new release: 0.1.38-beta

Resolve "Rewrite OAuth Client as Factor"

Closes #27

See merge request BeryJu.org/passbook!14

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 0.1.35-beta
+current_version = 0.1.38-beta
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\-(?P<release>.*)

.coveragerc

@@ -6,7 +6,6 @@ omit =
     manage.py
     */migrations/*
     */apps.py
-    passbook/management/commands/nexus_upload.py
     passbook/management/commands/web.py
     passbook/management/commands/worker.py
     docs/

.gitlab-ci.yml

@@ -22,7 +22,7 @@ create-build-image:
   before_script:
     - echo "{\"auths\":{\"docker.beryju.org\":{\"auth\":\"$DOCKER_AUTH\"}}}" > /kaniko/.docker/config.json
   script:
-    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile.build-base --destination docker.beryju.org/passbook/build-base:latest --destination docker.beryju.org/passbook/build-base:0.1.35-beta
+    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile.build-base --destination docker.beryju.org/passbook/build-base:latest --destination docker.beryju.org/passbook/build-base:0.1.38-beta
   stage: build-buildimage
   only:
     refs:
@@ -63,7 +63,7 @@ package-docker:
   before_script:
     - echo "{\"auths\":{\"docker.beryju.org\":{\"auth\":\"$DOCKER_AUTH\"}}}" > /kaniko/.docker/config.json
   script:
-    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination docker.beryju.org/passbook/server:latest --destination docker.beryju.org/passbook/server:0.1.35-beta
+    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination docker.beryju.org/passbook/server:latest --destination docker.beryju.org/passbook/server:0.1.38-beta
   stage: build
   only:
     - tags

client-packages/allauth/setup.py

@@ -3,7 +3,7 @@ from setuptools import setup
 
 setup(
     name='django-allauth-passbook',
-    version='0.1.35-beta',
+    version='0.1.38-beta',
     description='passbook support for django-allauth',
     # long_description='\n'.join(read_simple('docs/index.md')[2:]),
     long_description_content_type='text/markdown',

client-packages/sentry-auth-passbook/setup.py

@@ -18,7 +18,7 @@ tests_require = [
 
 setup(
     name='sentry-auth-passbook',
-    version='0.1.35-beta',
+    version='0.1.38-beta',
     author='BeryJu.org',
     author_email='support@beryju.org',
     url='https://passbook.beryju.org',

helm/passbook/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v1
-appVersion: "0.1.35-beta"
+appVersion: "0.1.38-beta"
 description: A Helm chart for passbook.
 name: passbook
-version: "0.1.35-beta"
+version: "0.1.38-beta"
 icon: https://git.beryju.org/uploads/-/system/project/avatar/108/logo.png

helm/passbook/values.yaml

@@ -5,7 +5,7 @@
 replicaCount: 1
 
 image:
-  tag: 0.1.35-beta
+  tag: 0.1.38-beta
 
 nameOverride: ""
 

passbook/__init__.py

@@ -1,2 +1,2 @@
 """passbook"""
-__version__ = '0.1.35-beta'
+__version__ = '0.1.38-beta'

passbook/admin/__init__.py

@@ -1,2 +1,2 @@
 """passbook admin"""
-__version__ = '0.1.35-beta'
+__version__ = '0.1.38-beta'

passbook/admin/templates/administration/source/list.html

@@ -36,7 +36,7 @@
             <tr>
                 <td>{{ source.name }}</td>
                 <td>{{ source|fieldtype }}</td>
-                <td>{{ source.additional_info }}</td>
+                <td>{{ source.additional_info|safe }}</td>
                 <td>
                     <a class="btn btn-default btn-sm"
                         href="{% url 'passbook_admin:source-update' pk=source.uuid %}?back={{ request.get_full_path }}">{% trans 'Edit' %}</a>

passbook/admin/views/overview.py

@@ -35,5 +35,4 @@ class AdministrationOverviewView(AdminRequiredMixin, TemplateView):
         kwargs['providers_without_application'] = Provider.objects.filter(application=None)
         kwargs['policies_without_attachment'] = len(Policy.objects.filter(policymodel__isnull=True))
         kwargs['cached_policies'] = len(cache.keys('policy_*'))
-        print(cache.keys('*'))
         return super().get_context_data(**kwargs)

passbook/api/__init__.py

@@ -1,2 +1,2 @@
 """passbook api"""
-__version__ = '0.1.35-beta'
+__version__ = '0.1.38-beta'

