new release: 0.2.4-beta

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 0.2.1-beta
+current_version = 0.2.4-beta
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\-(?P<release>.*)

.gitlab-ci.yml

@@ -15,6 +15,10 @@ variables:
   POSTGRES_USER: passbook
   POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
 
+before_script:
+  # Ensure all dependencies are installed, even those not included in passbook/build-base
+  - pip install -r requirements-dev.txt
+
 create-build-image:
   image:
     name: gcr.io/kaniko-project/executor:debug
@@ -22,7 +26,7 @@ create-build-image:
   before_script:
     - echo "{\"auths\":{\"docker.beryju.org\":{\"auth\":\"$DOCKER_AUTH\"}}}" > /kaniko/.docker/config.json
   script:
-    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile.build-base --destination docker.beryju.org/passbook/build-base:latest --destination docker.beryju.org/passbook/build-base:0.2.1-beta
+    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile.build-base --destination docker.beryju.org/passbook/build-base:latest --destination docker.beryju.org/passbook/build-base:0.2.4-beta
   stage: build-buildimage
   only:
     refs:
@@ -63,7 +67,7 @@ package-docker:
   before_script:
     - echo "{\"auths\":{\"docker.beryju.org\":{\"auth\":\"$DOCKER_AUTH\"}}}" > /kaniko/.docker/config.json
   script:
-    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination docker.beryju.org/passbook/server:latest --destination docker.beryju.org/passbook/server:0.2.1-beta
+    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination docker.beryju.org/passbook/server:latest --destination docker.beryju.org/passbook/server:0.2.4-beta
   stage: build
   only:
     - tags

client-packages/allauth/setup.py

@@ -3,7 +3,7 @@ from setuptools import setup
 
 setup(
     name='django-allauth-passbook',
-    version='0.2.1-beta',
+    version='0.2.4-beta',
     description='passbook support for django-allauth',
     # long_description='\n'.join(read_simple('docs/index.md')[2:]),
     long_description_content_type='text/markdown',

client-packages/sentry-auth-passbook/setup.py

@@ -18,12 +18,13 @@ tests_require = [
 
 setup(
     name='sentry-auth-passbook',
-    version='0.2.1-beta',
+    version='0.2.4-beta',
     author='BeryJu.org',
     author_email='support@beryju.org',
     url='https://passbook.beryju.org',
     description='passbook authentication provider for Sentry',
     long_description=__doc__,
+    long_description_content_type='text/markdown',
     license='MIT',
     packages=find_packages(exclude=['tests']),
     zip_safe=False,

helm/passbook/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v1
-appVersion: "0.2.1-beta"
+appVersion: "0.2.4-beta"
 description: A Helm chart for passbook.
 name: passbook
-version: "0.2.1-beta"
+version: "0.2.4-beta"
 icon: https://git.beryju.org/uploads/-/system/project/avatar/108/logo.png

helm/passbook/templates/passbook-appgw-deployment.yaml

@@ -0,0 +1,67 @@
+apiVersion: apps/v1beta2
+kind: Deployment
+metadata:
+  name: {{ include "passbook.fullname" . }}-appgw
+  labels:
+    app.kubernetes.io/name: {{ include "passbook.name" . }}
+    helm.sh/chart: {{ include "passbook.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ include "passbook.name" . }}
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: {{ include "passbook.name" . }}
+        app.kubernetes.io/instance: {{ .Release.Name }}
+        passbook.io/component: appgw
+    spec:
+      volumes:
+        - name: config-volume
+          configMap:
+            name: {{ include "passbook.fullname" . }}-config
+      containers:
+        - name: {{ .Chart.Name }}
+          image: "docker.beryju.org/passbook/server:{{ .Values.image.tag }}"
+          imagePullPolicy: IfNotPresent
+          command: ["/bin/sh","-c"]
+          args: ["./manage.py migrate && ./manage.py app_gw_web"]
+          ports:
+            - name: http
+              containerPort: 8000
+              protocol: TCP
+          volumeMounts:
+            - mountPath: /etc/passbook
+              name: config-volume
+          livenessProbe:
+            httpGet:
+              path: /
+              port: http
+              httpHeaders:
+                - name: Host
+                  value: kubernetes-healthcheck-host
+          readinessProbe:
+            httpGet:
+              path: /
+              port: http
+              httpHeaders:
+                - name: Host
+                  value: kubernetes-healthcheck-host
+          resources:
+{{ toYaml .Values.resources | indent 12 }}
+    {{- with .Values.nodeSelector }}
+      nodeSelector:
+{{ toYaml . | indent 8 }}
+    {{- end }}
+    {{- with .Values.affinity }}
+      affinity:
+{{ toYaml . | indent 8 }}
+    {{- end }}
+    {{- with .Values.tolerations }}
+      tolerations:
+{{ toYaml . | indent 8 }}
+    {{- end }}

