
+"""YAML fields"""
+import yaml
+from django import forms
+from django.utils.translation import gettext_lazy as _
+
+
+class InvalidYAMLInput(str):
+    """Invalid YAML String type"""
+
+
+class YAMLString(str):
+    """YAML String type"""
+
+
+class YAMLField(forms.CharField):
+    """Django's JSON Field converted to YAML"""
+
+    default_error_messages = {
+        'invalid': _("'%(value)s' value must be valid YAML."),
+    }
+    widget = forms.Textarea
+
+    def to_python(self, value):
+        if self.disabled:
+            return value
+        if value in self.empty_values:
+            return None
+        if isinstance(value, (list, dict, int, float, YAMLString)):
+            return value
+        try:
+            converted = yaml.safe_load(value)
+        except yaml.YAMLError:
+            raise forms.ValidationError(
+                self.error_messages['invalid'],
+                code='invalid',
+                params={'value': value},
+            )
+        if isinstance(converted, str):
+            return YAMLString(converted)
+        return converted
+
+    def bound_data(self, data, initial):
+        if self.disabled:
+            return initial
+        try:
+            return yaml.safe_load(data)
+        except yaml.YAMLError:
+            return InvalidYAMLInput(data)
+
+    def prepare_value(self, value):
+        if isinstance(value, InvalidYAMLInput):
+            return value
+        return yaml.dump(value, explicit_start=True)
+
+    def has_changed(self, initial, data):
+        if super().has_changed(initial, data):
+            return True
+        # For purposes of seeing whether something has changed, True isn't the
+        # same as 1 and the order of keys doesn't matter.
+        data = self.to_python(data)
+        return yaml.dump(initial, sort_keys=True) != yaml.dump(data, sort_keys=True)

passbook/admin/forms/base.py

@@ -0,0 +1,37 @@
+"""p2 form helpers"""
+from django import forms
+
+from passbook.admin.fields import YAMLField
+
+
+class TagModelForm(forms.ModelForm):
+    """Base form for models that have attributes"""
+
+    def __init__(self, *args, **kwargs):
+        # Check if we have an instance, load tags otherwise use an empty dict
+        instance = kwargs.get('instance', None)
+        tags = instance.tags if instance else {}
+        # Make sure all predefined tags exist in tags, and set default if they don't
+        predefined_tags = self._meta.model().get_predefined_tags()  # pylint: disable=no-member
+        for key, value in predefined_tags.items():
+            if key not in tags:
+                tags[key] = value
+        # Format JSON
+        kwargs['initial']['tags'] = tags
+        super().__init__(*args, **kwargs)
+
+    def clean_tags(self):
+        """Make sure all required tags are set"""
+        if hasattr(self.instance, 'get_required_keys') and hasattr(self.instance, 'tags'):
+            for key in self.instance.get_required_keys():
+                if key not in self.cleaned_data.get('tags'):
+                    raise forms.ValidationError("Tag %s missing." % key)
+        return self.cleaned_data.get('tags')
+
+# pylint: disable=too-few-public-methods
+class TagModelFormMeta:
+    """Base Meta class that uses the YAMLField"""
+
+    field_classes = {
+        'tags': YAMLField
+    }

passbook/admin/forms/users.py

@@ -2,6 +2,7 @@
 
 from django import forms
 
+from passbook.admin.fields import YAMLField
 from passbook.core.models import User
 
 
@@ -11,7 +12,10 @@ class UserForm(forms.ModelForm):
     class Meta:
 
         model = User
-        fields = ['username', 'name', 'email', 'is_staff', 'is_active']
+        fields = ['username', 'name', 'email', 'is_staff', 'is_active', 'attributes']
         widgets = {
-            'name': forms.TextInput
+            'name': forms.TextInput,
+        }
+        field_classes = {
+            'attributes': YAMLField,
         }

