authentik/passbook/flows/models.py

"""Flow models"""
from typing import Callable, Optional
from uuid import uuid4

from django.db import models
from django.http import HttpRequest
from django.utils.translation import gettext_lazy as _
from model_utils.managers import InheritanceManager
from structlog import get_logger

from passbook.core.types import UIUserSettings
from passbook.lib.utils.reflection import class_to_path
from passbook.policies.models import PolicyBindingModel

LOGGER = get_logger()


class FlowDesignation(models.TextChoices):
    """Designation of what a Flow should be used for. At a later point, this
    should be replaced by a database entry."""

    AUTHENTICATION = "authentication"
    AUTHORIZATION = "authorization"
    INVALIDATION = "invalidation"
    ENROLLMENT = "enrollment"
    UNRENOLLMENT = "unenrollment"
    RECOVERY = "recovery"
    STAGE_SETUP = "stage_setup"


class Stage(models.Model):
    """Stage is an instance of a component used in a flow. This can verify the user,
    enroll the user or offer a way of recovery"""

    stage_uuid = models.UUIDField(primary_key=True, editable=False, default=uuid4)

    name = models.TextField()

    objects = InheritanceManager()
    type = ""
    form = ""

    @property
    def ui_user_settings(self) -> Optional[UIUserSettings]:
        """Entrypoint to integrate with User settings. Can either return None if no
        user settings are available, or an instanace of UIUserSettings."""
        return None

    def __str__(self):
        return f"Stage {self.name}"


def in_memory_stage(_type: Callable) -> Stage:
    """Creates an in-memory stage instance, based on a `_type` as view."""
    class_path = class_to_path(_type)
    stage = Stage()
    stage.type = class_path
    return stage


class Flow(PolicyBindingModel):
    """Flow describes how a series of Stages should be executed to authenticate/enroll/recover
    a user. Additionally, policies can be applied, to specify which users
    have access to this flow."""

    flow_uuid = models.UUIDField(primary_key=True, editable=False, default=uuid4)

    name = models.TextField()
    slug = models.SlugField(unique=True)

    designation = models.CharField(max_length=100, choices=FlowDesignation.choices)

    stages = models.ManyToManyField(Stage, through="FlowStageBinding", blank=True)

    pbm = models.OneToOneField(
        PolicyBindingModel, parent_link=True, on_delete=models.CASCADE, related_name="+"
    )

    @staticmethod
    def with_policy(request: HttpRequest, **flow_filter) -> Optional["Flow"]:
        """Get a Flow by `**flow_filter` and check if the request from `request` can access it."""
        from passbook.policies.engine import PolicyEngine

        flows = Flow.objects.filter(**flow_filter)
        for flow in flows:
            engine = PolicyEngine(flow, request.user, request)
            engine.build()
            result = engine.result
            if result.passing:
                LOGGER.debug("with_policy: flow passing", flow=flow)
                return flow
            LOGGER.warning(
                "with_policy: flow not passing", flow=flow, messages=result.messages
            )
        LOGGER.debug("with_policy: no flow found", filters=flow_filter)
        return None

    def related_flow(self, designation: str, request: HttpRequest) -> Optional["Flow"]:
        """Get a related flow with `designation`. Currently this only queries
        Flows by `designation`, but will eventually use `self` for related lookups."""
        return Flow.with_policy(request, designation=designation)

    def __str__(self) -> str:
        return f"Flow {self.name} ({self.slug})"

    class Meta:

        verbose_name = _("Flow")
        verbose_name_plural = _("Flows")


class FlowStageBinding(PolicyBindingModel):
    """Relationship between Flow and Stage. Order is required and unique for
    each flow-stage Binding. Additionally, policies can be specified, which determine if
    this Binding applies to the current user"""

    fsb_uuid = models.UUIDField(primary_key=True, editable=False, default=uuid4)

    flow = models.ForeignKey("Flow", on_delete=models.CASCADE)
    stage = models.ForeignKey(Stage, on_delete=models.CASCADE)

    re_evaluate_policies = models.BooleanField(
        default=False,
        help_text=_(
            "When this option is enabled, the planner will re-evaluate policies bound to this."
        ),
    )

    order = models.IntegerField()

    objects = InheritanceManager()

    def __str__(self) -> str:
        return f"Flow Stage Binding #{self.order} {self.flow} -> {self.stage}"

    class Meta:

