new release: 0.8.11-beta

move can_handle calls to binding endpoints (/login/ and /login/initiate/), so that /login/authorize/ works either way, can clean up the session and audit

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 0.8.8-beta
+current_version = 0.8.11-beta
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\-(?P<release>.*)

.github/workflows/release.yml

@@ -16,11 +16,11 @@ jobs:
       - name: Building Docker Image
         run: docker build
           --no-cache
-          -t beryju/passbook:0.8.8-beta
+          -t beryju/passbook:0.8.11-beta
           -t beryju/passbook:latest
           -f Dockerfile .
       - name: Push Docker Container to Registry (versioned)
-        run: docker push beryju/passbook:0.8.8-beta
+        run: docker push beryju/passbook:0.8.11-beta
       - name: Push Docker Container to Registry (latest)
         run: docker push beryju/passbook:latest
   build-gatekeeper:
@@ -37,11 +37,11 @@ jobs:
           cd gatekeeper
           docker build \
           --no-cache \
-          -t beryju/passbook-gatekeeper:0.8.8-beta \
+          -t beryju/passbook-gatekeeper:0.8.11-beta \
           -t beryju/passbook-gatekeeper:latest \
           -f Dockerfile .
       - name: Push Docker Container to Registry (versioned)
-        run: docker push beryju/passbook-gatekeeper:0.8.8-beta
+        run: docker push beryju/passbook-gatekeeper:0.8.11-beta
       - name: Push Docker Container to Registry (latest)
         run: docker push beryju/passbook-gatekeeper:latest
   build-static:
@@ -66,11 +66,11 @@ jobs:
         run: docker build
           --no-cache
           --network=$(docker network ls | grep github | awk '{print $1}')
-          -t beryju/passbook-static:0.8.8-beta
+          -t beryju/passbook-static:0.8.11-beta
           -t beryju/passbook-static:latest
           -f static.Dockerfile .
       - name: Push Docker Container to Registry (versioned)
-        run: docker push beryju/passbook-static:0.8.8-beta
+        run: docker push beryju/passbook-static:0.8.11-beta
       - name: Push Docker Container to Registry (latest)
         run: docker push beryju/passbook-static:latest
   test-release:

.isort.cfg

@@ -0,0 +1,6 @@
+[settings]
+multi_line_output=3
+include_trailing_comma=True
+force_grid_wrap=0
+use_parentheses=True
+line_length=88

.pylintrc

@@ -7,7 +7,3 @@ const-rgx=[a-zA-Z0-9_]{1,40}$
 ignored-modules=django-otp
 jobs=4
 
-[SIMILARITIES]
-
-# Minimum lines number of a similarity.
-min-similarity-lines=20

docker-compose.yml

@@ -23,6 +23,8 @@ services:
   server:
     image: beryju/passbook:${SERVER_TAG:-latest}
     command:
+      - ./manage.py
+      - bootstrap
       - uwsgi
       - uwsgi.ini
     environment:
@@ -42,6 +44,8 @@ services:
   worker:
     image: beryju/passbook:${SERVER_TAG:-latest}
     command:
+      - ./manage.py
+      - bootstrap
       - celery
       - worker
       - --autoscale=10,3

helm/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v1
-appVersion: "0.8.8-beta"
+appVersion: "0.8.11-beta"
 description: A Helm chart for passbook.
 name: passbook
-version: "0.8.8-beta"
+version: "0.8.11-beta"
 icon: https://git.beryju.org/uploads/-/system/project/avatar/108/logo.png

helm/templates/web-deployment.yaml

@@ -18,7 +18,7 @@ spec:
       labels:
         app.kubernetes.io/name: {{ include "passbook.name" . }}
         app.kubernetes.io/instance: {{ .Release.Name }}
-        passbook.io/component: web
+        k8s.passbook.io/component: web
     spec:
       volumes:
         - name: config-volume
@@ -27,9 +27,12 @@ spec:
       initContainers:
         - name: passbook-database-migrations
           image: "beryju/passbook:{{ .Values.image.tag }}"
+          imagePullPolicy: Always
           command:
             - ./manage.py
           args:
+            - bootstrap
+            - ./manage.py
             - migrate
           volumeMounts:
             - mountPath: /etc/passbook
@@ -57,10 +60,12 @@ spec:
       containers:
         - name: {{ .Chart.Name }}
           image: "beryju/passbook:{{ .Values.image.tag }}"
-          imagePullPolicy: IfNotPresent
+          imagePullPolicy: Always
           command:
-            - uwsgi
+            - ./manage.py
           args:
+            - bootstrap
+            - uwsgi
             - uwsgi.ini
           volumeMounts:
             - mountPath: /etc/passbook

helm/templates/web-service.yaml

@@ -18,4 +18,4 @@ spec:
   selector:
     app.kubernetes.io/name: {{ include "passbook.name" . }}
     app.kubernetes.io/instance: {{ .Release.Name }}
-    passbook.io/component: web
+    k8s.passbook.io/component: web

helm/templates/worker-deployment.yaml

@@ -18,7 +18,7 @@ spec:
       labels:
         app.kubernetes.io/name: {{ include "passbook.name" . }}
         app.kubernetes.io/instance: {{ .Release.Name }}
-        passbook.io/component: worker
+        k8s.passbook.io/component: worker
     spec:
       volumes:
         - name: config-volume
@@ -29,8 +29,10 @@ spec:
           image: "beryju/passbook:{{ .Values.image.tag }}"
           imagePullPolicy: IfNotPresent
           command:
-            - celery
+            - ./manage.py
           args:
+            - bootstrap
+            - celery
             - worker
             - --autoscale=10,3
             - -E

helm/values.yaml

@@ -2,7 +2,7 @@
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
 image:
-  tag: 0.8.8-beta
+  tag: 0.8.11-beta
 
 nameOverride: ""
 

passbook/__init__.py

@@ -1,2 +1,2 @@
 """passbook"""
-__version__ = "0.8.8-beta"
+__version__ = "0.8.11-beta"

passbook/admin/fields.py

@@ -48,7 +48,7 @@ class YAMLField(forms.CharField):
     def prepare_value(self, value):
         if isinstance(value, InvalidYAMLInput):
             return value
-        return yaml.dump(value, explicit_start=True)
+        return yaml.dump(value, explicit_start=True, default_flow_style=False)
 
     def has_changed(self, initial, data):
         if super().has_changed(initial, data):

passbook/admin/forms/base.py

@@ -1,40 +0,0 @@
-"""passbook form helpers"""
-from django import forms
-
-from passbook.admin.fields import YAMLField
-
-
-class TagModelForm(forms.ModelForm):
-    """Base form for models that have attributes"""
-
-    def __init__(self, *args, **kwargs):
-        # Check if we have an instance, load tags otherwise use an empty dict
-        instance = kwargs.get("instance", None)
-        tags = instance.tags if instance else {}
-        # Make sure all predefined tags exist in tags, and set default if they don't
-        predefined_tags = (
-            self._meta.model().get_predefined_tags()  # pylint: disable=no-member
-        )
-        for key, value in predefined_tags.items():
-            if key not in tags:
-                tags[key] = value
-        # Format JSON
-        kwargs["initial"]["tags"] = tags
-        super().__init__(*args, **kwargs)
-
-    def clean_tags(self):
-        """Make sure all required tags are set"""
-        if hasattr(self.instance, "get_required_keys") and hasattr(
-            self.instance, "tags"
-        ):
-            for key in self.instance.get_required_keys():
-                if key not in self.cleaned_data.get("tags"):
-                    raise forms.ValidationError("Tag %s missing." % key)
-        return self.cleaned_data.get("tags")
-
-
-# pylint: disable=too-few-public-methods
-class TagModelFormMeta:
-    """Base Meta class that uses the YAMLField"""
-
-    field_classes = {"tags": YAMLField}

passbook/admin/templates/administration/policy/test.html

@@ -11,16 +11,22 @@
 {% endblock %}
 
 {% block beneath_form %}
-<p class="loading" style="display: none;">
-  <span class="spinner spinner-xs spinner-inline"></span> {% trans 'Processing, please wait...' %}
-</p>
+<div class="pf-c-form__group pf-m-action" style="display: none;" id="loading">
+    <div class="pf-c-form__horizontal-group">
+        <span class="pf-c-spinner" role="progressbar" aria-valuetext="Loading...">
+            <span class="pf-c-spinner__clipper"></span>
+            <span class="pf-c-spinner__lead-ball"></span>
+            <span class="pf-c-spinner__tail-ball"></span>
+        </span>
+    </div>
+</div>
 {% endblock %}
 
