new release: 0.10.6-stable

* ci: test migration test from last released version to current branch

* ci: fix typo

* ci: remove hyphens

* ci: checkout Build.SourceBranchName

* ci: attempt to fix Build.SourceBranchName

https://github.com/microsoft/azure-pipelines-tasks/issues/8793

* ci: fix duplicate variables entry

* ci: fix quoting for docker jobs

* ci: attempt to access branchName directly

* ci: attempt to extract branch name via sed

* ci: fix escaping for Build.SourceBranch

* ci: different bash substitution

* ci: replace /refs/pulls

* ci: attempt to save previous branch as variable

* ci: fix indent

* ci: try compile-time variables for docker

* ci: always use Build.SourceBranch

* ci: use compile-time template expression

* ci: use Build.SourceBranchName

* ci: attempt to get branch name from System.PullRequest.SourceBranch

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 0.10.0-rc2
+current_version = 0.10.6-stable
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\-(?P<release>.*)
@@ -15,10 +15,10 @@ values =
 	beta
 	stable
 
-[bumpversion:file:README.md]
-
 [bumpversion:file:docs/installation/docker-compose.md]
 
+[bumpversion:file:docs/installation/kubernetes.md]
+
 [bumpversion:file:docker-compose.yml]
 
 [bumpversion:file:helm/values.yaml]
@@ -28,3 +28,5 @@ values =
 [bumpversion:file:.github/workflows/release.yml]
 
 [bumpversion:file:passbook/__init__.py]
+
+[bumpversion:file:proxy/pkg/version.go]

.coveragerc

@@ -1,5 +1,6 @@
 [run]
 source = passbook
+relative_files = true
 omit =
     */asgi.py
     manage.py

.github/workflows/release.yml

@@ -1,6 +1,8 @@
-name: passbook-release
+name: passbook-on-release
+
 on:
-  release
+  release:
+    types: [published, created]
 
 jobs:
   # Build
@@ -16,17 +18,26 @@ jobs:
       - name: Building Docker Image
         run: docker build
           --no-cache
-          -t beryju/passbook:0.10.0-rc2
+          -t beryju/passbook:0.10.6-stable
           -t beryju/passbook:latest
           -f Dockerfile .
       - name: Push Docker Container to Registry (versioned)
-        run: docker push beryju/passbook:0.10.0-rc2
+        run: docker push beryju/passbook:0.10.6-stable
       - name: Push Docker Container to Registry (latest)
         run: docker push beryju/passbook:latest
   build-proxy:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v1
+      - uses: actions/setup-go@v2
+        with:
+          go-version: "^1.15"
+      - name: prepare go api client
+        run: |
+          cd proxy
+          go get -u github.com/go-swagger/go-swagger/cmd/swagger
+          swagger generate client -f ../swagger.yaml -A passbook -t pkg/
+          go build -v .
       - name: Docker Login Registry
         env:
           DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
@@ -37,11 +48,11 @@ jobs:
           cd proxy
           docker build \
           --no-cache \
-          -t beryju/passbook-proxy:0.10.0-rc2 \
+          -t beryju/passbook-proxy:0.10.6-stable \
           -t beryju/passbook-proxy:latest \
           -f Dockerfile .
       - name: Push Docker Container to Registry (versioned)
-        run: docker push beryju/passbook-proxy:0.10.0-rc2
+        run: docker push beryju/passbook-proxy:0.10.6-stable
       - name: Push Docker Container to Registry (latest)
         run: docker push beryju/passbook-proxy:latest
   build-static:
@@ -66,11 +77,11 @@ jobs:
         run: docker build
           --no-cache
           --network=$(docker network ls | grep github | awk '{print $1}')
-          -t beryju/passbook-static:0.10.0-rc2
+          -t beryju/passbook-static:0.10.6-stable
           -t beryju/passbook-static:latest
           -f static.Dockerfile .
       - name: Push Docker Container to Registry (versioned)
-        run: docker push beryju/passbook-static:0.10.0-rc2
+        run: docker push beryju/passbook-static:0.10.6-stable
       - name: Push Docker Container to Registry (latest)
         run: docker push beryju/passbook-static:latest
   test-release:
@@ -82,10 +93,13 @@ jobs:
       - uses: actions/checkout@v1
       - name: Run test suite in final docker images
         run: |
+          sudo apt-get install -y pwgen
+          echo "PG_PASS=$(pwgen 40 1)" >> .env
+          echo "PASSBOOK_SECRET_KEY=$(pwgen 50 1)" >> .env
           docker-compose pull -q
           docker-compose up --no-start
           docker-compose start postgresql redis
-          docker-compose run -u root server bash -c "pip install --no-cache -r requirements-dev.txt && ./manage.py test"
+          docker-compose run -u root --entrypoint /bin/bash server -c "pip install --no-cache -r requirements-dev.txt && ./manage.py test passbook"
   sentry-release:
     needs:
       - test-release
@@ -100,5 +114,5 @@ jobs:
           SENTRY_PROJECT: passbook
           SENTRY_URL: https://sentry.beryju.org
         with:
-          tagName: 0.10.0-rc2
+          tagName: 0.10.6-stable
           environment: beryjuorg-prod

.github/workflows/tag.yml

@@ -1,10 +1,10 @@
+name: passbook-on-tag
+
 on:
   push:
     tags:
     - 'version/*'
 
-name: passbook-version-tag
-
 jobs:
   build:
     name: Create Release from Tag
@@ -13,7 +13,10 @@ jobs:
       - uses: actions/checkout@master
       - name: Pre-release test
         run: |
-          export PASSBOOK_TAG=latest
+          sudo apt-get install -y pwgen
+          echo "PASSBOOK_TAG=latest" >> .env
+          echo "PG_PASS=$(pwgen 40 1)" >> .env
+          echo "PASSBOOK_SECRET_KEY=$(pwgen 50 1)" >> .env
           docker-compose pull -q
           docker build \
             --no-cache \
@@ -21,7 +24,7 @@ jobs:
             -f Dockerfile .
           docker-compose up --no-start
           docker-compose start postgresql redis
-          docker-compose run -u root server bash -c "pip install --no-cache -r requirements-dev.txt && ./manage.py test"
+          docker-compose run -u root --entrypoint /bin/bash server -c "pip install --no-cache -r requirements-dev.txt && ./manage.py test passbook"
       - name: Install Helm
         run: |
           apt update && apt install -y curl
@@ -31,7 +34,7 @@ jobs:
           helm dependency update helm/
           helm package helm/
           mv passbook-*.tgz passbook-chart.tgz
-      - name: Extract verison number
+      - name: Extract version number
         id: get_version
         uses: actions/github-script@0.2.0
         with:
@@ -46,7 +49,7 @@ jobs:
         with:
           tag_name: ${{ github.ref }}
           release_name: Release ${{ steps.get_version.outputs.result }}
-          draft: false
+          draft: true
           prerelease: false
       - name: Upload packaged Helm Chart
         id: upload-release-asset

.pylintrc

@@ -1,9 +1,16 @@
 [MASTER]
 
 disable=arguments-differ,no-self-use,fixme,locally-disabled,too-many-ancestors,too-few-public-methods,import-outside-toplevel,bad-continuation,signature-differs,similarities,cyclic-import
+
 load-plugins=pylint_django,pylint.extensions.bad_builtin
+
 extension-pkg-whitelist=lxml
+
+# Allow constants to be shorter than normal (and lowercase, for settings.py)
 const-rgx=[a-zA-Z0-9_]{1,40}$
+
 ignored-modules=django-otp
-jobs=12
 ignore=migrations
+max-attributes=12
+
+jobs=12

Makefile

@@ -1,7 +1,7 @@
 all: lint-fix lint coverage gen
 
 coverage:
-	coverage run --concurrency=multiprocessing manage.py test passbook --failfast
+	coverage run --concurrency=multiprocessing manage.py test --failfast -v 3
 	coverage combine
 	coverage html
 	coverage report
@@ -18,3 +18,9 @@ lint:
 
 gen: coverage
 	./manage.py generate_swagger -o swagger.yaml -f yaml
+
+local-stack:
+	export PASSBOOK_TAG=testing
+	docker build -t beryju/passbook:testng .
+	docker-compose up -d
+	docker-compose run --rm server migrate

Pipfile

@@ -59,5 +59,6 @@ docker = "*"
 pylint = "*"
 pylint-django = "*"
 selenium = "*"
-unittest-xml-reporting = "*"
 prospector = "*"
+pytest = "*"
+pytest-django = "*"

