authentik/passbook/providers/proxy/models.py

"""passbook proxy models"""
import string
from random import SystemRandom
from typing import Iterable, Optional, Type
from urllib.parse import urljoin

from django.db import models
from django.forms import ModelForm
from django.http import HttpRequest
from django.utils.translation import gettext as _

from passbook.crypto.models import CertificateKeyPair
from passbook.lib.models import DomainlessURLValidator
from passbook.outposts.models import OutpostModel
from passbook.providers.oauth2.constants import (
    SCOPE_OPENID,
    SCOPE_OPENID_EMAIL,
    SCOPE_OPENID_PROFILE,
)
from passbook.providers.oauth2.models import (
    ClientTypes,
    JWTAlgorithms,
    OAuth2Provider,
    ResponseTypes,
    ScopeMapping,
)

SCOPE_PB_PROXY = "pb_proxy"


def get_cookie_secret():
    """Generate random 32-character string for cookie-secret"""
    return "".join(
        SystemRandom().choice(string.ascii_uppercase + string.digits) for _ in range(32)
    )


def _get_callback_url(uri: str) -> str:
    return urljoin(uri, "/pbprox/callback")


class ProxyProvider(OutpostModel, OAuth2Provider):
    """Protect applications that don't support any of the other
    Protocols by using a Reverse-Proxy."""

    internal_host = models.TextField(
        validators=[DomainlessURLValidator(schemes=("http", "https"))]
    )
    external_host = models.TextField(
        validators=[DomainlessURLValidator(schemes=("http", "https"))]
    )
    internal_host_ssl_validation = models.BooleanField(
        default=True,
        help_text=_("Validate SSL Certificates of upstream servers"),
        verbose_name=_("Internal host SSL Validation"),
    )

    skip_path_regex = models.TextField(
        default="",
        blank=True,
        help_text=_(
            (
                "Regular expressions for which authentication is not required. "
                "Each new line is interpreted as a new Regular Expression."
            )
        ),
    )

    basic_auth_enabled = models.BooleanField(
        default=False,
        verbose_name=_("Set HTTP-Basic Authentication"),
        help_text=_(
            "Set a custom HTTP-Basic Authentication header based on values from passbook."
        ),
    )
    basic_auth_user_attribute = models.TextField(
        blank=True,
        verbose_name=_("HTTP-Basic Username Key"),
        help_text=_(
            (
                "User/Group Attribute used for the user part of the HTTP-Basic Header. "
                "If not set, the user's Email address is used."
            )
        ),
    )
    basic_auth_password_attribute = models.TextField(
        blank=True,
        verbose_name=_("HTTP-Basic Password Key"),
        help_text=_(
            (
                "User/Group Attribute used for the password part of the HTTP-Basic Header."
            )
        ),
    )

    certificate = models.ForeignKey(
        CertificateKeyPair,
        on_delete=models.SET_NULL,
        null=True,
        blank=True,
    )

    cookie_secret = models.TextField(default=get_cookie_secret)

    @property
    def form(self) -> Type[ModelForm]:
        from passbook.providers.proxy.forms import ProxyProviderForm

        return ProxyProviderForm

    @property
    def launch_url(self) -> Optional[str]:
        """Use external_host as launch URL"""
        return self.external_host

    def html_setup_urls(self, request: HttpRequest) -> Optional[str]:
        """Overwrite Setup URLs as they are not needed for proxy"""
        return None

    def set_oauth_defaults(self):
        """Ensure all OAuth2-related settings are correct"""
        self.client_type = ClientTypes.CONFIDENTIAL
        self.response_type = ResponseTypes.CODE
        self.jwt_alg = JWTAlgorithms.RS256
        self.rsa_key = CertificateKeyPair.objects.first()
        scopes = ScopeMapping.objects.filter(
            scope_name__in=[
                SCOPE_OPENID,
                SCOPE_OPENID_PROFILE,
                SCOPE_OPENID_EMAIL,
                SCOPE_PB_PROXY,
            ]
        )
        self.property_mappings.set(scopes)
        self.redirect_uris = "\n".join(
            [
                _get_callback_url(self.external_host),
                _get_callback_url(self.internal_host),
            ]
        )

    def __str__(self):
        return f"Proxy Provider {self.name}"

    def get_required_objects(self) -> Iterable[models.Model]:
        required_models = [self]
        if self.certificate is not None:
            required_models.append(self.certificate)
        return required_models

    class Meta:

        verbose_name = _("Proxy Provider")
        verbose_name_plural = _("Proxy Providers")
OAuth Provider Rewrite (#182) 2020-08-19 08:32:44 +00:00			`"""passbook proxy models"""`
Proxy v2 (#189) 2020-09-02 22:04:12 +00:00			`import string`
			`from random import SystemRandom`
providers/proxy: use external_url for launch URL, hide setup URLs 2020-09-30 09:14:24 +00:00			`from typing import Iterable, Optional, Type`
Proxy v2 (#189) 2020-09-02 22:04:12 +00:00			`from urllib.parse import urljoin`
OAuth Provider Rewrite (#182) 2020-08-19 08:32:44 +00:00
			`from django.db import models`
			`from django.forms import ModelForm`
providers/proxy: use external_url for launch URL, hide setup URLs 2020-09-30 09:14:24 +00:00			`from django.http import HttpRequest`
OAuth Provider Rewrite (#182) 2020-08-19 08:32:44 +00:00			`from django.utils.translation import gettext as _`

