new release: 0.6.0-beta

fix path matching in docker compose

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 0.2.2-beta
+current_version = 0.6.0-beta
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\-(?P<release>.*)
@@ -15,10 +15,6 @@ values =
 	beta
 	stable
 
-[bumpversion:file:client-packages/allauth/setup.py]
-
-[bumpversion:file:client-packages/sentry-auth-passbook/setup.py]
-
 [bumpversion:file:helm/passbook/values.yaml]
 
 [bumpversion:file:helm/passbook/Chart.yaml]
@@ -27,33 +23,5 @@ values =
 
 [bumpversion:file:passbook/__init__.py]
 
-[bumpversion:file:passbook/api/__init__.py]
-
-[bumpversion:file:passbook/core/__init__.py]
-
-[bumpversion:file:passbook/admin/__init__.py]
-
-[bumpversion:file:passbook/captcha_factor/__init__.py]
-
-[bumpversion:file:passbook/oauth_client/__init__.py]
-
-[bumpversion:file:passbook/ldap/__init__.py]
-
-[bumpversion:file:passbook/lib/__init__.py]
-
-[bumpversion:file:passbook/hibp_policy/__init__.py]
-
-[bumpversion:file:passbook/password_expiry_policy/__init__.py]
-
-[bumpversion:file:passbook/saml_idp/__init__.py]
-
-[bumpversion:file:passbook/audit/__init__.py]
-
-[bumpversion:file:passbook/oauth_provider/__init__.py]
-
-[bumpversion:file:passbook/otp/__init__.py]
-
-[bumpversion:file:passbook/app_gw/__init__.py]
-
-[bumpversion:file:passbook/suspicious_policy/__init__.py]
+[bumpversion:file:docker/nginx.conf]
 

.coveragerc

@@ -1,7 +1,6 @@
 [run]
 source = passbook
 omit =
-    env/
     */wsgi.py
     manage.py
     */migrations/*

.dockerignore

@@ -2,3 +2,4 @@ env
 helm
 passbook-ui
 static
+*.env.yml

.gitignore

@@ -191,3 +191,4 @@ pip-selfcheck.json
 # End of https://www.gitignore.io/api/python,django
 /static/
 local.env.yml
+.vscode/

.gitlab-ci.yml

@@ -1,109 +1,135 @@
 # Global Variables
 stages:
-  - build-buildimage
+  - build-base-image
+  - build-dev-image
   - test
   - build
-  - docs
-  - deploy
-image: docker.beryju.org/passbook/build-base:latest
-services:
-  - postgres:latest
-  - redis:latest
+  - package
+image: docker.beryju.org/passbook/dev:latest
 
 variables:
   POSTGRES_DB: passbook
   POSTGRES_USER: passbook
   POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
 
-create-build-image:
+before_script:
+  - pip install pipenv
+  # Ensure all dependencies are installed, even those not included in passbook/dev
+  # According to pipenv docs, -d outputs all packages, however it actually does not
+  - pipenv lock -r > requirements-all.txt
+  - pipenv lock -rd >> requirements-all.txt
+  - pip install -r requirements-all.txt
+
+create-base-image:
   image:
     name: gcr.io/kaniko-project/executor:debug
     entrypoint: [""]
   before_script:
     - echo "{\"auths\":{\"docker.beryju.org\":{\"auth\":\"$DOCKER_AUTH\"}}}" > /kaniko/.docker/config.json
   script:
-    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile.build-base --destination docker.beryju.org/passbook/build-base:latest --destination docker.beryju.org/passbook/build-base:0.2.2-beta
-  stage: build-buildimage
+    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/base.Dockerfile --destination docker.beryju.org/passbook/base:latest --destination docker.beryju.org/passbook/base:0.6.0-beta
+  stage: build-base-image
   only:
     refs:
       - tags
       - /^version/.*$/
 
+build-dev-image:
+  image:
+    name: gcr.io/kaniko-project/executor:debug
+    entrypoint: [""]
+  before_script:
+    - echo "{\"auths\":{\"docker.beryju.org\":{\"auth\":\"$DOCKER_AUTH\"}}}" > /kaniko/.docker/config.json
+  script:
+    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/dev.Dockerfile --destination docker.beryju.org/passbook/dev:latest --destination docker.beryju.org/passbook/dev:0.6.0-beta
+  stage: build-dev-image
+  only:
+    refs:
+      - tags
+      - /^version/.*$/
+
+
 isort:
   script:
     - isort -c -sg env
   stage: test
+  services:
+  - postgres:latest
+  - redis:latest
 migrations:
   script:
     - python manage.py migrate
   stage: test
-prospector:
-  script:
-    - prospector
-  stage: test
-pylint:
-  script:
-    - pylint passbook
-  stage: test
+  services:
+  - postgres:latest
+  - redis:latest
+# prospector:
+#   script:
+#     - prospector
+#   stage: test
+#   services:
+#   - postgres:latest
+#   - redis:latest
+# pylint:
+#   script:
+#     - pylint passbook
+#   stage: test
+#   services:
+#   - postgres:latest
+#   - redis:latest
 coverage:
   script:
-    - python manage.py collectstatic --no-input
     - coverage run manage.py test
     - coverage report
+    - coverage html
   stage: test
-bandit:
-  script:
-    - bandit -r passbook
-  stage: test
+  services:
+  - postgres:latest
+  - redis:latest
 
-package-docker:
+build-passbook-server:
+  stage: build
   image:
     name: gcr.io/kaniko-project/executor:debug
     entrypoint: [""]
   before_script:
     - echo "{\"auths\":{\"docker.beryju.org\":{\"auth\":\"$DOCKER_AUTH\"}}}" > /kaniko/.docker/config.json
   script:
-    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination docker.beryju.org/passbook/server:latest --destination docker.beryju.org/passbook/server:0.2.2-beta
-  stage: build
+    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination docker.beryju.org/passbook/server:latest --destination docker.beryju.org/passbook/server:0.6.0-beta
   only:
     - tags
     - /^version/.*$/
-package-helm:
+build-passbook-static:
   stage: build
+  image:
+    name: gcr.io/kaniko-project/executor:debug
+    entrypoint: [""]
+  before_script:
+    - echo "{\"auths\":{\"docker.beryju.org\":{\"auth\":\"$DOCKER_AUTH\"}}}" > /kaniko/.docker/config.json
   script:
+    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/static.Dockerfile --destination docker.beryju.org/passbook/static:latest --destination docker.beryju.org/passbook/static:0.6.0-beta
+  only:
+    - tags
+    - /^version/.*$/
+  # running collectstatic fully initialises django, hence we need that databases
+  services:
+    - postgres:latest
+    - redis:latest
+
+package-helm:
+  image: debian:stretch-slim
+  stage: package
+  before_script:
+    - apt update && apt install -y curl
     - curl https://raw.githubusercontent.com/helm/helm/master/scripts/get | bash
+  script:
     - helm init --client-only
+    - helm dependency update helm/passbook
     - helm package helm/passbook
   artifacts:
     paths:
       - passbook-*.tgz
-    expire_in: 2 days
+    expire_in: 1 week
   only:
     - tags
     - /^version/.*$/
-
-package-client-package-allauth:
-  script:
-    - cd client-packages/allauth
-    - python setup.py sdist
-    - twine upload --username $TWINE_USERNAME --password $TWINE_PASSWORD dist/*
-  stage: build
-  only:
-    refs:
-      - tags
-      - /^version/.*$/
-    changes:
-      - client-packages/allauth/**
-
-package-client-package-sentry:
-  script:
-    - cd client-packages/sentry-auth-passbook
-    - python setup.py sdist
-    - twine upload --username $TWINE_USERNAME --password $TWINE_PASSWORD dist/*
-  stage: build
-  only:
-    refs:
-      - tags
-      - /^version/.*$/
-    changes:
-      - client-packages/sentry-auth-passbook/**

.prospector.yaml

@@ -3,11 +3,9 @@ test-warnings: true
 doc-warnings: false
 
 ignore-paths:
-  - env
   - migrations
   - docs
   - node_modules
-  - client-packages
 
 uses:
  - django

.pylintrc

@@ -2,9 +2,10 @@
 
 disable=redefined-outer-name,arguments-differ,no-self-use,cyclic-import,fixme,locally-disabled,unpacking-non-sequence,too-many-ancestors,too-many-branches,too-few-public-methods
 load-plugins=pylint_django,pylint.extensions.bad_builtin
-#,pylint.extensions.docparams
 extension-pkg-whitelist=lxml
 const-rgx=[a-zA-Z0-9_]{1,40}$
+ignored-modules=django-otp
+jobs=4
 
 [SIMILARITIES]
 

.vscode/.ropeproject/config.py

@@ -1,114 +0,0 @@
-# The default ``config.py``
-# flake8: noqa
-
-
-def set_prefs(prefs):
-    """This function is called before opening the project"""
-
-    # Specify which files and folders to ignore in the project.
-    # Changes to ignored resources are not added to the history and
-    # VCSs.  Also they are not returned in `Project.get_files()`.
-    # Note that ``?`` and ``*`` match all characters but slashes.
-    # '*.pyc': matches 'test.pyc' and 'pkg/test.pyc'
-    # 'mod*.pyc': matches 'test/mod1.pyc' but not 'mod/1.pyc'
-    # '.svn': matches 'pkg/.svn' and all of its children
-    # 'build/*.o': matches 'build/lib.o' but not 'build/sub/lib.o'
-    # 'build//*.o': matches 'build/lib.o' and 'build/sub/lib.o'
-    prefs['ignored_resources'] = ['*.pyc', '*~', '.ropeproject',
-                                  '.hg', '.svn', '_svn', '.git', '.tox']
-
-    # Specifies which files should be considered python files.  It is
-    # useful when you have scripts inside your project.  Only files
-    # ending with ``.py`` are considered to be python files by
-    # default.
-    # prefs['python_files'] = ['*.py']
-
-    # Custom source folders:  By default rope searches the project
-    # for finding source folders (folders that should be searched
-    # for finding modules).  You can add paths to that list.  Note
-    # that rope guesses project source folders correctly most of the
-    # time; use this if you have any problems.
-    # The folders should be relative to project root and use '/' for
-    # separating folders regardless of the platform rope is running on.
-    # 'src/my_source_folder' for instance.
-    # prefs.add('source_folders', 'src')
-
-    # You can extend python path for looking up modules
-    # prefs.add('python_path', '~/python/')
-
-    # Should rope save object information or not.
-    prefs['save_objectdb'] = True
-    prefs['compress_objectdb'] = False
-
-    # If `True`, rope analyzes each module when it is being saved.
-    prefs['automatic_soa'] = True
-    # The depth of calls to follow in static object analysis
-    prefs['soa_followed_calls'] = 0
-
-    # If `False` when running modules or unit tests "dynamic object
-    # analysis" is turned off.  This makes them much faster.
-    prefs['perform_doa'] = True
-
-    # Rope can check the validity of its object DB when running.
-    prefs['validate_objectdb'] = True
-
-    # How many undos to hold?
-    prefs['max_history_items'] = 32
-
-    # Shows whether to save history across sessions.
-    prefs['save_history'] = True
-    prefs['compress_history'] = False
-
-    # Set the number spaces used for indenting.  According to
-    # :PEP:`8`, it is best to use 4 spaces.  Since most of rope's
-    # unit-tests use 4 spaces it is more reliable, too.
-    prefs['indent_size'] = 4
-
-    # Builtin and c-extension modules that are allowed to be imported
-    # and inspected by rope.
-    prefs['extension_modules'] = []
-
-    # Add all standard c-extensions to extension_modules list.
-    prefs['import_dynload_stdmods'] = True
-
-    # If `True` modules with syntax errors are considered to be empty.
-    # The default value is `False`; When `False` syntax errors raise
-    # `rope.base.exceptions.ModuleSyntaxError` exception.
-    prefs['ignore_syntax_errors'] = False
-
-    # If `True`, rope ignores unresolvable imports.  Otherwise, they
-    # appear in the importing namespace.
-    prefs['ignore_bad_imports'] = False
-
-    # If `True`, rope will insert new module imports as
-    # `from <package> import <module>` by default.
-    prefs['prefer_module_from_imports'] = False
-
-    # If `True`, rope will transform a comma list of imports into
-    # multiple separate import statements when organizing
-    # imports.
-    prefs['split_imports'] = False
-
-    # If `True`, rope will remove all top-level import statements and
-    # reinsert them at the top of the module when making changes.
-    prefs['pull_imports_to_top'] = True
-
-    # If `True`, rope will sort imports alphabetically by module name instead
-    # of alphabetically by import statement, with from imports after normal
-    # imports.
-    prefs['sort_imports_alphabetically'] = False
-
-    # Location of implementation of
-    # rope.base.oi.type_hinting.interfaces.ITypeHintingFactory In general
-    # case, you don't have to change this value, unless you're an rope expert.
-    # Change this value to inject you own implementations of interfaces
-    # listed in module rope.base.oi.type_hinting.providers.interfaces
-    # For example, you can add you own providers for Django Models, or disable
-    # the search type-hinting in a class hierarchy, etc.
-    prefs['type_hinting_factory'] = (
-        'rope.base.oi.type_hinting.factory.default_type_hinting_factory')
-
-
-def project_opened(project):
-    """This function is called after opening the project"""
-    # Do whatever you like here!

