authentik/passbook/factors/password/factor.py

"""passbook multi-factor authentication engine"""
from inspect import Signature

from django.contrib import messages
from django.contrib.auth import _clean_credentials
from django.contrib.auth.signals import user_login_failed
from django.core.exceptions import PermissionDenied
from django.forms.utils import ErrorList
from django.shortcuts import redirect, reverse
from django.utils.translation import gettext as _
from django.views.generic import FormView
from structlog import get_logger

from passbook.core.forms.authentication import PasswordFactorForm
from passbook.core.models import Nonce
from passbook.core.tasks import send_email
from passbook.factors.base import AuthenticationFactor
from passbook.factors.view import AuthenticationView
from passbook.lib.config import CONFIG
from passbook.lib.utils.reflection import path_to_class

LOGGER = get_logger()


def authenticate(request, backends, **credentials):
    """If the given credentials are valid, return a User object.

    Customized version of django's authenticate, which accepts a list of backends"""
    for backend_path in backends:
        backend = path_to_class(backend_path)()
        try:
            signature = Signature.from_callable(backend.authenticate)
            signature.bind(request, **credentials)
        except TypeError:
            LOGGER.debug("Backend doesn't accept our arguments", backend=backend)
            # This backend doesn't accept these credentials as arguments. Try the next one.
            continue
        LOGGER.debug('Attempting authentication...', backend=backend)
        try:
            user = backend.authenticate(request, **credentials)
        except PermissionDenied:
            LOGGER.debug('Backend threw PermissionDenied', backend=backend)
            # This backend says to stop in our tracks - this user should not be allowed in at all.
            break
        if user is None:
            continue
        # Annotate the user object with the path of the backend.
        user.backend = backend_path
        return user

    # The credentials supplied are invalid to all backends, fire signal
    user_login_failed.send(sender=__name__, credentials=_clean_credentials(
        credentials), request=request)

class PasswordFactor(FormView, AuthenticationFactor):
    """Authentication factor which authenticates against django's AuthBackend"""

    form_class = PasswordFactorForm
    template_name = 'login/factors/backend.html'

    def get_context_data(self, **kwargs):
        kwargs['show_password_forget_notice'] = CONFIG.y('passbook.password_reset.enabled')
        return super().get_context_data(**kwargs)

    def get(self, request, *args, **kwargs):
        if 'password-forgotten' in request.GET:
            nonce = Nonce.objects.create(user=self.pending_user)
            LOGGER.debug("DEBUG %s", str(nonce.uuid))
            # Send mail to user
            send_email.delay(self.pending_user.email, _('Forgotten password'),
                             'email/account_password_reset.html', {
                                 'url': self.request.build_absolute_uri(
                                     reverse('passbook_core:auth-password-reset',
                                             kwargs={
                                                 'nonce': nonce.uuid
                                             })
                                 )
                             })
            self.authenticator.cleanup()
            messages.success(request, _('Check your E-Mails for a password reset link.'))
            return redirect('passbook_core:auth-login')
        return super().get(request, *args, **kwargs)