 {% block scripts %}
 {{ block.super }}
 <script>
-  $('form').on('submit', function () {
-    $('p.loading').show();
-  })
+document.querySelector("form").addEventListener("submit", (e) => {
+    document.getElementById("loading").removeAttribute("style");
+});
 </script>
 {% endblock %}

passbook/admin/views/users.py

@@ -9,7 +9,11 @@ from django.shortcuts import redirect
 from django.urls import reverse, reverse_lazy
 from django.utils.translation import ugettext as _
 from django.views.generic import DeleteView, DetailView, ListView, UpdateView
-from guardian.mixins import PermissionListMixin, PermissionRequiredMixin
+from guardian.mixins import (
+    PermissionListMixin,
+    PermissionRequiredMixin,
+    get_anonymous_user,
+)
 
 from passbook.admin.forms.users import UserForm
 from passbook.core.models import Nonce, User
@@ -25,6 +29,9 @@ class UserListView(LoginRequiredMixin, PermissionListMixin, ListView):
     paginate_by = 40
     template_name = "administration/user/list.html"
 
+    def get_queryset(self):
+        return super().get_queryset().exclude(pk=get_anonymous_user().pk)
+
 
 class UserCreateView(
     SuccessMessageMixin,

passbook/audit/models.py

@@ -33,11 +33,15 @@ def sanitize_dict(source: Dict[Any, Any]) -> Dict[Any, Any]:
             source[key] = sanitize_dict(value)
         elif isinstance(value, models.Model):
             model_content_type = ContentType.objects.get_for_model(value)
+            name = str(value)
+            if hasattr(value, "name"):
+                name = value.name
             source[key] = sanitize_dict(
                 {
                     "app": model_content_type.app_label,
-                    "name": model_content_type.model,
+                    "model_name": model_content_type.model,
                     "pk": value.pk,
+                    "name": name,
                 }
             )
         elif isinstance(value, UUID):
@@ -133,6 +137,7 @@ class Event(UUIDModel):
             action=self.action,
             context=self.context,
             client_ip=self.client_ip,
+            user=self.user,
         )
         return super().save(*args, **kwargs)
 

passbook/core/api/propertymappings.py

@@ -17,7 +17,7 @@ class PropertyMappingSerializer(ModelSerializer):
     class Meta:
 
         model = PropertyMapping
-        fields = ["pk", "name", "__type__"]
+        fields = ["pk", "name", "expression", "__type__"]
 
 
 class PropertyMappingViewSet(ReadOnlyModelViewSet):

passbook/core/forms/applications.py

@@ -10,7 +10,8 @@ class ApplicationForm(forms.ModelForm):
     """Application Form"""
 
     provider = forms.ModelChoiceField(
-        queryset=Provider.objects.all().select_subclasses(), required=False
+        queryset=Provider.objects.all().order_by("pk").select_subclasses(),
+        required=False,
     )
 
     class Meta:

passbook/core/signals.py

@@ -18,9 +18,11 @@ password_changed = Signal(providing_args=["user", "password"])
 def invalidate_policy_cache(sender, instance, **_):
     """Invalidate Policy cache when policy is updated"""
     from passbook.core.models import Policy
+    from passbook.policies.process import cache_key
 
     if isinstance(instance, Policy):
         LOGGER.debug("Invalidating policy cache", policy=instance)
-        keys = cache.keys("%s#*" % instance.pk)
+        prefix = cache_key(instance) + "*"
+        keys = cache.keys(prefix)
         cache.delete_many(keys)
         LOGGER.debug("Deleted %d keys", len(keys))

passbook/core/templates/login/base.html

@@ -54,9 +54,10 @@
                         <a href="{{ source.url }}" class="pf-c-login__main-footer-links-item-link">
                             {% if source.icon_path %}
                             <img src="{% static source.icon_path %}" alt="{{ source.name }}">
-                            {% endif %}
-                            {% if source.icon_url %}
+                            {% elif source.icon_url %}
                             <img src="icon_url" alt="{{ source.name }}">
+                            {% else %}
+                            <i class="pf-icon pf-icon-arrow" title="{{ source.name }}"></i>
                             {% endif %}
                         </a>
                     </li>

passbook/core/templates/login/denied.html

@@ -4,25 +4,16 @@
 {% load i18n %}
 {% load utils %}
 
-{% block head %}
-{{ block.super }}
-<style>
-    .pf-icon {
-        font-size: 48px;
-        text-align: center;
-    }
-</style>
-{% endblock %}
-
 {% block card %}
-<header class="login-pf-header">
-  <h1>{% trans title %}</h1>
-</header>
-<form method="POST">
+<form method="POST" class="pf-c-form">
     {% csrf_token %}
     {% include 'partials/form.html' %}
-  <span class="pf-icon pficon-error-circle-o btn-block"></span>
-  Access denied
+    <div class="pf-c-form__group">
+        <p>
+            <i class="pf-icon pf-icon-error-circle-o"></i>
+            {% trans 'Access denied' %}
+        </p>
+    </div>
     {% if 'back' in request.GET %}
     <a href="{% back %}" class="btn btn-primary btn-block btn-lg">{% trans 'Back' %}</a>
     {% endif %}

passbook/core/views/authentication.py

@@ -44,13 +44,13 @@ class LoginView(UserPassesTestMixin, FormView):
         kwargs["primary_action"] = _("Log in")
         kwargs["show_sign_up_notice"] = CONFIG.y("passbook.sign_up.enabled")
         kwargs["sources"] = []
-        sources = Source.objects.filter(enabled=True).select_subclasses()
+        sources = (
+            Source.objects.filter(enabled=True).order_by("name").select_subclasses()
+        )
         for source in sources:
             ui_login_button = source.ui_login_button
             if ui_login_button:
                 kwargs["sources"].append(ui_login_button)
-        # if kwargs["sources"]:
-        #     self.template_name = "login/with_sources.html"
         return super().get_context_data(**kwargs)
 
     def get_user(self, uid_value) -> Optional[User]:
@@ -231,7 +231,6 @@ class PasswordResetView(View):
         login(request, nonce.user)
         nonce.delete()
         messages.success(
-            request,
-            _(("Temporarily authenticated with Nonce, " "please change your password")),
+            request, _(("Temporarily authenticated, please change your password")),
         )
         return redirect("passbook_core:user-change-password")

