Merge branch '30-application-security-gateway' into 'master'

Resolve "Application Security Gateway (Reverse Proxy)" Closes #30 See merge request BeryJu.org/passbook!17
2019-03-21 15:41:34 +00:00 · 2019-03-21 15:41:34 +00:00 · 457375287c
parent 1c3b5889e5 7e87bfef5b
commit 457375287c
29 changed files with 572 additions and 10 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -53,3 +53,4 @@ values =
 [bumpversion:file:passbook/otp/__init__.py]
 [bumpversion:file:passbook/app_gw/__init__.py]
--- a/debian/etc/passbook/config.yml
+++ b/debian/etc/passbook/config.yml
@ -16,6 +16,8 @@ redis: localhost/0
 # Error reporting, sends stacktrace to sentry.services.beryju.org
 error_report_enabled: true
 primary_domain: passbook.local
 passbook:
  sign_up:
    # Enables signup, created users are stored in internal Database and created in LDAP if ldap.create_users is true
--- a/helm/passbook/templates/passbook-configmap.yaml
+++ b/helm/passbook/templates/passbook-configmap.yaml
@ -47,6 +47,7 @@ data:
    secret_key: {{ randAlphaNum 50 }}
    {{- end }}
    primary_domain: {{ .Values.primary_domain }}
    domains:
        {{- range .Values.ingress.hosts }}
        - {{ . | quote }}
--- a/passbook/admin/templates/administration/property_mapping/list.html
+++ b/passbook/admin/templates/administration/property_mapping/list.html
@ -36,7 +36,7 @@
        <tbody>
            {% for property_mapping in object_list %}
            <tr>
-                <td>{{ property_mapping.name }} ({{ property_mapping.slug }})</td>
+                <td>{{ property_mapping.name }}</td>
                <td>{{ property_mapping|verbose_name }}</td>
                <td>
                    <a class="btn btn-default btn-sm"
--- a/passbook/app_gw/.DS_Store
+++ b/passbook/app_gw/.DS_Store
--- a/passbook/app_gw/init.py
+++ b/passbook/app_gw/init.py
@ -0,0 +1,2 @@
 """passbook Application Security Gateway Header"""
 __version__ = '0.1.23-beta'
--- a/passbook/app_gw/admin.py
+++ b/passbook/app_gw/admin.py
@ -0,0 +1,5 @@
 """passbook Application Security Gateway model admin"""
 from passbook.lib.admin import admin_autoregister
 admin_autoregister('passbook_app_gw')
--- a/passbook/app_gw/apps.py
+++ b/passbook/app_gw/apps.py
@ -0,0 +1,16 @@
 """passbook Application Security Gateway app"""
 from importlib import import_module
 from django.apps import AppConfig
 class PassbookApplicationApplicationGatewayConfig(AppConfig):
    """passbook app_gw app"""
    name = 'passbook.app_gw'
    label = 'passbook_app_gw'
    verbose_name = 'passbook Application Security Gateway'
    mountpoint = 'app_gw/'
    def ready(self):
        import_module('passbook.app_gw.signals')
--- a/passbook/app_gw/forms.py
+++ b/passbook/app_gw/forms.py
@ -0,0 +1,56 @@
 """passbook Application Security Gateway Forms"""
 from django import forms
 from django.contrib.admin.widgets import FilteredSelectMultiple
 from django.forms import ValidationError
 from django.utils.translation import gettext as _
 from passbook.app_gw.models import ApplicationGatewayProvider, RewriteRule
 from passbook.lib.fields import DynamicArrayField
 class ApplicationGatewayProviderForm(forms.ModelForm):
    """Security Gateway Provider form"""
    def clean_server_name(self):
        """Check if server_name is in DB already, since
        Postgres ArrayField doesn't suppport keys."""
        current = self.cleaned_data.get('server_name')
        if ApplicationGatewayProvider.objects \
                .filter(server_name__overlap=current) \
                .exclude(pk=self.instance.pk).exists():
            raise ValidationError("Server Name already in use.")