passbook/admin/requirements.txt

@@ -1,2 +0,0 @@
-django-rest-framework
-drf_yasg

passbook/admin/static/codemirror/addon/comment/comment.js

@@ -0,0 +1,209 @@
+// CodeMirror, copyright (c) by Marijn Haverbeke and others
+// Distributed under an MIT license: https://codemirror.net/LICENSE
+
+(function(mod) {
+  if (typeof exports == "object" && typeof module == "object") // CommonJS
+    mod(require("../../lib/codemirror"));
+  else if (typeof define == "function" && define.amd) // AMD
+    define(["../../lib/codemirror"], mod);
+  else // Plain browser env
+    mod(CodeMirror);
+})(function(CodeMirror) {
+  "use strict";
+
+  var noOptions = {};
+  var nonWS = /[^\s\u00a0]/;
+  var Pos = CodeMirror.Pos;
+
+  function firstNonWS(str) {
+    var found = str.search(nonWS);
+    return found == -1 ? 0 : found;
+  }
+
+  CodeMirror.commands.toggleComment = function(cm) {
+    cm.toggleComment();
+  };
+
+  CodeMirror.defineExtension("toggleComment", function(options) {
+    if (!options) options = noOptions;
+    var cm = this;
+    var minLine = Infinity, ranges = this.listSelections(), mode = null;
+    for (var i = ranges.length - 1; i >= 0; i--) {
+      var from = ranges[i].from(), to = ranges[i].to();
+      if (from.line >= minLine) continue;
+      if (to.line >= minLine) to = Pos(minLine, 0);
+      minLine = from.line;
+      if (mode == null) {
+        if (cm.uncomment(from, to, options)) mode = "un";
+        else { cm.lineComment(from, to, options); mode = "line"; }
+      } else if (mode == "un") {
+        cm.uncomment(from, to, options);
+      } else {
+        cm.lineComment(from, to, options);
+      }
+    }
+  });
+
+  // Rough heuristic to try and detect lines that are part of multi-line string
+  function probablyInsideString(cm, pos, line) {
+    return /\bstring\b/.test(cm.getTokenTypeAt(Pos(pos.line, 0))) && !/^[\'\"\`]/.test(line)
+  }
+
+  function getMode(cm, pos) {
+    var mode = cm.getMode()
+    return mode.useInnerComments === false || !mode.innerMode ? mode : cm.getModeAt(pos)
+  }
+
+  CodeMirror.defineExtension("lineComment", function(from, to, options) {
+    if (!options) options = noOptions;
+    var self = this, mode = getMode(self, from);
+    var firstLine = self.getLine(from.line);
+    if (firstLine == null || probablyInsideString(self, from, firstLine)) return;
+
+    var commentString = options.lineComment || mode.lineComment;
+    if (!commentString) {
+      if (options.blockCommentStart || mode.blockCommentStart) {
+        options.fullLines = true;
+        self.blockComment(from, to, options);
+      }
+      return;
+    }
+
+    var end = Math.min(to.ch != 0 || to.line == from.line ? to.line + 1 : to.line, self.lastLine() + 1);
+    var pad = options.padding == null ? " " : options.padding;
+    var blankLines = options.commentBlankLines || from.line == to.line;
+
+    self.operation(function() {
+      if (options.indent) {
+        var baseString = null;
+        for (var i = from.line; i < end; ++i) {
+          var line = self.getLine(i);
+          var whitespace = line.slice(0, firstNonWS(line));
+          if (baseString == null || baseString.length > whitespace.length) {
+            baseString = whitespace;
+          }
+        }
+        for (var i = from.line; i < end; ++i) {
+          var line = self.getLine(i), cut = baseString.length;
+          if (!blankLines && !nonWS.test(line)) continue;
+          if (line.slice(0, cut) != baseString) cut = firstNonWS(line);
+          self.replaceRange(baseString + commentString + pad, Pos(i, 0), Pos(i, cut));
+        }
+      } else {
+        for (var i = from.line; i < end; ++i) {
+          if (blankLines || nonWS.test(self.getLine(i)))
+            self.replaceRange(commentString + pad, Pos(i, 0));
+        }
+      }
+    });
+  });
+
+  CodeMirror.defineExtension("blockComment", function(from, to, options) {
+    if (!options) options = noOptions;
+    var self = this, mode = getMode(self, from);
+    var startString = options.blockCommentStart || mode.blockCommentStart;
+    var endString = options.blockCommentEnd || mode.blockCommentEnd;
+    if (!startString || !endString) {
+      if ((options.lineComment || mode.lineComment) && options.fullLines != false)
+        self.lineComment(from, to, options);
+      return;
+    }
+    if (/\bcomment\b/.test(self.getTokenTypeAt(Pos(from.line, 0)))) return
+
+    var end = Math.min(to.line, self.lastLine());
+    if (end != from.line && to.ch == 0 && nonWS.test(self.getLine(end))) --end;
+
+    var pad = options.padding == null ? " " : options.padding;
+    if (from.line > end) return;
+
+    self.operation(function() {
+      if (options.fullLines != false) {
+        var lastLineHasText = nonWS.test(self.getLine(end));
+        self.replaceRange(pad + endString, Pos(end));
+        self.replaceRange(startString + pad, Pos(from.line, 0));
+        var lead = options.blockCommentLead || mode.blockCommentLead;
+        if (lead != null) for (var i = from.line + 1; i <= end; ++i)
+          if (i != end || lastLineHasText)
+            self.replaceRange(lead + pad, Pos(i, 0));
+      } else {
+        self.replaceRange(endString, to);
+        self.replaceRange(startString, from);
+      }
+    });
+  });
+
+  CodeMirror.defineExtension("uncomment", function(from, to, options) {
+    if (!options) options = noOptions;
+    var self = this, mode = getMode(self, from);
+    var end = Math.min(to.ch != 0 || to.line == from.line ? to.line : to.line - 1, self.lastLine()), start = Math.min(from.line, end);
+
+    // Try finding line comments
+    var lineString = options.lineComment || mode.lineComment, lines = [];
+    var pad = options.padding == null ? " " : options.padding, didSomething;
+    lineComment: {
+      if (!lineString) break lineComment;
+      for (var i = start; i <= end; ++i) {
+        var line = self.getLine(i);
+        var found = line.indexOf(lineString);
+        if (found > -1 && !/comment/.test(self.getTokenTypeAt(Pos(i, found + 1)))) found = -1;
+        if (found == -1 && nonWS.test(line)) break lineComment;
+        if (found > -1 && nonWS.test(line.slice(0, found))) break lineComment;
+        lines.push(line);
+      }
+      self.operation(function() {
+        for (var i = start; i <= end; ++i) {
+          var line = lines[i - start];
+          var pos = line.indexOf(lineString), endPos = pos + lineString.length;
+          if (pos < 0) continue;
+          if (line.slice(endPos, endPos + pad.length) == pad) endPos += pad.length;
+          didSomething = true;
+          self.replaceRange("", Pos(i, pos), Pos(i, endPos));
+        }
+      });
+      if (didSomething) return true;
+    }
+
+    // Try block comments
+    var startString = options.blockCommentStart || mode.blockCommentStart;
+    var endString = options.blockCommentEnd || mode.blockCommentEnd;
+    if (!startString || !endString) return false;
+    var lead = options.blockCommentLead || mode.blockCommentLead;
+    var startLine = self.getLine(start), open = startLine.indexOf(startString)
+    if (open == -1) return false
+    var endLine = end == start ? startLine : self.getLine(end)
+    var close = endLine.indexOf(endString, end == start ? open + startString.length : 0);
+    var insideStart = Pos(start, open + 1), insideEnd = Pos(end, close + 1)
+    if (close == -1 ||
+        !/comment/.test(self.getTokenTypeAt(insideStart)) ||
+        !/comment/.test(self.getTokenTypeAt(insideEnd)) ||
+        self.getRange(insideStart, insideEnd, "\n").indexOf(endString) > -1)
+      return false;
+
+    // Avoid killing block comments completely outside the selection.
+    // Positions of the last startString before the start of the selection, and the first endString after it.
+    var lastStart = startLine.lastIndexOf(startString, from.ch);
+    var firstEnd = lastStart == -1 ? -1 : startLine.slice(0, from.ch).indexOf(endString, lastStart + startString.length);
+    if (lastStart != -1 && firstEnd != -1 && firstEnd + endString.length != from.ch) return false;
+    // Positions of the first endString after the end of the selection, and the last startString before it.
+    firstEnd = endLine.indexOf(endString, to.ch);
+    var almostLastStart = endLine.slice(to.ch).lastIndexOf(startString, firstEnd - to.ch);
+    lastStart = (firstEnd == -1 || almostLastStart == -1) ? -1 : to.ch + almostLastStart;
+    if (firstEnd != -1 && lastStart != -1 && lastStart != to.ch) return false;
+
+    self.operation(function() {
+      self.replaceRange("", Pos(end, close - (pad && endLine.slice(close - pad.length, close) == pad ? pad.length : 0)),
+                        Pos(end, close + endString.length));
+      var openEnd = open + startString.length;
+      if (pad && startLine.slice(openEnd, openEnd + pad.length) == pad) openEnd += pad.length;
+      self.replaceRange("", Pos(start, open), Pos(start, openEnd));
+      if (lead) for (var i = start + 1; i <= end; ++i) {
+        var line = self.getLine(i), found = line.indexOf(lead);
+        if (found == -1 || nonWS.test(line.slice(0, found))) continue;
+        var foundEnd = found + lead.length;
+        if (pad && line.slice(foundEnd, foundEnd + pad.length) == pad) foundEnd += pad.length;
+        self.replaceRange("", Pos(i, found), Pos(i, foundEnd));
+      }
+    });
+    return true;
+  });
+});

