new release: 0.2.3-beta

Move Main Django Project into passbook.root while passbook.core holds core functionality.

passbook.root contains main settings, ASGI & WSGI, celery and URLs.

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 0.1.37-beta
+current_version = 0.2.3-beta
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\-(?P<release>.*)

.gitlab-ci.yml

@@ -15,6 +15,10 @@ variables:
   POSTGRES_USER: passbook
   POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
 
+before_script:
+  # Ensure all dependencies are installed, even those not included in passbook/build-base
+  - pip install -r requirements-dev.txt
+
 create-build-image:
   image:
     name: gcr.io/kaniko-project/executor:debug
@@ -22,7 +26,7 @@ create-build-image:
   before_script:
     - echo "{\"auths\":{\"docker.beryju.org\":{\"auth\":\"$DOCKER_AUTH\"}}}" > /kaniko/.docker/config.json
   script:
-    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile.build-base --destination docker.beryju.org/passbook/build-base:latest --destination docker.beryju.org/passbook/build-base:0.1.37-beta
+    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile.build-base --destination docker.beryju.org/passbook/build-base:latest --destination docker.beryju.org/passbook/build-base:0.2.3-beta
   stage: build-buildimage
   only:
     refs:
@@ -63,7 +67,7 @@ package-docker:
   before_script:
     - echo "{\"auths\":{\"docker.beryju.org\":{\"auth\":\"$DOCKER_AUTH\"}}}" > /kaniko/.docker/config.json
   script:
-    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination docker.beryju.org/passbook/server:latest --destination docker.beryju.org/passbook/server:0.1.37-beta
+    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination docker.beryju.org/passbook/server:latest --destination docker.beryju.org/passbook/server:0.2.3-beta
   stage: build
   only:
     - tags

client-packages/allauth/setup.py

@@ -3,7 +3,7 @@ from setuptools import setup
 
 setup(
     name='django-allauth-passbook',
-    version='0.1.37-beta',
+    version='0.2.3-beta',
     description='passbook support for django-allauth',
     # long_description='\n'.join(read_simple('docs/index.md')[2:]),
     long_description_content_type='text/markdown',

client-packages/sentry-auth-passbook/setup.py

@@ -18,12 +18,13 @@ tests_require = [
 
 setup(
     name='sentry-auth-passbook',
-    version='0.1.37-beta',
+    version='0.2.3-beta',
     author='BeryJu.org',
     author_email='support@beryju.org',
     url='https://passbook.beryju.org',
     description='passbook authentication provider for Sentry',
     long_description=__doc__,
+    long_description_content_type='text/markdown',
     license='MIT',
     packages=find_packages(exclude=['tests']),
     zip_safe=False,

helm/passbook/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v1
-appVersion: "0.1.37-beta"
+appVersion: "0.2.3-beta"
 description: A Helm chart for passbook.
 name: passbook
-version: "0.1.37-beta"
+version: "0.2.3-beta"
 icon: https://git.beryju.org/uploads/-/system/project/avatar/108/logo.png

helm/passbook/templates/passbook-appgw-deployment.yaml

@@ -0,0 +1,67 @@
+apiVersion: apps/v1beta2
+kind: Deployment
+metadata:
+  name: {{ include "passbook.fullname" . }}-appgw
+  labels:
+    app.kubernetes.io/name: {{ include "passbook.name" . }}
+    helm.sh/chart: {{ include "passbook.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ include "passbook.name" . }}
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: {{ include "passbook.name" . }}
+        app.kubernetes.io/instance: {{ .Release.Name }}
+        passbook.io/component: appgw
+    spec:
+      volumes:
+        - name: config-volume
+          configMap:
+            name: {{ include "passbook.fullname" . }}-config
+      containers:
+        - name: {{ .Chart.Name }}
+          image: "docker.beryju.org/passbook/server:{{ .Values.image.tag }}"
+          imagePullPolicy: IfNotPresent
+          command: ["/bin/sh","-c"]
+          args: ["./manage.py migrate && ./manage.py app_gw_web"]
+          ports:
+            - name: http
+              containerPort: 8000
+              protocol: TCP
+          volumeMounts:
+            - mountPath: /etc/passbook
+              name: config-volume
+          livenessProbe:
+            httpGet:
+              path: /
+              port: http
+              httpHeaders:
+                - name: Host
+                  value: kubernetes-healthcheck-host
+          readinessProbe:
+            httpGet:
+              path: /
+              port: http
+              httpHeaders:
+                - name: Host
+                  value: kubernetes-healthcheck-host
+          resources:
+{{ toYaml .Values.resources | indent 12 }}
+    {{- with .Values.nodeSelector }}
+      nodeSelector:
+{{ toYaml . | indent 8 }}
+    {{- end }}
+    {{- with .Values.affinity }}
+      affinity:
+{{ toYaml . | indent 8 }}
+    {{- end }}
+    {{- with .Values.tolerations }}
+      tolerations:
+{{ toYaml . | indent 8 }}
+    {{- end }}

