authentik/passbook/flows/views.py

"""passbook multi-factor authentication engine"""
from typing import Optional

from django.contrib.auth import login
from django.http import HttpRequest, HttpResponse
from django.shortcuts import get_object_or_404, redirect
from django.views.generic import View
from structlog import get_logger

from passbook.core.models import Factor
from passbook.core.views.utils import PermissionDeniedView
from passbook.flows.exceptions import FlowNonApplicableError
from passbook.flows.models import Flow
from passbook.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan, FlowPlanner
from passbook.lib.config import CONFIG
from passbook.lib.utils.reflection import class_to_path, path_to_class
from passbook.lib.utils.urls import is_url_absolute, redirect_with_qs
from passbook.lib.views import bad_request_message

LOGGER = get_logger()
# Argument used to redirect user after login
NEXT_ARG_NAME = "next"
SESSION_KEY_PLAN = "passbook_flows_plan"


class FlowExecutorView(View):
    """Stage 1 Flow executor, passing requests to Factor Views"""

    flow: Flow

    plan: FlowPlan
    current_factor: Factor
    current_factor_view: View

    def setup(self, request: HttpRequest, flow_slug: str):
        super().setup(request, flow_slug=flow_slug)
        # TODO: Do we always need this?
        self.flow = get_object_or_404(Flow, slug=flow_slug)

    def _check_config_domain(self) -> Optional[HttpResponse]:
        """Checks if current request's domain matches configured Domain, and
        adds a warning if not."""
        current_domain = self.request.get_host()
        if ":" in current_domain:
            current_domain, _ = current_domain.split(":")
        config_domain = CONFIG.y("domain")
        if current_domain != config_domain:
            message = (
                f"Current domain of '{current_domain}' doesn't "
                f"match configured domain of '{config_domain}'."
            )
            LOGGER.warning(message, flow_slug=self.flow.slug)
            return bad_request_message(self.request, message)
        return None

    def handle_flow_non_applicable(self) -> HttpResponse:
        """When a flow is non-applicable check if user is on the correct domain"""
        if NEXT_ARG_NAME in self.request.GET:
            return redirect(self.request.GET.get(NEXT_ARG_NAME))
        incorrect_domain_message = self._check_config_domain()
        if incorrect_domain_message:
            return incorrect_domain_message
        # TODO: Add message
        return redirect("passbook_core:index")

    def dispatch(self, request: HttpRequest, flow_slug: str) -> HttpResponse:
        # Early check if theres an active Plan for the current session
        if SESSION_KEY_PLAN not in self.request.session:
            LOGGER.debug(
                "No active Plan found, initiating planner", flow_slug=flow_slug
            )
            try:
                self.plan = self._initiate_plan()
            except FlowNonApplicableError as exc:
                LOGGER.warning("Flow not applicable to current user", exc=exc)
                return self.handle_flow_non_applicable()
        else:
            LOGGER.debug("Continuing existing plan", flow_slug=flow_slug)
            self.plan = self.request.session[SESSION_KEY_PLAN]
        # We don't save the Plan after getting the next factor
        # as it hasn't been successfully passed yet
        self.current_factor = self.plan.next()
        LOGGER.debug(
            "Current factor",
            current_factor=self.current_factor,
            flow_slug=self.flow.slug,
        )
        factor_cls = path_to_class(self.current_factor.type)
        self.current_factor_view = factor_cls(self)
        self.current_factor_view.request = request
        return super().dispatch(request)

    def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
        """pass get request to current factor"""
        LOGGER.debug(
            "Passing GET",
            view_class=class_to_path(self.current_factor_view.__class__),
            flow_slug=self.flow.slug,
        )
        return self.current_factor_view.get(request, *args, **kwargs)

    def post(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
        """pass post request to current factor"""
        LOGGER.debug(
            "Passing POST",
            view_class=class_to_path(self.current_factor_view.__class__),
            flow_slug=self.flow.slug,
        )
        return self.current_factor_view.post(request, *args, **kwargs)