passbook/admin/static/codemirror/addon/comment/continuecomment.js

@@ -0,0 +1,78 @@
+// CodeMirror, copyright (c) by Marijn Haverbeke and others
+// Distributed under an MIT license: https://codemirror.net/LICENSE
+
+(function(mod) {
+  if (typeof exports == "object" && typeof module == "object") // CommonJS
+    mod(require("../../lib/codemirror"));
+  else if (typeof define == "function" && define.amd) // AMD
+    define(["../../lib/codemirror"], mod);
+  else // Plain browser env
+    mod(CodeMirror);
+})(function(CodeMirror) {
+  function continueComment(cm) {
+    if (cm.getOption("disableInput")) return CodeMirror.Pass;
+    var ranges = cm.listSelections(), mode, inserts = [];
+    for (var i = 0; i < ranges.length; i++) {
+      var pos = ranges[i].head
+      if (!/\bcomment\b/.test(cm.getTokenTypeAt(pos))) return CodeMirror.Pass;
+      var modeHere = cm.getModeAt(pos)
+      if (!mode) mode = modeHere;
+      else if (mode != modeHere) return CodeMirror.Pass;
+
+      var insert = null;
+      if (mode.blockCommentStart && mode.blockCommentContinue) {
+        var line = cm.getLine(pos.line).slice(0, pos.ch)
+        var end = line.lastIndexOf(mode.blockCommentEnd), found
+        if (end != -1 && end == pos.ch - mode.blockCommentEnd.length) {
+          // Comment ended, don't continue it
+        } else if ((found = line.lastIndexOf(mode.blockCommentStart)) > -1 && found > end) {
+          insert = line.slice(0, found)
+          if (/\S/.test(insert)) {
+            insert = ""
+            for (var j = 0; j < found; ++j) insert += " "
+          }
+        } else if ((found = line.indexOf(mode.blockCommentContinue)) > -1 && !/\S/.test(line.slice(0, found))) {
+          insert = line.slice(0, found)
+        }
+        if (insert != null) insert += mode.blockCommentContinue
+      }
+      if (insert == null && mode.lineComment && continueLineCommentEnabled(cm)) {
+        var line = cm.getLine(pos.line), found = line.indexOf(mode.lineComment);
+        if (found > -1) {
+          insert = line.slice(0, found);
+          if (/\S/.test(insert)) insert = null;
+          else insert += mode.lineComment + line.slice(found + mode.lineComment.length).match(/^\s*/)[0];
+        }
+      }
+      if (insert == null) return CodeMirror.Pass;
+      inserts[i] = "\n" + insert;
+    }
+
+    cm.operation(function() {
+      for (var i = ranges.length - 1; i >= 0; i--)
+        cm.replaceRange(inserts[i], ranges[i].from(), ranges[i].to(), "+insert");
+    });
+  }
+
+  function continueLineCommentEnabled(cm) {
+    var opt = cm.getOption("continueComments");
+    if (opt && typeof opt == "object")
+      return opt.continueLineComment !== false;
+    return true;
+  }
+
+  CodeMirror.defineOption("continueComments", null, function(cm, val, prev) {
+    if (prev && prev != CodeMirror.Init)
+      cm.removeKeyMap("continueComment");
+    if (val) {
+      var key = "Enter";
+      if (typeof val == "string")
+        key = val;
+      else if (typeof val == "object" && val.key)
+        key = val.key;
+      var map = {name: "continueComment"};
+      map[key] = continueComment;
+      cm.addKeyMap(map);
+    }
+  });
+});

