Merge branch 'master' into 30-application-security-gateway

# Conflicts:
#	passbook/core/policies.py
#	passbook/core/settings.py
This commit is contained in:
Jens Langhammer 2019-03-21 14:58:10 +01:00
commit 10b7d99b37
37 changed files with 221 additions and 56 deletions

View file

@ -1,5 +1,5 @@
[bumpversion] [bumpversion]
current_version = 0.1.23-beta current_version = 0.1.24-beta
tag = True tag = True
commit = True commit = True
parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\-(?P<release>.*) parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\-(?P<release>.*)

View file

@ -12,6 +12,7 @@ stages:
image: python:3.6 image: python:3.6
services: services:
- postgres:latest - postgres:latest
- redis:latest
variables: variables:
POSTGRES_DB: passbook POSTGRES_DB: passbook
@ -54,7 +55,7 @@ package-docker:
before_script: before_script:
- echo "{\"auths\":{\"docker.$NEXUS_URL\":{\"auth\":\"$NEXUS_AUTH\"}}}" > /kaniko/.docker/config.json - echo "{\"auths\":{\"docker.$NEXUS_URL\":{\"auth\":\"$NEXUS_AUTH\"}}}" > /kaniko/.docker/config.json
script: script:
- /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination docker.pkg.beryju.org/passbook:latest --destination docker.pkg.beryju.org/passbook:0.1.23-beta - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination docker.pkg.beryju.org/passbook:latest --destination docker.pkg.beryju.org/passbook:0.1.24-beta
stage: build stage: build
only: only:
- tags - tags

View file

@ -3,7 +3,7 @@ from setuptools import setup
setup( setup(
name='django-allauth-passbook', name='django-allauth-passbook',
version='0.1.23-beta', version='0.1.24-beta',
description='passbook support for django-allauth', description='passbook support for django-allauth',
# long_description='\n'.join(read_simple('docs/index.md')[2:]), # long_description='\n'.join(read_simple('docs/index.md')[2:]),
long_description_content_type='text/markdown', long_description_content_type='text/markdown',

View file

@ -18,7 +18,7 @@ tests_require = [
setup( setup(
name='sentry-auth-passbook', name='sentry-auth-passbook',
version='0.1.23-beta', version='0.1.24-beta',
author='BeryJu.org', author='BeryJu.org',
author_email='support@beryju.org', author_email='support@beryju.org',
url='https://passbook.beryju.org', url='https://passbook.beryju.org',

8
debian/changelog vendored
View file

@ -1,3 +1,11 @@
passbook (0.1.24) stable; urgency=medium
* bump version: 0.1.22-beta -> 0.1.23-beta
* add modal for OAuth Providers showing the URLs
* remove user field from form. Closes #32
-- Jens Langhammer <jens.langhammer@beryju.org> Wed, 20 Mar 2019 21:59:21 +0000
passbook (0.1.23) stable; urgency=medium passbook (0.1.23) stable; urgency=medium
* add support for OpenID-Connect Discovery * add support for OpenID-Connect Discovery

2
debian/control vendored
View file

@ -8,7 +8,7 @@ Standards-Version: 3.9.6
Package: passbook Package: passbook
Architecture: all Architecture: all
Recommends: mysql-server, rabbitmq-server Recommends: mysql-server, rabbitmq-server, redis-server
Pre-Depends: adduser, libldap2-dev, libsasl2-dev Pre-Depends: adduser, libldap2-dev, libsasl2-dev
Depends: python3 (>= 3.5) | python3.6 | python3.7, python3-pip, dbconfig-pgsql | dbconfig-no-thanks, ${misc:Depends} Depends: python3 (>= 3.5) | python3.6 | python3.7, python3-pip, dbconfig-pgsql | dbconfig-no-thanks, ${misc:Depends}
Description: Authentication Provider/Proxy supporting protocols like SAML, OAuth, LDAP and more. Description: Authentication Provider/Proxy supporting protocols like SAML, OAuth, LDAP and more.

