authentik/passbook/core/auth/view.py

"""passbook multi-factor authentication engine"""
from logging import getLogger

from django.contrib.auth import login
from django.contrib.auth.mixins import UserPassesTestMixin
from django.shortcuts import get_object_or_404, redirect, reverse
from django.views.generic import View

from passbook.core.models import Factor, User
from passbook.core.views.utils import PermissionDeniedView
from passbook.lib.utils.reflection import class_to_path, path_to_class
from passbook.lib.utils.urls import is_url_absolute

LOGGER = getLogger(__name__)


class AuthenticationView(UserPassesTestMixin, View):
    """Wizard-like Multi-factor authenticator"""

    SESSION_FACTOR = 'passbook_factor'
    SESSION_PENDING_FACTORS = 'passbook_pending_factors'
    SESSION_PENDING_USER = 'passbook_pending_user'
    SESSION_USER_BACKEND = 'passbook_user_backend'

    pending_user = None
    pending_factors = []

    _current_factor_class = None

    current_factor = None

    # Allow only not authenticated users to login
    def test_func(self):
        return self.request.user.is_authenticated is False

    def handle_no_permission(self):
        # Function from UserPassesTestMixin
        if 'next' in self.request.GET:
            return redirect(self.request.GET.get('next'))
        return redirect(reverse('passbook_core:overview'))

    def dispatch(self, request, *args, **kwargs):
        # Extract pending user from session (only remember uid)
        if AuthenticationView.SESSION_PENDING_USER in request.session:
            self.pending_user = get_object_or_404(
                User, id=self.request.session[AuthenticationView.SESSION_PENDING_USER])
        else:
            # No Pending user, redirect to login screen
            return redirect(reverse('passbook_core:auth-login'))
        # Write pending factors to session
        if AuthenticationView.SESSION_PENDING_FACTORS in request.session:
            self.pending_factors = request.session[AuthenticationView.SESSION_PENDING_FACTORS]
        else:
            # Get an initial list of factors which are currently enabled
            # and apply to the current user. We check policies here and block the request
            _all_factors = Factor.objects.filter(enabled=True).order_by('order').select_subclasses()
            self.pending_factors = []
            for factor in _all_factors:
                if factor.passes(self.pending_user):
                    self.pending_factors.append((factor.uuid.hex, factor.type))
        # Read and instantiate factor from session
        factor_uuid, factor_class = None, None
        if AuthenticationView.SESSION_FACTOR not in request.session:
            # Case when no factors apply to user, return error denied
            if not self.pending_factors:
                return self.user_invalid()
            factor_uuid, factor_class = self.pending_factors[0]
        else:
            factor_uuid, factor_class = request.session[AuthenticationView.SESSION_FACTOR]
        # Lookup current factor object
        self.current_factor = Factor.objects.filter(uuid=factor_uuid).select_subclasses().first()
        # Instantiate Next Factor and pass request
        factor = path_to_class(factor_class)
        self._current_factor_class = factor(self)
        self._current_factor_class.pending_user = self.pending_user
        self._current_factor_class.request = request
        return super().dispatch(request, *args, **kwargs)

    def get(self, request, *args, **kwargs):
        """pass get request to current factor"""
        LOGGER.debug("Passing GET to %s", class_to_path(self._current_factor_class.__class__))
        return self._current_factor_class.get(request, *args, **kwargs)

    def post(self, request, *args, **kwargs):
        """pass post request to current factor"""
        LOGGER.debug("Passing POST to %s", class_to_path(self._current_factor_class.__class__))
        return self._current_factor_class.post(request, *args, **kwargs)

    def user_ok(self):
        """Redirect to next Factor"""
        LOGGER.debug("Factor %s passed", class_to_path(self._current_factor_class.__class__))
        # Remove passed factor from pending factors
        current_factor_tuple = (self.current_factor.uuid.hex,
                                class_to_path(self._current_factor_class.__class__))
        if current_factor_tuple in self.pending_factors:
            self.pending_factors.remove(current_factor_tuple)
        next_factor = None
        if self.pending_factors:
            next_factor = self.pending_factors.pop()
            self.request.session[AuthenticationView.SESSION_PENDING_FACTORS] = \
                self.pending_factors
            self.request.session[AuthenticationView.SESSION_FACTOR] = next_factor
            LOGGER.debug("Rendering Factor is %s", next_factor)
            # return redirect(reverse('passbook_core:auth-process', kwargs={'factor': next_factor}))
            return redirect(reverse('passbook_core:auth-process'))
        # User passed all factors
        LOGGER.debug("User passed all factors, logging in")
        return self._user_passed()