Proxy v2 (#189) 2020-09-02 22:04:12 +00:00			`from passbook.crypto.models import CertificateKeyPair`
providers/proxy: add domainless URL Validator 2020-09-13 19:52:34 +00:00			`from passbook.lib.models import DomainlessURLValidator`
Proxy v2 (#189) 2020-09-02 22:04:12 +00:00			`from passbook.outposts.models import OutpostModel`
OAuth Provider Rewrite (#182) 2020-08-19 08:32:44 +00:00			`from passbook.providers.oauth2.constants import (`
			`SCOPE_OPENID,`
			`SCOPE_OPENID_EMAIL,`
			`SCOPE_OPENID_PROFILE,`
			`)`
			`from passbook.providers.oauth2.models import (`
			`ClientTypes,`
			`JWTAlgorithms,`
			`OAuth2Provider,`
			`ResponseTypes,`
			`ScopeMapping,`
			`)`

providers/proxy: add pb_proxy scope for proxy that sends user_attributes 2020-09-30 09:13:59 +00:00			`SCOPE_PB_PROXY = "pb_proxy"`

OAuth Provider Rewrite (#182) 2020-08-19 08:32:44 +00:00
Proxy v2 (#189) 2020-09-02 22:04:12 +00:00			`def get_cookie_secret():`
			`"""Generate random 32-character string for cookie-secret"""`
			`return "".join(`
			`SystemRandom().choice(string.ascii_uppercase + string.digits) for _ in range(32)`
			`)`


			`def _get_callback_url(uri: str) -> str:`
			`return urljoin(uri, "/pbprox/callback")`


			`class ProxyProvider(OutpostModel, OAuth2Provider):`
OAuth Provider Rewrite (#182) 2020-08-19 08:32:44 +00:00			`"""Protect applications that don't support any of the other`
			`Protocols by using a Reverse-Proxy."""`

			`internal_host = models.TextField(`
providers/proxy: add domainless URL Validator 2020-09-13 19:52:34 +00:00			`validators=[DomainlessURLValidator(schemes=("http", "https"))]`
OAuth Provider Rewrite (#182) 2020-08-19 08:32:44 +00:00			`)`
			`external_host = models.TextField(`
providers/proxy: add domainless URL Validator 2020-09-13 19:52:34 +00:00			`validators=[DomainlessURLValidator(schemes=("http", "https"))]`
OAuth Provider Rewrite (#182) 2020-08-19 08:32:44 +00:00			`)`
providers/proxy: make upstream SSL Validation configurable 2020-09-23 10:20:09 +00:00			`internal_host_ssl_validation = models.BooleanField(`
providers/proxy: use external_url for launch URL, hide setup URLs 2020-09-30 09:14:24 +00:00			`default=True,`
			`help_text=_("Validate SSL Certificates of upstream servers"),`
			`verbose_name=_("Internal host SSL Validation"),`
providers/proxy: fix formatting 2020-09-23 10:33:33 +00:00			`)`
Proxy v2 (#189) 2020-09-02 22:04:12 +00:00
providers/proxy: add option to skip authentication for paths matching regular expressions 2020-09-19 09:31:48 +00:00			`skip_path_regex = models.TextField(`
			`default="",`
			`blank=True,`
providers/proxy: fix formatting 2020-09-19 10:21:31 +00:00			`help_text=_(`
			`(`
providers/proxy: make upstream SSL Validation configurable 2020-09-23 10:20:09 +00:00			`"Regular expressions for which authentication is not required. "`
providers/proxy: fix formatting 2020-09-19 10:21:31 +00:00			`"Each new line is interpreted as a new Regular Expression."`
			`)`
			`),`
providers/proxy: add option to skip authentication for paths matching regular expressions 2020-09-19 09:31:48 +00:00			`)`

