bump version: 0.1.12-beta -> 0.1.13-beta

Resolve "Group Management"

Closes #23

See merge request BeryJu.org/passbook!9

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 0.1.6-beta
+current_version = 0.1.13-beta
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\-(?P<release>.*)

.gitlab-ci.yml

@@ -8,6 +8,7 @@ stages:
   - test
   - build
   - docs
+  - deploy
 image: python:3.6
 services:
   - postgres:latest
@@ -53,7 +54,7 @@ package-docker:
   before_script:
     - echo "{\"auths\":{\"docker.$NEXUS_URL\":{\"auth\":\"$NEXUS_AUTH\"}}}" > /kaniko/.docker/config.json
   script:
-    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination docker.pkg.beryju.org/passbook:latest --destination docker.pkg.beryju.org/passbook:0.1.6-beta
+    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination docker.pkg.beryju.org/passbook:latest --destination docker.pkg.beryju.org/passbook:0.1.13-beta
   stage: build
   only:
     - tags
@@ -113,3 +114,16 @@ package-debian:
 #     - mkdocs build
 #     - 'rsync -avh --delete web/* "beryjuorg@ory1-web-prod-1.ory1.beryju.org:passbook.beryju.org/"'
 #     - 'rsync -avh --delete site/* "beryjuorg@ory1-web-prod-1.ory1.beryju.org:passbook.beryju.org/docs/"'
+
+# deploy:
+#   environment:
+#     name: production
+#     url: https://passbook-prod.default.k8s.beryju.org/
+#   stage: deploy
+#   only:
+#   - tags
+#   - /^version/.*$/
+#   script:
+#     - curl https://raw.githubusercontent.com/helm/helm/master/scripts/get | bash
+#     - helm init
+#     - helm upgrade passbook-prod helm/passbook --devel

debian/changelog

@@ -1,3 +1,69 @@
+passbook (0.1.13) stable; urgency=medium
+
+  * bump version: 0.1.11-beta -> 0.1.12-beta
+  * Fix DoesNotExist error when running PolicyEngine against None user
+  * allow custom email server for helm installs
+  * fix UserChangePasswordView not requiring Login
+
+ -- Jens Langhammer <jens.langhammer@beryju.org>  Mon, 11 Mar 2019 10:28:36 +0000
+
+passbook (0.1.12) stable; urgency=medium
+
+  * bump version: 0.1.10-beta -> 0.1.11-beta
+  * rewrite PasswordFactor to use backends setting instead of trying all backends
+  * install updated helm release from local folder
+  * disable automatic k8s deployment for now
+  * fix OAuth Authorization View not requiring authentication
+
+ -- Jens Langhammer <jens.langhammer@beryju.org>  Mon, 11 Mar 2019 08:50:29 +0000
+
+passbook (0.1.11) stable; urgency=medium
+
+  * add group administration
+  * bump version: 0.1.9-beta -> 0.1.10-beta
+  * fix helm labels being on deployments and not pods
+  * automatically deploy after release
+  * use Django's Admin FilteredSelectMultiple for Group Membership
+  * always use FilteredSelectMultiple for many-to-many fields
+  * Add Group Member policy
+  * add LDAP Group Membership Policy
+
+ -- Jens Langhammer <jens.langhammer@beryju.org>  Sun, 10 Mar 2019 18:55:31 +0000
+
+passbook (0.1.10) stable; urgency=high
+
+  * bump version: 0.1.7-beta -> 0.1.8-beta
+  * consistently using PolicyEngine
+  * add more Verbosity to PolicyEngine, rewrite SAML Authorisation check
+  * slightly refactor Factor View, add more unittests
+  * add impersonation middleware, add to templates
+  * bump version: 0.1.8-beta -> 0.1.9-beta
+  * fix k8s service routing http traffic to workers
+  * Fix button on policy test page
+  * better show loading state when testing a policy
+
+ -- Jens Langhammer <jens.langhammer@beryju.org>  Sun, 10 Mar 2019 14:52:40 +0000
+
+passbook (0.1.7) stable; urgency=medium
+
+  * bump version: 0.1.3-beta -> 0.1.4-beta
+  * implicitly add kubernetes-healthcheck-host in helm configmap
+  * fix debian build (again)
+  * add PropertyMapping Model, add Subclass for SAML, test with AWS
+  * add custom DynamicArrayField to better handle arrays
+  * format data before inserting it
+  * bump version: 0.1.4-beta -> 0.1.5-beta
+  * fix static files missing for debian package
+  * fix password not getting set on user import
+  * remove audit's login attempt
+  * add passing property to PolicyEngine
+  * fix captcha factor not loading keys from Factor class
+  * bump version: 0.1.5-beta -> 0.1.6-beta
+  * fix MATCH_EXACT not working as intended
+  * Improve access control for saml
+
+ -- Jens Langhammer <jens.langhammer@beryju.org>  Fri, 08 Mar 2019 20:37:05 +0000
+
 passbook (0.1.4) stable; urgency=medium
 
   * initial debian package release

helm/passbook/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v1
-appVersion: "0.1.6-beta"
+appVersion: "0.1.13-beta"
 description: A Helm chart for passbook.
 name: passbook
-version: "0.1.6-beta"
+version: "0.1.13-beta"
 icon: https://passbook.beryju.org/images/logo.png

helm/passbook/templates/passbook-configmap.yaml

@@ -22,7 +22,7 @@ data:
         host: 127.0.0.1
         port: 514
     email:
-      host: localhost
+      host: {{ .Values.config.email.host }}
       port: 25
       user: ''
       password: ''

helm/passbook/templates/passbook-web-deployment.yaml

@@ -18,6 +18,7 @@ spec:
       labels:
         app.kubernetes.io/name: {{ include "passbook.name" . }}
         app.kubernetes.io/instance: {{ .Release.Name }}
+        passbook.io/component: web
     spec:
       volumes:
         - name: config-volume

helm/passbook/templates/passbook-web-service.yaml

@@ -17,3 +17,4 @@ spec:
   selector:
     app.kubernetes.io/name: {{ include "passbook.name" . }}
     app.kubernetes.io/instance: {{ .Release.Name }}
+    passbook.io/component: web

helm/passbook/templates/passbook-worker-deployment.yaml

@@ -18,6 +18,7 @@ spec:
       labels:
         app.kubernetes.io/name: {{ include "passbook.name" . }}
         app.kubernetes.io/instance: {{ .Release.Name }}
+        passbook.io/component: worker
     spec:
       volumes:
         - name: config-volume

helm/passbook/values.yaml

@@ -5,7 +5,7 @@
 replicaCount: 1
 
 image:
-  tag: 0.1.6-beta
+  tag: 0.1.13-beta
 
 nameOverride: ""
 
@@ -14,6 +14,8 @@ config:
   # secret_key: _k*@6h2u2@q-dku57hhgzb7tnx*ba9wodcb^s9g0j59@=y(@_o
   # Enable error reporting
   error_reporting: true
+  email:
+    host: localhost
 
 postgresql:
     postgresqlDatabase: passbook

passbook/__init__.py

@@ -1,2 +1,2 @@
 """passbook"""
-__version__ = '0.1.6-beta'
+__version__ = '0.1.13-beta'

passbook/admin/__init__.py

@@ -1,2 +1,2 @@
 """passbook admin"""
-__version__ = '0.1.6-beta'
+__version__ = '0.1.13-beta'

passbook/admin/middleware.py

@@ -0,0 +1,25 @@
+"""passbook admin Middleware to impersonate users"""
+
+from passbook.core.models import User
+
+
+def impersonate(get_response):
+    """Middleware to impersonate users"""
+
+    def middleware(request):
+        """Middleware to impersonate users"""
+
+        # User is superuser and has __impersonate ID set
+        if request.user.is_superuser and "__impersonate" in request.GET:
+            request.session['impersonate_id'] = request.GET["__impersonate"]
+        # user wants to stop impersonation
+        elif "__unimpersonate" in request.GET and 'impersonate_id' in request.session:
+            del request.session['impersonate_id']
+
+        # Actually impersonate user
+        if request.user.is_superuser and 'impersonate_id' in request.session:
+            request.user = User.objects.get(pk=request.session['impersonate_id'])
+
+        response = get_response(request)
+        return response
+    return middleware

passbook/admin/settings.py

@@ -0,0 +1,5 @@
+"""passbook admin settings"""
+
+MIDDLEWARE = [
+    'passbook.admin.middleware.impersonate',
+]