passbook/lib/fields.py

@@ -1,48 +0,0 @@
-"""passbook lib fields"""
-from itertools import chain
-
-from django import forms
-from django.contrib.postgres.utils import prefix_validation_error
-
-from passbook.lib.widgets import DynamicArrayWidget
-
-
-class DynamicArrayField(forms.Field):
-    """Show array field as a dynamic amount of textboxes"""
-
-    default_error_messages = {
-        "item_invalid": "Item %(nth)s in the array did not validate: "
-    }
-
-    def __init__(self, base_field, **kwargs):
-        self.base_field = base_field
-        self.max_length = kwargs.pop("max_length", None)
-        kwargs.setdefault("widget", DynamicArrayWidget)
-        super().__init__(**kwargs)
-
-    def clean(self, value):
-        cleaned_data = []
-        errors = []
-        value = [x for x in value if x]
-        for index, item in enumerate(value):
-            try:
-                cleaned_data.append(self.base_field.clean(item))
-            except forms.ValidationError as error:
-                errors.append(
-                    prefix_validation_error(
-                        error,
-                        self.error_messages["item_invalid"],
-                        code="item_invalid",
-                        params={"nth": index},
-                    )
-                )
-        if errors:
-            raise forms.ValidationError(list(chain.from_iterable(errors)))
-        if not cleaned_data and self.required:
-            raise forms.ValidationError(self.error_messages["required"])
-        return cleaned_data
-
-    def has_changed(self, initial, data):
-        if not data and not initial:
-            return False
-        return super().has_changed(initial, data)

passbook/lib/logging.py

@@ -0,0 +1,9 @@
+"""logging helpers"""
+from os import getpid
+
+
+# pylint: disable=unused-argument
+def add_process_id(logger, method_name, event_dict):
+    """Add the current process ID"""
+    event_dict["pid"] = getpid()
+    return event_dict

passbook/lib/management/commands/bootstrap.py

@@ -0,0 +1,66 @@
+"""passbook management command to bootstrap"""
+from argparse import REMAINDER
+from subprocess import Popen  # nosec
+
+# pylint: disable=redefined-builtin
+from sys import exit, stderr, stdin, stdout
+from time import sleep
+
+from django.core.management.base import BaseCommand
+from django.db import connection
+from django.db.utils import OperationalError
+from django_redis import get_redis_connection
+from redis.exceptions import ConnectionError as RedisConnectionError
+from structlog import get_logger
+
+LOGGER = get_logger()
+
+
+class Command(BaseCommand):
+    """Bootstrap passbook, ensure Database and Cache are
+    reachable, and directories are writeable"""
+
+    help = """Bootstrap passbook, ensure Database and Cache are
+    reachable, and directories are writeable"""
+
+    def add_arguments(self, parser):
+        parser.add_argument("command", nargs=REMAINDER)
+
+    def check_database(self) -> bool:
+        """Return true if database is reachable, false otherwise"""
+        try:
+            connection.cursor()
+            LOGGER.info("Database reachable")
+            return True
+        except OperationalError:
+            LOGGER.info("Database unreachable")
+            return False
+
+    def check_cache(self) -> bool:
+        """Return true if cache is reachable, false otherwise"""
+        try:
+            con = get_redis_connection("default")
+            con.ping()
+            LOGGER.info("Cache reachable")
+            return True
+        except RedisConnectionError:
+            LOGGER.info("Cache unreachable")
+            return False
+
+    def handle(self, *args, **options):
+        LOGGER.info("passbook bootstrapping...")
+        should_check = True
+        while should_check:
+            should_check = not (self.check_database() and self.check_cache())
+            sleep(1)
+        LOGGER.info("Dependencies are up, starting command...")
+        proc = Popen(
+            args=options.get("command"), stdout=stdout, stderr=stderr, stdin=stdin
+        )  # nosec
+        try:
+            proc.wait()
+            exit(proc.returncode)
+        except KeyboardInterrupt:
+            LOGGER.info("Killing process")
+            proc.kill()
+            exit(254)

passbook/lib/sentry.py

@@ -1,29 +1,28 @@
 """passbook sentry integration"""
+from billiard.exceptions import WorkerLostError
+from botocore.client import ClientError
+from django.core.exceptions import DisallowedHost, ValidationError
+from django.db import InternalError, OperationalError, ProgrammingError
+from django_redis.exceptions import ConnectionInterrupted
+from redis.exceptions import RedisError
+from rest_framework.exceptions import APIException
 from structlog import get_logger
 
 LOGGER = get_logger()
 
 
 class SentryIgnoredException(Exception):
-    """Base Class for all errors that are supressed, and not sent to sentry."""
+    """Base Class for all errors that are suppressed, and not sent to sentry."""
 
 
 def before_send(event, hint):
     """Check if error is database error, and ignore if so"""
-    from django_redis.exceptions import ConnectionInterrupted
-    from django.db import OperationalError, InternalError
-    from django.core.exceptions import ValidationError
-    from rest_framework.exceptions import APIException
-    from billiard.exceptions import WorkerLostError
-    from django.core.exceptions import DisallowedHost
-    from botocore.client import ClientError
-    from redis.exceptions import RedisError
-
     ignored_classes = (
         OperationalError,
+        InternalError,
+        ProgrammingError,
         ConnectionInterrupted,
         APIException,
-        InternalError,
         ConnectionResetError,
         WorkerLostError,
         DisallowedHost,

passbook/policies/expression/evaluator.py

@@ -19,7 +19,7 @@ LOGGER = get_logger()
 
 
 class Evaluator:
-    """Validate and evaulate jinja2-based expressions"""
+    """Validate and evaluate jinja2-based expressions"""
 
     _env: NativeEnvironment
 
@@ -51,11 +51,12 @@ class Evaluator:
         """Return dictionary with additional global variables passed to expression"""
         # update passbook/policies/expression/templates/policy/expression/form.html
         # update docs/policies/expression/index.md
+        kwargs["pb_is_group_member"] = Evaluator.jinja2_func_is_group_member
+        kwargs["pb_logger"] = get_logger()
+        if request.http_request:
             kwargs["pb_is_sso_flow"] = request.http_request.session.get(
                 AuthenticationView.SESSION_IS_SSO_LOGIN, False
             )
-        kwargs["pb_is_group_member"] = Evaluator.jinja2_func_is_group_member
-        kwargs["pb_logger"] = get_logger()
             kwargs["pb_client_ip"] = (
                 get_client_ip(request.http_request) or "255.255.255.255"
             )
@@ -81,7 +82,7 @@ class Evaluator:
                     req=request,
                 )
                 return PolicyResult(False)
-            if isinstance(result, list) and len(result) == 2:
+            if isinstance(result, (list, tuple)) and len(result) == 2:
                 return PolicyResult(*result)
             if result:
                 return PolicyResult(result)

passbook/policies/expression/templates/policy/expression/form.html

@@ -9,7 +9,7 @@
         <p>
             Expression using <a href="https://jinja.palletsprojects.com/en/2.11.x/templates/">Jinja</a>. Following variables are available:
         </p>
-        <ul>
+        <ul class="pf-c-list">
             <li><code>request.user</code>: Passbook User Object (<a href="https://beryju.github.io/passbook/property-mappings/reference/user-object/">Reference</a>)</li>
             <li><code>request.http_request</code>: Django HTTP Request Object (<a href="https://docs.djangoproject.com/en/3.0/ref/request-response/#httprequest-objects">Reference</a>) </li>
             <li><code>request.obj</code>: Model the Policy is run against. </li>
@@ -19,7 +19,7 @@
             <li><code>pb_client_ip</code>: Client's IP Address.</li>
         </ul>
         <p>Custom Filters:</p>
-        <ul>
+        <ul class="pf-c-list">
             <li><code>regex_match(regex)</code>: Checks if value matches <code>regex</code></li>
             <li><code>regex_replace(regex, repl)</code>: Replace string matched by <code>regex</code> with <code>repl</code></li>
         </ul>