passbook/admin/static/codemirror/addon/dialog/dialog.css

@@ -0,0 +1,32 @@
+.CodeMirror-dialog {
+  position: absolute;
+  left: 0; right: 0;
+  background: inherit;
+  z-index: 15;
+  padding: .1em .8em;
+  overflow: hidden;
+  color: inherit;
+}
+
+.CodeMirror-dialog-top {
+  border-bottom: 1px solid #eee;
+  top: 0;
+}
+
+.CodeMirror-dialog-bottom {
+  border-top: 1px solid #eee;
+  bottom: 0;
+}
+
+.CodeMirror-dialog input {
+  border: none;
+  outline: none;
+  background: transparent;
+  width: 20em;
+  color: inherit;
+  font-family: monospace;
+}
+
+.CodeMirror-dialog button {
+  font-size: 70%;
+}

passbook/admin/static/codemirror/addon/dialog/dialog.js

@@ -0,0 +1,161 @@
+// CodeMirror, copyright (c) by Marijn Haverbeke and others
+// Distributed under an MIT license: https://codemirror.net/LICENSE
+
+// Open simple dialogs on top of an editor. Relies on dialog.css.
+
+(function(mod) {
+  if (typeof exports == "object" && typeof module == "object") // CommonJS
+    mod(require("../../lib/codemirror"));
+  else if (typeof define == "function" && define.amd) // AMD
+    define(["../../lib/codemirror"], mod);
+  else // Plain browser env
+    mod(CodeMirror);
+})(function(CodeMirror) {
+  function dialogDiv(cm, template, bottom) {
+    var wrap = cm.getWrapperElement();
+    var dialog;
+    dialog = wrap.appendChild(document.createElement("div"));
+    if (bottom)
+      dialog.className = "CodeMirror-dialog CodeMirror-dialog-bottom";
+    else
+      dialog.className = "CodeMirror-dialog CodeMirror-dialog-top";
+
+    if (typeof template == "string") {
+      dialog.innerHTML = template;
+    } else { // Assuming it's a detached DOM element.
+      dialog.appendChild(template);
+    }
+    CodeMirror.addClass(wrap, 'dialog-opened');
+    return dialog;
+  }
+
+  function closeNotification(cm, newVal) {
+    if (cm.state.currentNotificationClose)
+      cm.state.currentNotificationClose();
+    cm.state.currentNotificationClose = newVal;
+  }
+
+  CodeMirror.defineExtension("openDialog", function(template, callback, options) {
+    if (!options) options = {};
+
+    closeNotification(this, null);
+
+    var dialog = dialogDiv(this, template, options.bottom);
+    var closed = false, me = this;
+    function close(newVal) {
+      if (typeof newVal == 'string') {
+        inp.value = newVal;
+      } else {
+        if (closed) return;
+        closed = true;
+        CodeMirror.rmClass(dialog.parentNode, 'dialog-opened');
+        dialog.parentNode.removeChild(dialog);
+        me.focus();
+
+        if (options.onClose) options.onClose(dialog);
+      }
+    }
+
+    var inp = dialog.getElementsByTagName("input")[0], button;
+    if (inp) {
+      inp.focus();
+
+      if (options.value) {
+        inp.value = options.value;
+        if (options.selectValueOnOpen !== false) {
+          inp.select();
+        }
+      }
+
+      if (options.onInput)
+        CodeMirror.on(inp, "input", function(e) { options.onInput(e, inp.value, close);});
+      if (options.onKeyUp)
+        CodeMirror.on(inp, "keyup", function(e) {options.onKeyUp(e, inp.value, close);});
+
+      CodeMirror.on(inp, "keydown", function(e) {
+        if (options && options.onKeyDown && options.onKeyDown(e, inp.value, close)) { return; }
+        if (e.keyCode == 27 || (options.closeOnEnter !== false && e.keyCode == 13)) {
+          inp.blur();
+          CodeMirror.e_stop(e);
+          close();
+        }
+        if (e.keyCode == 13) callback(inp.value, e);
+      });
+
+      if (options.closeOnBlur !== false) CodeMirror.on(inp, "blur", close);
+    } else if (button = dialog.getElementsByTagName("button")[0]) {
+      CodeMirror.on(button, "click", function() {
+        close();
+        me.focus();
+      });
+
+      if (options.closeOnBlur !== false) CodeMirror.on(button, "blur", close);
+
+      button.focus();
+    }
+    return close;
+  });
+
+  CodeMirror.defineExtension("openConfirm", function(template, callbacks, options) {
+    closeNotification(this, null);
+    var dialog = dialogDiv(this, template, options && options.bottom);
+    var buttons = dialog.getElementsByTagName("button");
+    var closed = false, me = this, blurring = 1;
+    function close() {
+      if (closed) return;
+      closed = true;
+      CodeMirror.rmClass(dialog.parentNode, 'dialog-opened');
+      dialog.parentNode.removeChild(dialog);
+      me.focus();
+    }
+    buttons[0].focus();
+    for (var i = 0; i < buttons.length; ++i) {
+      var b = buttons[i];
+      (function(callback) {
+        CodeMirror.on(b, "click", function(e) {
+          CodeMirror.e_preventDefault(e);
+          close();
+          if (callback) callback(me);
+        });
+      })(callbacks[i]);
+      CodeMirror.on(b, "blur", function() {
+        --blurring;
+        setTimeout(function() { if (blurring <= 0) close(); }, 200);
+      });
+      CodeMirror.on(b, "focus", function() { ++blurring; });
+    }
+  });
+
+  /*
+   * openNotification
+   * Opens a notification, that can be closed with an optional timer
+   * (default 5000ms timer) and always closes on click.
+   *
+   * If a notification is opened while another is opened, it will close the
+   * currently opened one and open the new one immediately.
+   */
+  CodeMirror.defineExtension("openNotification", function(template, options) {
+    closeNotification(this, close);
+    var dialog = dialogDiv(this, template, options && options.bottom);
+    var closed = false, doneTimer;
+    var duration = options && typeof options.duration !== "undefined" ? options.duration : 5000;
+
+    function close() {
+      if (closed) return;
+      closed = true;
+      clearTimeout(doneTimer);
+      CodeMirror.rmClass(dialog.parentNode, 'dialog-opened');
+      dialog.parentNode.removeChild(dialog);
+    }
+
+    CodeMirror.on(dialog, 'click', function(e) {
+      CodeMirror.e_preventDefault(e);
+      close();
+    });
+
+    if (duration)
+      doneTimer = setTimeout(close, duration);
+
+    return close;
+  });
+});