passbook/admin/templates/administration/base.html

@@ -39,6 +39,9 @@
     <li class="{% is_active 'passbook_admin:users' 'passbook_admin:user-update' 'passbook_admin:user-delete' %}">
         <a href="{% url 'passbook_admin:users' %}">{% trans 'Users' %}</a>
     </li>
+    <li class="{% is_active 'passbook_admin:groups' 'passbook_admin:group-update' 'passbook_admin:group-delete' %}">
+        <a href="{% url 'passbook_admin:groups' %}">{% trans 'Groups' %}</a>
+    </li>
     <li class="{% is_active 'passbook_admin:audit-log' %}">
         <a href="{% url 'passbook_admin:audit-log' %}">{% trans 'Audit Log' %}</a>
     </li>

passbook/admin/templates/administration/group/list.html

@@ -0,0 +1,45 @@
+{% extends "administration/base.html" %}
+
+{% load i18n %}
+{% load utils %}
+
+{% block title %}
+{% title %}
+{% endblock %}
+
+{% block content %}
+<div class="container">
+    <h1><span class="pficon-users"></span> {% trans "Groups" %}</h1>
+    <span>{% trans "Group users together and give them permissions based on the membership." %}</span>
+    <hr>
+    <a href="{% url 'passbook_admin:group-create' %}?back={{ request.get_full_path }}" class="btn btn-primary">
+        {% trans 'Create...' %}
+    </a>
+    <hr>
+    <table class="table table-striped table-bordered">
+        <thead>
+            <tr>
+                <th>{% trans 'Name' %}</th>
+                <th>{% trans 'Parent' %}</th>
+                <th>{% trans 'Members' %}</th>
+                <th></th>
+            </tr>
+        </thead>
+        <tbody>
+            {% for group in object_list %}
+            <tr>
+                <td>{{ group.name }}</td>
+                <td>{{ group.parent }}</td>
+                <td>{{ group.user_set.all|length }}</td>
+                <td>
+                    <a class="btn btn-default btn-sm"
+                        href="{% url 'passbook_admin:group-update' pk=group.uuid %}?back={{ request.get_full_path }}">{% trans 'Edit' %}</a>
+                    <a class="btn btn-default btn-sm"
+                        href="{% url 'passbook_admin:group-delete' pk=group.uuid %}?back={{ request.get_full_path }}">{% trans 'Delete' %}</a>
+                </td>
+            </tr>
+            {% endfor %}
+        </tbody>
+    </table>
+</div>
+{% endblock %}

passbook/admin/templates/administration/groups/list.html

@@ -1,83 +0,0 @@
-{% extends "administration/base.html" %}
-
-{% load i18n %}
-{% load static %}
-{% load utils %}
-
-{% block head %}
-{{ block.super }}
-<link rel="stylesheet" href="{% static 'css/bootstrap-treeview.min.css'%}">
-{% endblock %}
-
-{% block scripts %}
-{{ block.super }}
-<script src="{% static 'js/bootstrap-treeview.min.js' %}"></script>
-<script>
-  var cleanupData = function (obj) {
-    return {
-      text: obj.name,
-      href: '?group=' + obj.uuid,
-      nodes: obj.children.map(cleanupData),
-    };
-  }
- $(function() {
-   var apiUrl = "{% url 'passbook_admin:group-list' %}?format=json";
-   $.ajax({
-      url: apiUrl,
-    }).done(function(data) {
-      $('#treeview1').treeview({
-        collapseIcon: "fa fa-angle-down",
-        data: data.map(cleanupData),
-        expandIcon: "fa fa-angle-right",
-        nodeIcon: "fa pficon-users",
-        showBorder: true,
-        enableLinks: true,
-        onNodeSelected: function (event, node) {
-          window.location.href = node.href;
-        }
-      });
-    });
-  });
-</script>
-{% endblock %}
-
-{% block title %}
-{% title %}
-{% endblock %}
-
-{% block content %}
-<div class="col-md-3">
-  <div id="treeview1" class="treeview">
-  </div>
-</div>
-<div class="col-md-9">
-  <h1>{% trans "Invitations" %}</h1>
-  <a href="{% url 'passbook_admin:invitation-create' %}" class="btn btn-primary">
-    {% trans 'Create...' %}
-  </a>
-  <hr>
-  <table class="table table-striped table-bordered">
-    <thead>
-      <tr>
-        <th>{% trans 'Expiry' %}</th>
-        <th>{% trans 'Link' %}</th>
-        <th></th>
-      </tr>
-    </thead>
-    <tbody>
-      {% for invitation in object_list %}
-      <tr>
-        <td>{{ invitation.expires|default:"Never" }}</td>
-        <td>
-          <pre>{{ invitation.link }}</pre>
-        </td>
-        <td>
-          <a class="btn btn-default btn-sm" href="{% url 'passbook_admin:invitation-delete' pk=invitation.uuid %}?back={{ request.get_full_path }}">{%
-            trans 'Delete' %}</a>
-        </td>
-      </tr>
-      {% endfor %}
-    </tbody>
-  </table>
-</div>
-{% endblock %}

passbook/admin/templates/administration/policy/test.html

@@ -5,3 +5,22 @@
 {% block above_form %}
 <h1>{% blocktrans with policy=policy %}Test policy {{ policy }}{% endblocktrans %}</h1>
 {% endblock %}
+
+{% block action %}
+{% trans 'Test' %}
+{% endblock %}
+
+{% block beneath_form %}
+<p class="loading" style="display: none;">
+  <span class="spinner spinner-xs spinner-inline"></span> {% trans 'Processing, please wait...' %}
+</p>
+{% endblock %}
+
+{% block scripts %}
+{{ block.super }}
+<script>
+  $('form').on('submit', function () {
+    $('p.loading').show();
+  })
+</script>
+{% endblock %}

passbook/admin/templates/administration/user/list.html

@@ -31,6 +31,8 @@
                         href="{% url 'passbook_admin:user-delete' pk=user.pk %}?back={{ request.get_full_path }}">{% trans 'Delete' %}</a>
                     <a class="btn btn-default btn-sm"
                         href="{% url 'passbook_admin:user-password-reset' pk=user.pk %}?back={{ request.get_full_path }}">{% trans 'Reset Password' %}</a>
+                    <a class="btn btn-default btn-sm"
+                        href="{% url 'passbook_core:overview' %}?__impersonate={{ user.pk }}">{% trans 'Impersonate' %}</a>
                 </td>
             </tr>
             {% endfor %}

passbook/admin/templates/generic/form.html

@@ -2,10 +2,20 @@
 
 {% load i18n %}
 {% load utils %}
+{% load static %}
 
 {% block head %}
 {{ block.super }}
 {{ form.media.css }}
+<script type="text/javascript" src="{% url 'admin:jsi18n' %}"></script>
+<script type="text/javascript" src="{% static 'admin/js/vendor/jquery/jquery.js' %}"></script>
+<script type="text/javascript" src="{% static 'admin/js/jquery.init.js' %}"></script>
+<script type="text/javascript" src="{% static 'admin/js/core.js' %}"></script>
+<script type="text/javascript" src="{% static 'admin/js/actions.js' %}"></script>
+<script type="text/javascript" src="{% static 'admin/js/urlify.js' %}"></script>
+<script type="text/javascript" src="{% static 'admin/js/prepopulate.js' %}"></script>
+<script type="text/javascript" src="{% static 'admin/js/SelectBox.js' %}"></script>
+<script type="text/javascript" src="{% static 'admin/js/SelectFilter2.js' %}"></script>
 {% endblock %}
 
