This repository has been archived on 2024-05-31. You can view files and clone it, but cannot push or open issues or pull requests.
authentik/passbook/flows/models.py

160 lines
5.4 KiB
Python
Raw Normal View History

"""Flow models"""
from typing import TYPE_CHECKING, Optional, Type
from uuid import uuid4
from django.db import models
Squashed commit of the following: commit 88029a43355d73011b9fd078231fd932cfa1e2a6 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Mon Jul 20 16:55:55 2020 +0200 admin: update to work with new form commit 4040eb9619a9beb8ae6bc93f49c0170e4f198f15 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Mon Jul 20 16:43:30 2020 +0200 *: remove path-based import from all PropertyMappings commit c9663a08dade5b14fcc9a1ddb68637ccc2da8dc9 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Mon Jul 20 16:33:34 2020 +0200 flows: update work with new stages commit a3d92ebc0a9744efbe3f3940d83e357fad0c63d5 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Mon Jul 20 16:23:30 2020 +0200 stages/*: remove path-based import from all stages commit 6fa825e372942dbc9f3733ffdac888d44f862ec5 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Mon Jul 20 16:03:55 2020 +0200 providers/*: remove path-based import from all providers commit 6aefd072c881870948f746992803a181eb65d1e1 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Mon Jul 20 15:58:48 2020 +0200 policies/*: remove path-based import from all policies commit ac2dd3611fd70c880c2ce356651aee54c11014cf Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Mon Jul 20 15:11:27 2020 +0200 sources/*: remove path-based import from all sources commit 74e628ce9c4f3359e34b17eae922b76e47bc1a37 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Mon Jul 20 14:43:38 2020 +0200 ui: allow overriding of verbose_name commit d4ee18ee32491c4b41090120b72986de3c7e5222 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Mon Jul 20 14:08:27 2020 +0200 sources/oauth: migrate from discordapp.com to discord.com
2020-07-20 16:17:14 +00:00
from django.forms import ModelForm
from django.http import HttpRequest
from django.utils.translation import gettext_lazy as _
2020-05-08 17:46:39 +00:00
from model_utils.managers import InheritanceManager
from structlog import get_logger
2020-05-08 17:46:39 +00:00
from passbook.core.types import UIUserSettings
from passbook.policies.models import PolicyBindingModel
if TYPE_CHECKING:
from passbook.flows.stage import StageView
LOGGER = get_logger()
class NotConfiguredAction(models.TextChoices):
"""Decides how the FlowExecutor should proceed when a stage isn't configured"""
SKIP = "skip"
# CONFIGURE = "configure"
2020-05-09 18:54:56 +00:00
class FlowDesignation(models.TextChoices):
"""Designation of what a Flow should be used for. At a later point, this
should be replaced by a database entry."""
AUTHENTICATION = "authentication"
WIP Use Flows for Sources and Providers (#32) * core: start migrating to flows for authorisation * sources/oauth: start type-hinting * core: create default user * core: only show user delete button if an unenrollment flow exists * flows: Correctly check initial policies on flow with context * policies: add more verbosity to engine * sources/oauth: migrate to flows * sources/oauth: fix typing errors * flows: add more tests * sources/oauth: start implementing unittests * sources/ldap: add option to disable user sync, move connection init to model * sources/ldap: re-add default PropertyMappings * providers/saml: re-add default PropertyMappings * admin: fix missing stage count * stages/identification: fix sources not being shown * crypto: fix being unable to save with private key * crypto: re-add default self-signed keypair * policies: rewrite cache_key to prevent wrong cache * sources/saml: migrate to flows for auth and enrollment * stages/consent: add new stage * admin: fix PropertyMapping widget not rendering properly * core: provider.authorization_flow is mandatory * flows: add support for "autosubmit" attribute on form * flows: add InMemoryStage for dynamic stages * flows: optionally allow empty flows from FlowPlanner * providers/saml: update to authorization_flow * sources/*: fix flow executor URL * flows: fix pylint error * flows: wrap responses in JSON object to easily handle redirects * flow: dont cache plan's context * providers/oauth: rewrite OAuth2 Provider to use flows * providers/*: update docstrings of models * core: fix forms not passing help_text through safe * flows: fix HttpResponses not being converted to JSON * providers/oidc: rewrite to use flows * flows: fix linting
2020-06-07 14:35:08 +00:00
AUTHORIZATION = "authorization"
INVALIDATION = "invalidation"
ENROLLMENT = "enrollment"
