authentik/passbook/flows/views.py

"""passbook multi-stage authentication engine"""
from typing import Optional

from django.http import HttpRequest, HttpResponse
from django.shortcuts import get_object_or_404, redirect
from django.views.generic import View
from structlog import get_logger

from passbook.core.views.utils import PermissionDeniedView
from passbook.flows.exceptions import EmptyFlowException, FlowNonApplicableException
from passbook.flows.models import Flow, FlowDesignation, Stage
from passbook.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan, FlowPlanner
from passbook.lib.config import CONFIG
from passbook.lib.utils.reflection import class_to_path, path_to_class
from passbook.lib.utils.urls import is_url_absolute, redirect_with_qs
from passbook.lib.views import bad_request_message

LOGGER = get_logger()
# Argument used to redirect user after login
NEXT_ARG_NAME = "next"
SESSION_KEY_PLAN = "passbook_flows_plan"


class FlowExecutorView(View):
    """Stage 1 Flow executor, passing requests to Stage Views"""

    flow: Flow

    plan: Optional[FlowPlan] = None
    current_stage: Stage
    current_stage_view: View

    def setup(self, request: HttpRequest, flow_slug: str):
        super().setup(request, flow_slug=flow_slug)
        # TODO: Do we always need this?
        self.flow = get_object_or_404(Flow, slug=flow_slug)

    def _check_config_domain(self) -> Optional[HttpResponse]:
        """Checks if current request's domain matches configured Domain, and
        adds a warning if not."""
        current_domain = self.request.get_host()
        if ":" in current_domain:
            current_domain, _ = current_domain.split(":")
        config_domain = CONFIG.y("domain")
        if current_domain != config_domain:
            message = (
                f"Current domain of '{current_domain}' doesn't "
                f"match configured domain of '{config_domain}'."
            )
            LOGGER.warning(message, flow_slug=self.flow.slug)
            return bad_request_message(self.request, message)
        return None

    def handle_invalid_flow(self, exc: BaseException) -> HttpResponse:
        """When a flow is non-applicable check if user is on the correct domain"""
        if NEXT_ARG_NAME in self.request.GET:
            LOGGER.debug("f(exec): Redirecting to next on fail")
            return redirect(self.request.GET.get(NEXT_ARG_NAME))
        incorrect_domain_message = self._check_config_domain()
        if incorrect_domain_message:
            return incorrect_domain_message
        return bad_request_message(self.request, str(exc))

    def dispatch(self, request: HttpRequest, flow_slug: str) -> HttpResponse:
        # Early check if theres an active Plan for the current session
        if SESSION_KEY_PLAN not in self.request.session:
            LOGGER.debug(
                "f(exec): No active Plan found, initiating planner", flow_slug=flow_slug
            )
            try:
                self.plan = self._initiate_plan()
            except FlowNonApplicableException as exc:
                LOGGER.warning("f(exec): Flow not applicable to current user", exc=exc)
                return self.handle_invalid_flow(exc)
            except EmptyFlowException as exc:
                LOGGER.warning("f(exec): Flow is empty", exc=exc)
                return self.handle_invalid_flow(exc)
        else:
            LOGGER.debug("f(exec): Continuing existing plan", flow_slug=flow_slug)
            self.plan = self.request.session[SESSION_KEY_PLAN]
        # We don't save the Plan after getting the next stage
        # as it hasn't been successfully passed yet
        self.current_stage = self.plan.next()
        LOGGER.debug(
            "f(exec): Current stage",
            current_stage=self.current_stage,
            flow_slug=self.flow.slug,
        )
        stage_cls = path_to_class(self.current_stage.type)
        self.current_stage_view = stage_cls(self)
        self.current_stage_view.request = request
        return super().dispatch(request)

    def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
        """pass get request to current stage"""
        LOGGER.debug(
            "f(exec): Passing GET",
            view_class=class_to_path(self.current_stage_view.__class__),
            flow_slug=self.flow.slug,
        )
        return self.current_stage_view.get(request, *args, **kwargs)

