authentik/passbook/core/models.py

"""passbook core models"""
import re
from logging import getLogger
from random import randrange
from time import sleep
from uuid import uuid4

import reversion
from django.contrib.auth.models import AbstractUser
from django.db import models
from django.utils.translation import gettext as _
from model_utils.managers import InheritanceManager

from passbook.lib.models import CreatedUpdatedModel, UUIDModel

LOGGER = getLogger(__name__)

@reversion.register()
class User(AbstractUser):
    """Custom User model to allow easier adding o f user-based settings"""

    uuid = models.UUIDField(default=uuid4, editable=False)
    sources = models.ManyToManyField('Source', through='UserSourceConnection')
    applications = models.ManyToManyField('Application')

@reversion.register()
class Provider(models.Model):
    """Application-independent Provider instance. For example SAML2 Remote, OAuth2 Application"""

    objects = InheritanceManager()

    # This class defines no field for easier inheritance
    def __str__(self):
        if hasattr(self, 'name'):
            return getattr(self, 'name')
        return super().__str__()

class RuleModel(UUIDModel, CreatedUpdatedModel):
    """Base model which can have rules applied to it"""

    rules = models.ManyToManyField('Rule', blank=True)

    def passes(self, user: User) -> bool:
        """Return true if user passes, otherwise False or raise Exception"""
        for rule in self.rules:
            if not rule.passes(user):
                return False
        return True

@reversion.register()
class Application(RuleModel):
    """Every Application which uses passbook for authentication/identification/authorization
    needs an Application record. Other authentication types can subclass this Model to
    add custom fields and other properties"""

    name = models.TextField()
    launch_url = models.URLField(null=True, blank=True)
    icon_url = models.TextField(null=True, blank=True)
    provider = models.OneToOneField('Provider', null=True,
                                    default=None, on_delete=models.SET_DEFAULT)
    skip_authorization = models.BooleanField(default=False)

    objects = InheritanceManager()

    def user_is_authorized(self, user: User) -> bool:
        """Check if user is authorized to use this application"""
        from passbook.core.rules import RuleEngine
        return RuleEngine(self).for_user(user).result

    def __str__(self):
        return self.name

@reversion.register()
class Source(RuleModel):
    """Base Authentication source, i.e. an OAuth Provider, SAML Remote or LDAP Server"""

    name = models.TextField()
    slug = models.SlugField()
    form = '' # ModelForm-based class ued to create/edit instance
    enabled = models.BooleanField(default=True)

    objects = InheritanceManager()

    def __str__(self):
        return self.name

@reversion.register()
class UserSourceConnection(CreatedUpdatedModel):
    """Connection between User and Source."""

    user = models.ForeignKey(User, on_delete=models.CASCADE)
    source = models.ForeignKey(Source, on_delete=models.CASCADE)

    class Meta:

        unique_together = (('user', 'source'),)

@reversion.register()
class Rule(UUIDModel, CreatedUpdatedModel):
    """Rules which specify if a user is authorized to use an Application. Can be overridden by
    other types to add other fields, more logic, etc."""

    ACTION_ALLOW = 'allow'
    ACTION_DENY = 'deny'
    ACTIONS = (
        (ACTION_ALLOW, ACTION_ALLOW),
        (ACTION_DENY, ACTION_DENY),
    )

    name = models.TextField(blank=True, null=True)
    action = models.CharField(max_length=20, choices=ACTIONS)
    negate = models.BooleanField(default=False)
    order = models.IntegerField(default=0)

    objects = InheritanceManager()

    def __str__(self):
        if self.name:
            return self.name
        return "%s action %s" % (self.name, self.action)

    def passes(self, user: User) -> bool:
        """Check if user instance passes this rule"""
        raise NotImplementedError()

@reversion.register()
class FieldMatcherRule(Rule):
    """Rule which checks if a field of the User model matches/doesn't match a
    certain pattern"""