Pipfile.lock

@@ -1,7 +1,7 @@
 {
     "_meta": {
         "hash": {
-            "sha256": "a798bbd0b97857cac136c1743b8d6ad8bf8c3d95e2760c71d324bb2a7f47f678"
+            "sha256": "80570636236962f4b934a884817292de9f7bb48520aa964afc2959b0f795fb57"
         },
         "pipfile-spec": 6,
         "requires": {
@@ -74,18 +74,18 @@
         },
         "boto3": {
             "hashes": [
-                "sha256:2ab73b0c400ab8c7df84bee7564ef8a0813021da28dd7a05fcbffb77a8ae9de9",
-                "sha256:bb2222fa02fcd09b39e581e532d4f013ea850742d8cd46e9c10a21028b6d2ef5"
+                "sha256:44073b1b1823ffc9edcf9027afbca908dad6bd5000f512ca73f929f6a604ae24",
+                "sha256:888be45e289ba56c4e47cfae5d6b08f097bc981d077fbe6521a6d3dc7a4d757e"
             ],
             "index": "pypi",
-            "version": "==1.14.56"
+            "version": "==1.15.1"
         },
         "botocore": {
             "hashes": [
-                "sha256:37cc3f1013c00dc0f061582198d6b785dadf147bd99307d41c5c0e47debca65c",
-                "sha256:acd2df778a5e12b2a16ac040ce6e91a6c6f2d7ac67bd4f966472ce5c68b5b62d"
+                "sha256:6bdf60281c2e80360fe904851a1a07df3dcfe066fe88dc7fba2b5e626ac05c8c",
+                "sha256:d6bdf51c8880aa9974e6b61d2f7d9d1debe407287e2e9e60f36c789fe8ba6790"
             ],
-            "version": "==1.17.58"
+            "version": "==1.18.1"
         },
         "cachetools": {
             "hashes": [
@@ -111,36 +111,44 @@
         },
         "cffi": {
             "hashes": [
-                "sha256:0da50dcbccd7cb7e6c741ab7912b2eff48e85af217d72b57f80ebc616257125e",
-                "sha256:12a453e03124069b6896107ee133ae3ab04c624bb10683e1ed1c1663df17c13c",
-                "sha256:15419020b0e812b40d96ec9d369b2bc8109cc3295eac6e013d3261343580cc7e",
-                "sha256:15a5f59a4808f82d8ec7364cbace851df591c2d43bc76bcbe5c4543a7ddd1bf1",
-                "sha256:23e44937d7695c27c66a54d793dd4b45889a81b35c0751ba91040fe825ec59c4",
-                "sha256:29c4688ace466a365b85a51dcc5e3c853c1d283f293dfcc12f7a77e498f160d2",
-                "sha256:57214fa5430399dffd54f4be37b56fe22cedb2b98862550d43cc085fb698dc2c",
-                "sha256:577791f948d34d569acb2d1add5831731c59d5a0c50a6d9f629ae1cefd9ca4a0",
-                "sha256:6539314d84c4d36f28d73adc1b45e9f4ee2a89cdc7e5d2b0a6dbacba31906798",
-                "sha256:65867d63f0fd1b500fa343d7798fa64e9e681b594e0a07dc934c13e76ee28fb1",
-                "sha256:672b539db20fef6b03d6f7a14b5825d57c98e4026401fce838849f8de73fe4d4",
-                "sha256:6843db0343e12e3f52cc58430ad559d850a53684f5b352540ca3f1bc56df0731",
-                "sha256:7057613efefd36cacabbdbcef010e0a9c20a88fc07eb3e616019ea1692fa5df4",
-                "sha256:76ada88d62eb24de7051c5157a1a78fd853cca9b91c0713c2e973e4196271d0c",
-                "sha256:837398c2ec00228679513802e3744d1e8e3cb1204aa6ad408b6aff081e99a487",
-                "sha256:8662aabfeab00cea149a3d1c2999b0731e70c6b5bac596d95d13f643e76d3d4e",
-                "sha256:95e9094162fa712f18b4f60896e34b621df99147c2cee216cfa8f022294e8e9f",
-                "sha256:99cc66b33c418cd579c0f03b77b94263c305c389cb0c6972dac420f24b3bf123",
-                "sha256:9b219511d8b64d3fa14261963933be34028ea0e57455baf6781fe399c2c3206c",
-                "sha256:ae8f34d50af2c2154035984b8b5fc5d9ed63f32fe615646ab435b05b132ca91b",
-                "sha256:b9aa9d8818c2e917fa2c105ad538e222a5bce59777133840b93134022a7ce650",
-                "sha256:bf44a9a0141a082e89c90e8d785b212a872db793a0080c20f6ae6e2a0ebf82ad",
-                "sha256:c0b48b98d79cf795b0916c57bebbc6d16bb43b9fc9b8c9f57f4cf05881904c75",
-                "sha256:da9d3c506f43e220336433dffe643fbfa40096d408cb9b7f2477892f369d5f82",
-                "sha256:e4082d832e36e7f9b2278bc774886ca8207346b99f278e54c9de4834f17232f7",
-                "sha256:e4b9b7af398c32e408c00eb4e0d33ced2f9121fd9fb978e6c1b57edd014a7d15",
-                "sha256:e613514a82539fc48291d01933951a13ae93b6b444a88782480be32245ed4afa",
-                "sha256:f5033952def24172e60493b68717792e3aebb387a8d186c43c020d9363ee7281"
+                "sha256:005f2bfe11b6745d726dbb07ace4d53f057de66e336ff92d61b8c7e9c8f4777d",
+                "sha256:09e96138280241bd355cd585148dec04dbbedb4f46128f340d696eaafc82dd7b",
+                "sha256:0b1ad452cc824665ddc682400b62c9e4f5b64736a2ba99110712fdee5f2505c4",
+                "sha256:0ef488305fdce2580c8b2708f22d7785ae222d9825d3094ab073e22e93dfe51f",
+                "sha256:15f351bed09897fbda218e4db5a3d5c06328862f6198d4fb385f3e14e19decb3",
+                "sha256:22399ff4870fb4c7ef19fff6eeb20a8bbf15571913c181c78cb361024d574579",
+                "sha256:23e5d2040367322824605bc29ae8ee9175200b92cb5483ac7d466927a9b3d537",
+                "sha256:2791f68edc5749024b4722500e86303a10d342527e1e3bcac47f35fbd25b764e",
+                "sha256:2f9674623ca39c9ebe38afa3da402e9326c245f0f5ceff0623dccdac15023e05",
+                "sha256:3363e77a6176afb8823b6e06db78c46dbc4c7813b00a41300a4873b6ba63b171",
+                "sha256:33c6cdc071ba5cd6d96769c8969a0531be2d08c2628a0143a10a7dcffa9719ca",
+                "sha256:3b8eaf915ddc0709779889c472e553f0d3e8b7bdf62dab764c8921b09bf94522",
+                "sha256:3cb3e1b9ec43256c4e0f8d2837267a70b0e1ca8c4f456685508ae6106b1f504c",
+                "sha256:3eeeb0405fd145e714f7633a5173318bd88d8bbfc3dd0a5751f8c4f70ae629bc",
+                "sha256:44f60519595eaca110f248e5017363d751b12782a6f2bd6a7041cba275215f5d",
+                "sha256:4d7c26bfc1ea9f92084a1d75e11999e97b62d63128bcc90c3624d07813c52808",
+                "sha256:529c4ed2e10437c205f38f3691a68be66c39197d01062618c55f74294a4a4828",
+                "sha256:6642f15ad963b5092d65aed022d033c77763515fdc07095208f15d3563003869",
+                "sha256:85ba797e1de5b48aa5a8427b6ba62cf69607c18c5d4eb747604b7302f1ec382d",
+                "sha256:8f0f1e499e4000c4c347a124fa6a27d37608ced4fe9f7d45070563b7c4c370c9",
+                "sha256:a624fae282e81ad2e4871bdb767e2c914d0539708c0f078b5b355258293c98b0",
+                "sha256:b0358e6fefc74a16f745afa366acc89f979040e0cbc4eec55ab26ad1f6a9bfbc",
+                "sha256:bbd2f4dfee1079f76943767fce837ade3087b578aeb9f69aec7857d5bf25db15",
+                "sha256:bf39a9e19ce7298f1bd6a9758fa99707e9e5b1ebe5e90f2c3913a47bc548747c",
+                "sha256:c11579638288e53fc94ad60022ff1b67865363e730ee41ad5e6f0a17188b327a",
+                "sha256:c150eaa3dadbb2b5339675b88d4573c1be3cb6f2c33a6c83387e10cc0bf05bd3",
+                "sha256:c53af463f4a40de78c58b8b2710ade243c81cbca641e34debf3396a9640d6ec1",
+                "sha256:cb763ceceae04803adcc4e2d80d611ef201c73da32d8f2722e9d0ab0c7f10768",
+                "sha256:cc75f58cdaf043fe6a7a6c04b3b5a0e694c6a9e24050967747251fb80d7bce0d",
+                "sha256:d80998ed59176e8cba74028762fbd9b9153b9afc71ea118e63bbf5d4d0f9552b",
+                "sha256:de31b5164d44ef4943db155b3e8e17929707cac1e5bd2f363e67a56e3af4af6e",
+                "sha256:e66399cf0fc07de4dce4f588fc25bfe84a6d1285cc544e67987d22663393926d",
+                "sha256:f0620511387790860b249b9241c2f13c3a80e21a73e0b861a2df24e9d6f56730",
+                "sha256:f4eae045e6ab2bb54ca279733fe4eb85f1effda392666308250714e01907f394",
+                "sha256:f92cdecb618e5fa4658aeb97d5eb3d2f47aa94ac6477c6daf0f306c5a3b9e6b1",
+                "sha256:f92f789e4f9241cd262ad7a555ca2c648a98178a953af117ef7fad46aa1d5591"
             ],
-            "version": "==1.14.2"
+            "version": "==1.14.3"
         },
         "channels": {
             "hashes": [
@@ -327,11 +335,11 @@
         },
         "django-storages": {
             "hashes": [
-                "sha256:1e37da57678e6cf1e9914f84099a305323e4e1f261afe54fdb703cae7aa6fbc3",
-                "sha256:36ed8dab33d761954498189592ce005920095fcbc02dab4184eb51393c370991"
+                "sha256:12de8fb2605b9b57bfaf54b075280d7cbb3b3ee1ca4bc9b9add147af87fe3a2c",
+                "sha256:652275ab7844538c462b62810276c0244866f345878256a9e0e86f5b1283ae18"
             ],
             "index": "pypi",
-            "version": "==1.10"
+            "version": "==1.10.1"
         },
         "djangorestframework": {
             "hashes": [
@@ -348,14 +356,6 @@
             "index": "pypi",
             "version": "==0.3.0"
         },
-        "docutils": {
-            "hashes": [
-                "sha256:6c4f696463b79f1fb8ba0c594b63840ebd41f059e92b31957c46b74a4599b6d0",
-                "sha256:9e4d7ecfc600058e07ba661411a2b7de2fd0fafa17d1a7f7361cd47b1175c827",
-                "sha256:a2aeea129088da402665e92e0b25b04b073c04b2dce4ab65caaa38b7ce2e1a99"
-            ],
-            "version": "==0.15.2"
-        },
         "drf-yasg": {
             "hashes": [
                 "sha256:5572e9d5baab9f6b49318169df9789f7399d0e3c7bdac8fdb8dfccf1d5d2b1ca",
@@ -387,10 +387,10 @@
         },
         "google-auth": {
             "hashes": [
-                "sha256:bcbd9f970e7144fe933908aa286d7a12c44b7deb6d78a76871f0377a29d09789",
-                "sha256:f4d5093f13b1b1c0a434ab1dc851cd26a983f86a4d75c95239974e33ed406a87"
+                "sha256:7084c50c03f7a8a5696ef4500e65df0c525a0f6909f3c70b9ee65900a230c755",
+                "sha256:dcf86c5adc3a8a7659be190b12bb8912ae019cfd9ee2a571ea881e289fafbe39"
             ],
-            "version": "==1.21.1"
+            "version": "==1.21.2"
         },
         "gunicorn": {
             "hashes": [
@@ -749,20 +749,25 @@
                 "sha256:54bdedd28476dea8a3cd86cb67c0df1f0e3d71cae8022354b0f879c41a3d27b2",
                 "sha256:55eb61aca2c883db770999f50d091ff7c14016f2769ad7bca3d9b75d1d7c1b68",
                 "sha256:6276478ada411aca97c0d5104916354b3d740d368407912722bd4d11aa9ee4c2",
+                "sha256:663f8de2b3df2e744d6e1610506e0ea4e213bde906795953c1e82279c169f0a7",
                 "sha256:67dcad1b8b201308586a8ca2ffe89df1e4f731d5a4cdd0610cc4ea790351c739",
                 "sha256:709b9f144d23e290b9863121d1ace14a72e01f66ea9c903fbdc690520dfdfcf0",
                 "sha256:8063a712fba642f78d3c506b0896846601b6de7f5c3d534e388ad0cc07f5a149",
                 "sha256:80d57177a0b7c14d4594c62bbb47fe2f6309ad3b0a34348a291d570925c97a82",
+                "sha256:87006cf0d81505408f1ae4f55cf8a5d95a8e029a4793360720ae17c6500f7ecc",
+                "sha256:9f62d21bc693f3d7d444f17ed2ad7a913b4c37c15cd807895d013c39c0517dfd",
                 "sha256:a207231a52426de3ff20f5608f0687261a3329d97a036c51f7d4c606a6f30c23",
                 "sha256:abc2e126c9490e58a36a0f83516479e781d83adfb134576a5cbe5c6af2a3e93c",
                 "sha256:b56638d58a3a4be13229c6a815cd448f9e3ce40c00880a5398471b42ee86f50e",
                 "sha256:bcd5b8416e73e4b0d48afba3704d8c826414764dafaed7a1a93c442188d90ccc",
                 "sha256:bec2bcdf7c9ce7f04d718e51887f3b05dc5c1cfaf5d2c2e9065ecddd1b2f6c9a",
                 "sha256:c8bf40cf6e281a4378e25846924327e728a887e8bf0ee83b2604a0f4b61692e8",
+                "sha256:cecbf67e81d6144a50dc615629772859463b2e4f815d0c082fa421db362f040e",
                 "sha256:d8074c8448cfd0705dfa71ca333277fce9786d0b9cac75d120545de6253f996a",
                 "sha256:dd302b6ae3965afeb5ef1b0d92486f986c0e65183cd7835973f0b593800590e6",
                 "sha256:de6e1cd75677423ff64712c337521e62e3a7a4fc84caabbd93207752e831a85a",
                 "sha256:ef39c98d9b8c0736d91937d193653e47c3b19ddf4fc3bccdc5e09aaa4b0c5d21",
+                "sha256:f2e045224074d5664dc9cbabbf4f4d4d46f1ee90f24780e3a9a668fd096ff17f",
                 "sha256:f521178e5a991ffd04182ed08f552daca1affcb826aeda0e1945cd989a9d4345",
                 "sha256:f78a68c2c820e4731e510a2df3eef0322f24fde1781ced970bf497b6c7d92982",
                 "sha256:fbe65d5cfe04ff2f7684160d50f5118bdefb01e3af4718eeb618bfed40f19d94"
@@ -835,9 +840,9 @@
         },
         "pyrsistent": {
             "hashes": [
-                "sha256:27515d2d5db0629c7dadf6fbe76973eb56f098c1b01d36de42eb69220d2c19e4"
+                "sha256:2e636185d9eb976a18a8a8e96efce62f2905fea90041958d8cc2a189756ebf3e"
             ],
-            "version": "==0.17.2"
+            "version": "==0.17.3"
         },
         "python-dateutil": {
             "hashes": [
@@ -952,11 +957,11 @@
         },
         "sentry-sdk": {
             "hashes": [
-                "sha256:97bff68e57402ad39674e6fe2545df0d5eea41c3d51e280c170761705c8c20ff",
-                "sha256:a16caf9ce892623081cbb9a95f6c1f892778bb123909b0ed7afdfb52ce7a58a1"
+                "sha256:1a086486ff9da15791f294f6e9915eb3747d161ef64dee2d038a4d0b4a369b24",
+                "sha256:45486deb031cea6bbb25a540d7adb4dd48cd8a1cc31e6a5ce9fb4f792a572e9a"
             ],
             "index": "pypi",
-            "version": "==0.17.4"
+            "version": "==0.17.6"
         },
         "service-identity": {
             "hashes": [
@@ -1269,43 +1274,43 @@
         },
         "coverage": {
             "hashes": [
-                "sha256:098a703d913be6fbd146a8c50cc76513d726b022d170e5e98dc56d958fd592fb",
-                "sha256:16042dc7f8e632e0dcd5206a5095ebd18cb1d005f4c89694f7f8aafd96dd43a3",
-                "sha256:1adb6be0dcef0cf9434619d3b892772fdb48e793300f9d762e480e043bd8e716",
-                "sha256:27ca5a2bc04d68f0776f2cdcb8bbd508bbe430a7bf9c02315cd05fb1d86d0034",
-                "sha256:28f42dc5172ebdc32622a2c3f7ead1b836cdbf253569ae5673f499e35db0bac3",
-                "sha256:2fcc8b58953d74d199a1a4d633df8146f0ac36c4e720b4a1997e9b6327af43a8",
-                "sha256:304fbe451698373dc6653772c72c5d5e883a4aadaf20343592a7abb2e643dae0",
-                "sha256:30bc103587e0d3df9e52cd9da1dd915265a22fad0b72afe54daf840c984b564f",
-                "sha256:40f70f81be4d34f8d491e55936904db5c527b0711b2a46513641a5729783c2e4",
-                "sha256:4186fc95c9febeab5681bc3248553d5ec8c2999b8424d4fc3a39c9cba5796962",
-                "sha256:46794c815e56f1431c66d81943fa90721bb858375fb36e5903697d5eef88627d",
-                "sha256:4869ab1c1ed33953bb2433ce7b894a28d724b7aa76c19b11e2878034a4e4680b",
-                "sha256:4f6428b55d2916a69f8d6453e48a505c07b2245653b0aa9f0dee38785939f5e4",
-                "sha256:52f185ffd3291196dc1aae506b42e178a592b0b60a8610b108e6ad892cfc1bb3",
-                "sha256:538f2fd5eb64366f37c97fdb3077d665fa946d2b6d95447622292f38407f9258",
-                "sha256:64c4f340338c68c463f1b56e3f2f0423f7b17ba6c3febae80b81f0e093077f59",
-                "sha256:675192fca634f0df69af3493a48224f211f8db4e84452b08d5fcebb9167adb01",
-                "sha256:700997b77cfab016533b3e7dbc03b71d33ee4df1d79f2463a318ca0263fc29dd",
-                "sha256:8505e614c983834239f865da2dd336dcf9d72776b951d5dfa5ac36b987726e1b",
-                "sha256:962c44070c281d86398aeb8f64e1bf37816a4dfc6f4c0f114756b14fc575621d",
-                "sha256:9e536783a5acee79a9b308be97d3952b662748c4037b6a24cbb339dc7ed8eb89",
-                "sha256:9ea749fd447ce7fb1ac71f7616371f04054d969d412d37611716721931e36efd",
-                "sha256:a34cb28e0747ea15e82d13e14de606747e9e484fb28d63c999483f5d5188e89b",
-                "sha256:a3ee9c793ffefe2944d3a2bd928a0e436cd0ac2d9e3723152d6fd5398838ce7d",
-                "sha256:aab75d99f3f2874733946a7648ce87a50019eb90baef931698f96b76b6769a46",
-                "sha256:b1ed2bdb27b4c9fc87058a1cb751c4df8752002143ed393899edb82b131e0546",
-                "sha256:b360d8fd88d2bad01cb953d81fd2edd4be539df7bfec41e8753fe9f4456a5082",
-                "sha256:b8f58c7db64d8f27078cbf2a4391af6aa4e4767cc08b37555c4ae064b8558d9b",
-                "sha256:c1bbb628ed5192124889b51204de27c575b3ffc05a5a91307e7640eff1d48da4",
-                "sha256:c2ff24df02a125b7b346c4c9078c8936da06964cc2d276292c357d64378158f8",
-                "sha256:c890728a93fffd0407d7d37c1e6083ff3f9f211c83b4316fae3778417eab9811",
-                "sha256:c96472b8ca5dc135fb0aa62f79b033f02aa434fb03a8b190600a5ae4102df1fd",
-                "sha256:ce7866f29d3025b5b34c2e944e66ebef0d92e4a4f2463f7266daa03a1332a651",
-                "sha256:e26c993bd4b220429d4ec8c1468eca445a4064a61c74ca08da7429af9bc53bb0"
+                "sha256:0203acd33d2298e19b57451ebb0bed0ab0c602e5cf5a818591b4918b1f97d516",
+                "sha256:0f313707cdecd5cd3e217fc68c78a960b616604b559e9ea60cc16795c4304259",
+                "sha256:1c6703094c81fa55b816f5ae542c6ffc625fec769f22b053adb42ad712d086c9",
+                "sha256:1d44bb3a652fed01f1f2c10d5477956116e9b391320c94d36c6bf13b088a1097",
+                "sha256:280baa8ec489c4f542f8940f9c4c2181f0306a8ee1a54eceba071a449fb870a0",
+                "sha256:29a6272fec10623fcbe158fdf9abc7a5fa032048ac1d8631f14b50fbfc10d17f",
+                "sha256:2b31f46bf7b31e6aa690d4c7a3d51bb262438c6dcb0d528adde446531d0d3bb7",
+                "sha256:2d43af2be93ffbad25dd959899b5b809618a496926146ce98ee0b23683f8c51c",
+                "sha256:381ead10b9b9af5f64646cd27107fb27b614ee7040bb1226f9c07ba96625cbb5",
+                "sha256:47a11bdbd8ada9b7ee628596f9d97fbd3851bd9999d398e9436bd67376dbece7",
+                "sha256:4d6a42744139a7fa5b46a264874a781e8694bb32f1d76d8137b68138686f1729",
+                "sha256:50691e744714856f03a86df3e2bff847c2acede4c191f9a1da38f088df342978",
+                "sha256:530cc8aaf11cc2ac7430f3614b04645662ef20c348dce4167c22d99bec3480e9",
+                "sha256:582ddfbe712025448206a5bc45855d16c2e491c2dd102ee9a2841418ac1c629f",
+                "sha256:63808c30b41f3bbf65e29f7280bf793c79f54fb807057de7e5238ffc7cc4d7b9",
+                "sha256:71b69bd716698fa62cd97137d6f2fdf49f534decb23a2c6fc80813e8b7be6822",
+                "sha256:7858847f2d84bf6e64c7f66498e851c54de8ea06a6f96a32a1d192d846734418",
+                "sha256:78e93cc3571fd928a39c0b26767c986188a4118edc67bc0695bc7a284da22e82",
+                "sha256:7f43286f13d91a34fadf61ae252a51a130223c52bfefb50310d5b2deb062cf0f",
+                "sha256:86e9f8cd4b0cdd57b4ae71a9c186717daa4c5a99f3238a8723f416256e0b064d",
+                "sha256:8f264ba2701b8c9f815b272ad568d555ef98dfe1576802ab3149c3629a9f2221",
+                "sha256:9342dd70a1e151684727c9c91ea003b2fb33523bf19385d4554f7897ca0141d4",
+                "sha256:9361de40701666b034c59ad9e317bae95c973b9ff92513dd0eced11c6adf2e21",
+                "sha256:9669179786254a2e7e57f0ecf224e978471491d660aaca833f845b72a2df3709",
+                "sha256:aac1ba0a253e17889550ddb1b60a2063f7474155465577caa2a3b131224cfd54",
+                "sha256:aef72eae10b5e3116bac6957de1df4d75909fc76d1499a53fb6387434b6bcd8d",
+                "sha256:bd3166bb3b111e76a4f8e2980fa1addf2920a4ca9b2b8ca36a3bc3dedc618270",
+                "sha256:c1b78fb9700fc961f53386ad2fd86d87091e06ede5d118b8a50dea285a071c24",
+                "sha256:c3888a051226e676e383de03bf49eb633cd39fc829516e5334e69b8d81aae751",
+                "sha256:c5f17ad25d2c1286436761b462e22b5020d83316f8e8fcb5deb2b3151f8f1d3a",
+                "sha256:c851b35fc078389bc16b915a0a7c1d5923e12e2c5aeec58c52f4aa8085ac8237",
+                "sha256:cb7df71de0af56000115eafd000b867d1261f786b5eebd88a0ca6360cccfaca7",
+                "sha256:cedb2f9e1f990918ea061f28a0f0077a07702e3819602d3507e2ff98c8d20636",
+                "sha256:e8caf961e1b1a945db76f1b5fa9c91498d15f545ac0ababbe575cfab185d3bd8"
             ],
             "index": "pypi",
-            "version": "==5.2.1"
+            "version": "==5.3"
         },
         "django": {
             "hashes": [
@@ -1317,11 +1322,11 @@
         },
         "django-debug-toolbar": {
             "hashes": [
-                "sha256:eabbefe89881bbe4ca7c980ff102e3c35c8e8ad6eb725041f538988f2f39a943",
-                "sha256:ff94725e7aae74b133d0599b9bf89bd4eb8f5d2c964106e61d11750228c8774c"
+                "sha256:23129b4f771605c7ccf8733cc53558a68c5d463d60cdc83408d34b713acf4f5f",
+                "sha256:7c9bf93eabb1e745fe1fca830242d49f3c839d35163e5b53914009ed111209b1"
             ],
             "index": "pypi",
-            "version": "==2.2"
+            "version": "==3.0"
         },
         "docker": {
             "hashes": [
@@ -1373,6 +1378,13 @@
             ],
             "version": "==2.10"
         },
+        "iniconfig": {
+            "hashes": [
+                "sha256:80cf40c597eb564e86346103f609d74efce0f6b4d4f30ec8ce9e2c26411ba437",
+                "sha256:e5f92f89355a67de0595932a6c6c02ab4afddc6fcdc0bfc5becd0d60884d3f69"
+            ],
+            "version": "==1.0.1"
+        },
         "isort": {
             "hashes": [
                 "sha256:54da7e92468955c4fceacd0c86bd0ec997b0e1ee80d97f67c35a78b719dccab1",
@@ -1413,6 +1425,21 @@
             ],
             "version": "==0.6.1"
         },
+        "more-itertools": {
+            "hashes": [
+                "sha256:6f83822ae94818eae2612063a5101a7311e68ae8002005b5e05f03fd74a86a20",
+                "sha256:9b30f12df9393f0d28af9210ff8efe48d10c94f73e5daf886f10c4b0b0b4f03c"
+            ],
+            "version": "==8.5.0"
+        },
+        "packaging": {
+            "hashes": [
+                "sha256:4357f74f47b9c12db93624a82154e9b120fa8293699949152b22065d556079f8",
+                "sha256:998416ba6962ae7fbd6596850b80e17859a5753ba17c32284f67bfff33784181"
+            ],
+            "index": "pypi",
+            "version": "==20.4"
+        },
         "pathspec": {
             "hashes": [
                 "sha256:7d91249d21749788d07a2d0f94147accd8f845507400749ea19c1ec9054a12b0",
@@ -1434,6 +1461,13 @@
             ],
             "version": "==0.10.0"
         },
+        "pluggy": {
+            "hashes": [
+                "sha256:15b2acde666561e1298d71b523007ed7364de07029219b604cf808bfa1c765b0",
+                "sha256:966c145cd83c96502c3c3868f50408687b38434af77734af1e9ca461a4081d2d"
+            ],
+            "version": "==0.13.1"
+        },
         "prospector": {
             "hashes": [
                 "sha256:43e5e187c027336b0e4c4aa6a82d66d3b923b5ec5b51968126132e32f9d14a2f"
@@ -1441,6 +1475,13 @@
             "index": "pypi",
             "version": "==1.3.0"
         },
+        "py": {
+            "hashes": [
+                "sha256:366389d1db726cd2fcfc79732e75410e5fe4d31db13692115529d34069a043c2",
+                "sha256:9ca6883ce56b4e8da7e79ac18787889fa5206c79dcc67fb065376cd2fe03f342"
+            ],
+            "version": "==1.9.0"
+        },
         "pycodestyle": {
             "hashes": [
                 "sha256:2295e7b2f6b5bd100585ebcb1f616591b652db8a741695b3d8f5d28bdc934367",
@@ -1497,6 +1538,29 @@
             ],
             "version": "==0.6"
         },
+        "pyparsing": {
+            "hashes": [
+                "sha256:c203ec8783bf771a155b207279b9bccb8dea02d8f0c9e5f8ead507bc3246ecc1",
+                "sha256:ef9d7589ef3c200abe66653d3f1ab1033c3c419ae9b9bdb1240a85b024efc88b"
+            ],
+            "version": "==2.4.7"
+        },
+        "pytest": {
+            "hashes": [
+                "sha256:0e37f61339c4578776e090c3b8f6b16ce4db333889d65d0efb305243ec544b40",
+                "sha256:c8f57c2a30983f469bf03e68cdfa74dc474ce56b8f280ddcb080dfd91df01043"
+            ],
+            "index": "pypi",
+            "version": "==6.0.2"
+        },
+        "pytest-django": {
+            "hashes": [
+                "sha256:4de6dbd077ed8606616958f77655fed0d5e3ee45159475671c7fa67596c6dba6",
+                "sha256:c33e3d3da14d8409b125d825d4e74da17bb252191bf6fc3da6856e27a8b73ea4"
+            ],
+            "index": "pypi",
+            "version": "==3.10.0"
+        },
         "pytz": {
             "hashes": [
                 "sha256:a494d53b6d39c3c6e44c3bec237336e14305e4f29bbf800b599253057fbb79ed",
@@ -1604,10 +1668,10 @@
         },
         "stevedore": {
             "hashes": [
-                "sha256:a34086819e2c7a7f86d5635363632829dab8014e5fd7be2454c7cba84ac7514e",
-                "sha256:ddc09a744dc224c84ec8e8efcb70595042d21c97c76df60daee64c9ad53bc7ee"
+                "sha256:5e1ab03eaae06ef6ce23859402de785f08d97780ed774948ef16c4652c41bc62",
+                "sha256:f845868b3a3a77a2489d226568abe7328b5c2d4f6a011cc759dfa99144a521f0"
             ],
-            "version": "==3.2.1"
+            "version": "==3.2.2"
         },
         "toml": {
             "hashes": [
@@ -1642,14 +1706,6 @@
             ],
             "version": "==1.4.1"
         },
-        "unittest-xml-reporting": {
-            "hashes": [
-                "sha256:7bf515ea8cb244255a25100cd29db611a73f8d3d0aaf672ed3266307e14cc1ca",
-                "sha256:984cebba69e889401bfe3adb9088ca376b3a1f923f0590d005126c1bffd1a695"
-            ],
-            "index": "pypi",
-            "version": "==3.0.4"
-        },
         "urllib3": {
             "extras": [
                 "secure"

README.md

@@ -1,4 +1,4 @@
-<img src="passbook/static/static/passbook/logo.svg" height="50" alt="passbook logo"><img src="passbook/static/static/passbook/brand_inverted.svg" height="50" alt="passbook">
+<img src="docs/images/logo.svg" height="50" alt="passbook logo"><img src="docs/images/brand_inverted.svg" height="50" alt="passbook">
 
 [![CI Build status](https://img.shields.io/azure-devops/build/beryjuorg/passbook/1?style=flat-square)](https://dev.azure.com/beryjuorg/passbook/_build?definitionId=1)
 ![Tests](https://img.shields.io/azure-devops/tests/beryjuorg/passbook/1?compact_message&style=flat-square)
@@ -13,20 +13,7 @@ passbook is an open-source Identity Provider focused on flexibility and versatil
 
 ## Installation
 
-For small/test setups it is recommended to use docker-compose.
-
-```
-wget https://raw.githubusercontent.com/BeryJu/passbook/master/docker-compose.yml
-# Optionally enable Error-reporting
-# export PASSBOOK_ERROR_REPORTING=true
-# Optionally deploy a different version
-# export PASSBOOK_TAG=0.10.0-rc2
-# If this is a productive installation, set a different PostgreSQL Password
-# export PG_PASS=$(pwgen 40 1)
-docker-compose pull
-docker-compose up -d
-docker-compose run --rm server migrate
-```
+For small/test setups it is recommended to use docker-compose, see the [documentation](https://passbook.beryju.org/installation/docker-compose/)
 
 For bigger setups, there is a Helm Chart in the `helm/` directory. This is documented [here](https://passbook.beryju.org//installation/kubernetes/)
 

SECURITY.md

@@ -6,7 +6,8 @@ As passbook is currently in a pre-stable, only the latest "stable" version is su
 
 | Version  | Supported          |
 | -------- | ------------------ |
-| 0.8.15   | :white_check_mark: |
+| 0.9.x    | :white_check_mark: |
+| 0.10.x   | :white_check_mark: |
 