helm/passbook/templates/passbook-appgw-service.yaml

@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "passbook.fullname" . }}-appgw
+  labels:
+    app.kubernetes.io/name: {{ include "passbook.name" . }}
+    helm.sh/chart: {{ include "passbook.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: {{ .Values.service.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    app.kubernetes.io/name: {{ include "passbook.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    passbook.io/component: appgw

helm/passbook/templates/passbook-ingress.yaml

@@ -32,7 +32,16 @@ spec:
         paths:
           - path: {{ $ingressPath }}
             backend:
-              serviceName: {{ $fullName }}
+              serviceName: {{ $fullName }}-web
+              servicePort: http
+  {{- end }}
+  {{- range .Values.ingress.app_gw_hosts }}}
+    - host: {{ . | quote }}
+      http:
+        paths:
+          - path: {{ $ingressPath }}
+            backend:
+              serviceName: {{ $fullName }}-appgw
               servicePort: http
   {{- end }}
 {{- end }}

helm/passbook/templates/passbook-web-service.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: {{ include "passbook.fullname" . }}
+  name: {{ include "passbook.fullname" . }}-web
   labels:
     app.kubernetes.io/name: {{ include "passbook.name" . }}
     helm.sh/chart: {{ include "passbook.chart" . }}

helm/passbook/values.yaml

@@ -5,7 +5,7 @@
 replicaCount: 1
 
 image:
-  tag: 0.1.37-beta
+  tag: 0.2.3-beta
 
 nameOverride: ""
 
@@ -37,6 +37,8 @@ ingress:
   path: /
   hosts:
     - passbook.k8s.local
+  app_gw_hosts:
+    - '*.passbook.k8s.local'
   defaultHost: passbook.k8s.local
   tls: []
   #  - secretName: chart-example-tls

manage.py

@@ -4,7 +4,7 @@ import os
 import sys
 
 if __name__ == '__main__':
-    os.environ.setdefault('DJANGO_SETTINGS_MODULE', 'passbook.core.settings')
+    os.environ.setdefault('DJANGO_SETTINGS_MODULE', 'passbook.root.settings')
     try:
         from django.core.management import execute_from_command_line
     except ImportError as exc:

passbook/__init__.py

@@ -1,2 +1,2 @@
 """passbook"""
-__version__ = '0.1.37-beta'
+__version__ = '0.2.3-beta'

passbook/admin/__init__.py

@@ -1,2 +1,2 @@
 """passbook admin"""
-__version__ = '0.1.37-beta'
+__version__ = '0.2.3-beta'

passbook/admin/templates/administration/source/list.html

@@ -36,7 +36,7 @@
             <tr>
                 <td>{{ source.name }}</td>
                 <td>{{ source|fieldtype }}</td>
-                <td>{{ source.additional_info }}</td>
+                <td>{{ source.additional_info|safe }}</td>
                 <td>
                     <a class="btn btn-default btn-sm"
                         href="{% url 'passbook_admin:source-update' pk=source.uuid %}?back={{ request.get_full_path }}">{% trans 'Edit' %}</a>

passbook/admin/views/overview.py

@@ -5,9 +5,9 @@ from django.views.generic import TemplateView
 
 from passbook.admin.mixins import AdminRequiredMixin
 from passbook.core import __version__
-from passbook.core.celery import CELERY_APP
 from passbook.core.models import (Application, Factor, Invitation, Policy,
                                   Provider, Source, User)
+from passbook.root.celery import CELERY_APP
 
 
 class AdministrationOverviewView(AdminRequiredMixin, TemplateView):

passbook/api/__init__.py

@@ -1,2 +1,2 @@
 """passbook api"""
-__version__ = '0.1.37-beta'
+__version__ = '0.2.3-beta'

passbook/app_gw/__init__.py

@@ -1,2 +1,2 @@
 """passbook Application Security Gateway Header"""
-__version__ = '0.1.37-beta'
+__version__ = '0.2.3-beta'

passbook/app_gw/asgi.py

@@ -8,6 +8,6 @@ import os
 import django
 from channels.routing import get_default_application
 