View file

@ -11,6 +11,8 @@ debug: false
secure_proxy_header: secure_proxy_header:
HTTP_X_FORWARDED_PROTO: https HTTP_X_FORWARDED_PROTO: https
rabbitmq: guest:guest@localhost/passbook rabbitmq: guest:guest@localhost/passbook
redis: localhost/0
# Error reporting, sends stacktrace to sentry.services.beryju.org # Error reporting, sends stacktrace to sentry.services.beryju.org
error_report_enabled: true error_report_enabled: true

View file

@ -1,6 +1,6 @@
apiVersion: v1 apiVersion: v1
appVersion: "0.1.23-beta" appVersion: "0.1.24-beta"
description: A Helm chart for passbook. description: A Helm chart for passbook.
name: passbook name: passbook
version: "0.1.23-beta" version: "0.1.24-beta"
icon: https://passbook.beryju.org/images/logo.png icon: https://passbook.beryju.org/images/logo.png

Binary file not shown.

View file

@ -5,5 +5,8 @@ dependencies:
- name: postgresql - name: postgresql
repository: https://kubernetes-charts.storage.googleapis.com/ repository: https://kubernetes-charts.storage.googleapis.com/
version: 3.10.1 version: 3.10.1
digest: sha256:c36e054785f7d706d7d3f525eb1b167dbc89b42f84da7fc167a18bbb6542c999 - name: redis
generated: 2019-03-11T20:36:35.125079+01:00 repository: https://kubernetes-charts.storage.googleapis.com/
version: 5.1.0
digest: sha256:8bf68bc928a2e3c0f05139635be05fa0840554c7bde4cecd624fac78fb5fa5a3
generated: 2019-03-21T11:06:51.553379+01:00

View file

@ -5,3 +5,6 @@ dependencies:
- name: postgresql - name: postgresql
version: 3.10.1 version: 3.10.1
repository: https://kubernetes-charts.storage.googleapis.com/ repository: https://kubernetes-charts.storage.googleapis.com/
- name: redis
version: 5.1.0
repository: https://kubernetes-charts.storage.googleapis.com/

View file

@ -37,6 +37,7 @@ data:
secure_proxy_header: secure_proxy_header:
HTTP_X_FORWARDED_PROTO: https HTTP_X_FORWARDED_PROTO: https
rabbitmq: "user:{{ .Values.rabbitmq.rabbitmq.password }}@{{ .Release.Name }}-rabbitmq" rabbitmq: "user:{{ .Values.rabbitmq.rabbitmq.password }}@{{ .Release.Name }}-rabbitmq"
redis: ":{{ .Values.redis.password }}@{{ .Release.Name }}-redis-master/0"
# Error reporting, sends stacktrace to sentry.services.beryju.org # Error reporting, sends stacktrace to sentry.services.beryju.org
error_report_enabled: {{ .Values.config.error_reporting }} error_report_enabled: {{ .Values.config.error_reporting }}

View file

@ -5,7 +5,7 @@
replicaCount: 1 replicaCount: 1
image: image:
tag: 0.1.23-beta tag: 0.1.24-beta
nameOverride: "" nameOverride: ""

View file

@ -1,2 +1,2 @@
"""passbook""" """passbook"""
__version__ = '0.1.23-beta' __version__ = '0.1.24-beta'

View file

@ -1,2 +1,2 @@
"""passbook admin""" """passbook admin"""
__version__ = '0.1.23-beta' __version__ = '0.1.24-beta'

View file

@ -57,6 +57,10 @@
<a class="btn btn-default btn-sm" <a class="btn btn-default btn-sm"
href="{{ href }}?back={{ request.get_full_path }}">{% trans name %}</a> href="{{ href }}?back={{ request.get_full_path }}">{% trans name %}</a>
{% endfor %} {% endfor %}
{% get_htmls provider as htmls %}
{% for html in htmls %}
{{ html|safe }}
{% endfor %}
</td> </td>
</tr> </tr>
{% endfor %} {% endfor %}