    def form_valid(self, form):
        """Authenticate against django's authentication backend"""
        uid_fields = CONFIG.y('passbook.uid_fields')
        kwargs = {
            'password': form.cleaned_data.get('password'),
        }
        for uid_field in uid_fields:
            kwargs[uid_field] = getattr(self.authenticator.pending_user, uid_field)
        try:
            user = authenticate(self.request, self.authenticator.current_factor.backends, **kwargs)
            if user:
                # User instance returned from authenticate() has .backend property set
                self.authenticator.pending_user = user
                self.request.session[AuthenticationView.SESSION_USER_BACKEND] = user.backend
                return self.authenticator.user_ok()
            # No user was found -> invalid credentials
            LOGGER.debug("Invalid credentials")
            # Manually inject error into form
            # pylint: disable=protected-access
            errors = form._errors.setdefault("password", ErrorList())
            errors.append(_("Invalid password"))
            return self.form_invalid(form)
        except PermissionDenied:
            # User was found, but permission was denied (i.e. user is not active)
            LOGGER.debug("Denied access", **kwargs)
            return self.authenticator.user_invalid()
core: fix mfa, split up into multiple files, move factors to settings 2018-12-14 08:49:34 +00:00			`"""passbook multi-factor authentication engine"""`
rewrite PasswordFactor to use backends setting instead of trying all backends 2019-03-10 20:47:08 +00:00			`from inspect import Signature`
core: fix mfa, split up into multiple files, move factors to settings 2018-12-14 08:49:34 +00:00
move forgot password to PasswordFactor 2019-02-25 15:41:33 +00:00			`from django.contrib import messages`
rewrite PasswordFactor to use backends setting instead of trying all backends 2019-03-10 20:47:08 +00:00			`from django.contrib.auth import _clean_credentials`
			`from django.contrib.auth.signals import user_login_failed`
core: better handle MFA BackendFactor failures 2018-12-18 14:34:15 +00:00			`from django.core.exceptions import PermissionDenied`
			`from django.forms.utils import ErrorList`
add E-Mail support via celery task, untested, closes #17 2019-02-26 13:07:47 +00:00			`from django.shortcuts import redirect, reverse`
core: better handle MFA BackendFactor failures 2018-12-18 14:34:15 +00:00			`from django.utils.translation import gettext as _`
core: fix mfa, split up into multiple files, move factors to settings 2018-12-14 08:49:34 +00:00			`from django.views.generic import FormView`
*(minor): stdlib logging to structlog 2019-10-01 08:24:10 +00:00			`from structlog import get_logger`
core: fix mfa, split up into multiple files, move factors to settings 2018-12-14 08:49:34 +00:00
use Inheritance for Factors instead of JSONField 2019-02-24 21:39:09 +00:00			`from passbook.core.forms.authentication import PasswordFactorForm`
add Nonce (one-time links), add password reset function (missing e-mail verification), closes #7 2019-02-25 19:46:23 +00:00			`from passbook.core.models import Nonce`
add E-Mail support via celery task, untested, closes #17 2019-02-26 13:07:47 +00:00			`from passbook.core.tasks import send_email`
*(minor): small refactor 2019-10-07 14:33:48 +00:00			`from passbook.factors.base import AuthenticationFactor`
			`from passbook.factors.view import AuthenticationView`
core: fix mfa, split up into multiple files, move factors to settings 2018-12-14 08:49:34 +00:00			`from passbook.lib.config import CONFIG`
rewrite PasswordFactor to use backends setting instead of trying all backends 2019-03-10 20:47:08 +00:00			`from passbook.lib.utils.reflection import path_to_class`
core: fix mfa, split up into multiple files, move factors to settings 2018-12-14 08:49:34 +00:00
*(minor): remove __name__ param from get_logger 2019-10-04 08:08:53 +00:00			`LOGGER = get_logger()`
core: fix mfa, split up into multiple files, move factors to settings 2018-12-14 08:49:34 +00:00

rewrite PasswordFactor to use backends setting instead of trying all backends 2019-03-10 20:47:08 +00:00			`def authenticate(request, backends, **credentials):`
			`"""If the given credentials are valid, return a User object.`
*(minor): small refactor 2019-10-07 14:33:48 +00:00
rewrite PasswordFactor to use backends setting instead of trying all backends 2019-03-10 20:47:08 +00:00			`Customized version of django's authenticate, which accepts a list of backends"""`
			`for backend_path in backends:`
			`backend = path_to_class(backend_path)()`
			`try:`
			`signature = Signature.from_callable(backend.authenticate)`
			`signature.bind(request, **credentials)`
			`except TypeError:`
*(minor): make better use of structured logging 2019-10-04 08:21:33 +00:00			`LOGGER.debug("Backend doesn't accept our arguments", backend=backend)`
rewrite PasswordFactor to use backends setting instead of trying all backends 2019-03-10 20:47:08 +00:00			`# This backend doesn't accept these credentials as arguments. Try the next one.`
			`continue`
*(minor): make better use of structured logging 2019-10-04 08:21:33 +00:00			`LOGGER.debug('Attempting authentication...', backend=backend)`
rewrite PasswordFactor to use backends setting instead of trying all backends 2019-03-10 20:47:08 +00:00			`try:`
			`user = backend.authenticate(request, **credentials)`
			`except PermissionDenied:`
*(minor): make better use of structured logging 2019-10-04 08:21:33 +00:00			`LOGGER.debug('Backend threw PermissionDenied', backend=backend)`
rewrite PasswordFactor to use backends setting instead of trying all backends 2019-03-10 20:47:08 +00:00			`# This backend says to stop in our tracks - this user should not be allowed in at all.`
			`break`
			`if user is None:`
			`continue`
			`# Annotate the user object with the path of the backend.`
			`user.backend = backend_path`
			`return user`