    MATCH_STARTSWITH = 'startswith'
    MATCH_ENDSWITH = 'endswith'
    MATCH_CONTAINS = 'contains'
    MATCH_REGEXP = 'regexp'
    MATCH_EXACT = 'exact'
    MATCHES = (
        (MATCH_STARTSWITH, _('Starts with')),
        (MATCH_ENDSWITH, _('Ends with')),
        (MATCH_ENDSWITH, _('Contains')),
        (MATCH_REGEXP, _('Regexp')),
        (MATCH_EXACT, _('Exact')),
    )

    user_field = models.TextField()
    match_action = models.CharField(max_length=50, choices=MATCHES)
    value = models.TextField()

    form = 'passbook.core.forms.rules.FieldMatcherRuleForm'

    def __str__(self):
        description = "%s, user.%s %s '%s'" % (self.name, self.user_field,
                                               self.match_action, self.value)
        if self.name:
            description = "%s: %s" % (self.name, description)
        return description

    def passes(self, user: User) -> bool:
        """Check if user instance passes this role"""
        if not hasattr(user, self.user_field):
            raise ValueError("Field does not exist")
        user_field_value = getattr(user, self.user_field, None)
        LOGGER.debug("Checked '%s' %s with '%s'...",
                     user_field_value, self.match_action, self.value)
        passes = False
        if self.match_action == FieldMatcherRule.MATCH_STARTSWITH:
            passes = user_field_value.startswith(self.value)
        if self.match_action == FieldMatcherRule.MATCH_ENDSWITH:
            passes = user_field_value.endswith(self.value)
        if self.match_action == FieldMatcherRule.MATCH_CONTAINS:
            passes = self.value in user_field_value
        if self.match_action == FieldMatcherRule.MATCH_REGEXP:
            pattern = re.compile(self.value)
            passes = bool(pattern.match(user_field_value))
        if self.negate:
            passes = not passes
        LOGGER.debug("User got '%r'", passes)
        return passes

    class Meta:

        verbose_name = _('Field matcher Rule')
        verbose_name_plural = _('Field matcher Rules')

@reversion.register()
class WebhookRule(Rule):
    """Rule that asks webhook"""

    METHOD_GET = 'GET'
    METHOD_POST = 'POST'
    METHOD_PATCH = 'PATCH'
    METHOD_DELETE = 'DELETE'
    METHOD_PUT = 'PUT'

    METHODS = (
        (METHOD_GET, METHOD_GET),
        (METHOD_POST, METHOD_POST),
        (METHOD_PATCH, METHOD_PATCH),
        (METHOD_DELETE, METHOD_DELETE),
        (METHOD_PUT, METHOD_PUT),
    )

    url = models.URLField()
    method = models.CharField(max_length=10, choices=METHODS)
    json_body = models.TextField()
    json_headers = models.TextField()
    result_jsonpath = models.TextField()
    result_json_value = models.TextField()

    form = 'passbook.core.forms.rules.WebhookRuleForm'

    def passes(self, user: User):
        """Call webhook asynchronously and report back"""
        raise NotImplementedError()

    class Meta:

        verbose_name = _('Webhook Rule')
        verbose_name_plural = _('Webhook Rules')

@reversion.register()
class DebugRule(Rule):
    """Rule used for debugging the RuleEngine. Returns a fixed result,
    but takes a random time to process."""

    result = models.BooleanField(default=False)
    wait_min = models.IntegerField(default=5)
    wait_max = models.IntegerField(default=30)

    form = 'passbook.core.forms.rules.DebugRuleForm'

    def passes(self, user: User):
        """Wait random time then return result"""
        wait = randrange(self.wait_min, self.wait_max)
        LOGGER.debug("Rule '%s' waiting for %ds", self.name, wait)
        sleep(wait)
        return self.result

    class Meta:

        verbose_name = _('Debug Rule')
        verbose_name_plural = _('Debug Rules')
add working oauth and ldap client 2018-11-11 12:41:48 +00:00			`"""passbook core models"""`
			`import re`
			`from logging import getLogger`
core: add DebugRule which takes random amount of time to process 2018-12-09 20:06:21 +00:00			`from random import randrange`
			`from time import sleep`
core: add uuid to user, use as sub for OpenID 2018-12-09 20:05:25 +00:00			`from uuid import uuid4`
add working oauth and ldap client 2018-11-11 12:41:48 +00:00
			`import reversion`
			`from django.contrib.auth.models import AbstractUser`
			`from django.db import models`
Admin: add rule admin 2018-11-26 21:08:48 +00:00			`from django.utils.translation import gettext as _`
Many broken things 2018-11-16 08:10:35 +00:00			`from model_utils.managers import InheritanceManager`
add working oauth and ldap client 2018-11-11 12:41:48 +00:00
Many broken things 2018-11-16 08:10:35 +00:00			`from passbook.lib.models import CreatedUpdatedModel, UUIDModel`
add working oauth and ldap client 2018-11-11 12:41:48 +00:00
			`LOGGER = getLogger(__name__)`