-os.environ.setdefault("DJANGO_SETTINGS_MODULE", "passbook.core.settings")
+os.environ.setdefault("DJANGO_SETTINGS_MODULE", "passbook.root.settings")
 django.setup()
 application = get_default_application()

passbook/app_gw/management/commands/app_gw_web.py

@@ -0,0 +1,30 @@
+"""passbook app_gw webserver management command"""
+
+from logging import getLogger
+
+from daphne.cli import CommandLineInterface
+from django.core.management.base import BaseCommand
+from django.utils import autoreload
+
+from passbook.lib.config import CONFIG
+
+LOGGER = getLogger(__name__)
+
+
+class Command(BaseCommand):
+    """Run Daphne Webserver for app_gw"""
+
+    def handle(self, *args, **options):
+        """passbook daphne server"""
+        autoreload.run_with_reloader(self.daphne_server)
+
+    def daphne_server(self):
+        """Run daphne server within autoreload"""
+        autoreload.raise_last_exception()
+        CommandLineInterface().run([
+            '-p', str(CONFIG.y('app_gw.port', 8000)),
+            '-b', CONFIG.y('app_gw.listen', '0.0.0.0'),  # nosec
+            '--access-log', '/dev/null',
+            '--application-close-timeout', '500',
+            'passbook.app_gw.asgi:application'
+        ])

passbook/audit/__init__.py

@@ -1,2 +1,2 @@
 """passbook audit Header"""
-__version__ = '0.1.37-beta'
+__version__ = '0.2.3-beta'

passbook/audit/models.py

@@ -22,7 +22,7 @@ class AuditEntry(UUIDModel):
     ACTION_AUTHORIZE_APPLICATION = 'authorize_application'
     ACTION_SUSPICIOUS_REQUEST = 'suspicious_request'
     ACTION_SIGN_UP = 'sign_up'
-    ACTION_PASSWORD_RESET = 'password_reset' # noqa
+    ACTION_PASSWORD_RESET = 'password_reset' # noqa # nosec
     ACTION_INVITE_CREATED = 'invitation_created'
     ACTION_INVITE_USED = 'invitation_used'
     ACTIONS = (

passbook/captcha_factor/__init__.py

@@ -1,2 +1,2 @@
 """passbook captcha_factor Header"""
-__version__ = '0.1.37-beta'
+__version__ = '0.2.3-beta'

passbook/core/__init__.py

@@ -1,2 +1,2 @@
 """passbook core"""
-__version__ = '0.1.37-beta'
+__version__ = '0.2.3-beta'

passbook/core/apps.py

@@ -14,6 +14,7 @@ class PassbookCoreConfig(AppConfig):
     name = 'passbook.core'
     label = 'passbook_core'
     verbose_name = 'passbook Core'
+    mountpoint = ''
 
     def ready(self):
         import_module('passbook.core.policies')

passbook/core/auth/view.py

@@ -29,6 +29,7 @@ class AuthenticationView(UserPassesTestMixin, View):
     SESSION_PENDING_FACTORS = 'passbook_pending_factors'
     SESSION_PENDING_USER = 'passbook_pending_user'
     SESSION_USER_BACKEND = 'passbook_user_backend'
+    SESSION_IS_SSO_LOGIN = 'passbook_sso_login'
 
     pending_user = None
     pending_factors = []
@@ -79,6 +80,10 @@ class AuthenticationView(UserPassesTestMixin, View):
         if AuthenticationView.SESSION_FACTOR not in request.session:
             # Case when no factors apply to user, return error denied
             if not self.pending_factors:
+                # Case when user logged in from SSO provider and no more factors apply
+                if AuthenticationView.SESSION_IS_SSO_LOGIN in request.session:
+                    LOGGER.debug("User authenticated with SSO, logging in...")
+                    return self._user_passed()
                 return self.user_invalid()
             factor_uuid, factor_class = self.pending_factors[0]
         else:

passbook/core/forms/factors.py

@@ -27,7 +27,8 @@ class PasswordFactorForm(forms.ModelForm):
             'order': forms.NumberInput(),
             'policies': FilteredSelectMultiple(_('policies'), False),
             'backends': FilteredSelectMultiple(_('backends'), False,
-                                               choices=get_authentication_backends())
+                                               choices=get_authentication_backends()),
+            'password_policies': FilteredSelectMultiple(_('password policies'), False),
         }
 
 class DummyFactorForm(forms.ModelForm):

passbook/core/forms/policies.py

@@ -5,7 +5,7 @@ from django.utils.translation import gettext as _
 
 from passbook.core.models import (DebugPolicy, FieldMatcherPolicy,
                                   GroupMembershipPolicy, PasswordPolicy,
-                                  WebhookPolicy)
+                                  SSOLoginPolicy, WebhookPolicy)
 