passbook/app_gw/__init__.py

@@ -1,2 +1,2 @@
 """passbook Application Security Gateway Header"""
-__version__ = '0.1.35-beta'
+__version__ = '0.1.38-beta'

passbook/app_gw/proxy/utils.py

@@ -190,8 +190,6 @@ def cookie_from_string(cookie_string, strict_cookies=False):
         cookie_dict['key'], cookie_dict['value'] = \
             cookie_parts[0].split('=', 1)
         cookie_dict['value'] = cookie_dict['value'].replace('"', '')
-        # print('aaaaaaaaaaaaaaaaaaaaaaaaaaaa')
-        # print(cookie_parts[0].split('=', 1))
     except ValueError:
         logger.warning('Invalid cookie: `%s`', cookie_string)
         return None

passbook/audit/__init__.py

@@ -1,2 +1,2 @@
 """passbook audit Header"""
-__version__ = '0.1.35-beta'
+__version__ = '0.1.38-beta'

passbook/captcha_factor/__init__.py

@@ -1,2 +1,2 @@
 """passbook captcha_factor Header"""
-__version__ = '0.1.35-beta'
+__version__ = '0.1.38-beta'

passbook/core/__init__.py

@@ -1,2 +1,2 @@
 """passbook core"""
-__version__ = '0.1.35-beta'
+__version__ = '0.1.38-beta'

passbook/core/auth/view.py

@@ -29,6 +29,7 @@ class AuthenticationView(UserPassesTestMixin, View):
     SESSION_PENDING_FACTORS = 'passbook_pending_factors'
     SESSION_PENDING_USER = 'passbook_pending_user'
     SESSION_USER_BACKEND = 'passbook_user_backend'
+    SESSION_IS_SSO_LOGIN = 'passbook_sso_login'
 
     pending_user = None
     pending_factors = []
@@ -79,6 +80,10 @@ class AuthenticationView(UserPassesTestMixin, View):
         if AuthenticationView.SESSION_FACTOR not in request.session:
             # Case when no factors apply to user, return error denied
             if not self.pending_factors:
+                # Case when user logged in from SSO provider and no more factors apply
+                if AuthenticationView.SESSION_IS_SSO_LOGIN in request.session:
+                    LOGGER.debug("User authenticated with SSO, logging in...")
+                    return self._user_passed()
                 return self.user_invalid()
             factor_uuid, factor_class = self.pending_factors[0]
         else:

passbook/core/forms/factors.py

@@ -27,7 +27,8 @@ class PasswordFactorForm(forms.ModelForm):
             'order': forms.NumberInput(),
             'policies': FilteredSelectMultiple(_('policies'), False),
             'backends': FilteredSelectMultiple(_('backends'), False,
-                                               choices=get_authentication_backends())
+                                               choices=get_authentication_backends()),
+            'password_policies': FilteredSelectMultiple(_('password policies'), False),
         }
 
 class DummyFactorForm(forms.ModelForm):

passbook/core/forms/policies.py

@@ -5,7 +5,7 @@ from django.utils.translation import gettext as _
 
 from passbook.core.models import (DebugPolicy, FieldMatcherPolicy,
                                   GroupMembershipPolicy, PasswordPolicy,
-                                  WebhookPolicy)
+                                  SSOLoginPolicy, WebhookPolicy)
 
 GENERAL_FIELDS = ['name', 'action', 'negate', 'order', 'timeout']
 
@@ -63,6 +63,19 @@ class GroupMembershipPolicyForm(forms.ModelForm):
         fields = GENERAL_FIELDS + ['group', ]
         widgets = {
             'name': forms.TextInput(),
+            'order': forms.NumberInput(),
+        }
+
+class SSOLoginPolicyForm(forms.ModelForm):
+    """Edit SSOLoginPolicy instances"""
+
+    class Meta:
+
+        model = SSOLoginPolicy
+        fields = GENERAL_FIELDS
+        widgets = {
+            'name': forms.TextInput(),
+            'order': forms.NumberInput(),
         }
 
 class PasswordPolicyForm(forms.ModelForm):

