new release: 0.10.5-stable

root: fix IP detection when using multiple reverse proxies
docs: add notice to use https when using external reverse proxy
2020-09-20 13:58:33 +02:00 · 2020-09-20 13:36:23 +02:00 · 2020-09-20 13:36:07 +02:00 · 2020-09-19 23:07:39 +02:00 · 2020-09-19 22:54:36 +02:00 · 2020-09-19 22:23:11 +02:00
18 changed files with 58 additions and 44 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 0.10.4-stable
+current_version = 0.10.5-stable
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\-(?P<release>.*)
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -18,11 +18,11 @@ jobs:
      - name: Building Docker Image
        run: docker build
          --no-cache
-          -t beryju/passbook:0.10.4-stable
+          -t beryju/passbook:0.10.5-stable
          -t beryju/passbook:latest
          -f Dockerfile .
      - name: Push Docker Container to Registry (versioned)
-        run: docker push beryju/passbook:0.10.4-stable
+        run: docker push beryju/passbook:0.10.5-stable
      - name: Push Docker Container to Registry (latest)
        run: docker push beryju/passbook:latest
  build-proxy:
@ -48,11 +48,11 @@ jobs:
          cd proxy
          docker build \
          --no-cache \
-          -t beryju/passbook-proxy:0.10.4-stable \
+          -t beryju/passbook-proxy:0.10.5-stable \
          -t beryju/passbook-proxy:latest \
          -f Dockerfile .
      - name: Push Docker Container to Registry (versioned)
-        run: docker push beryju/passbook-proxy:0.10.4-stable
+        run: docker push beryju/passbook-proxy:0.10.5-stable
      - name: Push Docker Container to Registry (latest)
        run: docker push beryju/passbook-proxy:latest
  build-static:
@ -77,11 +77,11 @@ jobs:
        run: docker build
          --no-cache
          --network=$(docker network ls | grep github | awk '{print $1}')
-          -t beryju/passbook-static:0.10.4-stable
+          -t beryju/passbook-static:0.10.5-stable
          -t beryju/passbook-static:latest
          -f static.Dockerfile .
      - name: Push Docker Container to Registry (versioned)
-        run: docker push beryju/passbook-static:0.10.4-stable
+        run: docker push beryju/passbook-static:0.10.5-stable
      - name: Push Docker Container to Registry (latest)
        run: docker push beryju/passbook-static:latest
  test-release:
@ -114,5 +114,5 @@ jobs:
          SENTRY_PROJECT: passbook
          SENTRY_URL: https://sentry.beryju.org
        with:
-          tagName: 0.10.4-stable
+          tagName: 0.10.5-stable
          environment: beryjuorg-prod
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -23,7 +23,7 @@ services:
    labels:
      - traefik.enable=false
  server:
-    image: beryju/passbook:${PASSBOOK_TAG:-0.10.4-stable}
+    image: beryju/passbook:${PASSBOOK_TAG:-0.10.5-stable}
    command: server
    environment:
      PASSBOOK_REDIS__HOST: redis
@ -41,7 +41,7 @@ services:
    env_file:
      - .env
  worker:
-    image: beryju/passbook:${PASSBOOK_TAG:-0.10.4-stable}
+    image: beryju/passbook:${PASSBOOK_TAG:-0.10.5-stable}
    command: worker
    networks:
      - internal
@ -55,7 +55,7 @@ services:
    env_file:
      - .env
  static:
-    image: beryju/passbook-static:${PASSBOOK_TAG:-0.10.4-stable}
+    image: beryju/passbook-static:${PASSBOOK_TAG:-0.10.5-stable}
    networks:
      - internal
    labels:
--- a/docs/installation/docker-compose.md
+++ b/docs/installation/docker-compose.md
@ -13,7 +13,7 @@ Download the latest `docker-compose.yml` from [here](https://raw.githubuserconte
 To optionally enable error-reporting, run `echo PASSBOOK_ERROR_REPORTING__ENABLED=true >> .env`
-To optionally deploy a different version run `echo PASSBOOK_TAG=0.10.4-stable >> .env`
+To optionally deploy a different version run `echo PASSBOOK_TAG=0.10.5-stable >> .env`
 If this is a fresh passbook install run the following commands to generate a password:
@ -39,4 +39,6 @@ Now you can pull the Docker images needed by running `docker-compose pull`. Afte
 passbook will then be reachable via HTTP on port 80, and HTTPS on port 443. You can optionally configure the packaged traefik to use Let's Encrypt certificates for TLS Encryption.
 If you plan to access passbook via a reverse proxy which does SSL Termination, make sure you use the HTTPS port, so passbook is aware of the SSL connection.
 The initial setup process also creates a default admin user, the username and password for which is `pbadmin`. It is highly recommended to change this password as soon as you log in.
