authentik/passbook/outposts/models.py

"""Outpost models"""
from dataclasses import asdict, dataclass, field
from datetime import datetime
from typing import Iterable, List, Optional, Union
from uuid import uuid4

from dacite import from_dict
from django.core.cache import cache
from django.db import models, transaction
from django.db.models.base import Model
from django.http import HttpRequest
from django.utils.translation import gettext_lazy as _
from guardian.models import UserObjectPermission
from guardian.shortcuts import assign_perm
from packaging.version import LegacyVersion, Version, parse

from passbook import __version__
from passbook.core.models import Provider, Token, TokenIntents, User
from passbook.lib.config import CONFIG
from passbook.lib.utils.template import render_to_string

OUR_VERSION = parse(__version__)
OUTPOST_HELLO_INTERVAL = 10


@dataclass
class OutpostConfig:
    """Configuration an outpost uses to configure it self"""

    passbook_host: str
    passbook_host_insecure: bool = False

    log_level: str = CONFIG.y("log_level")
    error_reporting_enabled: bool = CONFIG.y_bool("error_reporting.enabled")
    error_reporting_environment: str = CONFIG.y(
        "error_reporting.environment", "customer"
    )

    kubernetes_replicas: int = field(default=1)
    kubernetes_namespace: str = field(default="default")


class OutpostModel(Model):
    """Base model for providers that need more objects than just themselves"""

    def get_required_objects(self) -> Iterable[models.Model]:
        """Return a list of all required objects"""
        return [self]

    class Meta:

        abstract = True


class OutpostType(models.TextChoices):
    """Outpost types, currently only the reverse proxy is available"""

    PROXY = "proxy"


class OutpostDeploymentType(models.TextChoices):
    """Deployment types that are managed through passbook"""

    KUBERNETES = "kubernetes"
    DOCKER = "docker"
    CUSTOM = "custom"


def default_outpost_config():
    """Get default outpost config"""
    return asdict(OutpostConfig(passbook_host=""))


class Outpost(models.Model):
    """Outpost instance which manages a service user and token"""

    uuid = models.UUIDField(default=uuid4, editable=False, primary_key=True)
    name = models.TextField()

    type = models.TextField(choices=OutpostType.choices, default=OutpostType.PROXY)
    deployment_type = models.TextField(
        choices=OutpostDeploymentType.choices,
        default=OutpostDeploymentType.CUSTOM,
        help_text=_(
            "Select between passbook-managed deployment types or a custom deployment."
        ),
    )
    _config = models.JSONField(default=default_outpost_config)

    providers = models.ManyToManyField(Provider)

    @property
    def config(self) -> OutpostConfig:
        """Load config as OutpostConfig object"""
        return from_dict(OutpostConfig, self._config)

    @config.setter
    def config(self, value):
        """Dump config into json"""
        self._config = asdict(value)

    @property
    def state_cache_prefix(self) -> str:
        """Key by which the outposts status is saved"""
        return f"outpost_{self.uuid.hex}_state"

    @property
    def state(self) -> List["OutpostState"]:
        """Get outpost's health status"""
        return OutpostState.for_outpost(self)

    @property
    def user(self) -> User:
        """Get/create user with access to all required objects"""
        users = User.objects.filter(username=f"pb-outpost-{self.uuid.hex}")
        if not users.exists():
            user: User = User.objects.create(username=f"pb-outpost-{self.uuid.hex}")
            user.set_unusable_password()
            user.save()
        else:
            user = users.first()
        # To ensure the user only has the correct permissions, we delete all of them and re-add
        # the ones the user needs
        with transaction.atomic():
            UserObjectPermission.objects.filter(user=user).delete()
            for model in self.get_required_objects():
                code_name = f"{model._meta.app_label}.view_{model._meta.model_name}"
                assign_perm(code_name, user, model)
        return user

    @property
    def token_identifier(self) -> str:
        """Get Token identifier"""
        return f"pb-outpost-{self.pk}-api"

    @property
    def token(self) -> Token:
        """Get/create token for auto-generated user"""
        token = Token.filter_not_expired(user=self.user, intent=TokenIntents.INTENT_API)
        if token.exists():
            return token.first()
        return Token.objects.create(
            user=self.user,
            identifier=self.token_identifier,
            intent=TokenIntents.INTENT_API,
            description=f"Autogenerated by passbook for Outpost {self.name}",
            expiring=False,
        )

    def get_required_objects(self) -> Iterable[models.Model]:
        """Get an iterator of all objects the user needs read access to"""
        objects = [self]
        for provider in (
            Provider.objects.filter(outpost=self).select_related().select_subclasses()
        ):
            if isinstance(provider, OutpostModel):
                objects.extend(provider.get_required_objects())
            else:
                objects.append(provider)
        return objects

    def html_deployment_view(self, request: HttpRequest) -> Optional[str]:
        """return template and context modal to view token and other config info"""
        return render_to_string(
            "outposts/deployment_modal.html",
            {"outpost": self, "full_url": request.build_absolute_uri("/")},
        )

    def __str__(self) -> str:
        return f"Outpost {self.name}"