passbook/core/management/commands/nexus_upload.py

@@ -1,63 +0,0 @@
-"""passbook nexus_upload management command"""
-from base64 import b64decode
-
-import requests
-from django.core.management.base import BaseCommand
-
-
-class Command(BaseCommand):
-    """Upload debian package to nexus repository"""
-
-    url = None
-    user = None
-    password = None
-
-    def add_arguments(self, parser):
-        parser.add_argument(
-            '--repo',
-            action='store',
-            help='Repository to upload to',
-            required=True)
-        parser.add_argument(
-            '--url',
-            action='store',
-            help='Nexus root URL',
-            required=True)
-        parser.add_argument(
-            '--auth',
-            action='store',
-            help='base64-encoded string of username:password',
-            required=True)
-        parser.add_argument(
-            '--method',
-            action='store',
-            nargs='?',
-            const='post',
-            choices=['post', 'put'],
-            help=('Method used for uploading files to nexus. '
-                  'Apt repositories use post, Helm uses put.'),
-            required=True)
-        # Positional arguments
-        parser.add_argument('file', nargs='+', type=str)
-
-    def handle(self, *args, **options):
-        """Upload debian package to nexus repository"""
-        auth = tuple(b64decode(options.get('auth')).decode('utf-8').split(':', 1))
-        responses = {}
-        url = 'https://%(url)s/repository/%(repo)s/' % options
-        method = options.get('method')
-        exit_code = 0
-        for file in options.get('file'):
-            if method == 'post':
-                responses[file] = requests.post(url, data=open(file, mode='rb'), auth=auth)
-            else:
-                responses[file] = requests.put(url+file, data=open(file, mode='rb'), auth=auth)
-        self.stdout.write('Upload results:\n')
-        sep = '-' * 60
-        self.stdout.write('%s\n' % sep)
-        for path, response in responses.items():
-            self.stdout.write('%-55s: %d\n' % (path, response.status_code))
-            if response.status_code >= 400:
-                exit_code = 1
-        self.stdout.write('%s\n' % sep)
-        exit(exit_code)

passbook/core/management/commands/web.py

@@ -25,5 +25,6 @@ class Command(BaseCommand):
             '-p', str(CONFIG.y('web.port', 8000)),
             '-b', CONFIG.y('web.listen', '0.0.0.0'),  # nosec
             '--access-log', '/dev/null',
+            '--application-close-timeout', '500',
             'passbook.core.asgi:application'
         ])

passbook/core/migrations/0024_ssologinpolicy.py

@@ -0,0 +1,25 @@
+# Generated by Django 2.2 on 2019-04-29 21:14
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('passbook_core', '0023_remove_user_applications'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='SSOLoginPolicy',
+            fields=[
+                ('policy_ptr', models.OneToOneField(auto_created=True, on_delete=django.db.models.deletion.CASCADE, parent_link=True, primary_key=True, serialize=False, to='passbook_core.Policy')),
+            ],
+            options={
+                'verbose_name': 'SSO Login Policy',
+                'verbose_name_plural': 'SSO Login Policies',
+            },
+            bases=('passbook_core.policy',),
+        ),
+    ]

passbook/core/models.py

@@ -165,9 +165,10 @@ class Source(PolicyModel):
 
     name = models.TextField()
     slug = models.SlugField()
-    form = '' # ModelForm-based class ued to create/edit instance
     enabled = models.BooleanField(default=True)
 
+    form = '' # ModelForm-based class ued to create/edit instance
+
     objects = InheritanceManager()
 
     @property
@@ -409,6 +410,21 @@ class GroupMembershipPolicy(Policy):
         verbose_name = _('Group Membership Policy')
         verbose_name_plural = _('Group Membership Policies')
 
+class SSOLoginPolicy(Policy):
+    """Policy that applies to users that have authenticated themselves through SSO"""
+
+    form = 'passbook.core.forms.policies.SSOLoginPolicyForm'
+
+    def passes(self, user):
+        """Check if user instance passes this policy"""
+        from passbook.core.auth.view import AuthenticationView
+        return user.session.get(AuthenticationView.SESSION_IS_SSO_LOGIN, False), ""
+
+    class Meta:
+
+        verbose_name = _('SSO Login Policy')
+        verbose_name_plural = _('SSO Login Policies')
+
 class Invitation(UUIDModel):
     """Single-use invitation link"""
 

passbook/core/policies.py

@@ -74,6 +74,7 @@ class PolicyEngine:
         cached_policies = []
         kwargs = {
             '__password__': getattr(self.__user, '__password__', None),
+            'session': dict(getattr(self.__request, 'session', {}).items()),
         }
         if self.__request:
             kwargs['remote_ip'], _ = get_client_ip(self.__request)

passbook/core/settings.py

@@ -60,7 +60,6 @@ LANGUAGE_COOKIE_NAME = 'passbook_language'
 
 AUTHENTICATION_BACKENDS = [
     'django.contrib.auth.backends.ModelBackend',
-    'guardian.backends.ObjectPermissionBackend',
 ]
 