--- a/docs/installation/kubernetes.md
+++ b/docs/installation/kubernetes.md
@ -11,7 +11,7 @@ This installation automatically applies database migrations on startup. After th
 image:
  name: beryju/passbook
  name_static: beryju/passbook-static
-  tag: 0.10.4-stable
+  tag: 0.10.5-stable
 nameOverride: ""
--- a/helm/Chart.yaml
+++ b/helm/Chart.yaml
@ -1,8 +1,8 @@
 apiVersion: v2
-appVersion: "0.10.4-stable"
+appVersion: "0.10.5-stable"
 description: A Helm chart for passbook.
 name: passbook
-version: "0.10.4-stable"
+version: "0.10.5-stable"
 icon: https://github.com/BeryJu/passbook/blob/master/docs/images/logo.svg
 dependencies:
  - name: postgresql
--- a/helm/values.yaml
+++ b/helm/values.yaml
@ -4,7 +4,7 @@
 image:
  name: beryju/passbook
  name_static: beryju/passbook-static
-  tag: 0.10.4-stable
+  tag: 0.10.5-stable
 nameOverride: ""
--- a/passbook/init.py
+++ b/passbook/init.py
@ -1,2 +1,2 @@
 """passbook"""
-__version__ = "0.10.4-stable"
+__version__ = "0.10.5-stable"
--- a/passbook/admin/templates/administration/outpost/list.html
+++ b/passbook/admin/templates/administration/outpost/list.html
@ -5,18 +5,6 @@
 {% load passbook_utils %}
 {% load admin_reflection %}
 {% block head %}
 {{ block.super }}
 <style>
 .pf-m-success {
    color: var(--pf-global--success-color--100);
 }
 .pf-m-danger {
    color: var(--pf-global--danger-color--100);
 }
 </style>
 {% endblock %}
 {% block content %}
 <section class="pf-c-page__main-section pf-m-light">
    <div class="pf-c-content">
--- a/passbook/admin/views/policies_bindings.py
+++ b/passbook/admin/views/policies_bindings.py
@ -9,11 +9,12 @@ from django.urls import reverse_lazy
 from django.utils.translation import gettext as _
 from django.views.generic import ListView, UpdateView
 from guardian.mixins import PermissionListMixin, PermissionRequiredMixin
 from guardian.shortcuts import get_objects_for_user
 from passbook.admin.views.utils import DeleteMessageView
 from passbook.lib.views import CreateAssignPermView
 from passbook.policies.forms import PolicyBindingForm
-from passbook.policies.models import PolicyBinding, PolicyBindingModel
+from passbook.policies.models import PolicyBinding
 class PolicyBindingListView(LoginRequiredMixin, PermissionListMixin, ListView):
@ -29,13 +30,18 @@ class PolicyBindingListView(LoginRequiredMixin, PermissionListMixin, ListView):
        # Since `select_subclasses` does not work with a foreign key, we have to do two queries here
        # First, get all pbm objects that have bindings attached
        objects = (
-            PolicyBindingModel.objects.filter(policies__isnull=False)
+            get_objects_for_user(
                self.request.user, "passbook_policies.view_policybindingmodel"
            )
            .filter(policies__isnull=False)
            .select_subclasses()
            .select_related()
            .order_by("pk")
        )
        for pbm in objects:
-            pbm.bindings = PolicyBinding.objects.filter(target__pk=pbm.pbm_uuid)
+            pbm.bindings = get_objects_for_user(
                self.request.user, self.permission_required
            ).filter(target__pk=pbm.pbm_uuid)
        return objects
--- a/passbook/audit/models.py
+++ b/passbook/audit/models.py
@ -15,7 +15,10 @@ from django.views.debug import SafeExceptionReporterFilter
 from guardian.shortcuts import get_anonymous_user
 from structlog import get_logger
-from passbook.core.middleware import SESSION_IMPERSONATE_ORIGINAL_USER
+from passbook.core.middleware import (
    SESSION_IMPERSONATE_ORIGINAL_USER,
    SESSION_IMPERSONATE_USER,
 )
 from passbook.lib.utils.http import get_client_ip
 LOGGER = get_logger()
@ -148,8 +151,9 @@ class Event(models.Model):
        # Check if we're currently impersonating, and add that user
        if hasattr(request, "session"):
            if SESSION_IMPERSONATE_ORIGINAL_USER in request.session:
                self.user = request.session[SESSION_IMPERSONATE_ORIGINAL_USER]
                self.context["on_behalf_of"] = model_to_dict(
-                    request.session[SESSION_IMPERSONATE_ORIGINAL_USER]
+                    request.session[SESSION_IMPERSONATE_USER]
                )
        # User 255.255.255.255 as fallback if IP cannot be determined
        self.client_ip = get_client_ip(request) or "255.255.255.255"
--- a/passbook/core/views/impersonate.py
+++ b/passbook/core/views/impersonate.py
@ -31,7 +31,7 @@ class ImpersonateInitView(View):
        request.session[SESSION_IMPERSONATE_ORIGINAL_USER] = request.user