    def user_invalid(self):
        """Show error message, user cannot login.
        This should only be shown if user authenticated successfully, but is disabled/locked/etc"""
        LOGGER.debug("User invalid")
        self._cleanup()
        return redirect(reverse('passbook_core:auth-denied'))

    def _user_passed(self):
        """User Successfully passed all factors"""
        # user = authenticate(request=self.request, )
        backend = self.request.session[AuthenticationView.SESSION_USER_BACKEND]
        login(self.request, self.pending_user, backend=backend)
        LOGGER.debug("Logged in user %s", self.pending_user)
        # Cleanup
        self._cleanup()
        next_param = self.request.GET.get('next', None)
        if next_param and is_url_absolute(next_param):
            return redirect(next_param)
        return redirect(reverse('passbook_core:overview'))

    def _cleanup(self):
        """Remove temporary data from session"""
        session_keys = [self.SESSION_FACTOR, self.SESSION_PENDING_FACTORS,
                        self.SESSION_PENDING_USER, self.SESSION_USER_BACKEND, ]
        for key in session_keys:
            if key in self.request.session:
                del self.request.session[key]
        LOGGER.debug("Cleaned up sessions")

class FactorPermissionDeniedView(PermissionDeniedView):
    """User could not be authenticated"""
core: implement new mfa authentication 2018-12-13 17:02:08 +00:00			`"""passbook multi-factor authentication engine"""`
			`from logging import getLogger`

core: fix mfa, split up into multiple files, move factors to settings 2018-12-14 08:49:34 +00:00			`from django.contrib.auth import login`
core: mfa cleanup session after successful login 2018-12-18 14:34:26 +00:00			`from django.contrib.auth.mixins import UserPassesTestMixin`
core: implement new mfa authentication 2018-12-13 17:02:08 +00:00			`from django.shortcuts import get_object_or_404, redirect, reverse`
core: fix mfa, split up into multiple files, move factors to settings 2018-12-14 08:49:34 +00:00			`from django.views.generic import View`
core: implement new mfa authentication 2018-12-13 17:02:08 +00:00
Move Factor instances to database 2019-02-16 08:52:37 +00:00			`from passbook.core.models import Factor, User`
core,oauth_provider: cleanup templates, add MFA error view 2018-12-14 14:18:02 +00:00			`from passbook.core.views.utils import PermissionDeniedView`
core: fix mfa, split up into multiple files, move factors to settings 2018-12-14 08:49:34 +00:00			`from passbook.lib.utils.reflection import class_to_path, path_to_class`
cleanup, fix Permission Denied when Cancelling login, fix display of messages on login template 2019-02-25 12:02:50 +00:00			`from passbook.lib.utils.urls import is_url_absolute`
core: implement new mfa authentication 2018-12-13 17:02:08 +00:00
			`LOGGER = getLogger(__name__)`

core: mfa cleanup session after successful login 2018-12-18 14:34:26 +00:00
Move Factor instances to database 2019-02-16 08:52:37 +00:00			`class AuthenticationView(UserPassesTestMixin, View):`
core: implement new mfa authentication 2018-12-13 17:02:08 +00:00			`"""Wizard-like Multi-factor authenticator"""`

			`SESSION_FACTOR = 'passbook_factor'`
			`SESSION_PENDING_FACTORS = 'passbook_pending_factors'`
			`SESSION_PENDING_USER = 'passbook_pending_user'`
core: fix mfa, split up into multiple files, move factors to settings 2018-12-14 08:49:34 +00:00			`SESSION_USER_BACKEND = 'passbook_user_backend'`
core: implement new mfa authentication 2018-12-13 17:02:08 +00:00
			`pending_user = None`
			`pending_factors = []`

totp => otp, integrate with factors, new setup form 2019-02-25 11:29:40 +00:00			`_current_factor_class = None`

			`current_factor = None`
core: implement new mfa authentication 2018-12-13 17:02:08 +00:00
core: mfa cleanup session after successful login 2018-12-18 14:34:26 +00:00			`# Allow only not authenticated users to login`
			`def test_func(self):`
			`return self.request.user.is_authenticated is False`