 GENERAL_FIELDS = ['name', 'action', 'negate', 'order', 'timeout']
 
@@ -63,6 +63,19 @@ class GroupMembershipPolicyForm(forms.ModelForm):
         fields = GENERAL_FIELDS + ['group', ]
         widgets = {
             'name': forms.TextInput(),
+            'order': forms.NumberInput(),
+        }
+
+class SSOLoginPolicyForm(forms.ModelForm):
+    """Edit SSOLoginPolicy instances"""
+
+    class Meta:
+
+        model = SSOLoginPolicy
+        fields = GENERAL_FIELDS
+        widgets = {
+            'name': forms.TextInput(),
+            'order': forms.NumberInput(),
         }
 
 class PasswordPolicyForm(forms.ModelForm):

passbook/core/management/commands/web.py

@@ -2,11 +2,12 @@
 
 from logging import getLogger
 
-from daphne.cli import CommandLineInterface
+import cherrypy
+from django.conf import settings
 from django.core.management.base import BaseCommand
-from django.utils import autoreload
 
 from passbook.lib.config import CONFIG
+from passbook.root.wsgi import application
 
 LOGGER = getLogger(__name__)
 
@@ -15,15 +16,21 @@ class Command(BaseCommand):
     """Run CherryPy webserver"""
 
     def handle(self, *args, **options):
-        """passbook daphne server"""
+        """passbook cherrypy server"""
-        autoreload.run_with_reloader(self.daphne_server)
+        cherrypy.config.update(CONFIG.get('web'))
-
+        cherrypy.tree.graft(application, '/')
-    def daphne_server(self):
+        # Mount NullObject to serve static files
-        """Run daphne server within autoreload"""
+        cherrypy.tree.mount(None, settings.STATIC_URL, config={
-        autoreload.raise_last_exception()
+            '/': {
-        CommandLineInterface().run([
+                'tools.staticdir.on': True,
-            '-p', str(CONFIG.y('web.port', 8000)),
+                'tools.staticdir.dir': settings.STATIC_ROOT,
-            '-b', CONFIG.y('web.listen', '0.0.0.0'),  # nosec
+                'tools.expires.on': True,
-            '--access-log', '/dev/null',
+                'tools.expires.secs': 86400,
-            'passbook.core.asgi:application'
+                'tools.gzip.on': True,
-        ])
+            }
+        })
+        cherrypy.engine.start()
+        for file in CONFIG.loaded_file:
+            cherrypy.engine.autoreload.files.add(file)
+            LOGGER.info("Added '%s' to autoreload triggers", file)
+        cherrypy.engine.block()

passbook/core/management/commands/worker.py

@@ -5,7 +5,7 @@ from logging import getLogger
 from django.core.management.base import BaseCommand
 from django.utils import autoreload
 
-from passbook.core.celery import CELERY_APP
+from passbook.root.celery import CELERY_APP
 
 LOGGER = getLogger(__name__)
 

passbook/core/migrations/0024_ssologinpolicy.py

@@ -0,0 +1,25 @@
+# Generated by Django 2.2 on 2019-04-29 21:14
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('passbook_core', '0023_remove_user_applications'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='SSOLoginPolicy',
+            fields=[
+                ('policy_ptr', models.OneToOneField(auto_created=True, on_delete=django.db.models.deletion.CASCADE, parent_link=True, primary_key=True, serialize=False, to='passbook_core.Policy')),
+            ],
+            options={
+                'verbose_name': 'SSO Login Policy',
+                'verbose_name_plural': 'SSO Login Policies',
+            },
+            bases=('passbook_core.policy',),
+        ),
+    ]

passbook/core/models.py

@@ -165,9 +165,10 @@ class Source(PolicyModel):
 
     name = models.TextField()
     slug = models.SlugField()
-    form = '' # ModelForm-based class ued to create/edit instance
     enabled = models.BooleanField(default=True)
 
+    form = '' # ModelForm-based class ued to create/edit instance
+
     objects = InheritanceManager()
 
     @property
@@ -409,6 +410,21 @@ class GroupMembershipPolicy(Policy):
         verbose_name = _('Group Membership Policy')
         verbose_name_plural = _('Group Membership Policies')
 
+class SSOLoginPolicy(Policy):
+    """Policy that applies to users that have authenticated themselves through SSO"""
+
+    form = 'passbook.core.forms.policies.SSOLoginPolicyForm'
+
+    def passes(self, user):
+        """Check if user instance passes this policy"""
+        from passbook.core.auth.view import AuthenticationView
+        return user.session.get(AuthenticationView.SESSION_IS_SSO_LOGIN, False), ""
+
+    class Meta:
+
+        verbose_name = _('SSO Login Policy')
+        verbose_name_plural = _('SSO Login Policies')
+
 class Invitation(UUIDModel):
     """Single-use invitation link"""
 

passbook/core/policies.py

@@ -7,8 +7,8 @@ from celery.exceptions import TimeoutError as CeleryTimeoutError
 from django.core.cache import cache
 from ipware import get_client_ip
 