.vscode/settings.json

@@ -1,14 +0,0 @@
-{
-  "python.pythonPath": "env/bin/python",
-  "editor.tabSize": 4,
-  "[html]": {
-    "editor.tabSize": 2
-  },
-  "[yml]": {
-    "editor.tabSize": 2
-  },
-  "cSpell.words": [
-    "SAML",
-    "passbook"
-  ]
-}

Dockerfile

@@ -1,34 +1,9 @@
-FROM python:3.6-slim-stretch as build
+FROM docker.beryju.org/passbook/base:latest
 
 COPY ./passbook/ /app/passbook
 COPY ./manage.py /app/
-COPY ./requirements.txt /app/
-
-WORKDIR /app/
-
-RUN apt-get update && apt-get install build-essential libssl-dev libffi-dev libpq-dev -y && \
-    mkdir /app/static/ && \
-    pip install -r requirements.txt && \
-    pip install psycopg2 && \
-    ./manage.py collectstatic --no-input && \
-    apt-get remove --purge -y build-essential && \
-    apt-get autoremove --purge -y
-
-FROM python:3.6-slim-stretch
-
-COPY ./passbook/ /app/passbook
-COPY ./manage.py /app/
-COPY ./requirements.txt /app/
-COPY --from=build /app/static /app/static/
-
-WORKDIR /app/
-
-RUN apt-get update && apt-get install build-essential libssl-dev libffi-dev libpq-dev -y && \
-    pip install -r requirements.txt && \
-    pip install psycopg2 && \
-    adduser --system --home /app/ passbook && \
-    chown -R passbook /app/ && \
-    apt-get remove --purge -y build-essential && \
-    apt-get autoremove --purge -y
+COPY ./docker/uwsgi.ini /app/
 
 USER passbook
+
+WORKDIR /app/

Dockerfile.build-base

@@ -1,12 +0,0 @@
-FROM python:3.6
-
-COPY ./passbook/ /app/passbook
-COPY ./client-packages/ /app/client-packages
-COPY ./requirements.txt /app/
-COPY ./requirements-dev.txt /app/
-
-WORKDIR /app/
-
-RUN apt-get update && apt-get install libssl-dev libffi-dev libpq-dev -y && \
-     pip install -U -r requirements-dev.txt && \
-     rm -rf /app/*

Pipfile

@@ -0,0 +1,54 @@
+[[source]]
+name = "pypi"
+url = "https://pypi.org/simple"
+verify_ssl = true
+
+[packages]
+celery = "*"
+cherrypy = "*"
+defusedxml = "*"
+django = "*"
+django-cors-middleware = "*"
+django-filters = "*"
+django-ipware = "*"
+django-model-utils = "*"
+django-oauth-toolkit = "*"
+django-oidc-provider = "*"
+django-otp = "*"
+django-recaptcha = "*"
+django-redis = "*"
+django-rest-framework = "*"
+djangorestframework = "==3.9.4"
+drf-yasg = "*"
+ldap3 = "*"
+lxml = "*"
+markdown = "*"
+oauthlib = "*"
+packaging = "*"
+psycopg2-binary = "*"
+pycryptodome = "*"
+pyyaml = "*"
+qrcode = "*"
+requests-oauthlib = "*"
+sentry-sdk = "*"
+service_identity = "*"
+signxml = "*"
+urllib3 = {extras = ["secure"],version = "*"}
+structlog = "*"
+
+[requires]
+python_version = "3.7"
+
+[dev-packages]
+astroid = "==2.2.5"
+coverage = "*"
+isort = "*"
+pylint = "==2.3.1"
+pylint-django = "==2.0.10"
+prospector = "==1.1.7"
+django-debug-toolbar = "*"
+bumpversion = "*"
+unittest-xml-reporting = "*"
+autopep8 = "*"
+bandit = "*"
+colorama = "*"

README.md

@@ -0,0 +1,9 @@
+# passbook
+
+## Quick instance
+
+```
+docker-compose pull
+docker-compose up -d
+docker-compose exec server ./manage.py createsuperuser
+```

base.Dockerfile

@@ -0,0 +1,19 @@
+FROM python:3.7-slim-stretch
+
+COPY ./Pipfile /app/
+COPY ./Pipfile.lock /app/
+
+WORKDIR /app/
+
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends build-essential && \
+    pip install pipenv uwsgi --no-cache-dir && \
+    apt-get remove -y --purge build-essential && \
+    apt-get autoremove -y --purge && \
+    rm -rf /var/lib/apt/lists/*
+
+RUN pipenv lock -r > requirements.txt && \
+    pipenv --rm && \
+    pip install -r requirements.txt  --no-cache-dir && \
+    adduser --system --no-create-home passbook && \
+    chown -R passbook /app

client-packages/allauth/allauth_passbook/provider.py

@@ -1,35 +0,0 @@
-"""passbook provider"""
-from allauth.socialaccount.providers.base import ProviderAccount
-from allauth.socialaccount.providers.oauth2.provider import OAuth2Provider
-
-
-class PassbookAccount(ProviderAccount):
-    """passbook account"""
-
-    def to_str(self):
-        dflt = super().to_str()
-        return self.account.extra_data.get('username', dflt)
-
-
-class PassbookProvider(OAuth2Provider):
-    """passbook provider"""
-
-    id = 'passbook'
-    name = 'passbook'
-    account_class = PassbookAccount
-
-    def extract_uid(self, data):
-        return str(data['sub'])
-
-    def extract_common_fields(self, data):
-        return {
-            'email': data.get('email'),
-            'username': data.get('preferred_username'),
-            'name': data.get('name'),
-        }
-
-    def get_default_scope(self):
-        return ['openid:userinfo']
-
-
-provider_classes = [PassbookProvider] # noqa

client-packages/allauth/allauth_passbook/urls.py

@@ -1,6 +0,0 @@
-"""passbook provider"""
-from allauth.socialaccount.providers.oauth2.urls import default_urlpatterns
-
-from allauth_passbook.provider import PassbookProvider
-
-urlpatterns = default_urlpatterns(PassbookProvider)

client-packages/allauth/allauth_passbook/views.py

@@ -1,37 +0,0 @@
-"""passbook adapter"""
-import requests
-from allauth.socialaccount import app_settings
-from allauth.socialaccount.providers.oauth2.views import (OAuth2Adapter,
-                                                          OAuth2CallbackView,
-                                                          OAuth2LoginView)
-
-from allauth_passbook.provider import PassbookProvider
-
-
-class PassbookOAuth2Adapter(OAuth2Adapter):
-    """passbook OAuth2 Adapter"""
-    provider_id = PassbookProvider.id
-    # pylint: disable=no-member
-    settings = app_settings.PROVIDERS.get(provider_id, {}) # noqa
-    provider_base_url = settings.get("PASSBOOK_URL", 'https://id.beryju.org')
-
-    access_token_url = '{0}/application/oauth/token/'.format(provider_base_url)
-    authorize_url = '{0}/application/oauth/authorize/'.format(provider_base_url)
-    profile_url = '{0}/api/v1/openid/'.format(
-        provider_base_url)
-
-    def complete_login(self, request, app, access_token, **kwargs):
-        headers = {
-            'Authorization': 'Bearer {0}'.format(access_token.token),
-            'Content-Type': 'application/json',
-        }
-        extra_data = requests.get(self.profile_url, headers=headers)
-
-        return self.get_provider().sociallogin_from_response(
-            request,
-            extra_data.json()
-        )
-
-
-oauth2_login = OAuth2LoginView.adapter_view(PassbookOAuth2Adapter) # noqa
-oauth2_callback = OAuth2CallbackView.adapter_view(PassbookOAuth2Adapter) # noqa

client-packages/allauth/requirements.txt

@@ -1 +0,0 @@
-django-allauth

client-packages/allauth/setup.py

@@ -1,33 +0,0 @@
-"""passbook allauth setup.py"""
-from setuptools import setup
-
-setup(
-    name='django-allauth-passbook',
-    version='0.2.2-beta',
-    description='passbook support for django-allauth',
-    # long_description='\n'.join(read_simple('docs/index.md')[2:]),
-    long_description_content_type='text/markdown',
-    author='BeryJu.org',
-    author_email='hello@beryju.org',
-    packages=['allauth_passbook'],
-    include_package_data=True,
-    install_requires=['django-allauth'],
-    keywords='django allauth passbook',
-    license='MIT',
-    classifiers=[
-        'Intended Audience :: Developers',
-        'Topic :: Software Development :: Libraries :: Python Modules',
-        'Environment :: Web Environment',
-        'Topic :: Internet',
-        'License :: OSI Approved :: MIT License',
-        'Operating System :: OS Independent',
-        'Programming Language :: Python',
-        'Programming Language :: Python :: 3.4',
-        'Programming Language :: Python :: 3.5',
-        'Programming Language :: Python :: 3.6',
-        'Framework :: Django',
-        'Framework :: Django :: 1.11',
-        'Framework :: Django :: 2.0',
-        'Framework :: Django :: 2.1',
-    ],
-)

client-packages/sentry-auth-passbook/.gitignore

@@ -1,5 +0,0 @@
-*.pyc
-*.egg-info/
-*.eggs
-/dist
-/build

client-packages/sentry-auth-passbook/.travis.yml

@@ -1,32 +0,0 @@
-sudo: false
-language: python
-services:
-  - memcached
-  - postgresql
-  - redis-server
-python:
-  - '2.7'
-cache:
-  directories:
-    - node_modules
-    - "$HOME/.cache/pip"
-deploy:
-  provider: pypi
-  user: getsentry
-  password:
-    secure: kVmxKHkBWRLYyZme05p+WZSJmb8GjHV9uyuaSCVMRlqWCW+GXRB7P1xXR2jb9URTlNdcs56Ab/UrwzCbMFGC8LmwCeFVgIR/ltytVZG2FgXZPWaeA4dH25qK2oGWgzJ/xeiMpmuJqN9hRl25MX6jG7FZKvrrOkG7+8tpPd1yO+uYWZQbnebZMjcPBqEpn7CC0hR39GSoyVAbydpMe5hwENGQM26CepcicdrelfawItoUrXrkJzBHkIQQTO/xRSbCtRJOtzI5lwtv3GP0hcbOy5tI5dhG/93pLwZRc5+dZaCaP7oaVeOcBjN0zfINRQobt8d6h2Qgvd/YyFkGi0/xKn1zMmKIVLOG6VsYwEAUq8wNOsP4A/jdm4Y0J/1oEZStCkpaGpx85TYi4kq1hWQdyqaVJSPhh4Tk4roIaS2zOYQl+nIpbHqmJ4FJrg1il+TCdjBXobATQ1mKRBUrjD+RDzH/r4ogbd8+UwvvvevpqS2K+/wgT6UD0MzDInv9S29CUQvuFhPoqyJb5XRddHMRE9EEK/2Z8tFN91sDATnqfXHgwnvu00q/nKP5JnijBPzGmx7ydgUViIukklDrlPvo9BbRJz0Vr2vbAvMTrLMLCXqi5CwTm+v+iaOf/YaCziaG2vx0eVASYjpOLCedSgRZBubPM8z4E/HMXhChN7sVDWk=
-  on:
-    tags: true
-  distributions: sdist bdist_wheel
-env:
-  global:
-    - PIP_DOWNLOAD_CACHE=".pip_download_cache"
-before_install:
-  - pip install codecov
-install:
-  - make develop
-script:
-  - PYFLAKES_NODOCTEST=1 flake8
-  - coverage run --source=. -m py.test tests
-after_success:
-  - codecov