 # Application definition
@@ -75,7 +74,6 @@ INSTALLED_APPS = [
     'django.contrib.postgres',
     'rest_framework',
     'drf_yasg',
-    'guardian',
     'passbook.core.apps.PassbookCoreConfig',
     'passbook.admin.apps.PassbookAdminConfig',
     'passbook.api.apps.PassbookAPIConfig',

passbook/hibp_policy/__init__.py

@@ -1,2 +1,2 @@
 """passbook hibp_policy"""
-__version__ = '0.1.35-beta'
+__version__ = '0.1.38-beta'

passbook/ldap/__init__.py

@@ -1,2 +1,2 @@
 """Passbook ldap app Header"""
-__version__ = '0.1.35-beta'
+__version__ = '0.1.38-beta'

passbook/lib/__init__.py

@@ -1,2 +1,2 @@
 """passbook lib"""
-__version__ = '0.1.35-beta'
+__version__ = '0.1.38-beta'

passbook/oauth_client/__init__.py

@@ -1,2 +1,2 @@
 """passbook oauth_client Header"""
-__version__ = '0.1.35-beta'
+__version__ = '0.1.38-beta'

passbook/oauth_client/models.py

@@ -29,14 +29,13 @@ class OAuthSource(Source):
     def get_login_button(self):
         url = reverse_lazy('passbook_oauth_client:oauth-client-login',
                            kwargs={'source_slug': self.slug})
-        # if self.provider_type == 'github':
-        #     return url, 'github-logo', _('GitHub')
         return url, self.provider_type, self.name
 
     @property
     def additional_info(self):
-        return "Callback URL: '%s'" % reverse_lazy('passbook_oauth_client:oauth-client-callback',
+        return "Callback URL: <pre>%s</pre>" % \
-                                                   kwargs={'source_slug': self.slug})
+            reverse_lazy('passbook_oauth_client:oauth-client-callback',
+                         kwargs={'source_slug': self.slug})
 
     def has_user_settings(self):
         """Entrypoint to integrate with User settings. Can either return False if no

passbook/oauth_client/views/core.py

@@ -4,7 +4,7 @@ from logging import getLogger
 
 from django.conf import settings
 from django.contrib import messages
-from django.contrib.auth import authenticate, login
+from django.contrib.auth import authenticate
 from django.contrib.auth.mixins import LoginRequiredMixin
 from django.http import Http404
 from django.shortcuts import get_object_or_404, redirect, render
@@ -12,6 +12,7 @@ from django.urls import reverse
 from django.utils.translation import ugettext as _
 from django.views.generic import RedirectView, View
 
+from passbook.core.auth.view import AuthenticationView, _redirect_with_qs
 from passbook.lib.utils.reflection import app
 from passbook.oauth_client.clients import get_client
 from passbook.oauth_client.models import OAuthSource, UserOAuthSourceConnection
@@ -128,11 +129,6 @@ class OAuthCallback(OAuthClientMixin, View):
         "Return url to redirect on login failure."
         return settings.LOGIN_URL
 
-    # pylint: disable=unused-argument
-    def get_login_redirect(self, source, user, access, new=False):
-        "Return url to redirect authenticated users."
-        return 'passbook_core:overview'
-
     def get_or_create_user(self, source, access, info):
         "Create a shell auth.User."
         raise NotImplementedError()
@@ -149,14 +145,22 @@ class OAuthCallback(OAuthClientMixin, View):
         except KeyError:
             return None
 
+    def handle_login(self, user, source, access):
+        """Prepare AuthenticationView, redirect users to remaining Factors"""
+        user = authenticate(source=access.source,
+                            identifier=access.identifier, request=self.request)
+        self.request.session[AuthenticationView.SESSION_PENDING_USER] = user.pk
+        self.request.session[AuthenticationView.SESSION_USER_BACKEND] = user.backend
+        self.request.session[AuthenticationView.SESSION_IS_SSO_LOGIN] = True
+        return _redirect_with_qs('passbook_core:auth-process', self.request.GET)
+
     # pylint: disable=unused-argument
     def handle_existing_user(self, source, user, access, info):
         "Login user and redirect."
-        login(self.request, user)
         messages.success(self.request, _("Successfully authenticated with %(source)s!" % {
             'source': self.source.name
         }))
-        return redirect(self.get_login_redirect(source, user, access))
+        return self.handle_login(user, source, access)
 