-from passbook.core.celery import CELERY_APP
 from passbook.core.models import Policy, User
+from passbook.root.celery import CELERY_APP
 
 LOGGER = getLogger(__name__)
 
@@ -74,6 +74,7 @@ class PolicyEngine:
         cached_policies = []
         kwargs = {
             '__password__': getattr(self.__user, '__password__', None),
+            'session': dict(getattr(self.__request, 'session', {}).items()),
         }
         if self.__request:
             kwargs['remote_ip'], _ = get_client_ip(self.__request)

passbook/core/tasks.py

@@ -6,9 +6,9 @@ from django.core.mail import EmailMultiAlternatives
 from django.template.loader import render_to_string
 from django.utils.html import strip_tags
 
-from passbook.core.celery import CELERY_APP
 from passbook.core.models import Nonce
 from passbook.lib.config import CONFIG
+from passbook.root.celery import CELERY_APP
 
 LOGGER = getLogger(__name__)
 

passbook/core/urls.py

@@ -1,25 +1,14 @@
 """passbook URL Configuration"""
 from logging import getLogger
 
-from django.conf import settings
+from django.urls import path
-from django.contrib import admin
-from django.urls import include, path
-from django.views.generic import RedirectView
 
 from passbook.core.auth import view
-from passbook.core.views import authentication, error, overview, user
+from passbook.core.views import authentication, overview, user
-from passbook.lib.utils.reflection import get_apps
 
 LOGGER = getLogger(__name__)
-admin.autodiscover()
-admin.site.login = RedirectView.as_view(pattern_name='passbook_core:auth-login')
 
-handler400 = error.BadRequestView.as_view()
+urlpatterns = [
-handler403 = error.ForbiddenView.as_view()
-handler404 = error.NotFoundView.as_view()
-handler500 = error.ServerErrorView.as_view()
-
-core_urls = [
     # Authentication views
     path('auth/login/', authentication.LoginView.as_view(), name='auth-login'),
     path('auth/logout/', authentication.LogoutView.as_view(), name='auth-logout'),
@@ -39,27 +28,3 @@ core_urls = [
     # Overview
     path('', overview.OverviewView.as_view(), name='overview'),
 ]
-
-urlpatterns = [
-    # Core (include our own URLs so namespaces are used everywhere)
-    path('', include((core_urls, 'passbook_core'), namespace='passbook_core')),
-]
-
-for _passbook_app in get_apps():
-    if hasattr(_passbook_app, 'mountpoint'):
-        _path = path(_passbook_app.mountpoint, include((_passbook_app.name+'.urls',
-                                                        _passbook_app.label),
-                                                       namespace=_passbook_app.label))
-        urlpatterns.append(_path)
-        LOGGER.debug("Loaded %s's URLs", _passbook_app.name)
-
-urlpatterns += [
-    # Administration
-    path('administration/django/', admin.site.urls),
-]
-
-if settings.DEBUG:
-    import debug_toolbar
-    urlpatterns = [
-        path('__debug__/', include(debug_toolbar.urls)),
-    ] + urlpatterns

passbook/core/views/authentication.py

@@ -71,7 +71,7 @@ class LoginView(UserPassesTestMixin, FormView):
         if not pre_user:
             # No user found
             return self.invalid_login(self.request)
-        self.request.session.flush()
+        # self.request.session.flush()
         self.request.session[AuthenticationView.SESSION_PENDING_USER] = pre_user.pk
         return _redirect_with_qs('passbook_core:auth-process', self.request.GET)
 

passbook/hibp_policy/__init__.py

@@ -1,2 +1,2 @@
 """passbook hibp_policy"""
-__version__ = '0.1.37-beta'
+__version__ = '0.2.3-beta'

passbook/ldap/__init__.py

@@ -1,2 +1,2 @@
 """Passbook ldap app Header"""
-__version__ = '0.1.37-beta'
+__version__ = '0.2.3-beta'

passbook/lib/__init__.py

@@ -1,2 +1,2 @@
 """passbook lib"""
-__version__ = '0.1.37-beta'
+__version__ = '0.2.3-beta'

passbook/lib/config.py

@@ -137,4 +137,6 @@ def signal_handler(sender, **kwargs):
     """Add all loaded config files to autoreload watcher"""
     for path in CONFIG.loaded_file:
         sender.watch_file(path)
+
+
 autoreload_started.connect(signal_handler)