View file

@ -5,6 +5,8 @@ from logging import getLogger
from django import template from django import template
from django.db.models import Model from django.db.models import Model
from passbook.lib.utils.template import render_to_string
register = template.Library() register = template.Library()
LOGGER = getLogger(__name__) LOGGER = getLogger(__name__)
@ -29,3 +31,24 @@ def get_links(model_instance):
pass pass
return links return links
@register.simple_tag(takes_context=True)
def get_htmls(context, model_instance):
"""Find all html_ methods on an object instance, run them and return as dict"""
prefix = 'html_'
htmls = []
if not isinstance(model_instance, Model):
LOGGER.warning("Model %s is not instance of Model", model_instance)
return htmls
try:
for name, method in inspect.getmembers(model_instance, predicate=inspect.ismethod):
if name.startswith(prefix):
template, _context = method(context.get('request'))
htmls.append(render_to_string(template, _context))
except NotImplementedError:
pass
return htmls

View file

@ -1,2 +1,2 @@
"""passbook api""" """passbook api"""
__version__ = '0.1.23-beta' __version__ = '0.1.24-beta'

View file

@ -1,2 +1,2 @@
"""passbook audit Header""" """passbook audit Header"""
__version__ = '0.1.23-beta' __version__ = '0.1.24-beta'

View file

@ -1,2 +1,2 @@
"""passbook captcha_factor Header""" """passbook captcha_factor Header"""
__version__ = '0.1.23-beta' __version__ = '0.1.24-beta'

View file

@ -1,2 +1,2 @@
"""passbook core""" """passbook core"""
__version__ = '0.1.23-beta' __version__ = '0.1.24-beta'