 {% block content %}
@@ -19,6 +29,8 @@
       <input type="submit" class="btn btn-primary" value="{% block action %}{% endblock %}" />
     </form>
   </div>
+  {% block beneath_form %}
+  {% endblock %}
 </div>
 {% endblock %}
 

passbook/admin/urls.py

@@ -67,6 +67,11 @@ urlpatterns = [
          users.UserDeleteView.as_view(), name='user-delete'),
     path('users/<int:pk>/reset/',
          users.UserPasswordResetView.as_view(), name='user-password-reset'),
+    # Groups
+    path('group/', groups.GroupListView.as_view(), name='group'),
+    path('group/create/', groups.GroupCreateView.as_view(), name='group-create'),
+    path('group/<uuid:pk>/update/', groups.GroupUpdateView.as_view(), name='group-update'),
+    path('group/<uuid:pk>/delete/', groups.GroupDeleteView.as_view(), name='group-delete'),
     # Audit Log
     path('audit/', audit.AuditEntryListView.as_view(), name='audit-log'),
     # Groups

passbook/admin/views/groups.py

@@ -1,12 +1,57 @@
 """passbook Group administration"""
-from django.views.generic import ListView
+from django.contrib import messages
+from django.contrib.messages.views import SuccessMessageMixin
+from django.urls import reverse_lazy
+from django.utils.translation import ugettext as _
+from django.views.generic import CreateView, DeleteView, ListView, UpdateView
 
 from passbook.admin.mixins import AdminRequiredMixin
+from passbook.core.forms.groups import GroupForm
 from passbook.core.models import Group
 
 
 class GroupListView(AdminRequiredMixin, ListView):
-    """Show list of all invitations"""
+    """Show list of all groups"""
 
     model = Group
-    template_name = 'administration/groups/list.html'
+    ordering = 'name'
+    template_name = 'administration/group/list.html'
+
+
+class GroupCreateView(SuccessMessageMixin, AdminRequiredMixin, CreateView):
+    """Create new Group"""
+
+    form_class = GroupForm
+
+    template_name = 'generic/create.html'
+    success_url = reverse_lazy('passbook_admin:groups')
+    success_message = _('Successfully created Group')
+
+    def get_context_data(self, **kwargs):
+        kwargs['type'] = 'Group'
+        return super().get_context_data(**kwargs)
+
+
+class GroupUpdateView(SuccessMessageMixin, AdminRequiredMixin, UpdateView):
+    """Update group"""
+
+    model = Group
+    form_class = GroupForm
+
+    template_name = 'generic/update.html'
+    success_url = reverse_lazy('passbook_admin:groups')
+    success_message = _('Successfully updated Group')
+
+
+class GroupDeleteView(SuccessMessageMixin, AdminRequiredMixin, DeleteView):
+    """Delete group"""
+
+    model = Group
+
+    template_name = 'generic/delete.html'
+    success_url = reverse_lazy('passbook_admin:groups')
+    success_message = _('Successfully deleted Group')
+
+    def delete(self, request, *args, **kwargs):
+        messages.success(self.request, self.success_message)
+        return super().delete(request, *args, **kwargs)

passbook/admin/views/policy.py

@@ -11,6 +11,7 @@ from django.views.generic.detail import DetailView
 from passbook.admin.forms.policies import PolicyTestForm
 from passbook.admin.mixins import AdminRequiredMixin
 from passbook.core.models import Policy
+from passbook.core.policies import PolicyEngine
 from passbook.lib.utils.reflection import path_to_class
 
 
@@ -100,7 +101,9 @@ class PolicyTestView(AdminRequiredMixin, DetailView, FormView):
     def form_valid(self, form):
         policy = self.get_object()
         user = form.cleaned_data.get('user')
-        result = policy.passes(user)
+        policy_engine = PolicyEngine([policy])
+        policy_engine.for_user(user).with_request(self.request).build()
+        result = policy_engine.passing
         if result:
             messages.success(self.request, _('User successfully passed policy.'))
         else:

passbook/api/__init__.py

@@ -1,2 +1,2 @@
 """passbook api"""
-__version__ = '0.1.6-beta'
+__version__ = '0.1.13-beta'

passbook/audit/__init__.py

@@ -1,2 +1,2 @@
 """passbook audit Header"""
-__version__ = '0.1.6-beta'
+__version__ = '0.1.13-beta'

passbook/captcha_factor/__init__.py

@@ -1,2 +1,2 @@
 """passbook captcha_factor Header"""
-__version__ = '0.1.6-beta'
+__version__ = '0.1.13-beta'

passbook/core/__init__.py

@@ -1,2 +1,2 @@
 """passbook core"""
-__version__ = '0.1.6-beta'
+__version__ = '0.1.13-beta'

passbook/core/auth/factors/password.py

@@ -1,8 +1,10 @@
 """passbook multi-factor authentication engine"""
+from inspect import Signature
 from logging import getLogger
 
 from django.contrib import messages
-from django.contrib.auth import authenticate
+from django.contrib.auth import _clean_credentials
+from django.contrib.auth.signals import user_login_failed
 from django.core.exceptions import PermissionDenied
 from django.forms.utils import ErrorList
 from django.shortcuts import redirect, reverse
@@ -15,10 +17,40 @@ from passbook.core.forms.authentication import PasswordFactorForm
 from passbook.core.models import Nonce
 from passbook.core.tasks import send_email
 from passbook.lib.config import CONFIG
+from passbook.lib.utils.reflection import path_to_class
 
 LOGGER = getLogger(__name__)
 
 
+def authenticate(request, backends, **credentials):
+    """If the given credentials are valid, return a User object.
+    Customized version of django's authenticate, which accepts a list of backends"""
+    for backend_path in backends:
+        backend = path_to_class(backend_path)()
+        try:
+            signature = Signature.from_callable(backend.authenticate)
+            signature.bind(request, **credentials)
+        except TypeError:
+            LOGGER.debug("Backend %s doesn't accept our arguments", backend)
+            # This backend doesn't accept these credentials as arguments. Try the next one.
+            continue
+        LOGGER.debug('Attempting authentication with %s...', backend)
+        try:
+            user = backend.authenticate(request, **credentials)
+        except PermissionDenied:
+            LOGGER.debug('Backend %r threw PermissionDenied', backend)
+            # This backend says to stop in our tracks - this user should not be allowed in at all.
+            break
+        if user is None:
+            continue
+        # Annotate the user object with the path of the backend.
+        user.backend = backend_path
+        return user
+
+    # The credentials supplied are invalid to all backends, fire signal
+    user_login_failed.send(sender=__name__, credentials=_clean_credentials(
+        credentials), request=request)
+
 class PasswordFactor(FormView, AuthenticationFactor):
     """Authentication factor which authenticates against django's AuthBackend"""
 
@@ -57,7 +89,7 @@ class PasswordFactor(FormView, AuthenticationFactor):
         for uid_field in uid_fields:
             kwargs[uid_field] = getattr(self.authenticator.pending_user, uid_field)
         try:
-            user = authenticate(self.request, **kwargs)
+            user = authenticate(self.request, self.authenticator.current_factor.backends, **kwargs)
             if user:
                 # User instance returned from authenticate() has .backend property set
                 self.authenticator.pending_user = user

passbook/core/auth/view.py

@@ -39,35 +39,41 @@ class AuthenticationView(UserPassesTestMixin, View):
 
     # Allow only not authenticated users to login
     def test_func(self):
-        return self.request.user.is_authenticated is False
+        return AuthenticationView.SESSION_PENDING_USER in self.request.session
 
     def handle_no_permission(self):
         # Function from UserPassesTestMixin
         if 'next' in self.request.GET:
             return redirect(self.request.GET.get('next'))
+        if self.request.user.is_authenticated:
             return _redirect_with_qs('passbook_core:overview', self.request.GET)
+        return _redirect_with_qs('passbook_core:auth-login', self.request.GET)
 