     def handle_login_failure(self, source, reason):
         "Message user and redirect on error."
@@ -176,12 +180,9 @@ class OAuthCallback(OAuthClientMixin, View):
         access.user = user
         access.save()
         UserOAuthSourceConnection.objects.filter(pk=access.pk).update(user=user)
-        if not was_authenticated:
-            user = authenticate(source=access.source,
-                                identifier=access.identifier, request=self.request)
-            login(self.request, user)
         if app('passbook_audit'):
             pass
+            # TODO: Create audit entry
             # from passbook.audit.models import something
             # something.event(user=user,)
             # Event.create(
@@ -197,10 +198,13 @@ class OAuthCallback(OAuthClientMixin, View):
             return redirect(reverse('passbook_oauth_client:oauth-client-user', kwargs={
                 'source_slug': self.source.slug
             }))
+        # User was not authenticated, new user has been created
+        user = authenticate(source=access.source,
+                            identifier=access.identifier, request=self.request)
         messages.success(self.request, _("Successfully authenticated with %(source)s!" % {
             'source': self.source.name
         }))
-        return redirect(self.get_login_redirect(source, user, access, True))
+        return self.handle_login(user, source, access)
 
 
 class DisconnectView(LoginRequiredMixin, View):

passbook/oauth_provider/__init__.py

@@ -1,2 +1,2 @@
 """passbook oauth_provider Header"""
-__version__ = '0.1.35-beta'
+__version__ = '0.1.38-beta'

passbook/otp/__init__.py

@@ -1,2 +1,2 @@
 """passbook otp Header"""
-__version__ = '0.1.35-beta'
+__version__ = '0.1.38-beta'

passbook/password_expiry_policy/__init__.py

@@ -1,2 +1,2 @@
 """passbook password_expiry"""
-__version__ = '0.1.35-beta'
+__version__ = '0.1.38-beta'

passbook/saml_idp/__init__.py

@@ -1,2 +1,2 @@
 """passbook saml_idp Header"""
-__version__ = '0.1.35-beta'
+__version__ = '0.1.38-beta'

passbook/saml_idp/base.py

@@ -33,6 +33,8 @@ class Processor:
     """Base SAML 2.0 AuthnRequest to Response Processor.
     Sub-classes should provide Service Provider-specific functionality."""
 
+    is_idp_initiated = False
+
     _audience = ''
     _assertion_params = None
     _assertion_xml = None
@@ -291,7 +293,10 @@ class Processor:
     def generate_response(self):
         """Processes request and returns template variables suitable for a response."""
         # Build the assertion and response.
-        self.can_handle(self._django_request)
+        # Only call can_handle if SP initiated Request, otherwise we have no Request
+        if not self.is_idp_initiated:
+            self.can_handle(self._django_request)
+
         self._validate_user()
         self._build_assertion()
         self._format_assertion()

passbook/saml_idp/forms.py

@@ -54,3 +54,6 @@ class SAMLPropertyMappingForm(forms.ModelForm):
         field_classes = {
             'values': DynamicArrayField
         }
+        help_texts = {
+            'values': 'String substitution uses a syntax like "{variable} test}".'
+        }

passbook/saml_idp/models.py

@@ -1,4 +1,5 @@
 """passbook saml_idp Models"""
+from logging import getLogger
 
 from django.contrib.postgres.fields import ArrayField
 from django.db import models
@@ -9,6 +10,8 @@ from passbook.core.models import PropertyMapping, Provider
 from passbook.lib.utils.reflection import class_to_path, path_to_class
 from passbook.saml_idp.base import Processor
 
+LOGGER = getLogger(__name__)
+
 
 class SAMLProvider(Provider):
     """Model to save information about a Remote SAML Endpoint"""
@@ -36,7 +39,8 @@ class SAMLProvider(Provider):
         if not self._processor:
             try:
                 self._processor = path_to_class(self.processor_path)(self)
-            except ModuleNotFoundError:
+            except ModuleNotFoundError as exc:
+                LOGGER.warning(exc)
                 self._processor = None
         return self._processor
 

passbook/saml_idp/views.py

@@ -231,4 +231,5 @@ class InitiateLoginView(AccessRequiredView):
     def get(self, request, application):
         """Initiates an IdP-initiated link to a simple SP resource/target URL."""
         self.provider.processor.init_deep_link(request, '')
+        self.provider.processor.is_idp_initiated = True
         return _generate_response(request, self.provider)

passbook/suspicious_policy/__init__.py

@@ -1,2 +1,2 @@
 """passbook suspicious_policy"""
-__version__ = '0.1.35-beta'
+__version__ = '0.1.38-beta'