passbook/policies/expression/tests/test_evaluator.py

@@ -0,0 +1,58 @@
+"""evaluator tests"""
+from django.core.exceptions import ValidationError
+from django.test import TestCase
+from guardian.shortcuts import get_anonymous_user
+
+from passbook.policies.expression.evaluator import Evaluator
+from passbook.policies.types import PolicyRequest
+
+
+class TestEvaluator(TestCase):
+    """Evaluator tests"""
+
+    def setUp(self):
+        self.request = PolicyRequest(user=get_anonymous_user())
+
+    def test_valid(self):
+        """test simple value expression"""
+        template = "True"
+        evaluator = Evaluator()
+        self.assertEqual(evaluator.evaluate(template, self.request).passing, True)
+
+    def test_messages(self):
+        """test expression with message return"""
+        template = "False, 'some message'"
+        evaluator = Evaluator()
+        result = evaluator.evaluate(template, self.request)
+        self.assertEqual(result.passing, False)
+        self.assertEqual(result.messages, ("some message",))
+
+    def test_invalid_syntax(self):
+        """test invalid syntax"""
+        template = "{%"
+        evaluator = Evaluator()
+        result = evaluator.evaluate(template, self.request)
+        self.assertEqual(result.passing, False)
+        self.assertEqual(result.messages, ("tag name expected",))
+
+    def test_undefined(self):
+        """test undefined result"""
+        template = "{{ foo.bar }}"
+        evaluator = Evaluator()
+        result = evaluator.evaluate(template, self.request)
+        self.assertEqual(result.passing, False)
+        self.assertEqual(result.messages, ("'foo' is undefined",))
+
+    def test_validate(self):
+        """test validate"""
+        template = "True"
+        evaluator = Evaluator()
+        result = evaluator.validate(template)
+        self.assertEqual(result, True)
+
+    def test_validate_invalid(self):
+        """test validate"""
+        template = "{%"
+        evaluator = Evaluator()
+        with self.assertRaises(ValidationError):
+            evaluator.validate(template)

passbook/policies/process.py

@@ -5,16 +5,19 @@ from multiprocessing.connection import Connection
 from django.core.cache import cache
 from structlog import get_logger
 
-from passbook.core.models import Policy
+from passbook.core.models import Policy, User
 from passbook.policies.exceptions import PolicyException
 from passbook.policies.types import PolicyRequest, PolicyResult
 
 LOGGER = get_logger()
 
 
-def cache_key(policy, user):
+def cache_key(policy: Policy, user: User = None) -> str:
     """Generate Cache key for policy"""
-    return f"policy_{policy.pk}#{user.pk}"
+    prefix = f"policy_{policy.pk}"
+    if user:
+        prefix += f"#{user.pk}"
+    return prefix
 
 
 class PolicyProcess(Process):
@@ -33,7 +36,7 @@ class PolicyProcess(Process):
     def run(self):
         """Task wrapper to run policy checking"""
         LOGGER.debug(
-            "Running policy",
+            "P_ENG(proc): Running policy",
             policy=self.policy,
             user=self.request.user,
             process="PolicyProcess",
@@ -41,13 +44,13 @@ class PolicyProcess(Process):
         try:
             policy_result = self.policy.passes(self.request)
         except PolicyException as exc:
-            LOGGER.debug(exc)
+            LOGGER.debug("P_ENG(proc): error", exc=exc)
             policy_result = PolicyResult(False, str(exc))
         # Invert result if policy.negate is set
         if self.policy.negate:
             policy_result.passing = not policy_result.passing
         LOGGER.debug(
-            "Got result",
+            "P_ENG(proc): Finished",
             policy=self.policy,
             result=policy_result,
             process="PolicyProcess",
@@ -56,5 +59,5 @@ class PolicyProcess(Process):
         )
         key = cache_key(self.policy, self.request.user)
         cache.set(key, policy_result)
-        LOGGER.debug("Cached policy evaluation", key=key)
+        LOGGER.debug("P_ENG(proc): Cached policy evaluation", key=key)
         self.connection.send(policy_result)

passbook/policies/types.py

@@ -1,7 +1,7 @@
 """policy structures"""
 from __future__ import annotations
 
-from typing import TYPE_CHECKING, Tuple
+from typing import TYPE_CHECKING, Optional, Tuple
 
 from django.db.models import Model
 from django.http import HttpRequest
@@ -14,11 +14,13 @@ class PolicyRequest:
     """Data-class to hold policy request data"""
 
     user: User
-    http_request: HttpRequest
-    obj: Model
+    http_request: Optional[HttpRequest]
+    obj: Optional[Model]
 
     def __init__(self, user: User):
         self.user = user
+        self.http_request = None
+        self.obj = None
 
     def __str__(self):
         return f"<PolicyRequest user={self.user}>"

passbook/providers/oauth/templates/oauth2_provider/authorize.html

@@ -3,15 +3,12 @@
 {% load utils %}
 {% load i18n %}
 
-{% block title %}
+{% block card_title %}
 {% title 'Authorize Application' %}
 {% endblock %}
 
 {% block card %}
-<header class="login-pf-header">
-  <h1>{% trans 'Authorize Application' %}</h1>
-</header>
-<form method="POST">
+<form method="POST" class="pf-c-form">
     {% csrf_token %}
     {% if not error %}
         {% csrf_token %}
@@ -20,32 +17,40 @@
                 {{ field }}
             {% endif %}
         {% endfor %}
-        <div class="form-group">
+        <div class="pf-c-form__group">
             <p class="subtitle">
                 {% blocktrans with remote=application.name %}
-                You're about to sign into {{ remote }}
+                You're about to sign into {{ remote }}.
                 {% endblocktrans %}
             </p>
             <p>{% trans "Application requires following permissions" %}</p>
-            <ul>
+            <ul class="pf-c-list">
                 {% for scope in scopes_descriptions %}
                 <li>{{ scope }}</li>
                 {% endfor %}
             </ul>
             {{ form.errors }}
             {{ form.non_field_errors }}
+        </div>
+        <div class="pf-c-form__group">
             <p>
                 {% blocktrans with user=user %}
                 You are logged in as {{ user }}. Not you?
                 {% endblocktrans %}
                 <a href="{% url 'passbook_core:auth-logout' %}">{% trans 'Logout' %}</a>
             </p>
-            <div class="form-group">
-                <input type="submit" class="btn btn-success btn-disabled btn-lg click-spinner" name="allow" value="{% trans 'Continue' %}">
-                <a href="{% back %}" class="btn btn-default btn-lg">{% trans "Cancel" %}</a>
         </div>
-            <div class="form-group spinner-hidden hidden">
-                <div class="spinner"></div>
+        <div class="pf-c-form__group pf-m-action">
+            <input type="submit" class="pf-c-button pf-m-primary" name="allow" value="{% trans 'Continue' %}">
+            <a href="{% back %}" class="pf-c-button pf-m-secondary">{% trans "Cancel" %}</a>
+        </div>
+        <div class="pf-c-form__group" style="display: none;" id="loading">
+            <div class="pf-c-form__horizontal-group">
+                <span class="pf-c-spinner" role="progressbar" aria-valuetext="Loading...">
+                    <span class="pf-c-spinner__clipper"></span>
+                    <span class="pf-c-spinner__lead-ball"></span>
+                    <span class="pf-c-spinner__tail-ball"></span>
+                </span>
             </div>
         </div>
     {% else %}
@@ -61,9 +66,8 @@
 
 {% block scripts %}
 <script>
-    $('.click-spinner').on('click', function (e) {
-        $('.spinner-hidden').removeClass('hidden');
-        $(e.target).addClass('disabled');
-    })
+document.querySelector("form").addEventListener("submit", (e) => {
+    document.getElementById("loading").removeAttribute("style");
+});
 </script>
 {% endblock %}

passbook/providers/oidc/forms.py

@@ -19,6 +19,8 @@ class OIDCProviderForm(forms.ModelForm):
         self.fields["client_secret"].initial = generate_client_secret()
 
     def save(self, *args, **kwargs):
+        self.instance.reuse_consent = False  # This is managed by passbook
+        self.instance.require_consent = True  # This is managed by passbook
         response = super().save(*args, **kwargs)
         # Check if openidprovider class instance exists
         if not OpenIDProvider.objects.filter(oidc_client=self.instance).exists():

passbook/providers/oidc/templates/oidc_provider/authorize.html

@@ -3,15 +3,12 @@
 {% load utils %}
 {% load i18n %}
 
-{% block title %}
-{% title 'Authorize Application' %}
+{% block card_title %}
+{% trans 'Authorize Application' %}
 {% endblock %}
 