        return current
    class Meta:
        model = ApplicationGatewayProvider
        fields = ['server_name', 'upstream', 'enabled', 'authentication_header',
                  'default_content_type', 'upstream_ssl_verification', 'property_mappings']
        widgets = {
            'authentication_header': forms.TextInput(),
            'default_content_type': forms.TextInput(),
            'property_mappings': FilteredSelectMultiple(_('Property Mappings'), False)
        }
        field_classes = {
            'server_name': DynamicArrayField,
            'upstream': DynamicArrayField
        }
        labels = {
            'upstream_ssl_verification': _('Verify upstream SSL Certificates?'),
            'property_mappings': _('Rewrite Rules')
        }
 class RewriteRuleForm(forms.ModelForm):
    """Rewrite Rule Form"""
    class Meta:
        model = RewriteRule
        fields = ['name', 'match', 'halt', 'replacement', 'redirect', 'conditions']
        widgets = {
            'name': forms.TextInput(),
            'match': forms.TextInput(attrs={'data-is-monospace': True}),
            'replacement': forms.TextInput(attrs={'data-is-monospace': True}),
            'conditions': FilteredSelectMultiple(_('Conditions'), False)
        }
--- a/passbook/app_gw/middleware.py
+++ b/passbook/app_gw/middleware.py
@ -0,0 +1,227 @@
 """passbook app_gw middleware"""
 import mimetypes
 from logging import getLogger
 from urllib.parse import urlparse
 import certifi
 import urllib3
 from django.core.cache import cache
 from django.utils.http import urlencode
 from revproxy.exceptions import InvalidUpstream
 from revproxy.response import get_django_response
 from revproxy.utils import encode_items, normalize_request_headers
 from passbook.app_gw.models import ApplicationGatewayProvider
 from passbook.app_gw.rewrite import Rewriter
 from passbook.core.models import Application
 from passbook.core.policies import PolicyEngine
 IGNORED_HOSTNAMES_KEY = 'passbook_app_gw_ignored'
 LOGGER = getLogger(__name__)
 QUOTE_SAFE = r'<.;>\(}*+|~=-$/_:^@)[{]&\'!,"`'
 ERRORS_MESSAGES = {
    'upstream-no-scheme': ("Upstream URL scheme must be either "
                           "'http' or 'https' (%s).")
 }
 # pylint: disable=too-many-instance-attributes
 class ApplicationGatewayMiddleware:
    """Check if request should be proxied or handeled normally"""
    ignored_hosts = []
    request = None
    app_gw = None
    http = None
    http_no_verify = None
    host_header = ''
    _parsed_url = None
    _request_headers = None
    def __init__(self, get_response):
        self.get_response = get_response
        self.ignored_hosts = cache.get(IGNORED_HOSTNAMES_KEY, [])
        self.http_no_verify = urllib3.PoolManager()
        self.http = urllib3.PoolManager(
            cert_reqs='CERT_REQUIRED',
            ca_certs=certifi.where())
    def precheck(self, request):
        """Check if a request should be proxied or forwarded to passbook"""
        # Check if hostname is in cached list of ignored hostnames
        # This saves us having to query the database on each request
        self.host_header = request.META.get('HTTP_HOST')
        if self.host_header in self.ignored_hosts:
            LOGGER.debug("%s is ignored", self.host_header)
            return True, None
        # Look through all ApplicationGatewayProviders and check hostnames
        matches = ApplicationGatewayProvider.objects.filter(
            server_name__contains=[self.host_header],
            enabled=True)
        if not matches.exists():
            # Mo matching Providers found, add host header to ignored list
            self.ignored_hosts.append(self.host_header)
            cache.set(IGNORED_HOSTNAMES_KEY, self.ignored_hosts)
            LOGGER.debug("Ignoring %s", self.host_header)
            return True, None
        # At this point we're certain there's a matching ApplicationGateway
        if len(matches) > 1:
            # TODO This should never happen
            raise ValueError
        app_gw = matches.first()
        try:
            # Check if ApplicationGateway is associcaited with application
            getattr(app_gw, 'application')
            return False, app_gw
        except Application.DoesNotExist:
            LOGGER.debug("ApplicationGateway not associated with Application")
            return True, None
        return True, None
    def __call__(self, request):
        forward, self.app_gw = self.precheck(request)
        if forward:
            return self.get_response(request)
        self.request = request
        return self.dispatch(request)
    def get_upstream(self):
        """Get upstream as parsed url"""