 ## Reporting a Vulnerability
 

azure-pipelines.yml

@@ -8,6 +8,10 @@ variables:
   POSTGRES_DB: passbook
   POSTGRES_USER: passbook
   POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
+  ${{ if startsWith(variables['Build.SourceBranch'], 'refs/heads/') }}:
+    branchName: ${{ replace(variables['Build.SourceBranchName'], 'refs/heads/', '') }}
+  ${{ if startsWith(variables['Build.SourceBranch'], 'refs/pull/') }}:
+    branchName: ${{ replace(variables['System.PullRequest.SourceBranch'], 'refs/heads/', '') }}
 
 stages:
   - stage: Lint
@@ -117,6 +121,41 @@ stages:
           - task: CmdLine@2
             inputs:
               script: pipenv run ./manage.py migrate
+      - job: migrations_from_previous_release
+        pool:
+          vmImage: 'ubuntu-latest'
+        steps:
+          - task: UsePythonVersion@0
+            inputs:
+              versionSpec: '3.8'
+          - task: DockerCompose@0
+            displayName: Run services
+            inputs:
+              dockerComposeFile: 'scripts/ci.docker-compose.yml'
+              action: 'Run services'
+              buildImages: false
+          - task: CmdLine@2
+            displayName: Prepare Last tagged release
+            inputs:
+              script: |
+                git checkout $(git describe --abbrev=0 --match 'version/*')
+                sudo pip install -U wheel pipenv
+                pipenv install --dev
+          - task: CmdLine@2
+            displayName: Migrate to last tagged release
+            inputs:
+              script: pipenv run ./manage.py migrate
+          - task: CmdLine@2
+            displayName: Install current branch
+            inputs:
+              script: |
+                set -x
+                git checkout ${{ variables.branchName }}
+                pipenv sync --dev
+          - task: CmdLine@2
+            displayName: Migrate to current branch
+            inputs:
+              script: pipenv run ./manage.py migrate
       - job: coverage_unittest
         pool:
           vmImage: 'ubuntu-latest'
@@ -139,7 +178,7 @@ stages:
             displayName: Run full test suite
             inputs:
               script: |
-                pipenv run coverage run ./manage.py test passbook
+                pipenv run coverage run ./manage.py test passbook -v 3
                 mkdir output-unittest
                 mv unittest.xml output-unittest/unittest.xml
                 mv .coverage output-unittest/coverage
@@ -150,7 +189,7 @@ stages:
               publishLocation: 'pipeline'
       - job: coverage_e2e
         pool:
-          vmImage: 'ubuntu-latest'
+          name: coventry
         steps:
           - task: UsePythonVersion@0
             inputs:
@@ -181,7 +220,14 @@ stages:
           - task: CmdLine@2
             displayName: Run full test suite
             inputs:
-              script: pipenv run coverage run ./manage.py test e2e
+              script: |
+                pipenv run coverage run ./manage.py test e2e -v 3
+          - task: CmdLine@2
+            condition: always()
+            displayName: Cleanup
+            inputs:
+              script: |
+                docker stop $(docker ps -aq)
           - task: CmdLine@2
             displayName: Prepare unittests and coverage for upload
             inputs:
@@ -225,11 +271,9 @@ stages:
               script: |
                 sudo pip install -U wheel pipenv
                 pipenv install --dev
-                find .
                 pipenv run coverage combine coverage-e2e/coverage coverage-unittest/coverage
                 pipenv run coverage xml
                 pipenv run coverage html
-                find .
           - task: PublishCodeCoverageResults@1
             inputs:
               codeCoverageTool: 'Cobertura'
@@ -260,7 +304,7 @@ stages:
             repository: 'beryju/passbook'
             command: 'buildAndPush'
             Dockerfile: 'Dockerfile'
-            tags: 'gh-$(Build.SourceBranchName)'
+            tags: "gh-${{ variables.branchName }}"
       - job: build_static
         pool:
           vmImage: 'ubuntu-latest'
@@ -277,14 +321,14 @@ stages:
             repository: 'beryju/passbook-static'
             command: 'build'
             Dockerfile: 'static.Dockerfile'
-            tags: 'gh-$(Build.SourceBranchName)'
+            tags: "gh-${{ variables.branchName }}"
             arguments: "--network=beryjupassbook_default"
         - task: Docker@2
           inputs:
             containerRegistry: 'dockerhub'
             repository: 'beryju/passbook-static'
             command: 'push'
-            tags: 'gh-$(Build.SourceBranchName)'
+            tags: "gh-${{ variables.branchName }}"
   - stage: Deploy
     jobs:
       - job: deploy_dev

docker-compose.yml

@@ -14,6 +14,8 @@ services:
       - POSTGRES_DB=passbook
     labels:
       - traefik.enable=false
+    env_file:
+      - .env
   redis:
     image: redis
     networks:
@@ -21,13 +23,12 @@ services:
     labels:
       - traefik.enable=false
   server:
-    image: beryju/passbook:${PASSBOOK_TAG:-0.10.0-rc2}
+    image: beryju/passbook:${PASSBOOK_TAG:-0.10.6-stable}
     command: server
     environment:
       PASSBOOK_REDIS__HOST: redis
-      PASSBOOK_ERROR_REPORTING: ${PASSBOOK_ERROR_REPORTING:-false}
       PASSBOOK_POSTGRESQL__HOST: postgresql
-      PASSBOOK_POSTGRESQL__PASSWORD: ${PG_PASS:-thisisnotagoodpassword}
+      PASSBOOK_POSTGRESQL__PASSWORD: ${PG_PASS}
       PASSBOOK_LOG_LEVEL: debug
     ports:
       - 8000
@@ -37,8 +38,10 @@ services:
       - traefik.port=8000
       - traefik.docker.network=internal
       - traefik.frontend.rule=PathPrefix:/
+    env_file:
+      - .env
   worker:
-    image: beryju/passbook:${PASSBOOK_TAG:-0.10.0-rc2}
+    image: beryju/passbook:${PASSBOOK_TAG:-0.10.6-stable}
     command: worker
     networks:
       - internal
@@ -46,12 +49,13 @@ services:
       - traefik.enable=false
     environment:
       PASSBOOK_REDIS__HOST: redis
-      PASSBOOK_ERROR_REPORTING: ${PASSBOOK_ERROR_REPORTING:-false}
       PASSBOOK_POSTGRESQL__HOST: postgresql
-      PASSBOOK_POSTGRESQL__PASSWORD: ${PG_PASS:-thisisnotagoodpassword}
+      PASSBOOK_POSTGRESQL__PASSWORD: ${PG_PASS}
       PASSBOOK_LOG_LEVEL: debug
+    env_file:
+      - .env
   static:
-    image: beryju/passbook-static:0.10.0-rc2
+    image: beryju/passbook-static:${PASSBOOK_TAG:-0.10.6-stable}
     networks:
       - internal
     labels:

docs/flow/examples/enrollment-email-verification.json

@@ -84,15 +84,6 @@
             }
         },
         {
-            "identifiers": {
-                "pk": "9922212c-47a2-475a-9905-abeb5e621652"
-            },
-            "model": "passbook_policies_expression.expressionpolicy",
-            "attrs": {
-                "name": "policy-enrollment-password-equals",
-                "expression": "# Verifies that the passwords are equal\r\nreturn request.context['password'] == request.context['password_repeat']"
-            }
-        },{
             "identifiers": {
                 "pk": "096e6282-6b30-4695-bd03-3b143eab5580",
                 "name": "default-enrollment-email-verficiation"
@@ -135,9 +126,6 @@
                     "cb954fd4-65a5-4ad9-b1ee-180ee9559cf4",
                     "7db91ee8-4290-4e08-8d39-63f132402515",
                     "d30b5eb4-7787-4072-b1ba-65b46e928920"
-                ],
-                "validation_policies": [
-                    "9922212c-47a2-475a-9905-abeb5e621652"
                 ]
             }
         },

docs/flow/examples/recovery-email-verification.json

@@ -55,16 +55,6 @@
                 "order": 1
             }
         },
-        {
-            "identifiers": {
-                "pk": "cd042fc6-cc92-4b98-b7e6-f4729df798d8"
-            },
-            "model": "passbook_policies_expression.expressionpolicy",
-            "attrs": {
-                "name": "default-password-change-password-equal",
-                "expression": "# Check that both passwords are equal.\nreturn request.context['password'] == request.context['password_repeat']"
-            }
-        },
         {
             "identifiers": {
                 "pk": "e54045a7-6ecb-4ad9-ad37-28e72d8e565e",
@@ -118,9 +108,6 @@
                 "fields": [
                     "7db91ee8-4290-4e08-8d39-63f132402515",
                     "d30b5eb4-7787-4072-b1ba-65b46e928920"
-                ],
-                "validation_policies": [
-                    "cd042fc6-cc92-4b98-b7e6-f4729df798d8"
                 ]
             }
         },

docs/flow/flows.md

@@ -39,7 +39,6 @@ This designates a flow for unenrollment. This flow can contain any amount of ver
 This designates a flow for recovery. This flow normally contains an [**identification**](stages/identification/index.md) stage to find the user. It can also contain any amount of verification stages, such as [**email**](stages/email/index.md) or [**captcha**](stages/captcha/index.md).
 Afterwards, use the [**prompt**](stages/prompt/index.md) stage to ask the user for a new password and the [**user_write**](stages/user_write.md) stage to update the password.
 
-### Change Password
+### Setup
 
-This designates a flow for password changes. This flow can contain any amount of verification stages, such as [**email**](stages/email/index.md) or [**captcha**](stages/captcha/index.md).
-Afterwards, use the [**prompt**](stages/prompt/index.md) stage to ask the user for a new password and the [**user_write**](stages/user_write.md) stage to update the password.
+This designates a flow for general setup. This designation doesn't have any constraints in what you can do. For example, by default this designation is used to configure Factors, like change a password and setup TOTP.

docs/installation/docker-compose.md

@@ -11,14 +11,21 @@ This installation method is for test-setups and small-scale productive setups.
 
 Download the latest `docker-compose.yml` from [here](https://raw.githubusercontent.com/BeryJu/passbook/master/docker-compose.yml). Place it in a directory of your choice.
 