passbook/lib/default.yml

@@ -23,9 +23,13 @@ email:
   use_ssl: false
   from: passbook <passbook@domain.tld>
 web:
-  listen: 0.0.0.0
+  server.socket_host: 0.0.0.0
-  port: 8000
+  server.socket_port: 8000
-  threads: 30
+  server.thread_pool: 20
+  log.screen: false
+  log.access_file: ''
+  log.error_file: ''
+
 debug: false
 secure_proxy_header:
   HTTP_X_FORWARDED_PROTO: https
@@ -96,3 +100,6 @@ saml_idp:
   types:
     - passbook.saml_idp.processors.generic
     - passbook.saml_idp.processors.salesforce
+app_gw:
+  listen: 0.0.0.0
+  port: 8000

passbook/lib/sentry.py

@@ -1,17 +1,29 @@
 """passbook sentry integration"""
+from logging import getLogger
+
+LOGGER = getLogger(__name__)
 
 
 def before_send(event, hint):
     """Check if error is database error, and ignore if so"""
-    from django.db import OperationalError
     from django_redis.exceptions import ConnectionInterrupted
-
+    from django.db import OperationalError, InternalError
-    ignored_classes = [
+    from rest_framework.exceptions import APIException
+    from billiard.exceptions import WorkerLostError
+    from django.core.exceptions import DisallowedHost
+    ignored_classes = (
         OperationalError,
         ConnectionInterrupted,
-    ]
+        APIException,
+        InternalError,
+        ConnectionResetError,
+        WorkerLostError,
+        DisallowedHost,
+        ConnectionResetError,
+    )
     if 'exc_info' in hint:
         _exc_type, exc_value, _ = hint['exc_info']
         if isinstance(exc_value, ignored_classes):
+            LOGGER.info("Supressing error %r", exc_value)
             return None
     return event

passbook/oauth_client/__init__.py

@@ -1,2 +1,2 @@
 """passbook oauth_client Header"""
-__version__ = '0.1.37-beta'
+__version__ = '0.2.3-beta'

passbook/oauth_client/models.py

@@ -29,13 +29,12 @@ class OAuthSource(Source):
     def get_login_button(self):
         url = reverse_lazy('passbook_oauth_client:oauth-client-login',
                            kwargs={'source_slug': self.slug})
-        # if self.provider_type == 'github':
-        #     return url, 'github-logo', _('GitHub')
         return url, self.provider_type, self.name
 
     @property
     def additional_info(self):
-        return "Callback URL: '%s'" % reverse_lazy('passbook_oauth_client:oauth-client-callback',
+        return "Callback URL: <pre>%s</pre>" % \
+            reverse_lazy('passbook_oauth_client:oauth-client-callback',
                          kwargs={'source_slug': self.slug})
 
     def has_user_settings(self):

passbook/oauth_client/views/core.py

@@ -4,7 +4,7 @@ from logging import getLogger
 
 from django.conf import settings
 from django.contrib import messages
-from django.contrib.auth import authenticate, login
+from django.contrib.auth import authenticate
 from django.contrib.auth.mixins import LoginRequiredMixin
 from django.http import Http404
 from django.shortcuts import get_object_or_404, redirect, render
@@ -12,6 +12,7 @@ from django.urls import reverse
 from django.utils.translation import ugettext as _
 from django.views.generic import RedirectView, View
 
+from passbook.core.auth.view import AuthenticationView, _redirect_with_qs
 from passbook.lib.utils.reflection import app
 from passbook.oauth_client.clients import get_client
 from passbook.oauth_client.models import OAuthSource, UserOAuthSourceConnection
@@ -128,11 +129,6 @@ class OAuthCallback(OAuthClientMixin, View):
         "Return url to redirect on login failure."
         return settings.LOGIN_URL
 
-    # pylint: disable=unused-argument
-    def get_login_redirect(self, source, user, access, new=False):
-        "Return url to redirect authenticated users."
-        return 'passbook_core:overview'
-
     def get_or_create_user(self, source, access, info):
         "Create a shell auth.User."
         raise NotImplementedError()
@@ -149,14 +145,22 @@ class OAuthCallback(OAuthClientMixin, View):
         except KeyError:
             return None
 