UNRENOLLMENT = "unenrollment"
RECOVERY = "recovery"
STAGE_SETUP = "stage_setup"
class Stage(models.Model):
2020-05-08 17:46:39 +00:00
"""Stage is an instance of a component used in a flow. This can verify the user,
enroll the user or offer a way of recovery"""
stage_uuid = models.UUIDField(primary_key=True, editable=False, default=uuid4)
2020-05-08 17:46:39 +00:00
name = models.TextField()
objects = InheritanceManager()
Squashed commit of the following: commit 88029a43355d73011b9fd078231fd932cfa1e2a6 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Mon Jul 20 16:55:55 2020 +0200 admin: update to work with new form commit 4040eb9619a9beb8ae6bc93f49c0170e4f198f15 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Mon Jul 20 16:43:30 2020 +0200 *: remove path-based import from all PropertyMappings commit c9663a08dade5b14fcc9a1ddb68637ccc2da8dc9 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Mon Jul 20 16:33:34 2020 +0200 flows: update work with new stages commit a3d92ebc0a9744efbe3f3940d83e357fad0c63d5 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Mon Jul 20 16:23:30 2020 +0200 stages/*: remove path-based import from all stages commit 6fa825e372942dbc9f3733ffdac888d44f862ec5 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Mon Jul 20 16:03:55 2020 +0200 providers/*: remove path-based import from all providers commit 6aefd072c881870948f746992803a181eb65d1e1 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Mon Jul 20 15:58:48 2020 +0200 policies/*: remove path-based import from all policies commit ac2dd3611fd70c880c2ce356651aee54c11014cf Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Mon Jul 20 15:11:27 2020 +0200 sources/*: remove path-based import from all sources commit 74e628ce9c4f3359e34b17eae922b76e47bc1a37 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Mon Jul 20 14:43:38 2020 +0200 ui: allow overriding of verbose_name commit d4ee18ee32491c4b41090120b72986de3c7e5222 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Mon Jul 20 14:08:27 2020 +0200 sources/oauth: migrate from discordapp.com to discord.com
2020-07-20 16:17:14 +00:00
def type(self) -> Type["StageView"]:
"""Return StageView class that implements logic for this stage"""
# This is a bit of a workaround, since we can't set class methods with setattr
if hasattr(self, "__in_memory_type"):
return getattr(self, "__in_memory_type")
raise NotImplementedError
def form(self) -> Type[ModelForm]:
"""Return Form class used to edit this object"""
raise NotImplementedError
2020-05-08 17:46:39 +00:00
@property
def ui_user_settings(self) -> Optional[UIUserSettings]:
"""Entrypoint to integrate with User settings. Can either return None if no
user settings are available, or an instanace of UIUserSettings."""
return None
def __str__(self):
return f"Stage {self.name}"
def in_memory_stage(view: Type["StageView"]) -> Stage:
WIP Use Flows for Sources and Providers (#32) * core: start migrating to flows for authorisation * sources/oauth: start type-hinting * core: create default user * core: only show user delete button if an unenrollment flow exists * flows: Correctly check initial policies on flow with context * policies: add more verbosity to engine * sources/oauth: migrate to flows * sources/oauth: fix typing errors * flows: add more tests * sources/oauth: start implementing unittests * sources/ldap: add option to disable user sync, move connection init to model * sources/ldap: re-add default PropertyMappings * providers/saml: re-add default PropertyMappings * admin: fix missing stage count * stages/identification: fix sources not being shown * crypto: fix being unable to save with private key * crypto: re-add default self-signed keypair * policies: rewrite cache_key to prevent wrong cache * sources/saml: migrate to flows for auth and enrollment * stages/consent: add new stage * admin: fix PropertyMapping widget not rendering properly * core: provider.authorization_flow is mandatory * flows: add support for "autosubmit" attribute on form * flows: add InMemoryStage for dynamic stages * flows: optionally allow empty flows from FlowPlanner * providers/saml: update to authorization_flow * sources/*: fix flow executor URL * flows: fix pylint error * flows: wrap responses in JSON object to easily handle redirects * flow: dont cache plan's context * providers/oauth: rewrite OAuth2 Provider to use flows * providers/*: update docstrings of models * core: fix forms not passing help_text through safe * flows: fix HttpResponses not being converted to JSON * providers/oidc: rewrite to use flows * flows: fix linting
2020-06-07 14:35:08 +00:00
"""Creates an in-memory stage instance, based on a `_type` as view."""