helm/passbook/templates/passbook-appgw-service.yaml

@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "passbook.fullname" . }}-appgw
+  labels:
+    app.kubernetes.io/name: {{ include "passbook.name" . }}
+    helm.sh/chart: {{ include "passbook.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: {{ .Values.service.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    app.kubernetes.io/name: {{ include "passbook.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    passbook.io/component: appgw

helm/passbook/templates/passbook-ingress.yaml

@@ -32,7 +32,16 @@ spec:
         paths:
           - path: {{ $ingressPath }}
             backend:
-              serviceName: {{ $fullName }}
+              serviceName: {{ $fullName }}-web
+              servicePort: http
+  {{- end }}
+  {{- range .Values.ingress.app_gw_hosts }}
+    - host: {{ . | quote }}
+      http:
+        paths:
+          - path: {{ $ingressPath }}
+            backend:
+              serviceName: {{ $fullName }}-appgw
               servicePort: http
   {{- end }}
 {{- end }}

helm/passbook/templates/passbook-web-service.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: {{ include "passbook.fullname" . }}
+  name: {{ include "passbook.fullname" . }}-web
   labels:
     app.kubernetes.io/name: {{ include "passbook.name" . }}
     helm.sh/chart: {{ include "passbook.chart" . }}

helm/passbook/values.yaml

@@ -5,7 +5,7 @@
 replicaCount: 1
 
 image:
-  tag: 0.2.1-beta
+  tag: 0.2.4-beta
 
 nameOverride: ""
 
@@ -37,6 +37,8 @@ ingress:
   path: /
   hosts:
     - passbook.k8s.local
+  app_gw_hosts:
+    - '*.passbook.k8s.local'
   defaultHost: passbook.k8s.local
   tls: []
   #  - secretName: chart-example-tls

passbook/__init__.py

@@ -1,2 +1,2 @@
 """passbook"""
-__version__ = '0.2.1-beta'
+__version__ = '0.2.4-beta'

passbook/admin/__init__.py

@@ -1,2 +1,2 @@
 """passbook admin"""
-__version__ = '0.2.1-beta'
+__version__ = '0.2.4-beta'

passbook/api/__init__.py

@@ -1,2 +1,2 @@
 """passbook api"""
-__version__ = '0.2.1-beta'
+__version__ = '0.2.4-beta'

passbook/app_gw/__init__.py

@@ -1,2 +1,2 @@
 """passbook Application Security Gateway Header"""
-__version__ = '0.2.1-beta'
+__version__ = '0.2.4-beta'

passbook/app_gw/management/commands/app_gw_web.py

@@ -0,0 +1,30 @@
+"""passbook app_gw webserver management command"""
+
+from logging import getLogger
+
+from daphne.cli import CommandLineInterface
+from django.core.management.base import BaseCommand
+from django.utils import autoreload
+
+from passbook.lib.config import CONFIG
+
+LOGGER = getLogger(__name__)
+
+
+class Command(BaseCommand):
+    """Run Daphne Webserver for app_gw"""
+
+    def handle(self, *args, **options):
+        """passbook daphne server"""
+        autoreload.run_with_reloader(self.daphne_server)
+
+    def daphne_server(self):
+        """Run daphne server within autoreload"""
+        autoreload.raise_last_exception()
+        CommandLineInterface().run([
+            '-p', str(CONFIG.y('app_gw.port', 8000)),
+            '-b', CONFIG.y('app_gw.listen', '0.0.0.0'),  # nosec
+            '--access-log', '/dev/null',
+            '--application-close-timeout', '500',
+            'passbook.app_gw.asgi:application'
+        ])

passbook/audit/__init__.py

@@ -1,2 +1,2 @@
 """passbook audit Header"""
-__version__ = '0.2.1-beta'
+__version__ = '0.2.4-beta'