+To optionally enable error-reporting, run `echo PASSBOOK_ERROR_REPORTING__ENABLED=true >> .env`
+
+To optionally deploy a different version run `echo PASSBOOK_TAG=0.10.6-stable >> .env`
+
+If this is a fresh passbook install run the following commands to generate a password:
+
+```
+sudo apt-get install -y pwgen
+echo "PG_PASS=$(pwgen 40 1)" >> .env
+echo "PASSBOOK_SECRET_KEY=$(pwgen 50 1)" >> .env
+```
+
+Afterwards, run these commands to finish
+
 ```
-wget https://raw.githubusercontent.com/BeryJu/passbook/master/docker-compose.yml
-# Optionally enable Error-reporting
-# export PASSBOOK_ERROR_REPORTING=true
-# Optionally deploy a different version
-# export PASSBOOK_TAG=0.10.0-rc2
-# If this is a productive installation, set a different PostgreSQL Password
-# export PG_PASS=$(pwgen 40 1)
 docker-compose pull
 docker-compose up -d
 docker-compose run --rm server migrate
@@ -32,4 +39,6 @@ Now you can pull the Docker images needed by running `docker-compose pull`. Afte
 
 passbook will then be reachable via HTTP on port 80, and HTTPS on port 443. You can optionally configure the packaged traefik to use Let's Encrypt certificates for TLS Encryption.
 
+If you plan to access passbook via a reverse proxy which does SSL Termination, make sure you use the HTTPS port, so passbook is aware of the SSL connection.
+
 The initial setup process also creates a default admin user, the username and password for which is `pbadmin`. It is highly recommended to change this password as soon as you log in.

docs/installation/kubernetes.md

@@ -11,7 +11,7 @@ This installation automatically applies database migrations on startup. After th
 image:
   name: beryju/passbook
   name_static: beryju/passbook-static
-  tag: 0.9.0-stable
+  tag: 0.10.6-stable
 
 nameOverride: ""
 

docs/integrations/services/sentry/index.md

@@ -18,24 +18,28 @@ The following placeholders will be used:
 - `sentry.company` is the FQDN of the Sentry install.
 - `passbook.company` is the FQDN of the passbook install.
 
-Create an application in passbook. Create an OpenID provider with the following parameters:
+Create an application in passbook. Create a SAML Provider with the following values
 
--   Client Type: `Confidential`
--   Response types: `code (Authorization Code Flow)`
--   JWT Algorithm: `RS256`
--   Redirect URIs: `https://sentry.company/auth/sso/`
--   Scopes: `openid email`
+- ACS URL: `https://sentry.company/saml/acs/<sentry organisation name>/`
+- Audience: `https://sentry.company/saml/metadata/<sentry organisation name>/`
+- Issuer: `passbook`
+- Service Provider Binding: `Post`
+- Property Mapping: Select all Autogenerated Mappings
 
 ## Sentry
 
 **This guide assumes you've installed Sentry using [getsentry/onpremise](https://github.com/getsentry/onpremise)**
 
-- Add `sentry-auth-oidc` to `onpremise/sentry/requirements.txt` (Create the file if it doesn't exist yet)
-- Add the following block to your `onpremise/sentry/sentry.conf.py`:
-```
-OIDC_ISSUER = "passbook"
-OIDC_CLIENT_ID = "<Client ID from passbook>"
-OIDC_CLIENT_SECRET = "<Client Secret from passbook>"
-OIDC_SCOPE = "openid email"
-OIDC_DOMAIN = "https://passbook.company/application/oidc/"
-```
+Navigate to Settings -> Auth, and click on Configure next to SAML2
+
+![](./auth.png)
+
+In passbook, get the Metadata URL by right-clicking `Download Metadata` and selecting Copy Link Address, and paste that URL into Sentry.
+
+On the next screen, input these Values
+
+IdP User ID: `urn:oid:0.9.2342.19200300.100.1.1`
+User Email: `urn:oid:0.9.2342.19200300.100.1.3`
+First Name: `urn:oid:2.5.4.3`
+
+After confirming, Sentry will authenticate with passbook, and you should be redirected back to a page confirming your settings.

docs/integrations/services/sonarr/index.md

@@ -0,0 +1,37 @@
+# Sonarr Integration
+
+!!! note
+    These instructions apply to all projects in the *arr Family. If you use multiple of these projects, you can assign them to the same Outpost.
+
+## What is Sonarr
+
+From https://github.com/Sonarr/Sonarr
+
+!!! note ""
+    Sonarr is a PVR for Usenet and BitTorrent users. It can monitor multiple RSS feeds for new episodes of your favorite shows and will grab, sort and rename them. It can also be configured to automatically upgrade the quality of files already downloaded when a better quality format becomes available.
+
+
+## Preparation
+
+The following placeholders will be used:
+
+- `sonarr.company` is the FQDN of the Sonarr install.
+- `passbook.company` is the FQDN of the passbook install.
+
+Create an application in passbook. Create a Proxy Provider with the following values
+
+- Internal host
+
+    If Sonarr is running in docker, and you're deploying the passbook proxy on the same host, set the value to `http://sonarr:8989`, where sonarr is the name of your container.
+
+    If Sonarr is running on a different server than where you are deploying the passbook proxy, set the value to `http://sonarr.company:8989`.
+
+- External host
+
+    Set this to the external URL you will be accessing Sonarr from.
+
+## Deployment
+
+Create an outpost deployment for the provider you've created above, as described [here](../../../outposts/outposts.md). Deploy this Outpost either on the same host or a different host that can access Sonarr.
+
+The outpost will connect to passbook and configure itself.

docs/integrations/services/tower-awx/index.md

@@ -23,6 +23,7 @@ Create an application in passbook and note the slug, as this will be used later.
 
 - ACS URL: `https://awx.company/sso/complete/saml/`
 - Audience: `awx`
+- Service Provider Binding: Post
 - Issuer: `https://awx.company/sso/metadata/saml/`
 
 You can of course use a custom signing certificate, and adjust durations.

docs/integrations/services/ubuntu-landscape/index.md

@@ -0,0 +1,58 @@
+# Ubuntu Landscape Integration
+
+## What is Ubuntu Landscape
+
+From https://en.wikipedia.org/wiki/Landscape_(software)
+
+!!! note ""
+
+    Landscape is a systems management tool developed by Canonical. It can be run on-premises or in the cloud depending on the needs of the user. It is primarily designed for use with Ubuntu derivatives such as Desktop, Server, and Core.
+
+!!! warning
+
+    This requires passbook 0.10.3 or newer.
+
+## Preparation
+
+The following placeholders will be used:
+
+ - `landscape.company` is the FQDN of the Landscape server.
+ - `passbook.company` is the FQDN of the passbook install.
+
+Landscape uses the OpenID-Connect Protocol for single-sign on.
+
+## passbook Setup
+
+Create an OAuth2/OpenID-Connect Provider with the default settings. Set the Redirect URIs to `https://landscape.company/login/handle-openid`. Select all Autogenerated Scopes.
+
+Keep Note of the Client ID and the Client Secret.
+
+Create an application and assign access policies to the application. Set the application's provider to the provider you've just created.
+
+## Landscape Setup
+
+On the Landscape Server, edit the file `/etc/landscape/service.conf` and add the following snippet under the `[landscape]` section:
+
+```
+oidc-issuer = https://passbook.company/application/o/<slug of the application you've created>/
+oidc-client-id = <client ID of the provider you've created>
+oidc-client-secret = <client Secret of the provider you've created>
+```
+
+Afterwards, run `sudo lsctl restart` to restart the Landscape services.
+
+## Appendix
+
+To make an OpenID-Connect User admin, you have to insert some rows into the database.
+
+First login with your passbook user, and make sure the user is created successfully.
+
+Run `sudo -u postgres psql landscape-standalone-main` on the Landscape server to open a PostgreSQL Prompt.
+Then run `select * from person;` to get a list of all users. Take note of the ID given to your new user.
+
+Run the following commands to make this user an administrator:
+
+```sql
+INSERT INTO person_account VALUES (<user id>, 1);
+INSERT INTO person_access VALUES (<user id>, 1, 1);
+```

docs/integrations/services/vmware-vcenter/index.md

@@ -0,0 +1,77 @@
+# VMware vCenter Integration
+
+## What is vCenter
+
+From https://en.wikipedia.org/wiki/VCenter
+
+!!! note ""
+
+    vCenter Server is the centralized management utility for VMware, and is used to manage virtual machines, multiple ESXi hosts, and all dependent components from a single centralized location. VMware vMotion and svMotion require the use of vCenter and ESXi hosts.
+
+!!! warning
+
+    This requires passbook 0.10.3 or newer.
+
+!!! warning
+
+    This requires VMware vCenter 7.0.0 or newer.
+
+## Preparation
+
+The following placeholders will be used:
+
+ - `vcenter.company` is the FQDN of the vCenter server.
+ - `passbook.company` is the FQDN of the passbook install.
+
+Since vCenter only allows OpenID-Connect in combination with Active Directory, it is recommended to have passbook sync with the same Active Directory.
+
+### Step 1
+
+Under *Property Mappings*, create a *Scope Mapping*. Give it a name like "OIDC-Scope-VMware-vCenter". Set the scope name to `openid` and the expression to the following
+
+```python
+return {
+  "domain": "<your active directory domain>",
+}
+```
+
+### Step 2
+
+!!! note
+    If your Active Directory Schema is the same as your Email address schema, skip to Step 3.
+
+Under *Sources*, click *Edit* and ensure that "Autogenerated Active Directory Mapping: userPrincipalName -> attributes.upn" has been added to your source.
+
+### Step 3
+
+Under *Providers*, create an OAuth2/OpenID Provider with these settings:
+
+ - Client Type: Confidential
+ - Response Type: code (ADFS Compatibility Mode, sends id_token as access_token)
+ - JWT Algorithm: RS256
+ - Redirect URI: `https://vcenter.company/ui/login/oauth2/authcode`
+ - Post Logout Redirect URIs: `https://vcenter.company/ui/login`
+ - Sub Mode: If your Email address Schema matches your UPN, select "Based on the User's Email...", otherwise select "Based on the User's UPN...".
+ - Scopes: Select the Scope Mapping you've created in Step 1
+
+![](./passbook_setup.png)
+
+### Step 4
+
+Create an application which uses this provider. Optionally apply access restrictions to the application.
+
+## vCenter Setup
+
+Login as local Administrator account (most likely ends with vsphere.local). Using the Menu in the Navigation bar, navigate to *Administration -> Single Sing-on -> Configuration*.
+
+Click on *Change Identity Provider* in the top-right corner.
+
+In the wizard, select "Microsoft ADFS" and click Next.
+
+Fill in the Client Identifier and Shared Secret from the Provider in passbook. For the OpenID Address, click on *View Setup URLs* in passbook, and copy the OpenID Configuration URL.
+
+On the next page, fill in your Active Directory Connection Details. These should be similar to what you have set in passbook.
+
+![](./vcenter_post_setup.png)
+
+If your vCenter was already setup with LDAP beforehand, your Role assignments will continue to work.

docs/outposts/deploy-docker-compose.md

@@ -0,0 +1,20 @@
+# Outpost deployment in docker-compose
+
+To deploy an outpost with docker-compose, use  this snippet in your docker-compose file.
+
+You can also run the outpost in a separate docker-compose project, you just have to ensure that the outpost container can reach your application container.
+
+```yaml
+version: 3.5
+
+services:
+  passbook_proxy:
+    image: beryju/passbook-proxy:0.10.0-stable
+    ports:
+      - 4180:4180
+      - 4443:4443
+    environment:
+      PASSBOOK_HOST: https://your-passbook.tld
+      PASSBOOK_INSECURE: 'false'
+      PASSBOOK_TOKEN: token-generated-by-passbook
+```

docs/outposts/deploy-kubernetes.md

@@ -0,0 +1,99 @@
+# Outpost deployment on Kubernetes
+
+Use the following manifest, replacing all values surrounded with `__`.
+
+Afterwards, configure the proxy provider to connect to `<service name>.<namespace>.svc.cluster.local`, and update your Ingress to connect to the `passbook-outpost` service.
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  labels:
+    app.kubernetes.io/instance: test
+    app.kubernetes.io/managed-by: passbook.beryju.org
+    app.kubernetes.io/name: passbook-proxy
+    app.kubernetes.io/version: 0.10.0
+  name: passbook-outpost-api
+stringData:
+  passbook_host: '__PASSBOOK_URL__'
+  passbook_host_insecure: 'true'
+  token: '__PASSBOOK_TOKEN__'
+type: Opaque
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/instance: test
+    app.kubernetes.io/managed-by: passbook.beryju.org
+    app.kubernetes.io/name: passbook-proxy
+    app.kubernetes.io/version: 0.10.0
+  name: passbook-outpost
+spec:
+  ports:
+  - name: http
+    port: 4180
+    protocol: TCP
+    targetPort: http
+  - name: https
+    port: 4443
+    protocol: TCP
+    targetPort: https
+  selector:
+    app.kubernetes.io/instance: test
+    app.kubernetes.io/managed-by: passbook.beryju.org
+    app.kubernetes.io/name: passbook-proxy
+    app.kubernetes.io/version: 0.10.0
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/instance: test
+    app.kubernetes.io/managed-by: passbook.beryju.org
+    app.kubernetes.io/name: passbook-proxy
+    app.kubernetes.io/version: 0.10.0
+  name: passbook-outpost
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: test
+      app.kubernetes.io/managed-by: passbook.beryju.org
+      app.kubernetes.io/name: passbook-proxy
+      app.kubernetes.io/version: 0.10.0
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/instance: test
+        app.kubernetes.io/managed-by: passbook.beryju.org
+        app.kubernetes.io/name: passbook-proxy
+        app.kubernetes.io/version: 0.10.0
+    spec:
+      containers:
+      - env:
+        - name: PASSBOOK_HOST
+          valueFrom:
+            secretKeyRef:
+              key: passbook_host
+              name: passbook-outpost-api
+        - name: PASSBOOK_TOKEN
+          valueFrom:
+            secretKeyRef:
+              key: token
+              name: passbook-outpost-api
+        - name: PASSBOOK_INSECURE
+          valueFrom:
+            secretKeyRef:
+              key: passbook_host_insecure
+              name: passbook-outpost-api
+        image: beryju/passbook-proxy:0.10.0-stable
+        name: proxy
+        ports:
+        - containerPort: 4180
+          name: http
+          protocol: TCP
+        - containerPort: 4443
+          name: https
+          protocol: TCP
+```

docs/outposts/outposts.md

@@ -6,21 +6,9 @@ An outpost is a single deployment of a passbook component, which can be deployed
 
 Upon creation, a service account and a token is generated. The service account only has permissions to read the outpost and provider configuration. This token is used by the Outpost to connect to passbook.
 
-To deploy an outpost, you can for example use this docker-compose snippet:
+To deploy an outpost, see: <a name="deploy">
 
-```yaml
-version: 3.5
+- [Kubernetes](deploy-kubernetes.md)
+- [docker-compose](deploy-docker-compose.md)
 
-services:
-  passbook_proxy:
-    image: beryju/passbook-proxy:0.10.0-stable
-    ports:
-      - 4180:4180
-      - 4443:4443
-    environment:
-      PASSBOOK_HOST: https://your-passbook.tld
-      PASSBOOK_INSECURE: 'true'
-      PASSBOOK_TOKEN: token-generated-by-passbook
-```
-
-In future versions, this snippet will be automatically generated. You will also be able to deploy an outpost directly into a kubernetes cluster.w
+In future versions, this snippet will be automatically generated. You will also be able to deploy an outpost directly into a kubernetes cluster.

docs/outposts/upgrading.md

@@ -0,0 +1,9 @@
+# Upgrading an Outpost
+
+In the Outpost Overview list, you'll see if any deployed outposts are out of date.
+
+![](./upgrading_outdated.png)
+
+To upgrade the Outpost to the latest version, simple adjust the docker tag of the outpost the the new version.
+
+Since the configuration is managed by passbook, that's all you have to do.

docs/troubleshooting/access.md

@@ -0,0 +1,11 @@
+# Troubleshooting access problems
+
+## I get an access denied error when trying to access an application.
+
+If your user is a superuser, or has the attribute `passbook_user_debug` set to true:
+
+![](./passbook_user_debug.png)
+
+Afterwards, try to access the application again. You will now see a message explaining which policy denied you access:
+
+![](./access_denied_message.png)

e2e/docker-compose.yml

@@ -2,7 +2,7 @@ version: '3.7'
 
 services:
   chrome:
-    image: selenium/standalone-chrome-debug:3.141.59-20200525
+    image: selenium/standalone-chrome-debug:3.141.59-20200719
     volumes:
       - /dev/shm:/dev/shm
     network_mode: host

e2e/test_flows_enroll.py

@@ -1,58 +1,38 @@
 """Test Enroll flow"""
-from time import sleep
+from sys import platform
+from typing import Any, Dict, Optional
+from unittest.case import skipUnless
 
 from django.test import override_settings
-from docker import DockerClient, from_env
-from docker.models.containers import Container
 from docker.types import Healthcheck
 from selenium.webdriver.common.by import By
 from selenium.webdriver.support import expected_conditions as ec
-from structlog import get_logger
 
 from e2e.utils import USER, SeleniumTestCase
 from passbook.flows.models import Flow, FlowDesignation, FlowStageBinding
-from passbook.policies.expression.models import ExpressionPolicy
 from passbook.stages.email.models import EmailStage, EmailTemplates
 from passbook.stages.identification.models import IdentificationStage
 from passbook.stages.prompt.models import FieldTypes, Prompt, PromptStage
 from passbook.stages.user_login.models import UserLoginStage
 from passbook.stages.user_write.models import UserWriteStage
 
-LOGGER = get_logger()
-
 
+@skipUnless(platform.startswith("linux"), "requires local docker")
 class TestFlowsEnroll(SeleniumTestCase):
     """Test Enroll flow"""
 
-    def setUp(self):
-        self.container = self.setup_client()
-        super().setUp()
-
-    def setup_client(self) -> Container:
-        """Setup test IdP container"""
-        client: DockerClient = from_env()
-        container = client.containers.run(
-            image="mailhog/mailhog:v1.0.1",
-            detach=True,
-            network_mode="host",
-            auto_remove=True,
-            healthcheck=Healthcheck(
+    def get_container_specs(self) -> Optional[Dict[str, Any]]:
+        return {
+            "image": "mailhog/mailhog:v1.0.1",
+            "detach": True,
+            "network_mode": "host",
+            "auto_remove": True,
+            "healthcheck": Healthcheck(
                 test=["CMD", "wget", "--spider", "http://localhost:8025"],
                 interval=5 * 100 * 1000000,
                 start_period=1 * 100 * 1000000,
             ),
-        )
-        while True:
-            container.reload()
-            status = container.attrs.get("State", {}).get("Health", {}).get("Status")
-            if status == "healthy":
-                return container
-            LOGGER.info("Container failed healthcheck")
-            sleep(1)
-
-    def tearDown(self):
-        self.container.kill()
-        super().tearDown()
+        }
 
     def test_enroll_2_step(self):
         """Test 2-step enroll flow"""
@@ -78,16 +58,9 @@ class TestFlowsEnroll(SeleniumTestCase):
             field_key="email", label="E-Mail", order=1, type=FieldTypes.EMAIL
         )
 
-        # Password checking policy
-        password_policy = ExpressionPolicy.objects.create(
-            name="policy-enrollment-password-equals",
-            expression="return request.context['password'] == request.context['password_repeat']",
-        )
-
         # Stages
         first_stage = PromptStage.objects.create(name="prompt-stage-first")
         first_stage.fields.set([username_prompt, password, password_repeat])
-        first_stage.validation_policies.set([password_policy])
         first_stage.save()
         second_stage = PromptStage.objects.create(name="prompt-stage-second")
         second_stage.fields.set([name_field, email])
@@ -171,16 +144,9 @@ class TestFlowsEnroll(SeleniumTestCase):
             field_key="email", label="E-Mail", order=1, type=FieldTypes.EMAIL
         )
 
-        # Password checking policy
-        password_policy = ExpressionPolicy.objects.create(
-            name="policy-enrollment-password-equals",
-            expression="return request.context['password'] == request.context['password_repeat']",
-        )
-
         # Stages
         first_stage = PromptStage.objects.create(name="prompt-stage-first")
         first_stage.fields.set([username_prompt, password, password_repeat])
-        first_stage.validation_policies.set([password_policy])
         first_stage.save()
         second_stage = PromptStage.objects.create(name="prompt-stage-second")
         second_stage.fields.set([name_field, email])
@@ -220,21 +186,25 @@ class TestFlowsEnroll(SeleniumTestCase):
         self.driver.find_element(By.ID, "id_name").send_keys("some name")
         self.driver.find_element(By.ID, "id_email").send_keys("foo@bar.baz")
         self.driver.find_element(By.CSS_SELECTOR, ".pf-c-button").click()
-        sleep(3)
+        # Wait for the success message so we know the email is sent
+        self.wait.until(
+            ec.presence_of_element_located((By.CSS_SELECTOR, ".pf-c-form > p"))
+        )
 
         # Open Mailhog
         self.driver.get("http://localhost:8025")
 
         # Click on first message
+        self.wait.until(
+            ec.presence_of_element_located((By.CLASS_NAME, "msglist-message"))
+        )
         self.driver.find_element(By.CLASS_NAME, "msglist-message").click()
-        sleep(3)
         self.driver.switch_to.frame(self.driver.find_element(By.CLASS_NAME, "tab-pane"))
         self.driver.find_element(By.ID, "confirm").click()
         self.driver.close()
         self.driver.switch_to.window(self.driver.window_handles[0])
 
         # We're now logged in
-        sleep(3)
         self.wait.until(
             ec.presence_of_element_located(
                 (By.XPATH, "//a[contains(@href, '/-/user/')]")

e2e/test_flows_login.py

@@ -1,10 +1,14 @@
 """test default login flow"""
+from sys import platform
+from unittest.case import skipUnless
+
 from selenium.webdriver.common.by import By
 from selenium.webdriver.common.keys import Keys
 
 from e2e.utils import USER, SeleniumTestCase
 
 
+@skipUnless(platform.startswith("linux"), "requires local docker")
 class TestFlowsLogin(SeleniumTestCase):
     """test default login flow"""
 

e2e/test_flows_stage_setup.py

@@ -1,7 +1,6 @@
 """test stage setup flows (password change)"""
-import string
-from random import SystemRandom
-from time import sleep
+from sys import platform
+from unittest.case import skipUnless
 
 from selenium.webdriver.common.by import By
 from selenium.webdriver.common.keys import Keys
@@ -9,9 +8,11 @@ from selenium.webdriver.common.keys import Keys
 from e2e.utils import USER, SeleniumTestCase
 from passbook.core.models import User
 from passbook.flows.models import Flow, FlowDesignation
+from passbook.providers.oauth2.generators import generate_client_secret
 from passbook.stages.password.models import PasswordStage
 
 
+@skipUnless(platform.startswith("linux"), "requires local docker")
 class TestFlowsStageSetup(SeleniumTestCase):
     """test stage setup flows"""
 
@@ -27,10 +28,7 @@ class TestFlowsStageSetup(SeleniumTestCase):
         stage.change_flow = flow
         stage.save()
 
-        new_password = "".join(
-            SystemRandom().choice(string.ascii_uppercase + string.digits)
-            for _ in range(8)
-        )
+        new_password = generate_client_secret()
 
         self.driver.get(
             f"{self.live_server_url}/flows/default-authentication-flow/?next=%2F"
@@ -48,7 +46,7 @@ class TestFlowsStageSetup(SeleniumTestCase):
         self.driver.find_element(By.ID, "id_password_repeat").send_keys(new_password)
         self.driver.find_element(By.CSS_SELECTOR, ".pf-c-button").click()
 
-        sleep(2)
+        self.wait_for_url(self.url("passbook_core:user-settings"))
