2018-12-13 17:02:08 +00:00
|
|
|
"""passbook multi-factor authentication engine"""
|
2020-05-08 14:10:27 +00:00
|
|
|
from typing import Optional
|
2018-12-13 17:02:08 +00:00
|
|
|
|
2018-12-14 08:49:34 +00:00
|
|
|
from django.contrib.auth import login
|
2020-02-18 15:20:38 +00:00
|
|
|
from django.http import HttpRequest, HttpResponse
|
2020-05-08 14:10:27 +00:00
|
|
|
from django.shortcuts import get_object_or_404, redirect
|
2018-12-14 08:49:34 +00:00
|
|
|
from django.views.generic import View
|
2019-10-01 08:24:10 +00:00
|
|
|
from structlog import get_logger
|
2018-12-13 17:02:08 +00:00
|
|
|
|
2020-05-08 14:10:27 +00:00
|
|
|
from passbook.core.models import Factor
|
2020-05-08 14:50:50 +00:00
|
|
|
from passbook.core.views.utils import PermissionDeniedView
|
2020-05-08 12:33:14 +00:00
|
|
|
from passbook.flows.exceptions import FlowNonApplicableError
|
|
|
|
from passbook.flows.models import Flow
|
2020-05-08 14:10:27 +00:00
|
|
|
from passbook.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan, FlowPlanner
|
2020-02-18 15:20:38 +00:00
|
|
|
from passbook.lib.config import CONFIG
|
2018-12-14 08:49:34 +00:00
|
|
|
from passbook.lib.utils.reflection import class_to_path, path_to_class
|
2020-05-08 14:10:27 +00:00
|
|
|
from passbook.lib.utils.urls import is_url_absolute, redirect_with_qs
|
2020-02-21 14:04:37 +00:00
|
|
|
from passbook.lib.views import bad_request_message
|
2018-12-13 17:02:08 +00:00
|
|
|
|
2019-10-04 08:08:53 +00:00
|
|
|
LOGGER = get_logger()
|
2019-12-31 11:45:29 +00:00
|
|
|
# Argument used to redirect user after login
|
2019-12-31 11:51:16 +00:00
|
|
|
NEXT_ARG_NAME = "next"
|
2020-05-08 14:10:27 +00:00
|
|
|
SESSION_KEY_PLAN = "passbook_flows_plan"
|
2019-12-31 11:45:29 +00:00
|
|
|
|
2018-12-13 17:02:08 +00:00
|
|
|
|
2020-05-08 14:10:27 +00:00
|
|
|
class FlowExecutorView(View):
|
|
|
|
"""Stage 1 Flow executor, passing requests to Factor Views"""
|
2018-12-13 17:02:08 +00:00
|
|
|
|
2020-05-08 14:10:27 +00:00
|
|
|
flow: Flow
|
2019-02-25 11:29:40 +00:00
|
|
|
|
2020-05-08 14:10:27 +00:00
|
|
|
plan: FlowPlan
|
2019-10-01 08:17:39 +00:00
|
|
|
current_factor: Factor
|
2020-05-08 14:10:27 +00:00
|
|
|
current_factor_view: View
|
2018-12-13 17:02:08 +00:00
|
|
|
|
2020-05-08 14:10:27 +00:00
|
|
|
def setup(self, request: HttpRequest, flow_slug: str):
|
|
|
|
super().setup(request, flow_slug=flow_slug)
|
|
|
|
# TODO: Do we always need this?
|
|
|
|
self.flow = get_object_or_404(Flow, slug=flow_slug)
|
2018-12-18 14:34:26 +00:00
|
|
|
|
2020-02-18 15:20:38 +00:00
|
|
|
def _check_config_domain(self) -> Optional[HttpResponse]:
|
|
|
|
"""Checks if current request's domain matches configured Domain, and
|
|
|
|
adds a warning if not."""
|
|
|
|
current_domain = self.request.get_host()
|
2020-02-18 16:05:30 +00:00
|
|
|
if ":" in current_domain:
|
|
|
|
current_domain, _ = current_domain.split(":")
|
2020-02-18 15:20:38 +00:00
|
|
|
config_domain = CONFIG.y("domain")
|
|
|
|
if current_domain != config_domain:
|
|
|
|
message = (
|
|
|
|
f"Current domain of '{current_domain}' doesn't "
|
|
|
|
f"match configured domain of '{config_domain}'."