passbook/audit/models.py

@@ -22,7 +22,7 @@ class AuditEntry(UUIDModel):
     ACTION_AUTHORIZE_APPLICATION = 'authorize_application'
     ACTION_SUSPICIOUS_REQUEST = 'suspicious_request'
     ACTION_SIGN_UP = 'sign_up'
-    ACTION_PASSWORD_RESET = 'password_reset' # noqa
+    ACTION_PASSWORD_RESET = 'password_reset' # noqa # nosec
     ACTION_INVITE_CREATED = 'invitation_created'
     ACTION_INVITE_USED = 'invitation_used'
     ACTIONS = (

passbook/captcha_factor/__init__.py

@@ -1,2 +1,2 @@
 """passbook captcha_factor Header"""
-__version__ = '0.2.1-beta'
+__version__ = '0.2.4-beta'

passbook/core/__init__.py

@@ -1,2 +1,2 @@
 """passbook core"""
-__version__ = '0.2.1-beta'
+__version__ = '0.2.4-beta'

passbook/core/management/commands/web.py

@@ -2,11 +2,12 @@
 
 from logging import getLogger
 
-from daphne.cli import CommandLineInterface
+import cherrypy
+from django.conf import settings
 from django.core.management.base import BaseCommand
-from django.utils import autoreload
 
 from passbook.lib.config import CONFIG
+from passbook.root.wsgi import application
 
 LOGGER = getLogger(__name__)
 
@@ -15,16 +16,21 @@ class Command(BaseCommand):
     """Run CherryPy webserver"""
 
     def handle(self, *args, **options):
-        """passbook daphne server"""
-        autoreload.run_with_reloader(self.daphne_server)
-
-    def daphne_server(self):
-        """Run daphne server within autoreload"""
-        autoreload.raise_last_exception()
-        CommandLineInterface().run([
-            '-p', str(CONFIG.y('web.port', 8000)),
-            '-b', CONFIG.y('web.listen', '0.0.0.0'),  # nosec
-            '--access-log', '/dev/null',
-            '--application-close-timeout', '500',
-            'passbook.root.asgi:application'
-        ])
+        """passbook cherrypy server"""
+        cherrypy.config.update(CONFIG.get('web'))
+        cherrypy.tree.graft(application, '/')
+        # Mount NullObject to serve static files
+        cherrypy.tree.mount(None, settings.STATIC_URL, config={
+            '/': {
+                'tools.staticdir.on': True,
+                'tools.staticdir.dir': settings.STATIC_ROOT,
+                'tools.expires.on': True,
+                'tools.expires.secs': 86400,
+                'tools.gzip.on': True,
+            }
+        })
+        cherrypy.engine.start()
+        for file in CONFIG.loaded_file:
+            cherrypy.engine.autoreload.files.add(file)
+            LOGGER.info("Added '%s' to autoreload triggers", file)
+        cherrypy.engine.block()

passbook/core/templates/base/skeleton_login.html

@@ -0,0 +1,54 @@
+{% load static %}
+{% load i18n %}
+{% load utils %}
+
+<!DOCTYPE html>
+<html lang="en" class="layout-pf layout-pf-fixed transitions">
+
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title>
+    {% block title %}
+    {% title %}
+    {% endblock %}
+  </title>
+  <link rel="icon" type="image/png" href="{% static 'img/logo.png' %}">
+  <link rel="shortcut icon" type="image/png" href="{% static 'img/logo.png' %}">
+  <link rel="stylesheet" type="text/css" href="{% static 'css/patternfly.min.css' %}">
+  <link rel="stylesheet" type="text/css" href="{% static 'css/patternfly-additions.min.css' %}">
+  <link rel="stylesheet" type="text/css" href="{% static 'css/passbook.css' %}">
+  <style>
+    .login-pf {
+      background-attachment: fixed;
+      scroll-behavior: smooth;
+      background-size: cover;
+    }
+  </style>
+  {% block head %}
+  {% endblock %}
+</head>
+
+<body class="login-pf">
+  {% if 'impersonate_id' in request.session %}
+  <div class="experimental-pf-bar">
+    <span id="experimentalBar" class="experimental-pf-text">
+      {% blocktrans with user=user %}You're currently impersonating {{ user }}.{% endblocktrans %}
+      <a href="?__unimpersonate=True" id="acceptMessage">{% trans 'Stop impersonation' %}</a>
+    </span>
+  </div>
+  {% endif %}
+  {% block body %}
+  {% endblock %}
+  <script src="{% static 'js/jquery.min.js' %}"></script>
+  <script src="{% static 'js/bootstrap.min.js' %}"></script>
+  <script src="{% static 'js/patternfly.min.js' %}"></script>
+  <script src="{% static 'js/passbook.js' %}"></script>
+  {% block scripts %}
+  {% endblock %}
+  <div class="modals">
+    {% include 'partials/about_modal.html' %}
+  </div>
+</body>
+
+</html>

passbook/core/templates/login/base.html

@@ -1,4 +1,4 @@
-{% extends 'base/skeleton.html' %}
+{% extends 'base/skeleton_login.html' %}
 