         # Because USER() is cached, we need to get the user manually here
         user = User.objects.get(username=USER().username)
         self.assertTrue(user.check_password(new_password))

e2e/test_provider_oauth2_github.py

@@ -1,12 +1,12 @@
 """test OAuth Provider flow"""
-from time import sleep
+from sys import platform
+from typing import Any, Dict, Optional
+from unittest.case import skipUnless
 
-from docker import DockerClient, from_env
-from docker.models.containers import Container
 from docker.types import Healthcheck
 from selenium.webdriver.common.by import By
 from selenium.webdriver.common.keys import Keys
-from structlog import get_logger
+from selenium.webdriver.support import expected_conditions as ec
 
 from e2e.utils import USER, SeleniumTestCase
 from passbook.core.models import Application
@@ -19,32 +19,29 @@ from passbook.providers.oauth2.generators import (
 )
 from passbook.providers.oauth2.models import ClientTypes, OAuth2Provider, ResponseTypes
 
-LOGGER = get_logger()
-
 
+@skipUnless(platform.startswith("linux"), "requires local docker")
 class TestProviderOAuth2Github(SeleniumTestCase):
     """test OAuth Provider flow"""
 
     def setUp(self):
         self.client_id = generate_client_id()
         self.client_secret = generate_client_secret()
-        self.container = self.setup_client()
         super().setUp()
 
-    def setup_client(self) -> Container:
+    def get_container_specs(self) -> Optional[Dict[str, Any]]:
         """Setup client grafana container which we test OAuth against"""
-        client: DockerClient = from_env()
-        container = client.containers.run(
-            image="grafana/grafana:7.1.0",
-            detach=True,
-            network_mode="host",
-            auto_remove=True,
-            healthcheck=Healthcheck(
+        return {
+            "image": "grafana/grafana:7.1.0",
+            "detach": True,
+            "network_mode": "host",
+            "auto_remove": True,
+            "healthcheck": Healthcheck(
                 test=["CMD", "wget", "--spider", "http://localhost:3000"],
                 interval=5 * 100 * 1000000,
                 start_period=1 * 100 * 1000000,
             ),
-            environment={
+            "environment": {
                 "GF_AUTH_GITHUB_ENABLED": "true",
                 "GF_AUTH_GITHUB_ALLOW_SIGN_UP": "true",
                 "GF_AUTH_GITHUB_CLIENT_ID": self.client_id,
@@ -61,22 +58,10 @@ class TestProviderOAuth2Github(SeleniumTestCase):
                 ),
                 "GF_LOG_LEVEL": "debug",
             },
-        )
-        while True:
-            container.reload()
-            status = container.attrs.get("State", {}).get("Health", {}).get("Status")
-            if status == "healthy":
-                return container
-            LOGGER.info("Container failed healthcheck")
-            sleep(1)
-
-    def tearDown(self):
-        self.container.kill()
-        super().tearDown()
+        }
 
     def test_authorization_consent_implied(self):
         """test OAuth Provider flow (default authorization flow with implied consent)"""
-        sleep(1)
         # Bootstrap all needed objects
         authorization_flow = Flow.objects.get(
             slug="default-provider-authorization-implicit-consent"
@@ -129,7 +114,6 @@ class TestProviderOAuth2Github(SeleniumTestCase):
 
     def test_authorization_consent_explicit(self):
         """test OAuth Provider flow (default authorization flow with explicit consent)"""
-        sleep(1)
         # Bootstrap all needed objects
         authorization_flow = Flow.objects.get(
             slug="default-provider-authorization-explicit-consent"
@@ -167,8 +151,13 @@ class TestProviderOAuth2Github(SeleniumTestCase):
                 By.XPATH, "/html/body/div[2]/div/main/div/form/div[2]/ul/li[1]"
             ).text,
         )
-        sleep(1)
-        self.driver.find_element(By.CSS_SELECTOR, "[type=submit]").click()
+        self.driver.find_element(
+            By.CSS_SELECTOR,
+            (
+                "form[action='/flows/b/default-provider-authorization-explicit-consent/'] "
+                "[type=submit]"
+            ),
+        ).click()
 
         self.wait_for_url("http://localhost:3000/?orgId=1")
         self.driver.find_element(By.XPATH, "//a[contains(@href, '/profile')]").click()
@@ -197,7 +186,6 @@ class TestProviderOAuth2Github(SeleniumTestCase):
 
     def test_denied(self):
         """test OAuth Provider flow (default authorization flow, denied)"""
-        sleep(1)
         # Bootstrap all needed objects
         authorization_flow = Flow.objects.get(
             slug="default-provider-authorization-explicit-consent"
@@ -227,7 +215,10 @@ class TestProviderOAuth2Github(SeleniumTestCase):
         self.driver.find_element(By.ID, "id_uid_field").send_keys(Keys.ENTER)
         self.driver.find_element(By.ID, "id_password").send_keys(USER().username)
         self.driver.find_element(By.ID, "id_password").send_keys(Keys.ENTER)
-        self.wait_for_url(self.url("passbook_flows:denied"))
+
+        self.wait.until(
+            ec.presence_of_element_located((By.CSS_SELECTOR, "header > h1"))
+        )
         self.assertEqual(
             self.driver.find_element(By.CSS_SELECTOR, "header > h1").text,
             "Permission denied",

e2e/test_provider_oauth2_oidc.py

@@ -1,8 +1,9 @@
 """test OAuth2 OpenID Provider flow"""
+from sys import platform
 from time import sleep
+from typing import Any, Dict, Optional
+from unittest.case import skipUnless
 
-from docker import DockerClient, from_env
-from docker.models.containers import Container
 from docker.types import Healthcheck
 from selenium.webdriver.common.by import By
 from selenium.webdriver.common.keys import Keys
@@ -32,31 +33,30 @@ from passbook.providers.oauth2.models import (
 )
 
 LOGGER = get_logger()
+APPLICATION_SLUG = "grafana"
 
 
+@skipUnless(platform.startswith("linux"), "requires local docker")
 class TestProviderOAuth2OIDC(SeleniumTestCase):
     """test OAuth with OpenID Provider flow"""
 
     def setUp(self):
         self.client_id = generate_client_id()
         self.client_secret = generate_client_secret()
-        self.container = self.setup_client()
         super().setUp()
 
-    def setup_client(self) -> Container:
-        """Setup client grafana container which we test OIDC against"""
-        client: DockerClient = from_env()
-        container = client.containers.run(
-            image="grafana/grafana:7.1.0",
-            detach=True,
-            network_mode="host",
-            auto_remove=True,
-            healthcheck=Healthcheck(
+    def get_container_specs(self) -> Optional[Dict[str, Any]]:
+        return {
+            "image": "grafana/grafana:7.1.0",
+            "detach": True,
+            "network_mode": "host",
+            "auto_remove": True,
+            "healthcheck": Healthcheck(
                 test=["CMD", "wget", "--spider", "http://localhost:3000"],
                 interval=5 * 100 * 1000000,
                 start_period=1 * 100 * 1000000,
             ),
-            environment={
+            "environment": {
                 "GF_AUTH_GENERIC_OAUTH_ENABLED": "true",
                 "GF_AUTH_GENERIC_OAUTH_CLIENT_ID": self.client_id,
                 "GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET": self.client_secret,
@@ -70,20 +70,15 @@ class TestProviderOAuth2OIDC(SeleniumTestCase):
                 "GF_AUTH_GENERIC_OAUTH_API_URL": (
                     self.url("passbook_providers_oauth2:userinfo")
                 ),
+                "GF_AUTH_SIGNOUT_REDIRECT_URL": (
+                    self.url(
+                        "passbook_providers_oauth2:end-session",
+                        application_slug=APPLICATION_SLUG,
+                    )
+                ),
                 "GF_LOG_LEVEL": "debug",
             },
-        )
-        while True:
-            container.reload()
-            status = container.attrs.get("State", {}).get("Health", {}).get("Status")
-            if status == "healthy":
-                return container
-            LOGGER.info("Container failed healthcheck")
-            sleep(1)
-
-    def tearDown(self):
-        self.container.kill()
-        super().tearDown()
+        }
 
     def test_redirect_uri_error(self):
         """test OpenID Provider flow (invalid redirect URI, check error message)"""
@@ -109,7 +104,7 @@ class TestProviderOAuth2OIDC(SeleniumTestCase):
         )
         provider.save()
         Application.objects.create(
-            name="Grafana", slug="grafana", provider=provider,
+            name="Grafana", slug=APPLICATION_SLUG, provider=provider,
         )
 
         self.driver.get("http://localhost:3000")
@@ -149,7 +144,7 @@ class TestProviderOAuth2OIDC(SeleniumTestCase):
         )
         provider.save()
         Application.objects.create(
-            name="Grafana", slug="grafana", provider=provider,
+            name="Grafana", slug=APPLICATION_SLUG, provider=provider,
         )
 
         self.driver.get("http://localhost:3000")
@@ -183,6 +178,72 @@ class TestProviderOAuth2OIDC(SeleniumTestCase):
             USER().email,
         )
 
+    def test_authorization_logout(self):
+        """test OpenID Provider flow with logout"""
+        sleep(1)
+        # Bootstrap all needed objects
+        authorization_flow = Flow.objects.get(
+            slug="default-provider-authorization-implicit-consent"
+        )
+        provider = OAuth2Provider.objects.create(
+            name="grafana",
+            client_type=ClientTypes.CONFIDENTIAL,
+            client_id=self.client_id,
+            client_secret=self.client_secret,
+            rsa_key=CertificateKeyPair.objects.first(),
+            redirect_uris="http://localhost:3000/login/generic_oauth",
+            authorization_flow=authorization_flow,
+            response_type=ResponseTypes.CODE,
+        )
+        provider.property_mappings.set(
+            ScopeMapping.objects.filter(
+                scope_name__in=[SCOPE_OPENID, SCOPE_OPENID_EMAIL, SCOPE_OPENID_PROFILE]
+            )
+        )
+        provider.save()
+        Application.objects.create(
+            name="Grafana", slug=APPLICATION_SLUG, provider=provider,
+        )
+
+        self.driver.get("http://localhost:3000")
+        self.driver.find_element(By.CLASS_NAME, "btn-service--oauth").click()
+        self.driver.find_element(By.ID, "id_uid_field").click()
+        self.driver.find_element(By.ID, "id_uid_field").send_keys(USER().username)
+        self.driver.find_element(By.ID, "id_uid_field").send_keys(Keys.ENTER)
+        self.driver.find_element(By.ID, "id_password").send_keys(USER().username)
+        self.driver.find_element(By.ID, "id_password").send_keys(Keys.ENTER)
+        self.driver.find_element(By.XPATH, "//a[contains(@href, '/profile')]").click()
+        self.assertEqual(
+            self.driver.find_element(By.CLASS_NAME, "page-header__title").text,
+            USER().name,
+        )
+        self.assertEqual(
+            self.driver.find_element(By.CSS_SELECTOR, "input[name=name]").get_attribute(
+                "value"
+            ),
+            USER().name,
+        )
+        self.assertEqual(
+            self.driver.find_element(
+                By.CSS_SELECTOR, "input[name=email]"
+            ).get_attribute("value"),
+            USER().email,
+        )
+        self.assertEqual(
+            self.driver.find_element(
+                By.CSS_SELECTOR, "input[name=login]"
+            ).get_attribute("value"),
+            USER().email,
+        )
+        self.driver.find_element(By.CSS_SELECTOR, "[href='/logout']").click()
+        self.wait_for_url(
+            self.url(
+                "passbook_providers_oauth2:end-session",
+                application_slug=APPLICATION_SLUG,
+            )
+        )
+        self.driver.find_element(By.ID, "logout").click()
+
     def test_authorization_consent_explicit(self):
         """test OpenID Provider flow (default authorization flow with explicit consent)"""
         sleep(1)
@@ -207,7 +268,7 @@ class TestProviderOAuth2OIDC(SeleniumTestCase):
         )
         provider.save()
         app = Application.objects.create(
-            name="Grafana", slug="grafana", provider=provider,
+            name="Grafana", slug=APPLICATION_SLUG, provider=provider,
         )
 
         self.driver.get("http://localhost:3000")
@@ -283,7 +344,7 @@ class TestProviderOAuth2OIDC(SeleniumTestCase):
         )
         provider.save()
         app = Application.objects.create(
-            name="Grafana", slug="grafana", provider=provider,
+            name="Grafana", slug=APPLICATION_SLUG, provider=provider,
         )
 
         negative_policy = ExpressionPolicy.objects.create(
@@ -297,7 +358,10 @@ class TestProviderOAuth2OIDC(SeleniumTestCase):
         self.driver.find_element(By.ID, "id_uid_field").send_keys(Keys.ENTER)
         self.driver.find_element(By.ID, "id_password").send_keys(USER().username)
         self.driver.find_element(By.ID, "id_password").send_keys(Keys.ENTER)
-        self.wait_for_url(self.url("passbook_flows:denied"))
+
+        self.wait.until(
+            ec.presence_of_element_located((By.CSS_SELECTOR, "header > h1"))
+        )
         self.assertEqual(
             self.driver.find_element(By.CSS_SELECTOR, "header > h1").text,
             "Permission denied",

e2e/test_provider_proxy.py

@@ -0,0 +1,96 @@
+"""Proxy and Outpost e2e tests"""
+from sys import platform
+from time import sleep
+from typing import Any, Dict, Optional
+from unittest.case import skipUnless
+
+from docker.client import DockerClient, from_env
+from docker.models.containers import Container
+from selenium.webdriver.common.by import By
+from selenium.webdriver.common.keys import Keys
+
+from e2e.utils import USER, SeleniumTestCase
+from passbook.core.models import Application
+from passbook.flows.models import Flow
+from passbook.outposts.models import Outpost, OutpostDeploymentType, OutpostType
+from passbook.providers.proxy.models import ProxyProvider
+
+
+@skipUnless(platform.startswith("linux"), "requires local docker")
+class TestProviderProxy(SeleniumTestCase):
+    """Proxy and Outpost e2e tests"""
+
+    proxy_container: Container
+
+    def tearDown(self) -> None:
+        super().tearDown()
+        self.proxy_container.kill()
+
+    def get_container_specs(self) -> Optional[Dict[str, Any]]:
+        return {
+            "image": "traefik/whoami:latest",
+            "detach": True,
+            "network_mode": "host",
+            "auto_remove": True,
+        }
+
+    def start_proxy(self, outpost: Outpost) -> Container:
+        """Start proxy container based on outpost created"""
+        client: DockerClient = from_env()
+        container = client.containers.run(
+            image="beryju/passbook-proxy:latest",
+            detach=True,
+            network_mode="host",
+            auto_remove=True,
+            environment={
+                "PASSBOOK_HOST": self.live_server_url,
+                "PASSBOOK_TOKEN": outpost.token.token_uuid.hex,
+            },
+        )
+        return container
+
+    def test_proxy_simple(self):
+        """Test simple outpost setup with single provider"""
+        proxy: ProxyProvider = ProxyProvider.objects.create(
+            name="proxy_provider",
+            authorization_flow=Flow.objects.get(
+                slug="default-provider-authorization-implicit-consent"
+            ),
+            internal_host="http://localhost:80",
+            external_host="http://localhost:4180",
+        )
+        # Ensure OAuth2 Params are set
+        proxy.set_oauth_defaults()
+        proxy.save()
+        # we need to create an application to actually access the proxy
+        Application.objects.create(name="proxy", slug="proxy", provider=proxy)
+        outpost: Outpost = Outpost.objects.create(
+            name="proxy_outpost",
+            type=OutpostType.PROXY,
+            deployment_type=OutpostDeploymentType.CUSTOM,
+        )
+        outpost.providers.add(proxy)
+        outpost.save()
+
+        self.proxy_container = self.start_proxy(outpost)
+
+        # Wait until outpost healthcheck succeeds
+        healthcheck_retries = 0
+        while healthcheck_retries < 50:
+            if outpost.deployment_health:
+                break
+            healthcheck_retries += 1
+            sleep(0.5)
+
+        self.driver.get("http://localhost:4180")
+
+        self.driver.find_element(By.ID, "id_uid_field").click()
+        self.driver.find_element(By.ID, "id_uid_field").send_keys(USER().username)
+        self.driver.find_element(By.ID, "id_uid_field").send_keys(Keys.ENTER)
+        self.driver.find_element(By.ID, "id_password").send_keys(USER().username)
+        self.driver.find_element(By.ID, "id_password").send_keys(Keys.ENTER)
+
+        sleep(1)
+
+        full_body_text = self.driver.find_element(By.CSS_SELECTOR, "pre").text
+        self.assertIn("X-Forwarded-Preferred-Username: pbadmin", full_body_text)

e2e/test_provider_saml.py

@@ -1,11 +1,14 @@
 """test SAML Provider flow"""
+from sys import platform
 from time import sleep
+from unittest.case import skipUnless
 
 from docker import DockerClient, from_env
 from docker.models.containers import Container
 from docker.types import Healthcheck
 from selenium.webdriver.common.by import By
 from selenium.webdriver.common.keys import Keys
+from selenium.webdriver.support import expected_conditions as ec
 from structlog import get_logger
 
 from e2e.utils import USER, SeleniumTestCase
@@ -23,6 +26,7 @@ from passbook.providers.saml.models import (
 LOGGER = get_logger()
 
 
+@skipUnless(platform.startswith("linux"), "requires local docker")
 class TestProviderSAML(SeleniumTestCase):
     """test SAML Provider flow"""
 
@@ -60,10 +64,6 @@ class TestProviderSAML(SeleniumTestCase):
             LOGGER.info("Container failed healthcheck")
             sleep(1)
 
-    def tearDown(self):
-        self.container.kill()
-        super().tearDown()
-
     def test_sp_initiated_implicit(self):
         """test SAML Provider flow SP-initiated flow (implicit consent)"""
         # Bootstrap all needed objects
@@ -207,7 +207,10 @@ class TestProviderSAML(SeleniumTestCase):
         self.driver.find_element(By.ID, "id_uid_field").send_keys(Keys.ENTER)
         self.driver.find_element(By.ID, "id_password").send_keys(USER().username)
         self.driver.find_element(By.ID, "id_password").send_keys(Keys.ENTER)
-        self.wait_for_url(self.url("passbook_flows:denied"))
+
+        self.wait.until(
+            ec.presence_of_element_located((By.CSS_SELECTOR, "header > h1"))
+        )
         self.assertEqual(
             self.driver.find_element(By.CSS_SELECTOR, "header > h1").text,
             "Permission denied",

e2e/test_source_oauth.py

@@ -1,8 +1,11 @@
 """test OAuth Source"""
 from os.path import abspath
+from sys import platform
 from time import sleep
+from typing import Any, Dict, Optional
+from unittest.case import skipUnless
 
-from docker import DockerClient, from_env
+from django.test import override_settings
 from docker.models.containers import Container
 from docker.types import Healthcheck
 from selenium.webdriver.common.by import By
@@ -21,6 +24,7 @@ CONFIG_PATH = "/tmp/dex.yml"
 LOGGER = get_logger()
 
 
+@skipUnless(platform.startswith("linux"), "requires local docker")
 class TestSourceOAuth(SeleniumTestCase):
     """test OAuth Source flow"""
 
@@ -28,7 +32,7 @@ class TestSourceOAuth(SeleniumTestCase):
 
     def setUp(self):
         self.client_secret = generate_client_secret()
-        self.container = self.setup_client()
+        self.prepare_dex_config()
         super().setUp()
 
     def prepare_dex_config(self):
@@ -66,34 +70,23 @@ class TestSourceOAuth(SeleniumTestCase):
         with open(CONFIG_PATH, "w+") as _file:
             safe_dump(config, _file)
 
-    def setup_client(self) -> Container:
-        """Setup test Dex container"""
-        self.prepare_dex_config()
-        client: DockerClient = from_env()
-        container = client.containers.run(
-            image="quay.io/dexidp/dex:v2.24.0",
-            detach=True,
-            network_mode="host",
-            auto_remove=True,
-            command="serve /config.yml",
-            healthcheck=Healthcheck(
+    def get_container_specs(self) -> Optional[Dict[str, Any]]:
+        return {
+            "image": "quay.io/dexidp/dex:v2.24.0",
+            "detach": True,
+            "network_mode": "host",
+            "auto_remove": True,
+            "command": "serve /config.yml",
+            "healthcheck": Healthcheck(
                 test=["CMD", "wget", "--spider", "http://localhost:5556/dex/healthz"],
                 interval=5 * 100 * 1000000,
                 start_period=1 * 100 * 1000000,
             ),
-            volumes={abspath(CONFIG_PATH): {"bind": "/config.yml", "mode": "ro"}},
-        )
-        while True:
-            container.reload()
-            status = container.attrs.get("State", {}).get("Health", {}).get("Status")
-            if status == "healthy":
-                return container
-            LOGGER.info("Container failed healthcheck")
-            sleep(1)
+            "volumes": {abspath(CONFIG_PATH): {"bind": "/config.yml", "mode": "ro"}},
+        }
 
     def create_objects(self):
         """Create required objects"""
-        sleep(1)
         # Bootstrap all needed objects
         authentication_flow = Flow.objects.get(slug="default-source-authentication")
         enrollment_flow = Flow.objects.get(slug="default-source-enrollment")
@@ -111,10 +104,6 @@ class TestSourceOAuth(SeleniumTestCase):
             consumer_secret=self.client_secret,
         )
 
-    def tearDown(self):
-        self.container.kill()
-        super().tearDown()
-
     def test_oauth_enroll(self):
         """test OAuth Source With With OIDC"""
         self.create_objects()
@@ -141,6 +130,7 @@ class TestSourceOAuth(SeleniumTestCase):
         )
         self.driver.find_element(By.CSS_SELECTOR, "button[type=submit]").click()
 
+        self.wait.until(ec.presence_of_element_located((By.NAME, "username")))
         # At this point we've been redirected back
         # and we're asked for the username
         self.driver.find_element(By.NAME, "username").click()
@@ -167,6 +157,42 @@ class TestSourceOAuth(SeleniumTestCase):
             "admin@example.com",
         )
 
+    @override_settings(SESSION_COOKIE_SAMESITE="strict")
+    def test_oauth_samesite_strict(self):
+        """test OAuth Source With SameSite set to strict
+        (=will fail because session is not carried over)"""
+        self.create_objects()
+        self.driver.get(self.live_server_url)
+
+        self.wait.until(
+            ec.presence_of_element_located(
+                (By.CLASS_NAME, "pf-c-login__main-footer-links-item-link")
+            )
+        )
+        self.driver.find_element(
+            By.CLASS_NAME, "pf-c-login__main-footer-links-item-link"
+        ).click()
+
+        # Now we should be at the IDP, wait for the login field
+        self.wait.until(ec.presence_of_element_located((By.ID, "login")))
+        self.driver.find_element(By.ID, "login").send_keys("admin@example.com")
+        self.driver.find_element(By.ID, "password").send_keys("password")
+        self.driver.find_element(By.ID, "password").send_keys(Keys.ENTER)
+
+        # Wait until we're logged in
+        self.wait.until(
+            ec.presence_of_element_located((By.CSS_SELECTOR, "button[type=submit]"))
+        )
+        self.driver.find_element(By.CSS_SELECTOR, "button[type=submit]").click()
+
+        self.wait.until(
+            ec.presence_of_element_located((By.CSS_SELECTOR, ".pf-c-alert__title"))
+        )
+        self.assertEqual(
+            self.driver.find_element(By.CSS_SELECTOR, ".pf-c-alert__title").text,