providers/proxy: start implementing basic_auth_enabled see #244 2020-09-30 09:15:17 +00:00			`basic_auth_enabled = models.BooleanField(`
			`default=False,`
			`verbose_name=_("Set HTTP-Basic Authentication"),`
			`help_text=_(`
			`"Set a custom HTTP-Basic Authentication header based on values from passbook."`
			`),`
			`)`
			`basic_auth_user_attribute = models.TextField(`
			`blank=True,`
providers/proxy: update phrasing for basic_auth_* attributes closes #265 2020-10-07 17:22:30 +00:00			`verbose_name=_("HTTP-Basic Username Key"),`
providers/proxy: start implementing basic_auth_enabled see #244 2020-09-30 09:15:17 +00:00			`help_text=_(`
			`(`
providers/proxy: update phrasing for basic_auth_* attributes closes #265 2020-10-07 17:22:30 +00:00			`"User/Group Attribute used for the user part of the HTTP-Basic Header. "`
providers/proxy: start implementing basic_auth_enabled see #244 2020-09-30 09:15:17 +00:00			`"If not set, the user's Email address is used."`
			`)`
			`),`
			`)`
			`basic_auth_password_attribute = models.TextField(`
			`blank=True,`
providers/proxy: update phrasing for basic_auth_* attributes closes #265 2020-10-07 17:22:30 +00:00			`verbose_name=_("HTTP-Basic Password Key"),`
providers/proxy: start implementing basic_auth_enabled see #244 2020-09-30 09:15:17 +00:00			`help_text=_(`
providers/proxy: update phrasing for basic_auth_* attributes closes #265 2020-10-07 17:22:30 +00:00			`(`
			`"User/Group Attribute used for the password part of the HTTP-Basic Header."`
			`)`
providers/proxy: start implementing basic_auth_enabled see #244 2020-09-30 09:15:17 +00:00			`),`
			`)`

Proxy v2 (#189) 2020-09-02 22:04:12 +00:00			`certificate = models.ForeignKey(`
*: apply new black styling 2020-09-30 17:34:22 +00:00			`CertificateKeyPair,`
			`on_delete=models.SET_NULL,`
			`null=True,`
			`blank=True,`
Proxy v2 (#189) 2020-09-02 22:04:12 +00:00			`)`

providers/proxy: make upstream SSL Validation configurable 2020-09-23 10:20:09 +00:00			`cookie_secret = models.TextField(default=get_cookie_secret)`

policies: change .form() and .serializer() to properties, add tests 2020-09-29 08:32:41 +00:00			`@property`
OAuth Provider Rewrite (#182) 2020-08-19 08:32:44 +00:00			`def form(self) -> Type[ModelForm]:`
			`from passbook.providers.proxy.forms import ProxyProviderForm`

			`return ProxyProviderForm`

providers/proxy: use external_url for launch URL, hide setup URLs 2020-09-30 09:14:24 +00:00			`@property`
			`def launch_url(self) -> Optional[str]:`
			`"""Use external_host as launch URL"""`
			`return self.external_host`

			`def html_setup_urls(self, request: HttpRequest) -> Optional[str]:`
			`"""Overwrite Setup URLs as they are not needed for proxy"""`
			`return None`

OAuth Provider Rewrite (#182) 2020-08-19 08:32:44 +00:00			`def set_oauth_defaults(self):`
			`"""Ensure all OAuth2-related settings are correct"""`
			`self.client_type = ClientTypes.CONFIDENTIAL`
			`self.response_type = ResponseTypes.CODE`
Proxy v2 (#189) 2020-09-02 22:04:12 +00:00			`self.jwt_alg = JWTAlgorithms.RS256`
			`self.rsa_key = CertificateKeyPair.objects.first()`
OAuth Provider Rewrite (#182) 2020-08-19 08:32:44 +00:00			`scopes = ScopeMapping.objects.filter(`
providers/proxy: add pb_proxy scope for proxy that sends user_attributes 2020-09-30 09:13:59 +00:00			`scope_name__in=[`
			`SCOPE_OPENID,`
			`SCOPE_OPENID_PROFILE,`
			`SCOPE_OPENID_EMAIL,`
			`SCOPE_PB_PROXY,`
			`]`
OAuth Provider Rewrite (#182) 2020-08-19 08:32:44 +00:00			`)`
			`self.property_mappings.set(scopes)`
			`self.redirect_uris = "\n".join(`
			`[`
Proxy v2 (#189) 2020-09-02 22:04:12 +00:00			`_get_callback_url(self.external_host),`
			`_get_callback_url(self.internal_host),`
OAuth Provider Rewrite (#182) 2020-08-19 08:32:44 +00:00			`]`
			`)`

			`def __str__(self):`
Proxy v2 (#189) 2020-09-02 22:04:12 +00:00			`return f"Proxy Provider {self.name}"`

			`def get_required_objects(self) -> Iterable[models.Model]:`
			`required_models = [self]`
			`if self.certificate is not None:`
			`required_models.append(self.certificate)`
			`return required_models`
OAuth Provider Rewrite (#182) 2020-08-19 08:32:44 +00:00
			`class Meta:`

			`verbose_name = _("Proxy Provider")`
			`verbose_name_plural = _("Proxy Providers")`