			`@reversion.register()`
			`class User(AbstractUser):`
			`"""Custom User model to allow easier adding o f user-based settings"""`

core: add uuid to user, use as sub for OpenID 2018-12-09 20:05:25 +00:00			`uuid = models.UUIDField(default=uuid4, editable=False)`
add working oauth and ldap client 2018-11-11 12:41:48 +00:00			`sources = models.ManyToManyField('Source', through='UserSourceConnection')`
redo models again 2018-11-16 10:41:14 +00:00			`applications = models.ManyToManyField('Application')`

			`@reversion.register()`
			`class Provider(models.Model):`
core: add basic model against which rules can be checked 2018-11-22 12:12:59 +00:00			`"""Application-independent Provider instance. For example SAML2 Remote, OAuth2 Application"""`
redo models again 2018-11-16 10:41:14 +00:00
core: add order to rule 2018-11-25 19:38:49 +00:00			`objects = InheritanceManager()`

redo models again 2018-11-16 10:41:14 +00:00			`# This class defines no field for easier inheritance`
Move skip_authorization to base Provider 2018-11-24 21:26:28 +00:00			`def __str__(self):`
			`if hasattr(self, 'name'):`
			`return getattr(self, 'name')`
			`return super().__str__()`
add working oauth and ldap client 2018-11-11 12:41:48 +00:00
core: add basic model against which rules can be checked 2018-11-22 12:12:59 +00:00			`class RuleModel(UUIDModel, CreatedUpdatedModel):`
			`"""Base model which can have rules applied to it"""`

Move skip_authorization to base Provider 2018-11-24 21:26:28 +00:00			`rules = models.ManyToManyField('Rule', blank=True)`
core: add basic model against which rules can be checked 2018-11-22 12:12:59 +00:00
			`def passes(self, user: User) -> bool:`
			`"""Return true if user passes, otherwise False or raise Exception"""`
			`for rule in self.rules:`
			`if not rule.passes(user):`
			`return False`
			`return True`

add working oauth and ldap client 2018-11-11 12:41:48 +00:00			`@reversion.register()`
core: add basic model against which rules can be checked 2018-11-22 12:12:59 +00:00			`class Application(RuleModel):`
add working oauth and ldap client 2018-11-11 12:41:48 +00:00			`"""Every Application which uses passbook for authentication/identification/authorization`
			`needs an Application record. Other authentication types can subclass this Model to`
			`add custom fields and other properties"""`

			`name = models.TextField()`
			`launch_url = models.URLField(null=True, blank=True)`
			`icon_url = models.TextField(null=True, blank=True)`
core: change provider to one-to-one field 2018-11-25 19:38:37 +00:00			`provider = models.OneToOneField('Provider', null=True,`
			`default=None, on_delete=models.SET_DEFAULT)`
Move skip_authorization to base Provider 2018-11-24 21:26:28 +00:00			`skip_authorization = models.BooleanField(default=False)`
add working oauth and ldap client 2018-11-11 12:41:48 +00:00
Many broken things 2018-11-16 08:10:35 +00:00			`objects = InheritanceManager()`

add working oauth and ldap client 2018-11-11 12:41:48 +00:00			`def user_is_authorized(self, user: User) -> bool:`
			`"""Check if user is authorized to use this application"""`
core: cleanup 2018-12-09 20:07:38 +00:00			`from passbook.core.rules import RuleEngine`
			`return RuleEngine(self).for_user(user).result`
add working oauth and ldap client 2018-11-11 12:41:48 +00:00
			`def __str__(self):`
			`return self.name`