        # TODO: How to choose upstream?
        upstream = self.app_gw.upstream[0]
        if not getattr(self, '_parsed_url', None):
            self._parsed_url = urlparse(upstream)
        if self._parsed_url.scheme not in ('http', 'https'):
            raise InvalidUpstream(ERRORS_MESSAGES['upstream-no-scheme'] %
                                  upstream)
        return upstream
    def _format_path_to_redirect(self, request):
        LOGGER.debug("Path before: %s", request.get_full_path())
        rewriter = Rewriter(self.app_gw, request)
        after = rewriter.build()
        LOGGER.debug("Path after: %s", after)
        return after
    def get_proxy_request_headers(self, request):
        """Get normalized headers for the upstream
        Gets all headers from the original request and normalizes them.
        Normalization occurs by removing the prefix ``HTTP_`` and
        replacing and ``_`` by ``-``. Example: ``HTTP_ACCEPT_ENCODING``
        becames ``Accept-Encoding``.
        .. versionadded:: 0.9.1
        :param request:  The original HTTPRequest instance
        :returns:  Normalized headers for the upstream
        """
        return normalize_request_headers(request)
    def get_request_headers(self):
        """Return request headers that will be sent to upstream.
        The header REMOTE_USER is set to the current user
        if AuthenticationMiddleware is enabled and
        the view's add_remote_user property is True.
        .. versionadded:: 0.9.8
        """
        request_headers = self.get_proxy_request_headers(self.request)
        request_headers[self.app_gw.authentication_header] = self.request.user.get_username()
        LOGGER.info("%s set", self.app_gw.authentication_header)
        return request_headers
    def check_permission(self):
        """Check if user is authenticated and has permission to access app"""
        if not hasattr(self.request, 'user'):
            return False
        if not self.request.user.is_authenticated:
            return False
        policy_engine = PolicyEngine(self.app_gw.application.policies.all())
        policy_engine.for_user(self.request.user).with_request(self.request).build()
        passing, _messages = policy_engine.result
        return passing
    def get_encoded_query_params(self):
        """Return encoded query params to be used in proxied request"""
        get_data = encode_items(self.request.GET.lists())
        return urlencode(get_data)
    def _created_proxy_response(self, request, path):
        request_payload = request.body
        LOGGER.debug("Request headers: %s", self._request_headers)
        request_url = self.get_upstream() + path
        LOGGER.debug("Request URL: %s", request_url)
        if request.GET:
            request_url += '?' + self.get_encoded_query_params()
            LOGGER.debug("Request URL: %s", request_url)
        http = self.http
        if not self.app_gw.upstream_ssl_verification:
            http = self.http_no_verify
        try:
            proxy_response = http.urlopen(request.method,
                                          request_url,
                                          redirect=False,
                                          retries=None,
                                          headers=self._request_headers,
                                          body=request_payload,
                                          decode_content=False,
                                          preload_content=False)
            LOGGER.debug("Proxy response header: %s",
                         proxy_response.getheaders())
        except urllib3.exceptions.HTTPError as error:
            LOGGER.exception(error)
            raise
        return proxy_response
    def _replace_host_on_redirect_location(self, request, proxy_response):
        location = proxy_response.headers.get('Location')
        if location:
            if request.is_secure():
                scheme = 'https://'
            else:
                scheme = 'http://'
            request_host = scheme + self.host_header
            upstream_host_http = 'http://' + self._parsed_url.netloc
            upstream_host_https = 'https://' + self._parsed_url.netloc
            location = location.replace(upstream_host_http, request_host)
            location = location.replace(upstream_host_https, request_host)
            proxy_response.headers['Location'] = location