passbook/admin/static/codemirror/addon/display/autorefresh.js

@@ -0,0 +1,47 @@
+// CodeMirror, copyright (c) by Marijn Haverbeke and others
+// Distributed under an MIT license: https://codemirror.net/LICENSE
+
+(function(mod) {
+  if (typeof exports == "object" && typeof module == "object") // CommonJS
+    mod(require("../../lib/codemirror"))
+  else if (typeof define == "function" && define.amd) // AMD
+    define(["../../lib/codemirror"], mod)
+  else // Plain browser env
+    mod(CodeMirror)
+})(function(CodeMirror) {
+  "use strict"
+
+  CodeMirror.defineOption("autoRefresh", false, function(cm, val) {
+    if (cm.state.autoRefresh) {
+      stopListening(cm, cm.state.autoRefresh)
+      cm.state.autoRefresh = null
+    }
+    if (val && cm.display.wrapper.offsetHeight == 0)
+      startListening(cm, cm.state.autoRefresh = {delay: val.delay || 250})
+  })
+
+  function startListening(cm, state) {
+    function check() {
+      if (cm.display.wrapper.offsetHeight) {
+        stopListening(cm, state)
+        if (cm.display.lastWrapHeight != cm.display.wrapper.clientHeight)
+          cm.refresh()
+      } else {
+        state.timeout = setTimeout(check, state.delay)
+      }
+    }
+    state.timeout = setTimeout(check, state.delay)
+    state.hurry = function() {
+      clearTimeout(state.timeout)
+      state.timeout = setTimeout(check, 50)
+    }
+    CodeMirror.on(window, "mouseup", state.hurry)
+    CodeMirror.on(window, "keyup", state.hurry)
+  }
+
+  function stopListening(_cm, state) {
+    clearTimeout(state.timeout)
+    CodeMirror.off(window, "mouseup", state.hurry)
+    CodeMirror.off(window, "keyup", state.hurry)
+  }
+});

passbook/admin/static/codemirror/addon/display/fullscreen.css

@@ -0,0 +1,6 @@
+.CodeMirror-fullscreen {
+  position: fixed;
+  top: 0; left: 0; right: 0; bottom: 0;
+  height: auto;
+  z-index: 9;
+}

passbook/admin/static/codemirror/addon/display/fullscreen.js

@@ -0,0 +1,41 @@
+// CodeMirror, copyright (c) by Marijn Haverbeke and others
+// Distributed under an MIT license: https://codemirror.net/LICENSE
+
+(function(mod) {
+  if (typeof exports == "object" && typeof module == "object") // CommonJS
+    mod(require("../../lib/codemirror"));
+  else if (typeof define == "function" && define.amd) // AMD
+    define(["../../lib/codemirror"], mod);
+  else // Plain browser env
+    mod(CodeMirror);
+})(function(CodeMirror) {
+  "use strict";
+
+  CodeMirror.defineOption("fullScreen", false, function(cm, val, old) {
+    if (old == CodeMirror.Init) old = false;
+    if (!old == !val) return;
+    if (val) setFullscreen(cm);
+    else setNormal(cm);
+  });
+
+  function setFullscreen(cm) {
+    var wrap = cm.getWrapperElement();
+    cm.state.fullScreenRestore = {scrollTop: window.pageYOffset, scrollLeft: window.pageXOffset,
+                                  width: wrap.style.width, height: wrap.style.height};
+    wrap.style.width = "";
+    wrap.style.height = "auto";
+    wrap.className += " CodeMirror-fullscreen";
+    document.documentElement.style.overflow = "hidden";
+    cm.refresh();
+  }
+
+  function setNormal(cm) {
+    var wrap = cm.getWrapperElement();
+    wrap.className = wrap.className.replace(/\s*CodeMirror-fullscreen\b/, "");
+    document.documentElement.style.overflow = "";
+    var info = cm.state.fullScreenRestore;
+    wrap.style.width = info.width; wrap.style.height = info.height;
+    window.scrollTo(info.scrollLeft, info.scrollTop);
+    cm.refresh();
+  }
+});