			`@reversion.register()`
core: add basic model against which rules can be checked 2018-11-22 12:12:59 +00:00			`class Source(RuleModel):`
add working oauth and ldap client 2018-11-11 12:41:48 +00:00			`"""Base Authentication source, i.e. an OAuth Provider, SAML Remote or LDAP Server"""`

			`name = models.TextField()`
			`slug = models.SlugField()`
Many broken things 2018-11-16 08:10:35 +00:00			`form = '' # ModelForm-based class ued to create/edit instance`
add working oauth and ldap client 2018-11-11 12:41:48 +00:00			`enabled = models.BooleanField(default=True)`

Many broken things 2018-11-16 08:10:35 +00:00			`objects = InheritanceManager()`

add working oauth and ldap client 2018-11-11 12:41:48 +00:00			`def __str__(self):`
			`return self.name`

			`@reversion.register()`
			`class UserSourceConnection(CreatedUpdatedModel):`
			`"""Connection between User and Source."""`

			`user = models.ForeignKey(User, on_delete=models.CASCADE)`
			`source = models.ForeignKey(Source, on_delete=models.CASCADE)`

			`class Meta:`

			`unique_together = (('user', 'source'),)`

			`@reversion.register()`
core: Remove AppTask Inheritance from Models 2018-11-28 13:01:46 +00:00			`class Rule(UUIDModel, CreatedUpdatedModel):`
add working oauth and ldap client 2018-11-11 12:41:48 +00:00			`"""Rules which specify if a user is authorized to use an Application. Can be overridden by`
			`other types to add other fields, more logic, etc."""`

			`ACTION_ALLOW = 'allow'`
			`ACTION_DENY = 'deny'`
			`ACTIONS = (`
			`(ACTION_ALLOW, ACTION_ALLOW),`
			`(ACTION_DENY, ACTION_DENY),`
			`)`

			`name = models.TextField(blank=True, null=True)`
			`action = models.CharField(max_length=20, choices=ACTIONS)`
			`negate = models.BooleanField(default=False)`
core: add order to rule 2018-11-25 19:38:49 +00:00			`order = models.IntegerField(default=0)`
add working oauth and ldap client 2018-11-11 12:41:48 +00:00
Many broken things 2018-11-16 08:10:35 +00:00			`objects = InheritanceManager()`

add working oauth and ldap client 2018-11-11 12:41:48 +00:00			`def __str__(self):`
			`if self.name:`
			`return self.name`
core: add basic model against which rules can be checked 2018-11-22 12:12:59 +00:00			`return "%s action %s" % (self.name, self.action)`
add working oauth and ldap client 2018-11-11 12:41:48 +00:00
core: add basic model against which rules can be checked 2018-11-22 12:12:59 +00:00			`def passes(self, user: User) -> bool:`
add working oauth and ldap client 2018-11-11 12:41:48 +00:00			`"""Check if user instance passes this rule"""`
			`raise NotImplementedError()`

			`@reversion.register()`
			`class FieldMatcherRule(Rule):`
			`"""Rule which checks if a field of the User model matches/doesn't match a`
			`certain pattern"""`

			`MATCH_STARTSWITH = 'startswith'`
			`MATCH_ENDSWITH = 'endswith'`
			`MATCH_CONTAINS = 'contains'`
			`MATCH_REGEXP = 'regexp'`
			`MATCH_EXACT = 'exact'`
			`MATCHES = (`
Admin: add rule admin 2018-11-26 21:08:48 +00:00			`(MATCH_STARTSWITH, _('Starts with')),`
			`(MATCH_ENDSWITH, _('Ends with')),`
			`(MATCH_ENDSWITH, _('Contains')),`
			`(MATCH_REGEXP, _('Regexp')),`
			`(MATCH_EXACT, _('Exact')),`
add working oauth and ldap client 2018-11-11 12:41:48 +00:00			`)`

			`user_field = models.TextField()`
			`match_action = models.CharField(max_length=50, choices=MATCHES)`
			`value = models.TextField()`