    def post(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
        """pass post request to current stage"""
        LOGGER.debug(
            "f(exec): Passing POST",
            view_class=class_to_path(self.current_stage_view.__class__),
            flow_slug=self.flow.slug,
        )
        return self.current_stage_view.post(request, *args, **kwargs)

    def _initiate_plan(self) -> FlowPlan:
        planner = FlowPlanner(self.flow)
        plan = planner.plan(self.request)
        self.request.session[SESSION_KEY_PLAN] = plan
        return plan

    def _flow_done(self) -> HttpResponse:
        """User Successfully passed all stages"""
        self.cancel()
        next_param = self.request.GET.get(NEXT_ARG_NAME, None)
        if next_param and not is_url_absolute(next_param):
            return redirect(next_param)
        return redirect_with_qs("passbook_core:overview")

    def stage_ok(self) -> HttpResponse:
        """Callback called by stages upon successful completion.
        Persists updated plan and context to session."""
        LOGGER.debug(
            "f(exec): Stage ok",
            stage_class=class_to_path(self.current_stage_view.__class__),
            flow_slug=self.flow.slug,
        )
        self.plan.stages.pop(0)
        self.request.session[SESSION_KEY_PLAN] = self.plan
        if self.plan.stages:
            LOGGER.debug(
                "f(exec): Continuing with next stage",
                reamining=len(self.plan.stages),
                flow_slug=self.flow.slug,
            )
            return redirect_with_qs(
                "passbook_flows:flow-executor", self.request.GET, **self.kwargs
            )
        # User passed all stages
        LOGGER.debug(
            "f(exec): User passed all stages",
            user=self.plan.context[PLAN_CONTEXT_PENDING_USER],
            flow_slug=self.flow.slug,
        )
        return self._flow_done()

    def stage_invalid(self) -> HttpResponse:
        """Callback used stage when data is correct but a policy denies access
        or the user account is disabled."""
        LOGGER.debug("f(exec): Stage invalid", flow_slug=self.flow.slug)
        self.cancel()
        return redirect_with_qs("passbook_flows:denied", self.request.GET)

    def cancel(self):
        """Cancel current execution and return a redirect"""
        del self.request.session[SESSION_KEY_PLAN]


class FlowPermissionDeniedView(PermissionDeniedView):
    """User could not be authenticated"""


class ToDefaultFlow(View):
    """Redirect to default flow matching by designation"""