View file

@ -3,7 +3,11 @@ from logging import getLogger
from amqp.exceptions import UnexpectedFrame from amqp.exceptions import UnexpectedFrame
from celery import group from celery import group
<<<<<<< HEAD
from celery.exceptions import TimeoutError as CeleryTimeoutError from celery.exceptions import TimeoutError as CeleryTimeoutError
=======
from django.core.cache import cache
>>>>>>> master
from ipware import get_client_ip from ipware import get_client_ip
from passbook.core.celery import CELERY_APP from passbook.core.celery import CELERY_APP
@ -11,6 +15,9 @@ from passbook.core.models import Policy, User
LOGGER = getLogger(__name__) LOGGER = getLogger(__name__)
def _cache_key(policy, user):
return "%s#%s" % (policy.uuid, user.pk)
@CELERY_APP.task() @CELERY_APP.task()
def _policy_engine_task(user_pk, policy_pk, **kwargs): def _policy_engine_task(user_pk, policy_pk, **kwargs):
"""Task wrapper to run policy checking""" """Task wrapper to run policy checking"""
@ -31,62 +38,81 @@ def _policy_engine_task(user_pk, policy_pk, **kwargs):
if policy_obj.negate: if policy_obj.negate:
policy_result = not policy_result policy_result = not policy_result
LOGGER.debug("Policy %r#%s got %s", policy_obj.name, policy_obj.pk.hex, policy_result) LOGGER.debug("Policy %r#%s got %s", policy_obj.name, policy_obj.pk.hex, policy_result)
cache_key = _cache_key(policy_obj, user_obj)
cache.set(cache_key, (policy_obj.action, policy_result, message))
LOGGER.debug("Cached entry as %s", cache_key)
return policy_obj.action, policy_result, message return policy_obj.action, policy_result, message
class PolicyEngine: class PolicyEngine:
"""Orchestrate policy checking, launch tasks and return result""" """Orchestrate policy checking, launch tasks and return result"""
__group = None
__cached = None
policies = None policies = None
_group = None __get_timeout = 0
_request = None __request = None
_user = None __user = None
_get_timeout = 0
def __init__(self, policies): def __init__(self, policies):
self.policies = policies self.policies = policies
self._request = None self.__request = None
self._user = None self.__user = None
def for_user(self, user): def for_user(self, user):
"""Check policies for user""" """Check policies for user"""
self._user = user self.__user = user
return self return self
def with_request(self, request): def with_request(self, request):
"""Set request""" """Set request"""
self._request = request self.__request = request
return self return self
def build(self): def build(self):
"""Build task group""" """Build task group"""
if not self._user: if not self.__user:
raise ValueError("User not set.") raise ValueError("User not set.")
signatures = [] signatures = []
cached_policies = []
kwargs = { kwargs = {
'__password__': getattr(self._user, '__password__', None), '__password__': getattr(self.__user, '__password__', None),
} }
if self._request: if self.__request:
kwargs['remote_ip'], _ = get_client_ip(self._request) kwargs['remote_ip'], _ = get_client_ip(self.__request)
if not kwargs['remote_ip']: if not kwargs['remote_ip']:
kwargs['remote_ip'] = '255.255.255.255' kwargs['remote_ip'] = '255.255.255.255'
for policy in self.policies: for policy in self.policies:
cached_policy = cache.get(_cache_key(policy, self.__user), None)
if cached_policy:
LOGGER.debug("Taking result from cache for %s", policy.pk.hex)
cached_policies.append(cached_policy)
else:
LOGGER.debug("Evaluating policy %s", policy.pk.hex)
signatures.append(_policy_engine_task.signature( signatures.append(_policy_engine_task.signature(
args=(self._user.pk, policy.pk.hex), args=(self._user.pk, policy.pk.hex),
kwargs=kwargs, kwargs=kwargs,
time_limit=policy.timeout)) time_limit=policy.timeout))
self._get_timeout += policy.timeout self.__get_timeout += policy.timeout
self._get_timeout += 3 self.__get_timeout += 3
self._get_timeout = (self._get_timeout / len(self.policies)) * 1.5 self.__get_timeout = (self.__get_timeout / len(self.policies)) * 1.5
LOGGER.debug("Set total policy timeout to %r", self._get_timeout) LOGGER.debug("Set total policy timeout to %r", self.__get_timeout)
self._group = group(signatures)() # If all policies are cached, we have an empty list here.
if signatures:
self.__group = group(signatures)()
self.__cached = cached_policies
return self return self
@property @property
def result(self): def result(self):
"""Get policy-checking result""" """Get policy-checking result"""
messages = [] messages = []
result = []
try: try:
group_result = self._group.get(timeout=self._get_timeout) if self.__group:
# ValueError can be thrown from _policy_engine_task when user is None
result += self.__group.get(timeout=self._get_timeout)
result += self.__cached
except ValueError as exc: except ValueError as exc:
# ValueError can be thrown from _policy_engine_task when user is None # ValueError can be thrown from _policy_engine_task when user is None
return False, [str(exc)] return False, [str(exc)]
@ -94,7 +120,7 @@ class PolicyEngine:
return False, [str(exc)] return False, [str(exc)]
except CeleryTimeoutError as exc: except CeleryTimeoutError as exc:
return False, [str(exc)] return False, [str(exc)]
for policy_action, policy_result, policy_message in group_result: for policy_action, policy_result, policy_message in result:
passing = (policy_action == Policy.ACTION_ALLOW and policy_result) or \ passing = (policy_action == Policy.ACTION_ALLOW and policy_result) or \
(policy_action == Policy.ACTION_DENY and not policy_result) (policy_action == Policy.ACTION_DENY and not policy_result)
LOGGER.debug('Action=%s, Result=%r => %r', policy_action, policy_result, passing) LOGGER.debug('Action=%s, Result=%r => %r', policy_action, policy_result, passing)

View file

@ -1,12 +1,13 @@
django>=2.0 celery
django-model-utils cherrypy
colorlog
django-ipware django-ipware
django-model-utils
django-redis
django>=2.0
djangorestframework djangorestframework
idna<2.8,>=2.5
markdown
psycopg2
PyYAML PyYAML
raven raven
markdown
colorlog
celery
psycopg2
idna<2.8,>=2.5
cherrypy