Admin: add rule admin 2018-11-26 21:08:48 +00:00			`form = 'passbook.core.forms.rules.FieldMatcherRuleForm'`

add working oauth and ldap client 2018-11-11 12:41:48 +00:00			`def __str__(self):`
core: add basic model against which rules can be checked 2018-11-22 12:12:59 +00:00			`description = "%s, user.%s %s '%s'" % (self.name, self.user_field,`
			`self.match_action, self.value)`
add working oauth and ldap client 2018-11-11 12:41:48 +00:00			`if self.name:`
			`description = "%s: %s" % (self.name, description)`
			`return description`

core: add basic model against which rules can be checked 2018-11-22 12:12:59 +00:00			`def passes(self, user: User) -> bool:`
add working oauth and ldap client 2018-11-11 12:41:48 +00:00			`"""Check if user instance passes this role"""`
			`if not hasattr(user, self.user_field):`
			`raise ValueError("Field does not exist")`
			`user_field_value = getattr(user, self.user_field, None)`
			`LOGGER.debug("Checked '%s' %s with '%s'...",`
			`user_field_value, self.match_action, self.value)`
			`passes = False`
			`if self.match_action == FieldMatcherRule.MATCH_STARTSWITH:`
			`passes = user_field_value.startswith(self.value)`
			`if self.match_action == FieldMatcherRule.MATCH_ENDSWITH:`
			`passes = user_field_value.endswith(self.value)`
			`if self.match_action == FieldMatcherRule.MATCH_CONTAINS:`
			`passes = self.value in user_field_value`
			`if self.match_action == FieldMatcherRule.MATCH_REGEXP:`
			`pattern = re.compile(self.value)`
core: fix rule engine not working 2018-11-30 13:33:33 +00:00			`passes = bool(pattern.match(user_field_value))`
add working oauth and ldap client 2018-11-11 12:41:48 +00:00			`if self.negate:`
			`passes = not passes`
			`LOGGER.debug("User got '%r'", passes)`
			`return passes`
Admin: add rule admin 2018-11-26 21:08:48 +00:00
			`class Meta:`

			`verbose_name = _('Field matcher Rule')`
			`verbose_name_plural = _('Field matcher Rules')`
core: switch role evaluating to celery worker 2018-11-27 15:23:29 +00:00
core: Add Webhook Rule 2018-11-27 15:23:04 +00:00			`@reversion.register()`
			`class WebhookRule(Rule):`
			`"""Rule that asks webhook"""`

			`METHOD_GET = 'GET'`
			`METHOD_POST = 'POST'`
			`METHOD_PATCH = 'PATCH'`
			`METHOD_DELETE = 'DELETE'`
			`METHOD_PUT = 'PUT'`

			`METHODS = (`
			`(METHOD_GET, METHOD_GET),`
			`(METHOD_POST, METHOD_POST),`
			`(METHOD_PATCH, METHOD_PATCH),`
			`(METHOD_DELETE, METHOD_DELETE),`
			`(METHOD_PUT, METHOD_PUT),`
			`)`

			`url = models.URLField()`
			`method = models.CharField(max_length=10, choices=METHODS)`
			`json_body = models.TextField()`
			`json_headers = models.TextField()`
			`result_jsonpath = models.TextField()`
			`result_json_value = models.TextField()`

			`form = 'passbook.core.forms.rules.WebhookRuleForm'`

			`def passes(self, user: User):`
			`"""Call webhook asynchronously and report back"""`
			`raise NotImplementedError()`

			`class Meta:`

			`verbose_name = _('Webhook Rule')`
			`verbose_name_plural = _('Webhook Rules')`
core: add DebugRule which takes random amount of time to process 2018-12-09 20:06:21 +00:00
			`@reversion.register()`
			`class DebugRule(Rule):`
			`"""Rule used for debugging the RuleEngine. Returns a fixed result,`
			`but takes a random time to process."""`

			`result = models.BooleanField(default=False)`
			`wait_min = models.IntegerField(default=5)`
			`wait_max = models.IntegerField(default=30)`

			`form = 'passbook.core.forms.rules.DebugRuleForm'`

			`def passes(self, user: User):`
			`"""Wait random time then return result"""`
			`wait = randrange(self.wait_min, self.wait_max)`
			`LOGGER.debug("Rule '%s' waiting for %ds", self.name, wait)`
			`sleep(wait)`
			`return self.result`

			`class Meta:`

			`verbose_name = _('Debug Rule')`
			`verbose_name_plural = _('Debug Rules')`