@dataclass
class OutpostState:
    """Outpost instance state, last_seen and version"""

    uid: str
    last_seen: Optional[datetime] = field(default=None)
    version: Optional[str] = field(default=None)
    version_should: Union[Version, LegacyVersion] = field(default=OUR_VERSION)

    _outpost: Optional[Outpost] = field(default=None)

    @property
    def version_outdated(self) -> bool:
        """Check if outpost version matches our version"""
        if not self.version:
            return False
        return parse(self.version) < OUR_VERSION

    @staticmethod
    def for_outpost(outpost: Outpost) -> List["OutpostState"]:
        """Get all states for an outpost"""
        keys = cache.keys(f"{outpost.state_cache_prefix}_*")
        states = []
        for key in keys:
            channel = key.replace(f"{outpost.state_cache_prefix}_", "")
            states.append(OutpostState.for_channel(outpost, channel))
        return states

    @staticmethod
    def for_channel(outpost: Outpost, channel: str) -> "OutpostState":
        """Get state for a single channel"""
        key = f"{outpost.state_cache_prefix}_{channel}"
        data = cache.get(key, {"uid": channel})
        state = from_dict(OutpostState, data)
        state.uid = channel
        # pylint: disable=protected-access
        state._outpost = outpost
        return state

    def save(self, timeout=OUTPOST_HELLO_INTERVAL):
        """Save current state to cache"""
        full_key = f"{self._outpost.state_cache_prefix}_{self.uid}"
        return cache.set(full_key, asdict(self), timeout=timeout)

    def delete(self):
        """Manually delete from cache, used on channel disconnect"""
        full_key = f"{self._outpost.state_cache_prefix}_{self.uid}"
        cache.delete(full_key)
Proxy v2 (#189) 2020-09-02 22:04:12 +00:00			`"""Outpost models"""`
outposts: rewrite state logic, use cache to expire old channels, support multiple instances 2020-10-14 08:44:17 +00:00			`from dataclasses import asdict, dataclass, field`
Proxy v2 (#189) 2020-09-02 22:04:12 +00:00			`from datetime import datetime`
outposts: rewrite state logic, use cache to expire old channels, support multiple instances 2020-10-14 08:44:17 +00:00			`from typing import Iterable, List, Optional, Union`
Proxy v2 (#189) 2020-09-02 22:04:12 +00:00			`from uuid import uuid4`

			`from dacite import from_dict`
			`from django.core.cache import cache`
outposts: add tests for permissions 2020-09-14 15:34:07 +00:00			`from django.db import models, transaction`
outpost: fix outpost update signal only being sent to outposts connected to the same passbook instance 2020-09-13 12:29:40 +00:00			`from django.db.models.base import Model`
outposts: add modal to show setup information 2020-09-18 22:25:28 +00:00			`from django.http import HttpRequest`
Proxy v2 (#189) 2020-09-02 22:04:12 +00:00			`from django.utils.translation import gettext_lazy as _`
outposts: add tests for permissions 2020-09-14 15:34:07 +00:00			`from guardian.models import UserObjectPermission`
Proxy v2 (#189) 2020-09-02 22:04:12 +00:00			`from guardian.shortcuts import assign_perm`
outposts: rewrite state logic, use cache to expire old channels, support multiple instances 2020-10-14 08:44:17 +00:00			`from packaging.version import LegacyVersion, Version, parse`
Proxy v2 (#189) 2020-09-02 22:04:12 +00:00
outposts: add support for version checking 2020-09-18 22:54:48 +00:00			`from passbook import __version__`
Proxy v2 (#189) 2020-09-02 22:04:12 +00:00			`from passbook.core.models import Provider, Token, TokenIntents, User`
			`from passbook.lib.config import CONFIG`
outposts: add modal to show setup information 2020-09-18 22:25:28 +00:00			`from passbook.lib.utils.template import render_to_string`
Proxy v2 (#189) 2020-09-02 22:04:12 +00:00
outposts: add support for version checking 2020-09-18 22:54:48 +00:00			`OUR_VERSION = parse(__version__)`
outposts: rewrite state logic, use cache to expire old channels, support multiple instances 2020-10-14 08:44:17 +00:00			`OUTPOST_HELLO_INTERVAL = 10`
outposts: add support for version checking 2020-09-18 22:54:48 +00:00
Proxy v2 (#189) 2020-09-02 22:04:12 +00:00
			`@dataclass`
			`class OutpostConfig:`
			`"""Configuration an outpost uses to configure it self"""`