    def _initiate_plan(self) -> FlowPlan:
        planner = FlowPlanner(self.flow)
        plan = planner.plan(self.request)
        self.request.session[SESSION_KEY_PLAN] = plan
        return plan

    def _flow_done(self) -> HttpResponse:
        """User Successfully passed all factors"""
        backend = self.plan.context[PLAN_CONTEXT_PENDING_USER].backend
        login(
            self.request, self.plan.context[PLAN_CONTEXT_PENDING_USER], backend=backend
        )
        LOGGER.debug(
            "Logged in",
            user=self.plan.context[PLAN_CONTEXT_PENDING_USER],
            flow_slug=self.flow.slug,
        )
        self.cancel()
        next_param = self.request.GET.get(NEXT_ARG_NAME, None)
        if next_param and not is_url_absolute(next_param):
            return redirect(next_param)
        return redirect_with_qs("passbook_core:overview")

    def factor_ok(self) -> HttpResponse:
        """Callback called by factors upon successful completion.
        Persists updated plan and context to session."""
        LOGGER.debug(
            "Factor ok",
            factor_class=class_to_path(self.current_factor_view.__class__),
            flow_slug=self.flow.slug,
        )
        self.request.session[SESSION_KEY_PLAN] = self.plan
        if self.plan.factors:
            LOGGER.debug(
                "Continuing with next factor",
                reamining=len(self.plan.factors),
                flow_slug=self.flow.slug,
            )
            return redirect_with_qs(
                "passbook_flows:flow-executor", self.request.GET, **self.kwargs
            )
        # User passed all factors
        LOGGER.debug(
            "User passed all factors",
            user=self.plan.context[PLAN_CONTEXT_PENDING_USER],
            flow_slug=self.flow.slug,
        )
        return self._flow_done()

    def factor_invalid(self) -> HttpResponse:
        """Callback used factor when data is correct but a policy denies access
        or the user account is disabled."""
        LOGGER.debug("User invalid", flow_slug=self.flow.slug)
        self.cancel()
        return redirect_with_qs("passbook_flows:denied", self.request.GET)

    def cancel(self) -> HttpResponse:
        """Cancel current execution and return a redirect"""
        del self.request.session[SESSION_KEY_PLAN]
        return redirect_with_qs("passbook_flows:denied", self.request.GET)