			`def handle_no_permission(self):`
Move Factor instances to database 2019-02-16 08:52:37 +00:00			`# Function from UserPassesTestMixin`
core: mfa cleanup session after successful login 2018-12-18 14:34:26 +00:00			`if 'next' in self.request.GET:`
			`return redirect(self.request.GET.get('next'))`
			`return redirect(reverse('passbook_core:overview'))`

core: implement new mfa authentication 2018-12-13 17:02:08 +00:00			`def dispatch(self, request, args, *kwargs):`
			`# Extract pending user from session (only remember uid)`
Move Factor instances to database 2019-02-16 08:52:37 +00:00			`if AuthenticationView.SESSION_PENDING_USER in request.session:`
core: implement new mfa authentication 2018-12-13 17:02:08 +00:00			`self.pending_user = get_object_or_404(`
Move Factor instances to database 2019-02-16 08:52:37 +00:00			`User, id=self.request.session[AuthenticationView.SESSION_PENDING_USER])`
core: implement new mfa authentication 2018-12-13 17:02:08 +00:00			`else:`
core: mfa cleanup session after successful login 2018-12-18 14:34:26 +00:00			`# No Pending user, redirect to login screen`
			`return redirect(reverse('passbook_core:auth-login'))`
core: implement new mfa authentication 2018-12-13 17:02:08 +00:00			`# Write pending factors to session`
Move Factor instances to database 2019-02-16 08:52:37 +00:00			`if AuthenticationView.SESSION_PENDING_FACTORS in request.session:`
			`self.pending_factors = request.session[AuthenticationView.SESSION_PENDING_FACTORS]`
core: implement new mfa authentication 2018-12-13 17:02:08 +00:00			`else:`
Move Factor instances to database 2019-02-16 08:52:37 +00:00			`# Get an initial list of factors which are currently enabled`
Rule -> Policies 2019-02-16 09:24:31 +00:00			`# and apply to the current user. We check policies here and block the request`
totp => otp, integrate with factors, new setup form 2019-02-25 11:29:40 +00:00			`_all_factors = Factor.objects.filter(enabled=True).order_by('order').select_subclasses()`
Move Factor instances to database 2019-02-16 08:52:37 +00:00			`self.pending_factors = []`
			`for factor in _all_factors:`
			`if factor.passes(self.pending_user):`
totp => otp, integrate with factors, new setup form 2019-02-25 11:29:40 +00:00			`self.pending_factors.append((factor.uuid.hex, factor.type))`
core: fix mfa, split up into multiple files, move factors to settings 2018-12-14 08:49:34 +00:00			`# Read and instantiate factor from session`
totp => otp, integrate with factors, new setup form 2019-02-25 11:29:40 +00:00			`factor_uuid, factor_class = None, None`
Move Factor instances to database 2019-02-16 08:52:37 +00:00			`if AuthenticationView.SESSION_FACTOR not in request.session:`
fix inconsistent naming again 2019-02-16 10:13:00 +00:00			`# Case when no factors apply to user, return error denied`
			`if not self.pending_factors:`
			`return self.user_invalid()`
totp => otp, integrate with factors, new setup form 2019-02-25 11:29:40 +00:00			`factor_uuid, factor_class = self.pending_factors[0]`
core: fix mfa, split up into multiple files, move factors to settings 2018-12-14 08:49:34 +00:00			`else:`
totp => otp, integrate with factors, new setup form 2019-02-25 11:29:40 +00:00			`factor_uuid, factor_class = request.session[AuthenticationView.SESSION_FACTOR]`
			`# Lookup current factor object`
			`self.current_factor = Factor.objects.filter(uuid=factor_uuid).select_subclasses().first()`
Move Factor instances to database 2019-02-16 08:52:37 +00:00			`# Instantiate Next Factor and pass request`
core: fix mfa, split up into multiple files, move factors to settings 2018-12-14 08:49:34 +00:00			`factor = path_to_class(factor_class)`
totp => otp, integrate with factors, new setup form 2019-02-25 11:29:40 +00:00			`self._current_factor_class = factor(self)`
			`self._current_factor_class.pending_user = self.pending_user`
			`self._current_factor_class.request = request`
core: implement new mfa authentication 2018-12-13 17:02:08 +00:00			`return super().dispatch(request, args, *kwargs)`