			`# The credentials supplied are invalid to all backends, fire signal`
			`user_login_failed.send(sender=__name__, credentials=_clean_credentials(`
			`credentials), request=request)`

use Inheritance for Factors instead of JSONField 2019-02-24 21:39:09 +00:00			`class PasswordFactor(FormView, AuthenticationFactor):`
core: fix mfa, split up into multiple files, move factors to settings 2018-12-14 08:49:34 +00:00			`"""Authentication factor which authenticates against django's AuthBackend"""`

use Inheritance for Factors instead of JSONField 2019-02-24 21:39:09 +00:00			`form_class = PasswordFactorForm`
core: cleanup templates, add template for backend authentication 2018-12-14 12:50:58 +00:00			`template_name = 'login/factors/backend.html'`
core: fix mfa, split up into multiple files, move factors to settings 2018-12-14 08:49:34 +00:00
move forgot password to PasswordFactor 2019-02-25 15:41:33 +00:00			`def get_context_data(self, **kwargs):`
			`kwargs['show_password_forget_notice'] = CONFIG.y('passbook.password_reset.enabled')`
			`return super().get_context_data(**kwargs)`

			`def get(self, request, args, *kwargs):`
			`if 'password-forgotten' in request.GET:`
add Nonce (one-time links), add password reset function (missing e-mail verification), closes #7 2019-02-25 19:46:23 +00:00			`nonce = Nonce.objects.create(user=self.pending_user)`
			`LOGGER.debug("DEBUG %s", str(nonce.uuid))`
add E-Mail support via celery task, untested, closes #17 2019-02-26 13:07:47 +00:00			`# Send mail to user`
			`send_email.delay(self.pending_user.email, _('Forgotten password'),`
			`'email/account_password_reset.html', {`
			`'url': self.request.build_absolute_uri(`
add PropertyMapping Model, add Subclass for SAML, test with AWS 2019-03-08 11:47:50 +00:00			`reverse('passbook_core:auth-password-reset',`
add E-Mail support via celery task, untested, closes #17 2019-02-26 13:07:47 +00:00			`kwargs={`
			`'nonce': nonce.uuid`
			`})`
			`)`
			`})`
move forgot password to PasswordFactor 2019-02-25 15:41:33 +00:00			`self.authenticator.cleanup()`
			`messages.success(request, _('Check your E-Mails for a password reset link.'))`
			`return redirect('passbook_core:auth-login')`
			`return super().get(request, args, *kwargs)`

core: fix mfa, split up into multiple files, move factors to settings 2018-12-14 08:49:34 +00:00			`def form_valid(self, form):`
			`"""Authenticate against django's authentication backend"""`
			`uid_fields = CONFIG.y('passbook.uid_fields')`
			`kwargs = {`
			`'password': form.cleaned_data.get('password'),`
			`}`
			`for uid_field in uid_fields:`
			`kwargs[uid_field] = getattr(self.authenticator.pending_user, uid_field)`
core: better handle MFA BackendFactor failures 2018-12-18 14:34:15 +00:00			`try:`
rewrite PasswordFactor to use backends setting instead of trying all backends 2019-03-10 20:47:08 +00:00			`user = authenticate(self.request, self.authenticator.current_factor.backends, **kwargs)`
core: better handle MFA BackendFactor failures 2018-12-18 14:34:15 +00:00			`if user:`
			`# User instance returned from authenticate() has .backend property set`
			`self.authenticator.pending_user = user`
Move Factor instances to database 2019-02-16 08:52:37 +00:00			`self.request.session[AuthenticationView.SESSION_USER_BACKEND] = user.backend`
core: better handle MFA BackendFactor failures 2018-12-18 14:34:15 +00:00			`return self.authenticator.user_ok()`
			`# No user was found -> invalid credentials`
			`LOGGER.debug("Invalid credentials")`
			`# Manually inject error into form`
			`# pylint: disable=protected-access`
			`errors = form._errors.setdefault("password", ErrorList())`
			`errors.append(_("Invalid password"))`
			`return self.form_invalid(form)`
			`except PermissionDenied:`
			`# User was found, but permission was denied (i.e. user is not active)`
*(minor): make better use of structured logging 2019-10-04 08:21:33 +00:00			`LOGGER.debug("Denied access", **kwargs)`
core: better handle MFA BackendFactor failures 2018-12-18 14:34:15 +00:00			`return self.authenticator.user_invalid()`