authentik/passbook/core/policies.py

"""passbook core policy engine"""
from logging import getLogger

from celery import group
from django.http import HttpRequest

from passbook.core.celery import CELERY_APP
from passbook.core.models import Policy, User

LOGGER = getLogger(__name__)


def get_remote_ip(request: HttpRequest) -> str:
    """Return the remote's IP"""
    if not request:
        return '0.0.0.0'  # nosec
    if request.META.get('HTTP_X_FORWARDED_FOR'):
        return request.META.get('HTTP_X_FORWARDED_FOR')
    return request.META.get('REMOTE_ADDR')

@CELERY_APP.task()
def _policy_engine_task(user_pk, policy_pk, **kwargs):
    """Task wrapper to run policy checking"""
    policy_obj = Policy.objects.filter(pk=policy_pk).select_subclasses().first()
    user_obj = User.objects.get(pk=user_pk)
    for key, value in kwargs.items():
        setattr(user_obj, key, value)
    LOGGER.debug("Running policy `%s`#%s for user %s...", policy_obj.name,
                 policy_obj.pk.hex, user_obj)
    policy_result = policy_obj.passes(user_obj)
    # Handle policy result correctly if result, message or just result
    message = None
    if isinstance(policy_result, (tuple, list)):
        policy_result, message = policy_result
    # Invert result if policy.negate is set
    if policy_obj.negate:
        policy_result = not policy_result
    LOGGER.debug("Policy %r#%s got %s", policy_obj.name, policy_obj.pk.hex, policy_result)
    return policy_obj.action, policy_result, message

class PolicyEngine:
    """Orchestrate policy checking, launch tasks and return result"""

    policies = None
    _group = None
    _request = None
    _user = None

    def __init__(self, policies):
        self.policies = policies
        self._request = None
        self._user = None

    def for_user(self, user):
        """Check policies for user"""
        self._user = user
        return self

    def with_request(self, request):
        """Set request"""
        self._request = request
        return self

    def build(self):
        """Build task group"""
        signatures = []
        kwargs = {
            '__password__': getattr(self._user, '__password__', None),
            'remote_ip': get_remote_ip(self._request)
        }
        for policy in self.policies:
            signatures.append(_policy_engine_task.s(self._user.pk, policy.pk.hex, **kwargs))
        self._group = group(signatures)()
        return self

    @property
    def result(self):
        """Get policy-checking result"""
        messages = []
        for policy_action, policy_result, policy_message in self._group.get():
            passing = (policy_action == Policy.ACTION_ALLOW and policy_result) or \
                      (policy_action == Policy.ACTION_DENY and not policy_result)
            if policy_message:
                messages.append(policy_message)
            if not passing:
                return False, messages
        return True, messages
Rule -> Policies 2019-02-16 09:24:31 +00:00			`"""passbook core policy engine"""`
			`from logging import getLogger`

			`from celery import group`
create suspicious request detector and policy, add request to policy engine 2019-03-03 19:26:25 +00:00			`from django.http import HttpRequest`
Rule -> Policies 2019-02-16 09:24:31 +00:00
			`from passbook.core.celery import CELERY_APP`
			`from passbook.core.models import Policy, User`

			`LOGGER = getLogger(__name__)`

create suspicious request detector and policy, add request to policy engine 2019-03-03 19:26:25 +00:00
			`def get_remote_ip(request: HttpRequest) -> str:`
			`"""Return the remote's IP"""`
			`if not request:`
			`return '0.0.0.0' # nosec`
			`if request.META.get('HTTP_X_FORWARDED_FOR'):`
			`return request.META.get('HTTP_X_FORWARDED_FOR')`
			`return request.META.get('REMOTE_ADDR')`