-    def dispatch(self, request, *args, **kwargs):
-        # Extract pending user from session (only remember uid)
-        if AuthenticationView.SESSION_PENDING_USER in request.session:
-            self.pending_user = get_object_or_404(
-                User, id=self.request.session[AuthenticationView.SESSION_PENDING_USER])
-        else:
-            # No Pending user, redirect to login screen
-            return _redirect_with_qs('passbook_core:auth-login', request.GET)
+    def get_pending_factors(self):
+        """Loading pending factors from Database or load from session variable"""
         # Write pending factors to session
-        if AuthenticationView.SESSION_PENDING_FACTORS in request.session:
-            self.pending_factors = request.session[AuthenticationView.SESSION_PENDING_FACTORS]
-        else:
+        if AuthenticationView.SESSION_PENDING_FACTORS in self.request.session:
+            return self.request.session[AuthenticationView.SESSION_PENDING_FACTORS]
         # Get an initial list of factors which are currently enabled
         # and apply to the current user. We check policies here and block the request
         _all_factors = Factor.objects.filter(enabled=True).order_by('order').select_subclasses()
-            self.pending_factors = []
+        pending_factors = []
         for factor in _all_factors:
             policy_engine = PolicyEngine(factor.policies.all())
-                policy_engine.for_user(self.pending_user).with_request(request).build()
+            policy_engine.for_user(self.pending_user).with_request(self.request).build()
             if policy_engine.passing:
-                    self.pending_factors.append((factor.uuid.hex, factor.type))
+                pending_factors.append((factor.uuid.hex, factor.type))
+        return pending_factors
+
+    def dispatch(self, request, *args, **kwargs):
+        # Check if user passes test (i.e. SESSION_PENDING_USER is set)
+        user_test_result = self.get_test_func()()
+        if not user_test_result:
+            return self.handle_no_permission()
+        # Extract pending user from session (only remember uid)
+        self.pending_user = get_object_or_404(
+            User, id=self.request.session[AuthenticationView.SESSION_PENDING_USER])
+        self.pending_factors = self.get_pending_factors()
         # Read and instantiate factor from session
         factor_uuid, factor_class = None, None
         if AuthenticationView.SESSION_FACTOR not in request.session:
@@ -107,11 +113,11 @@ class AuthenticationView(UserPassesTestMixin, View):
         next_factor = None
         if self.pending_factors:
             next_factor = self.pending_factors.pop()
+            # Save updated pening_factor list to session
             self.request.session[AuthenticationView.SESSION_PENDING_FACTORS] = \
                 self.pending_factors
             self.request.session[AuthenticationView.SESSION_FACTOR] = next_factor
             LOGGER.debug("Rendering Factor is %s", next_factor)
-            # return _redirect_with_qs('passbook_core:auth-process', kwargs={'factor': next_factor})
             return _redirect_with_qs('passbook_core:auth-process', self.request.GET)
         # User passed all factors
         LOGGER.debug("User passed all factors, logging in")
@@ -126,7 +132,6 @@ class AuthenticationView(UserPassesTestMixin, View):
 
     def _user_passed(self):
         """User Successfully passed all factors"""
-        # user = authenticate(request=self.request, )
         backend = self.request.session[AuthenticationView.SESSION_USER_BACKEND]
         login(self.request, self.pending_user, backend=backend)
         LOGGER.debug("Logged in user %s", self.pending_user)

passbook/core/forms/applications.py

@@ -1,5 +1,6 @@
 """passbook Core Application forms"""
 from django import forms
+from django.contrib.admin.widgets import FilteredSelectMultiple
 from django.utils.translation import gettext_lazy as _
 
 from passbook.core.models import Application, Provider
@@ -20,6 +21,7 @@ class ApplicationForm(forms.ModelForm):
             'name': forms.TextInput(),
             'launch_url': forms.TextInput(),
             'icon_url': forms.TextInput(),
+            'policies': FilteredSelectMultiple(_('policies'), False)
         }
         labels = {
             'launch_url': _('Launch URL'),

passbook/core/forms/factors.py

@@ -1,11 +1,20 @@
 """passbook administration forms"""
 from django import forms
+from django.conf import settings
+from django.contrib.admin.widgets import FilteredSelectMultiple
+from django.utils.translation import gettext as _
 
 from passbook.core.models import DummyFactor, PasswordFactor
-from passbook.lib.fields import DynamicArrayField
+from passbook.lib.utils.reflection import path_to_class
 
 GENERAL_FIELDS = ['name', 'slug', 'order', 'policies', 'enabled']
 
+def get_authentication_backends():
+    """Return all available authentication backends as tuple set"""
+    for backend in settings.AUTHENTICATION_BACKENDS:
+        klass = path_to_class(backend)
+        yield backend, getattr(klass(), 'name', '%s (%s)' % (klass.__name__, klass.__module__))
+
 class PasswordFactorForm(forms.ModelForm):
     """Form to create/edit Password Factors"""
 
@@ -16,9 +25,9 @@ class PasswordFactorForm(forms.ModelForm):
         widgets = {
             'name': forms.TextInput(),
             'order': forms.NumberInput(),
-        }
-        field_classes = {
-            'backends': DynamicArrayField
+            'policies': FilteredSelectMultiple(_('policies'), False),
+            'backends': FilteredSelectMultiple(_('backends'), False,
+                                               choices=get_authentication_backends())
         }
 
 class DummyFactorForm(forms.ModelForm):
@@ -31,4 +40,5 @@ class DummyFactorForm(forms.ModelForm):
         widgets = {
             'name': forms.TextInput(),
             'order': forms.NumberInput(),
+            'policies': FilteredSelectMultiple(_('policies'), False)
         }

passbook/core/forms/groups.py

@@ -0,0 +1,32 @@
+"""passbook Core Group forms"""
+from django import forms
+from django.contrib.admin.widgets import FilteredSelectMultiple
+
+from passbook.core.models import Group, User
+
+
+class GroupForm(forms.ModelForm):
+    """Group Form"""
+
+    members = forms.ModelMultipleChoiceField(
+        User.objects.all(), required=False, widget=FilteredSelectMultiple('users', False))
+
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        if self.instance.pk:
+            self.initial['members'] = self.instance.user_set.values_list('pk', flat=True)
+
+    def save(self, *args, **kwargs):
+        instance = super().save(*args, **kwargs)
+        if instance.pk:
+            instance.user_set.clear()
+            instance.user_set.add(*self.cleaned_data['members'])
+        return instance
+
+    class Meta:
+
+        model = Group
+        fields = ['name', 'parent', 'members', 'tags']
+        widgets = {
+            'name': forms.TextInput(),
+        }

passbook/core/forms/policies.py

@@ -4,7 +4,8 @@ from django import forms
 from django.utils.translation import gettext as _
 
 from passbook.core.models import (DebugPolicy, FieldMatcherPolicy,
-                                  PasswordPolicy, WebhookPolicy)
+                                  GroupMembershipPolicy, PasswordPolicy,
+                                  WebhookPolicy)
 
 GENERAL_FIELDS = ['name', 'action', 'negate', 'order', ]
 
@@ -53,6 +54,17 @@ class DebugPolicyForm(forms.ModelForm):
         }
 
 
+class GroupMembershipPolicyForm(forms.ModelForm):
+    """GroupMembershipPolicy Form"""
+
+    class Meta:
+
+        model = GroupMembershipPolicy
+        fields = GENERAL_FIELDS + ['group', ]
+        widgets = {
+            'name': forms.TextInput(),
+        }
+
 class PasswordPolicyForm(forms.ModelForm):
     """PasswordPolicy Form"""
 

passbook/core/migrations/0014_auto_20190226_0850.py

@@ -11,7 +11,7 @@ def create_initial_factor(apps, schema_editor):
             name='password',
             slug='password',
             order=0,
-            backends=[]
+            backends=['django.contrib.auth.backends.ModelBackend']
         )
 
 class Migration(migrations.Migration):

passbook/core/migrations/0019_auto_20190310_1615.py

@@ -0,0 +1,25 @@
+# Generated by Django 2.1.7 on 2019-03-10 16:15
+
+import django.contrib.postgres.fields.hstore
+from django.contrib.postgres.operations import HStoreExtension
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('passbook_core', '0018_provider_property_mappings'),
+    ]
+
+    operations = [
+        migrations.RemoveField(
+            model_name='group',
+            name='extra_data',
+        ),
+        HStoreExtension(),
+        migrations.AddField(
+            model_name='group',
+            name='tags',
+            field=django.contrib.postgres.fields.hstore.HStoreField(default=dict),
+        ),
+    ]

passbook/core/migrations/0020_groupmembershippolicy.py

@@ -0,0 +1,26 @@
+# Generated by Django 2.1.7 on 2019-03-10 18:25
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('passbook_core', '0019_auto_20190310_1615'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='GroupMembershipPolicy',
+            fields=[
+                ('policy_ptr', models.OneToOneField(auto_created=True, on_delete=django.db.models.deletion.CASCADE, parent_link=True, primary_key=True, serialize=False, to='passbook_core.Policy')),
+                ('group', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='passbook_core.Group')),
+            ],
+            options={
+                'verbose_name': 'Group Membership Policy',
+                'verbose_name_plural': 'Group Membership Policies',
+            },
+            bases=('passbook_core.policy',),
+        ),
+    ]

passbook/core/models.py

@@ -8,7 +8,7 @@ from typing import Tuple, Union
 from uuid import uuid4
 
 from django.contrib.auth.models import AbstractUser
-from django.contrib.postgres.fields import ArrayField
+from django.contrib.postgres.fields import ArrayField, HStoreField
 from django.db import models
 from django.urls import reverse_lazy
 from django.utils.timezone import now
@@ -31,7 +31,7 @@ class Group(UUIDModel):
     name = models.CharField(_('name'), max_length=80)
     parent = models.ForeignKey('Group', blank=True, null=True,
                                on_delete=models.SET_NULL, related_name='children')
-    extra_data = models.TextField(blank=True)
+    tags = HStoreField(default=dict)
 
     def __str__(self):
         return "Group %s" % self.name
@@ -288,6 +288,8 @@ class FieldMatcherPolicy(Policy):
         if self.match_action == FieldMatcherPolicy.MATCH_REGEXP:
             pattern = re.compile(self.value)
             passes = bool(pattern.match(user_field_value))
+        if self.match_action == FieldMatcherPolicy.MATCH_EXACT:
+            passes = user_field_value == self.value
 