        request.session[SESSION_IMPERSONATE_USER] = user_to_be
-        Event.new(EventAction.IMPERSONATION_STARTED).from_http(request)
+        Event.new(EventAction.IMPERSONATION_STARTED).from_http(request, user_to_be)
        return redirect("passbook_core:overview")
@ -48,9 +48,11 @@ class ImpersonateEndView(View):
            LOGGER.debug("Can't end impersonation", user=request.user)
            return redirect("passbook_core:overview")
        original_user = request.session[SESSION_IMPERSONATE_ORIGINAL_USER]
        del request.session[SESSION_IMPERSONATE_USER]
        del request.session[SESSION_IMPERSONATE_ORIGINAL_USER]
-        Event.new(EventAction.IMPERSONATION_ENDED).from_http(request)
+        Event.new(EventAction.IMPERSONATION_ENDED).from_http(request, original_user)
        return redirect("passbook_core:overview")
--- a/passbook/lib/utils/http.py
+++ b/passbook/lib/utils/http.py
@ -14,7 +14,7 @@ def _get_client_ip_from_meta(meta: Dict[str, Any]) -> Optional[str]:
    )
    for _header in headers:
        if _header in meta:
-            return meta.get(_header)
+            return meta.get(_header).split(", ")[0]
    return None
--- a/passbook/providers/oauth2/views/token.py
+++ b/passbook/providers/oauth2/views/token.py
@ -91,7 +91,7 @@ class TokenParams:
            try:
                self.refresh_token = RefreshToken.objects.get(
-                    refresh_token=raw_token, client=self.provider
+                    refresh_token=raw_token, provider=self.provider
                )
            except RefreshToken.DoesNotExist:
--- a/passbook/root/asgi.py
+++ b/passbook/root/asgi.py
@ -102,11 +102,14 @@ class ASGILogger:
        await self.app(scope, receive, send_hooked)
    def _get_ip(self) -> str:
        client_ip = None
        for header in ASGI_IP_HEADERS:
            if header in self.headers:
-                return self.headers[header].decode()
+                client_ip = self.headers[header].decode()
        if not client_ip:
            client_ip, _ = self.scope.get("client", ("", 0))
-        return client_ip
+        # Check if header has multiple values, and use the first one
        return client_ip.split(", ")[0]
    def log(self, runtime: float):
        """Outpot access logs in a structured format"""
--- a/passbook/static/static/passbook/passbook.css
+++ b/passbook/static/static/passbook/passbook.css
@ -49,6 +49,13 @@
    max-height: var(--pf-c-login__main-footer-links-item-link-svg--Height);
 }
 .pf-m-success {
    color: var(--pf-global--success-color--100);
 }
 .pf-m-danger {
    color: var(--pf-global--danger-color--100);
 }
 /* fix multiple selects height */
 select[multiple] {
    height: initial;
--- a/proxy/pkg/server/api_bundle.go
+++ b/proxy/pkg/server/api_bundle.go
@ -51,8 +51,10 @@ func (pb *providerBundle) prepareOpts(provider *models.ProxyOutpostConfig) *opti
 	providerOpts.OIDCJwksURL = *provider.OidcConfiguration.JwksURI
 	providerOpts.ProfileURL = *provider.OidcConfiguration.UserinfoEndpoint
 	if provider.SkipPathRegex != "" {
 		skipRegexes := strings.Split(provider.SkipPathRegex, "\n")
 		providerOpts.SkipAuthRegex = skipRegexes
 	}
 	providerOpts.UpstreamServers = []options.Upstream{
 		{
--- a/proxy/pkg/version.go
+++ b/proxy/pkg/version.go
@ -1,3 +1,3 @@
 package pkg
-const VERSION = "0.10.4-stable"
+const VERSION = "0.10.5-stable"
Author	SHA1	Message	Date
Jens Langhammer	c7ca95ff2b	new release: 0.10.5-stable	2020-09-20 13:58:33 +02:00
Jens Langhammer	9f403a71ed	root: fix IP detection when using multiple reverse proxies	2020-09-20 13:36:23 +02:00
Jens Langhammer	2f4139df65	docs: add notice to use https when using external reverse proxy	2020-09-20 13:36:07 +02:00
Jens Langhammer	f3ee8f7d9c	admin: fix permissions not being checked for policybinding list	2020-09-19 23:07:39 +02:00
Jens Langhammer	5fa3729702	audit: fix fields for events from impersonation being swapped	2020-09-19 22:54:36 +02:00
Jens Langhammer	87f44fada4	providers/oauth2: fix refreshtoken being initialised wrong	2020-09-19 22:23:11 +02:00
Jens Langhammer	c0026f3e16	admin: move pf-m-success to base css	2020-09-19 21:12:39 +02:00
Jens Langhammer	c1051059f4	proxy: fix empty regex field being interpreted as regex	2020-09-19 21:05:41 +02:00
`@ -1,2 +1,2 @@`
	`"""passbook"""`	`"""passbook"""`
	`__version__ = "0.10.4-stable"`	`__version__ = "0.10.5-stable"`
`@ -1,3 +1,3 @@`
	`package pkg`	`package pkg`

	`const VERSION = "0.10.4-stable"`	`const VERSION = "0.10.5-stable"`