 {% load static %}
 {% load i18n %}

passbook/hibp_policy/__init__.py

@@ -1,2 +1,2 @@
 """passbook hibp_policy"""
-__version__ = '0.2.1-beta'
+__version__ = '0.2.4-beta'

passbook/ldap/__init__.py

@@ -1,2 +1,2 @@
 """Passbook ldap app Header"""
-__version__ = '0.2.1-beta'
+__version__ = '0.2.4-beta'

passbook/lib/__init__.py

@@ -1,2 +1,2 @@
 """passbook lib"""
-__version__ = '0.2.1-beta'
+__version__ = '0.2.4-beta'

passbook/lib/config.py

@@ -137,4 +137,6 @@ def signal_handler(sender, **kwargs):
     """Add all loaded config files to autoreload watcher"""
     for path in CONFIG.loaded_file:
         sender.watch_file(path)
+
+
 autoreload_started.connect(signal_handler)

passbook/lib/default.yml

@@ -23,9 +23,13 @@ email:
   use_ssl: false
   from: passbook <passbook@domain.tld>
 web:
-  listen: 0.0.0.0
-  port: 8000
-  threads: 30
+  server.socket_host: 0.0.0.0
+  server.socket_port: 8000
+  server.thread_pool: 20
+  log.screen: false
+  log.access_file: ''
+  log.error_file: ''
+
 debug: false
 secure_proxy_header:
   HTTP_X_FORWARDED_PROTO: https
@@ -96,3 +100,6 @@ saml_idp:
   types:
     - passbook.saml_idp.processors.generic
     - passbook.saml_idp.processors.salesforce
+app_gw:
+  listen: 0.0.0.0
+  port: 8000

passbook/oauth_client/__init__.py

@@ -1,2 +1,2 @@
 """passbook oauth_client Header"""
-__version__ = '0.2.1-beta'
+__version__ = '0.2.4-beta'

passbook/oauth_provider/__init__.py

@@ -1,2 +1,2 @@
 """passbook oauth_provider Header"""
-__version__ = '0.2.1-beta'
+__version__ = '0.2.4-beta'

passbook/oauth_provider/forms.py

@@ -1,4 +1,4 @@
-"""passbook OAuth2 IDP Forms"""
+"""passbook OAuth2 Provider Forms"""
 
 from django import forms
 

passbook/oauth_provider/models.py

@@ -25,8 +25,6 @@ class OAuth2Provider(Provider, AbstractApplication):
                 reverse('passbook_oauth_provider:token')),
             'userinfo_url': request.build_absolute_uri(
                 reverse('passbook_api:openid')),
-            'openid_url': request.build_absolute_uri(
-                reverse('passbook_oauth_provider:openid-discovery'))
         }
 
     class Meta:

passbook/oauth_provider/templates/oauth2_provider/setup_url_modal.html

@@ -31,19 +31,10 @@
             </div>
           </div>
         </form>
-        <hr>
-        <form class="form-horizontal">
-          <div class="form-group">
-            <label class="col-sm-3 control-label">{% trans 'OpenID Configuration URL' %}</label>
-            <div class="col-sm-9">
-              <input type="text"class="form-control" readonly value="{{ openid_url }}">
-            </div>
-          </div>
-        </form>
       </div>
       <div class="modal-footer">
         <button type="button" class="btn btn-primary" data-dismiss="modal">{% trans 'Close' %}</button>
       </div>
     </div>
   </div>
-</div>
+</div>

passbook/oauth_provider/urls.py

@@ -3,7 +3,7 @@
 from django.urls import path
 from oauth2_provider import views
 
-from passbook.oauth_provider.views import oauth2, openid
+from passbook.oauth_provider.views import oauth2
 