            LOGGER.debug("Proxy response LOCATION: %s",
                         proxy_response.headers['Location'])
    def _set_content_type(self, request, proxy_response):
        content_type = proxy_response.headers.get('Content-Type')
        if not content_type:
            content_type = (mimetypes.guess_type(request.path)[0] or
                            self.app_gw.default_content_type)
            proxy_response.headers['Content-Type'] = content_type
            LOGGER.debug("Proxy response CONTENT-TYPE: %s",
                         proxy_response.headers['Content-Type'])
    def dispatch(self, request):
        """Build proxied request and pass to upstream"""
        # if not self.check_permission():
        #     to_url = 'https://%s/?next=%s' % (CONFIG.get('domains')[0], request.get_full_path())
        #     return RedirectView.as_view(url=to_url)(request)
        self._request_headers = self.get_request_headers()
        path = self._format_path_to_redirect(request)
        proxy_response = self._created_proxy_response(request, path)
        self._replace_host_on_redirect_location(request, proxy_response)
        self._set_content_type(request, proxy_response)
        response = get_django_response(proxy_response, strict_cookies=False)
        LOGGER.debug("RESPONSE RETURNED: %s", response)
        return response
--- a/passbook/app_gw/migrations/.DS_Store
+++ b/passbook/app_gw/migrations/.DS_Store
--- a/passbook/app_gw/migrations/0001_initial.py
+++ b/passbook/app_gw/migrations/0001_initial.py
@ -0,0 +1,50 @@
 # Generated by Django 2.1.7 on 2019-03-20 21:38
 import django.contrib.postgres.fields
 import django.db.models.deletion
 from django.db import migrations, models
 class Migration(migrations.Migration):
    initial = True
    dependencies = [
        ('passbook_core', '0020_groupmembershippolicy'),
    ]
    operations = [
        migrations.CreateModel(
            name='ApplicationGatewayProvider',
            fields=[
                ('provider_ptr', models.OneToOneField(auto_created=True, on_delete=django.db.models.deletion.CASCADE, parent_link=True, primary_key=True, serialize=False, to='passbook_core.Provider')),
                ('server_name', django.contrib.postgres.fields.ArrayField(base_field=models.TextField(), size=None)),
                ('upstream', django.contrib.postgres.fields.ArrayField(base_field=models.TextField(), size=None)),
                ('enabled', models.BooleanField(default=True)),
                ('authentication_header', models.TextField(default='X-Remote-User')),
                ('default_content_type', models.TextField(default='application/octet-stream')),
                ('upstream_ssl_verification', models.BooleanField(default=True)),
            ],
            options={
                'verbose_name': 'Application Gateway Provider',
                'verbose_name_plural': 'Application Gateway Providers',
            },
            bases=('passbook_core.provider',),
        ),
        migrations.CreateModel(
            name='RewriteRule',
            fields=[
                ('propertymapping_ptr', models.OneToOneField(auto_created=True, on_delete=django.db.models.deletion.CASCADE, parent_link=True, primary_key=True, serialize=False, to='passbook_core.PropertyMapping')),
                ('match', models.TextField()),
                ('halt', models.BooleanField(default=False)),
                ('replacement', models.TextField()),
                ('redirect', models.CharField(choices=[('internal', 'Internal'), (301, 'Moved Permanently'), (302, 'Found')], max_length=50)),
                ('conditions', models.ManyToManyField(to='passbook_core.Policy')),
            ],
            options={
                'verbose_name': 'Rewrite Rule',
                'verbose_name_plural': 'Rewrite Rules',
            },
            bases=('passbook_core.propertymapping',),
        ),
    ]
--- a/passbook/app_gw/migrations/0002_auto_20190321_1521.py
+++ b/passbook/app_gw/migrations/0002_auto_20190321_1521.py
@ -0,0 +1,18 @@
 # Generated by Django 2.1.7 on 2019-03-21 15:21
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ('passbook_app_gw', '0001_initial'),
    ]
    operations = [
        migrations.AlterField(
            model_name='rewriterule',
            name='conditions',
            field=models.ManyToManyField(blank=True, to='passbook_core.Policy'),
        ),