+            "Authentication Failed.",
+        )
+
     def test_oauth_enroll_auth(self):
         """test OAuth Source With With OIDC (enroll and authenticate again)"""
         self.test_oauth_enroll()
@@ -178,10 +204,11 @@ class TestSourceOAuth(SeleniumTestCase):
                 (By.CLASS_NAME, "pf-c-login__main-footer-links-item-link")
             )
         )
+        sleep(1)
         self.driver.find_element(
             By.CLASS_NAME, "pf-c-login__main-footer-links-item-link"
         ).click()
-
+        sleep(1)
         # Now we should be at the IDP, wait for the login field
         self.wait.until(ec.presence_of_element_located((By.ID, "login")))
         self.driver.find_element(By.ID, "login").send_keys("admin@example.com")

e2e/test_source_saml.py

@@ -1,8 +1,9 @@
 """test SAML Source"""
+from sys import platform
 from time import sleep
+from typing import Any, Dict, Optional
+from unittest.case import skipUnless
 
-from docker import DockerClient, from_env
-from docker.models.containers import Container
 from docker.types import Healthcheck
 from selenium.webdriver.common.by import By
 from selenium.webdriver.common.keys import Keys
@@ -68,48 +69,31 @@ Sm75WXsflOxuTn08LbgGc4s=
 -----END PRIVATE KEY-----"""
 
 
+@skipUnless(platform.startswith("linux"), "requires local docker")
 class TestSourceSAML(SeleniumTestCase):
     """test SAML Source flow"""
 
-    def setUp(self):
-        self.container = self.setup_client()
-        super().setUp()
-
-    def setup_client(self) -> Container:
-        """Setup test IdP container"""
-        client: DockerClient = from_env()
-        container = client.containers.run(
-            image="kristophjunge/test-saml-idp:1.15",
-            detach=True,
-            network_mode="host",
-            auto_remove=True,
-            healthcheck=Healthcheck(
+    def get_container_specs(self) -> Optional[Dict[str, Any]]:
+        return {
+            "image": "kristophjunge/test-saml-idp:1.15",
+            "detach": True,
+            "network_mode": "host",
+            "auto_remove": True,
+            "healthcheck": Healthcheck(
                 test=["CMD", "curl", "http://localhost:8080"],
                 interval=5 * 100 * 1000000,
                 start_period=1 * 100 * 1000000,
             ),
-            environment={
+            "environment": {
                 "SIMPLESAMLPHP_SP_ENTITY_ID": "entity-id",
                 "SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE": (
                     f"{self.live_server_url}/source/saml/saml-idp-test/acs/"
                 ),
             },
-        )
-        while True:
-            container.reload()
-            status = container.attrs.get("State", {}).get("Health", {}).get("Status")
-            if status == "healthy":
-                return container
-            LOGGER.info("Container failed healthcheck")
-            sleep(1)
-
-    def tearDown(self):
-        self.container.kill()
-        super().tearDown()
+        }
 
     def test_idp_redirect(self):
         """test SAML Source With redirect binding"""
-        sleep(1)
         # Bootstrap all needed objects
         authentication_flow = Flow.objects.get(slug="default-source-authentication")
         enrollment_flow = Flow.objects.get(slug="default-source-enrollment")
@@ -161,7 +145,6 @@ class TestSourceSAML(SeleniumTestCase):
 
     def test_idp_post(self):
         """test SAML Source With post binding"""
-        sleep(1)
         # Bootstrap all needed objects
         authentication_flow = Flow.objects.get(slug="default-source-authentication")
         enrollment_flow = Flow.objects.get(slug="default-source-enrollment")
@@ -215,7 +198,6 @@ class TestSourceSAML(SeleniumTestCase):
 
     def test_idp_post_auto(self):
         """test SAML Source With post binding (auto redirect)"""
-        sleep(1)
         # Bootstrap all needed objects
         authentication_flow = Flow.objects.get(slug="default-source-authentication")
         enrollment_flow = Flow.objects.get(slug="default-source-enrollment")

e2e/utils.py

@@ -4,13 +4,16 @@ from glob import glob
 from importlib.util import module_from_spec, spec_from_file_location
 from inspect import getmembers, isfunction
 from os import environ, makedirs
-from time import time
+from time import sleep, time
+from typing import Any, Dict, Optional
 
 from django.apps import apps
 from django.contrib.staticfiles.testing import StaticLiveServerTestCase
 from django.db import connection, transaction
 from django.db.utils import IntegrityError
 from django.shortcuts import reverse
+from docker import DockerClient, from_env
+from docker.models.containers import Container
 from selenium import webdriver
 from selenium.webdriver.common.desired_capabilities import DesiredCapabilities
 from selenium.webdriver.remote.webdriver import WebDriver
@@ -30,15 +33,37 @@ def USER() -> User:  # noqa
 class SeleniumTestCase(StaticLiveServerTestCase):
     """StaticLiveServerTestCase which automatically creates a Webdriver instance"""
 
+    container: Optional[Container] = None
+
     def setUp(self):
         super().setUp()
         makedirs("selenium_screenshots/", exist_ok=True)
         self.driver = self._get_driver()
         self.driver.maximize_window()
-        self.driver.implicitly_wait(30)
-        self.wait = WebDriverWait(self.driver, 50)
+        self.driver.implicitly_wait(10)
+        self.wait = WebDriverWait(self.driver, 30)
         self.apply_default_data()
         self.logger = get_logger()
+        if specs := self.get_container_specs():
+            self.container = self._start_container(specs)
+
+    def _start_container(self, specs: Dict[str, Any]) -> Container:
+        client: DockerClient = from_env()
+        container = client.containers.run(**specs)
+        if "healthcheck" not in specs:
+            return container
+        while True:
+            container.reload()
+            status = container.attrs.get("State", {}).get("Health", {}).get("Status")
+            if status == "healthy":
+                return container
+            self.logger.info("Container failed healthcheck")
+            sleep(1)
+
+    def get_container_specs(self) -> Optional[Dict[str, Any]]:
+        """Optionally get container specs which will launched on setup, wait for the container to
+        be healthy, and deleted again on tearDown"""
+        return None
 
     def _get_driver(self) -> WebDriver:
         return webdriver.Remote(
@@ -57,6 +82,8 @@ class SeleniumTestCase(StaticLiveServerTestCase):
             self.logger.warning(
                 line["message"], source=line["source"], level=line["level"]
             )
+        if self.container:
+            self.container.kill()
         self.driver.quit()
         super().tearDown()
 

helm/Chart.yaml

@@ -1,15 +1,15 @@
 apiVersion: v2
-appVersion: "0.10.0-rc2"
+appVersion: "0.10.6-stable"
 description: A Helm chart for passbook.
 name: passbook
-version: "0.10.0-rc2"
-icon: https://github.com/BeryJu/passbook/blob/master/passbook/static/static/passbook/logo.svg
+version: "0.10.6-stable"
+icon: https://github.com/BeryJu/passbook/blob/master/docs/images/logo.svg
 dependencies:
   - name: postgresql
-    version: 9.3.2
+    version: 9.4.1
     repository: https://charts.bitnami.com/bitnami
     condition: install.postgresql
   - name: redis
-    version: 10.7.16
+    version: 10.9.0
     repository: https://charts.bitnami.com/bitnami
     condition: install.redis

helm/templates/web-deployment.yaml

@@ -9,7 +9,7 @@ metadata:
     app.kubernetes.io/managed-by: {{ .Release.Service }}
     k8s.passbook.beryju.org/component: web
 spec:
-  replicas: {{ serverReplicas }}
+  replicas: {{ .Values.serverReplicas }}
   selector:
     matchLabels:
       app.kubernetes.io/name: {{ include "passbook.name" . }}
@@ -22,10 +22,29 @@ spec:
         app.kubernetes.io/instance: {{ .Release.Name }}
         k8s.passbook.beryju.org/component: web
     spec:
+      affinity:
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+          - weight: 1
+            podAffinityTerm:
+              labelSelector:
+                matchExpressions:
+                - key: app.kubernetes.io/name
+                  operator: In
+                  values:
+                  - {{ include "passbook.name" . }}
+                - key: app.kubernetes.io/instance
+                  operator: In
+                  values:
+                  - {{ .Release.Name }}
+                - key: k8s.passbook.beryju.org/component
+                  operator: In
+                  values:
+                  - web
+              topologyKey: "kubernetes.io/hostname"
       initContainers:
         - name: passbook-database-migrations
           image: "{{ .Values.image.name }}:{{ .Values.image.tag }}"
-          imagePullPolicy: Always
           args: [migrate]
           envFrom:
             - configMapRef:
@@ -50,7 +69,6 @@ spec:
       containers:
         - name: {{ .Chart.Name }}
           image: "{{ .Values.image.name }}:{{ .Values.image.tag }}"
-          imagePullPolicy: Always
           args: [server]
           envFrom:
             - configMapRef:
@@ -93,7 +111,7 @@ spec:
           resources:
             requests:
               cpu: 100m
-              memory: 200M
+              memory: 300M
             limits:
               cpu: 300m
-              memory: 350M
+              memory: 500M

helm/templates/worker-deployment.yaml

@@ -9,7 +9,7 @@ metadata:
     app.kubernetes.io/managed-by: {{ .Release.Service }}
     k8s.passbook.beryju.org/component: worker
 spec:
-  replicas: {{ workerReplicas }}
+  replicas: {{ .Values.workerReplicas }}
   selector:
     matchLabels:
       app.kubernetes.io/name: {{ include "passbook.name" . }}
@@ -22,6 +22,26 @@ spec:
         app.kubernetes.io/instance: {{ .Release.Name }}
         k8s.passbook.beryju.org/component: worker
     spec:
+      affinity:
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+          - weight: 1
+            podAffinityTerm:
+              labelSelector:
+                matchExpressions:
+                - key: app.kubernetes.io/name
+                  operator: In
+                  values:
+                  - {{ include "passbook.name" . }}
+                - key: app.kubernetes.io/instance
+                  operator: In
+                  values:
+                  - {{ .Release.Name }}
+                - key: k8s.passbook.beryju.org/component
+                  operator: In
+                  values:
+                  - worker
+              topologyKey: "kubernetes.io/hostname"
       containers:
         - name: {{ .Chart.Name }}
           image: "{{ .Values.image.name }}:{{ .Values.image.tag }}"
@@ -50,7 +70,7 @@ spec:
           resources:
             requests:
               cpu: 150m
-              memory: 300M
+              memory: 400M
             limits:
               cpu: 300m
-              memory: 500M
+              memory: 600M

helm/values.yaml

@@ -4,7 +4,7 @@
 image:
   name: beryju/passbook
   name_static: beryju/passbook-static
-  tag: 0.10.0-rc2
+  tag: 0.10.6-stable
 
 nameOverride: ""
 

lifecycle/bootstrap.sh

@@ -4,7 +4,7 @@ printf '{"event": "Bootstrap completed", "level": "info", "logger": "bootstrap",
 if [[ "$1" == "server" ]]; then
     gunicorn -c /lifecycle/gunicorn.conf.py passbook.root.asgi:application
 elif [[ "$1" == "worker" ]]; then
-    celery worker --autoscale=10,3 -E -B -A=passbook.root.celery -s=/tmp/celerybeat-schedule
+    celery worker --autoscale=10,3 -E -B -A=passbook.root.celery -s=/tmp/celerybeat-schedule -Q passbook,passbook_scheduled
 elif [[ "$1" == "migrate" ]]; then
     # Run system migrations first, run normal migrations after
     python -m lifecycle.migrate

lifecycle/gunicorn.conf.py

@@ -1,9 +1,10 @@
 """Gunicorn config"""
+from multiprocessing import cpu_count
+from pathlib import Path
+
 import structlog
 
 bind = "0.0.0.0:8000"
-workers = 2
-threads = 4
 
 user = "passbook"
 group = "passbook"
@@ -40,3 +41,11 @@ logconfig_dict = {
         "gunicorn": {"handlers": ["console"], "level": "INFO", "propagate": False},
     },
 }
+
+# if we're running in kubernetes, use fixed workers because we can scale with more pods
+# otherwise (assume docker-compose), use as much as we can
+if Path("/var/run/secrets/kubernetes.io").exists():
+    workers = 2
+else:
+    worker = cpu_count() * 2 + 1
+threads = 4

lifecycle/wait_for_db.py

@@ -1,16 +1,28 @@
 #!/usr/bin/env python
 """This file needs to be run from the root of the project to correctly
 import passbook. This is done by the dockerfile."""
+from json import dumps
+from sys import stderr
 from time import sleep
 
 from psycopg2 import OperationalError, connect
 from redis import Redis
 from redis.exceptions import RedisError
-from structlog import get_logger
 
 from passbook.lib.config import CONFIG
 
-LOGGER = get_logger()
+
+def j_print(event: str, log_level: str = "info", **kwargs):
+    """Print event in the same format as structlog with JSON.
+    Used before structlog is configured."""
+    data = {
+        "event": event,
+        "level": log_level,
+        "logger": __name__,
+    }
+    data.update(**kwargs)
+    print(dumps(data), file=stderr)
+
 
 while True:
     try:
@@ -24,7 +36,7 @@ while True:
         break
     except OperationalError:
         sleep(1)
-        LOGGER.warning("PostgreSQL Connection failed, retrying...")
+        j_print("PostgreSQL Connection failed, retrying...")
 
 while True:
     try:
@@ -38,4 +50,4 @@ while True:
         break
     except RedisError:
         sleep(1)
-        LOGGER.warning("Redis Connection failed, retrying...")
+        j_print("Redis Connection failed, retrying...")

mkdocs.yml

@@ -30,7 +30,11 @@ nav:
     - OAuth2: providers/oauth2.md
     - SAML: providers/saml.md
     - Proxy: providers/proxy.md
-  - Outposts: outposts/outposts.md
+  - Outposts:
+    - Overview: outposts/outposts.md
+    - Upgrading: outposts/upgrading.md
+    - Deploy on docker-compose: outposts/deploy-docker-compose.md
+    - Deploy on Kubernetes: outposts/deploy-kubernetes.md
   - Expressions:
     - Overview: expressions/index.md
     - Reference:
@@ -49,9 +53,14 @@ nav:
         - Harbor: integrations/services/harbor/index.md
         - Sentry: integrations/services/sentry/index.md
         - Ansible Tower/AWX: integrations/services/tower-awx/index.md
+        - VMware vCenter: integrations/services/vmware-vcenter/index.md
+        - Ubuntu Landscape: integrations/services/ubuntu-landscape/index.md
+        - Sonarr: integrations/services/sonarr/index.md
   - Upgrading:
     - to 0.9: upgrading/to-0.9.md
     - to 0.10: upgrading/to-0.10.md
+  - Troubleshooting:
+    - Access problems: troubleshooting/access.md
 
 repo_name: "BeryJu/passbook"
 repo_url: https://github.com/BeryJu/passbook

passbook/__init__.py

@@ -1,2 +1,2 @@
 """passbook"""
-__version__ = "0.10.0-rc2"
+__version__ = "0.10.6-stable"

passbook/admin/fields.py

@@ -15,11 +15,8 @@ class CodeMirrorWidget(forms.Textarea):
         self.mode = mode
 
     def render(self, *args, **kwargs):
-        if "attrs" not in kwargs:
-            kwargs["attrs"] = {}
-        attrs = kwargs["attrs"]
-        if "class" not in attrs:
-            attrs["class"] = ""
+        attrs = kwargs.setdefault("attrs", {})
+        attrs.setdefault("class", "")
         attrs["class"] += " codemirror"
         attrs["data-cm-mode"] = self.mode
         return super().render(*args, **kwargs)
@@ -56,6 +53,8 @@ class YAMLField(forms.JSONField):
             )
         if isinstance(converted, str):
             return YAMLString(converted)
+        if converted is None:
+            return {}
         return converted
 
     def bound_data(self, data, initial):

passbook/admin/forms/users.py

@@ -12,7 +12,7 @@ class UserForm(forms.ModelForm):
     class Meta:
 
         model = User
-        fields = ["username", "name", "email", "is_staff", "is_active", "attributes"]
+        fields = ["username", "name", "email", "is_active", "attributes"]
         widgets = {
             "name": forms.TextInput,
             "attributes": CodeMirrorWidget,

passbook/admin/middleware.py

@@ -1,26 +0,0 @@
-"""passbook admin Middleware to impersonate users"""
-
-from passbook.core.models import User
-
-
-def impersonate(get_response):
-    """Middleware to impersonate users"""
-
-    def middleware(request):
-        """Middleware to impersonate users"""
-
-        # User is superuser and has __impersonate ID set
-        if request.user.is_superuser and "__impersonate" in request.GET:
-            request.session["impersonate_id"] = request.GET["__impersonate"]
-        # user wants to stop impersonation
-        elif "__unimpersonate" in request.GET and "impersonate_id" in request.session:
-            del request.session["impersonate_id"]
-
-        # Actually impersonate user
-        if request.user.is_superuser and "impersonate_id" in request.session:
-            request.user = User.objects.get(pk=request.session["impersonate_id"])
-
-        response = get_response(request)
-        return response
-
-    return middleware

passbook/admin/settings.py

@@ -1,5 +0,0 @@
-"""passbook admin settings"""
-
-MIDDLEWARE = [
-    "passbook.admin.middleware.impersonate",
-]

passbook/admin/templates/administration/group/list.html

@@ -50,7 +50,7 @@
                     </td>
                     <td role="cell">
                         <span>
-                            {{ group.user_set.all|length }}
+                            {{ group.users.all|length }}
                         </span>
                     </td>
                     <td>

passbook/admin/templates/administration/outpost/list.html

@@ -3,18 +3,7 @@
 {% load i18n %}
 {% load humanize %}
 {% load passbook_utils %}
-
-{% block head %}
-{{ block.super }}
-<style>
-.pf-m-success {
-    color: var(--pf-global--success-color--100);
-}
-.pf-m-danger {
-    color: var(--pf-global--danger-color--100);
-}
-</style>
-{% endblock %}
+{% load admin_reflection %}
 
 {% block content %}
 <section class="pf-c-page__main-section pf-m-light">
@@ -32,7 +21,7 @@
         <div class="pf-c-toolbar">
             <div class="pf-c-toolbar__content">
                 <div class="pf-c-toolbar__bulk-select">
-                    <a href="{% url 'passbook_admin:flow-create' %}?back={{ request.get_full_path }}" class="pf-c-button pf-m-primary" type="button">{% trans 'Create' %}</a>
+                    <a href="{% url 'passbook_admin:outpost-create' %}?back={{ request.get_full_path }}" class="pf-c-button pf-m-primary" type="button">{% trans 'Create' %}</a>
                 </div>
                 {% include 'partials/pagination.html' %}
             </div>
@@ -43,6 +32,7 @@
                     <th role="columnheader" scope="col">{% trans 'Name' %}</th>
                     <th role="columnheader" scope="col">{% trans 'Providers' %}</th>
                     <th role="columnheader" scope="col">{% trans 'Health' %}</th>
+                    <th role="columnheader" scope="col">{% trans 'Version' %}</th>
                     <th role="cell"></th>
                 </tr>
             </thead>
@@ -50,7 +40,7 @@
                 {% for outpost in object_list %}
                 <tr role="row">
                     <th role="columnheader">
-                        <a href="{% url 'passbook_outposts:setup' outpost_pk=outpost.pk %}">{{ outpost.name }}</a>
+                        <span>{{ outpost.name }}</span>
                     </th>
                     <td role="cell">
                         <span>
@@ -58,7 +48,7 @@
                         </span>
                     </td>
                     <td role="cell">
-                        {% with health=outpost.health %}
+                        {% with health=outpost.deployment_health %}
                         {% if health %}
                             <i class="fas fa-check pf-m-success"></i> {{ health|naturaltime }}
                         {% else %}
@@ -66,9 +56,28 @@
                         {% endif %}
                         {% endwith %}
                     </td>
+                    <td role="cell">
+                        <span>
+                            {% with ver=outpost.deployment_version %}
+                            {% if ver.outdated %}
+                                {% if ver.version == "" %}
+                                <i class="fas fa-times pf-m-danger"></i> -
+                                {% else %}
+                                <i class="fas fa-times pf-m-danger"></i> {% blocktrans with is=ver.version should=ver.should %}{{ is }}, should be {{ should }}{% endblocktrans %}
+                                {% endif %}
+                            {% else %}
+                            <i class="fas fa-check pf-m-success"></i> {{ ver.version }}
+                            {% endif %}
+                            {% endwith %}
+                        </span>
+                    </td>
                     <td>
                         <a class="pf-c-button pf-m-secondary" href="{% url 'passbook_admin:outpost-update' pk=outpost.pk %}?back={{ request.get_full_path }}">{% trans 'Edit' %}</a>
                         <a class="pf-c-button pf-m-danger" href="{% url 'passbook_admin:outpost-delete' pk=outpost.pk %}?back={{ request.get_full_path }}">{% trans 'Delete' %}</a>
+                        {% get_htmls outpost as htmls %}
+                        {% for html in htmls %}
+                        {{ html|safe }}
+                        {% endfor %}
                     </td>
                 </tr>
                 {% endfor %}

passbook/admin/templates/administration/policy/list.html

@@ -55,7 +55,7 @@
                     <th role="columnheader">
                         <div>
                             <div>{{ policy.name }}</div>
-                            {% if not policy.bindings.exists %}
+                            {% if not policy.bindings.exists and not policy.promptstage_set.exists %}
                             <i class="pf-icon pf-icon-warning-triangle"></i>
                             <small>{% trans 'Warning: Policy is not assigned.' %}</small>
                             {% else %}

passbook/admin/templates/administration/user/list.html

@@ -55,7 +55,7 @@
                         <a class="pf-c-button pf-m-secondary" href="{% url 'passbook_admin:user-update' pk=user.pk %}?back={{ request.get_full_path }}">{% trans 'Edit' %}</a>
                         <a class="pf-c-button pf-m-danger" href="{% url 'passbook_admin:user-delete' pk=user.pk %}?back={{ request.get_full_path }}">{% trans 'Delete' %}</a>
                         <a class="pf-c-button pf-m-tertiary" href="{% url 'passbook_admin:user-password-reset' pk=user.pk %}?back={{ request.get_full_path }}">{% trans 'Reset Password' %}</a>
-                        <a class="pf-c-button pf-m-tertiary" href="{% url 'passbook_core:overview' %}?__impersonate={{ user.pk }}">{% trans 'Impersonate' %}</a>
+                        <a class="pf-c-button pf-m-tertiary" href="{% url 'passbook_core:impersonate-init' user_id=user.pk %}">{% trans 'Impersonate' %}</a>
                     </td>
                 </tr>
                 {% endfor %}

passbook/admin/tests.py

@@ -8,7 +8,7 @@ from django.test import Client, TestCase
 from django.urls.exceptions import NoReverseMatch
 
 from passbook.admin.urls import urlpatterns
-from passbook.core.models import User
+from passbook.core.models import Group, User
 from passbook.lib.utils.reflection import get_apps
 
 
@@ -16,7 +16,9 @@ class TestAdmin(TestCase):
     """Generic admin tests"""
 
     def setUp(self):
-        self.user = User.objects.create_superuser(username="test")
+        self.user = User.objects.create_user(username="test")
+        self.user.pb_groups.add(Group.objects.filter(is_superuser=True).first())
+        self.user.save()
         self.client = Client()