 urlpatterns = [
     # Custom OAuth 2 Authorize View
@@ -17,9 +17,4 @@ urlpatterns = [
     path("token/", views.TokenView.as_view(), name="token"),
     path("revoke_token/", views.RevokeTokenView.as_view(), name="revoke-token"),
     path("introspect/", views.IntrospectTokenView.as_view(), name="introspect"),
-    # OpenID-Connect Discovery
-    path('.well-known/openid-configuration', openid.OpenIDConfigurationView.as_view(),
-         name='openid-discovery'),
-    path('.well-known/jwks.json', openid.JSONWebKeyView.as_view(),
-         name='openid-jwks'),
 ]

passbook/oauth_provider/views/oauth2.py

@@ -57,10 +57,10 @@ class PassbookAuthorizationView(AccessMixin, AuthorizationView):
         provider.save()
         self._application = application
         # Check permissions
-        passing, policy_meaages = self.user_has_access(self._application, request.user)
+        passing, policy_messages = self.user_has_access(self._application, request.user)
         if not passing:
-            for policy_meaage in policy_meaages:
-                messages.error(request, policy_meaage)
+            for policy_message in policy_messages:
+                messages.error(request, policy_message)
             return redirect('passbook_oauth_provider:oauth2-permission-denied')
         # Some clients don't pass response_type, so we default to code
         if 'response_type' not in request.GET:

passbook/oauth_provider/views/openid.py

@@ -1,35 +0,0 @@
-"""passbook oauth provider OpenID Views"""
-
-from django.http import HttpRequest, JsonResponse
-from django.shortcuts import reverse
-from django.views.generic import View
-
-
-class OpenIDConfigurationView(View):
-    """Return OpenID Configuration"""
-
-    def get_issuer_url(self, request):
-        """Get correct issuer URL"""
-        full_url = request.build_absolute_uri(reverse('passbook_oauth_provider:openid-discovery'))
-        return full_url.replace(".well-known/openid-configuration", "")
-
-    def get(self, request: HttpRequest):
-        """Get Response conform to https://openid.net/specs/openid-connect-discovery-1_0.html"""
-        return JsonResponse({
-            'issuer': self.get_issuer_url(request),
-            'authorization_endpoint': request.build_absolute_uri(
-                reverse('passbook_oauth_provider:oauth2-authorize')),
-            'token_endpoint': request.build_absolute_uri(reverse('passbook_oauth_provider:token')),
-            "jwks_uri": request.build_absolute_uri(reverse('passbook_oauth_provider:openid-jwks')),
-            "scopes_supported": [
-                "openid",
-            ],
-        })
-
-
-class JSONWebKeyView(View):
-    """JSON Web Key View"""
-
-    def get(self, request: HttpRequest):
-        """JSON Webkeys are not implemented yet, hence return an empty object"""
-        return JsonResponse({})

passbook/oidc_provider/apps.py

@@ -0,0 +1,31 @@
+"""passbook auth oidc provider app config"""
+from logging import getLogger
+
+from django.apps import AppConfig
+from django.db.utils import InternalError, OperationalError, ProgrammingError
+from django.urls import include, path
+
+LOGGER = getLogger(__name__)
+
+class PassbookOIDCProviderConfig(AppConfig):
+    """passbook auth oidc provider app config"""
+
+    name = 'passbook.oidc_provider'
+    label = 'passbook_oidc_provider'
+    verbose_name = 'passbook OIDC Provider'
+
+    def ready(self):
+        try:
+            from Cryptodome.PublicKey import RSA
+            from oidc_provider.models import RSAKey
+            if not RSAKey.objects.exists():
+                key = RSA.generate(2048)
+                rsakey = RSAKey(key=key.exportKey('PEM').decode('utf8'))
+                rsakey.save()
+                LOGGER.info("Created key")
+        except (OperationalError, ProgrammingError, InternalError):
+            pass
+        from passbook.root import urls
+        urls.urlpatterns.append(
+            path('application/oidc/', include('oidc_provider.urls', namespace='oidc_provider')),
+        )