 {% block card %}
-<header class="login-pf-header">
-  <h1>{% trans 'Authorize Application' %}</h1>
-</header>
-<form method="POST">
+<form method="POST" class="pf-c-form">
     {% csrf_token %}
     {% if not error %}
         {% csrf_token %}
@@ -20,14 +17,14 @@
                 {{ field }}
             {% endif %}
         {% endfor %}
-        <div class="form-group">
+        <div class="pf-c-form__group">
             <p class="subtitle">
                 {% blocktrans with remote=client.name %}
-                You're about to sign into {{ remote }}
+                You're about to sign into {{ remote }}.
                 {% endblocktrans %}
             </p>
             <p>{% trans "Application requires following permissions" %}</p>
-            <ul>
+            <ul class="pf-c-list">
                 {% for scope in scopes %}
                 <li>{{ scope.name }}</li>
                 {% endfor %}
@@ -35,18 +32,26 @@
             {{ hidden_inputs }}
             {{ form.errors }}
             {{ form.non_field_errors }}
+        </div>
+        <div class="pf-c-form__group">
             <p>
                 {% blocktrans with user=user %}
                 You are logged in as {{ user }}. Not you?
                 {% endblocktrans %}
                 <a href="{% url 'passbook_core:auth-logout' %}">{% trans 'Logout' %}</a>
             </p>
-            <div class="form-group">
-                <input type="submit" class="btn btn-success btn-disabled btn-lg click-spinner" name="allow" value="{% trans 'Continue' %}">
-                <a href="{% back %}" class="btn btn-default btn-lg">{% trans "Cancel" %}</a>
         </div>
-            <div class="form-group spinner-hidden hidden">
-                <div class="spinner"></div>
+        <div class="pf-c-form__group pf-m-action">
+            <input type="submit" class="pf-c-button pf-m-primary" name="allow" value="{% trans 'Continue' %}">
+            <a href="{% back %}" class="pf-c-button pf-m-secondary">{% trans "Cancel" %}</a>
+        </div>
+        <div class="pf-c-form__group" style="display: none;" id="loading">
+            <div class="pf-c-form__horizontal-group">
+                <span class="pf-c-spinner" role="progressbar" aria-valuetext="Loading...">
+                    <span class="pf-c-spinner__clipper"></span>
+                    <span class="pf-c-spinner__lead-ball"></span>
+                    <span class="pf-c-spinner__tail-ball"></span>
+                </span>
             </div>
         </div>
     {% else %}
@@ -62,9 +67,8 @@
 
 {% block scripts %}
 <script>
-    $('.click-spinner').on('click', function (e) {
-        $('.spinner-hidden').removeClass('hidden');
-        $(e.target).addClass('disabled');
-    })
+document.querySelector("form").addEventListener("submit", (e) => {
+    document.getElementById("loading").removeAttribute("style");
+});
 </script>
 {% endblock %}

passbook/providers/oidc/templates/oidc_provider/error.html

@@ -0,0 +1,18 @@
+{% extends 'login/base.html' %}
+
+{% load static %}
+{% load i18n %}
+{% load utils %}
+
+{% block card_title %}
+{% trans error %}
+{% endblock %}
+
+{% block card %}
+<form>
+    <h3>{% trans description %}</h3>
+    {% if 'back' in request.GET %}
+    <a href="{% back %}" class="btn btn-primary btn-block btn-lg">{% trans 'Back' %}</a>
+    {% endif %}
+</form>
+{% endblock %}

passbook/providers/saml/processors/base.py

@@ -184,7 +184,7 @@ class Processor:
         try:
             self._extract_saml_request()
         except KeyError:
-            raise CannotHandleAssertion(f"Couldn't find SAML request in user session:")
+            raise CannotHandleAssertion(f"Couldn't find SAML request in user session")
 
         try:
             self._decode_and_parse_request()

passbook/providers/saml/templates/saml/idp/autosubmit_form.html

@@ -3,23 +3,17 @@
 {% load utils %}
 {% load i18n %}
 
-{% block title %}
+{% block card_title %}
 {% title 'Redirecting...' %}
 {% endblock %}
 
 {% block card %}
-<header class="login-pf-header">
-    <h1>{% trans 'Redirecting...' %}</h1>
-</header>
 <form method="POST" action="{{ url }}">
     {% csrf_token %}
     {% for key, value in attrs.items %}
     <input type="hidden" name="{{ key }}" value="{{ value }}">
     {% endfor %}
     <div class="login-group">
-        <h3>
-            {% trans "Redirecting..." %}
-        </h3>
         <p>
             {% blocktrans with user=user %}
             You are logged in as {{ user }}.
@@ -34,6 +28,6 @@
 {% block scripts %}
 {{ block.super }}
 <script>
-    $('form').submit();
+document.querySelector("form").submit();
 </script>
 {% endblock %}

passbook/providers/saml/templates/saml/idp/login.html

@@ -4,11 +4,8 @@
 {% load i18n %}
 
 {% block card %}
-<form method="POST" class="pf-c-form" action="{{ saml_params.acs_url }}">
+<form method="POST" class="pf-c-form">
     {% csrf_token %}
-    <input type="hidden" name="ACSUrl" value="{{ saml_params.acs_url }}">
-    <input type="hidden" name="RelayState" value="{{ saml_params.relay_state }}" />
-    <input type="hidden" name="SAMLResponse" value="{{ saml_params.saml_response }}" />
     <div class="pf-c-form__group">
         <h3>
             {% blocktrans with provider=provider.application.name %}

passbook/providers/saml/templates/saml/idp/property_mapping_form.html

@@ -8,7 +8,7 @@
     <div class="c-form__horizontal-group">
         <p>
             Expression using <a href="https://jinja.palletsprojects.com/en/2.11.x/templates/">Jinja</a>. Following variables are available:
-            <ul>
+            <ul class="pf-c-list">
                 <li><code>user</code>: Passbook User Object (<a href="https://beryju.github.io/passbook/reference/property-mappings/user-object/">Reference</a>)</li>
                 <li><code>request</code>: Django HTTP Request Object (<a href="https://docs.djangoproject.com/en/3.0/ref/request-response/#httprequest-objects">Reference</a>) </li>
                 <li><code>provider</code>: Passbook SAML Provider Object (<a href="https://github.com/BeryJu/passbook/blob/master/passbook/providers/saml/models.py#L16">Reference</a>) </li>

passbook/providers/saml/templates/saml/xml/subject.xml

@@ -1,7 +1,5 @@
 <saml:Subject>
-    <saml:NameID Format="{{ SUBJECT_FORMAT }}">
-    {{ SUBJECT }}
-    </saml:NameID>
+    <saml:NameID Format="{{ SUBJECT_FORMAT }}">{{ SUBJECT }}</saml:NameID>
     <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
         <saml:SubjectConfirmationData {{ IN_RESPONSE_TO|safe }} NotOnOrAfter="{{ NOT_ON_OR_AFTER }}" Recipient="{{ ACS_URL }}" />
     </saml:SubjectConfirmation>

passbook/providers/saml/urls.py

@@ -16,9 +16,9 @@ urlpatterns = [
         "<slug:application>/login/", views.LoginBeginView.as_view(), name="saml-login"
     ),
     path(
-        "<slug:application>/login/process/",
-        views.LoginProcessView.as_view(),
-        name="saml-login-process",
+        "<slug:application>/login/authorize/",
+        views.AuthorizeView.as_view(),
+        name="saml-login-authorize",
     ),
     path("<slug:application>/logout/", views.LogoutView.as_view(), name="saml-logout"),
     path(

passbook/providers/saml/views.py

@@ -21,12 +21,16 @@ from passbook.core.models import Application, Provider
 from passbook.lib.utils.template import render_to_string
 from passbook.lib.views import bad_request_message
 from passbook.policies.engine import PolicyEngine
-from passbook.providers.saml import exceptions
+from passbook.providers.saml.exceptions import CannotHandleAssertion
 from passbook.providers.saml.models import SAMLProvider
 from passbook.providers.saml.processors.types import SAMLResponseParams
 