|
|
|
|
)
|
2020-05-08 14:51:12 +00:00
|
|
|
LOGGER.warning(message, flow_slug=self.flow.slug)
|
2020-02-21 14:04:37 +00:00
|
|
|
return bad_request_message(self.request, message)
|
2020-02-18 15:20:38 +00:00
|
|
|
return None
|
|
|
|
|
2020-05-08 14:10:27 +00:00
|
|
|
def handle_flow_non_applicable(self) -> HttpResponse:
|
|
|
|
"""When a flow is non-applicable check if user is on the correct domain"""
|
2019-10-07 14:33:48 +00:00
|
|
|
if NEXT_ARG_NAME in self.request.GET:
|
|
|
|
return redirect(self.request.GET.get(NEXT_ARG_NAME))
|
2020-05-08 14:10:27 +00:00
|
|
|
incorrect_domain_message = self._check_config_domain()
|
|
|
|
if incorrect_domain_message:
|
|
|
|
return incorrect_domain_message
|
|
|
|
# TODO: Add message
|
|
|
|
return redirect("passbook_core:index")
|
2020-05-08 12:33:14 +00:00
|
|
|
|
|
|
|
def dispatch(self, request: HttpRequest, flow_slug: str) -> HttpResponse:
|
|
|
|
# Early check if theres an active Plan for the current session
|
|
|
|
if SESSION_KEY_PLAN not in self.request.session:
|
|
|
|
LOGGER.debug(
|
|
|
|
"No active Plan found, initiating planner", flow_slug=flow_slug
|
|
|
|
)
|
|
|
|
try:
|
|
|
|
self.plan = self._initiate_plan()
|
|
|
|
except FlowNonApplicableError as exc:
|
|
|
|
LOGGER.warning("Flow not applicable to current user", exc=exc)
|
2020-05-08 14:10:27 +00:00
|
|
|
return self.handle_flow_non_applicable()
|
2020-05-08 12:33:14 +00:00
|
|
|
else:
|
|
|
|
LOGGER.debug("Continuing existing plan", flow_slug=flow_slug)
|
|
|
|
self.plan = self.request.session[SESSION_KEY_PLAN]
|
|
|
|
# We don't save the Plan after getting the next factor
|
|
|
|
# as it hasn't been successfully passed yet
|
|
|
|
self.current_factor = self.plan.next()
|
2020-05-08 14:51:12 +00:00
|
|
|
LOGGER.debug("Current factor", current_factor=self.current_factor, flow_slug=self.flow.slug)
|
2020-05-08 12:33:14 +00:00
|
|
|
factor_cls = path_to_class(self.current_factor.type)
|
|
|
|
self.current_factor_view = factor_cls(self)
|
|
|
|
self.current_factor_view.request = request
|
|
|
|
return super().dispatch(request)
|
|
|
|
|
|
|
|
def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
|
|
|
|
"""pass get request to current factor"""
|
|
|
|
LOGGER.debug(
|
2020-05-08 14:51:12 +00:00
|
|
|
"Passing GET",
|
|
|
|
view_class=class_to_path(self.current_factor_view.__class__),
|
|
|
|
flow_slug=self.flow.slug,
|
2020-05-08 12:33:14 +00:00
|
|
|
)
|
|
|
|
return self.current_factor_view.get(request, *args, **kwargs)
|
|
|
|
|
|
|
|
def post(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
|
|
|
|
"""pass post request to current factor"""
|
|
|
|
LOGGER.debug(
|
|
|
|
"Passing POST",
|
|
|
|
view_class=class_to_path(self.current_factor_view.__class__),
|
2020-05-08 14:51:12 +00:00
|
|
|
flow_slug=self.flow.slug,
|
2020-05-08 12:33:14 +00:00
|
|
|
)
|
|
|
|
return self.current_factor_view.post(request, *args, **kwargs)