passbook/oidc_provider/forms.py

@@ -0,0 +1,38 @@
+"""passbook OIDC IDP Forms"""
+
+from django import forms
+from oauth2_provider.generators import (generate_client_id,
+                                        generate_client_secret)
+from oidc_provider.models import Client
+
+from passbook.oidc_provider.models import OpenIDProvider
+
+
+class OIDCProviderForm(forms.ModelForm):
+    """OpenID Client form"""
+
+    def __init__(self, *args, **kwargs):
+        # Correctly load data from 1:1 rel
+        if 'instance' in kwargs:
+            kwargs['instance'] = kwargs['instance'].oidc_client
+        super().__init__(*args, **kwargs)
+        self.fields['client_id'].initial = generate_client_id()
+        self.fields['client_secret'].initial = generate_client_secret()
+
+    def save(self, *args, **kwargs):
+        response = super().save(*args, **kwargs)
+        # Check if openidprovider class instance exists
+        if not OpenIDProvider.objects.filter(oidc_client=self.instance).exists():
+            OpenIDProvider.objects.create(oidc_client=self.instance)
+        return response
+
+    class Meta:
+        model = Client
+        fields = [
+            'name', 'client_type', 'client_id', 'client_secret', 'response_types',
+            'jwt_alg', 'reuse_consent', 'require_consent', '_redirect_uris', '_scope'
+        ]
+        # exclude = ['owner', 'website_url', 'terms_url', 'contact_email', 'logo', ]
+        labels = {
+            'client_secret': "Client Secret"
+        }

passbook/oidc_provider/lib.py

@@ -0,0 +1,30 @@
+"""OIDC Permission checking"""
+from logging import getLogger
+
+from django.contrib import messages
+from django.shortcuts import redirect
+
+from passbook.core.models import Application
+from passbook.core.policies import PolicyEngine
+
+LOGGER = getLogger(__name__)
+
+def check_permissions(request, user, client):
+    """Check permissions, used for
+    https://django-oidc-provider.readthedocs.io/en/latest/
+    sections/settings.html#oidc-after-userlogin-hook"""
+    try:
+        application = client.openidprovider.application
+    except Application.DoesNotExist:
+        return redirect('passbook_oauth_provider:oauth2-permission-denied')
+    LOGGER.debug("Checking permissions of %s on application %s...", user, application)
+    policy_engine = PolicyEngine(application.policies.all())
+    policy_engine.for_user(user).with_request(request).build()
+
+    # Check permissions
+    passing, policy_messages = policy_engine.result
+    if not passing:
+        for policy_message in policy_messages:
+            messages.error(request, policy_message)
+        return redirect('passbook_oauth_provider:oauth2-permission-denied')
+    return None

passbook/oidc_provider/migrations/0001_initial.py

@@ -0,0 +1,25 @@
+# Generated by Django 2.2.3 on 2019-07-05 12:16
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+        ('oidc_provider', '0026_client_multiple_response_types'),
+        ('passbook_core', '0024_ssologinpolicy'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='OpenIDProvider',
+            fields=[
+                ('provider_ptr', models.OneToOneField(auto_created=True, on_delete=django.db.models.deletion.CASCADE, parent_link=True, primary_key=True, serialize=False, to='passbook_core.Provider')),
+                ('oidc_client', models.OneToOneField(on_delete=django.db.models.deletion.CASCADE, to='oidc_provider.Client')),
+            ],
+            bases=('passbook_core.provider',),
+        ),
+    ]

passbook/oidc_provider/models.py

@@ -0,0 +1,45 @@
+"""oidc models"""
+from django.db import models
+from django.shortcuts import reverse
+from django.utils.translation import gettext as _
+from oidc_provider.models import Client
+
+from passbook.core.models import Provider
+
+
+class OpenIDProvider(Provider):
+    """Proxy model for OIDC Client"""
+    # Since oidc_provider doesn't currently support swappable models
+    # (https://github.com/juanifioren/django-oidc-provider/pull/305)
+    # we have a 1:1 relationship, and update oidc_client when the form is saved.
+
+    oidc_client = models.OneToOneField(Client, on_delete=models.CASCADE)
+
+    form = 'passbook.oidc_provider.forms.OIDCProviderForm'
+
+    @property
+    def name(self):
+        """Name property for UI"""
+        return self.oidc_client.name
+
+    def __str__(self):
+        return "OpenID Connect Provider %s" % self.oidc_client.__str__()
+
+    def html_setup_urls(self, request):
+        """return template and context modal with URLs for authorize, token, openid-config, etc"""
+        return "oidc_provider/setup_url_modal.html", {
+            'provider': self,
+            'authorize': request.build_absolute_uri(
+                reverse('oidc_provider:authorize')),
+            'token': request.build_absolute_uri(
+                reverse('oidc_provider:token')),
+            'userinfo': request.build_absolute_uri(
+                reverse('oidc_provider:userinfo')),
+            'provider_info': request.build_absolute_uri(
+                reverse('oidc_provider:provider-info')),
+        }
+
+    class Meta:
+
+        verbose_name = _('OpenID Provider')
+        verbose_name_plural = _('OpenID Providers')