client-packages/sentry-auth-passbook/LICENSE

@@ -1,201 +0,0 @@
-                              Apache License
-                        Version 2.0, January 2004
-                     http://www.apache.org/licenses/
-
-TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
-1. Definitions.
-
-   "License" shall mean the terms and conditions for use, reproduction,
-   and distribution as defined by Sections 1 through 9 of this document.
-
-   "Licensor" shall mean the copyright owner or entity authorized by
-   the copyright owner that is granting the License.
-
-   "Legal Entity" shall mean the union of the acting entity and all
-   other entities that control, are controlled by, or are under common
-   control with that entity. For the purposes of this definition,
-   "control" means (i) the power, direct or indirect, to cause the
-   direction or management of such entity, whether by contract or
-   otherwise, or (ii) ownership of fifty percent (50%) or more of the
-   outstanding shares, or (iii) beneficial ownership of such entity.
-
-   "You" (or "Your") shall mean an individual or Legal Entity
-   exercising permissions granted by this License.
-
-   "Source" form shall mean the preferred form for making modifications,
-   including but not limited to software source code, documentation
-   source, and configuration files.
-
-   "Object" form shall mean any form resulting from mechanical
-   transformation or translation of a Source form, including but
-   not limited to compiled object code, generated documentation,
-   and conversions to other media types.
-
-   "Work" shall mean the work of authorship, whether in Source or
-   Object form, made available under the License, as indicated by a
-   copyright notice that is included in or attached to the work
-   (an example is provided in the Appendix below).
-
-   "Derivative Works" shall mean any work, whether in Source or Object
-   form, that is based on (or derived from) the Work and for which the
-   editorial revisions, annotations, elaborations, or other modifications
-   represent, as a whole, an original work of authorship. For the purposes
-   of this License, Derivative Works shall not include works that remain
-   separable from, or merely link (or bind by name) to the interfaces of,
-   the Work and Derivative Works thereof.
-
-   "Contribution" shall mean any work of authorship, including
-   the original version of the Work and any modifications or additions
-   to that Work or Derivative Works thereof, that is intentionally
-   submitted to Licensor for inclusion in the Work by the copyright owner
-   or by an individual or Legal Entity authorized to submit on behalf of
-   the copyright owner. For the purposes of this definition, "submitted"
-   means any form of electronic, verbal, or written communication sent
-   to the Licensor or its representatives, including but not limited to
-   communication on electronic mailing lists, source code control systems,
-   and issue tracking systems that are managed by, or on behalf of, the
-   Licensor for the purpose of discussing and improving the Work, but
-   excluding communication that is conspicuously marked or otherwise
-   designated in writing by the copyright owner as "Not a Contribution."
-
-   "Contributor" shall mean Licensor and any individual or Legal Entity
-   on behalf of whom a Contribution has been received by Licensor and
-   subsequently incorporated within the Work.
-
-2. Grant of Copyright License. Subject to the terms and conditions of
-   this License, each Contributor hereby grants to You a perpetual,
-   worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-   copyright license to reproduce, prepare Derivative Works of,
-   publicly display, publicly perform, sublicense, and distribute the
-   Work and such Derivative Works in Source or Object form.
-
-3. Grant of Patent License. Subject to the terms and conditions of
-   this License, each Contributor hereby grants to You a perpetual,
-   worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-   (except as stated in this section) patent license to make, have made,
-   use, offer to sell, sell, import, and otherwise transfer the Work,
-   where such license applies only to those patent claims licensable
-   by such Contributor that are necessarily infringed by their
-   Contribution(s) alone or by combination of their Contribution(s)
-   with the Work to which such Contribution(s) was submitted. If You
-   institute patent litigation against any entity (including a
-   cross-claim or counterclaim in a lawsuit) alleging that the Work
-   or a Contribution incorporated within the Work constitutes direct
-   or contributory patent infringement, then any patent licenses
-   granted to You under this License for that Work shall terminate
-   as of the date such litigation is filed.
-
-4. Redistribution. You may reproduce and distribute copies of the
-   Work or Derivative Works thereof in any medium, with or without
-   modifications, and in Source or Object form, provided that You
-   meet the following conditions:
-
-   (a) You must give any other recipients of the Work or
-       Derivative Works a copy of this License; and
-
-   (b) You must cause any modified files to carry prominent notices
-       stating that You changed the files; and
-
-   (c) You must retain, in the Source form of any Derivative Works
-       that You distribute, all copyright, patent, trademark, and
-       attribution notices from the Source form of the Work,
-       excluding those notices that do not pertain to any part of
-       the Derivative Works; and
-
-   (d) If the Work includes a "NOTICE" text file as part of its
-       distribution, then any Derivative Works that You distribute must
-       include a readable copy of the attribution notices contained
-       within such NOTICE file, excluding those notices that do not
-       pertain to any part of the Derivative Works, in at least one
-       of the following places: within a NOTICE text file distributed
-       as part of the Derivative Works; within the Source form or
-       documentation, if provided along with the Derivative Works; or,
-       within a display generated by the Derivative Works, if and
-       wherever such third-party notices normally appear. The contents
-       of the NOTICE file are for informational purposes only and
-       do not modify the License. You may add Your own attribution
-       notices within Derivative Works that You distribute, alongside
-       or as an addendum to the NOTICE text from the Work, provided
-       that such additional attribution notices cannot be construed
-       as modifying the License.
-
-   You may add Your own copyright statement to Your modifications and
-   may provide additional or different license terms and conditions
-   for use, reproduction, or distribution of Your modifications, or
-   for any such Derivative Works as a whole, provided Your use,
-   reproduction, and distribution of the Work otherwise complies with
-   the conditions stated in this License.
-
-5. Submission of Contributions. Unless You explicitly state otherwise,
-   any Contribution intentionally submitted for inclusion in the Work
-   by You to the Licensor shall be under the terms and conditions of
-   this License, without any additional terms or conditions.
-   Notwithstanding the above, nothing herein shall supersede or modify
-   the terms of any separate license agreement you may have executed
-   with Licensor regarding such Contributions.
-
-6. Trademarks. This License does not grant permission to use the trade
-   names, trademarks, service marks, or product names of the Licensor,
-   except as required for reasonable and customary use in describing the
-   origin of the Work and reproducing the content of the NOTICE file.
-
-7. Disclaimer of Warranty. Unless required by applicable law or
-   agreed to in writing, Licensor provides the Work (and each
-   Contributor provides its Contributions) on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-   implied, including, without limitation, any warranties or conditions
-   of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
-   PARTICULAR PURPOSE. You are solely responsible for determining the
-   appropriateness of using or redistributing the Work and assume any
-   risks associated with Your exercise of permissions under this License.
-
-8. Limitation of Liability. In no event and under no legal theory,
-   whether in tort (including negligence), contract, or otherwise,
-   unless required by applicable law (such as deliberate and grossly
-   negligent acts) or agreed to in writing, shall any Contributor be
-   liable to You for damages, including any direct, indirect, special,
-   incidental, or consequential damages of any character arising as a
-   result of this License or out of the use or inability to use the
-   Work (including but not limited to damages for loss of goodwill,
-   work stoppage, computer failure or malfunction, or any and all
-   other commercial damages or losses), even if such Contributor
-   has been advised of the possibility of such damages.
-
-9. Accepting Warranty or Additional Liability. While redistributing
-   the Work or Derivative Works thereof, You may choose to offer,
-   and charge a fee for, acceptance of support, warranty, indemnity,
-   or other liability obligations and/or rights consistent with this
-   License. However, in accepting such obligations, You may act only
-   on Your own behalf and on Your sole responsibility, not on behalf
-   of any other Contributor, and only if You agree to indemnify,
-   defend, and hold each Contributor harmless for any liability
-   incurred by, or claims asserted against, such Contributor by reason
-   of your accepting any such warranty or additional liability.
-
-END OF TERMS AND CONDITIONS
-
-APPENDIX: How to apply the Apache License to your work.
-
-   To apply the Apache License to your work, attach the following
-   boilerplate notice, with the fields enclosed by brackets "[]"
-   replaced with your own identifying information. (Don't include
-   the brackets!)  The text should be enclosed in the appropriate
-   comment syntax for the file format. We also recommend that a
-   file or class name and description of purpose be included on the
-   same "printed page" as the copyright notice for easier
-   identification within third-party archives.
-
-Copyright 2016 Functional Software, Inc.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.

client-packages/sentry-auth-passbook/MANIFEST.in

@@ -1,3 +0,0 @@
-include setup.py package.json webpack.config.js README.rst MANIFEST.in LICENSE AUTHORS
-recursive-include sentry_auth_supervisr/templates *
-global-exclude *~

client-packages/sentry-auth-passbook/Makefile

@@ -1,26 +0,0 @@
-.PHONY: clean develop install-tests lint publish test
-
-develop:
-	pip install "pip>=7"
-	pip install -e .
-	make install-tests
-
-install-tests:
-	pip install .[tests]
-
-lint:
-	@echo "--> Linting python"
-	flake8
-	@echo ""
-
-test:
-	@echo "--> Running Python tests"
-	py.test tests || exit 1
-	@echo ""
-
-publish:
-	python setup.py sdist bdist_wheel upload
-
-clean:
-	rm -rf *.egg-info src/*.egg-info
-	rm -rf dist build

client-packages/sentry-auth-passbook/README.rst

@@ -1,55 +0,0 @@
-GitHub Auth for Sentry
-======================
-
-An SSO provider for Sentry which enables GitHub organization-restricted authentication.
-
-Install
--------
-
-::
-
-    $ pip install https://github.com/getsentry/sentry-auth-github/archive/master.zip
-
-Setup
------
-
-Create a new application under your organization in GitHub. Enter the **Authorization
-callback URL** as the prefix to your Sentry installation:
-
-::
-
-    https://example.sentry.com
-
-
-Once done, grab your API keys and drop them in your ``sentry.conf.py``:
-
-.. code-block:: python
-
-    GITHUB_APP_ID = ""
-
-    GITHUB_API_SECRET = ""
-
-
-Verified email addresses can optionally be required:
-
-.. code-block:: python
-
-    GITHUB_REQUIRE_VERIFIED_EMAIL = True
-
-
-Optionally you may also specify the domain (for GHE users):
-
-.. code-block:: python
-
-    GITHUB_BASE_DOMAIN = "git.example.com"
-
-    GITHUB_API_DOMAIN = "api.git.example.com"
-
-
-If Subdomain isolation is disabled in GHE:
-
-.. code-block:: python
-
-    GITHUB_BASE_DOMAIN = "git.example.com"
-
-    GITHUB_API_DOMAIN = "git.example.com/api/v3"

client-packages/sentry-auth-passbook/conftest.py

@@ -1,14 +0,0 @@
-from __future__ import absolute_import
-
-# Run tests against sqlite for simplicity
-import os
-import os.path
-import sys
-
-sys.path.insert(0, os.path.join(os.path.dirname(__file__)))
-
-os.environ.setdefault('DB', 'sqlite')
-
-pytest_plugins = [
-    'sentry.utils.pytest'
-]

client-packages/sentry-auth-passbook/sentry_auth_passbook/__init__.py

@@ -1,7 +0,0 @@
-from __future__ import absolute_import
-
-from sentry.auth import register
-
-from .provider import PassbookOAuth2Provider
-
-register('passbook', PassbookOAuth2Provider)

client-packages/sentry-auth-passbook/sentry_auth_passbook/client.py

@@ -1,45 +0,0 @@
-from __future__ import absolute_import, print_function
-
-from requests.exceptions import RequestException
-
-from sentry import http
-from sentry.utils import json
-
-from .constants import BASE_DOMAIN
-
-
-class PassbookApiError(Exception):
-    def __init__(self, message='', status=0):
-        super(PassbookApiError, self).__init__(message)
-        self.status = status
-
-
-class PassbookClient(object):
-    def __init__(self, client_id, client_secret):
-        self.client_id = client_id
-        self.client_secret = client_secret
-        self.http = http.build_session()
-
-    def _request(self, path, access_token):
-        params = {
-            'client_id': self.client_id,
-            'client_secret': self.client_secret,
-        }
-
-        headers = {
-            'Authorization': 'Bearer {0}'.format(access_token),
-        }
-
-        try:
-            req = self.http.get('https://{0}/{1}'.format(BASE_DOMAIN, path.lstrip('/')),
-                params=params,
-                headers=headers,
-            )
-        except RequestException as e:
-            raise PassbookApiError(unicode(e), status=getattr(e, 'status_code', 0))
-        if req.status_code < 200 or req.status_code >= 300:
-            raise PassbookApiError(req.content, status=req.status_code)
-        return json.loads(req.content)
-
-    def get_user(self, access_token):
-        return self._request('/api/v1/openid/', access_token)

client-packages/sentry-auth-passbook/sentry_auth_passbook/constants.py

@@ -1,14 +0,0 @@
-from __future__ import absolute_import, print_function
-
-from django.conf import settings
-
-CLIENT_ID = getattr(settings, 'PASSBOOK_APP_ID', None)
-
-CLIENT_SECRET = getattr(settings, 'PASSBOOK_API_SECRET', None)
-
-SCOPE = 'openid:userinfo'
-
-BASE_DOMAIN = getattr(settings, 'PASSBOOK_BASE_DOMAIN', 'id.beryju.org')
-
-ACCESS_TOKEN_URL = 'https://{0}/application/oauth/token/'.format(BASE_DOMAIN)
-AUTHORIZE_URL = 'https://{0}/application/oauth/authorize/'.format(BASE_DOMAIN)

client-packages/sentry-auth-passbook/sentry_auth_passbook/provider.py

@@ -1,62 +0,0 @@
-from __future__ import absolute_import, print_function
-
-from sentry.auth.exceptions import IdentityNotValid
-from sentry.auth.providers.oauth2 import (OAuth2Callback, OAuth2Login,
-                                          OAuth2Provider)
-
-from .client import PassbookApiError, PassbookClient
-from .constants import (ACCESS_TOKEN_URL, AUTHORIZE_URL, CLIENT_ID,
-                        CLIENT_SECRET, SCOPE)
-from .views import FetchUser, PassbookConfigureView
-
-
-class PassbookOAuth2Provider(OAuth2Provider):
-    access_token_url = ACCESS_TOKEN_URL
-    authorize_url = AUTHORIZE_URL
-    name = 'Passbook'
-    client_id = CLIENT_ID
-    client_secret = CLIENT_SECRET
-
-    def __init__(self, **config):
-        super(PassbookOAuth2Provider, self).__init__(**config)
-
-    def get_configure_view(self):
-        return PassbookConfigureView.as_view()
-
-    def get_auth_pipeline(self):
-        return [
-            OAuth2Login(
-                authorize_url=self.authorize_url,
-                client_id=self.client_id,
-                scope=SCOPE,
-            ),
-            OAuth2Callback(
-                access_token_url=self.access_token_url,
-                client_id=self.client_id,
-                client_secret=self.client_secret,
-            ),
-            FetchUser(
-                client_id=self.client_id,
-                client_secret=self.client_secret,
-            ),
-        ]
-
-    def get_refresh_token_url(self):
-        return ACCESS_TOKEN_URL
-
-    def build_identity(self, state):
-        data = state['data']
-        user_data = state['user']
-        return {
-            'id': user_data['email'],
-            'email': user_data['email'],
-            'name': user_data['name'],
-            'data': self.get_oauth_data(data),
-        }
-
-    def build_config(self, state):
-        return {}
-
-    def refresh_identity(self, auth_identity):
-        client = PassbookClient(self.client_id, self.client_secret)
-        access_token = auth_identity.data['access_token']