passbook/admin/static/codemirror/addon/display/panel.js

@@ -0,0 +1,127 @@
+// CodeMirror, copyright (c) by Marijn Haverbeke and others
+// Distributed under an MIT license: https://codemirror.net/LICENSE
+
+(function(mod) {
+  if (typeof exports == "object" && typeof module == "object") // CommonJS
+    mod(require("../../lib/codemirror"));
+  else if (typeof define == "function" && define.amd) // AMD
+    define(["../../lib/codemirror"], mod);
+  else // Plain browser env
+    mod(CodeMirror);
+})(function(CodeMirror) {
+  CodeMirror.defineExtension("addPanel", function(node, options) {
+    options = options || {};
+
+    if (!this.state.panels) initPanels(this);
+
+    var info = this.state.panels;
+    var wrapper = info.wrapper;
+    var cmWrapper = this.getWrapperElement();
+    var replace = options.replace instanceof Panel && !options.replace.cleared;
+
+    if (options.after instanceof Panel && !options.after.cleared) {
+      wrapper.insertBefore(node, options.before.node.nextSibling);
+    } else if (options.before instanceof Panel && !options.before.cleared) {
+      wrapper.insertBefore(node, options.before.node);
+    } else if (replace) {
+      wrapper.insertBefore(node, options.replace.node);
+      info.panels++;
+      options.replace.clear();
+    } else if (options.position == "bottom") {
+      wrapper.appendChild(node);
+    } else if (options.position == "before-bottom") {
+      wrapper.insertBefore(node, cmWrapper.nextSibling);
+    } else if (options.position == "after-top") {
+      wrapper.insertBefore(node, cmWrapper);
+    } else {
+      wrapper.insertBefore(node, wrapper.firstChild);
+    }
+
+    var height = (options && options.height) || node.offsetHeight;
+    this._setSize(null, info.heightLeft -= height);
+    if (!replace) {
+      info.panels++;
+    }
+    if (options.stable && isAtTop(this, node))
+      this.scrollTo(null, this.getScrollInfo().top + height)
+
+    return new Panel(this, node, options, height);
+  });
+
+  function Panel(cm, node, options, height) {
+    this.cm = cm;
+    this.node = node;
+    this.options = options;
+    this.height = height;
+    this.cleared = false;
+  }
+
+  Panel.prototype.clear = function() {
+    if (this.cleared) return;
+    this.cleared = true;
+    var info = this.cm.state.panels;
+    this.cm._setSize(null, info.heightLeft += this.height);
+    if (this.options.stable && isAtTop(this.cm, this.node))
+      this.cm.scrollTo(null, this.cm.getScrollInfo().top - this.height)
+    info.wrapper.removeChild(this.node);
+    if (--info.panels == 0) removePanels(this.cm);
+  };
+
+  Panel.prototype.changed = function(height) {
+    var newHeight = height == null ? this.node.offsetHeight : height;
+    var info = this.cm.state.panels;
+    this.cm._setSize(null, info.heightLeft -= (newHeight - this.height));
+    this.height = newHeight;
+  };
+
+  function initPanels(cm) {
+    var wrap = cm.getWrapperElement();
+    var style = window.getComputedStyle ? window.getComputedStyle(wrap) : wrap.currentStyle;
+    var height = parseInt(style.height);
+    var info = cm.state.panels = {
+      setHeight: wrap.style.height,
+      heightLeft: height,
+      panels: 0,
+      wrapper: document.createElement("div")
+    };
+    wrap.parentNode.insertBefore(info.wrapper, wrap);
+    var hasFocus = cm.hasFocus();
+    info.wrapper.appendChild(wrap);
+    if (hasFocus) cm.focus();
+
+    cm._setSize = cm.setSize;
+    if (height != null) cm.setSize = function(width, newHeight) {
+      if (newHeight == null) return this._setSize(width, newHeight);
+      info.setHeight = newHeight;
+      if (typeof newHeight != "number") {
+        var px = /^(\d+\.?\d*)px$/.exec(newHeight);
+        if (px) {
+          newHeight = Number(px[1]);
+        } else {
+          info.wrapper.style.height = newHeight;
+          newHeight = info.wrapper.offsetHeight;
+          info.wrapper.style.height = "";
+        }
+      }
+      cm._setSize(width, info.heightLeft += (newHeight - height));
+      height = newHeight;
+    };
+  }
+
+  function removePanels(cm) {
+    var info = cm.state.panels;
+    cm.state.panels = null;
+
+    var wrap = cm.getWrapperElement();
+    info.wrapper.parentNode.replaceChild(wrap, info.wrapper);
+    wrap.style.height = info.setHeight;
+    cm.setSize = cm._setSize;
+    cm.setSize();
+  }
+
+  function isAtTop(cm, dom) {
+    for (var sibling = dom.nextSibling; sibling; sibling = sibling.nextSibling)
+      if (sibling == cm.getWrapperElement()) return true
+    return false
+  }
+});

passbook/admin/static/codemirror/addon/display/placeholder.js

@@ -0,0 +1,63 @@
+// CodeMirror, copyright (c) by Marijn Haverbeke and others
+// Distributed under an MIT license: https://codemirror.net/LICENSE
+
+(function(mod) {
+  if (typeof exports == "object" && typeof module == "object") // CommonJS
+    mod(require("../../lib/codemirror"));
+  else if (typeof define == "function" && define.amd) // AMD
+    define(["../../lib/codemirror"], mod);
+  else // Plain browser env
+    mod(CodeMirror);
+})(function(CodeMirror) {
+  CodeMirror.defineOption("placeholder", "", function(cm, val, old) {
+    var prev = old && old != CodeMirror.Init;
+    if (val && !prev) {
+      cm.on("blur", onBlur);
+      cm.on("change", onChange);
+      cm.on("swapDoc", onChange);
+      onChange(cm);
+    } else if (!val && prev) {
+      cm.off("blur", onBlur);
+      cm.off("change", onChange);
+      cm.off("swapDoc", onChange);
+      clearPlaceholder(cm);
+      var wrapper = cm.getWrapperElement();
+      wrapper.className = wrapper.className.replace(" CodeMirror-empty", "");
+    }
+
+    if (val && !cm.hasFocus()) onBlur(cm);
+  });
+
+  function clearPlaceholder(cm) {
+    if (cm.state.placeholder) {
+      cm.state.placeholder.parentNode.removeChild(cm.state.placeholder);
+      cm.state.placeholder = null;
+    }
+  }
+  function setPlaceholder(cm) {
+    clearPlaceholder(cm);
+    var elt = cm.state.placeholder = document.createElement("pre");
+    elt.style.cssText = "height: 0; overflow: visible";
+    elt.style.direction = cm.getOption("direction");
+    elt.className = "CodeMirror-placeholder CodeMirror-line-like";
+    var placeHolder = cm.getOption("placeholder")
+    if (typeof placeHolder == "string") placeHolder = document.createTextNode(placeHolder)
+    elt.appendChild(placeHolder)
+    cm.display.lineSpace.insertBefore(elt, cm.display.lineSpace.firstChild);
+  }
+
+  function onBlur(cm) {
+    if (isEmpty(cm)) setPlaceholder(cm);
+  }
+  function onChange(cm) {
+    var wrapper = cm.getWrapperElement(), empty = isEmpty(cm);
+    wrapper.className = wrapper.className.replace(" CodeMirror-empty", "") + (empty ? " CodeMirror-empty" : "");
+
+    if (empty) setPlaceholder(cm);
+    else clearPlaceholder(cm);
+  }
+
+  function isEmpty(cm) {
+    return (cm.lineCount() === 1) && (cm.getLine(0) === "");
+  }
+});