 LOGGER = get_logger()
 URL_VALIDATOR = URLValidator(schemes=("http", "https"))
+SESSION_KEY_SAML_REQUEST = "SAMLRequest"
+SESSION_KEY_SAML_RESPONSE = "SAMLResponse"
+SESSION_KEY_RELAY_STATE = "RelayState"
+SESSION_KEY_PARAMS = "SAMLParams"
 
 
 class AccessRequiredView(AccessMixin, View):
@@ -50,14 +54,18 @@ class AccessRequiredView(AccessMixin, View):
 
     def _has_access(self) -> bool:
         """Check if user has access to application"""
-        LOGGER.debug(
-            "_has_access", user=self.request.user, app=self.provider.application
-        )
         policy_engine = PolicyEngine(
             self.provider.application.policies.all(), self.request.user, self.request
         )
         policy_engine.build()
-        return policy_engine.passing
+        passing = policy_engine.passing
+        LOGGER.debug(
+            "saml_has_access",
+            user=self.request.user,
+            app=self.provider.application,
+            passing=passing,
+        )
+        return passing
 
     def dispatch(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
         if not request.user.is_authenticated:
@@ -75,80 +83,29 @@ class LoginBeginView(AccessRequiredView):
     """Receives a SAML 2.0 AuthnRequest from a Service Provider and
     stores it in the session prior to enforcing login."""
 
-    @method_decorator(csrf_exempt)
-    def dispatch(self, request: HttpRequest, application: str) -> HttpResponse:
-        if request.method == "POST":
-            source = request.POST
-        else:
-            source = request.GET
-
+    def handler(self, source, application: str) -> HttpResponse:
+        """Handle SAML Request whether its a POST or a Redirect binding"""
         # Store these values now, because Django's login cycle won't preserve them.
         try:
-            request.session["SAMLRequest"] = source["SAMLRequest"]
+            self.request.session[SESSION_KEY_SAML_REQUEST] = source[
+                SESSION_KEY_SAML_REQUEST
+            ]
         except (KeyError, MultiValueDictKeyError):
-            return bad_request_message(request, "The SAML request payload is missing.")
-
-        request.session["RelayState"] = source.get("RelayState", "")
-        return redirect(
-            reverse(
-                "passbook_providers_saml:saml-login-process",
-                kwargs={"application": application},
-            )
+            return bad_request_message(
+                self.request, "The SAML request payload is missing."
             )
 
-
-class LoginProcessView(AccessRequiredView):
-    """Processor-based login continuation.
-    Presents a SAML 2.0 Assertion for POSTing back to the Service Provider."""
-
-    def handle_redirect(
-        self, params: SAMLResponseParams, skipped_authorization: bool
-    ) -> HttpResponse:
-        """Handle direct redirect to SP"""
-        # Log Application Authorization
-        Event.new(
-            EventAction.AUTHORIZE_APPLICATION,
-            authorized_application=self.provider.application,
-            skipped_authorization=skipped_authorization,
-        ).from_http(self.request)
-        return render(
-            self.request,
-            "saml/idp/autosubmit_form.html",
-            {
-                "url": params.acs_url,
-                "attrs": {
-                    "SAMLResponse": params.saml_response,
-                    "RelayState": params.relay_state,
-                },
-            },
+        self.request.session[SESSION_KEY_RELAY_STATE] = source.get(
+            SESSION_KEY_RELAY_STATE, ""
         )
 
-    def get(self, request: HttpRequest, application: str) -> HttpResponse:
-        """Handle get request, i.e. render form"""
-        # User access gets checked in dispatch
-
-        # Otherwise we generate the IdP initiated session
         try:
-            # application.skip_authorization is set so we directly redirect the user
-            if self.provider.application.skip_authorization:
-                return self.post(request, application)
-
-            self.provider.processor.init_deep_link(request)
+            self.provider.processor.can_handle(self.request)
             params = self.provider.processor.generate_response()
-
-            return render(
-                request,
-                "saml/idp/login.html",
-                {
-                    "saml_params": params,
-                    "provider": self.provider,
-                    "title": "Authorize Application",
-                },
-            )
-
-        except exceptions.CannotHandleAssertion as exc:
-            LOGGER.error(exc)
-            did_you_mean_link = request.build_absolute_uri(
+            self.request.session[SESSION_KEY_PARAMS] = params
+        except CannotHandleAssertion as exc:
+            LOGGER.info(exc)
+            did_you_mean_link = self.request.build_absolute_uri(
                 reverse(
                     "passbook_providers_saml:saml-login-initiate",
                     kwargs={"application": application},
@@ -158,19 +115,97 @@ class LoginProcessView(AccessRequiredView):
                 f" Did you mean to go <a href='{did_you_mean_link}'>here</a>?"
             )
             return bad_request_message(
-                request, mark_safe(str(exc) + did_you_mean_message)
+                self.request, mark_safe(str(exc) + did_you_mean_message)
             )
 
+        return redirect(
+            reverse(
+                "passbook_providers_saml:saml-login-authorize",
+                kwargs={"application": application},
+            )
+        )
+
+    @method_decorator(csrf_exempt)
+    def get(self, request: HttpRequest, application: str) -> HttpResponse:
+        """Handle REDIRECT bindings"""
+        return self.handler(request.GET, application)
+
+    @method_decorator(csrf_exempt)
+    def post(self, request: HttpRequest, application: str) -> HttpResponse:
+        """Handle POST Bindings"""
+        return self.handler(request.POST, application)
+
+
+class InitiateLoginView(AccessRequiredView):
+    """IdP-initiated Login"""
+
+    def get(self, request: HttpRequest, application: str) -> HttpResponse:
+        """Initiates an IdP-initiated link to a simple SP resource/target URL."""
+        self.provider.processor.is_idp_initiated = True
+        self.provider.processor.init_deep_link(request)
+        params = self.provider.processor.generate_response()
+        request.session[SESSION_KEY_PARAMS] = params
+        return redirect(
+            reverse(
+                "passbook_providers_saml:saml-login-authorize",
+                kwargs={"application": application},
+            )
+        )
+
+
+class AuthorizeView(AccessRequiredView):
+    """Ask the user for authorization to continue to the SP.
+    Presents a SAML 2.0 Assertion for POSTing back to the Service Provider."""
+
+    def get(self, request: HttpRequest, application: str) -> HttpResponse:
+        """Handle get request, i.e. render form"""
+        # User access gets checked in dispatch
+
+        # Otherwise we generate the IdP initiated session
+        try:
+            # application.skip_authorization is set so we directly redirect the user
+            if self.provider.application.skip_authorization:
+                LOGGER.debug("skipping authz", application=self.provider.application)
+                return self.post(request, application)
+
+            return render(
+                request,
+                "saml/idp/login.html",
+                {"provider": self.provider, "title": "Authorize Application",},
+            )
+
+        except KeyError:
+            return bad_request_message(request, "Missing SAML Payload")
+
     # pylint: disable=unused-argument
     def post(self, request: HttpRequest, application: str) -> HttpResponse:
         """Handle post request, return back to ACS"""
         # User access gets checked in dispatch
 