         self.client.force_login(self.user)
 

passbook/admin/views/applications.py

@@ -5,7 +5,7 @@ from django.contrib.auth.mixins import (
 )
 from django.contrib.messages.views import SuccessMessageMixin
 from django.urls import reverse_lazy
-from django.utils.translation import ugettext as _
+from django.utils.translation import gettext as _
 from django.views.generic import ListView, UpdateView
 from guardian.mixins import PermissionListMixin, PermissionRequiredMixin
 

passbook/admin/views/certificate_key_pair.py

@@ -5,7 +5,7 @@ from django.contrib.auth.mixins import (
 )
 from django.contrib.messages.views import SuccessMessageMixin
 from django.urls import reverse_lazy
-from django.utils.translation import ugettext as _
+from django.utils.translation import gettext as _
 from django.views.generic import ListView, UpdateView
 from guardian.mixins import PermissionListMixin, PermissionRequiredMixin
 

passbook/admin/views/flows.py

@@ -7,7 +7,7 @@ from django.contrib.auth.mixins import (
 from django.contrib.messages.views import SuccessMessageMixin
 from django.http import HttpRequest, HttpResponse, JsonResponse
 from django.urls import reverse_lazy
-from django.utils.translation import ugettext as _
+from django.utils.translation import gettext as _
 from django.views.generic import DetailView, FormView, ListView, UpdateView
 from guardian.mixins import PermissionListMixin, PermissionRequiredMixin
 

passbook/admin/views/groups.py

@@ -5,7 +5,7 @@ from django.contrib.auth.mixins import (
 )
 from django.contrib.messages.views import SuccessMessageMixin
 from django.urls import reverse_lazy
-from django.utils.translation import ugettext as _
+from django.utils.translation import gettext as _
 from django.views.generic import ListView, UpdateView
 from guardian.mixins import PermissionListMixin, PermissionRequiredMixin
 

passbook/admin/views/outposts.py

@@ -1,18 +1,21 @@
 """passbook Outpost administration"""
+from dataclasses import asdict
+from typing import Any, Dict
+
 from django.contrib.auth.mixins import LoginRequiredMixin
 from django.contrib.auth.mixins import (
     PermissionRequiredMixin as DjangoPermissionRequiredMixin,
 )
 from django.contrib.messages.views import SuccessMessageMixin
 from django.urls import reverse_lazy
-from django.utils.translation import ugettext as _
+from django.utils.translation import gettext as _
 from django.views.generic import ListView, UpdateView
 from guardian.mixins import PermissionListMixin, PermissionRequiredMixin
 
 from passbook.admin.views.utils import DeleteMessageView
 from passbook.lib.views import CreateAssignPermView
 from passbook.outposts.forms import OutpostForm
-from passbook.outposts.models import Outpost
+from passbook.outposts.models import Outpost, OutpostConfig
 
 
 class OutpostListView(LoginRequiredMixin, PermissionListMixin, ListView):
@@ -41,6 +44,13 @@ class OutpostCreateView(
     success_url = reverse_lazy("passbook_admin:outposts")
     success_message = _("Successfully created Outpost")
 
+    def get_initial(self) -> Dict[str, Any]:
+        return {
+            "_config": asdict(
+                OutpostConfig(passbook_host=self.request.build_absolute_uri("/"))
+            )
+        }
+
 
 class OutpostUpdateView(
     SuccessMessageMixin, LoginRequiredMixin, PermissionRequiredMixin, UpdateView
@@ -53,7 +63,7 @@ class OutpostUpdateView(
 
     template_name = "generic/update.html"
     success_url = reverse_lazy("passbook_admin:outposts")
-    success_message = _("Successfully updated Certificate-Key Pair")
+    success_message = _("Successfully updated Outpost")
 
 
 class OutpostDeleteView(LoginRequiredMixin, PermissionRequiredMixin, DeleteMessageView):
@@ -64,4 +74,4 @@ class OutpostDeleteView(LoginRequiredMixin, PermissionRequiredMixin, DeleteMessa
 
     template_name = "generic/delete.html"
     success_url = reverse_lazy("passbook_admin:outposts")
-    success_message = _("Successfully deleted Certificate-Key Pair")
+    success_message = _("Successfully deleted Outpost")

passbook/admin/views/overview.py

@@ -1,8 +1,10 @@
 """passbook administration overview"""
+from typing import Union
+
 from django.core.cache import cache
 from django.shortcuts import redirect, reverse
 from django.views.generic import TemplateView
-from packaging.version import Version, parse
+from packaging.version import LegacyVersion, Version, parse
 from requests import RequestException, get
 
 from passbook import __version__
@@ -16,7 +18,7 @@ from passbook.stages.invitation.models import Invitation
 VERSION_CACHE_KEY = "passbook_latest_version"
 
 
-def latest_version() -> Version:
+def latest_version() -> Union[LegacyVersion, Version]:
     """Get latest release from GitHub, cached"""
     if not cache.get(VERSION_CACHE_KEY):
         try:
@@ -45,7 +47,7 @@ class AdministrationOverviewView(AdminRequiredMixin, TemplateView):
     def get_context_data(self, **kwargs):
         kwargs["application_count"] = len(Application.objects.all())
         kwargs["policy_count"] = len(Policy.objects.all())
-        kwargs["user_count"] = len(User.objects.all())
+        kwargs["user_count"] = len(User.objects.all()) - 1  # Remove anonymous user
         kwargs["provider_count"] = len(Provider.objects.all())
         kwargs["source_count"] = len(Source.objects.all())
         kwargs["stage_count"] = len(Stage.objects.all())
@@ -58,7 +60,7 @@ class AdministrationOverviewView(AdminRequiredMixin, TemplateView):
             application=None
         )
         kwargs["policies_without_binding"] = len(
-            Policy.objects.filter(bindings__isnull=True)
+            Policy.objects.filter(bindings__isnull=True, promptstage__isnull=True)
         )
         kwargs["cached_policies"] = len(cache.keys("policy_*"))
         kwargs["cached_flows"] = len(cache.keys("flow_*"))

passbook/admin/views/policies.py

@@ -10,7 +10,7 @@ from django.contrib.messages.views import SuccessMessageMixin
 from django.db.models import QuerySet
 from django.http import HttpResponse
 from django.urls import reverse_lazy
-from django.utils.translation import ugettext as _
+from django.utils.translation import gettext as _
 from django.views.generic import FormView
 from django.views.generic.detail import DetailView
 from guardian.mixins import PermissionListMixin, PermissionRequiredMixin

passbook/admin/views/policies_bindings.py

@@ -6,14 +6,15 @@ from django.contrib.auth.mixins import (
 from django.contrib.messages.views import SuccessMessageMixin
 from django.db.models import QuerySet
 from django.urls import reverse_lazy
-from django.utils.translation import ugettext as _
+from django.utils.translation import gettext as _
 from django.views.generic import ListView, UpdateView
 from guardian.mixins import PermissionListMixin, PermissionRequiredMixin
+from guardian.shortcuts import get_objects_for_user
 
 from passbook.admin.views.utils import DeleteMessageView
 from passbook.lib.views import CreateAssignPermView
 from passbook.policies.forms import PolicyBindingForm
-from passbook.policies.models import PolicyBinding, PolicyBindingModel
+from passbook.policies.models import PolicyBinding
 
 
 class PolicyBindingListView(LoginRequiredMixin, PermissionListMixin, ListView):
@@ -29,13 +30,18 @@ class PolicyBindingListView(LoginRequiredMixin, PermissionListMixin, ListView):
         # Since `select_subclasses` does not work with a foreign key, we have to do two queries here
         # First, get all pbm objects that have bindings attached
         objects = (
-            PolicyBindingModel.objects.filter(policies__isnull=False)
+            get_objects_for_user(
+                self.request.user, "passbook_policies.view_policybindingmodel"
+            )
+            .filter(policies__isnull=False)
             .select_subclasses()
             .select_related()
             .order_by("pk")
         )
         for pbm in objects:
-            pbm.bindings = PolicyBinding.objects.filter(target__pk=pbm.pbm_uuid)
+            pbm.bindings = get_objects_for_user(
+                self.request.user, self.permission_required
+            ).filter(target__pk=pbm.pbm_uuid)
         return objects
 
 

passbook/admin/views/property_mapping.py

@@ -5,7 +5,7 @@ from django.contrib.auth.mixins import (
 )
 from django.contrib.messages.views import SuccessMessageMixin
 from django.urls import reverse_lazy
-from django.utils.translation import ugettext as _
+from django.utils.translation import gettext as _
 from guardian.mixins import PermissionListMixin, PermissionRequiredMixin
 
 from passbook.admin.views.utils import (

passbook/admin/views/providers.py

@@ -5,7 +5,7 @@ from django.contrib.auth.mixins import (
 )
 from django.contrib.messages.views import SuccessMessageMixin
 from django.urls import reverse_lazy
-from django.utils.translation import ugettext as _
+from django.utils.translation import gettext as _
 from guardian.mixins import PermissionListMixin, PermissionRequiredMixin
 
 from passbook.admin.views.utils import (

passbook/admin/views/sources.py

@@ -5,7 +5,7 @@ from django.contrib.auth.mixins import (
 )
 from django.contrib.messages.views import SuccessMessageMixin
 from django.urls import reverse_lazy
-from django.utils.translation import ugettext as _
+from django.utils.translation import gettext as _
 from guardian.mixins import PermissionListMixin, PermissionRequiredMixin
 
 from passbook.admin.views.utils import (

passbook/admin/views/stages.py

@@ -5,7 +5,7 @@ from django.contrib.auth.mixins import (
 )
 from django.contrib.messages.views import SuccessMessageMixin
 from django.urls import reverse_lazy
-from django.utils.translation import ugettext as _
+from django.utils.translation import gettext as _
 from guardian.mixins import PermissionListMixin, PermissionRequiredMixin
 
 from passbook.admin.views.utils import (

passbook/admin/views/stages_bindings.py

@@ -5,7 +5,7 @@ from django.contrib.auth.mixins import (
 )
 from django.contrib.messages.views import SuccessMessageMixin
 from django.urls import reverse_lazy
-from django.utils.translation import ugettext as _
+from django.utils.translation import gettext as _
 from django.views.generic import ListView, UpdateView
 from guardian.mixins import PermissionListMixin, PermissionRequiredMixin
 

passbook/admin/views/stages_invitations.py

@@ -6,7 +6,7 @@ from django.contrib.auth.mixins import (
 from django.contrib.messages.views import SuccessMessageMixin
 from django.http import HttpResponseRedirect
 from django.urls import reverse_lazy
-from django.utils.translation import ugettext as _
+from django.utils.translation import gettext as _
 from django.views.generic import ListView
 from guardian.mixins import PermissionListMixin, PermissionRequiredMixin
 

passbook/admin/views/stages_prompts.py

@@ -5,7 +5,7 @@ from django.contrib.auth.mixins import (
 )
 from django.contrib.messages.views import SuccessMessageMixin
 from django.urls import reverse_lazy
-from django.utils.translation import ugettext as _
+from django.utils.translation import gettext as _
 from django.views.generic import ListView, UpdateView
 from guardian.mixins import PermissionListMixin, PermissionRequiredMixin
 

passbook/admin/views/tokens.py

@@ -1,7 +1,7 @@
 """passbook Token administration"""
 from django.contrib.auth.mixins import LoginRequiredMixin
 from django.urls import reverse_lazy
-from django.utils.translation import ugettext as _
+from django.utils.translation import gettext as _
 from django.views.generic import ListView
 from guardian.mixins import PermissionListMixin, PermissionRequiredMixin
 

passbook/admin/views/users.py

@@ -9,7 +9,7 @@ from django.http import HttpRequest, HttpResponse
 from django.shortcuts import redirect
 from django.urls import reverse, reverse_lazy
 from django.utils.http import urlencode
-from django.utils.translation import ugettext as _
+from django.utils.translation import gettext as _
 from django.views.generic import DetailView, ListView, UpdateView
 from guardian.mixins import (
     PermissionListMixin,

passbook/api/v2/urls.py

@@ -1,6 +1,5 @@
 """api v2 urls"""
-from django.conf.urls import url
-from django.urls import path
+from django.urls import path, re_path
 from drf_yasg import openapi
 from drf_yasg.views import get_schema_view
 from rest_framework import routers
@@ -119,7 +118,7 @@ SchemaView = get_schema_view(
 )
 
 urlpatterns = [
-    url(
+    re_path(
         r"^swagger(?P<format>\.json|\.yaml)$",
         SchemaView.without_ui(cache_timeout=0),
         name="schema-json",

passbook/audit/middleware.py

@@ -0,0 +1,87 @@
+"""Audit middleware"""
+from functools import partial
+from typing import Callable
+
+from django.contrib.auth.models import User
+from django.db.models import Model
+from django.db.models.signals import post_save, pre_delete
+from django.http import HttpRequest, HttpResponse
+
+from passbook.audit.models import Event, EventAction, model_to_dict
+from passbook.audit.signals import EventNewThread
+from passbook.core.middleware import LOCAL
+
+
+class AuditMiddleware:
+    """Register handlers for duration of request-response that log creation/update/deletion
+    of models"""
+
+    get_response: Callable[[HttpRequest], HttpResponse]
+
+    def __init__(self, get_response: Callable[[HttpRequest], HttpResponse]):
+        self.get_response = get_response
+
+    def __call__(self, request: HttpRequest) -> HttpResponse:
+        # Connect signal for automatic logging
+        if hasattr(request, "user") and getattr(
+            request.user, "is_authenticated", False
+        ):
+            post_save_handler = partial(
+                self.post_save_handler, user=request.user, request=request
+            )
+            pre_delete_handler = partial(
+                self.pre_delete_handler, user=request.user, request=request
+            )
+            post_save.connect(
+                post_save_handler,
+                dispatch_uid=LOCAL.passbook["request_id"],
+                weak=False,
+            )
+            pre_delete.connect(
+                pre_delete_handler,
+                dispatch_uid=LOCAL.passbook["request_id"],
+                weak=False,
+            )
+
+        response = self.get_response(request)
+
+        post_save.disconnect(dispatch_uid=LOCAL.passbook["request_id"])
+        pre_delete.disconnect(dispatch_uid=LOCAL.passbook["request_id"])
+
+        return response
+
+    # pylint: disable=unused-argument
+    def process_exception(self, request: HttpRequest, exception: Exception):
+        """Unregister handlers in case of exception"""
+        post_save.disconnect(dispatch_uid=LOCAL.passbook["request_id"])
+        pre_delete.disconnect(dispatch_uid=LOCAL.passbook["request_id"])
+
+    @staticmethod
+    # pylint: disable=unused-argument
+    def post_save_handler(
+        user: User, request: HttpRequest, sender, instance: Model, created: bool, **_
+    ):
+        """Signal handler for all object's post_save"""
+        if isinstance(instance, Event):
+            return
+
+        action = EventAction.MODEL_CREATED if created else EventAction.MODEL_UPDATED
+        EventNewThread(
+            action, request, user=user, kwargs={"model": model_to_dict(instance)}
+        ).run()
+
+    @staticmethod
+    # pylint: disable=unused-argument
+    def pre_delete_handler(
+        user: User, request: HttpRequest, sender, instance: Model, **_
+    ):
+        """Signal handler for all object's pre_delete"""
+        if isinstance(instance, Event):
+            return
+
+        EventNewThread(
+            EventAction.MODEL_DELETED,
+            request,
+            user=user,
+            kwargs={"model": model_to_dict(instance)},
+        ).run()

passbook/audit/migrations/0002_auto_20200918_2116.py

@@ -0,0 +1,33 @@
+# Generated by Django 3.1.1 on 2020-09-18 21:16
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("passbook_audit", "0001_initial"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="event",
+            name="action",
+            field=models.TextField(
+                choices=[
+                    ("LOGIN", "login"),
+                    ("LOGIN_FAILED", "login_failed"),
+                    ("LOGOUT", "logout"),
+                    ("AUTHORIZE_APPLICATION", "authorize_application"),
+                    ("SUSPICIOUS_REQUEST", "suspicious_request"),
+                    ("SIGN_UP", "sign_up"),
+                    ("PASSWORD_RESET", "password_reset"),
+                    ("INVITE_CREATED", "invitation_created"),
+                    ("INVITE_USED", "invitation_used"),
+                    ("IMPERSONATION_STARTED", "impersonation_started"),
+                    ("IMPERSONATION_ENDED", "impersonation_ended"),
+                    ("CUSTOM", "custom"),
+                ]
+            ),
+        ),
+    ]

passbook/audit/migrations/0003_auto_20200917_1155.py

@@ -0,0 +1,59 @@
+# Generated by Django 3.1.1 on 2020-09-17 11:55
+from django.apps.registry import Apps
+from django.db import migrations, models
+from django.db.backends.base.schema import BaseDatabaseSchemaEditor
+
+import passbook.audit.models
+
+
+def convert_user_to_json(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
+    Event = apps.get_model("passbook_audit", "Event")
+
+    db_alias = schema_editor.connection.alias
+    for event in Event.objects.all():
+        event.delete()
+        # Because event objects cannot be updated, we have to re-create them
+        event.pk = None
+        event.user_json = (
+            passbook.audit.models.get_user(event.user) if event.user else {}
+        )
+        event._state.adding = True
+        event.save()
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("passbook_audit", "0002_auto_20200918_2116"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="event",
+            name="action",
+            field=models.TextField(
+                choices=[
+                    ("LOGIN", "login"),
+                    ("LOGIN_FAILED", "login_failed"),
+                    ("LOGOUT", "logout"),
+                    ("AUTHORIZE_APPLICATION", "authorize_application"),
+                    ("SUSPICIOUS_REQUEST", "suspicious_request"),
+                    ("SIGN_UP", "sign_up"),
+                    ("PASSWORD_RESET", "password_reset"),
+                    ("INVITE_CREATED", "invitation_created"),
+                    ("INVITE_USED", "invitation_used"),
+                    ("IMPERSONATION_STARTED", "impersonation_started"),
+                    ("IMPERSONATION_ENDED", "impersonation_ended"),
+                    ("CUSTOM", "custom"),
+                ]
+            ),
+        ),
+        migrations.AddField(
+            model_name="event", name="user_json", field=models.JSONField(default=dict),
+        ),
+        migrations.RunPython(convert_user_to_json),
+        migrations.RemoveField(model_name="event", name="user",),
+        migrations.RenameField(
+            model_name="event", old_name="user_json", new_name="user"
+        ),
+    ]

passbook/audit/migrations/0004_auto_20200921_1829.py

@@ -0,0 +1,37 @@
+# Generated by Django 3.1.1 on 2020-09-21 18:29
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("passbook_audit", "0003_auto_20200917_1155"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="event",
+            name="action",
+            field=models.TextField(
+                choices=[
+                    ("login", "Login"),
+                    ("login_failed", "Login Failed"),
+                    ("logout", "Logout"),
+                    ("sign_up", "Sign Up"),
+                    ("authorize_application", "Authorize Application"),
+                    ("suspicious_request", "Suspicious Request"),
+                    ("password_set", "Password Set"),
+                    ("invitation_created", "Invite Created"),
+                    ("invitation_used", "Invite Used"),
+                    ("source_linked", "Source Linked"),
+                    ("impersonation_started", "Impersonation Started"),
+                    ("impersonation_ended", "Impersonation Ended"),
+                    ("model_created", "Model Created"),
+                    ("model_updated", "Model Updated"),
+                    ("model_deleted", "Model Deleted"),
+                    ("custom_", "Custom Prefix"),
+                ]
+            ),
+        ),
+    ]

passbook/audit/models.py

@@ -1,23 +1,27 @@
 """passbook audit models"""
-from enum import Enum
 from inspect import getmodule, stack
-from typing import Any, Dict, Optional
+from typing import Any, Dict, Optional, Union
 from uuid import UUID, uuid4
 
 from django.conf import settings
 from django.contrib.auth.models import AnonymousUser
-from django.contrib.contenttypes.models import ContentType
 from django.core.exceptions import ValidationError
 from django.db import models
+from django.db.models.base import Model
 from django.http import HttpRequest
 from django.utils.translation import gettext as _
 from django.views.debug import SafeExceptionReporterFilter
-from guardian.shortcuts import get_anonymous_user
+from guardian.utils import get_anonymous_user
 from structlog import get_logger
 
+from passbook.core.middleware import (
+    SESSION_IMPERSONATE_ORIGINAL_USER,
+    SESSION_IMPERSONATE_USER,
+)
+from passbook.core.models import User
 from passbook.lib.utils.http import get_client_ip
 
-LOGGER = get_logger()
+LOGGER = get_logger("passbook.audit")
 
 
 def cleanse_dict(source: Dict[Any, Any]) -> Dict[Any, Any]:
@@ -36,6 +40,35 @@ def cleanse_dict(source: Dict[Any, Any]) -> Dict[Any, Any]:
     return final_dict
 
 
+def model_to_dict(model: Model) -> Dict[str, Any]:
+    """Convert model to dict"""
+    name = str(model)
+    if hasattr(model, "name"):
+        name = model.name
+    return {
+        "app": model._meta.app_label,
+        "model_name": model._meta.model_name,
+        "pk": model.pk,
+        "name": name,
+    }
+
+
+def get_user(user: User, original_user: Optional[User] = None) -> Dict[str, Any]:
+    """Convert user object to dictionary, optionally including the original user"""
+    if isinstance(user, AnonymousUser):
+        user = get_anonymous_user()
+    user_data = {
+        "username": user.username,
+        "pk": user.pk,
+        "email": user.email,
+    }
+    if original_user:
+        original_data = get_user(original_user)
+        original_data["on_behalf_of"] = user_data
+        return original_data
+    return user_data
+
+
 def sanitize_dict(source: Dict[Any, Any]) -> Dict[Any, Any]:
     """clean source of all Models that would interfere with the JSONField.
     Models are replaced with a dictionary of {
@@ -48,18 +81,7 @@ def sanitize_dict(source: Dict[Any, Any]) -> Dict[Any, Any]:
         if isinstance(value, dict):
             final_dict[key] = sanitize_dict(value)
         elif isinstance(value, models.Model):
-            model_content_type = ContentType.objects.get_for_model(value)
-            name = str(value)
-            if hasattr(value, "name"):
-                name = value.name
-            final_dict[key] = sanitize_dict(
-                {
-                    "app": model_content_type.app_label,
-                    "model_name": model_content_type.model,
-                    "pk": value.pk,
-                    "name": name,
-                }
-            )
+            final_dict[key] = sanitize_dict(model_to_dict(value))
         elif isinstance(value, UUID):
             final_dict[key] = value.hex
         else:
@@ -67,36 +89,39 @@ def sanitize_dict(source: Dict[Any, Any]) -> Dict[Any, Any]:
     return final_dict
 
 
-class EventAction(Enum):
+class EventAction(models.TextChoices):
     """All possible actions to save into the audit log"""
 
     LOGIN = "login"
     LOGIN_FAILED = "login_failed"
     LOGOUT = "logout"
+
+    SIGN_UP = "sign_up"
     AUTHORIZE_APPLICATION = "authorize_application"
     SUSPICIOUS_REQUEST = "suspicious_request"
-    SIGN_UP = "sign_up"