        ordering = ["order", "flow"]

        verbose_name = _("Flow Stage Binding")
        verbose_name_plural = _("Flow Stage Bindings")
        unique_together = (("flow", "stage", "order"),)
flows/*: Initial flows stage1 implementation 2020-05-07 18:51:06 +00:00			`"""Flow models"""`
WIP Use Flows for Sources and Providers (#32) * core: start migrating to flows for authorisation * sources/oauth: start type-hinting * core: create default user * core: only show user delete button if an unenrollment flow exists * flows: Correctly check initial policies on flow with context * policies: add more verbosity to engine * sources/oauth: migrate to flows * sources/oauth: fix typing errors * flows: add more tests * sources/oauth: start implementing unittests * sources/ldap: add option to disable user sync, move connection init to model * sources/ldap: re-add default PropertyMappings * providers/saml: re-add default PropertyMappings * admin: fix missing stage count * stages/identification: fix sources not being shown * crypto: fix being unable to save with private key * crypto: re-add default self-signed keypair * policies: rewrite cache_key to prevent wrong cache * sources/saml: migrate to flows for auth and enrollment * stages/consent: add new stage * admin: fix PropertyMapping widget not rendering properly * core: provider.authorization_flow is mandatory * flows: add support for "autosubmit" attribute on form * flows: add InMemoryStage for dynamic stages * flows: optionally allow empty flows from FlowPlanner * providers/saml: update to authorization_flow * sources/: fix flow executor URL flows: fix pylint error * flows: wrap responses in JSON object to easily handle redirects * flow: dont cache plan's context * providers/oauth: rewrite OAuth2 Provider to use flows * providers/: update docstrings of models core: fix forms not passing help_text through safe * flows: fix HttpResponses not being converted to JSON * providers/oidc: rewrite to use flows * flows: fix linting 2020-06-07 14:35:08 +00:00			`from typing import Callable, Optional`
migrate to per-model UUID Primary key, remove UUIDModel (#26) * : migrate to per-model UUID Primary key, remove UUIDModel *: fix import order, fix unittests 2020-05-20 07:17:06 +00:00			`from uuid import uuid4`
flows/*: Initial flows stage1 implementation 2020-05-07 18:51:06 +00:00
			`from django.db import models`
flows: Correctly check initial policies on flow with context # Conflicts: # passbook/flows/planner.py # passbook/flows/tests/test_planner.py # passbook/flows/tests/test_views.py # passbook/flows/views.py 2020-05-23 18:23:09 +00:00			`from django.http import HttpRequest`
flows/*: Initial flows stage1 implementation 2020-05-07 18:51:06 +00:00			`from django.utils.translation import gettext_lazy as _`
factors: -> stage 2020-05-08 17:46:39 +00:00			`from model_utils.managers import InheritanceManager`
flows: Correctly check initial policies on flow with context # Conflicts: # passbook/flows/planner.py # passbook/flows/tests/test_planner.py # passbook/flows/tests/test_views.py # passbook/flows/views.py 2020-05-23 18:23:09 +00:00			`from structlog import get_logger`
flows/*: Initial flows stage1 implementation 2020-05-07 18:51:06 +00:00
factors: -> stage 2020-05-08 17:46:39 +00:00			`from passbook.core.types import UIUserSettings`
WIP Use Flows for Sources and Providers (#32) * core: start migrating to flows for authorisation * sources/oauth: start type-hinting * core: create default user * core: only show user delete button if an unenrollment flow exists * flows: Correctly check initial policies on flow with context * policies: add more verbosity to engine * sources/oauth: migrate to flows * sources/oauth: fix typing errors * flows: add more tests * sources/oauth: start implementing unittests * sources/ldap: add option to disable user sync, move connection init to model * sources/ldap: re-add default PropertyMappings * providers/saml: re-add default PropertyMappings * admin: fix missing stage count * stages/identification: fix sources not being shown * crypto: fix being unable to save with private key * crypto: re-add default self-signed keypair * policies: rewrite cache_key to prevent wrong cache * sources/saml: migrate to flows for auth and enrollment * stages/consent: add new stage * admin: fix PropertyMapping widget not rendering properly * core: provider.authorization_flow is mandatory * flows: add support for "autosubmit" attribute on form * flows: add InMemoryStage for dynamic stages * flows: optionally allow empty flows from FlowPlanner * providers/saml: update to authorization_flow * sources/: fix flow executor URL flows: fix pylint error * flows: wrap responses in JSON object to easily handle redirects * flow: dont cache plan's context * providers/oauth: rewrite OAuth2 Provider to use flows * providers/: update docstrings of models core: fix forms not passing help_text through safe * flows: fix HttpResponses not being converted to JSON * providers/oidc: rewrite to use flows * flows: fix linting 2020-06-07 14:35:08 +00:00			`from passbook.lib.utils.reflection import class_to_path`
flows/*: Initial flows stage1 implementation 2020-05-07 18:51:06 +00:00			`from passbook.policies.models import PolicyBindingModel`