-        # we get here when skip_authorization is False, and after the user accepted
+        # we get here when skip_authorization is True, and after the user accepted
         # the authorization form
-        self.provider.processor.can_handle(request)
-        saml_params = self.provider.processor.generate_response()
-        return self.handle_redirect(saml_params, True)
+        # Log Application Authorization
+        Event.new(
+            EventAction.AUTHORIZE_APPLICATION,
+            authorized_application=self.provider.application,
+            skipped_authorization=self.provider.application.skip_authorization,
+        ).from_http(self.request)
+        self.request.session.pop(SESSION_KEY_SAML_REQUEST, None)
+        self.request.session.pop(SESSION_KEY_SAML_RESPONSE, None)
+        self.request.session.pop(SESSION_KEY_RELAY_STATE, None)
+        response: SAMLResponseParams = self.request.session.pop(SESSION_KEY_PARAMS)
+        return render(
+            self.request,
+            "saml/idp/autosubmit_form.html",
+            {
+                "url": response.acs_url,
+                "attrs": {
+                    "ACSUrl": response.acs_url,
+                    SESSION_KEY_SAML_RESPONSE: response.saml_response,
+                    SESSION_KEY_RELAY_STATE: response.relay_state,
+                },
+            },
+        )
 
 
 @method_decorator(csrf_exempt, name="dispatch")
@@ -204,7 +239,9 @@ class SLOLogout(AccessRequiredView):
     # pylint: disable=unused-argument
     def post(self, request: HttpRequest, application: str) -> HttpResponse:
         """Perform logout"""
-        request.session["SAMLRequest"] = request.POST["SAMLRequest"]
+        request.session[SESSION_KEY_SAML_REQUEST] = request.POST[
+            SESSION_KEY_SAML_REQUEST
+        ]
         # TODO: Parse SAML LogoutRequest from POST data, similar to login_process().
         # TODO: Modify the base processor to handle logouts?
         # TODO: Combine this with login_process(), since they are so very similar?
@@ -259,54 +296,7 @@ class DescriptorDownloadView(AccessRequiredView):
             )
         else:
             response = HttpResponse(metadata, content_type="application/xml")
-            response["Content-Disposition"] = (
-                'attachment; filename="' '%s_passbook_meta.xml"' % self.provider.name
-            )
+            response[
+                "Content-Disposition"
+            ] = f'attachment; filename="{self.provider.name}_passbook_meta.xml"'
             return response
-
-
-class InitiateLoginView(AccessRequiredView):
-    """IdP-initiated Login"""
-
-    def handle_redirect(
-        self, params: SAMLResponseParams, skipped_authorization: bool
-    ) -> HttpResponse:
-        """Handle direct redirect to SP"""
-        # Log Application Authorization
-        Event.new(
-            EventAction.AUTHORIZE_APPLICATION,
-            authorized_application=self.provider.application,
-            skipped_authorization=skipped_authorization,
-        ).from_http(self.request)
-        return render(
-            self.request,
-            "saml/idp/autosubmit_form.html",
-            {
-                "url": params.acs_url,
-                "attrs": {
-                    "SAMLResponse": params.saml_response,
-                    "RelayState": params.relay_state,
-                },
-            },
-        )
-
-    # pylint: disable=unused-argument
-    def get(self, request: HttpRequest, application: str) -> HttpResponse:
-        """Initiates an IdP-initiated link to a simple SP resource/target URL."""
-        self.provider.processor.is_idp_initiated = True
-        self.provider.processor.init_deep_link(request)
-        params = self.provider.processor.generate_response()
-
-        # IdP-initiated Login Flow
-        if self.provider.application.skip_authorization:
-            return self.handle_redirect(params, True)
-
-        return render(
-            request,
-            "saml/idp/login.html",
-            {
-                "saml_params": params,
-                "provider": self.provider,
-                "title": "Authorize Application",
-            },
-        )

passbook/root/settings.py

@@ -22,6 +22,7 @@ from sentry_sdk.integrations.django import DjangoIntegration
 
 from passbook import __version__
 from passbook.lib.config import CONFIG
+from passbook.lib.logging import add_process_id
 from passbook.lib.sentry import before_send
 
 LOGGER = structlog.get_logger()
@@ -53,6 +54,7 @@ if DEBUG:
     CSRF_COOKIE_NAME = "passbook_csrf_debug"
     LANGUAGE_COOKIE_NAME = "passbook_language_debug"
     SESSION_COOKIE_NAME = "passbook_session_debug"
+    SESSION_COOKIE_SAMESITE = None
 else:
     CSRF_COOKIE_NAME = "passbook_csrf"
     LANGUAGE_COOKIE_NAME = "passbook_language"
@@ -278,6 +280,7 @@ structlog.configure_once(
     processors=[
         structlog.stdlib.add_log_level,
         structlog.stdlib.add_logger_name,
+        add_process_id,
         structlog.stdlib.PositionalArgumentsFormatter(),
         structlog.processors.TimeStamper(),
         structlog.processors.StackInfoRenderer(),
@@ -314,7 +317,7 @@ LOGGING = {
     },
     "handlers": {
         "console": {
-            "level": DEBUG,
+            "level": "DEBUG",
             "class": "logging.StreamHandler",
             "formatter": "colored" if DEBUG else "plain",
         },
@@ -322,6 +325,7 @@ LOGGING = {
     "loggers": {},
 }
 _LOGGING_HANDLER_MAP = {
+    "": "DEBUG",
     "passbook": "DEBUG",
     "django": "WARNING",
     "celery": "WARNING",
@@ -334,7 +338,7 @@ for handler_name, level in _LOGGING_HANDLER_MAP.items():
     LOGGING["loggers"][handler_name] = {
         "handlers": ["console"],
         "level": level,
-        "propagate": True,
+        "propagate": False,
     }
 
 TEST = False

passbook/sources/ldap/templates/ldap/property_mapping_form.html

@@ -8,7 +8,7 @@
     <div class="c-form__horizontal-group">
         <p>
             Expression using <a href="https://jinja.palletsprojects.com/en/2.11.x/templates/">Jinja</a>. Following variables are available:
-            <ul>
+            <ul class="pf-c-list">
                 <li><code>ldap</code>: A Dictionary of all values retrieved from LDAP.</li>
             </ul>
         </p>

passbook/sources/oauth/clients.py

@@ -1,8 +1,9 @@
 """OAuth Clients"""
 import json
-from typing import Dict
+from typing import Dict, Optional
 from urllib.parse import parse_qs, urlencode
 
+from django.http import HttpRequest
 from django.utils.crypto import constant_time_compare, get_random_string
 from django.utils.encoding import force_text
 from requests import Session
@@ -18,30 +19,26 @@ LOGGER = get_logger()
 class BaseOAuthClient:
     """Base OAuth Client"""
 
-    _session: Session = None
+    session: Session = None
 
     def __init__(self, source, token=""):  # nosec
         self.source = source
         self.token = token
-        self._session = Session()
-        self._session.headers.update({"User-Agent": "passbook %s" % __version__})
+        self.session = Session()
+        self.session.headers.update({"User-Agent": "passbook %s" % __version__})
 
     def get_access_token(self, request, callback=None):
         "Fetch access token from callback request."
         raise NotImplementedError("Defined in a sub-class")  # pragma: no cover
 
-    def get_profile_info(self, raw_token):
+    def get_profile_info(self, token: Dict[str, str]):
         "Fetch user profile information."
         try:
-            token = json.loads(raw_token)
             headers = {
                 "Authorization": f"{token['token_type']} {token['access_token']}"
             }
-            response = self.request(
-                "get",
-                self.source.profile_url,
-                token=token["access_token"],
-                headers=headers,
+            response = self.session.request(
+                "get", self.source.profile_url, headers=headers,
             )
             response.raise_for_status()
         except RequestException as exc:
@@ -67,10 +64,6 @@ class BaseOAuthClient:
         "Parse token and secret from raw token response."
         raise NotImplementedError("Defined in a sub-class")  # pragma: no cover
 