+    def handle_login(self, user, source, access):
+        """Prepare AuthenticationView, redirect users to remaining Factors"""
+        user = authenticate(source=access.source,
+                            identifier=access.identifier, request=self.request)
+        self.request.session[AuthenticationView.SESSION_PENDING_USER] = user.pk
+        self.request.session[AuthenticationView.SESSION_USER_BACKEND] = user.backend
+        self.request.session[AuthenticationView.SESSION_IS_SSO_LOGIN] = True
+        return _redirect_with_qs('passbook_core:auth-process', self.request.GET)
+
     # pylint: disable=unused-argument
     def handle_existing_user(self, source, user, access, info):
         "Login user and redirect."
-        login(self.request, user)
         messages.success(self.request, _("Successfully authenticated with %(source)s!" % {
             'source': self.source.name
         }))
-        return redirect(self.get_login_redirect(source, user, access))
+        return self.handle_login(user, source, access)
 
     def handle_login_failure(self, source, reason):
         "Message user and redirect on error."
@@ -176,12 +180,9 @@ class OAuthCallback(OAuthClientMixin, View):
         access.user = user
         access.save()
         UserOAuthSourceConnection.objects.filter(pk=access.pk).update(user=user)
-        if not was_authenticated:
-            user = authenticate(source=access.source,
-                                identifier=access.identifier, request=self.request)
-            login(self.request, user)
         if app('passbook_audit'):
             pass
+            # TODO: Create audit entry
             # from passbook.audit.models import something
             # something.event(user=user,)
             # Event.create(
@@ -197,10 +198,13 @@ class OAuthCallback(OAuthClientMixin, View):
             return redirect(reverse('passbook_oauth_client:oauth-client-user', kwargs={
                 'source_slug': self.source.slug
             }))
+        # User was not authenticated, new user has been created
+        user = authenticate(source=access.source,
+                            identifier=access.identifier, request=self.request)
         messages.success(self.request, _("Successfully authenticated with %(source)s!" % {
             'source': self.source.name
         }))
-        return redirect(self.get_login_redirect(source, user, access, True))
+        return self.handle_login(user, source, access)
 
 
 class DisconnectView(LoginRequiredMixin, View):

passbook/oauth_provider/__init__.py

@@ -1,2 +1,2 @@
 """passbook oauth_provider Header"""
-__version__ = '0.1.37-beta'
+__version__ = '0.2.3-beta'

passbook/oauth_provider/settings.py

@@ -20,6 +20,7 @@ OAUTH2_PROVIDER_APPLICATION_MODEL = 'passbook_oauth_provider.OAuth2Provider'
 OAUTH2_PROVIDER = {
     # this is the list of available scopes
     'SCOPES': {
+        'openid': 'Access OpenID Userinfo',
         'openid:userinfo': 'Access OpenID Userinfo',
         # 'write': 'Write scope',
         # 'groups': 'Access to your groups',

passbook/oauth_provider/views/openid.py

@@ -8,16 +8,21 @@ from django.views.generic import View
 class OpenIDConfigurationView(View):
     """Return OpenID Configuration"""
 
+    def get_issuer_url(self, request):
+        """Get correct issuer URL"""
+        full_url = request.build_absolute_uri(reverse('passbook_oauth_provider:openid-discovery'))
+        return full_url.replace(".well-known/openid-configuration", "")
+
     def get(self, request: HttpRequest):
         """Get Response conform to https://openid.net/specs/openid-connect-discovery-1_0.html"""
         return JsonResponse({
-            'issuer': request.build_absolute_uri(reverse('passbook_core:overview')),
+            'issuer': self.get_issuer_url(request),
             'authorization_endpoint': request.build_absolute_uri(
                 reverse('passbook_oauth_provider:oauth2-authorize')),
             'token_endpoint': request.build_absolute_uri(reverse('passbook_oauth_provider:token')),
             "jwks_uri": request.build_absolute_uri(reverse('passbook_oauth_provider:openid-jwks')),
             "scopes_supported": [
-                "openid:userinfo",
+                "openid",
             ],
         })
 

passbook/otp/__init__.py

@@ -1,2 +1,2 @@
 """passbook otp Header"""
-__version__ = '0.1.37-beta'
+__version__ = '0.2.3-beta'

passbook/password_expiry_policy/__init__.py

@@ -1,2 +1,2 @@
 """passbook password_expiry"""
-__version__ = '0.1.37-beta'
+__version__ = '0.2.3-beta'

passbook/root/celery.py

@@ -7,7 +7,7 @@ from celery import Celery, signals
 from django.conf import settings
 
 # set the default Django settings module for the 'celery' program.
-os.environ.setdefault("DJANGO_SETTINGS_MODULE", "passbook.core.settings")
+os.environ.setdefault("DJANGO_SETTINGS_MODULE", "passbook.root.settings")
 