flows: Correctly check initial policies on flow with context # Conflicts: # passbook/flows/planner.py # passbook/flows/tests/test_planner.py # passbook/flows/tests/test_views.py # passbook/flows/views.py 2020-05-23 18:23:09 +00:00			`LOGGER = get_logger()`

flows/*: Initial flows stage1 implementation 2020-05-07 18:51:06 +00:00
flows: enum to django TextChoices 2020-05-09 18:54:56 +00:00			`class FlowDesignation(models.TextChoices):`
flows/*: Initial flows stage1 implementation 2020-05-07 18:51:06 +00:00			`"""Designation of what a Flow should be used for. At a later point, this`
			`should be replaced by a database entry."""`

			`AUTHENTICATION = "authentication"`
WIP Use Flows for Sources and Providers (#32) * core: start migrating to flows for authorisation * sources/oauth: start type-hinting * core: create default user * core: only show user delete button if an unenrollment flow exists * flows: Correctly check initial policies on flow with context * policies: add more verbosity to engine * sources/oauth: migrate to flows * sources/oauth: fix typing errors * flows: add more tests * sources/oauth: start implementing unittests * sources/ldap: add option to disable user sync, move connection init to model * sources/ldap: re-add default PropertyMappings * providers/saml: re-add default PropertyMappings * admin: fix missing stage count * stages/identification: fix sources not being shown * crypto: fix being unable to save with private key * crypto: re-add default self-signed keypair * policies: rewrite cache_key to prevent wrong cache * sources/saml: migrate to flows for auth and enrollment * stages/consent: add new stage * admin: fix PropertyMapping widget not rendering properly * core: provider.authorization_flow is mandatory * flows: add support for "autosubmit" attribute on form * flows: add InMemoryStage for dynamic stages * flows: optionally allow empty flows from FlowPlanner * providers/saml: update to authorization_flow * sources/: fix flow executor URL flows: fix pylint error * flows: wrap responses in JSON object to easily handle redirects * flow: dont cache plan's context * providers/oauth: rewrite OAuth2 Provider to use flows * providers/: update docstrings of models core: fix forms not passing help_text through safe * flows: fix HttpResponses not being converted to JSON * providers/oidc: rewrite to use flows * flows: fix linting 2020-06-07 14:35:08 +00:00			`AUTHORIZATION = "authorization"`
stages/user_delete: add user delete stage, remove view from core 2020-05-12 12:50:00 +00:00			`INVALIDATION = "invalidation"`
flows/*: Initial flows stage1 implementation 2020-05-07 18:51:06 +00:00			`ENROLLMENT = "enrollment"`
stages/user_delete: add user delete stage, remove view from core 2020-05-12 12:50:00 +00:00			`UNRENOLLMENT = "unenrollment"`
flows/*: Initial flows stage1 implementation 2020-05-07 18:51:06 +00:00			`RECOVERY = "recovery"`
flows: remove generic "password change" designation and add setup_stage 2020-06-29 09:12:30 +00:00			`STAGE_SETUP = "stage_setup"`
flows/*: Initial flows stage1 implementation 2020-05-07 18:51:06 +00:00

migrate to per-model UUID Primary key, remove UUIDModel (#26) * : migrate to per-model UUID Primary key, remove UUIDModel *: fix import order, fix unittests 2020-05-20 07:17:06 +00:00			`class Stage(models.Model):`
factors: -> stage 2020-05-08 17:46:39 +00:00			`"""Stage is an instance of a component used in a flow. This can verify the user,`
			`enroll the user or offer a way of recovery"""`

migrate to per-model UUID Primary key, remove UUIDModel (#26) * : migrate to per-model UUID Primary key, remove UUIDModel *: fix import order, fix unittests 2020-05-20 07:17:06 +00:00			`stage_uuid = models.UUIDField(primary_key=True, editable=False, default=uuid4)`

factors: -> stage 2020-05-08 17:46:39 +00:00			`name = models.TextField()`

			`objects = InheritanceManager()`
			`type = ""`
			`form = ""`

			`@property`
			`def ui_user_settings(self) -> Optional[UIUserSettings]:`
			`"""Entrypoint to integrate with User settings. Can either return None if no`
			`user settings are available, or an instanace of UIUserSettings."""`
			`return None`