         LOGGER.debug("User got '%r'", passes)
         return passes
@@ -391,6 +393,21 @@ class DebugPolicy(Policy):
         verbose_name = _('Debug Policy')
         verbose_name_plural = _('Debug Policies')
 
+class GroupMembershipPolicy(Policy):
+    """Policy to check if the user is member in a certain group"""
+
+    group = models.ForeignKey('Group', on_delete=models.CASCADE)
+
+    form = 'passbook.core.forms.policies.GroupMembershipPolicyForm'
+
+    def passes(self, user: User) -> Union[bool, Tuple[bool, str]]:
+        return self.group.user_set.filter(pk=user.pk).exists()
+
+    class Meta:
+
+        verbose_name = _('Group Membership Policy')
+        verbose_name_plural = _('Group Membership Policies')
+
 class Invitation(UUIDModel):
     """Single-use invitation link"""
 

passbook/core/policies.py

@@ -12,6 +12,8 @@ LOGGER = getLogger(__name__)
 @CELERY_APP.task()
 def _policy_engine_task(user_pk, policy_pk, **kwargs):
     """Task wrapper to run policy checking"""
+    if not user_pk:
+        raise ValueError()
     policy_obj = Policy.objects.filter(pk=policy_pk).select_subclasses().first()
     user_obj = User.objects.get(pk=user_pk)
     for key, value in kwargs.items():
@@ -54,6 +56,8 @@ class PolicyEngine:
 
     def build(self):
         """Build task group"""
+        if not self._user:
+            raise ValueError("User not set.")
         signatures = []
         kwargs = {
             '__password__': getattr(self._user, '__password__', None),
@@ -71,9 +75,15 @@ class PolicyEngine:
     def result(self):
         """Get policy-checking result"""
         messages = []
-        for policy_action, policy_result, policy_message in self._group.get():
+        try:
+            # ValueError can be thrown from _policy_engine_task when user is None
+            group_result = self._group.get()
+        except ValueError as exc:
+            return False, str(exc)
+        for policy_action, policy_result, policy_message in group_result:
             passing = (policy_action == Policy.ACTION_ALLOW and policy_result) or \
                       (policy_action == Policy.ACTION_DENY and not policy_result)
+            LOGGER.debug('Action=%s, Result=%r => %r', policy_action, policy_result, passing)
             if policy_message:
                 messages.append(policy_message)
             if not passing:

passbook/core/settings.py

@@ -47,8 +47,7 @@ SESSION_COOKIE_NAME = 'passbook_session'
 LANGUAGE_COOKIE_NAME = 'passbook_language'
 
 AUTHENTICATION_BACKENDS = [
-    'django.contrib.auth.backends.ModelBackend',
-    'passbook.oauth_client.backends.AuthorizedServiceBackend'
+    'django.contrib.auth.backends.ModelBackend'
 ]
 
 # Application definition
@@ -60,6 +59,7 @@ INSTALLED_APPS = [
     'django.contrib.sessions',
     'django.contrib.messages',
     'django.contrib.staticfiles',
+    'django.contrib.postgres',
     'rest_framework',
     'drf_yasg',
     'raven.contrib.django.raven_compat',

passbook/core/static/css/passbook.css

@@ -21,3 +21,177 @@
 .dynamic-array-widget .remove:hover {
   cursor: pointer;
 }
+
+/* Selector */
+
+.selector {
+    display: flex;
+    width: 100%;
+    height: 45vh;
+}
+
+.selector .selector-filter {
+    display: flex;
+    align-items: center;
+}
+
+.selector .selector-filter label {
+    margin: 0 8px 0 0;
+}
+
+.selector .selector-filter input {
+    width: auto;
+    min-height: 0;
+    flex: 1 1;
+}
+
+.selector-available, .selector-chosen {
+    width: auto;
+    flex: 1 1;
+    display: flex;
+    flex-direction: column;
+}
+
+.selector select {
+    width: 100%;
+    flex: 1 0 auto;
+    margin-bottom: 5px;
+}
+
+.selector ul.selector-chooser {
+    width: 26px;
+    height: 52px;
+    padding: 2px 0;
+    margin: auto 15px;
+    border-radius: 20px;
+    transform: translateY(-10px);
+    list-style: none;
+}
+
+.selector-add, .selector-remove {
+    width: 20px;
+    height: 20px;
+    background-size: 20px auto;
+}
+
+.selector-add {
+    background-position: 0 -120px;
+}
+
+.selector-remove {
+    background-position: 0 -80px;
+}
+
+a.selector-chooseall, a.selector-clearall {
+    align-self: center;
+}
+
+.stacked {
+    flex-direction: column;
+    max-width: 480px;
+}
+
+.stacked > * {
+    flex: 0 1 auto;
+}
+
+.stacked select {
+    margin-bottom: 0;
+}
+
+.stacked .selector-available, .stacked .selector-chosen {
+    width: auto;
+}
+
+.stacked ul.selector-chooser {
+    width: 52px;
+    height: 26px;
+    padding: 0 2px;
+    margin: 15px auto;
+    transform: none;
+}
+
+.stacked .selector-chooser li {
+    padding: 3px;
+}
+
+.stacked .selector-add, .stacked .selector-remove {
+    background-size: 20px auto;
+}
+
+.stacked .selector-add {
+    background-position: 0 -40px;
+}
+
+.stacked .active.selector-add {
+    background-position: 0 -60px;
+}
+
+.stacked .selector-remove {
+    background-position: 0 0;
+}
+
+.stacked .active.selector-remove {
+    background-position: 0 -20px;
+}
+
+.help-tooltip, .selector .help-icon {
+    display: none;
+}
+
+form .form-row p.datetime {
+    width: 100%;
+}
+
+.datetime input {
+    width: 50%;
+    max-width: 120px;
+}
+
+.datetime span {
+    font-size: 13px;
+}
+
+.datetime .timezonewarning {
+    display: block;
+    font-size: 11px;
+    color: #999;
+}
+
+.datetimeshortcuts {
+    color: #ccc;
+}
+
+.inline-group {
+    overflow: auto;
+}
+
+.selector-add, .selector-remove {
+    width: 16px;
+    height: 16px;
+    display: block;
+    text-indent: -3000px;
+    overflow: hidden;
+    cursor: default;
+    opacity: 0.3;
+}
+
+.active.selector-add, .active.selector-remove {
+    opacity: 1;
+}
+
+.active.selector-add:hover, .active.selector-remove:hover {
+    cursor: pointer;
+}
+
+.selector-add {
+    background: url(../admin/img/selector-icons.svg) 0 -96px no-repeat;
+}
+
+.active.selector-add:focus, .active.selector-add:hover {
+    background-position: 0 -112px;
+}
+
+.selector-remove {
+    background: url(../admin/img/selector-icons.svg) 0 -64px no-repeat;
+}

passbook/core/templates/base/skeleton.html

@@ -4,6 +4,7 @@
 
 <!DOCTYPE html>
 <html lang="en">
+
 <head>
   <meta charset="UTF-8">
   <meta name="viewport" content="width=device-width, initial-scale=1">
@@ -27,7 +28,16 @@
   {% block head %}
   {% endblock %}
 </head>
+
 <body {% if is_login %} class="login-pf" {% endif %}>
+  {% if 'impersonate_id' in request.session %}
+  <div class="experimental-pf-bar">
+    <span id="experimentalBar" class="experimental-pf-text">
+      {% blocktrans with user=user %}You're currently impersonating {{ user }}.{% endblocktrans %}
+      <a href="?__unimpersonate=True" id="acceptMessage">{% trans 'Stop impersonation' %}</a>
+    </span>
+  </div>
+  {% endif %}
   {% block body %}
   {% endblock %}
   <script src="{% static 'js/jquery.min.js' %}"></script>
@@ -40,4 +50,5 @@
     {% include 'partials/about_modal.html' %}
   </div>
 </body>
+
 </html>