-    PASSWORD_RESET = "password_reset"  # noqa # nosec
+    PASSWORD_SET = "password_set"  # noqa # nosec
+
     INVITE_CREATED = "invitation_created"
     INVITE_USED = "invitation_used"
-    CUSTOM = "custom"
 
-    @staticmethod
-    def as_choices():
-        """Generate choices of actions used for database"""
-        return tuple(
-            (x, y.value) for x, y in getattr(EventAction, "__members__").items()
-        )
+    SOURCE_LINKED = "source_linked"
+
+    IMPERSONATION_STARTED = "impersonation_started"
+    IMPERSONATION_ENDED = "impersonation_ended"
+
+    MODEL_CREATED = "model_created"
+    MODEL_UPDATED = "model_updated"
+    MODEL_DELETED = "model_deleted"
+
+    CUSTOM_PREFIX = "custom_"
 
 
 class Event(models.Model):
     """An individual audit log event"""
 
     event_uuid = models.UUIDField(primary_key=True, editable=False, default=uuid4)
-    user = models.ForeignKey(
-        settings.AUTH_USER_MODEL, null=True, on_delete=models.SET_NULL
-    )
-    action = models.TextField(choices=EventAction.as_choices())
+    user = models.JSONField(default=dict)
+    action = models.TextField(choices=EventAction.choices)
     date = models.DateTimeField(auto_now_add=True)
     app = models.TextField()
     context = models.JSONField(default=dict, blank=True)
@@ -111,20 +136,18 @@ class Event(models.Model):
 
     @staticmethod
     def new(
-        action: EventAction,
+        action: Union[str, EventAction],
         app: Optional[str] = None,
         _inspect_offset: int = 1,
         **kwargs,
     ) -> "Event":
         """Create new Event instance from arguments. Instance is NOT saved."""
         if not isinstance(action, EventAction):
-            raise ValueError(
-                f"action must be EventAction instance but was {type(action)}"
-            )
+            action = EventAction.CUSTOM_PREFIX + action
         if not app:
             app = getmodule(stack()[_inspect_offset][0]).__name__
         cleaned_kwargs = cleanse_dict(sanitize_dict(kwargs))
-        event = Event(action=action.value, app=app, context=cleaned_kwargs)
+        event = Event(action=action, app=app, context=cleaned_kwargs)
         return event
 
     def from_http(
@@ -134,12 +157,19 @@ class Event(models.Model):
         Events independently from requests.
         `user` arguments optionally overrides user from requests."""
         if hasattr(request, "user"):
-            if isinstance(request.user, AnonymousUser):
-                self.user = get_anonymous_user()
-            else:
-                self.user = request.user
+            self.user = get_user(
+                request.user,
+                request.session.get(SESSION_IMPERSONATE_ORIGINAL_USER, None),
+            )
         if user:
-            self.user = user
+            self.user = get_user(user)
+        # Check if we're currently impersonating, and add that user
+        if hasattr(request, "session"):
+            if SESSION_IMPERSONATE_ORIGINAL_USER in request.session:
+                self.user = get_user(request.session[SESSION_IMPERSONATE_ORIGINAL_USER])
+                self.user["on_behalf_of"] = get_user(
+                    request.session[SESSION_IMPERSONATE_USER]
+                )
         # User 255.255.255.255 as fallback if IP cannot be determined
         self.client_ip = get_client_ip(request) or "255.255.255.255"
         # If there's no app set, we get it from the requests too

passbook/audit/signals.py

@@ -20,12 +20,12 @@ from passbook.stages.user_write.signals import user_write
 class EventNewThread(Thread):
     """Create Event in background thread"""
 
-    action: EventAction
+    action: str
     request: HttpRequest
     kwargs: Dict[str, Any]
     user: Optional[User] = None
 
-    def __init__(self, action: EventAction, request: HttpRequest, **kwargs):
+    def __init__(self, action: str, request: HttpRequest, **kwargs):
         super().__init__()
         self.action = action
         self.request = request
@@ -57,7 +57,7 @@ def on_user_logged_out(sender, request: HttpRequest, user: User, **_):
 # pylint: disable=unused-argument
 def on_user_write(sender, request: HttpRequest, user: User, data: Dict[str, Any], **_):
     """Log User write"""
-    thread = EventNewThread(EventAction.CUSTOM, request, **data)
+    thread = EventNewThread("stages/user_write", request, **data)
     thread.user = user
     thread.run()
 

passbook/audit/templates/audit/list.html

@@ -40,12 +40,28 @@
                             </div>
                         </th>
                         <td role="cell">
+                            <div>
+                                <div>
                                     <code>{{ entry.context }}</code>
+                                </div>
+                                {% if entry.user.on_behalf_of %}
+                                <small>
+                                    {% blocktrans with username=entry.user.on_behalf_of.username %}
+                                    On behalf of {{ username }}
+                                    {% endblocktrans %}
+                                </small>
+                                {% endif %}
+                            </div>
                         </td>
                         <td role="cell">
-                            <span>
-                                {{ entry.user }}
-                            </span>
+                            <div>
+                                <div>{{ entry.user.username }}</div>
+                                <small>
+                                    {% blocktrans with pk=entry.user.pk %}
+                                    ID: {{ pk }}
+                                    {% endblocktrans %}
+                                </small>
+                            </div>
                         </td>
                         <td role="cell">
                             <span>

passbook/audit/tests/test_event.py

@@ -4,7 +4,7 @@ from django.contrib.contenttypes.models import ContentType
 from django.test import TestCase
 from guardian.shortcuts import get_anonymous_user
 
-from passbook.audit.models import Event, EventAction
+from passbook.audit.models import Event
 from passbook.policies.dummy.models import DummyPolicy
 
 
@@ -13,7 +13,7 @@ class TestAuditEvent(TestCase):
 
     def test_new_with_model(self):
         """Create a new Event passing a model as kwarg"""
-        event = Event.new(EventAction.CUSTOM, test={"model": get_anonymous_user()})
+        event = Event.new("unittest", test={"model": get_anonymous_user()})
         event.save()  # We save to ensure nothing is un-saveable
         model_content_type = ContentType.objects.get_for_model(get_anonymous_user())
         self.assertEqual(
@@ -24,7 +24,7 @@ class TestAuditEvent(TestCase):
     def test_new_with_uuid_model(self):
         """Create a new Event passing a model (with UUID PK) as kwarg"""
         temp_model = DummyPolicy.objects.create(name="test", result=True)
-        event = Event.new(EventAction.CUSTOM, model=temp_model)
+        event = Event.new("unittest", model=temp_model)
         event.save()  # We save to ensure nothing is un-saveable
         model_content_type = ContentType.objects.get_for_model(temp_model)
         self.assertEqual(

passbook/core/api/groups.py

@@ -11,7 +11,7 @@ class GroupSerializer(ModelSerializer):
     class Meta:
 
         model = Group
-        fields = ["pk", "name", "parent", "user_set", "attributes"]
+        fields = ["pk", "name", "is_superuser", "parent", "users", "attributes"]
 
 
 class GroupViewSet(ModelViewSet):

passbook/core/api/users.py

@@ -1,5 +1,5 @@
 """User API Views"""
-from rest_framework.serializers import ModelSerializer
+from rest_framework.serializers import BooleanField, ModelSerializer
 from rest_framework.viewsets import ModelViewSet
 
 from passbook.core.models import User
@@ -8,10 +8,12 @@ from passbook.core.models import User
 class UserSerializer(ModelSerializer):
     """User Serializer"""
 
+    is_superuser = BooleanField(read_only=True)
+
     class Meta:
 
         model = User
-        fields = ["pk", "username", "name", "email"]
+        fields = ["pk", "username", "name", "is_superuser", "email"]
 
 
 class UserViewSet(ModelViewSet):

passbook/core/forms/applications.py

@@ -29,7 +29,16 @@ class ApplicationForm(forms.ModelForm):
         ]
         widgets = {
             "name": forms.TextInput(),
-            "meta_launch_url": forms.TextInput(),
+            "meta_launch_url": forms.TextInput(
+                attrs={
+                    "placeholder": _(
+                        (
+                            "If left empty, passbook will try to extract the launch URL "
+                            "based on the selected provider."
+                        )
+                    )
+                }
+            ),
             "meta_icon_url": forms.TextInput(),
             "meta_publisher": forms.TextInput(),
         }

passbook/core/forms/groups.py

@@ -18,21 +18,19 @@ class GroupForm(forms.ModelForm):
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
         if self.instance.pk:
-            self.initial["members"] = self.instance.user_set.values_list(
-                "pk", flat=True
-            )
+            self.initial["members"] = self.instance.users.values_list("pk", flat=True)
 
     def save(self, *args, **kwargs):
         instance = super().save(*args, **kwargs)
         if instance.pk:
-            instance.user_set.clear()
-            instance.user_set.add(*self.cleaned_data["members"])
+            instance.users.clear()
+            instance.users.add(*self.cleaned_data["members"])
         return instance
 
     class Meta:
 
         model = Group
-        fields = ["name", "parent", "members", "attributes"]
+        fields = ["name", "is_superuser", "parent", "members", "attributes"]
         widgets = {
             "name": forms.TextInput(),
             "attributes": CodeMirrorWidget,

passbook/core/middleware.py

@@ -0,0 +1,56 @@
+"""passbook admin Middleware to impersonate users"""
+from logging import Logger
+from threading import local
+from typing import Callable
+from uuid import uuid4
+
+from django.http import HttpRequest, HttpResponse
+
+SESSION_IMPERSONATE_USER = "passbook_impersonate_user"
+SESSION_IMPERSONATE_ORIGINAL_USER = "passbook_impersonate_original_user"
+LOCAL = local()
+
+
+class ImpersonateMiddleware:
+    """Middleware to impersonate users"""
+
+    get_response: Callable[[HttpRequest], HttpResponse]
+
+    def __init__(self, get_response: Callable[[HttpRequest], HttpResponse]):
+        self.get_response = get_response
+
+    def __call__(self, request: HttpRequest) -> HttpResponse:
+        # No permission checks are done here, they need to be checked before
+        # SESSION_IMPERSONATE_USER is set.
+
+        if SESSION_IMPERSONATE_USER in request.session:
+            request.user = request.session[SESSION_IMPERSONATE_USER]
+
+        return self.get_response(request)
+
+
+class RequestIDMiddleware:
+    """Add a unique ID to every request"""
+
+    get_response: Callable[[HttpRequest], HttpResponse]
+
+    def __init__(self, get_response: Callable[[HttpRequest], HttpResponse]):
+        self.get_response = get_response
+
+    def __call__(self, request: HttpRequest) -> HttpResponse:
+        if not hasattr(request, "request_id"):
+            request_id = uuid4().hex
+            setattr(request, "request_id", request_id)
+            LOCAL.passbook = {"request_id": request_id}
+        response = self.get_response(request)
+        response["X-passbook-id"] = request.request_id
+        del LOCAL.passbook["request_id"]
+        return response
+
+
+# pylint: disable=unused-argument
+def structlog_add_request_id(logger: Logger, method_name: str, event_dict):
+    """If threadlocal has passbook defined, add request_id to log"""
+    if hasattr(LOCAL, "passbook"):
+        event_dict["request_id"] = LOCAL.passbook.get("request_id", "")
+    return event_dict

passbook/core/migrations/0003_default_user.py

@@ -1,7 +1,7 @@
 # Generated by Django 3.0.6 on 2020-05-23 16:40
 
 from django.apps.registry import Apps
-from django.db import migrations
+from django.db import migrations, models
 from django.db.backends.base.schema import BaseDatabaseSchemaEditor
 
 
@@ -14,9 +14,7 @@ def create_default_user(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
     pbadmin, _ = User.objects.using(db_alias).get_or_create(
         username="pbadmin", email="root@localhost", name="passbook Default Admin"
     )
-    pbadmin.set_password("pbadmin")  # noqa # nosec
-    pbadmin.is_superuser = True
-    pbadmin.is_staff = True
+    pbadmin.set_password("pbadmin", signal=False)  # noqa # nosec
     pbadmin.save()
 
 
@@ -27,5 +25,15 @@ class Migration(migrations.Migration):
     ]
 
     operations = [
+        migrations.RemoveField(model_name="user", name="is_superuser",),
+        migrations.RemoveField(model_name="user", name="is_staff",),
         migrations.RunPython(create_default_user),
+        migrations.AddField(
+            model_name="user",
+            name="is_superuser",
+            field=models.BooleanField(default=False),
+        ),
+        migrations.AddField(
+            model_name="user", name="is_staff", field=models.BooleanField(default=False)
+        ),
     ]

passbook/core/migrations/0009_group_is_superuser.py

@@ -0,0 +1,49 @@
+# Generated by Django 3.1.1 on 2020-09-15 19:53
+from django.apps.registry import Apps
+from django.db import migrations, models
+from django.db.backends.base.schema import BaseDatabaseSchemaEditor
+
+import passbook.core.models
+
+
+def create_default_admin_group(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
+    db_alias = schema_editor.connection.alias
+    Group = apps.get_model("passbook_core", "Group")
+    User = apps.get_model("passbook_core", "User")
+
+    # Creates a default admin group
+    group, _ = Group.objects.using(db_alias).get_or_create(
+        is_superuser=True, defaults={"name": "passbook Admins",}
+    )
+    group.users.set(User.objects.filter(username="pbadmin"))
+    group.save()
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("passbook_core", "0008_auto_20200824_1532"),
+    ]
+
+    operations = [
+        migrations.RemoveField(model_name="user", name="is_superuser",),
+        migrations.RemoveField(model_name="user", name="is_staff",),
+        migrations.AlterField(
+            model_name="user",
+            name="pb_groups",
+            field=models.ManyToManyField(
+                related_name="users", to="passbook_core.Group"
+            ),
+        ),
+        migrations.AddField(
+            model_name="group",
+            name="is_superuser",
+            field=models.BooleanField(
+                default=False, help_text="Users added to this group will be superusers."
+            ),
+        ),
+        migrations.RunPython(create_default_admin_group),
+        migrations.AlterModelManagers(
+            name="user", managers=[("objects", passbook.core.models.UserManager()),],
+        ),
+    ]

passbook/core/migrations/0010_auto_20200917_1021.py

@@ -0,0 +1,24 @@
+# Generated by Django 3.1.1 on 2020-09-17 10:21
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("passbook_core", "0009_group_is_superuser"),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name="user",
+            options={
+                "permissions": (
+                    ("reset_user_password", "Reset Password"),
+                    ("impersonate", "Can impersonate other users"),
+                ),
+                "verbose_name": "User",
+                "verbose_name_plural": "Users",
+            },
+        ),
+    ]

passbook/core/models.py

@@ -4,6 +4,7 @@ from typing import Any, Optional, Type
 from uuid import uuid4
 
 from django.contrib.auth.models import AbstractUser
+from django.contrib.auth.models import UserManager as DjangoUserManager
 from django.db import models
 from django.db.models import Q, QuerySet
 from django.forms import ModelForm
@@ -22,6 +23,7 @@ from passbook.lib.models import CreatedUpdatedModel
 from passbook.policies.models import PolicyBindingModel
 
 LOGGER = get_logger()
+PASSBOOK_USER_DEBUG = "passbook_user_debug"
 
 
 def default_token_duration():
@@ -33,7 +35,12 @@ class Group(models.Model):
     """Custom Group model which supports a basic hierarchy"""
 
     group_uuid = models.UUIDField(primary_key=True, editable=False, default=uuid4)
+
     name = models.CharField(_("name"), max_length=80)
+    is_superuser = models.BooleanField(
+        default=False, help_text=_("Users added to this group will be superusers.")
+    )
+
     parent = models.ForeignKey(
         "Group",
         blank=True,
@@ -51,6 +58,14 @@ class Group(models.Model):
         unique_together = (("name", "parent",),)
 
 
+class UserManager(DjangoUserManager):
+    """Custom user manager that doesn't assign is_superuser and is_staff"""
+
+    def create_user(self, username, email=None, password=None, **extra_fields):
+        """Custom user manager that doesn't assign is_superuser and is_staff"""
+        return self._create_user(username, email, password, **extra_fields)
+
+
 class User(GuardianUserMixin, AbstractUser):
     """Custom User model to allow easier adding o f user-based settings"""
 
@@ -58,20 +73,35 @@ class User(GuardianUserMixin, AbstractUser):
     name = models.TextField(help_text=_("User's display name."))
 
     sources = models.ManyToManyField("Source", through="UserSourceConnection")
-    pb_groups = models.ManyToManyField("Group")
+    pb_groups = models.ManyToManyField("Group", related_name="users")
     password_change_date = models.DateTimeField(auto_now_add=True)
 
     attributes = models.JSONField(default=dict, blank=True)
 
-    def set_password(self, password):
-        if self.pk:
+    objects = UserManager()
+
+    @property
+    def is_superuser(self) -> bool:
+        """Get supseruser status based on membership in a group with superuser status"""
+        return self.pb_groups.filter(is_superuser=True).exists()
+
+    @property
+    def is_staff(self) -> bool:
+        """superuser == staff user"""
+        return self.is_superuser
+
+    def set_password(self, password, signal=True):
+        if self.pk and signal:
             password_changed.send(sender=self, user=self, password=password)
         self.password_change_date = now()
         return super().set_password(password)
 
     class Meta:
 
-        permissions = (("reset_user_password", "Reset Password"),)
+        permissions = (
+            ("reset_user_password", "Reset Password"),
+            ("impersonate", "Can impersonate other users"),
+        )
         verbose_name = _("User")
         verbose_name_plural = _("Users")
 
@@ -92,6 +122,12 @@ class Provider(models.Model):
 
     objects = InheritanceManager()
 
+    @property
+    def launch_url(self) -> Optional[str]:
+        """URL to this provider and initiate authorization for the user.
+        Can return None for providers that are not URL-based"""
+        return None
+
     def form(self) -> Type[ModelForm]:
         """Return Form class used to edit this object"""
         raise NotImplementedError
@@ -119,6 +155,14 @@ class Application(PolicyBindingModel):
     meta_description = models.TextField(default="", blank=True)
     meta_publisher = models.TextField(default="", blank=True)
 
+    def get_launch_url(self) -> Optional[str]:
+        """Get launch URL if set, otherwise attempt to get launch URL based on provider."""
+        if self.meta_launch_url:
+            return self.meta_launch_url
+        if self.provider:
+            return self.get_provider().launch_url
+        return None
+
     def get_provider(self) -> Optional[Provider]:
         """Get casted provider instance"""
         if not self.provider:

passbook/core/tasks.py

@@ -1,4 +1,5 @@
 """passbook core tasks"""
+from django.utils.timezone import now
 from structlog import get_logger
 
 from passbook.core.models import ExpiringModel
@@ -12,5 +13,10 @@ def clean_expired_models():
     """Remove expired objects"""
     for cls in ExpiringModel.__subclasses__():
         cls: ExpiringModel
-        amount, _ = cls.filter_not_expired().delete()
+        amount, _ = (
+            cls.objects.all()
+            .exclude(expiring=False)
+            .exclude(expiring=True, expires__gt=now())
+            .delete()
+        )
         LOGGER.debug("Deleted expired models", model=cls, amount=amount)

passbook/core/templates/base/page.html

@@ -20,8 +20,12 @@
                 </button>
             </div>
             <a class="pf-c-page__header-brand-link">
-                <img class="pf-c-brand" src="{% static 'passbook/logo.png' %}" alt="" />
-                <img class="pf-c-brand" src="{% static 'passbook/brand.svg' %}" alt="passbook" />
+                <div class="pf-c-brand pb-brand">
+                    <img src="{{ config.passbook.branding.logo }}" alt="passbook icon">
+                    {% if config.passbook.branding.title_show %}
+                    <small><small>{{ config.passbook.branding.title }}</small></small>
+                    {% endif %}
+                </div>
             </a>
         </div>
         <div class="pf-c-page__header-nav">

passbook/core/templates/base/skeleton.html

@@ -6,26 +6,28 @@
 
 <html lang="en">
     <head>
+        <link rel="preload" href="{% static 'passbook/fonts/DINEngschriftStd.woff2' %}" as="font" type="font/woff2" crossorigin>
+        <link rel="preload" href="{% static 'passbook/fonts/DINEngschriftStd.woff' %}" as="font" type="font/woff" crossorigin>
         <meta charset="UTF-8">
         <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
-        <title>{% block title %}{% trans title|default:"passbook" %}{% endblock %}</title>
+        <title>{% block title %}{% trans title|default:config.passbook.branding.title %}{% endblock %}</title>
         <link rel="icon" type="image/png" href="{% static 'passbook/logo.png' %}">
         <link rel="shortcut icon" type="image/png" href="{% static 'passbook/logo.png' %}">
         <link rel="stylesheet" type="text/css" href="{% static 'node_modules/@patternfly/patternfly/patternfly.css' %}">
         <link rel="stylesheet" type="text/css" href="{% static 'node_modules/@patternfly/patternfly/patternfly-addons.css' %}">
         <link rel="stylesheet" type="text/css" href="{% static 'node_modules/@fortawesome/fontawesome-free/css/fontawesome.min.css' %}">
-        <link rel="stylesheet" type="text/css" href="{% static 'passbook/pf.css' %}">
+        <link rel="stylesheet" type="text/css" href="{% static 'passbook/passbook.css' %}">
         {% block head %}
         {% endblock %}
     </head>
     <body>
-        {% if 'impersonate_id' in request.session %}
+        {% if 'passbook_impersonate_user' in request.session %}
         <div class="pf-c-banner pf-m-warning pf-c-alert pf-m-sticky">
             <div class="pf-l-flex pf-m-justify-content-center pf-m-justify-content-space-between-on-lg pf-m-nowrap" style="height: 100%;">
                 <div class=""></div>
                 <div class="pf-u-display-none pf-u-display-block-on-lg">
                     {% blocktrans with user=user %}You're currently impersonating {{ user }}.{% endblocktrans %}
-                    <a href="?__unimpersonate=True" id="acceptMessage">{% trans 'Stop impersonation' %}</a>
+                    <a href="{% url 'passbook_core:impersonate-end' %}?back={{ request.get_full_path }}" id="acceptMessage">{% trans 'Stop impersonation' %}</a>
                 </div>
                 <div class=""></div>
             </div>
@@ -35,6 +37,6 @@
         {% endblock %}
         {% block scripts %}
         {% endblock %}
-        <script src="{% static 'passbook/pf.js' %}"></script>
+        <script src="{% static 'passbook/passbook.js' %}"></script>
     </body>
 </html>