View file

@ -46,6 +46,8 @@ AUTH_USER_MODEL = 'passbook_core.User'
CSRF_COOKIE_NAME = 'passbook_csrf' CSRF_COOKIE_NAME = 'passbook_csrf'
SESSION_COOKIE_NAME = 'passbook_session' SESSION_COOKIE_NAME = 'passbook_session'
SESSION_COOKIE_DOMAIN = CONFIG.get('primary_domain') SESSION_COOKIE_DOMAIN = CONFIG.get('primary_domain')
SESSION_ENGINE = "django.contrib.sessions.backends.cache"
SESSION_CACHE_ALIAS = "default"
LANGUAGE_COOKIE_NAME = 'passbook_language' LANGUAGE_COOKIE_NAME = 'passbook_language'
AUTHENTICATION_BACKENDS = [ AUTHENTICATION_BACKENDS = [
@ -101,6 +103,16 @@ REST_FRAMEWORK = {
] ]
} }
CACHES = {
"default": {
"BACKEND": "django_redis.cache.RedisCache",
"LOCATION": "redis://%s" % CONFIG.get('redis'),
"OPTIONS": {
"CLIENT_CLASS": "django_redis.client.DefaultClient",
}
}
}
MIDDLEWARE = [ MIDDLEWARE = [
'django.contrib.sessions.middleware.SessionMiddleware', 'django.contrib.sessions.middleware.SessionMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware', 'django.contrib.auth.middleware.AuthenticationMiddleware',

View file

@ -1,10 +1,15 @@
"""passbook core signals""" """passbook core signals"""
from logging import getLogger
from django.core.cache import cache
from django.core.signals import Signal from django.core.signals import Signal
from django.db.models.signals import post_save
from django.dispatch import receiver from django.dispatch import receiver
from passbook.core.exceptions import PasswordPolicyInvalid from passbook.core.exceptions import PasswordPolicyInvalid
LOGGER = getLogger(__name__)
user_signed_up = Signal(providing_args=['request', 'user']) user_signed_up = Signal(providing_args=['request', 'user'])
invitation_created = Signal(providing_args=['request', 'invitation']) invitation_created = Signal(providing_args=['request', 'invitation'])
invitation_used = Signal(providing_args=['request', 'invitation', 'user']) invitation_used = Signal(providing_args=['request', 'invitation', 'user'])
@ -24,3 +29,14 @@ def password_policy_checker(sender, password, **kwargs):
passing, messages = policy_engine.result passing, messages = policy_engine.result
if not passing: if not passing:
raise PasswordPolicyInvalid(*messages) raise PasswordPolicyInvalid(*messages)
@receiver(post_save)
# pylint: disable=unused-argument
def invalidate_policy_cache(sender, instance, **kwargs):
"""Invalidate Policy cache when policy is updated"""
from passbook.core.models import Policy
if isinstance(instance, Policy):
LOGGER.debug("Invalidating cache for %s", instance.pk)
keys = cache.keys("%s#*" % instance.pk)
cache.delete_many(keys)
LOGGER.debug("Deleted %d keys", len(keys))

View file

@ -1,2 +1,2 @@
"""passbook hibp_policy""" """passbook hibp_policy"""
__version__ = '0.1.23-beta' __version__ = '0.1.24-beta'

View file

@ -1,2 +1,2 @@
"""Passbook ldap app Header""" """Passbook ldap app Header"""
__version__ = '0.1.23-beta' __version__ = '0.1.24-beta'

View file

@ -1,2 +1,2 @@
"""passbook lib""" """passbook lib"""
__version__ = '0.1.23-beta' __version__ = '0.1.24-beta'

View file

@ -30,6 +30,7 @@ debug: false
secure_proxy_header: secure_proxy_header:
HTTP_X_FORWARDED_PROTO: https HTTP_X_FORWARDED_PROTO: https
rabbitmq: guest:guest@localhost/passbook rabbitmq: guest:guest@localhost/passbook
redis: localhost/0
# Error reporting, sends stacktrace to sentry.services.beryju.org # Error reporting, sends stacktrace to sentry.services.beryju.org
error_report_enabled: true error_report_enabled: true
secret_key: 9$@r!d^1^jrn#fk#1#@ks#9&i$^s#1)_13%$rwjrhd=e8jfi_s secret_key: 9$@r!d^1^jrn#fk#1#@ks#9&i$^s#1)_13%$rwjrhd=e8jfi_s

View file

@ -1,2 +1,2 @@
"""passbook oauth_client Header""" """passbook oauth_client Header"""
__version__ = '0.1.23-beta' __version__ = '0.1.24-beta'

View file

@ -1,2 +1,2 @@
"""passbook oauth_provider Header""" """passbook oauth_provider Header"""
__version__ = '0.1.23-beta' __version__ = '0.1.24-beta'