class FlowPermissionDeniedView(PermissionDeniedView):
    """User could not be authenticated"""
core: implement new mfa authentication 2018-12-13 17:02:08 +00:00			`"""passbook multi-factor authentication engine"""`
flows: complete migration to FlowExecutorView, fully use context 2020-05-08 14:10:27 +00:00			`from typing import Optional`
core: implement new mfa authentication 2018-12-13 17:02:08 +00:00
core: fix mfa, split up into multiple files, move factors to settings 2018-12-14 08:49:34 +00:00			`from django.contrib.auth import login`
factors/view: show concise error message when domain is mis-configured 2020-02-18 15:20:38 +00:00			`from django.http import HttpRequest, HttpResponse`
flows: complete migration to FlowExecutorView, fully use context 2020-05-08 14:10:27 +00:00			`from django.shortcuts import get_object_or_404, redirect`
core: fix mfa, split up into multiple files, move factors to settings 2018-12-14 08:49:34 +00:00			`from django.views.generic import View`
*(minor): stdlib logging to structlog 2019-10-01 08:24:10 +00:00			`from structlog import get_logger`
core: implement new mfa authentication 2018-12-13 17:02:08 +00:00
flows: complete migration to FlowExecutorView, fully use context 2020-05-08 14:10:27 +00:00			`from passbook.core.models import Factor`
flows: fix denied view not being registered 2020-05-08 14:50:50 +00:00			`from passbook.core.views.utils import PermissionDeniedView`
flows: implement planner, start new executor 2020-05-08 12:33:14 +00:00			`from passbook.flows.exceptions import FlowNonApplicableError`
			`from passbook.flows.models import Flow`
flows: complete migration to FlowExecutorView, fully use context 2020-05-08 14:10:27 +00:00			`from passbook.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan, FlowPlanner`
factors/view: show concise error message when domain is mis-configured 2020-02-18 15:20:38 +00:00			`from passbook.lib.config import CONFIG`
core: fix mfa, split up into multiple files, move factors to settings 2018-12-14 08:49:34 +00:00			`from passbook.lib.utils.reflection import class_to_path, path_to_class`
flows: complete migration to FlowExecutorView, fully use context 2020-05-08 14:10:27 +00:00			`from passbook.lib.utils.urls import is_url_absolute, redirect_with_qs`
all: fix left over references to error templates 2020-02-21 14:04:37 +00:00			`from passbook.lib.views import bad_request_message`
core: implement new mfa authentication 2018-12-13 17:02:08 +00:00
*(minor): remove __name__ param from get_logger 2019-10-04 08:08:53 +00:00			`LOGGER = get_logger()`
ci: upgrade pylint to latest version core: also upgrade kombu as https://github.com/celery/kombu/issues/1101 is fixed now 2019-12-31 11:45:29 +00:00			`# Argument used to redirect user after login`
all: implement black as code formatter 2019-12-31 11:51:16 +00:00			`NEXT_ARG_NAME = "next"`
flows: complete migration to FlowExecutorView, fully use context 2020-05-08 14:10:27 +00:00			`SESSION_KEY_PLAN = "passbook_flows_plan"`
ci: upgrade pylint to latest version core: also upgrade kombu as https://github.com/celery/kombu/issues/1101 is fixed now 2019-12-31 11:45:29 +00:00
core: implement new mfa authentication 2018-12-13 17:02:08 +00:00
flows: complete migration to FlowExecutorView, fully use context 2020-05-08 14:10:27 +00:00			`class FlowExecutorView(View):`
			`"""Stage 1 Flow executor, passing requests to Factor Views"""`
core: implement new mfa authentication 2018-12-13 17:02:08 +00:00
flows: complete migration to FlowExecutorView, fully use context 2020-05-08 14:10:27 +00:00			`flow: Flow`
totp => otp, integrate with factors, new setup form 2019-02-25 11:29:40 +00:00
flows: complete migration to FlowExecutorView, fully use context 2020-05-08 14:10:27 +00:00			`plan: FlowPlan`
policy(minor): Move policy-related code to separate package 2019-10-01 08:17:39 +00:00			`current_factor: Factor`
flows: complete migration to FlowExecutorView, fully use context 2020-05-08 14:10:27 +00:00			`current_factor_view: View`
core: implement new mfa authentication 2018-12-13 17:02:08 +00:00
flows: complete migration to FlowExecutorView, fully use context 2020-05-08 14:10:27 +00:00			`def setup(self, request: HttpRequest, flow_slug: str):`
			`super().setup(request, flow_slug=flow_slug)`
			`# TODO: Do we always need this?`
			`self.flow = get_object_or_404(Flow, slug=flow_slug)`
core: mfa cleanup session after successful login 2018-12-18 14:34:26 +00:00
factors/view: show concise error message when domain is mis-configured 2020-02-18 15:20:38 +00:00			`def _check_config_domain(self) -> Optional[HttpResponse]:`
			`"""Checks if current request's domain matches configured Domain, and`
			`adds a warning if not."""`
			`current_domain = self.request.get_host()`
factors: strip port for domain check 2020-02-18 16:05:30 +00:00			`if ":" in current_domain:`
			`current_domain, _ = current_domain.split(":")`
factors/view: show concise error message when domain is mis-configured 2020-02-18 15:20:38 +00:00			`config_domain = CONFIG.y("domain")`
			`if current_domain != config_domain:`
			`message = (`
			`f"Current domain of '{current_domain}' doesn't "`
			`f"match configured domain of '{config_domain}'."`
			`)`
flows: make sure flow_slug is logged consistently 2020-05-08 14:51:12 +00:00			`LOGGER.warning(message, flow_slug=self.flow.slug)`
all: fix left over references to error templates 2020-02-21 14:04:37 +00:00			`return bad_request_message(self.request, message)`
factors/view: show concise error message when domain is mis-configured 2020-02-18 15:20:38 +00:00			`return None`