    designation: Optional[FlowDesignation] = None

    def dispatch(self, request: HttpRequest) -> HttpResponse:
        flow = get_object_or_404(Flow, designation=self.designation)
        # TODO: Get Flow depending on subdomain?
        return redirect_with_qs(
            "passbook_flows:flow-executor", request.GET, flow_slug=flow.slug
        )
factors: -> stage 2020-05-08 17:46:39 +00:00			`"""passbook multi-stage authentication engine"""`
flows: complete migration to FlowExecutorView, fully use context 2020-05-08 14:10:27 +00:00			`from typing import Optional`
core: implement new mfa authentication 2018-12-13 17:02:08 +00:00
factors/view: show concise error message when domain is mis-configured 2020-02-18 15:20:38 +00:00			`from django.http import HttpRequest, HttpResponse`
flows: complete migration to FlowExecutorView, fully use context 2020-05-08 14:10:27 +00:00			`from django.shortcuts import get_object_or_404, redirect`
core: fix mfa, split up into multiple files, move factors to settings 2018-12-14 08:49:34 +00:00			`from django.views.generic import View`
*(minor): stdlib logging to structlog 2019-10-01 08:24:10 +00:00			`from structlog import get_logger`
core: implement new mfa authentication 2018-12-13 17:02:08 +00:00
flows: fix denied view not being registered 2020-05-08 14:50:50 +00:00			`from passbook.core.views.utils import PermissionDeniedView`
flows: enum to django TextChoices 2020-05-09 18:54:56 +00:00			`from passbook.flows.exceptions import EmptyFlowException, FlowNonApplicableException`
			`from passbook.flows.models import Flow, FlowDesignation, Stage`
flows: complete migration to FlowExecutorView, fully use context 2020-05-08 14:10:27 +00:00			`from passbook.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan, FlowPlanner`
factors/view: show concise error message when domain is mis-configured 2020-02-18 15:20:38 +00:00			`from passbook.lib.config import CONFIG`
core: fix mfa, split up into multiple files, move factors to settings 2018-12-14 08:49:34 +00:00			`from passbook.lib.utils.reflection import class_to_path, path_to_class`
flows: complete migration to FlowExecutorView, fully use context 2020-05-08 14:10:27 +00:00			`from passbook.lib.utils.urls import is_url_absolute, redirect_with_qs`
all: fix left over references to error templates 2020-02-21 14:04:37 +00:00			`from passbook.lib.views import bad_request_message`
core: implement new mfa authentication 2018-12-13 17:02:08 +00:00
*(minor): remove __name__ param from get_logger 2019-10-04 08:08:53 +00:00			`LOGGER = get_logger()`
ci: upgrade pylint to latest version core: also upgrade kombu as https://github.com/celery/kombu/issues/1101 is fixed now 2019-12-31 11:45:29 +00:00			`# Argument used to redirect user after login`
all: implement black as code formatter 2019-12-31 11:51:16 +00:00			`NEXT_ARG_NAME = "next"`
flows: complete migration to FlowExecutorView, fully use context 2020-05-08 14:10:27 +00:00			`SESSION_KEY_PLAN = "passbook_flows_plan"`
ci: upgrade pylint to latest version core: also upgrade kombu as https://github.com/celery/kombu/issues/1101 is fixed now 2019-12-31 11:45:29 +00:00
core: implement new mfa authentication 2018-12-13 17:02:08 +00:00
flows: complete migration to FlowExecutorView, fully use context 2020-05-08 14:10:27 +00:00			`class FlowExecutorView(View):`
factors: -> stage 2020-05-08 17:46:39 +00:00			`"""Stage 1 Flow executor, passing requests to Stage Views"""`
core: implement new mfa authentication 2018-12-13 17:02:08 +00:00
flows: complete migration to FlowExecutorView, fully use context 2020-05-08 14:10:27 +00:00			`flow: Flow`
totp => otp, integrate with factors, new setup form 2019-02-25 11:29:40 +00:00
flows: separate final login step from flow executor 2020-05-09 21:19:36 +00:00			`plan: Optional[FlowPlan] = None`
factors: -> stage 2020-05-08 17:46:39 +00:00			`current_stage: Stage`
			`current_stage_view: View`
core: implement new mfa authentication 2018-12-13 17:02:08 +00:00
flows: complete migration to FlowExecutorView, fully use context 2020-05-08 14:10:27 +00:00			`def setup(self, request: HttpRequest, flow_slug: str):`
			`super().setup(request, flow_slug=flow_slug)`
			`# TODO: Do we always need this?`
			`self.flow = get_object_or_404(Flow, slug=flow_slug)`
core: mfa cleanup session after successful login 2018-12-18 14:34:26 +00:00
factors/view: show concise error message when domain is mis-configured 2020-02-18 15:20:38 +00:00			`def _check_config_domain(self) -> Optional[HttpResponse]:`
			`"""Checks if current request's domain matches configured Domain, and`
			`adds a warning if not."""`
			`current_domain = self.request.get_host()`
factors: strip port for domain check 2020-02-18 16:05:30 +00:00			`if ":" in current_domain:`
			`current_domain, _ = current_domain.split(":")`
factors/view: show concise error message when domain is mis-configured 2020-02-18 15:20:38 +00:00			`config_domain = CONFIG.y("domain")`
			`if current_domain != config_domain:`
			`message = (`
			`f"Current domain of '{current_domain}' doesn't "`
			`f"match configured domain of '{config_domain}'."`
			`)`
flows: make sure flow_slug is logged consistently 2020-05-08 14:51:12 +00:00			`LOGGER.warning(message, flow_slug=self.flow.slug)`
all: fix left over references to error templates 2020-02-21 14:04:37 +00:00			`return bad_request_message(self.request, message)`
factors/view: show concise error message when domain is mis-configured 2020-02-18 15:20:38 +00:00			`return None`