passbook/core/tests/test_auth_view.py

@@ -0,0 +1,133 @@
+"""passbook Core Authentication Test"""
+import string
+from random import SystemRandom
+
+from django.contrib.auth.models import AnonymousUser
+from django.contrib.sessions.middleware import SessionMiddleware
+from django.test import RequestFactory, TestCase
+from django.urls import reverse
+
+from passbook.core.auth.view import AuthenticationView
+from passbook.core.models import DummyFactor, PasswordFactor, User
+
+
+class TestFactorAuthentication(TestCase):
+    """passbook Core Authentication Test"""
+
+    def setUp(self):
+        super().setUp()
+        self.password = ''.join(SystemRandom().choice(
+            string.ascii_uppercase + string.digits) for _ in range(8))
+        self.factor, _ = PasswordFactor.objects.get_or_create(slug='password', defaults={
+            'name': 'password',
+            'slug': 'password',
+            'order': 0,
+            'backends': ['django.contrib.auth.backends.ModelBackend']
+        })
+        self.user = User.objects.create_user(username='test',
+                                             email='test@test.test',
+                                             password=self.password)
+
+    def test_unauthenticated_raw(self):
+        """test direct call to AuthenticationView"""
+        response = self.client.get(reverse('passbook_core:auth-process'))
+        # Response should be 302 since no pending user is set
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(response.url, reverse('passbook_core:auth-login'))
+
+    def test_unauthenticated_prepared(self):
+        """test direct call but with pending_uesr in session"""
+        request = RequestFactory().get(reverse('passbook_core:auth-process'))
+        request.user = AnonymousUser()
+        request.session = {}
+        request.session[AuthenticationView.SESSION_PENDING_USER] = self.user.pk
+
+        response = AuthenticationView.as_view()(request)
+        self.assertEqual(response.status_code, 200)
+
+    def test_no_factors(self):
+        """Test with all factors disabled"""
+        self.factor.enabled = False
+        self.factor.save()
+        request = RequestFactory().get(reverse('passbook_core:auth-process'))
+        request.user = AnonymousUser()
+        request.session = {}
+        request.session[AuthenticationView.SESSION_PENDING_USER] = self.user.pk
+
+        response = AuthenticationView.as_view()(request)
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(response.url, reverse('passbook_core:auth-denied'))
+        self.factor.enabled = True
+        self.factor.save()
+
+    def test_authenticated(self):
+        """Test with already logged in user"""
+        self.client.force_login(self.user)
+        response = self.client.get(reverse('passbook_core:auth-process'))
+        # Response should be 302 since no pending user is set
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(response.url, reverse('passbook_core:overview'))
+        self.client.logout()
+
+    def test_unauthenticated_post(self):
+        """Test post request as unauthenticated user"""
+        request = RequestFactory().post(reverse('passbook_core:auth-process'), data={
+            'password': self.password
+        })
+        request.user = AnonymousUser()
+        middleware = SessionMiddleware()
+        middleware.process_request(request)
+        request.session.save()
+        request.session[AuthenticationView.SESSION_PENDING_USER] = self.user.pk
+
+        response = AuthenticationView.as_view()(request)
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(response.url, reverse('passbook_core:overview'))
+        self.client.logout()
+
+    def test_unauthenticated_post_invalid(self):
+        """Test post request as unauthenticated user"""
+        request = RequestFactory().post(reverse('passbook_core:auth-process'), data={
+            'password': self.password + 'a'
+        })
+        request.user = AnonymousUser()
+        middleware = SessionMiddleware()
+        middleware.process_request(request)
+        request.session.save()
+        request.session[AuthenticationView.SESSION_PENDING_USER] = self.user.pk
+
+        response = AuthenticationView.as_view()(request)
+        self.assertEqual(response.status_code, 200)
+        self.client.logout()
+
+    def test_multifactor(self):
+        """Test view with multiple active factors"""
+        DummyFactor.objects.get_or_create(name='dummy',
+                                          slug='dummy',
+                                          order=1)
+        request = RequestFactory().post(reverse('passbook_core:auth-process'), data={
+            'password': self.password
+        })
+        request.user = AnonymousUser()
+        middleware = SessionMiddleware()
+        middleware.process_request(request)
+        request.session.save()
+        request.session[AuthenticationView.SESSION_PENDING_USER] = self.user.pk
+
+        response = AuthenticationView.as_view()(request)
+        session_copy = request.session.items()
+        self.assertEqual(response.status_code, 302)
+        # Verify view redirects to itself after auth
+        self.assertEqual(response.url, reverse('passbook_core:auth-process'))
+
+        # Run another request with same session which should result in a logged in user
+        request = RequestFactory().post(reverse('passbook_core:auth-process'))
+        request.user = AnonymousUser()
+        middleware = SessionMiddleware()
+        middleware.process_request(request)
+        for key, value in session_copy:
+            request.session[key] = value
+        request.session.save()
+        response = AuthenticationView.as_view()(request)
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(response.url, reverse('passbook_core:overview'))

passbook/core/views/user.py

@@ -1,6 +1,7 @@
 """passbook core user views"""
 from django.contrib import messages
 from django.contrib.auth import logout, update_session_auth_hash
+from django.contrib.auth.mixins import LoginRequiredMixin
 from django.contrib.messages.views import SuccessMessageMixin
 from django.forms.utils import ErrorList
 from django.shortcuts import redirect, reverse
@@ -13,7 +14,7 @@ from passbook.core.forms.users import PasswordChangeForm, UserDetailForm
 from passbook.lib.config import CONFIG
 
 
-class UserSettingsView(SuccessMessageMixin, UpdateView):
+class UserSettingsView(SuccessMessageMixin, LoginRequiredMixin, UpdateView):
     """Update User settings"""
 
     template_name = 'user/settings.html'
@@ -25,7 +26,8 @@ class UserSettingsView(SuccessMessageMixin, UpdateView):
     def get_object(self):
         return self.request.user
 
-class UserDeleteView(DeleteView):
+
+class UserDeleteView(LoginRequiredMixin, DeleteView):
     """Delete user account"""
 
     template_name = 'generic/delete.html'
@@ -38,7 +40,8 @@ class UserDeleteView(DeleteView):
         logout(self.request)
         return reverse('passbook_core:auth-login')
 
-class UserChangePasswordView(FormView):
+
+class UserChangePasswordView(LoginRequiredMixin, FormView):
     """View for users to update their password"""
 
     form_class = PasswordChangeForm

passbook/core/views/utils.py

@@ -1,5 +1,5 @@
 """passbook core utils view"""
-
+from django.contrib.auth.mixins import LoginRequiredMixin
 from django.utils.translation import ugettext as _
 from django.views.generic import TemplateView
 
@@ -21,7 +21,7 @@ class LoadingView(TemplateView):
         kwargs['target_url'] = self.get_url()
         return super().get_context_data(**kwargs)
 
-class PermissionDeniedView(TemplateView):
+class PermissionDeniedView(LoginRequiredMixin, TemplateView):
     """Generic Permission denied view"""
 
     template_name = 'login/denied.html'

passbook/hibp_policy/__init__.py

@@ -1,2 +1,2 @@
 """passbook hibp_policy"""
-__version__ = '0.1.6-beta'
+__version__ = '0.1.13-beta'

passbook/hibp_policy/forms.py

@@ -1,6 +1,8 @@
 """passbook HaveIBeenPwned Policy forms"""
 
 from django import forms
+from django.contrib.admin.widgets import FilteredSelectMultiple
+from django.utils.translation import gettext as _
 
 from passbook.core.forms.policies import GENERAL_FIELDS
 from passbook.hibp_policy.models import HaveIBeenPwendPolicy
@@ -16,4 +18,5 @@ class HaveIBeenPwnedPolicyForm(forms.ModelForm):
         widgets = {
             'name': forms.TextInput(),
             'order': forms.NumberInput(),
+            'policies': FilteredSelectMultiple(_('policies'), False)
         }

passbook/ldap/__init__.py

@@ -1,2 +1,2 @@
 """Passbook ldap app Header"""
-__version__ = '0.1.6-beta'
+__version__ = '0.1.13-beta'

passbook/ldap/forms.py

@@ -1,10 +1,12 @@
 """passbook LDAP Forms"""
 
 from django import forms
+from django.contrib.admin.widgets import FilteredSelectMultiple
 from django.utils.translation import gettext_lazy as _
 
 from passbook.admin.forms.source import SOURCE_FORM_FIELDS
-from passbook.ldap.models import LDAPSource
+from passbook.core.forms.policies import GENERAL_FIELDS
+from passbook.ldap.models import LDAPGroupMembershipPolicy, LDAPSource
 
 
 class LDAPSourceForm(forms.ModelForm):
@@ -23,6 +25,7 @@ class LDAPSourceForm(forms.ModelForm):
             'bind_password': forms.TextInput(),
             'domain': forms.TextInput(),
             'base_dn': forms.TextInput(),
+            'policies': FilteredSelectMultiple(_('policies'), False)
         }
         labels = {
             'server_uri': _('Server URI'),
@@ -30,58 +33,18 @@ class LDAPSourceForm(forms.ModelForm):
             'base_dn': _('Base DN'),
         }
 