			`def get(self, request, args, *kwargs):`
			`"""pass get request to current factor"""`
totp => otp, integrate with factors, new setup form 2019-02-25 11:29:40 +00:00			`LOGGER.debug("Passing GET to %s", class_to_path(self._current_factor_class.__class__))`
			`return self._current_factor_class.get(request, args, *kwargs)`
core: implement new mfa authentication 2018-12-13 17:02:08 +00:00
			`def post(self, request, args, *kwargs):`
			`"""pass post request to current factor"""`
totp => otp, integrate with factors, new setup form 2019-02-25 11:29:40 +00:00			`LOGGER.debug("Passing POST to %s", class_to_path(self._current_factor_class.__class__))`
			`return self._current_factor_class.post(request, args, *kwargs)`
core: implement new mfa authentication 2018-12-13 17:02:08 +00:00
			`def user_ok(self):`
			`"""Redirect to next Factor"""`
totp => otp, integrate with factors, new setup form 2019-02-25 11:29:40 +00:00			`LOGGER.debug("Factor %s passed", class_to_path(self._current_factor_class.__class__))`
core: fix mfa, split up into multiple files, move factors to settings 2018-12-14 08:49:34 +00:00			`# Remove passed factor from pending factors`
totp => otp, integrate with factors, new setup form 2019-02-25 11:29:40 +00:00			`current_factor_tuple = (self.current_factor.uuid.hex,`
			`class_to_path(self._current_factor_class.__class__))`
			`if current_factor_tuple in self.pending_factors:`
			`self.pending_factors.remove(current_factor_tuple)`
core: implement new mfa authentication 2018-12-13 17:02:08 +00:00			`next_factor = None`
			`if self.pending_factors:`
			`next_factor = self.pending_factors.pop()`
Move Factor instances to database 2019-02-16 08:52:37 +00:00			`self.request.session[AuthenticationView.SESSION_PENDING_FACTORS] = \`
core: implement new mfa authentication 2018-12-13 17:02:08 +00:00			`self.pending_factors`
Move Factor instances to database 2019-02-16 08:52:37 +00:00			`self.request.session[AuthenticationView.SESSION_FACTOR] = next_factor`
core: fix mfa, split up into multiple files, move factors to settings 2018-12-14 08:49:34 +00:00			`LOGGER.debug("Rendering Factor is %s", next_factor)`
Rules -> Policies, more things 2019-02-21 15:06:57 +00:00			`# return redirect(reverse('passbook_core:auth-process', kwargs={'factor': next_factor}))`
			`return redirect(reverse('passbook_core:auth-process'))`
core: implement new mfa authentication 2018-12-13 17:02:08 +00:00			`# User passed all factors`
			`LOGGER.debug("User passed all factors, logging in")`
core: fix mfa, split up into multiple files, move factors to settings 2018-12-14 08:49:34 +00:00			`return self._user_passed()`
core: implement new mfa authentication 2018-12-13 17:02:08 +00:00
			`def user_invalid(self):`
core: mfa cleanup session after successful login 2018-12-18 14:34:26 +00:00			`"""Show error message, user cannot login.`
			`This should only be shown if user authenticated successfully, but is disabled/locked/etc"""`
core: implement new mfa authentication 2018-12-13 17:02:08 +00:00			`LOGGER.debug("User invalid")`
Rules -> Policies, more things 2019-02-21 15:06:57 +00:00			`self._cleanup()`
Move Factor instances to database 2019-02-16 08:52:37 +00:00			`return redirect(reverse('passbook_core:auth-denied'))`
core: fix mfa, split up into multiple files, move factors to settings 2018-12-14 08:49:34 +00:00
			`def _user_passed(self):`
			`"""User Successfully passed all factors"""`
			`# user = authenticate(request=self.request, )`
Move Factor instances to database 2019-02-16 08:52:37 +00:00			`backend = self.request.session[AuthenticationView.SESSION_USER_BACKEND]`
core: fix mfa, split up into multiple files, move factors to settings 2018-12-14 08:49:34 +00:00			`login(self.request, self.pending_user, backend=backend)`
			`LOGGER.debug("Logged in user %s", self.pending_user)`
core: mfa cleanup session after successful login 2018-12-18 14:34:26 +00:00			`# Cleanup`
			`self._cleanup()`
cleanup, fix Permission Denied when Cancelling login, fix display of messages on login template 2019-02-25 12:02:50 +00:00			`next_param = self.request.GET.get('next', None)`
			`if next_param and is_url_absolute(next_param):`
			`return redirect(next_param)`
core: fix mfa, split up into multiple files, move factors to settings 2018-12-14 08:49:34 +00:00			`return redirect(reverse('passbook_core:overview'))`
core,oauth_provider: cleanup templates, add MFA error view 2018-12-14 14:18:02 +00:00
core: mfa cleanup session after successful login 2018-12-18 14:34:26 +00:00			`def _cleanup(self):`
			`"""Remove temporary data from session"""`
totp => otp, integrate with factors, new setup form 2019-02-25 11:29:40 +00:00			`session_keys = [self.SESSION_FACTOR, self.SESSION_PENDING_FACTORS,`
			`self.SESSION_PENDING_USER, self.SESSION_USER_BACKEND, ]`
core: mfa cleanup session after successful login 2018-12-18 14:34:26 +00:00			`for key in session_keys:`
			`if key in self.request.session:`
			`del self.request.session[key]`
			`LOGGER.debug("Cleaned up sessions")`

fix duplicate Class naming 2019-02-16 09:54:15 +00:00			`class FactorPermissionDeniedView(PermissionDeniedView):`
core,oauth_provider: cleanup templates, add MFA error view 2018-12-14 14:18:02 +00:00			`"""User could not be authenticated"""`