			`passbook_host: str`
			`passbook_host_insecure: bool = False`

			`log_level: str = CONFIG.y("log_level")`
			`error_reporting_enabled: bool = CONFIG.y_bool("error_reporting.enabled")`
			`error_reporting_environment: str = CONFIG.y(`
			`"error_reporting.environment", "customer"`
			`)`

outpost: rewrite kubernetes controller 2020-10-14 15:49:09 +00:00			`kubernetes_replicas: int = field(default=1)`
			`kubernetes_namespace: str = field(default="default")`

Proxy v2 (#189) 2020-09-02 22:04:12 +00:00
outpost: fix outpost update signal only being sent to outposts connected to the same passbook instance 2020-09-13 12:29:40 +00:00			`class OutpostModel(Model):`
Proxy v2 (#189) 2020-09-02 22:04:12 +00:00			`"""Base model for providers that need more objects than just themselves"""`

			`def get_required_objects(self) -> Iterable[models.Model]:`
			`"""Return a list of all required objects"""`
			`return [self]`

outpost: fix outpost update signal only being sent to outposts connected to the same passbook instance 2020-09-13 12:29:40 +00:00			`class Meta:`

			`abstract = True`

Proxy v2 (#189) 2020-09-02 22:04:12 +00:00
			`class OutpostType(models.TextChoices):`
			`"""Outpost types, currently only the reverse proxy is available"""`

			`PROXY = "proxy"`


			`class OutpostDeploymentType(models.TextChoices):`
			`"""Deployment types that are managed through passbook"""`

outpost: rewrite kubernetes controller 2020-10-14 15:49:09 +00:00			`KUBERNETES = "kubernetes"`
outposts: implement docker controller 2020-10-03 22:36:12 +00:00			`DOCKER = "docker"`
Proxy v2 (#189) 2020-09-02 22:04:12 +00:00			`CUSTOM = "custom"`


			`def default_outpost_config():`
			`"""Get default outpost config"""`
			`return asdict(OutpostConfig(passbook_host=""))`


			`class Outpost(models.Model):`
			`"""Outpost instance which manages a service user and token"""`

			`uuid = models.UUIDField(default=uuid4, editable=False, primary_key=True)`
			`name = models.TextField()`

			`type = models.TextField(choices=OutpostType.choices, default=OutpostType.PROXY)`
			`deployment_type = models.TextField(`
			`choices=OutpostDeploymentType.choices,`
			`default=OutpostDeploymentType.CUSTOM,`
			`help_text=_(`
			`"Select between passbook-managed deployment types or a custom deployment."`
			`),`
			`)`
			`_config = models.JSONField(default=default_outpost_config)`

			`providers = models.ManyToManyField(Provider)`

			`@property`
			`def config(self) -> OutpostConfig:`
			`"""Load config as OutpostConfig object"""`
outposts: fix Kubernetes Controller not exporting dicts, secrets not being b64 encoded 2020-09-13 20:19:26 +00:00			`return from_dict(OutpostConfig, self._config)`
Proxy v2 (#189) 2020-09-02 22:04:12 +00:00
			`@config.setter`
			`def config(self, value):`
			`"""Dump config into json"""`
outposts: fix Kubernetes Controller not exporting dicts, secrets not being b64 encoded 2020-09-13 20:19:26 +00:00			`self._config = asdict(value)`
Proxy v2 (#189) 2020-09-02 22:04:12 +00:00
outposts: rewrite state logic, use cache to expire old channels, support multiple instances 2020-10-14 08:44:17 +00:00			`@property`
			`def state_cache_prefix(self) -> str:`
outposts: add support for version checking 2020-09-18 22:54:48 +00:00			`"""Key by which the outposts status is saved"""`
outposts: rewrite state logic, use cache to expire old channels, support multiple instances 2020-10-14 08:44:17 +00:00			`return f"outpost_{self.uuid.hex}_state"`
Proxy v2 (#189) 2020-09-02 22:04:12 +00:00
			`@property`
outposts: rewrite state logic, use cache to expire old channels, support multiple instances 2020-10-14 08:44:17 +00:00			`def state(self) -> List["OutpostState"]:`
Proxy v2 (#189) 2020-09-02 22:04:12 +00:00			`"""Get outpost's health status"""`
outposts: rewrite state logic, use cache to expire old channels, support multiple instances 2020-10-14 08:44:17 +00:00			`return OutpostState.for_outpost(self)`
outposts: add support for version checking 2020-09-18 22:54:48 +00:00
outposts: fix permissions not being updated when providers are modified 2020-09-14 13:41:02 +00:00			`@property`
			`def user(self) -> User:`
			`"""Get/create user with access to all required objects"""`
			`users = User.objects.filter(username=f"pb-outpost-{self.uuid.hex}")`
			`if not users.exists():`
			`user: User = User.objects.create(username=f"pb-outpost-{self.uuid.hex}")`
			`user.set_unusable_password()`
			`user.save()`
			`else:`
			`user = users.first()`
outposts: add tests for permissions 2020-09-14 15:34:07 +00:00			`# To ensure the user only has the correct permissions, we delete all of them and re-add`
			`# the ones the user needs`
			`with transaction.atomic():`
			`UserObjectPermission.objects.filter(user=user).delete()`
			`for model in self.get_required_objects():`
			`code_name = f"{model._meta.app_label}.view_{model._meta.model_name}"`
			`assign_perm(code_name, user, model)`
Proxy v2 (#189) 2020-09-02 22:04:12 +00:00			`return user`