-# class GeneralSettingsForm(SettingsForm):
-#     """general settings form"""
-#     MODE_AUTHENTICATION_BACKEND = 'auth_backend'
-#     MODE_CREATE_USERS = 'create_users'
-#     MODE_CHOICES = (
-#         (MODE_AUTHENTICATION_BACKEND, _('Authentication Backend')),
-#         (MODE_CREATE_USERS, _('Create Users'))
-#     )
 
-#     namespace = 'passbook.ldap'
-#     settings = ['enabled', 'mode']
+class LDAPGroupMembershipPolicyForm(forms.ModelForm):
+    """LDAPGroupMembershipPolicy Form"""
 
-#     widgets = {
-#         'enabled': forms.BooleanField(required=False),
-#         'mode': forms.ChoiceField(widget=forms.RadioSelect, choices=MODE_CHOICES),
-#     }
+    class Meta:
 
-
-# class ConnectionSettings(SettingsForm):
-#     """Connection settings form"""
-
-#     namespace = 'passbook.ldap'
-#     settings = ['server', 'server:tls', 'bind:user', 'bind:password', 'domain']
-
-#     attrs_map = {
-#         'server': {'placeholder': 'dc1.corp.exmaple.com'},
-#         'bind:user': {'placeholder': 'Administrator'},
-#         'domain': {'placeholder': 'corp.example.com'},
-#     }
-
-#     widgets = {
-#         'server:tls': forms.BooleanField(required=False, label=_('Server TLS')),
-#     }
-
-
-# class AuthenticationBackendSettings(SettingsForm):
-#     """Authentication backend settings"""
-
-#     namespace = 'passbook.ldap'
-#     settings = ['base']
-
-#     attrs_map = {
-#         'base': {'placeholder': 'DN in which to search for users'},
-#     }
-
-
-# class CreateUsersSettings(SettingsForm):
-#     """Create users settings"""
-
-#     namespace = 'passbook.ldap'
-#     settings = ['create_base']
-
-#     attrs_map = {
-#         'create_base': {'placeholder': 'DN in which to create users'},
-#     }
+        model = LDAPGroupMembershipPolicy
+        fields = GENERAL_FIELDS + ['dn', ]
+        widgets = {
+            'name': forms.TextInput(),
+            'dn': forms.TextInput(),
+        }
+        labels = {
+            'dn': _('DN')
+        }

passbook/ldap/migrations/0002_ldapgroupmembershippolicy.py

@@ -0,0 +1,28 @@
+# Generated by Django 2.1.7 on 2019-03-10 18:38
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('passbook_core', '0020_groupmembershippolicy'),
+        ('passbook_ldap', '0001_initial'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='LDAPGroupMembershipPolicy',
+            fields=[
+                ('policy_ptr', models.OneToOneField(auto_created=True, on_delete=django.db.models.deletion.CASCADE, parent_link=True, primary_key=True, serialize=False, to='passbook_core.Policy')),
+                ('dn', models.TextField()),
+                ('source', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='passbook_ldap.LDAPSource')),
+            ],
+            options={
+                'verbose_name': 'LDAP Group Membership Policy',
+                'verbose_name_plural': 'LDAP Group Membership Policys',
+            },
+            bases=('passbook_core.policy',),
+        ),
+    ]

passbook/ldap/models.py

@@ -3,7 +3,7 @@
 from django.db import models
 from django.utils.translation import gettext as _
 
-from passbook.core.models import Source
+from passbook.core.models import Policy, Source, User
 
 
 class LDAPSource(Source):
@@ -37,30 +37,19 @@ class LDAPSource(Source):
         verbose_name = _('LDAP Source')
         verbose_name_plural = _('LDAP Sources')
 
+class LDAPGroupMembershipPolicy(Policy):
+    """Policy to check if a user is in a certain LDAP Group"""
 
-# class LDAPModification(UUIDModel, CreatedUpdatedModel):
-#     """Store LDAP Data in DB if LDAP Server is unavailable"""
-#     ACTION_ADD = 'ADD'
-#     ACTION_MODIFY = 'MODIFY'
+    dn = models.TextField()
+    source = models.ForeignKey('LDAPSource', on_delete=models.CASCADE)
 
-#     ACTIONS = (
-#         (ACTION_ADD, 'ADD'),
-#         (ACTION_MODIFY, 'MODIFY'),
-#     )
+    form = 'passbook.ldap.forms.LDAPGroupMembershipPolicyForm'
 
-#     dn = models.CharField(max_length=255)
-#     action = models.CharField(max_length=17, choices=ACTIONS, default=ACTION_MODIFY)
-#     data = JSONField()
+    def passes(self, user: User):
+        """Check if user instance passes this policy"""
+        raise NotImplementedError()
 
-#     def __str__(self):
-#         return "LDAPModification %d from %s" % (self.pk, self.created)
+    class Meta:
 
-
-# class LDAPGroupMapping(UUIDModel, CreatedUpdatedModel):
-#     """Model to map an LDAP Group to a passbook group"""
-
-#     ldap_dn = models.TextField()
-#     group = models.ForeignKey(Group, on_delete=models.CASCADE)
-
-#     def __str__(self):
-#         return "LDAPGroupMapping %s -> %s" % (self.ldap_dn, self.group.name)
+        verbose_name = _('LDAP Group Membership Policy')
+        verbose_name_plural = _('LDAP Group Membership Policys')

passbook/lib/__init__.py

@@ -1,2 +1,2 @@
 """passbook lib"""
-__version__ = '0.1.6-beta'
+__version__ = '0.1.13-beta'

passbook/oauth_client/__init__.py

@@ -1,2 +1,2 @@
 """passbook oauth_client Header"""
-__version__ = '0.1.6-beta'
+__version__ = '0.1.13-beta'

passbook/oauth_client/forms.py

@@ -1,6 +1,7 @@
 """passbook oauth_client forms"""
 
 from django import forms
+from django.contrib.admin.widgets import FilteredSelectMultiple
 from django.utils.translation import gettext as _
 
 from passbook.admin.forms.source import SOURCE_FORM_FIELDS
@@ -29,6 +30,7 @@ class OAuthSourceForm(forms.ModelForm):
             'consumer_key': forms.TextInput(),
             'consumer_secret': forms.TextInput(),
             'provider_type': forms.Select(choices=MANAGER.get_name_tuple()),
+            'policies': FilteredSelectMultiple(_('policies'), False)
         }
         labels = {
             'request_token_url': _('Request Token URL'),

passbook/oauth_provider/__init__.py

@@ -1,2 +1,2 @@
 """passbook oauth_provider Header"""
-__version__ = '0.1.6-beta'
+__version__ = '0.1.13-beta'

passbook/oauth_provider/views/oauth2.py

@@ -2,6 +2,7 @@
 from logging import getLogger
 from urllib.parse import urlencode
 
+from django.contrib.auth.mixins import LoginRequiredMixin
 from django.shortcuts import get_object_or_404, redirect, reverse
 from django.utils.translation import ugettext as _
 from oauth2_provider.views.base import AuthorizationView
@@ -15,7 +16,7 @@ from passbook.oauth_provider.models import OAuth2Provider
 LOGGER = getLogger(__name__)
 
 
-class PassbookAuthorizationLoadingView(LoadingView):
+class PassbookAuthorizationLoadingView(LoginRequiredMixin, LoadingView):
     """Show loading view for permission checks"""
 
     title = _('Checking permissions...')