client-packages/sentry-auth-passbook/sentry_auth_passbook/views.py

@@ -1,75 +0,0 @@
-from __future__ import absolute_import, print_function
-
-from django import forms
-
-from sentry.auth.view import AuthView, ConfigureView
-from sentry.models import AuthIdentity
-
-from .client import PassbookClient
-
-
-def _get_name_from_email(email):
-    """
-    Given an email return a capitalized name. Ex. john.smith@example.com would return John Smith.
-    """
-    name = email.rsplit('@', 1)[0]
-    name = ' '.join([n_part.capitalize() for n_part in name.split('.')])
-    return name
-
-
-class FetchUser(AuthView):
-    def __init__(self, client_id, client_secret, *args, **kwargs):
-        self.client = PassbookClient(client_id, client_secret)
-        super(FetchUser, self).__init__(*args, **kwargs)
-
-    def handle(self, request, helper):
-        access_token = helper.fetch_state('data')['access_token']
-
-        user = self.client.get_user(access_token)
-
-        # A user hasn't set their name in their Passbook profile so it isn't
-        # populated in the response
-        if not user.get('name'):
-            user['name'] = _get_name_from_email(user['email'])
-
-        helper.bind_state('user', user)
-
-        return helper.next_step()
-
-
-class ConfirmEmailForm(forms.Form):
-    email = forms.EmailField(label='Email')
-
-
-class ConfirmEmail(AuthView):
-    def handle(self, request, helper):
-        user = helper.fetch_state('user')
-
-        # TODO(dcramer): this isnt ideal, but our current flow doesnt really
-        # support this behavior;
-        try:
-            auth_identity = AuthIdentity.objects.select_related('user').get(
-                auth_provider=helper.auth_provider,
-                ident=user['id'],
-            )
-        except AuthIdentity.DoesNotExist:
-            pass
-        else:
-            user['email'] = auth_identity.user.email
-
-        if user.get('email'):
-            return helper.next_step()
-
-        form = ConfirmEmailForm(request.POST or None)
-        if form.is_valid():
-            user['email'] = form.cleaned_data['email']
-            helper.bind_state('user', user)
-            return helper.next_step()
-
-        return self.respond('sentry_auth_passbook/enter-email.html', {
-            'form': form,
-        })
-
-class PassbookConfigureView(ConfigureView):
-    def dispatch(self, request, organization, auth_provider):
-        return self.render('sentry_auth_passbook/configure.html')

client-packages/sentry-auth-passbook/setup.cfg

@@ -1,12 +0,0 @@
-[wheel]
-universal = 1
-
-[pytest]
-python_files = test*.py
-addopts = --tb=native -p no:doctest
-norecursedirs = bin dist docs htmlcov script hooks node_modules .* {args}
-
-[flake8]
-ignore = F999,E501,E128,E124,E402,W503,E731,C901
-max-line-length = 100
-exclude = .tox,.git,*/migrations/*,node_modules/*,docs/*

client-packages/sentry-auth-passbook/setup.py

@@ -1,45 +0,0 @@
-#!/usr/bin/env python
-"""
-sentry-auth-passbook
-==================
-
-:copyright: (c) 2016 Functional Software, Inc
-"""
-from setuptools import find_packages, setup
-
-install_requires = [
-    'sentry>=7.0.0',
-]
-
-tests_require = [
-    'mock',
-    'flake8>=2.0,<2.1',
-]
-
-setup(
-    name='sentry-auth-passbook',
-    version='0.2.2-beta',
-    author='BeryJu.org',
-    author_email='support@beryju.org',
-    url='https://passbook.beryju.org',
-    description='passbook authentication provider for Sentry',
-    long_description=__doc__,
-    license='MIT',
-    packages=find_packages(exclude=['tests']),
-    zip_safe=False,
-    install_requires=install_requires,
-    tests_require=tests_require,
-    extras_require={'tests': tests_require},
-    include_package_data=True,
-    entry_points={
-        'sentry.apps': [
-            'auth_passbook = sentry_auth_passbook',
-        ],
-    },
-    classifiers=[
-        'Intended Audience :: Developers',
-        'Intended Audience :: System Administrators',
-        'Operating System :: OS Independent',
-        'Topic :: Software Development'
-    ],
-)

client-packages/sentry-auth-passbook/tests/test_provider.py

@@ -1,6 +0,0 @@
-from sentry.testutils import TestCase
-
-
-class GitHubOAuth2ProviderTest(TestCase):
-    def test_simple(self):
-        pass

client-packages/sentry-auth-passbook/tests/test_views.py

@@ -1,17 +0,0 @@
-from __future__ import absolute_import, print_function
-
-import pytest
-from sentry_auth_sentry.views import _get_name_from_email
-
-expected_data = [
-    ('john.smith@example.com', 'John Smith'),
-    ('john@example.com', 'John'),
-    ('XYZ-234=3523@example.com', 'Xyz-234=3523'),
-    ('XYZ.1111@example.com', 'Xyz 1111'),
-    ('JOHN@example.com', 'John'),
-]
-
-
-@pytest.mark.parametrize("email,expected_name", expected_data)
-def test_get_name_from_email(email, expected_name):
-    assert _get_name_from_email(email) == expected_name

dev.Dockerfile

@@ -0,0 +1,5 @@
+FROM docker.beryju.org/passbook/base:latest
+
+RUN pipenv lock --dev -r > requirements-dev.txt && \
+    pipenv --rm && \
+    pip install -r /app/requirements-dev.txt  --no-cache-dir

docker-compose.yml

@@ -0,0 +1,97 @@
+---
+version: '3.2'
+
+services:
+  postgresql:
+    image: postgres
+    volumes:
+      - database:/var/lib/postgresql/data
+    networks:
+      - internal
+    environment:
+      - POSTGRES_PASSWORD=${PG_PASS:-thisisnotagoodpassword}
+      - POSTGRES_USER=passbook
+      - POSTGRES_DB=passbook
+    labels:
+      - traefik.enable=false
+  redis:
+    image: redis
+    networks:
+      - internal
+    labels:
+      - traefik.enable=false
+  database-migrate:
+    build:
+      context: .
+    image: docker.beryju.org/passbook/server:${TAG:-test}
+    command:
+      - ./manage.py
+      - migrate
+    networks:
+      - internal
+    restart: 'no'
+    environment:
+      - PASSBOOK_REDIS__HOST=redis
+      - PASSBOOK_POSTGRESQL__HOST=postgresql
+      - PASSBOOK_POSTGRESQL__PASSWORD=${PG_PASS:-thisisnotagoodpassword}
+  server:
+    build:
+      context: .
+    image: docker.beryju.org/passbook/server:${TAG:-test}
+    command:
+      - uwsgi
+      - uwsgi.ini
+    environment:
+      - PASSBOOK_REDIS__HOST=redis
+      - PASSBOOK_POSTGRESQL__HOST=postgresql
+      - PASSBOOK_POSTGRESQL__PASSWORD=${PG_PASS:-thisisnotagoodpassword}
+    ports:
+      - 8000
+    networks:
+      - internal
+    labels:
+      - traefik.port=8000
+      - traefik.docker.network=internal
+      - traefik.frontend.rule=PathPrefix:/
+  worker:
+    image: docker.beryju.org/passbook/server:${TAG:-test}
+    command:
+      - ./manage.py
+      - worker
+    networks:
+      - internal
+    labels:
+      - traefik.enable=false
+    environment:
+      - PASSBOOK_REDIS__HOST=redis
+      - PASSBOOK_POSTGRESQL__HOST=postgresql
+      - PASSBOOK_POSTGRESQL__PASSWORD=${PG_PASS:-thisisnotagoodpassword}
+  static:
+    build:
+      context: .
+      dockerfile: static.Dockerfile
+    image: docker.beryju.org/passbook/static:${TAG:-test}
+    networks:
+      - internal
+    labels:
+      - traefik.frontend.rule=PathPrefix:/static, /robots.txt
+      - traefik.port=80
+      - traefik.docker.network=internal
+  traefik:
+    image: traefik:1.7
+    command: --api --docker
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    ports:
+      - "0.0.0.0:80:80"
+      - "0.0.0.0:443:443"
+      - "0.0.0.0:8080:8080"
+    networks:
+      - internal
+
+volumes:
+  database:
+    driver: local
+
+networks:
+  internal: {}

docker/nginx.conf

@@ -0,0 +1,66 @@
+user  nginx;
+worker_processes  1;
+
+error_log  stderr warn;
+pid        /var/run/nginx.pid;
+
+events {
+    worker_connections  1024;
+}
+
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    log_format json_combined escape=json
+        '{'
+            '"time_local":"$time_local",'
+            '"remote_addr":"$remote_addr",'
+            '"remote_user":"$remote_user",'
+            '"request":"$request",'
+            '"status": "$status",'
+            '"body_bytes_sent":"$body_bytes_sent",'
+            '"request_time":"$request_time",'
+            '"http_referrer":"$http_referer",'
+            '"http_user_agent":"$http_user_agent"'
+        '}';
+
+    access_log /dev/stdout json_combined;
+
+    sendfile        on;
+    tcp_nopush     on;
+
+    keepalive_timeout  65;
+
+    server {
+
+        server_name _;
+
+        gzip on;
+        gzip_types application/javascript image/* text/css;
+        gunzip on;
+        add_header X-passbook-Version 0.6.0-beta;
+        add_header Vary X-passbook-Version;
+        root /data/;
+
+        location /_/healthz {
+            return 204;
+        }
+        location ~* \.(jpg|jpeg|png|gif|ico)$ {
+            expires 30d;
+        }
+        location ~* \.(css|js)$ {
+            expires 7d;
+        }
+
+    }
+
+    server {
+
+        listen 8080;
+
+        location = /stub_status {
+            stub_status;
+        }
+    }
+}

docker/uwsgi.ini

@@ -0,0 +1,10 @@
+[uwsgi]
+http = 0.0.0.0:8000
+chdir = /app
+wsgi-file = passbook/root/wsgi.py
+processes = 4
+master = true
+threads = 2
+enable-threads = true
+uid = passbook
+gid = passbook

helm/passbook/Chart.lock

@@ -0,0 +1,9 @@
+dependencies:
+- name: postgresql
+  repository: https://kubernetes-charts.storage.googleapis.com/
+  version: 6.3.10
+- name: redis
+  repository: https://kubernetes-charts.storage.googleapis.com/
+  version: 9.2.1
+digest: sha256:bdde250e1401dccdd5161e39c807f9e88b05e3e8e72e74df767a1bbb5fc39a4a
+generated: "2019-10-01T10:46:06.542706+02:00"

helm/passbook/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v1
-appVersion: "0.2.2-beta"
+appVersion: "0.6.0-beta"
 description: A Helm chart for passbook.
 name: passbook
-version: "0.2.2-beta"
+version: "0.6.0-beta"
 icon: https://git.beryju.org/uploads/-/system/project/avatar/108/logo.png

helm/passbook/app-readme.md

@@ -1 +0,0 @@
-# passbook

helm/passbook/questions.yml

@@ -1,98 +0,0 @@
----
-categories:
-  - Authentication
-  - SSO
-questions:
-  - default: "true"
-    variable: config.error_reporting
-    type: boolean
-    description: "Enable error-reporting to sentry.services.beryju.org"
-    group: "passbook Configuration"
-    label: "Error Reporting"
-    ####################################################################
-    ### PostgreSQL
-    ####################################################################
-  - variable: postgresql.enabled
-    default: true
-    description: "Deploy a database server as part of this deployment, or set to false and configure an external database connection."
-    type: boolean
-    required: true
-    label: Install PostgreSQL
-    show_subquestion_if: true
-    group: "Database Settings"
-    subquestions:
-      - variable: postgresql.postgresqlDatabase
-        default: "passbook"
-        description: "Database name to create"
-        type: string
-        label: PostgreSQL Database
-      - variable: postgresql.postgresqlUsername
-        default: "passbook"
-        description: "Database user to create"
-        type: string
-        label: PostgreSQL User
-      - variable: postgresql.postgresqlPassword
-        default: ""
-        description: "password will be auto-generated if not specified"
-        type: password
-        label: PostgreSQL Password
-  - variable: externalDatabase.host
-    default: ""
-    description: "Host of the external database"
-    type: string
-    label: External Database Host
-    show_if: "postgresql.enabled=false"
-    group: "Database Settings"
-  - variable: externalDatabase.user
-    default: ""
-    description: "Existing username in the external DB"
-    type: string
-    label: External Database username
-    show_if: "postgresql.enabled=false"
-    group: "Database Settings"
-  - variable: externalDatabase.password
-    default: ""
-    description: "External database password"
-    type: password
-    label: External Database password
-    show_if: "postgresql.enabled=false"
-    group: "Database Settings"
-  - variable: externalDatabase.database
-    default: ""
-    description: "Name of the existing database"
-    type: string
-    label: External Database
-    show_if: "postgresql.enabled=false"
-    group: "Database Settings"
-  - variable: externalDatabase.port
-    default: "3306"
-    description: "External database port number"
-    type: string
-    label: External Database Port
-    show_if: "postgresql.enabled=false"
-    group: "Database Settings"
-  - variable: postgresql.persistence.enabled
-    default: false
-    description: "Enable persistent volume for PostgreSQL"
-    type: boolean
-    required: true
-    label: PostgreSQL Persistent Volume Enabled
-    show_if: "postgresql.enabled=true"
-    show_subquestion_if: true
-    group: "Database Settings"
-    subquestions:
-      - variable: postgresql.master.persistence.size
-        default: "8Gi"
-        description: "PostgreSQL Persistent Volume Size"
-        type: string
-        label: PostgreSQL Volume Size
-      - variable: postgresql.master.persistence.storageClass
-        default: ""
-        description: "If undefined or null, uses the default StorageClass. Default to null"
-        type: storageclass
-        label: Default StorageClass for PostgreSQL
-      - variable: postgresql.master.persistence.existingClaim
-        default: ""
-        description: "If not empty, uses the specified existing PVC instead of creating new one"
-        type: string
-        label: Existing Persistent Volume Claim for PostgreSQL