|
|
|
|
|
|
|
|
def _initiate_plan(self) -> FlowPlan:
|
|
|
|
planner = FlowPlanner(self.flow)
|
|
|
|
plan = planner.plan(self.request)
|
|
|
|
self.request.session[SESSION_KEY_PLAN] = plan
|
|
|
|
return plan
|
2020-05-08 14:10:27 +00:00
|
|
|
|
|
|
|
def _flow_done(self) -> HttpResponse:
|
|
|
|
"""User Successfully passed all factors"""
|
|
|
|
backend = self.plan.context[PLAN_CONTEXT_PENDING_USER].backend
|
|
|
|
login(
|
|
|
|
self.request, self.plan.context[PLAN_CONTEXT_PENDING_USER], backend=backend
|
|
|
|
)
|
2020-05-08 14:51:12 +00:00
|
|
|
LOGGER.debug(
|
|
|
|
"Logged in",
|
|
|
|
user=self.plan.context[PLAN_CONTEXT_PENDING_USER],
|
|
|
|
flow_slug=self.flow.slug,
|
|
|
|
)
|
2020-05-08 14:10:27 +00:00
|
|
|
self.cancel()
|
|
|
|
next_param = self.request.GET.get(NEXT_ARG_NAME, None)
|
|
|
|
if next_param and not is_url_absolute(next_param):
|
|
|
|
return redirect(next_param)
|
|
|
|
return redirect_with_qs("passbook_core:overview")
|
|
|
|
|
|
|
|
def factor_ok(self) -> HttpResponse:
|
|
|
|
"""Callback called by factors upon successful completion.
|
|
|
|
Persists updated plan and context to session."""
|
|
|
|
LOGGER.debug(
|
2020-05-08 14:51:12 +00:00
|
|
|
"Factor ok",
|
|
|
|
factor_class=class_to_path(self.current_factor_view.__class__),
|
|
|
|
flow_slug=self.flow.slug,
|
2020-05-08 14:10:27 +00:00
|
|
|
)
|
|
|
|
self.request.session[SESSION_KEY_PLAN] = self.plan
|
|
|
|
if self.plan.factors:
|
|
|
|
LOGGER.debug(
|
2020-05-08 14:51:12 +00:00
|
|
|
"Continuing with next factor",
|
|
|
|
reamining=len(self.plan.factors),
|
|
|
|
flow_slug=self.flow.slug,
|
2020-05-08 14:10:27 +00:00
|
|
|
)
|
|
|
|
return redirect_with_qs(
|
|
|
|
"passbook_flows:flow-executor", self.request.GET, **self.kwargs
|
|
|
|
)
|
|
|
|
# User passed all factors
|
|
|
|
LOGGER.debug(
|
2020-05-08 14:51:12 +00:00
|
|
|
"User passed all factors",
|
|
|
|
user=self.plan.context[PLAN_CONTEXT_PENDING_USER],
|
|
|
|
flow_slug=self.flow.slug,
|
2020-05-08 14:10:27 +00:00
|
|
|
)
|
|
|
|
return self._flow_done()
|
|
|
|
|
|
|
|
def factor_invalid(self) -> HttpResponse:
|
|
|
|
"""Callback used factor when data is correct but a policy denies access
|
|
|
|
or the user account is disabled."""
|
2020-05-08 14:51:12 +00:00
|
|
|
LOGGER.debug("User invalid", flow_slug=self.flow.slug)
|
2020-05-08 14:10:27 +00:00
|
|
|
self.cancel()
|
2020-05-08 14:50:50 +00:00
|
|
|
return redirect_with_qs("passbook_flows:denied", self.request.GET)
|
2020-05-08 14:10:27 +00:00
|
|
|
|
|
|
|
def cancel(self) -> HttpResponse:
|
|
|
|
"""Cancel current execution and return a redirect"""
|
|
|
|
del self.request.session[SESSION_KEY_PLAN]
|
2020-05-08 14:50:50 +00:00
|
|
|
return redirect_with_qs("passbook_flows:denied", self.request.GET)
|
|
|
|
|
|
|
|
|
|
|
|
class FlowPermissionDeniedView(PermissionDeniedView):
|
|
|
|
"""User could not be authenticated"""
|