passbook/otp/__init__.py

@@ -1,2 +1,2 @@
 """passbook otp Header"""
-__version__ = '0.1.6-beta'
+__version__ = '0.1.13-beta'

passbook/otp/forms.py

@@ -1,6 +1,7 @@
 """passbook OTP Forms"""
 
 from django import forms
+from django.contrib.admin.widgets import FilteredSelectMultiple
 from django.core.validators import RegexValidator
 from django.utils.safestring import mark_safe
 from django.utils.translation import ugettext_lazy as _
@@ -63,4 +64,5 @@ class OTPFactorForm(forms.ModelForm):
         widgets = {
             'name': forms.TextInput(),
             'order': forms.NumberInput(),
+            'policies': FilteredSelectMultiple(_('policies'), False)
         }

passbook/password_expiry_policy/__init__.py

@@ -1,2 +1,2 @@
 """passbook password_expiry"""
-__version__ = '0.1.6-beta'
+__version__ = '0.1.13-beta'

passbook/password_expiry_policy/forms.py

@@ -1,6 +1,7 @@
 """passbook PasswordExpiry Policy forms"""
 
 from django import forms
+from django.contrib.admin.widgets import FilteredSelectMultiple
 from django.utils.translation import gettext as _
 
 from passbook.core.forms.policies import GENERAL_FIELDS
@@ -18,6 +19,7 @@ class PasswordExpiryPolicyForm(forms.ModelForm):
             'name': forms.TextInput(),
             'order': forms.NumberInput(),
             'days': forms.NumberInput(),
+            'policies': FilteredSelectMultiple(_('policies'), False)
         }
         labels = {
             'deny_only': _("Only fail the policy, don't set user's password.")

passbook/saml_idp/__init__.py

@@ -1,2 +1,2 @@
 """passbook saml_idp Header"""
-__version__ = '0.1.6-beta'
+__version__ = '0.1.13-beta'

passbook/saml_idp/forms.py

@@ -1,6 +1,8 @@
 """passbook SAML IDP Forms"""
 
 from django import forms
+from django.contrib.admin.widgets import FilteredSelectMultiple
+from django.utils.translation import gettext as _
 
 from passbook.lib.fields import DynamicArrayField
 from passbook.saml_idp.models import (SAMLPropertyMapping, SAMLProvider,
@@ -32,6 +34,7 @@ class SAMLProviderForm(forms.ModelForm):
         widgets = {
             'name': forms.TextInput(),
             'issuer': forms.TextInput(),
+            'property_mappings': FilteredSelectMultiple(_('Property Mappings'), False)
         }
 
 

passbook/saml_idp/templates/saml/idp/login.html

@@ -18,7 +18,7 @@
     <input type="hidden" name="SAMLResponse" value="{{ saml_response }}" />
     <div class="login-group">
         <h3>
-            {% blocktrans with remote=remote.name %}
+            {% blocktrans with remote=remote.application.name %}
             You're about to sign into {{ remote }}
             {% endblocktrans %}
         </h3>

passbook/saml_idp/views.py

@@ -2,13 +2,14 @@
 from logging import getLogger
 
 from django.contrib.auth import logout
-from django.contrib.auth.mixins import LoginRequiredMixin
+from django.contrib.auth.mixins import AccessMixin
 from django.core.exceptions import ValidationError
 from django.core.validators import URLValidator
 from django.http import HttpResponse, HttpResponseBadRequest
 from django.shortcuts import get_object_or_404, redirect, render, reverse
 from django.utils.datastructures import MultiValueDictKeyError
 from django.utils.decorators import method_decorator
+from django.utils.translation import gettext as _
 from django.views import View
 from django.views.decorators.csrf import csrf_exempt
 from signxml.util import strip_pem_header
@@ -45,7 +46,7 @@ def render_xml(request, template, ctx):
     return render(request, template, context=ctx, content_type="application/xml")
 
 
-class ProviderMixin:
+class AccessRequiredView(AccessMixin, View):
     """Mixin class for Views using a provider instance"""
 
     _provider = None
@@ -58,8 +59,24 @@ class ProviderMixin:
             self._provider = get_object_or_404(SAMLProvider, pk=application.provider_id)
         return self._provider
 
+    def _has_access(self):
+        """Check if user has access to application"""
+        policy_engine = PolicyEngine(self.provider.application.policies.all())
+        policy_engine.for_user(self.request.user).with_request(self.request).build()
+        return policy_engine.passing
 
-class LoginBeginView(LoginRequiredMixin, View):
+    def dispatch(self, request, *args, **kwargs):
+        if not request.user.is_authenticated:
+            return self.handle_no_permission()
+        if not self._has_access():
+            return render(request, 'login/denied.html', {
+                'title': _("You don't have access to this application"),
+                'is_login': True
+            })
+        return super().dispatch(request, *args, **kwargs)
+
+
+class LoginBeginView(AccessRequiredView):
     """Receives a SAML 2.0 AuthnRequest from a Service Provider and
     stores it in the session prior to enforcing login."""
 
@@ -82,7 +99,7 @@ class LoginBeginView(LoginRequiredMixin, View):
         }))
 
 
-class RedirectToSPView(LoginRequiredMixin, View):
+class RedirectToSPView(AccessRequiredView):
     """Return autosubmit form"""
 
     def get(self, request, acs_url, saml_response, relay_state):
@@ -96,22 +113,15 @@ class RedirectToSPView(LoginRequiredMixin, View):
         })
 
 
-
-class LoginProcessView(ProviderMixin, LoginRequiredMixin, View):
+class LoginProcessView(AccessRequiredView):
     """Processor-based login continuation.
     Presents a SAML 2.0 Assertion for POSTing back to the Service Provider."""
 
-    def _has_access(self):
-        """Check if user has access to application"""
-        policy_engine = PolicyEngine(self.provider.application.policies.all())
-        policy_engine.for_user(self.request.user).with_request(self.request).build()
-        return policy_engine.passing
-
     def get(self, request, application):
         """Handle get request, i.e. render form"""
         LOGGER.debug("Request: %s", request)
         # Check if user has access
-        if self.provider.application.skip_authorization and self._has_access():
+        if self.provider.application.skip_authorization:
             ctx = self.provider.processor.generate_response()
             # Log Application Authorization
             AuditEntry.create(
@@ -134,7 +144,7 @@ class LoginProcessView(ProviderMixin, LoginRequiredMixin, View):
         """Handle post request, return back to ACS"""
         LOGGER.debug("Request: %s", request)
         # Check if user has access
-        if request.POST.get('ACSUrl', None) and self._has_access():
+        if request.POST.get('ACSUrl', None):
             # User accepted request
             AuditEntry.create(
                 action=AuditEntry.ACTION_AUTHORIZE_APPLICATION,
@@ -153,7 +163,7 @@ class LoginProcessView(ProviderMixin, LoginRequiredMixin, View):
             LOGGER.debug(exc)
 
 
-class LogoutView(CSRFExemptMixin, LoginRequiredMixin, View):
+class LogoutView(CSRFExemptMixin, AccessRequiredView):
     """Allows a non-SAML 2.0 URL to log out the user and
     returns a standard logged-out page. (SalesForce and others use this method,
     though it's technically not SAML 2.0)."""
@@ -174,7 +184,7 @@ class LogoutView(CSRFExemptMixin, LoginRequiredMixin, View):
         return render(request, 'saml/idp/logged_out.html')
 
 
-class SLOLogout(CSRFExemptMixin, LoginRequiredMixin, View):
+class SLOLogout(CSRFExemptMixin, AccessRequiredView):
     """Receives a SAML 2.0 LogoutRequest from a Service Provider,
     logs out the user and returns a standard logged-out page."""
 
@@ -190,7 +200,7 @@ class SLOLogout(CSRFExemptMixin, LoginRequiredMixin, View):
         return render(request, 'saml/idp/logged_out.html')
 
 
-class DescriptorDownloadView(ProviderMixin, View):
+class DescriptorDownloadView(AccessRequiredView):
     """Replies with the XML Metadata IDSSODescriptor."""
 
     def get(self, request, application):
@@ -214,10 +224,10 @@ class DescriptorDownloadView(ProviderMixin, View):
         return response
 
 
-class InitiateLoginView(ProviderMixin, LoginRequiredMixin, View):
+class InitiateLoginView(AccessRequiredView):
     """IdP-initiated Login"""
 
-    def dispatch(self, request, application):
+    def get(self, request, application):
         """Initiates an IdP-initiated link to a simple SP resource/target URL."""
         self.provider.processor.init_deep_link(request, '')
         return _generate_response(request, self.provider)