			`def __str__(self):`
			`return f"Stage {self.name}"`


WIP Use Flows for Sources and Providers (#32) * core: start migrating to flows for authorisation * sources/oauth: start type-hinting * core: create default user * core: only show user delete button if an unenrollment flow exists * flows: Correctly check initial policies on flow with context * policies: add more verbosity to engine * sources/oauth: migrate to flows * sources/oauth: fix typing errors * flows: add more tests * sources/oauth: start implementing unittests * sources/ldap: add option to disable user sync, move connection init to model * sources/ldap: re-add default PropertyMappings * providers/saml: re-add default PropertyMappings * admin: fix missing stage count * stages/identification: fix sources not being shown * crypto: fix being unable to save with private key * crypto: re-add default self-signed keypair * policies: rewrite cache_key to prevent wrong cache * sources/saml: migrate to flows for auth and enrollment * stages/consent: add new stage * admin: fix PropertyMapping widget not rendering properly * core: provider.authorization_flow is mandatory * flows: add support for "autosubmit" attribute on form * flows: add InMemoryStage for dynamic stages * flows: optionally allow empty flows from FlowPlanner * providers/saml: update to authorization_flow * sources/: fix flow executor URL flows: fix pylint error * flows: wrap responses in JSON object to easily handle redirects * flow: dont cache plan's context * providers/oauth: rewrite OAuth2 Provider to use flows * providers/: update docstrings of models core: fix forms not passing help_text through safe * flows: fix HttpResponses not being converted to JSON * providers/oidc: rewrite to use flows * flows: fix linting 2020-06-07 14:35:08 +00:00			`def in_memory_stage(_type: Callable) -> Stage:`
			"""Creates an in-memory stage instance, based on a `_type` as view."""
			`class_path = class_to_path(_type)`
			`stage = Stage()`
			`stage.type = class_path`
			`return stage`


migrate to per-model UUID Primary key, remove UUIDModel (#26) * : migrate to per-model UUID Primary key, remove UUIDModel *: fix import order, fix unittests 2020-05-20 07:17:06 +00:00			`class Flow(PolicyBindingModel):`
factors: -> stage 2020-05-08 17:46:39 +00:00			`"""Flow describes how a series of Stages should be executed to authenticate/enroll/recover`
flows/*: Initial flows stage1 implementation 2020-05-07 18:51:06 +00:00			`a user. Additionally, policies can be applied, to specify which users`
			`have access to this flow."""`

migrate to per-model UUID Primary key, remove UUIDModel (#26) * : migrate to per-model UUID Primary key, remove UUIDModel *: fix import order, fix unittests 2020-05-20 07:17:06 +00:00			`flow_uuid = models.UUIDField(primary_key=True, editable=False, default=uuid4)`

flows/*: Initial flows stage1 implementation 2020-05-07 18:51:06 +00:00			`name = models.TextField()`
			`slug = models.SlugField(unique=True)`

flows: enum to django TextChoices 2020-05-09 18:54:56 +00:00			`designation = models.CharField(max_length=100, choices=FlowDesignation.choices)`
flows/*: Initial flows stage1 implementation 2020-05-07 18:51:06 +00:00
factors: -> stage 2020-05-08 17:46:39 +00:00			`stages = models.ManyToManyField(Stage, through="FlowStageBinding", blank=True)`
flows/*: Initial flows stage1 implementation 2020-05-07 18:51:06 +00:00
			`pbm = models.OneToOneField(`
			`PolicyBindingModel, parent_link=True, on_delete=models.CASCADE, related_name="+"`
			`)`

flows: Correctly check initial policies on flow with context # Conflicts: # passbook/flows/planner.py # passbook/flows/tests/test_planner.py # passbook/flows/tests/test_views.py # passbook/flows/views.py 2020-05-23 18:23:09 +00:00			`@staticmethod`
			`def with_policy(request: HttpRequest, **flow_filter) -> Optional["Flow"]:`
			"""Get a Flow by `**flow_filter` and check if the request from `request` can access it."""
			`from passbook.policies.engine import PolicyEngine`