flows: enum to django TextChoices 2020-05-09 18:54:56 +00:00			`def handle_invalid_flow(self, exc: BaseException) -> HttpResponse:`
flows: complete migration to FlowExecutorView, fully use context 2020-05-08 14:10:27 +00:00			`"""When a flow is non-applicable check if user is on the correct domain"""`
*(minor): small refactor 2019-10-07 14:33:48 +00:00			`if NEXT_ARG_NAME in self.request.GET:`
stages/identification: simplify unittests 2020-05-09 23:01:58 +00:00			`LOGGER.debug("f(exec): Redirecting to next on fail")`
*(minor): small refactor 2019-10-07 14:33:48 +00:00			`return redirect(self.request.GET.get(NEXT_ARG_NAME))`
flows: complete migration to FlowExecutorView, fully use context 2020-05-08 14:10:27 +00:00			`incorrect_domain_message = self._check_config_domain()`
			`if incorrect_domain_message:`
			`return incorrect_domain_message`
flows: enum to django TextChoices 2020-05-09 18:54:56 +00:00			`return bad_request_message(self.request, str(exc))`
flows: implement planner, start new executor 2020-05-08 12:33:14 +00:00
			`def dispatch(self, request: HttpRequest, flow_slug: str) -> HttpResponse:`
			`# Early check if theres an active Plan for the current session`
			`if SESSION_KEY_PLAN not in self.request.session:`
			`LOGGER.debug(`
stages/identification: simplify unittests 2020-05-09 23:01:58 +00:00			`"f(exec): No active Plan found, initiating planner", flow_slug=flow_slug`
flows: implement planner, start new executor 2020-05-08 12:33:14 +00:00			`)`
			`try:`
			`self.plan = self._initiate_plan()`
flows: enum to django TextChoices 2020-05-09 18:54:56 +00:00			`except FlowNonApplicableException as exc:`
stages/identification: simplify unittests 2020-05-09 23:01:58 +00:00			`LOGGER.warning("f(exec): Flow not applicable to current user", exc=exc)`
flows: enum to django TextChoices 2020-05-09 18:54:56 +00:00			`return self.handle_invalid_flow(exc)`
			`except EmptyFlowException as exc:`
stages/identification: simplify unittests 2020-05-09 23:01:58 +00:00			`LOGGER.warning("f(exec): Flow is empty", exc=exc)`
flows: enum to django TextChoices 2020-05-09 18:54:56 +00:00			`return self.handle_invalid_flow(exc)`
flows: implement planner, start new executor 2020-05-08 12:33:14 +00:00			`else:`
stages/identification: simplify unittests 2020-05-09 23:01:58 +00:00			`LOGGER.debug("f(exec): Continuing existing plan", flow_slug=flow_slug)`
flows: implement planner, start new executor 2020-05-08 12:33:14 +00:00			`self.plan = self.request.session[SESSION_KEY_PLAN]`
factors: -> stage 2020-05-08 17:46:39 +00:00			`# We don't save the Plan after getting the next stage`
flows: implement planner, start new executor 2020-05-08 12:33:14 +00:00			`# as it hasn't been successfully passed yet`
factors: -> stage 2020-05-08 17:46:39 +00:00			`self.current_stage = self.plan.next()`
flows: add to api and add forms 2020-05-08 16:29:18 +00:00			`LOGGER.debug(`
stages/identification: simplify unittests 2020-05-09 23:01:58 +00:00			`"f(exec): Current stage",`
			`current_stage=self.current_stage,`
			`flow_slug=self.flow.slug,`
flows: add to api and add forms 2020-05-08 16:29:18 +00:00			`)`
factors: -> stage 2020-05-08 17:46:39 +00:00			`stage_cls = path_to_class(self.current_stage.type)`
			`self.current_stage_view = stage_cls(self)`
			`self.current_stage_view.request = request`
flows: implement planner, start new executor 2020-05-08 12:33:14 +00:00			`return super().dispatch(request)`