passbook/admin/static/codemirror/addon/display/rulers.js

@@ -0,0 +1,51 @@
+// CodeMirror, copyright (c) by Marijn Haverbeke and others
+// Distributed under an MIT license: https://codemirror.net/LICENSE
+
+(function(mod) {
+  if (typeof exports == "object" && typeof module == "object") // CommonJS
+    mod(require("../../lib/codemirror"));
+  else if (typeof define == "function" && define.amd) // AMD
+    define(["../../lib/codemirror"], mod);
+  else // Plain browser env
+    mod(CodeMirror);
+})(function(CodeMirror) {
+  "use strict";
+
+  CodeMirror.defineOption("rulers", false, function(cm, val) {
+    if (cm.state.rulerDiv) {
+      cm.state.rulerDiv.parentElement.removeChild(cm.state.rulerDiv)
+      cm.state.rulerDiv = null
+      cm.off("refresh", drawRulers)
+    }
+    if (val && val.length) {
+      cm.state.rulerDiv = cm.display.lineSpace.parentElement.insertBefore(document.createElement("div"), cm.display.lineSpace)
+      cm.state.rulerDiv.className = "CodeMirror-rulers"
+      drawRulers(cm)
+      cm.on("refresh", drawRulers)
+    }
+  });
+
+  function drawRulers(cm) {
+    cm.state.rulerDiv.textContent = ""
+    var val = cm.getOption("rulers");
+    var cw = cm.defaultCharWidth();
+    var left = cm.charCoords(CodeMirror.Pos(cm.firstLine(), 0), "div").left;
+    cm.state.rulerDiv.style.minHeight = (cm.display.scroller.offsetHeight + 30) + "px";
+    for (var i = 0; i < val.length; i++) {
+      var elt = document.createElement("div");
+      elt.className = "CodeMirror-ruler";
+      var col, conf = val[i];
+      if (typeof conf == "number") {
+        col = conf;
+      } else {
+        col = conf.column;
+        if (conf.className) elt.className += " " + conf.className;
+        if (conf.color) elt.style.borderColor = conf.color;
+        if (conf.lineStyle) elt.style.borderLeftStyle = conf.lineStyle;
+        if (conf.width) elt.style.borderLeftWidth = conf.width;
+      }
+      elt.style.left = (left + col * cw) + "px";
+      cm.state.rulerDiv.appendChild(elt)
+    }
+  }
+});