View file

@ -11,5 +11,5 @@ class OAuth2ProviderForm(forms.ModelForm):
class Meta: class Meta:
model = OAuth2Provider model = OAuth2Provider
fields = ['name', 'user', 'redirect_uris', 'client_type', fields = ['name', 'redirect_uris', 'client_type',
'authorization_grant_type', 'client_id', 'client_secret', ] 'authorization_grant_type', 'client_id', 'client_secret', ]

View file

@ -1,5 +1,6 @@
"""Oauth2 provider product extension""" """Oauth2 provider product extension"""
from django.shortcuts import reverse
from django.utils.translation import gettext as _ from django.utils.translation import gettext as _
from oauth2_provider.models import AbstractApplication from oauth2_provider.models import AbstractApplication
@ -14,6 +15,20 @@ class OAuth2Provider(Provider, AbstractApplication):
def __str__(self): def __str__(self):
return "OAuth2 Provider %s" % self.name return "OAuth2 Provider %s" % self.name
def html_setup_urls(self, request):
"""return template and context modal with URLs for authorize, token, openid-config, etc"""
return "oauth2_provider/setup_url_modal.html", {
'provider': self,
'authorize_url': request.build_absolute_uri(
reverse('passbook_oauth_provider:oauth2-authorize')),
'token_url': request.build_absolute_uri(
reverse('passbook_oauth_provider:token')),
'userinfo_url': request.build_absolute_uri(
reverse('passbook_api:openid')),
'openid_url': request.build_absolute_uri(
reverse('passbook_oauth_provider:openid-discovery'))
}
class Meta: class Meta:
verbose_name = _('OAuth2 Provider') verbose_name = _('OAuth2 Provider')

View file

@ -0,0 +1,49 @@
{% load i18n %}
<button class="btn btn-default btn-sm" data-toggle="modal" data-target="#{{ provider.pk }}">{% trans 'View Setup URLs' %}</button>
<div class="modal fade" id="{{ provider.pk }}" tabindex="-1" role="dialog" aria-labelledby="{{ provider.pk }}Label" aria-hidden="true">
<div class="modal-dialog">
<div class="modal-content">
<div class="modal-header">
<button type="button" class="close" data-dismiss="modal" aria-hidden="true" aria-label="Close">
<span class="pficon pficon-close"></span>
</button>
<h4 class="modal-title" id="{{ provider.pk }}Label">{% trans 'Setup URLs' %}</h4>
</div>
<div class="modal-body">
<form class="form-horizontal">
<div class="form-group">
<label class="col-sm-3 control-label">{% trans 'Authroize URL' %}</label>
<div class="col-sm-9">
<input type="text"class="form-control" readonly value="{{ authorize_url }}">
</div>
</div>
<div class="form-group">
<label class="col-sm-3 control-label">{% trans 'Token URL' %}</label>
<div class="col-sm-9">
<input type="text" class="form-control" readonly value="{{ token_url }}">
</div>
</div>
<div class="form-group">
<label class="col-sm-3 control-label">{% trans 'Userinfo Endpoint' %}</label>
<div class="col-sm-9">
<input type="text" class="form-control" readonly value="{{ userinfo_url }}">
</div>
</div>
</form>
<hr>
<form class="form-horizontal">
<div class="form-group">
<label class="col-sm-3 control-label">{% trans 'OpenID Configuration URL' %}</label>
<div class="col-sm-9">
<input type="text"class="form-control" readonly value="{{ openid_url }}">
</div>
</div>
</form>
</div>
<div class="modal-footer">
<button type="button" class="btn btn-primary" data-dismiss="modal">{% trans 'Close' %}</button>
</div>
</div>
</div>
</div>

View file

@ -1,2 +1,2 @@
"""passbook otp Header""" """passbook otp Header"""
__version__ = '0.1.23-beta' __version__ = '0.1.24-beta'

View file

@ -1,2 +1,2 @@
"""passbook password_expiry""" """passbook password_expiry"""
__version__ = '0.1.23-beta' __version__ = '0.1.24-beta'

View file

@ -1,2 +1,2 @@
"""passbook saml_idp Header""" """passbook saml_idp Header"""
__version__ = '0.1.23-beta' __version__ = '0.1.24-beta'