core: Add Token identifier as sudo-primary key 2020-10-03 21:37:58 +00:00			`@property`
			`def token_identifier(self) -> str:`
			`"""Get Token identifier"""`
			`return f"pb-outpost-{self.pk}-api"`

Proxy v2 (#189) 2020-09-02 22:04:12 +00:00			`@property`
			`def token(self) -> Token:`
			`"""Get/create token for auto-generated user"""`
			`token = Token.filter_not_expired(user=self.user, intent=TokenIntents.INTENT_API)`
			`if token.exists():`
			`return token.first()`
			`return Token.objects.create(`
			`user=self.user,`
core: Add Token identifier as sudo-primary key 2020-10-03 21:37:58 +00:00			`identifier=self.token_identifier,`
Proxy v2 (#189) 2020-09-02 22:04:12 +00:00			`intent=TokenIntents.INTENT_API,`
			`description=f"Autogenerated by passbook for Outpost {self.name}",`
			`expiring=False,`
			`)`

			`def get_required_objects(self) -> Iterable[models.Model]:`
			`"""Get an iterator of all objects the user needs read access to"""`
			`objects = [self]`
			`for provider in (`
			`Provider.objects.filter(outpost=self).select_related().select_subclasses()`
			`):`
			`if isinstance(provider, OutpostModel):`
			`objects.extend(provider.get_required_objects())`
			`else:`
			`objects.append(provider)`
			`return objects`

outposts: add modal to show setup information 2020-09-18 22:25:28 +00:00			`def html_deployment_view(self, request: HttpRequest) -> Optional[str]:`
			`"""return template and context modal to view token and other config info"""`
			`return render_to_string(`
			`"outposts/deployment_modal.html",`
			`{"outpost": self, "full_url": request.build_absolute_uri("/")},`
			`)`

Proxy v2 (#189) 2020-09-02 22:04:12 +00:00			`def __str__(self) -> str:`
			`return f"Outpost {self.name}"`
outposts: rewrite state logic, use cache to expire old channels, support multiple instances 2020-10-14 08:44:17 +00:00

			`@dataclass`
			`class OutpostState:`
			`"""Outpost instance state, last_seen and version"""`

			`uid: str`
			`last_seen: Optional[datetime] = field(default=None)`
			`version: Optional[str] = field(default=None)`
			`version_should: Union[Version, LegacyVersion] = field(default=OUR_VERSION)`

			`_outpost: Optional[Outpost] = field(default=None)`

			`@property`
			`def version_outdated(self) -> bool:`
			`"""Check if outpost version matches our version"""`
			`if not self.version:`
			`return False`
			`return parse(self.version) < OUR_VERSION`

			`@staticmethod`
			`def for_outpost(outpost: Outpost) -> List["OutpostState"]:`
			`"""Get all states for an outpost"""`
			`keys = cache.keys(f"{outpost.state_cache_prefix}_*")`
			`states = []`
			`for key in keys:`
			`channel = key.replace(f"{outpost.state_cache_prefix}_", "")`
			`states.append(OutpostState.for_channel(outpost, channel))`
			`return states`

			`@staticmethod`
			`def for_channel(outpost: Outpost, channel: str) -> "OutpostState":`
			`"""Get state for a single channel"""`
			`key = f"{outpost.state_cache_prefix}_{channel}"`
			`data = cache.get(key, {"uid": channel})`
			`state = from_dict(OutpostState, data)`
			`state.uid = channel`
			`# pylint: disable=protected-access`
			`state._outpost = outpost`
			`return state`

			`def save(self, timeout=OUTPOST_HELLO_INTERVAL):`
			`"""Save current state to cache"""`
			`full_key = f"{self._outpost.state_cache_prefix}_{self.uid}"`
			`return cache.set(full_key, asdict(self), timeout=timeout)`

			`def delete(self):`
			`"""Manually delete from cache, used on channel disconnect"""`
			`full_key = f"{self._outpost.state_cache_prefix}_{self.uid}"`
			`cache.delete(full_key)`