passbook/oidc_provider/requirements.txt

@@ -0,0 +1 @@
+django-oidc-provider

passbook/oidc_provider/settings.py

@@ -0,0 +1,7 @@
+"""passbook OIDC Provider"""
+
+INSTALLED_APPS = [
+    'oidc_provider',
+]
+
+OIDC_AFTER_USERLOGIN_HOOK = "passbook.oidc_provider.lib.check_permissions"

passbook/oidc_provider/templates/oidc_provider/authorize.html

@@ -0,0 +1,70 @@
+{% extends "login/base.html" %}
+
+{% load utils %}
+{% load i18n %}
+
+{% block title %}
+{% title 'Authorize Application' %}
+{% endblock %}
+
+{% block card %}
+<header class="login-pf-header">
+  <h1>{% trans 'Authorize Application' %}</h1>
+</header>
+<form method="POST">
+    {% csrf_token %}
+    {% if not error %}
+        {% csrf_token %}
+        {% for field in form %}
+            {% if field.is_hidden %}
+                {{ field }}
+            {% endif %}
+        {% endfor %}
+        <div class="form-group">
+            <p class="subtitle">
+                {% blocktrans with remote=client.name %}
+                You're about to sign into {{ remote }}
+                {% endblocktrans %}
+            </p>
+            <p>{% trans "Application requires following permissions" %}</p>
+            <ul>
+                {% for scope in scopes %}
+                <li>{{ scope.name }}</li>
+                {% endfor %}
+            </ul>
+            {{ hidden_inputs }}
+            {{ form.errors }}
+            {{ form.non_field_errors }}
+            <p>
+                {% blocktrans with user=user %}
+                You are logged in as {{ user }}. Not you?
+                {% endblocktrans %}
+                <a href="{% url 'passbook_core:auth-logout' %}">{% trans 'Logout' %}</a>
+            </p>
+            <div class="form-group">
+                <input type="submit" class="btn btn-success btn-disabled btn-lg click-spinner" name="allow" value="{% trans 'Continue' %}">
+                <a href="{% back %}" class="btn btn-default btn-lg">{% trans "Cancel" %}</a>
+            </div>
+            <div class="form-group spinner-hidden hidden">
+                <div class="spinner"></div>
+            </div>
+        </div>
+    {% else %}
+    <div class="login-group">
+        <p class="subtitle">
+            {% blocktrans with err=error.error %}Error: {{ err }}{% endblocktrans %}
+        </p>
+        <p>{{ error.description }}</p>
+    </div>
+    {% endif %}
+</form>
+{% endblock %}
+
+{% block scripts %}
+<script>
+    $('.click-spinner').on('click', function (e) {
+        $('.spinner-hidden').removeClass('hidden');
+        $(e.target).addClass('disabled');
+    })
+</script>
+{% endblock %}

passbook/oidc_provider/templates/oidc_provider/setup_url_modal.html

@@ -0,0 +1,49 @@
+{% load i18n %}
+
+<button class="btn btn-default btn-sm" data-toggle="modal" data-target="#{{ provider.pk }}">{% trans 'View Setup URLs' %}</button>
+<div class="modal fade" id="{{ provider.pk }}" tabindex="-1" role="dialog" aria-labelledby="{{ provider.pk }}Label" aria-hidden="true">
+  <div class="modal-dialog">
+    <div class="modal-content">
+      <div class="modal-header">
+        <button type="button" class="close" data-dismiss="modal" aria-hidden="true" aria-label="Close">
+          <span class="pficon pficon-close"></span>
+        </button>
+        <h4 class="modal-title" id="{{ provider.pk }}Label">{% trans 'Setup URLs' %}</h4>
+      </div>
+      <div class="modal-body">
+        <form class="form-horizontal">
+          <div class="form-group">
+            <label class="col-sm-3 control-label">{% trans 'Authorize URL' %}</label>
+            <div class="col-sm-9">
+              <input type="text"class="form-control" readonly value="{{ authorize }}">
+            </div>
+          </div>
+          <div class="form-group">
+            <label class="col-sm-3 control-label">{% trans 'Token URL' %}</label>
+            <div class="col-sm-9">
+              <input type="text" class="form-control" readonly value="{{ token }}">
+            </div>
+          </div>
+          <div class="form-group">
+            <label class="col-sm-3 control-label">{% trans 'Userinfo Endpoint' %}</label>
+            <div class="col-sm-9">
+              <input type="text" class="form-control" readonly value="{{ userinfo }}">
+            </div>
+          </div>
+        </form>
+        <hr>
+        <form class="form-horizontal">
+          <div class="form-group">
+            <label class="col-sm-3 control-label">{% trans 'OpenID Configuration URL' %}</label>
+            <div class="col-sm-9">
+              <input type="text"class="form-control" readonly value="{{ provider_info }}">
+            </div>
+          </div>
+        </form>
+      </div>
+      <div class="modal-footer">
+        <button type="button" class="btn btn-primary" data-dismiss="modal">{% trans 'Close' %}</button>
+      </div>
+    </div>
+  </div>
+</div>