			`def get(self, request: HttpRequest, args, *kwargs) -> HttpResponse:`
factors: -> stage 2020-05-08 17:46:39 +00:00			`"""pass get request to current stage"""`
flows: implement planner, start new executor 2020-05-08 12:33:14 +00:00			`LOGGER.debug(`
stages/identification: simplify unittests 2020-05-09 23:01:58 +00:00			`"f(exec): Passing GET",`
factors: -> stage 2020-05-08 17:46:39 +00:00			`view_class=class_to_path(self.current_stage_view.__class__),`
flows: make sure flow_slug is logged consistently 2020-05-08 14:51:12 +00:00			`flow_slug=self.flow.slug,`
flows: implement planner, start new executor 2020-05-08 12:33:14 +00:00			`)`
factors: -> stage 2020-05-08 17:46:39 +00:00			`return self.current_stage_view.get(request, args, *kwargs)`
flows: implement planner, start new executor 2020-05-08 12:33:14 +00:00
			`def post(self, request: HttpRequest, args, *kwargs) -> HttpResponse:`
factors: -> stage 2020-05-08 17:46:39 +00:00			`"""pass post request to current stage"""`
flows: implement planner, start new executor 2020-05-08 12:33:14 +00:00			`LOGGER.debug(`
stages/identification: simplify unittests 2020-05-09 23:01:58 +00:00			`"f(exec): Passing POST",`
factors: -> stage 2020-05-08 17:46:39 +00:00			`view_class=class_to_path(self.current_stage_view.__class__),`
flows: make sure flow_slug is logged consistently 2020-05-08 14:51:12 +00:00			`flow_slug=self.flow.slug,`
flows: implement planner, start new executor 2020-05-08 12:33:14 +00:00			`)`
factors: -> stage 2020-05-08 17:46:39 +00:00			`return self.current_stage_view.post(request, args, *kwargs)`
flows: implement planner, start new executor 2020-05-08 12:33:14 +00:00
			`def _initiate_plan(self) -> FlowPlan:`
			`planner = FlowPlanner(self.flow)`
			`plan = planner.plan(self.request)`
			`self.request.session[SESSION_KEY_PLAN] = plan`
			`return plan`
flows: complete migration to FlowExecutorView, fully use context 2020-05-08 14:10:27 +00:00
			`def _flow_done(self) -> HttpResponse:`
factors: -> stage 2020-05-08 17:46:39 +00:00			`"""User Successfully passed all stages"""`
flows: complete migration to FlowExecutorView, fully use context 2020-05-08 14:10:27 +00:00			`self.cancel()`
			`next_param = self.request.GET.get(NEXT_ARG_NAME, None)`
			`if next_param and not is_url_absolute(next_param):`
			`return redirect(next_param)`
			`return redirect_with_qs("passbook_core:overview")`