helm/passbook/requirements.lock

@@ -1,12 +1,9 @@
 dependencies:
-- name: rabbitmq
-  repository: https://kubernetes-charts.storage.googleapis.com/
-  version: 4.3.2
 - name: postgresql
   repository: https://kubernetes-charts.storage.googleapis.com/
-  version: 3.10.1
+  version: 4.2.2
 - name: redis
   repository: https://kubernetes-charts.storage.googleapis.com/
-  version: 5.1.0
-digest: sha256:8bf68bc928a2e3c0f05139635be05fa0840554c7bde4cecd624fac78fb5fa5a3
-generated: 2019-03-21T11:06:51.553379+01:00
+  version: 9.2.1
+digest: sha256:8782e974a1094eaeecf1d68f093ca4fb84977217b2bd38b09790a05ec289aec2
+generated: "2019-10-02T21:03:25.90491153Z"

helm/passbook/requirements.yaml

@@ -1,10 +1,7 @@
 dependencies:
-- name: rabbitmq
-  version: 4.3.2
-  repository: https://kubernetes-charts.storage.googleapis.com/
 - name: postgresql
-  version: 3.10.1
+  version: 4.2.2
   repository: https://kubernetes-charts.storage.googleapis.com/
 - name: redis
-  version: 5.1.0
+  version: 9.2.1
   repository: https://kubernetes-charts.storage.googleapis.com/

helm/passbook/templates/configmap.yaml

@@ -4,41 +4,16 @@ metadata:
   name: {{ include "passbook.fullname" . }}-config
 data:
   config.yml: |
-    # Env for Docker images
-    databases:
-      default:
-        engine: django.db.backends.postgresql
-        name: {{ .Values.postgresql.postgresqlDatabase }}
-        user: postgres
-        password: {{ .Values.postgresql.postgresqlPassword }}
-        host: {{ .Release.Name }}-postgresql
-        port: ''
-    log:
-      level:
-        console: WARNING
-        file: WARNING
-      file: /dev/null
-      syslog:
-        host: 127.0.0.1
-        port: 514
-    email:
-      host: {{ .Values.config.email.host }}
-      port: 25
-      user: ''
-      password: ''
-      use_tls: false
-      use_ssl: false
-      from: passbook <passbook@domain.tld>
-    web:
-      listen: 0.0.0.0
-      port: 8000
-      threads: 30
-    debug: false
-    secure_proxy_header:
-      HTTP_X_FORWARDED_PROTO: https
-    rabbitmq: "user:{{ .Values.rabbitmq.rabbitmq.password }}@{{ .Release.Name }}-rabbitmq"
-    redis: ":{{ .Values.redis.password }}@{{ .Release.Name }}-redis-master/0"
-    # Error reporting, sends stacktrace to sentry.services.beryju.org
+    postgresql:
+      host: "{{ .Release.Name }}-postgresql"
+      name: "{{ .Values.postgresql.postgresqlDatabase }}"
+      user: postgres
+    redis:
+      host: "{{ .Release.Name }}-redis-master"
+      cache_db: 0
+      message_queue_db: 1
+
+    # Error reporting, sends stacktrace to sentry.beryju.org
     error_report_enabled: {{ .Values.config.error_reporting }}
 
     {{- if .Values.config.secret_key }}
@@ -49,10 +24,10 @@ data:
 
     primary_domain: {{ .Values.primary_domain }}
     domains:
-        {{- range .Values.ingress.hosts }}
-        - {{ . | quote }}
-        {{- end }}
-        - kubernetes-healthcheck-host
+      {{- range .Values.ingress.hosts }}
+      - {{ . | quote }}
+      {{- end }}
+      - kubernetes-healthcheck-host
 
     passbook:
       sign_up:
@@ -115,23 +90,9 @@ data:
       # create_users: true
       # # Reset LDAP password when user reset their password
       # reset_password: true
-    oauth_client:
-      # List of python packages with sources types to load.
-      types:
-        - passbook.oauth_client.source_types.discord
-        - passbook.oauth_client.source_types.facebook
-        - passbook.oauth_client.source_types.github
-        - passbook.oauth_client.source_types.google
-        - passbook.oauth_client.source_types.reddit
-        - passbook.oauth_client.source_types.supervisr
-        - passbook.oauth_client.source_types.twitter
-        - passbook.oauth_client.source_types.azure_ad
     saml_idp:
       signing: true
       autosubmit: false
       issuer: passbook
       assertion_valid_for: 86400
       # List of python packages with provider types to load.
-      types:
-        - passbook.saml_idp.processors.generic
-        - passbook.saml_idp.processors.salesforce

helm/passbook/templates/ingress.yaml

@@ -1,6 +1,5 @@
 {{- if .Values.ingress.enabled -}}
 {{- $fullName := include "passbook.fullname" . -}}
-{{- $ingressPath := .Values.ingress.path -}}
 apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
@@ -30,9 +29,17 @@ spec:
     - host: {{ . | quote }}
       http:
         paths:
-          - path: {{ $ingressPath }}
+          - path: /
             backend:
-              serviceName: {{ $fullName }}
+              serviceName: {{ $fullName }}-web
+              servicePort: http
+          - path: /static/
+            backend:
+              serviceName: {{ $fullName }}-static
+              servicePort: http
+          - path: /robots.txt
+            backend:
+              serviceName: {{ $fullName }}-static
               servicePort: http
   {{- end }}
 {{- end }}

helm/passbook/templates/passbook-web-deployment.yaml

@@ -1,67 +0,0 @@
-apiVersion: apps/v1beta2
-kind: Deployment
-metadata:
-  name: {{ include "passbook.fullname" . }}-web
-  labels:
-    app.kubernetes.io/name: {{ include "passbook.name" . }}
-    helm.sh/chart: {{ include "passbook.chart" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-spec:
-  replicas: {{ .Values.replicaCount }}
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: {{ include "passbook.name" . }}
-      app.kubernetes.io/instance: {{ .Release.Name }}
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: {{ include "passbook.name" . }}
-        app.kubernetes.io/instance: {{ .Release.Name }}
-        passbook.io/component: web
-    spec:
-      volumes:
-        - name: config-volume
-          configMap:
-            name: {{ include "passbook.fullname" . }}-config
-      containers:
-        - name: {{ .Chart.Name }}
-          image: "docker.beryju.org/passbook/server:{{ .Values.image.tag }}"
-          imagePullPolicy: IfNotPresent
-          command: ["/bin/sh","-c"]
-          args: ["./manage.py migrate && ./manage.py web"]
-          ports:
-            - name: http
-              containerPort: 8000
-              protocol: TCP
-          volumeMounts:
-            - mountPath: /etc/passbook
-              name: config-volume
-          livenessProbe:
-            httpGet:
-              path: /
-              port: http
-              httpHeaders:
-                - name: Host
-                  value: kubernetes-healthcheck-host
-          readinessProbe:
-            httpGet:
-              path: /
-              port: http
-              httpHeaders:
-                - name: Host
-                  value: kubernetes-healthcheck-host
-          resources:
-{{ toYaml .Values.resources | indent 12 }}
-    {{- with .Values.nodeSelector }}
-      nodeSelector:
-{{ toYaml . | indent 8 }}
-    {{- end }}
-    {{- with .Values.affinity }}
-      affinity:
-{{ toYaml . | indent 8 }}
-    {{- end }}
-    {{- with .Values.tolerations }}
-      tolerations:
-{{ toYaml . | indent 8 }}
-    {{- end }}

helm/passbook/templates/static-deployment.yaml

@@ -0,0 +1,55 @@
+apiVersion: apps/v1beta2
+kind: Deployment
+metadata:
+  name: {{ include "passbook.fullname" . }}-static
+  labels:
+    app.kubernetes.io/name: {{ include "passbook.name" . }}
+    helm.sh/chart: {{ include "passbook.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ include "passbook.name" . }}
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: {{ include "passbook.name" . }}
+        app.kubernetes.io/instance: {{ .Release.Name }}
+        k8s.passbook.io/component: static
+      annotations:
+        prometheus.io/scrape: "true"
+        prometheus.io/port: '9113'
+        field.cattle.io/workloadMetrics: '[{"path":"/metrics","port":9113,"schema":"HTTP"}]'
+    spec:
+      containers:
+        - name: {{ .Chart.Name }}-static
+          image: "docker.beryju.org/passbook/static:{{ .Values.image.tag }}"
+          imagePullPolicy: IfNotPresent
+          ports:
+            - name: http
+              containerPort: 80
+              protocol: TCP
+          livenessProbe:
+            initialDelaySeconds: 10
+            timeoutSeconds: 5
+            httpGet:
+              path: /_/healthz
+              port: http
+          readinessProbe:
+            initialDelaySeconds: 10
+            timeoutSeconds: 5
+            httpGet:
+              path: /_/healthz
+              port: http
+          resources:
+            requests:
+              cpu: 10m
+              memory: 10M
+            limits:
+              cpu: 20m
+              memory: 20M
+        - name: {{ .Chart.Name }}-static-prometheus
+          image: nginx/nginx-prometheus-exporter:0.4.1
+          imagePullPolicy: IfNotPresent

helm/passbook/templates/static-service.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "passbook.fullname" . }}-static
+  labels:
+    app.kubernetes.io/name: {{ include "passbook.name" . }}
+    helm.sh/chart: {{ include "passbook.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    k8s.passbook.io/component: static
+spec:
+  type: ClusterIP
+  ports:
+    - port: 80
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    app.kubernetes.io/name: {{ include "passbook.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    k8s.passbook.io/component: static

helm/passbook/templates/web-deployment.yaml

@@ -0,0 +1,92 @@
+apiVersion: apps/v1beta2
+kind: Deployment
+metadata:
+  name: {{ include "passbook.fullname" . }}-web
+  labels:
+    app.kubernetes.io/name: {{ include "passbook.name" . }}
+    helm.sh/chart: {{ include "passbook.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ include "passbook.name" . }}
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: {{ include "passbook.name" . }}
+        app.kubernetes.io/instance: {{ .Release.Name }}
+        passbook.io/component: web
+    spec:
+      initContainers:
+        - name: passbook-database-migrations
+          image: "docker.beryju.org/passbook/server:{{ .Values.image.tag }}"
+          command:
+            - ./manage.py
+          args:
+            - migrate
+          envFrom:
+            - configMapRef:
+                name: {{ include "passbook.fullname" . }}-config
+              prefix: PASSBOOK_
+          env:
+            - name: PASSBOOK_REDIS__PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Release.Name }}-redis"
+                  key: redis-password
+            - name: PASSBOOK_POSTGRESQL__PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Release.Name }}-postgresql"
+                  key: postgresql-password
+      containers:
+        - name: {{ .Chart.Name }}
+          image: "docker.beryju.org/passbook/server:{{ .Values.image.tag }}"
+          imagePullPolicy: IfNotPresent
+          command:
+            - uwsgi
+          args:
+            - uwsgi.ini
+          envFrom:
+            - configMapRef:
+                name: {{ include "passbook.fullname" . }}-config
+              prefix: PASSBOOK_
+          env:
+            - name: PASSBOOK_REDIS__PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Release.Name }}-redis"
+                  key: redis-password
+            - name: PASSBOOK_POSTGRESQL__PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Release.Name }}-postgresql"
+                  key: postgresql-password
+          ports:
+            - name: http
+              containerPort: 8000
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /
+              port: http
+              httpHeaders:
+                - name: Host
+                  value: kubernetes-healthcheck-host
+          readinessProbe:
+            httpGet:
+              path: /
+              port: http
+              httpHeaders:
+                - name: Host
+                  value: kubernetes-healthcheck-host
+          resources:
+            requests:
+              cpu: 50m
+              memory: 150M
+            limits:
+              cpu: 200m
+              memory: 300M

helm/passbook/templates/web-service.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: {{ include "passbook.fullname" . }}
+  name: {{ include "passbook.fullname" . }}-web
   labels:
     app.kubernetes.io/name: {{ include "passbook.name" . }}
     helm.sh/chart: {{ include "passbook.chart" . }}

helm/passbook/templates/worker-deployment.yaml

@@ -20,33 +20,37 @@ spec:
         app.kubernetes.io/instance: {{ .Release.Name }}
         passbook.io/component: worker
     spec:
-      volumes:
-        - name: config-volume
-          configMap:
-            name: {{ include "passbook.fullname" . }}-config
       containers:
         - name: {{ .Chart.Name }}
           image: "docker.beryju.org/passbook/server:{{ .Values.image.tag }}"
           imagePullPolicy: IfNotPresent
-          command: ["./manage.py", "worker"]
-          ports:
-            - name: http
-              containerPort: 8000
-              protocol: TCP
-          volumeMounts:
-            - mountPath: /etc/passbook
-              name: config-volume
+          command:
+            - celery
+          args:
+            - worker
+            - --autoscale=10,3
+            - -E
+            - -B
+            - -A passbook.root.celery
+          envFrom:
+            - configMapRef:
+                name: {{ include "passbook.fullname" . }}-config
+              prefix: PASSBOOK_
+          env:
+            - name: PASSBOOK_REDIS__PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Release.Name }}-redis"
+                  key: redis-password
+            - name: PASSBOOK_POSTGRESQL__PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Release.Name }}-postgresql"
+                  key: postgresql-password
           resources:
-{{ toYaml .Values.resources | indent 12 }}
-    {{- with .Values.nodeSelector }}
-      nodeSelector:
-{{ toYaml . | indent 8 }}
-    {{- end }}
-    {{- with .Values.affinity }}
-      affinity:
-{{ toYaml . | indent 8 }}
-    {{- end }}
-    {{- with .Values.tolerations }}
-      tolerations:
-{{ toYaml . | indent 8 }}
-    {{- end }}
+            requests:
+              cpu: 150m
+              memory: 300M
+            limits:
+              cpu: 300m
+              memory: 500M

helm/passbook/values.yaml

@@ -5,7 +5,7 @@
 replicaCount: 1
 
 image:
-  tag: 0.2.2-beta
+  tag: 0.6.0-beta
 
 nameOverride: ""
 