passbook/otp/__init__.py

@@ -1,2 +1,2 @@
 """passbook otp Header"""
-__version__ = '0.2.1-beta'
+__version__ = '0.2.4-beta'

passbook/password_expiry_policy/__init__.py

@@ -1,2 +1,2 @@
 """passbook password_expiry"""
-__version__ = '0.2.1-beta'
+__version__ = '0.2.4-beta'

passbook/root/requirements.txt

@@ -1,5 +1,6 @@
 celery
 colorlog
+cherrypy
 django-ipware
 django-model-utils
 django-redis
@@ -11,5 +12,4 @@ psycopg2
 PyYAML
 sentry-sdk
 pip
-whitenoise
 urllib3<1.25,>=1.21.1

passbook/root/settings.py

@@ -82,6 +82,7 @@ INSTALLED_APPS = [
     'passbook.ldap.apps.PassbookLdapConfig',
     'passbook.oauth_client.apps.PassbookOAuthClientConfig',
     'passbook.oauth_provider.apps.PassbookOAuthProviderConfig',
+    'passbook.oidc_provider.apps.PassbookOIDCProviderConfig',
     'passbook.saml_idp.apps.PassbookSAMLIDPConfig',
     'passbook.otp.apps.PassbookOTPConfig',
     'passbook.captcha_factor.apps.PassbookCaptchaFactorConfig',
@@ -122,7 +123,6 @@ CACHES = {
 
 MIDDLEWARE = [
     'django.contrib.sessions.middleware.SessionMiddleware',
-    'whitenoise.middleware.WhiteNoiseMiddleware',
     'django.contrib.auth.middleware.AuthenticationMiddleware',
     'passbook.app_gw.middleware.ApplicationGatewayMiddleware',
     'django.middleware.security.SecurityMiddleware',
@@ -221,7 +221,7 @@ CELERY_BEAT_SCHEDULE = {
 
 if not DEBUG:
     sentry_init(
-        dsn="https://55b5dd780bc14f4c96bba69b7a9abbcc@sentry.services.beryju.org/8",
+        dsn="https://33cdbcb23f8b436dbe0ee06847410b67@sentry.beryju.org/3",
         integrations=[
             DjangoIntegration(),
             CeleryIntegration(),
@@ -239,7 +239,6 @@ if not DEBUG:
 # https://docs.djangoproject.com/en/2.1/howto/static-files/
 
 STATIC_URL = '/static/'
-STATICFILES_STORAGE = 'whitenoise.storage.CompressedManifestStaticFilesStorage'
 
 with CONFIG.cd('log'):
     LOGGING = {

passbook/saml_idp/__init__.py

@@ -1,2 +1,2 @@
 """passbook saml_idp Header"""
-__version__ = '0.2.1-beta'
+__version__ = '0.2.4-beta'

passbook/suspicious_policy/__init__.py

@@ -1,2 +1,2 @@
 """passbook suspicious_policy"""
-__version__ = '0.2.1-beta'
+__version__ = '0.2.4-beta'

requirements-dev.txt

@@ -5,7 +5,7 @@ isort
 astroid==2.0.4
 pylint==2.1.1
 pylint-django==2.0.2
-prospector
+prospector==1.1.5
 django-debug-toolbar
 pycodestyle<2.4.0,>=2.0.0
 bumpversion

requirements.txt

@@ -8,3 +8,4 @@
 -r passbook/admin/requirements.txt
 -r passbook/api/requirements.txt
 -r passbook/app_gw/requirements.txt
+-r passbook/oidc_provider/requirements.txt