stage = Stage()
Squashed commit of the following: commit 88029a43355d73011b9fd078231fd932cfa1e2a6 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Mon Jul 20 16:55:55 2020 +0200 admin: update to work with new form commit 4040eb9619a9beb8ae6bc93f49c0170e4f198f15 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Mon Jul 20 16:43:30 2020 +0200 *: remove path-based import from all PropertyMappings commit c9663a08dade5b14fcc9a1ddb68637ccc2da8dc9 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Mon Jul 20 16:33:34 2020 +0200 flows: update work with new stages commit a3d92ebc0a9744efbe3f3940d83e357fad0c63d5 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Mon Jul 20 16:23:30 2020 +0200 stages/*: remove path-based import from all stages commit 6fa825e372942dbc9f3733ffdac888d44f862ec5 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Mon Jul 20 16:03:55 2020 +0200 providers/*: remove path-based import from all providers commit 6aefd072c881870948f746992803a181eb65d1e1 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Mon Jul 20 15:58:48 2020 +0200 policies/*: remove path-based import from all policies commit ac2dd3611fd70c880c2ce356651aee54c11014cf Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Mon Jul 20 15:11:27 2020 +0200 sources/*: remove path-based import from all sources commit 74e628ce9c4f3359e34b17eae922b76e47bc1a37 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Mon Jul 20 14:43:38 2020 +0200 ui: allow overriding of verbose_name commit d4ee18ee32491c4b41090120b72986de3c7e5222 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Mon Jul 20 14:08:27 2020 +0200 sources/oauth: migrate from discordapp.com to discord.com
2020-07-20 16:17:14 +00:00
# Because we can't pickle a locally generated function,
# we set the view as a separate property and reference a generic function
# that returns that member
setattr(stage, "__in_memory_type", view)
WIP Use Flows for Sources and Providers (#32) * core: start migrating to flows for authorisation * sources/oauth: start type-hinting * core: create default user * core: only show user delete button if an unenrollment flow exists * flows: Correctly check initial policies on flow with context * policies: add more verbosity to engine * sources/oauth: migrate to flows * sources/oauth: fix typing errors * flows: add more tests * sources/oauth: start implementing unittests * sources/ldap: add option to disable user sync, move connection init to model * sources/ldap: re-add default PropertyMappings * providers/saml: re-add default PropertyMappings * admin: fix missing stage count * stages/identification: fix sources not being shown * crypto: fix being unable to save with private key * crypto: re-add default self-signed keypair * policies: rewrite cache_key to prevent wrong cache * sources/saml: migrate to flows for auth and enrollment * stages/consent: add new stage * admin: fix PropertyMapping widget not rendering properly * core: provider.authorization_flow is mandatory * flows: add support for "autosubmit" attribute on form * flows: add InMemoryStage for dynamic stages * flows: optionally allow empty flows from FlowPlanner * providers/saml: update to authorization_flow * sources/*: fix flow executor URL * flows: fix pylint error * flows: wrap responses in JSON object to easily handle redirects * flow: dont cache plan's context * providers/oauth: rewrite OAuth2 Provider to use flows * providers/*: update docstrings of models * core: fix forms not passing help_text through safe * flows: fix HttpResponses not being converted to JSON * providers/oidc: rewrite to use flows * flows: fix linting
2020-06-07 14:35:08 +00:00
return stage
class Flow(PolicyBindingModel):
2020-05-08 17:46:39 +00:00
"""Flow describes how a series of Stages should be executed to authenticate/enroll/recover
a user. Additionally, policies can be applied, to specify which users
have access to this flow."""
flow_uuid = models.UUIDField(primary_key=True, editable=False, default=uuid4)
name = models.TextField()
slug = models.SlugField(unique=True)
2020-05-09 18:54:56 +00:00
designation = models.CharField(max_length=100, choices=FlowDesignation.choices)
2020-05-08 17:46:39 +00:00
stages = models.ManyToManyField(Stage, through="FlowStageBinding", blank=True)
@staticmethod
def with_policy(request: HttpRequest, **flow_filter) -> Optional["Flow"]:
"""Get a Flow by `**flow_filter` and check if the request from `request` can access it."""
from passbook.policies.engine import PolicyEngine
flows = Flow.objects.filter(**flow_filter)
for flow in flows:
engine = PolicyEngine(flow, request.user, request)
engine.build()
result = engine.result
if result.passing:
LOGGER.debug("with_policy: flow passing", flow=flow)
return flow
LOGGER.warning(
"with_policy: flow not passing", flow=flow, messages=result.messages
)
LOGGER.debug("with_policy: no flow found", filters=flow_filter)
return None
def related_flow(self, designation: str, request: HttpRequest) -> Optional["Flow"]:
"""Get a related flow with `designation`. Currently this only queries
Flows by `designation`, but will eventually use `self` for related lookups."""
return Flow.with_policy(request, designation=designation)
def __str__(self) -> str:
return f"Flow {self.name} ({self.slug})"
class Meta:
verbose_name = _("Flow")
verbose_name_plural = _("Flows")
class FlowStageBinding(PolicyBindingModel):
2020-05-08 17:46:39 +00:00
"""Relationship between Flow and Stage. Order is required and unique for
each flow-stage Binding. Additionally, policies can be specified, which determine if
this Binding applies to the current user"""
fsb_uuid = models.UUIDField(primary_key=True, editable=False, default=uuid4)
target = models.ForeignKey("Flow", on_delete=models.CASCADE)
2020-05-08 17:46:39 +00:00
stage = models.ForeignKey(Stage, on_delete=models.CASCADE)
re_evaluate_policies = models.BooleanField(
default=False,
help_text=_(
"When this option is enabled, the planner will re-evaluate policies bound to this."
),
)
order = models.IntegerField()
objects = InheritanceManager()
def __str__(self) -> str:
return f"Flow Binding {self.target} -> {self.stage}"
class Meta:
ordering = ["order", "target"]
2020-05-08 17:46:39 +00:00
verbose_name = _("Flow Stage Binding")
verbose_name_plural = _("Flow Stage Bindings")
unique_together = (("target", "stage", "order"),)