passbook/admin/static/codemirror/addon/edit/closebrackets.js

@@ -0,0 +1,191 @@
+// CodeMirror, copyright (c) by Marijn Haverbeke and others
+// Distributed under an MIT license: https://codemirror.net/LICENSE
+
+(function(mod) {
+  if (typeof exports == "object" && typeof module == "object") // CommonJS
+    mod(require("../../lib/codemirror"));
+  else if (typeof define == "function" && define.amd) // AMD
+    define(["../../lib/codemirror"], mod);
+  else // Plain browser env
+    mod(CodeMirror);
+})(function(CodeMirror) {
+  var defaults = {
+    pairs: "()[]{}''\"\"",
+    closeBefore: ")]}'\":;>",
+    triples: "",
+    explode: "[]{}"
+  };
+
+  var Pos = CodeMirror.Pos;
+
+  CodeMirror.defineOption("autoCloseBrackets", false, function(cm, val, old) {
+    if (old && old != CodeMirror.Init) {
+      cm.removeKeyMap(keyMap);
+      cm.state.closeBrackets = null;
+    }
+    if (val) {
+      ensureBound(getOption(val, "pairs"))
+      cm.state.closeBrackets = val;
+      cm.addKeyMap(keyMap);
+    }
+  });
+
+  function getOption(conf, name) {
+    if (name == "pairs" && typeof conf == "string") return conf;
+    if (typeof conf == "object" && conf[name] != null) return conf[name];
+    return defaults[name];
+  }
+
+  var keyMap = {Backspace: handleBackspace, Enter: handleEnter};
+  function ensureBound(chars) {
+    for (var i = 0; i < chars.length; i++) {
+      var ch = chars.charAt(i), key = "'" + ch + "'"
+      if (!keyMap[key]) keyMap[key] = handler(ch)
+    }
+  }
+  ensureBound(defaults.pairs + "`")
+
+  function handler(ch) {
+    return function(cm) { return handleChar(cm, ch); };
+  }
+
+  function getConfig(cm) {
+    var deflt = cm.state.closeBrackets;
+    if (!deflt || deflt.override) return deflt;
+    var mode = cm.getModeAt(cm.getCursor());
+    return mode.closeBrackets || deflt;
+  }
+
+  function handleBackspace(cm) {
+    var conf = getConfig(cm);
+    if (!conf || cm.getOption("disableInput")) return CodeMirror.Pass;
+
+    var pairs = getOption(conf, "pairs");
+    var ranges = cm.listSelections();
+    for (var i = 0; i < ranges.length; i++) {
+      if (!ranges[i].empty()) return CodeMirror.Pass;
+      var around = charsAround(cm, ranges[i].head);
+      if (!around || pairs.indexOf(around) % 2 != 0) return CodeMirror.Pass;
+    }
+    for (var i = ranges.length - 1; i >= 0; i--) {
+      var cur = ranges[i].head;
+      cm.replaceRange("", Pos(cur.line, cur.ch - 1), Pos(cur.line, cur.ch + 1), "+delete");
+    }
+  }
+
+  function handleEnter(cm) {
+    var conf = getConfig(cm);
+    var explode = conf && getOption(conf, "explode");
+    if (!explode || cm.getOption("disableInput")) return CodeMirror.Pass;
+
+    var ranges = cm.listSelections();
+    for (var i = 0; i < ranges.length; i++) {
+      if (!ranges[i].empty()) return CodeMirror.Pass;
+      var around = charsAround(cm, ranges[i].head);
+      if (!around || explode.indexOf(around) % 2 != 0) return CodeMirror.Pass;
+    }
+    cm.operation(function() {
+      var linesep = cm.lineSeparator() || "\n";
+      cm.replaceSelection(linesep + linesep, null);
+      cm.execCommand("goCharLeft");
+      ranges = cm.listSelections();
+      for (var i = 0; i < ranges.length; i++) {
+        var line = ranges[i].head.line;
+        cm.indentLine(line, null, true);
+        cm.indentLine(line + 1, null, true);
+      }
+    });
+  }
+
+  function contractSelection(sel) {
+    var inverted = CodeMirror.cmpPos(sel.anchor, sel.head) > 0;
+    return {anchor: new Pos(sel.anchor.line, sel.anchor.ch + (inverted ? -1 : 1)),
+            head: new Pos(sel.head.line, sel.head.ch + (inverted ? 1 : -1))};
+  }
+
+  function handleChar(cm, ch) {
+    var conf = getConfig(cm);
+    if (!conf || cm.getOption("disableInput")) return CodeMirror.Pass;
+
+    var pairs = getOption(conf, "pairs");
+    var pos = pairs.indexOf(ch);
+    if (pos == -1) return CodeMirror.Pass;
+
+    var closeBefore = getOption(conf,"closeBefore");
+
+    var triples = getOption(conf, "triples");
+
+    var identical = pairs.charAt(pos + 1) == ch;
+    var ranges = cm.listSelections();
+    var opening = pos % 2 == 0;
+
+    var type;
+    for (var i = 0; i < ranges.length; i++) {
+      var range = ranges[i], cur = range.head, curType;
+      var next = cm.getRange(cur, Pos(cur.line, cur.ch + 1));
+      if (opening && !range.empty()) {
+        curType = "surround";
+      } else if ((identical || !opening) && next == ch) {
+        if (identical && stringStartsAfter(cm, cur))
+          curType = "both";
+        else if (triples.indexOf(ch) >= 0 && cm.getRange(cur, Pos(cur.line, cur.ch + 3)) == ch + ch + ch)
+          curType = "skipThree";
+        else
+          curType = "skip";
+      } else if (identical && cur.ch > 1 && triples.indexOf(ch) >= 0 &&
+                 cm.getRange(Pos(cur.line, cur.ch - 2), cur) == ch + ch) {
+        if (cur.ch > 2 && /\bstring/.test(cm.getTokenTypeAt(Pos(cur.line, cur.ch - 2)))) return CodeMirror.Pass;
+        curType = "addFour";
+      } else if (identical) {
+        var prev = cur.ch == 0 ? " " : cm.getRange(Pos(cur.line, cur.ch - 1), cur)
+        if (!CodeMirror.isWordChar(next) && prev != ch && !CodeMirror.isWordChar(prev)) curType = "both";
+        else return CodeMirror.Pass;
+      } else if (opening && (next.length === 0 || /\s/.test(next) || closeBefore.indexOf(next) > -1)) {
+        curType = "both";
+      } else {
+        return CodeMirror.Pass;
+      }
+      if (!type) type = curType;
+      else if (type != curType) return CodeMirror.Pass;
+    }
+
+    var left = pos % 2 ? pairs.charAt(pos - 1) : ch;
+    var right = pos % 2 ? ch : pairs.charAt(pos + 1);
+    cm.operation(function() {
+      if (type == "skip") {
+        cm.execCommand("goCharRight");
+      } else if (type == "skipThree") {
+        for (var i = 0; i < 3; i++)
+          cm.execCommand("goCharRight");
+      } else if (type == "surround") {
+        var sels = cm.getSelections();
+        for (var i = 0; i < sels.length; i++)
+          sels[i] = left + sels[i] + right;
+        cm.replaceSelections(sels, "around");
+        sels = cm.listSelections().slice();
+        for (var i = 0; i < sels.length; i++)
+          sels[i] = contractSelection(sels[i]);
+        cm.setSelections(sels);
+      } else if (type == "both") {
+        cm.replaceSelection(left + right, null);
+        cm.triggerElectric(left + right);
+        cm.execCommand("goCharLeft");
+      } else if (type == "addFour") {
+        cm.replaceSelection(left + left + left + left, "before");
+        cm.execCommand("goCharRight");
+      }
+    });
+  }
+
+  function charsAround(cm, pos) {
+    var str = cm.getRange(Pos(pos.line, pos.ch - 1),
+                          Pos(pos.line, pos.ch + 1));
+    return str.length == 2 ? str : null;
+  }
+
+  function stringStartsAfter(cm, pos) {
+    var token = cm.getTokenAt(Pos(pos.line, pos.ch + 1))
+    return /\bstring/.test(token.type) && token.start == pos.ch &&
+      (pos.ch == 0 || !/\bstring/.test(cm.getTokenTypeAt(pos)))
+  }
+});