factors: -> stage 2020-05-08 17:46:39 +00:00			`def stage_ok(self) -> HttpResponse:`
			`"""Callback called by stages upon successful completion.`
flows: complete migration to FlowExecutorView, fully use context 2020-05-08 14:10:27 +00:00			`Persists updated plan and context to session."""`
			`LOGGER.debug(`
stages/identification: simplify unittests 2020-05-09 23:01:58 +00:00			`"f(exec): Stage ok",`
factors: -> stage 2020-05-08 17:46:39 +00:00			`stage_class=class_to_path(self.current_stage_view.__class__),`
flows: make sure flow_slug is logged consistently 2020-05-08 14:51:12 +00:00			`flow_slug=self.flow.slug,`
flows: complete migration to FlowExecutorView, fully use context 2020-05-08 14:10:27 +00:00			`)`
flows: enum to django TextChoices 2020-05-09 18:54:56 +00:00			`self.plan.stages.pop(0)`
flows: complete migration to FlowExecutorView, fully use context 2020-05-08 14:10:27 +00:00			`self.request.session[SESSION_KEY_PLAN] = self.plan`
factors: -> stage 2020-05-08 17:46:39 +00:00			`if self.plan.stages:`
flows: complete migration to FlowExecutorView, fully use context 2020-05-08 14:10:27 +00:00			`LOGGER.debug(`
stages/identification: simplify unittests 2020-05-09 23:01:58 +00:00			`"f(exec): Continuing with next stage",`
factors: -> stage 2020-05-08 17:46:39 +00:00			`reamining=len(self.plan.stages),`
flows: make sure flow_slug is logged consistently 2020-05-08 14:51:12 +00:00			`flow_slug=self.flow.slug,`
flows: complete migration to FlowExecutorView, fully use context 2020-05-08 14:10:27 +00:00			`)`
			`return redirect_with_qs(`
			`"passbook_flows:flow-executor", self.request.GET, **self.kwargs`
			`)`
factors: -> stage 2020-05-08 17:46:39 +00:00			`# User passed all stages`
flows: complete migration to FlowExecutorView, fully use context 2020-05-08 14:10:27 +00:00			`LOGGER.debug(`
stages/identification: simplify unittests 2020-05-09 23:01:58 +00:00			`"f(exec): User passed all stages",`
flows: make sure flow_slug is logged consistently 2020-05-08 14:51:12 +00:00			`user=self.plan.context[PLAN_CONTEXT_PENDING_USER],`
			`flow_slug=self.flow.slug,`
flows: complete migration to FlowExecutorView, fully use context 2020-05-08 14:10:27 +00:00			`)`
			`return self._flow_done()`

factors: -> stage 2020-05-08 17:46:39 +00:00			`def stage_invalid(self) -> HttpResponse:`
			`"""Callback used stage when data is correct but a policy denies access`
flows: complete migration to FlowExecutorView, fully use context 2020-05-08 14:10:27 +00:00			`or the user account is disabled."""`
stages/identification: simplify unittests 2020-05-09 23:01:58 +00:00			`LOGGER.debug("f(exec): Stage invalid", flow_slug=self.flow.slug)`
flows: complete migration to FlowExecutorView, fully use context 2020-05-08 14:10:27 +00:00			`self.cancel()`
flows: fix denied view not being registered 2020-05-08 14:50:50 +00:00			`return redirect_with_qs("passbook_flows:denied", self.request.GET)`
flows: complete migration to FlowExecutorView, fully use context 2020-05-08 14:10:27 +00:00
flows: separate final login step from flow executor 2020-05-09 21:19:36 +00:00			`def cancel(self):`
flows: complete migration to FlowExecutorView, fully use context 2020-05-08 14:10:27 +00:00			`"""Cancel current execution and return a redirect"""`
			`del self.request.session[SESSION_KEY_PLAN]`
flows: fix denied view not being registered 2020-05-08 14:50:50 +00:00

			`class FlowPermissionDeniedView(PermissionDeniedView):`
			`"""User could not be authenticated"""`
flows: enum to django TextChoices 2020-05-09 18:54:56 +00:00

			`class ToDefaultFlow(View):`
			`"""Redirect to default flow matching by designation"""`

			`designation: Optional[FlowDesignation] = None`

			`def dispatch(self, request: HttpRequest) -> HttpResponse:`
			`flow = get_object_or_404(Flow, designation=self.designation)`
			`# TODO: Get Flow depending on subdomain?`
			`return redirect_with_qs(`
			`"passbook_flows:flow-executor", request.GET, flow_slug=flow.slug`
			`)`