 LOGGER = logging.getLogger(__name__)
 

passbook/root/requirements.txt

@@ -1,5 +1,6 @@
 celery
 colorlog
+cherrypy
 django-ipware
 django-model-utils
 django-redis
@@ -11,5 +12,4 @@ psycopg2
 PyYAML
 sentry-sdk
 pip
-whitenoise
 urllib3<1.25,>=1.21.1

passbook/root/settings.py

@@ -122,7 +122,6 @@ CACHES = {
 
 MIDDLEWARE = [
     'django.contrib.sessions.middleware.SessionMiddleware',
-    'whitenoise.middleware.WhiteNoiseMiddleware',
     'django.contrib.auth.middleware.AuthenticationMiddleware',
     'passbook.app_gw.middleware.ApplicationGatewayMiddleware',
     'django.middleware.security.SecurityMiddleware',
@@ -132,7 +131,7 @@ MIDDLEWARE = [
     'django.middleware.clickjacking.XFrameOptionsMiddleware',
 ]
 
-ROOT_URLCONF = 'passbook.core.urls'
+ROOT_URLCONF = 'passbook.root.urls'
 
 TEMPLATES = [
     {
@@ -221,7 +220,7 @@ CELERY_BEAT_SCHEDULE = {
 
 if not DEBUG:
     sentry_init(
-        dsn="https://55b5dd780bc14f4c96bba69b7a9abbcc@sentry.services.beryju.org/8",
+        dsn="https://33cdbcb23f8b436dbe0ee06847410b67@sentry.beryju.org/3",
         integrations=[
             DjangoIntegration(),
             CeleryIntegration(),
@@ -239,7 +238,6 @@ if not DEBUG:
 # https://docs.djangoproject.com/en/2.1/howto/static-files/
 
 STATIC_URL = '/static/'
-STATICFILES_STORAGE = 'whitenoise.storage.CompressedManifestStaticFilesStorage'
 
 with CONFIG.cd('log'):
     LOGGING = {

passbook/root/urls.py

@@ -0,0 +1,41 @@
+"""passbook URL Configuration"""
+from logging import getLogger
+
+from django.conf import settings
+from django.contrib import admin
+from django.urls import include, path
+from django.views.generic import RedirectView
+
+from passbook.core.views import error
+from passbook.lib.utils.reflection import get_apps
+
+LOGGER = getLogger(__name__)
+admin.autodiscover()
+admin.site.login = RedirectView.as_view(pattern_name='passbook_core:auth-login')
+
+handler400 = error.BadRequestView.as_view()
+handler403 = error.ForbiddenView.as_view()
+handler404 = error.NotFoundView.as_view()
+handler500 = error.ServerErrorView.as_view()
+
+urlpatterns = [
+]
+
+for _passbook_app in get_apps():
+    if hasattr(_passbook_app, 'mountpoint'):
+        _path = path(_passbook_app.mountpoint, include((_passbook_app.name+'.urls',
+                                                        _passbook_app.label),
+                                                       namespace=_passbook_app.label))
+        urlpatterns.append(_path)
+        LOGGER.debug("Loaded %s's URLs", _passbook_app.name)
+
+urlpatterns += [
+    # Administration
+    path('administration/django/', admin.site.urls),
+]
+
+if settings.DEBUG:
+    import debug_toolbar
+    urlpatterns = [
+        path('__debug__/', include(debug_toolbar.urls)),
+    ] + urlpatterns

passbook/saml_idp/__init__.py

@@ -1,2 +1,2 @@
 """passbook saml_idp Header"""
-__version__ = '0.1.37-beta'
+__version__ = '0.2.3-beta'

passbook/saml_idp/forms.py

@@ -54,3 +54,6 @@ class SAMLPropertyMappingForm(forms.ModelForm):
         field_classes = {
             'values': DynamicArrayField
         }
+        help_texts = {
+            'values': 'String substitution uses a syntax like "{variable} test}".'
+        }

passbook/suspicious_policy/__init__.py

@@ -1,2 +1,2 @@
 """passbook suspicious_policy"""
-__version__ = '0.1.37-beta'
+__version__ = '0.2.3-beta'

requirements-dev.txt

@@ -5,7 +5,7 @@ isort
 astroid==2.0.4
 pylint==2.1.1
 pylint-django==2.0.2
-prospector
+prospector==1.1.5
 django-debug-toolbar
 pycodestyle<2.4.0,>=2.0.0
 bumpversion

requirements.txt

@@ -1,4 +1,4 @@
--r passbook/core/requirements.txt
+-r passbook/root/requirements.txt
 -r passbook/oauth_client/requirements.txt
 -r passbook/ldap/requirements.txt
 -r passbook/saml_idp/requirements.txt