    ]
--- a/passbook/app_gw/migrations/init.py
+++ b/passbook/app_gw/migrations/init.py
--- a/passbook/app_gw/models.py
+++ b/passbook/app_gw/models.py
@ -0,0 +1,74 @@
 """passbook app_gw models"""
 import re
 from django.contrib.postgres.fields import ArrayField
 from django.db import models
 from django.utils.translation import gettext as _
 from passbook.core.models import Policy, PropertyMapping, Provider
 class ApplicationGatewayProvider(Provider):
    """Virtual server which proxies requests to any hostname in server_name to upstream"""
    server_name = ArrayField(models.TextField())
    upstream = ArrayField(models.TextField())
    enabled = models.BooleanField(default=True)
    authentication_header = models.TextField(default='X-Remote-User')
    default_content_type = models.TextField(default='application/octet-stream')
    upstream_ssl_verification = models.BooleanField(default=True)
    form = 'passbook.app_gw.forms.ApplicationGatewayProviderForm'
    @property
    def name(self):
        """since this model has no name property, return a joined list of server_names as name"""
        return ', '.join(self.server_name)
    def __str__(self):
        return "Application Gateway %s" % ', '.join(self.server_name)
    class Meta:
        verbose_name = _('Application Gateway Provider')
        verbose_name_plural = _('Application Gateway Providers')
 class RewriteRule(PropertyMapping):
    """Rewrite requests matching `match` with `replacement`, if all polcies in `conditions` apply"""
    REDIRECT_INTERNAL = 'internal'
    REDIRECT_PERMANENT = 301
    REDIRECT_FOUND = 302
    REDIRECTS = (
        (REDIRECT_INTERNAL, _('Internal')),
        (REDIRECT_PERMANENT, _('Moved Permanently')),
        (REDIRECT_FOUND, _('Found')),
    )
    match = models.TextField()
    halt = models.BooleanField(default=False)
    conditions = models.ManyToManyField(Policy, blank=True)
    replacement = models.TextField() # python formatted strings, use {match.1}
    redirect = models.CharField(max_length=50, choices=REDIRECTS)
    form = 'passbook.app_gw.forms.RewriteRuleForm'
    _matcher = None
    @property
    def compiled_matcher(self):
        """Cache the compiled regex in memory"""
        if not self._matcher:
            self._matcher = re.compile(self.match)
        return self._matcher
    def __str__(self):
        return "Rewrite Rule %s" % self.name
    class Meta:
        verbose_name = _('Rewrite Rule')
        verbose_name_plural = _('Rewrite Rules')
--- a/passbook/app_gw/requirements.txt
+++ b/passbook/app_gw/requirements.txt
@ -0,0 +1,2 @@
 django-revproxy
 urllib3[secure]
--- a/passbook/app_gw/rewrite.py
+++ b/passbook/app_gw/rewrite.py
@ -0,0 +1,38 @@
 """passbook app_gw rewriter"""
 from passbook.app_gw.models import RewriteRule
 class Context:
    """Empty class which we dynamically add attributes to"""
 class Rewriter:
    """Apply rewrites"""
    __application = None
    __request = None
    def __init__(self, application, request):
        self.__application = application
        self.__request = request
    def __build_context(self, matches):
        """Build object with .0, .1, etc as groups and give access to request"""
        context = Context()
        for index, group_match in enumerate(matches.groups()):
            setattr(context, "g%d" % (index + 1), group_match)
        setattr(context, 'request', self.__request)
        return context
    def build(self):
        """Run all rules over path and return final path"""
        path = self.__request.get_full_path()
        for rule in RewriteRule.objects.filter(provider__in=[self.__application]):
            matches = rule.compiled_matcher.search(path)
            if not matches:
                continue
            replace_context = self.__build_context(matches)
            path = rule.replacement.format(context=replace_context)
            if rule.halt:
                return path
        return path
--- a/passbook/app_gw/settings.py
+++ b/passbook/app_gw/settings.py
@ -0,0 +1,5 @@
 """Application Security Gateway settings"""
 # INSTALLED_APPS = [
 #     'revproxy'
 # ]
--- a/passbook/app_gw/signals.py
+++ b/passbook/app_gw/signals.py
@ -0,0 +1,20 @@
 """passbook app_gw cache clean signals"""
 from logging import getLogger
 from django.core.cache import cache
 from django.db.models.signals import post_save
 from django.dispatch import receiver