-    def request(self, method, url, **kwargs):
-        "Build remote url request."
-        return self._session.request(method, url, **kwargs)
-
     @property
     def session_key(self):
         """Return Session Key"""
@@ -80,36 +73,48 @@ class BaseOAuthClient:
 class OAuthClient(BaseOAuthClient):
     """OAuth1 Client"""
 
-    def get_access_token(self, request, callback=None):
+    _default_headers = {
+        "Accept": "application/json",
+    }
+
+    def get_access_token(
+        self, request: HttpRequest, callback=None
+    ) -> Optional[Dict[str, str]]:
         "Fetch access token from callback request."
         raw_token = request.session.get(self.session_key, None)
         verifier = request.GET.get("oauth_verifier", None)
         if raw_token is not None and verifier is not None:
-            data = {"oauth_verifier": verifier}
+            data = {
+                "oauth_verifier": verifier,
+                "oauth_callback": callback,
+                "token": raw_token,
+            }
             callback = request.build_absolute_uri(callback or request.path)
             callback = force_text(callback)
             try:
-                response = self.request(
+                response = self.session.request(
                     "post",
                     self.source.access_token_url,
-                    token=raw_token,
                     data=data,
-                    oauth_callback=callback,
+                    headers=self._default_headers,
                 )
                 response.raise_for_status()
             except RequestException as exc:
                 LOGGER.warning("Unable to fetch access token", exc=exc)
                 return None
             else:
-                return response.text
+                return response.json()
         return None
 
     def get_request_token(self, request, callback):
         "Fetch the OAuth request token. Only required for OAuth 1.0."
         callback = force_text(request.build_absolute_uri(callback))
         try:
-            response = self.request(
-                "post", self.source.request_token_url, oauth_callback=callback
+            response = self.session.request(
+                "post",
+                self.source.request_token_url,
+                data={"oauth_callback": callback},
+                headers=self._default_headers,
             )
             response.raise_for_status()
         except RequestException as exc:
@@ -154,7 +159,7 @@ class OAuthClient(BaseOAuthClient):
             callback_uri=callback,
         )
         kwargs["auth"] = oauth
-        return super(OAuthClient, self).request(method, url, **kwargs)
+        return super(OAuthClient, self).session.request(method, url, **kwargs)
 
     @property
     def session_key(self):
@@ -164,6 +169,10 @@ class OAuthClient(BaseOAuthClient):
 class OAuth2Client(BaseOAuthClient):
     """OAuth2 Client"""
 
+    _default_headers = {
+        "Accept": "application/json",
+    }
+
     # pylint: disable=unused-argument
     def check_application_state(self, request, callback):
         "Check optional state parameter."
@@ -197,15 +206,19 @@ class OAuth2Client(BaseOAuthClient):
             LOGGER.warning("No code returned by the source")
             return None
         try:
-            response = self.request(
-                "post", self.source.access_token_url, data=args, **request_kwargs
+            response = self.session.request(
+                "post",
+                self.source.access_token_url,
+                data=args,
+                headers=self._default_headers,
+                **request_kwargs,
             )
             response.raise_for_status()
         except RequestException as exc:
             LOGGER.warning("Unable to fetch access token", exc=exc)
             return None
         else:
-            return response.text
+            return response.json()
 
     # pylint: disable=unused-argument
     def get_application_state(self, request, callback):
@@ -247,7 +260,7 @@ class OAuth2Client(BaseOAuthClient):
             params = kwargs.get("params", {})
             params["access_token"] = token
             kwargs["params"] = params
-        return super(OAuth2Client, self).request(method, url, **kwargs)
+        return super(OAuth2Client, self).session.request(method, url, **kwargs)
 
     @property
     def session_key(self):

passbook/sources/oauth/forms.py

@@ -116,7 +116,7 @@ class AzureADOAuthSourceForm(OAuthSourceForm):
     class Meta(OAuthSourceForm.Meta):
 
         overrides = {
-            "provider_type": "azure_ad",
+            "provider_type": "azure-ad",
             "request_token_url": "",
             "authorization_url": "https://login.microsoftonline.com/common/oauth2/authorize",
             "access_token_url": "https://login.microsoftonline.com/common/oauth2/token",

passbook/sources/oauth/views/core.py

@@ -89,13 +89,15 @@ class OAuthCallback(OAuthClientMixin, View):
             client = self.get_client(self.source)
             callback = self.get_callback_url(self.source)
             # Fetch access token
-            raw_token = client.get_access_token(self.request, callback=callback)
-            if raw_token is None:
+            token = client.get_access_token(self.request, callback=callback)
+            if token is None:
                 return self.handle_login_failure(
                     self.source, "Could not retrieve token."
                 )
+            if "error" in token:
+                return self.handle_login_failure(self.source, token["error"])
             # Fetch profile info
-            info = client.get_profile_info(raw_token)
+            info = client.get_profile_info(token)
             if info is None:
                 return self.handle_login_failure(
                     self.source, "Could not retrieve profile."
@@ -105,7 +107,7 @@ class OAuthCallback(OAuthClientMixin, View):
                 return self.handle_login_failure(self.source, "Could not determine id.")
             # Get or create access record
             defaults = {
-                "access_token": raw_token,
+                "access_token": token.get("access_token"),
             }
             existing = UserOAuthSourceConnection.objects.filter(
                 source=self.source, identifier=identifier
@@ -113,13 +115,15 @@ class OAuthCallback(OAuthClientMixin, View):
 
             if existing.exists():
                 connection = existing.first()
-                connection.access_token = raw_token
+                connection.access_token = token.get("access_token")
                 UserOAuthSourceConnection.objects.filter(pk=connection.pk).update(
                     **defaults
                 )
             else:
                 connection = UserOAuthSourceConnection(
-                    source=self.source, identifier=identifier, access_token=raw_token
+                    source=self.source,
+                    identifier=identifier,
+                    access_token=token.get("access_token"),
                 )
             user = authenticate(
                 source=self.source, identifier=identifier, request=request

passbook/static/static/passbook/pf.css

@@ -7,33 +7,18 @@
     z-index: 0;
 }
 
-@@ -1,204 +0,0 @@
-.navbar-brand-name {
-    height: 35px;
+/* login page's icons */
+.pf-c-login__main-footer-links-item-link img {
+    fill: var(--pf-c-login__main-footer-links-item-link-svg--Fill);
+    width: 100%;
+    max-width: var(--pf-c-login__main-footer-links-item-link-svg--Width);
+    height: 100%;
+    max-height: var(--pf-c-login__main-footer-links-item-link-svg--Height);
 }
 
-.dynamic-array-widget .array-item {
-  display: flex;
-  align-items: center;
-  margin-bottom: 15px;
-}
-
-.dynamic-array-widget .remove_sign {
-  width: 10px;
-  height: 2px;
-  background: #a41515;
-  border-radius: 1px;
-}
-
-.dynamic-array-widget .remove {
-  height: 15px;
-  display: flex;
-  align-items: center;
-  margin-left: 5px;
-}
-
-.dynamic-array-widget .remove:hover {
-  cursor: pointer;
+/* fix multiple selects height */
+select[multiple] {
+    height: initial;
 }
 
 /* Selector */

passbook/static/static/passbook/pf.js

@@ -36,3 +36,19 @@ document.querySelectorAll(".codemirror").forEach((cm) => {
         autoRefresh: true,
     });
 });
+
+// Automatic slug fields
+const convertToSlug = (text) => {
+    return text
+        .toLowerCase()
+        .replace(/[^\w ]+/g, '')
+        .replace(/ +/g, '-');
+};
+
+document.querySelectorAll("input[name=name]").forEach((input) => {
+    input.addEventListener("input", (e) => {
+        const form = e.target.closest("form");
+        const slugField = form.querySelector("input[name=slug]");
+        slugField.value = convertToSlug(e.target.value);
+    });
+});