			`flows = Flow.objects.filter(**flow_filter)`
			`for flow in flows:`
			`engine = PolicyEngine(flow, request.user, request)`
			`engine.build()`
			`result = engine.result`
			`if result.passing:`
			`LOGGER.debug("with_policy: flow passing", flow=flow)`
			`return flow`
			`LOGGER.warning(`
			`"with_policy: flow not passing", flow=flow, messages=result.messages`
			`)`
			`LOGGER.debug("with_policy: no flow found", filters=flow_filter)`
			`return None`

			`def related_flow(self, designation: str, request: HttpRequest) -> Optional["Flow"]:`
stages/identification: show sign up url when related flow exists 2020-05-10 16:14:10 +00:00			"""Get a related flow with `designation`. Currently this only queries
			Flows by `designation`, but will eventually use `self` for related lookups."""
flows: Correctly check initial policies on flow with context # Conflicts: # passbook/flows/planner.py # passbook/flows/tests/test_planner.py # passbook/flows/tests/test_views.py # passbook/flows/views.py 2020-05-23 18:23:09 +00:00			`return Flow.with_policy(request, designation=designation)`
stages/identification: show sign up url when related flow exists 2020-05-10 16:14:10 +00:00
flows/*: Initial flows stage1 implementation 2020-05-07 18:51:06 +00:00			`def __str__(self) -> str:`
			`return f"Flow {self.name} ({self.slug})"`

			`class Meta:`

			`verbose_name = _("Flow")`
			`verbose_name_plural = _("Flows")`


migrate to per-model UUID Primary key, remove UUIDModel (#26) * : migrate to per-model UUID Primary key, remove UUIDModel *: fix import order, fix unittests 2020-05-20 07:17:06 +00:00			`class FlowStageBinding(PolicyBindingModel):`
factors: -> stage 2020-05-08 17:46:39 +00:00			`"""Relationship between Flow and Stage. Order is required and unique for`
			`each flow-stage Binding. Additionally, policies can be specified, which determine if`
flows/*: Initial flows stage1 implementation 2020-05-07 18:51:06 +00:00			`this Binding applies to the current user"""`

migrate to per-model UUID Primary key, remove UUIDModel (#26) * : migrate to per-model UUID Primary key, remove UUIDModel *: fix import order, fix unittests 2020-05-20 07:17:06 +00:00			`fsb_uuid = models.UUIDField(primary_key=True, editable=False, default=uuid4)`

flows/*: Initial flows stage1 implementation 2020-05-07 18:51:06 +00:00			`flow = models.ForeignKey("Flow", on_delete=models.CASCADE)`
factors: -> stage 2020-05-08 17:46:39 +00:00			`stage = models.ForeignKey(Stage, on_delete=models.CASCADE)`
flows/*: Initial flows stage1 implementation 2020-05-07 18:51:06 +00:00
flows/: more migration progress, consolidate views 2020-05-07 19:30:52 +00:00			`re_evaluate_policies = models.BooleanField(`
			`default=False,`
			`help_text=_(`
			`"When this option is enabled, the planner will re-evaluate policies bound to this."`
			`),`
			`)`

flows/*: Initial flows stage1 implementation 2020-05-07 18:51:06 +00:00			`order = models.IntegerField()`

admin: add flow-stage-bindings, add policy-bindings, add prompts 2020-05-16 17:55:59 +00:00			`objects = InheritanceManager()`

flows/*: Initial flows stage1 implementation 2020-05-07 18:51:06 +00:00			`def __str__(self) -> str:`
factors: -> stage 2020-05-08 17:46:39 +00:00			`return f"Flow Stage Binding #{self.order} {self.flow} -> {self.stage}"`
flows/*: Initial flows stage1 implementation 2020-05-07 18:51:06 +00:00
			`class Meta:`

flows: implement planner, start new executor 2020-05-08 12:33:14 +00:00			`ordering = ["order", "flow"]`

factors: -> stage 2020-05-08 17:46:39 +00:00			`verbose_name = _("Flow Stage Binding")`
			`verbose_name_plural = _("Flow Stage Bindings")`
			`unique_together = (("flow", "stage", "order"),)`