@@ -21,9 +21,12 @@ postgresql:
   postgresqlDatabase: passbook
   postgresqlPassword: foo
 
-rabbitmq:
-  rabbitmq:
-    password: foo
+redis:
+  cluster:
+    enabled: false
+  master:
+    persistence:
+      enabled: false
 
 service:
   type: ClusterIP
@@ -37,26 +40,7 @@ ingress:
   path: /
   hosts:
     - passbook.k8s.local
-  defaultHost: passbook.k8s.local
   tls: []
   #  - secretName: chart-example-tls
   #    hosts:
   #      - passbook.k8s.local
-
-resources: {}
-  # We usually recommend not to specify default resources and to leave this as a conscious
-  # choice for the user. This also increases chances charts run on environments with little
-  # resources, such as Minikube. If you do want to specify resources, uncomment the following
-  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
-  # limits:
-  #  cpu: 100m
-  #  memory: 128Mi
-  # requests:
-  #  cpu: 100m
-  #  memory: 128Mi
-
-nodeSelector: {}
-
-tolerations: []
-
-affinity: {}

passbook/__init__.py

@@ -1,2 +1,2 @@
 """passbook"""
-__version__ = '0.2.2-beta'
+__version__ = '0.6.0-beta'

passbook/admin/__init__.py

@@ -1,2 +0,0 @@
-"""passbook admin"""
-__version__ = '0.2.2-beta'

passbook/admin/requirements.txt

@@ -1,2 +0,0 @@
-django-rest-framework
-drf_yasg

passbook/admin/templates/administration/overview.html

@@ -179,8 +179,8 @@
                     <span class="card-pf-aggregate-status-notification">
                         <a href="#">
                             {% if worker_count < 1%}
-                            <span class="pficon-error-circle-o" data-toggle="tooltip" data-placement="right"
-                                title="{% trans 'No workers connected. Policies will not work and you may expect other issues.' %}"></span> {{ worker_count }}
+                            <span class="pficon-warning-triangle-o" data-toggle="tooltip" data-placement="right"
+                                title="{% trans 'No workers connected.' %}"></span> {{ worker_count }}
                             {% else %}
                             <span class="pficon pficon-ok"></span>{{ worker_count }}
                             {% endif %}

passbook/admin/templatetags/admin_reflection.py

@@ -1,14 +1,14 @@
 """passbook admin templatetags"""
 import inspect
-from logging import getLogger
 
 from django import template
 from django.db.models import Model
+from structlog import get_logger
 
 from passbook.lib.utils.template import render_to_string
 
 register = template.Library()
-LOGGER = getLogger(__name__)
+LOGGER = get_logger()
 
 @register.simple_tag()
 def get_links(model_instance):

passbook/admin/views/overview.py

@@ -3,8 +3,8 @@ from django.core.cache import cache
 from django.shortcuts import redirect, reverse
 from django.views.generic import TemplateView
 
+from passbook import __version__
 from passbook.admin.mixins import AdminRequiredMixin
-from passbook.core import __version__
 from passbook.core.models import (Application, Factor, Invitation, Policy,
                                   Provider, Source, User)
 from passbook.root.celery import CELERY_APP

passbook/admin/views/policy.py

@@ -11,8 +11,8 @@ from django.views.generic.detail import DetailView
 from passbook.admin.forms.policies import PolicyTestForm
 from passbook.admin.mixins import AdminRequiredMixin
 from passbook.core.models import Policy
-from passbook.core.policies import PolicyEngine
 from passbook.lib.utils.reflection import path_to_class
+from passbook.policies.engine import PolicyEngine
 
 
 class PolicyListView(AdminRequiredMixin, ListView):

passbook/api/__init__.py

@@ -1,2 +0,0 @@
-"""passbook api"""
-__version__ = '0.2.2-beta'

passbook/api/requirements.txt

@@ -1,3 +0,0 @@
-django-rest-framework
-drf_yasg
-django-filters

passbook/app_gw/__init__.py

@@ -1,2 +0,0 @@
-"""passbook Application Security Gateway Header"""
-__version__ = '0.2.2-beta'

passbook/app_gw/apps.py

@@ -1,16 +0,0 @@
-"""passbook Application Security Gateway app"""
-from importlib import import_module
-
-from django.apps import AppConfig
-
-
-class PassbookApplicationApplicationGatewayConfig(AppConfig):
-    """passbook app_gw app"""
-
-    name = 'passbook.app_gw'
-    label = 'passbook_app_gw'
-    verbose_name = 'passbook Application Security Gateway'
-    mountpoint = 'app_gw/'
-
-    def ready(self):
-        import_module('passbook.app_gw.signals')

passbook/app_gw/middleware.py

@@ -1,33 +0,0 @@
-"""passbook app_gw middleware"""
-from django.views.generic import RedirectView
-
-from passbook.app_gw.proxy.handler import RequestHandler
-from passbook.lib.config import CONFIG
-
-
-class ApplicationGatewayMiddleware:
-    """Check if request should be proxied or handeled normally"""
-
-    _app_gw_cache = {}
-
-    def __init__(self, get_response):
-        self.get_response = get_response
-
-    def __call__(self, request):
-        # Rudimentary cache
-        host_header = request.META.get('HTTP_HOST')
-        if host_header not in self._app_gw_cache:
-            self._app_gw_cache[host_header] = RequestHandler.find_app_gw_for_request(request)
-        if self._app_gw_cache[host_header]:
-            return self.dispatch(request, self._app_gw_cache[host_header])
-        return self.get_response(request)
-
-    def dispatch(self, request, app_gw):
-        """Build proxied request and pass to upstream"""
-        handler = RequestHandler(app_gw, request)
-
-        if not handler.check_permission():
-            to_url = 'https://%s/?next=%s' % (CONFIG.get('domains')[0], request.get_full_path())
-            return RedirectView.as_view(url=to_url)(request)
-
-        return handler.get_response()

passbook/app_gw/migrations/0002_auto_20190321_1521.py

@@ -1,18 +0,0 @@
-# Generated by Django 2.1.7 on 2019-03-21 15:21
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('passbook_app_gw', '0001_initial'),
-    ]
-
-    operations = [
-        migrations.AlterField(
-            model_name='rewriterule',
-            name='conditions',
-            field=models.ManyToManyField(blank=True, to='passbook_core.Policy'),
-        ),
-    ]

passbook/app_gw/migrations/0003_auto_20190411_1314.py

@@ -1,18 +0,0 @@
-# Generated by Django 2.2 on 2019-04-11 13:14
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('passbook_app_gw', '0002_auto_20190321_1521'),
-    ]
-
-    operations = [
-        migrations.AlterField(
-            model_name='applicationgatewayprovider',
-            name='authentication_header',
-            field=models.TextField(blank=True, default='X-Remote-User'),
-        ),
-    ]

passbook/app_gw/proxy/exceptions.py

@@ -1,8 +0,0 @@
-"""Exception classes"""
-
-class ReverseProxyException(Exception):
-    """Base for revproxy exception"""
-
-
-class InvalidUpstream(ReverseProxyException):
-    """Invalid upstream set"""