flows: complete migration to FlowExecutorView, fully use context 2020-05-08 14:10:27 +00:00			`def handle_flow_non_applicable(self) -> HttpResponse:`
			`"""When a flow is non-applicable check if user is on the correct domain"""`
*(minor): small refactor 2019-10-07 14:33:48 +00:00			`if NEXT_ARG_NAME in self.request.GET:`
			`return redirect(self.request.GET.get(NEXT_ARG_NAME))`
flows: complete migration to FlowExecutorView, fully use context 2020-05-08 14:10:27 +00:00			`incorrect_domain_message = self._check_config_domain()`
			`if incorrect_domain_message:`
			`return incorrect_domain_message`
			`# TODO: Add message`
			`return redirect("passbook_core:index")`
flows: implement planner, start new executor 2020-05-08 12:33:14 +00:00
			`def dispatch(self, request: HttpRequest, flow_slug: str) -> HttpResponse:`
			`# Early check if theres an active Plan for the current session`
			`if SESSION_KEY_PLAN not in self.request.session:`
			`LOGGER.debug(`
			`"No active Plan found, initiating planner", flow_slug=flow_slug`
			`)`
			`try:`
			`self.plan = self._initiate_plan()`
			`except FlowNonApplicableError as exc:`
			`LOGGER.warning("Flow not applicable to current user", exc=exc)`
flows: complete migration to FlowExecutorView, fully use context 2020-05-08 14:10:27 +00:00			`return self.handle_flow_non_applicable()`
flows: implement planner, start new executor 2020-05-08 12:33:14 +00:00			`else:`
			`LOGGER.debug("Continuing existing plan", flow_slug=flow_slug)`
			`self.plan = self.request.session[SESSION_KEY_PLAN]`
			`# We don't save the Plan after getting the next factor`
			`# as it hasn't been successfully passed yet`
			`self.current_factor = self.plan.next()`
flows: add to api and add forms 2020-05-08 16:29:18 +00:00			`LOGGER.debug(`
			`"Current factor",`
			`current_factor=self.current_factor,`
			`flow_slug=self.flow.slug,`
			`)`
flows: implement planner, start new executor 2020-05-08 12:33:14 +00:00			`factor_cls = path_to_class(self.current_factor.type)`
			`self.current_factor_view = factor_cls(self)`
			`self.current_factor_view.request = request`
			`return super().dispatch(request)`

			`def get(self, request: HttpRequest, args, *kwargs) -> HttpResponse:`
			`"""pass get request to current factor"""`
			`LOGGER.debug(`
flows: make sure flow_slug is logged consistently 2020-05-08 14:51:12 +00:00			`"Passing GET",`
			`view_class=class_to_path(self.current_factor_view.__class__),`
			`flow_slug=self.flow.slug,`
flows: implement planner, start new executor 2020-05-08 12:33:14 +00:00			`)`
			`return self.current_factor_view.get(request, args, *kwargs)`

			`def post(self, request: HttpRequest, args, *kwargs) -> HttpResponse:`
			`"""pass post request to current factor"""`
			`LOGGER.debug(`
			`"Passing POST",`
			`view_class=class_to_path(self.current_factor_view.__class__),`
flows: make sure flow_slug is logged consistently 2020-05-08 14:51:12 +00:00			`flow_slug=self.flow.slug,`
flows: implement planner, start new executor 2020-05-08 12:33:14 +00:00			`)`
			`return self.current_factor_view.post(request, args, *kwargs)`