Rule -> Policies 2019-02-16 09:24:31 +00:00			`@CELERY_APP.task()`
			`def _policy_engine_task(user_pk, policy_pk, **kwargs):`
			`"""Task wrapper to run policy checking"""`
			`policy_obj = Policy.objects.filter(pk=policy_pk).select_subclasses().first()`
			`user_obj = User.objects.get(pk=user_pk)`
			`for key, value in kwargs.items():`
			`setattr(user_obj, key, value)`
			LOGGER.debug("Running policy `%s`#%s for user %s...", policy_obj.name,
			`policy_obj.pk.hex, user_obj)`
Better handle Policy.action and Policy.negate 2019-03-03 16:12:53 +00:00			`policy_result = policy_obj.passes(user_obj)`
			`# Handle policy result correctly if result, message or just result`
			`message = None`
			`if isinstance(policy_result, (tuple, list)):`
			`policy_result, message = policy_result`
			`# Invert result if policy.negate is set`
			`if policy_obj.negate:`
			`policy_result = not policy_result`
Fix negate on FieldMatcherPolicy 2019-03-03 16:21:58 +00:00			`LOGGER.debug("Policy %r#%s got %s", policy_obj.name, policy_obj.pk.hex, policy_result)`
Better handle Policy.action and Policy.negate 2019-03-03 16:12:53 +00:00			`return policy_obj.action, policy_result, message`
Rule -> Policies 2019-02-16 09:24:31 +00:00
			`class PolicyEngine:`
			`"""Orchestrate policy checking, launch tasks and return result"""`

			`policies = None`
			`_group = None`
create suspicious request detector and policy, add request to policy engine 2019-03-03 19:26:25 +00:00			`_request = None`
			`_user = None`
Rule -> Policies 2019-02-16 09:24:31 +00:00
			`def __init__(self, policies):`
			`self.policies = policies`
create suspicious request detector and policy, add request to policy engine 2019-03-03 19:26:25 +00:00			`self._request = None`
			`self._user = None`
Rule -> Policies 2019-02-16 09:24:31 +00:00
			`def for_user(self, user):`
			`"""Check policies for user"""`
create suspicious request detector and policy, add request to policy engine 2019-03-03 19:26:25 +00:00			`self._user = user`
			`return self`

			`def with_request(self, request):`
			`"""Set request"""`
			`self._request = request`
			`return self`

			`def build(self):`
			`"""Build task group"""`
Rule -> Policies 2019-02-16 09:24:31 +00:00			`signatures = []`
			`kwargs = {`
create suspicious request detector and policy, add request to policy engine 2019-03-03 19:26:25 +00:00			`'__password__': getattr(self._user, '__password__', None),`
			`'remote_ip': get_remote_ip(self._request)`
Rule -> Policies 2019-02-16 09:24:31 +00:00			`}`
			`for policy in self.policies:`
create suspicious request detector and policy, add request to policy engine 2019-03-03 19:26:25 +00:00			`signatures.append(_policy_engine_task.s(self._user.pk, policy.pk.hex, **kwargs))`
Rule -> Policies 2019-02-16 09:24:31 +00:00			`self._group = group(signatures)()`
			`return self`

			`@property`
			`def result(self):`
			`"""Get policy-checking result"""`
implement password policy checking on signup and password change closes #8 2019-02-26 14:40:58 +00:00			`messages = []`
Better handle Policy.action and Policy.negate 2019-03-03 16:12:53 +00:00			`for policy_action, policy_result, policy_message in self._group.get():`
			`passing = (policy_action == Policy.ACTION_ALLOW and policy_result) or \`
			`(policy_action == Policy.ACTION_DENY and not policy_result)`
			`if policy_message:`
implement password policy checking on signup and password change closes #8 2019-02-26 14:40:58 +00:00			`messages.append(policy_message)`
Better handle Policy.action and Policy.negate 2019-03-03 16:12:53 +00:00			`if not passing:`
implement password policy checking on signup and password change closes #8 2019-02-26 14:40:58 +00:00			`return False, messages`
			`return True, messages`