passbook/app_gw/proxy/handler.py

@@ -1,225 +0,0 @@
-"""passbook app_gw request handler"""
-import mimetypes
-from logging import getLogger
-from random import SystemRandom
-from urllib.parse import urlparse
-
-import certifi
-import urllib3
-from django.core.cache import cache
-from django.utils.http import urlencode
-
-from passbook.app_gw.models import ApplicationGatewayProvider
-from passbook.app_gw.proxy.exceptions import InvalidUpstream
-from passbook.app_gw.proxy.response import get_django_response
-from passbook.app_gw.proxy.rewrite import Rewriter
-from passbook.app_gw.proxy.utils import encode_items, normalize_request_headers
-from passbook.core.models import Application
-from passbook.core.policies import PolicyEngine
-
-SESSION_UPSTREAM_KEY = 'passbook_app_gw_upstream'
-IGNORED_HOSTNAMES_KEY = 'passbook_app_gw_ignored'
-LOGGER = getLogger(__name__)
-QUOTE_SAFE = r'<.;>\(}*+|~=-$/_:^@)[{]&\'!,"`'
-ERRORS_MESSAGES = {
-    'upstream-no-scheme': ("Upstream URL scheme must be either "
-                           "'http' or 'https' (%s).")
-}
-HTTP_NO_VERIFY = urllib3.PoolManager()
-HTTP = urllib3.PoolManager(
-    cert_reqs='CERT_REQUIRED',
-    ca_certs=certifi.where())
-IGNORED_HOSTS = cache.get(IGNORED_HOSTNAMES_KEY, [])
-POLICY_CACHE = {}
-
-class RequestHandler:
-    """Forward requests"""
-
-    _parsed_url = None
-    _request_headers = None
-
-    def __init__(self, app_gw, request):
-        self.app_gw = app_gw
-        self.request = request
-        if self.app_gw.pk not in POLICY_CACHE:
-            POLICY_CACHE[self.app_gw.pk] = self.app_gw.application.policies.all()
-
-    @staticmethod
-    def find_app_gw_for_request(request):
-        """Check if a request should be proxied or forwarded to passbook"""
-        # Check if hostname is in cached list of ignored hostnames
-        # This saves us having to query the database on each request
-        host_header = request.META.get('HTTP_HOST')
-        if host_header in IGNORED_HOSTS:
-            # LOGGER.debug("%s is ignored", host_header)
-            return False
-        # Look through all ApplicationGatewayProviders and check hostnames
-        matches = ApplicationGatewayProvider.objects.filter(
-            server_name__contains=[host_header],
-            enabled=True)
-        if not matches.exists():
-            # Mo matching Providers found, add host header to ignored list
-            IGNORED_HOSTS.append(host_header)
-            cache.set(IGNORED_HOSTNAMES_KEY, IGNORED_HOSTS)
-            # LOGGER.debug("Ignoring %s", host_header)
-            return False
-        # At this point we're certain there's a matching ApplicationGateway
-        if len(matches) > 1:
-            # This should never happen
-            raise ValueError
-        app_gw = matches.first()
-        try:
-            # Check if ApplicationGateway is associated with application
-            getattr(app_gw, 'application')
-            if app_gw:
-                return app_gw
-        except Application.DoesNotExist:
-            pass
-            # LOGGER.debug("ApplicationGateway not associated with Application")
-        return True
-
-    def _get_upstream(self):
-        """Choose random upstream and save in session"""
-        if SESSION_UPSTREAM_KEY not in self.request.session:
-            self.request.session[SESSION_UPSTREAM_KEY] = {}
-        if self.app_gw.pk not in self.request.session[SESSION_UPSTREAM_KEY]:
-            upstream_index = int(SystemRandom().random() * len(self.app_gw.upstream))
-            self.request.session[SESSION_UPSTREAM_KEY][self.app_gw.pk] = upstream_index
-        return self.app_gw.upstream[self.request.session[SESSION_UPSTREAM_KEY][self.app_gw.pk]]
-
-    def get_upstream(self):
-        """Get upstream as parsed url"""
-        upstream = self._get_upstream()
-
-        self._parsed_url = urlparse(upstream)
-
-        if self._parsed_url.scheme not in ('http', 'https'):
-            raise InvalidUpstream(ERRORS_MESSAGES['upstream-no-scheme'] %
-                                  upstream)
-
-        return upstream
-
-    def _format_path_to_redirect(self):
-        # LOGGER.debug("Path before: %s", self.request.get_full_path())
-        rewriter = Rewriter(self.app_gw, self.request)
-        after = rewriter.build()
-        # LOGGER.debug("Path after: %s", after)
-        return after
-
-    def get_proxy_request_headers(self):
-        """Get normalized headers for the upstream
-        Gets all headers from the original request and normalizes them.
-        Normalization occurs by removing the prefix ``HTTP_`` and
-        replacing and ``_`` by ``-``. Example: ``HTTP_ACCEPT_ENCODING``
-        becames ``Accept-Encoding``.
-        .. versionadded:: 0.9.1
-        :param request:  The original HTTPRequest instance
-        :returns:  Normalized headers for the upstream
-        """
-        return normalize_request_headers(self.request)
-
-    def get_request_headers(self):
-        """Return request headers that will be sent to upstream.
-        The header REMOTE_USER is set to the current user
-        if AuthenticationMiddleware is enabled and
-        the view's add_remote_user property is True.
-        .. versionadded:: 0.9.8
-        """
-        request_headers = self.get_proxy_request_headers()
-        if not self.app_gw.authentication_header:
-            return request_headers
-        request_headers[self.app_gw.authentication_header] = self.request.user.get_username()
-        # LOGGER.debug("%s set", self.app_gw.authentication_header)
-
-        return request_headers
-
-    def check_permission(self):
-        """Check if user is authenticated and has permission to access app"""
-        if not hasattr(self.request, 'user'):
-            return False
-        if not self.request.user.is_authenticated:
-            return False
-        policy_engine = PolicyEngine(POLICY_CACHE[self.app_gw.pk])
-        policy_engine.for_user(self.request.user).with_request(self.request).build()
-        passing, _messages = policy_engine.result
-
-        return passing
-
-    def get_encoded_query_params(self):
-        """Return encoded query params to be used in proxied request"""
-        get_data = encode_items(self.request.GET.lists())
-        return urlencode(get_data)
-
-    def _created_proxy_response(self, path):
-        request_payload = self.request.body
-
-        # LOGGER.debug("Request headers: %s", self._request_headers)
-
-        request_url = self.get_upstream() + path
-        # LOGGER.debug("Request URL: %s", request_url)
-
-        if self.request.GET:
-            request_url += '?' + self.get_encoded_query_params()
-            # LOGGER.debug("Request URL: %s", request_url)
-
-        http = HTTP
-        if not self.app_gw.upstream_ssl_verification:
-            http = HTTP_NO_VERIFY
-
-        try:
-            proxy_response = http.urlopen(self.request.method,
-                                          request_url,
-                                          redirect=False,
-                                          retries=None,
-                                          headers=self._request_headers,
-                                          body=request_payload,
-                                          decode_content=False,
-                                          preload_content=False)
-            # LOGGER.debug("Proxy response header: %s",
-            #              proxy_response.getheaders())
-        except urllib3.exceptions.HTTPError as error:
-            LOGGER.exception(error)
-            raise
-
-        return proxy_response
-
-    def _replace_host_on_redirect_location(self, proxy_response):
-        location = proxy_response.headers.get('Location')
-        if location:
-            if self.request.is_secure():
-                scheme = 'https://'
-            else:
-                scheme = 'http://'
-            request_host = scheme + self.request.META.get('HTTP_HOST')
-
-            upstream_host_http = 'http://' + self._parsed_url.netloc
-            upstream_host_https = 'https://' + self._parsed_url.netloc
-
-            location = location.replace(upstream_host_http, request_host)
-            location = location.replace(upstream_host_https, request_host)
-            proxy_response.headers['Location'] = location
-            # LOGGER.debug("Proxy response LOCATION: %s",
-            #              proxy_response.headers['Location'])
-
-    def _set_content_type(self, proxy_response):
-        content_type = proxy_response.headers.get('Content-Type')
-        if not content_type:
-            content_type = (mimetypes.guess_type(self.request.path)[0] or
-                            self.app_gw.default_content_type)
-            proxy_response.headers['Content-Type'] = content_type
-            # LOGGER.debug("Proxy response CONTENT-TYPE: %s",
-            #              proxy_response.headers['Content-Type'])
-
-    def get_response(self):
-        """Pass request to upstream and return response"""
-        self._request_headers = self.get_request_headers()
-
-        path = self._format_path_to_redirect()
-        proxy_response = self._created_proxy_response(path)
-
-        self._replace_host_on_redirect_location(proxy_response)
-        self._set_content_type(proxy_response)
-        response = get_django_response(proxy_response, strict_cookies=False)
-
-        # LOGGER.debug("RESPONSE RETURNED: %s", response)
-        return response

passbook/app_gw/proxy/response.py

@@ -1,63 +0,0 @@
-"""response functions from django-revproxy"""
-import logging
-
-from django.http import HttpResponse, StreamingHttpResponse
-
-from passbook.app_gw.proxy.utils import (cookie_from_string,
-                                         set_response_headers, should_stream)
-
-#: Default number of bytes that are going to be read in a file lecture
-DEFAULT_AMT = 2 ** 16
-
-logger = logging.getLogger('revproxy.response')
-
-
-def get_django_response(proxy_response, strict_cookies=False):
-    """This method is used to create an appropriate response based on the
-    Content-Length of the proxy_response. If the content is bigger than
-    MIN_STREAMING_LENGTH, which is found on utils.py,
-    than django.http.StreamingHttpResponse will be created,
-    else a django.http.HTTPResponse will be created instead
-
-    :param proxy_response: An Instance of urllib3.response.HTTPResponse that
-                           will create an appropriate response
-    :param strict_cookies: Whether to only accept RFC-compliant cookies
-    :returns: Returns an appropriate response based on the proxy_response
-              content-length
-    """
-    status = proxy_response.status
-    headers = proxy_response.headers
-
-    logger.debug('Proxy response headers: %s', headers)
-
-    content_type = headers.get('Content-Type')
-
-    logger.debug('Content-Type: %s', content_type)
-
-    if should_stream(proxy_response):
-        logger.info('Content-Length is bigger than %s', DEFAULT_AMT)
-        response = StreamingHttpResponse(proxy_response.stream(DEFAULT_AMT),
-                                         status=status,
-                                         content_type=content_type)
-    else:
-        content = proxy_response.data or b''
-        response = HttpResponse(content, status=status,
-                                content_type=content_type)
-
-    logger.info('Normalizing response headers')
-    set_response_headers(response, headers)
-
-    logger.debug('Response headers: %s', getattr(response, '_headers'))
-
-    cookies = proxy_response.headers.getlist('set-cookie')
-    logger.info('Checking for invalid cookies')
-    for cookie_string in cookies:
-        cookie_dict = cookie_from_string(cookie_string,
-                                         strict_cookies=strict_cookies)
-        # if cookie is invalid cookie_dict will be None
-        if cookie_dict:
-            response.set_cookie(**cookie_dict)
-
-    logger.debug('Response cookies: %s', response.cookies)
-
-    return response

passbook/app_gw/proxy/rewrite.py

@@ -1,42 +0,0 @@
-"""passbook app_gw rewriter"""
-
-from passbook.app_gw.models import RewriteRule
-
-RULE_CACHE = {}
-
-class Context:
-    """Empty class which we dynamically add attributes to"""
-
-class Rewriter:
-    """Apply rewrites"""
-
-    __application = None
-    __request = None
-
-    def __init__(self, application, request):
-        self.__application = application
-        self.__request = request
-        if self.__application.pk not in RULE_CACHE:
-            RULE_CACHE[self.__application.pk] = RewriteRule.objects.filter(
-                provider__in=[self.__application])
-
-    def __build_context(self, matches):
-        """Build object with .0, .1, etc as groups and give access to request"""
-        context = Context()
-        for index, group_match in enumerate(matches.groups()):
-            setattr(context, "g%d" % (index + 1), group_match)
-        setattr(context, 'request', self.__request)
-        return context
-
-    def build(self):
-        """Run all rules over path and return final path"""
-        path = self.__request.get_full_path()
-        for rule in RULE_CACHE[self.__application.pk]:
-            matches = rule.compiled_matcher.search(path)
-            if not matches:
-                continue
-            replace_context = self.__build_context(matches)
-            path = rule.replacement.format(context=replace_context)
-            if rule.halt:
-                return path
-        return path

passbook/app_gw/proxy/utils.py

@@ -1,225 +0,0 @@
-"""Utils from django-revproxy, slightly adjusted"""
-import logging
-import re
-from wsgiref.util import is_hop_by_hop
-
-try:
-    from http.cookies import SimpleCookie
-    COOKIE_PREFIX = ''
-except ImportError:
-    from Cookie import SimpleCookie
-    COOKIE_PREFIX = 'Set-Cookie: '
-
-
-#: List containing string constant that are used to represent headers that can
-#: be ignored in the required_header function
-IGNORE_HEADERS = (
-    'HTTP_ACCEPT_ENCODING',  # We want content to be uncompressed so
-                             # we remove the Accept-Encoding from
-                             # original request
-    'HTTP_HOST',
-    'HTTP_REMOTE_USER',
-)
-
-
-# Default from HTTP RFC 2616
-#   See: http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.7.1
-#: Variable that represent the default charset used
-DEFAULT_CHARSET = 'latin-1'
-
-#: List containing string constants that represents possible html content type
-HTML_CONTENT_TYPES = (
-    'text/html',
-    'application/xhtml+xml'
-)
-
-#: Variable used to represent a minimal content size required for response
-#: to be turned into stream
-MIN_STREAMING_LENGTH = 4 * 1024  # 4KB
-
-#: Regex used to find charset in a html content type
-_get_charset_re = re.compile(r';\s*charset=(?P<charset>[^\s;]+)', re.I)
-
-
-def is_html_content_type(content_type):
-    """Function used to verify if the parameter is a proper html content type
-
-    :param content_type: String variable that represent a content-type
-    :returns:  A boolean value stating if the content_type is a valid html
-               content type
-    """
-    for html_content_type in HTML_CONTENT_TYPES:
-        if content_type.startswith(html_content_type):
-            return True
-
-    return False
-
-
-def should_stream(proxy_response):
-    """Function to verify if the proxy_response must be converted into
-    a stream.This will be done by checking the proxy_response content-length
-    and verify if its length is bigger than one stipulated
-    by MIN_STREAMING_LENGTH.
-
-    :param proxy_response: An Instance of urllib3.response.HTTPResponse
-    :returns: A boolean stating if the proxy_response should
-              be treated as a stream
-    """
-    content_type = proxy_response.headers.get('Content-Type')
-
-    if is_html_content_type(content_type):
-        return False
-
-    try:
-        content_length = int(proxy_response.headers.get('Content-Length', 0))
-    except ValueError:
-        content_length = 0
-
-    if not content_length or content_length > MIN_STREAMING_LENGTH:
-        return True
-
-    return False
-
-
-def get_charset(content_type):
-    """Function used to retrieve the charset from a content-type.If there is no
-    charset in the content type then the charset defined on DEFAULT_CHARSET
-    will be returned
-
-    :param  content_type:   A string containing a Content-Type header
-    :returns:               A string containing the charset
-    """
-    if not content_type:
-        return DEFAULT_CHARSET
-
-    matched = _get_charset_re.search(content_type)
-    if matched:
-        # Extract the charset and strip its double quotes
-        return matched.group('charset').replace('"', '')
-    return DEFAULT_CHARSET
-
-
-def required_header(header):
-    """Function that verify if the header parameter is a essential header
-
-    :param header:  A string represented a header
-    :returns:       A boolean value that represent if the header is required
-    """
-    if header in IGNORE_HEADERS:
-        return False
-
-    if header.startswith('HTTP_') or header == 'CONTENT_TYPE':
-        return True
-
-    return False
-
-
-def set_response_headers(response, response_headers):
-    """Set response's header"""
-    for header, value in response_headers.items():
-        if is_hop_by_hop(header) or header.lower() == 'set-cookie':
-            continue
-
-        response[header.title()] = value
-
-    logger.debug('Response headers: %s', getattr(response, '_headers'))
-
-
-def normalize_request_headers(request):
-    """Function used to transform header, replacing 'HTTP\\_' to ''
-    and replace '_' to '-'
-
-    :param request:  A HttpRequest that will be transformed
-    :returns:        A dictionary with the normalized headers
-    """
-    norm_headers = {}
-    for header, value in request.META.items():
-        if required_header(header):
-            norm_header = header.replace('HTTP_', '').title().replace('_', '-')
-            norm_headers[norm_header] = value
-
-    return norm_headers
-
-
-def encode_items(items):
-    """Function that encode all elements in the list of items passed as
-    a parameter
-
-    :param items:  A list of tuple
-    :returns:      A list of tuple with all items encoded in 'utf-8'
-    """
-    encoded = []
-    for key, values in items:
-        for value in values:
-            encoded.append((key.encode('utf-8'), value.encode('utf-8')))
-    return encoded
-
-
-logger = logging.getLogger('revproxy.cookies')
-
-
-def cookie_from_string(cookie_string, strict_cookies=False):
-    """Parser for HTTP header set-cookie
-    The return from this function will be used as parameters for
-    django's response.set_cookie method. Because set_cookie doesn't
-    have parameter comment, this cookie attribute will be ignored.
-
-    :param  cookie_string: A string representing a valid cookie
-    :param  strict_cookies: Whether to only accept RFC-compliant cookies
-    :returns: A dictionary containing the cookie_string attributes
-    """
-
-    if strict_cookies:
-
-        cookies = SimpleCookie(COOKIE_PREFIX + cookie_string)
-        if not cookies.keys():
-            return None
-        cookie_name, = cookies.keys()
-        cookie_dict = {k: v for k, v in cookies[cookie_name].items()
-                       if v and k != 'comment'}
-        cookie_dict['key'] = cookie_name
-        cookie_dict['value'] = cookies[cookie_name].value
-        return cookie_dict
-    valid_attrs = ('path', 'domain', 'comment', 'expires',
-                   'max_age', 'httponly', 'secure')
-
-    cookie_dict = {}
-
-    cookie_parts = cookie_string.split(';')
-    try:
-        cookie_dict['key'], cookie_dict['value'] = \
-            cookie_parts[0].split('=', 1)
-        cookie_dict['value'] = cookie_dict['value'].replace('"', '')
-    except ValueError:
-        logger.warning('Invalid cookie: `%s`', cookie_string)
-        return None
-
-    if cookie_dict['value'].startswith('='):
-        logger.warning('Invalid cookie: `%s`', cookie_string)
-        return None
-
-    for part in cookie_parts[1:]:
-        if '=' in part:
-            attr, value = part.split('=', 1)
-            value = value.strip()
-        else:
-            attr = part
-            value = ''
-
-        attr = attr.strip().lower()
-        if not attr:
-            continue
-
-        if attr in valid_attrs:
-            if attr in ('httponly', 'secure'):
-                cookie_dict[attr] = True
-            elif attr in 'comment':
-                # ignoring comment attr as explained in the
-                # function docstring
-                continue
-            else:
-                cookie_dict[attr] = value
-        else:
-            logger.warning('Unknown cookie attribute %s', attr)
-
-        return cookie_dict