			`def _initiate_plan(self) -> FlowPlan:`
			`planner = FlowPlanner(self.flow)`
			`plan = planner.plan(self.request)`
			`self.request.session[SESSION_KEY_PLAN] = plan`
			`return plan`
flows: complete migration to FlowExecutorView, fully use context 2020-05-08 14:10:27 +00:00
			`def _flow_done(self) -> HttpResponse:`
			`"""User Successfully passed all factors"""`
			`backend = self.plan.context[PLAN_CONTEXT_PENDING_USER].backend`
			`login(`
			`self.request, self.plan.context[PLAN_CONTEXT_PENDING_USER], backend=backend`
			`)`
flows: make sure flow_slug is logged consistently 2020-05-08 14:51:12 +00:00			`LOGGER.debug(`
			`"Logged in",`
			`user=self.plan.context[PLAN_CONTEXT_PENDING_USER],`
			`flow_slug=self.flow.slug,`
			`)`
flows: complete migration to FlowExecutorView, fully use context 2020-05-08 14:10:27 +00:00			`self.cancel()`
			`next_param = self.request.GET.get(NEXT_ARG_NAME, None)`
			`if next_param and not is_url_absolute(next_param):`
			`return redirect(next_param)`
			`return redirect_with_qs("passbook_core:overview")`

			`def factor_ok(self) -> HttpResponse:`
			`"""Callback called by factors upon successful completion.`
			`Persists updated plan and context to session."""`
			`LOGGER.debug(`
flows: make sure flow_slug is logged consistently 2020-05-08 14:51:12 +00:00			`"Factor ok",`
			`factor_class=class_to_path(self.current_factor_view.__class__),`
			`flow_slug=self.flow.slug,`
flows: complete migration to FlowExecutorView, fully use context 2020-05-08 14:10:27 +00:00			`)`
			`self.request.session[SESSION_KEY_PLAN] = self.plan`
			`if self.plan.factors:`
			`LOGGER.debug(`
flows: make sure flow_slug is logged consistently 2020-05-08 14:51:12 +00:00			`"Continuing with next factor",`
			`reamining=len(self.plan.factors),`
			`flow_slug=self.flow.slug,`
flows: complete migration to FlowExecutorView, fully use context 2020-05-08 14:10:27 +00:00			`)`
			`return redirect_with_qs(`
			`"passbook_flows:flow-executor", self.request.GET, **self.kwargs`
			`)`
			`# User passed all factors`
			`LOGGER.debug(`
flows: make sure flow_slug is logged consistently 2020-05-08 14:51:12 +00:00			`"User passed all factors",`
			`user=self.plan.context[PLAN_CONTEXT_PENDING_USER],`
			`flow_slug=self.flow.slug,`
flows: complete migration to FlowExecutorView, fully use context 2020-05-08 14:10:27 +00:00			`)`
			`return self._flow_done()`

			`def factor_invalid(self) -> HttpResponse:`
			`"""Callback used factor when data is correct but a policy denies access`
			`or the user account is disabled."""`
flows: make sure flow_slug is logged consistently 2020-05-08 14:51:12 +00:00			`LOGGER.debug("User invalid", flow_slug=self.flow.slug)`
flows: complete migration to FlowExecutorView, fully use context 2020-05-08 14:10:27 +00:00			`self.cancel()`
flows: fix denied view not being registered 2020-05-08 14:50:50 +00:00			`return redirect_with_qs("passbook_flows:denied", self.request.GET)`
flows: complete migration to FlowExecutorView, fully use context 2020-05-08 14:10:27 +00:00
			`def cancel(self) -> HttpResponse:`
			`"""Cancel current execution and return a redirect"""`
			`del self.request.session[SESSION_KEY_PLAN]`
flows: fix denied view not being registered 2020-05-08 14:50:50 +00:00			`return redirect_with_qs("passbook_flows:denied", self.request.GET)`


			`class FlowPermissionDeniedView(PermissionDeniedView):`
			`"""User could not be authenticated"""`