passbook/app_gw/requirements.txt

@@ -1,7 +0,0 @@
-django-revproxy
-urllib3[secure]
-channels
-service_identity
-websocket-client
-daphne<2.3.0
-asgiref~=2.3

passbook/app_gw/settings.py

@@ -1,5 +0,0 @@
-"""Application Security Gateway settings"""
-INSTALLED_APPS = [
-    'channels'
-]
-ASGI_APPLICATION = "passbook.app_gw.websocket.routing.application"

passbook/app_gw/signals.py

@@ -1,20 +0,0 @@
-"""passbook app_gw cache clean signals"""
-
-from logging import getLogger
-
-from django.core.cache import cache
-from django.db.models.signals import post_save
-from django.dispatch import receiver
-
-from passbook.app_gw.models import ApplicationGatewayProvider
-from passbook.app_gw.proxy.handler import IGNORED_HOSTNAMES_KEY
-
-LOGGER = getLogger(__name__)
-
-@receiver(post_save)
-# pylint: disable=unused-argument
-def invalidate_app_gw_cache(sender, instance, **kwargs):
-    """Invalidate Policy cache when app_gw is updated"""
-    if isinstance(instance, ApplicationGatewayProvider):
-        LOGGER.debug("Invalidating cache for ignored hostnames")
-        cache.delete(IGNORED_HOSTNAMES_KEY)

passbook/app_gw/urls.py

@@ -1,2 +0,0 @@
-"""passbook app_gw urls"""
-urlpatterns = []

passbook/app_gw/websocket/consumer.py

@@ -1,83 +0,0 @@
-"""websocket proxy consumer"""
-import threading
-from logging import getLogger
-from ssl import CERT_NONE
-
-import websocket
-from channels.generic.websocket import WebsocketConsumer
-
-from passbook.app_gw.models import ApplicationGatewayProvider
-
-LOGGER = getLogger(__name__)
-
-class ProxyConsumer(WebsocketConsumer):
-    """Proxy websocket connection to upstream"""
-
-    _headers_dict = {}
-    _app_gw = None
-    _client = None
-    _thread = None
-
-    def _fix_headers(self, input_dict):
-        """Fix headers from bytestrings to normal strings"""
-        return {
-            key.decode('utf-8'): value.decode('utf-8')
-            for key, value in dict(input_dict).items()
-        }
-
-    def connect(self):
-        """Extract host header, lookup in database and proxy connection"""
-        self._headers_dict = self._fix_headers(dict(self.scope.get('headers')))
-        host = self._headers_dict.pop('host')
-        query_string = self.scope.get('query_string').decode('utf-8')
-        matches = ApplicationGatewayProvider.objects.filter(
-            server_name__contains=[host],
-            enabled=True)
-        if matches.exists():
-            self._app_gw = matches.first()
-            # TODO: Get upstream that starts with wss or
-            upstream = self._app_gw.upstream[0].replace('http', 'ws') + self.scope.get('path')
-            if query_string:
-                upstream += '?' + query_string
-            sslopt = {}
-            if not self._app_gw.upstream_ssl_verification:
-                sslopt = {"cert_reqs": CERT_NONE}
-            self._client = websocket.WebSocketApp(
-                url=upstream,
-                subprotocols=self.scope.get('subprotocols'),
-                header=self._headers_dict,
-                on_message=self._client_on_message_handler(),
-                on_error=self._client_on_error_handler(),
-                on_close=self._client_on_close_handler(),
-                on_open=self._client_on_open_handler())
-            LOGGER.debug("Accepting connection for %s", host)
-            self._thread = threading.Thread(target=lambda: self._client.run_forever(sslopt=sslopt))
-            self._thread.start()
-
-    def _client_on_open_handler(self):
-        return lambda ws: self.accept(self._client.sock.handshake_response.subprotocol)
-
-    def _client_on_message_handler(self):
-        # pylint: disable=unused-argument,invalid-name
-        def message_handler(ws, message):
-            if isinstance(message, str):
-                self.send(text_data=message)
-            else:
-                self.send(bytes_data=message)
-        return message_handler
-
-    def _client_on_error_handler(self):
-        return lambda ws, error: print(error)
-
-    def _client_on_close_handler(self):
-        return lambda ws: self.disconnect(0)
-
-    def disconnect(self, code):
-        self._client.close()
-
-    def receive(self, text_data=None, bytes_data=None):
-        if text_data:
-            opcode = websocket.ABNF.OPCODE_TEXT
-        if bytes_data:
-            opcode = websocket.ABNF.OPCODE_BINARY
-        self._client.send(text_data or bytes_data, opcode)

passbook/app_gw/websocket/routing.py

@@ -1,17 +0,0 @@
-"""app_gw websocket proxy"""
-from channels.auth import AuthMiddlewareStack
-from channels.routing import ProtocolTypeRouter, URLRouter
-from django.conf.urls import url
-
-from passbook.app_gw.websocket.consumer import ProxyConsumer
-
-websocket_urlpatterns = [
-    url(r'^(.*)$', ProxyConsumer),
-]
-
-application = ProtocolTypeRouter({
-    # (http->django views is added by default)
-    'websocket': AuthMiddlewareStack(
-        URLRouter(websocket_urlpatterns)
-    ),
-})

passbook/audit/__init__.py

@@ -1,2 +0,0 @@
-"""passbook audit Header"""
-__version__ = '0.2.2-beta'

passbook/audit/migrations/0001_initial.py

@@ -1,7 +1,8 @@
-# Generated by Django 2.1.7 on 2019-02-16 09:13
+# Generated by Django 2.2.6 on 2019-10-07 14:07
 
 import uuid
 
+import django.contrib.postgres.fields.jsonb
 import django.db.models.deletion
 from django.conf import settings
 from django.db import migrations, models
@@ -23,7 +24,7 @@ class Migration(migrations.Migration):
                 ('action', models.TextField(choices=[('login', 'login'), ('login_failed', 'login_failed'), ('logout', 'logout'), ('authorize_application', 'authorize_application'), ('suspicious_request', 'suspicious_request'), ('sign_up', 'sign_up'), ('password_reset', 'password_reset'), ('invitation_created', 'invitation_created'), ('invitation_used', 'invitation_used')])),
                 ('date', models.DateTimeField(auto_now_add=True)),
                 ('app', models.TextField()),
-                ('_context', models.TextField()),
+                ('context', django.contrib.postgres.fields.jsonb.JSONField(blank=True, default=dict)),
                 ('request_ip', models.GenericIPAddressField()),
                 ('created', models.DateTimeField(auto_now_add=True)),
                 ('user', models.ForeignKey(null=True, on_delete=django.db.models.deletion.SET_NULL, to=settings.AUTH_USER_MODEL)),
@@ -33,19 +34,4 @@ class Migration(migrations.Migration):
                 'verbose_name_plural': 'Audit Entries',
             },
         ),
-        migrations.CreateModel(
-            name='LoginAttempt',
-            fields=[
-                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
-                ('created', models.DateField(auto_now_add=True)),
-                ('last_updated', models.DateTimeField(auto_now=True)),
-                ('target_uid', models.CharField(max_length=254)),
-                ('request_ip', models.GenericIPAddressField()),
-                ('attempts', models.IntegerField(default=1)),
-            ],
-        ),
-        migrations.AlterUniqueTogether(
-            name='loginattempt',
-            unique_together={('target_uid', 'request_ip', 'created')},
-        ),
     ]

passbook/audit/migrations/0002_auto_20190221_1201.py

@@ -1,18 +0,0 @@
-# Generated by Django 2.1.7 on 2019-02-21 12:01
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('passbook_audit', '0001_initial'),
-    ]
-
-    operations = [
-        migrations.AlterField(
-            model_name='loginattempt',
-            name='created',
-            field=models.DateTimeField(auto_now_add=True),
-        ),
-    ]

passbook/audit/migrations/0003_auto_20190221_1240.py

@@ -1,23 +0,0 @@
-# Generated by Django 2.1.7 on 2019-02-21 12:40
-
-import django.contrib.postgres.fields.jsonb
-from django.db import migrations
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('passbook_audit', '0002_auto_20190221_1201'),
-    ]
-
-    operations = [
-        migrations.RemoveField(
-            model_name='auditentry',
-            name='_context',
-        ),
-        migrations.AddField(
-            model_name='auditentry',
-            name='context',
-            field=django.contrib.postgres.fields.jsonb.JSONField(blank=True, default=dict),
-        ),
-    ]

passbook/audit/migrations/0004_delete_loginattempt.py

@@ -1,16 +0,0 @@
-# Generated by Django 2.1.7 on 2019-03-08 14:53
-
-from django.db import migrations
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('passbook_audit', '0003_auto_20190221_1240'),
-    ]
-
-    operations = [
-        migrations.DeleteModel(
-            name='LoginAttempt',
-        ),
-    ]

passbook/audit/models.py

@@ -1,6 +1,4 @@
 """passbook audit models"""
-from logging import getLogger
-
 from django.conf import settings
 from django.contrib.auth.models import AnonymousUser
 from django.contrib.postgres.fields import JSONField
@@ -8,10 +6,11 @@ from django.core.exceptions import ValidationError
 from django.db import models
 from django.utils.translation import gettext as _
 from ipware import get_client_ip
+from structlog import get_logger
 
 from passbook.lib.models import UUIDModel
 
-LOGGER = getLogger(__name__)
+LOGGER = get_logger()
 
 class AuditEntry(UUIDModel):
     """An individual audit log entry"""

passbook/captcha_factor/__init__.py

@@ -1,2 +0,0 @@
-"""passbook captcha_factor Header"""
-__version__ = '0.2.2-beta'

passbook/captcha_factor/apps.py

@@ -1,10 +0,0 @@
-"""passbook captcha app"""
-from django.apps import AppConfig
-
-
-class PassbookCaptchaFactorConfig(AppConfig):
-    """passbook captcha app"""
-
-    name = 'passbook.captcha_factor'
-    label = 'passbook_captcha_factor'
-    verbose_name = 'passbook Captcha'

passbook/captcha_factor/requirements.txt

@@ -1 +0,0 @@
-django-recaptcha

passbook/core/__init__.py

@@ -1,2 +0,0 @@
-"""passbook core"""
-__version__ = '0.2.2-beta'

passbook/core/apps.py

@@ -1,12 +1,12 @@
 """passbook core app config"""
 from importlib import import_module
-from logging import getLogger
 
 from django.apps import AppConfig
+from django.conf import settings
+from structlog import get_logger
 
-from passbook.lib.config import CONFIG
+LOGGER = get_logger()
 
-LOGGER = getLogger(__name__)
 
 class PassbookCoreConfig(AppConfig):
     """passbook core app config"""
@@ -17,11 +17,9 @@ class PassbookCoreConfig(AppConfig):
     mountpoint = ''
 
     def ready(self):
-        import_module('passbook.core.policies')
-        factors_to_load = CONFIG.y('passbook.factors', [])
-        for factors_to_load in factors_to_load:
+        for factors_to_load in settings.PASSBOOK_CORE_FACTORS:
             try:
                 import_module(factors_to_load)
-                LOGGER.info("Loaded %s", factors_to_load)
+                LOGGER.info("Loaded factor", factor_class=factors_to_load)
             except ImportError as exc:
                 LOGGER.debug(exc)

passbook/core/forms/applications.py

@@ -16,7 +16,7 @@ class ApplicationForm(forms.ModelForm):
 
         model = Application
         fields = ['name', 'slug', 'launch_url', 'icon_url',
-                  'policies', 'provider', 'skip_authorization']
+                  'provider', 'policies', 'skip_authorization']
         widgets = {
             'name': forms.TextInput(),
             'launch_url': forms.TextInput(),