 from passbook.app_gw.middleware import IGNORED_HOSTNAMES_KEY
 from passbook.app_gw.models import ApplicationGatewayProvider
 LOGGER = getLogger(__name__)
@receiver(post_save)
 # pylint: disable=unused-argument
 def invalidate_app_gw_cache(sender, instance, **kwargs):
    """Invalidate Policy cache when app_gw is updated"""
    if isinstance(instance, ApplicationGatewayProvider):
        LOGGER.debug("Invalidating cache for ignored hostnames")
        cache.delete(IGNORED_HOSTNAMES_KEY)
--- a/passbook/app_gw/urls.py
+++ b/passbook/app_gw/urls.py
@ -0,0 +1,2 @@
 """passbook app_gw urls"""
 urlpatterns = []
--- a/passbook/core/forms/policies.py
+++ b/passbook/core/forms/policies.py
@ -7,7 +7,7 @@ from passbook.core.models import (DebugPolicy, FieldMatcherPolicy,
                                  GroupMembershipPolicy, PasswordPolicy,
                                  WebhookPolicy)
-GENERAL_FIELDS = ['name', 'action', 'negate', 'order', ]
+GENERAL_FIELDS = ['name', 'action', 'negate', 'order', 'timeout']
 class FieldMatcherPolicyForm(forms.ModelForm):
    """FieldMatcherPolicy Form"""
--- a/passbook/core/migrations/0021_policy_timeout.py
+++ b/passbook/core/migrations/0021_policy_timeout.py
@ -0,0 +1,18 @@
 # Generated by Django 2.1.7 on 2019-03-21 12:03
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ('passbook_core', '0020_groupmembershippolicy'),
    ]
    operations = [
        migrations.AddField(
            model_name='policy',
            name='timeout',
            field=models.IntegerField(default=30),
        ),
    ]
--- a/passbook/core/models.py
+++ b/passbook/core/models.py
@ -220,6 +220,7 @@ class Policy(UUIDModel, CreatedUpdatedModel):
    action = models.CharField(max_length=20, choices=ACTIONS)
    negate = models.BooleanField(default=False)
    order = models.IntegerField(default=0)
    timeout = models.IntegerField(default=30)
    objects = InheritanceManager()
--- a/passbook/core/policies.py
+++ b/passbook/core/policies.py
@ -1,7 +1,9 @@
 """passbook core policy engine"""
 from logging import getLogger
 from amqp.exceptions import UnexpectedFrame
 from celery import group
 from celery.exceptions import TimeoutError as CeleryTimeoutError
 from django.core.cache import cache
 from ipware import get_client_ip
@ -45,6 +47,7 @@ class PolicyEngine:
    __cached = None
    policies = None
    __get_timeout = 0
    __request = None
    __user = None
@ -83,10 +86,17 @@ class PolicyEngine:
                cached_policies.append(cached_policy)
            else:
                LOGGER.debug("Evaluating policy %s", policy.pk.hex)
-                signatures.append(_policy_engine_task.s(self.__user.pk, policy.pk.hex, **kwargs))
+                signatures.append(_policy_engine_task.signature(
                    args=(self.__user.pk, policy.pk.hex),
                    kwargs=kwargs,
                    time_limit=policy.timeout))
                self.__get_timeout += policy.timeout
        LOGGER.debug("Set total policy timeout to %r", self.__get_timeout)
        # If all policies are cached, we have an empty list here.
        if signatures:
            self.__group = group(signatures)()
            self.__get_timeout += 3
            self.__get_timeout = (self.__get_timeout / len(self.policies)) * 1.5
        self.__cached = cached_policies
        return self
@ -98,10 +108,15 @@ class PolicyEngine:
        try:
            if self.__group:
                # ValueError can be thrown from _policy_engine_task when user is None
-                result += self.__group.get()
+                result += self.__group.get(timeout=self.__get_timeout)
            result += self.__cached
        except ValueError as exc:
-            return False, str(exc)
+            # ValueError can be thrown from _policy_engine_task when user is None
            return False, [str(exc)]
        except UnexpectedFrame as exc:
            return False, [str(exc)]
        except CeleryTimeoutError as exc:
            return False, [str(exc)]
        for policy_action, policy_result, policy_message in result:
            passing = (policy_action == Policy.ACTION_ALLOW and policy_result) or \
                      (policy_action == Policy.ACTION_DENY and not policy_result)
--- a/passbook/core/settings.py
+++ b/passbook/core/settings.py
@ -34,7 +34,7 @@ SECRET_KEY = CONFIG.get('secret_key')
 # SECURITY WARNING: don't run with debug turned on in production!
 DEBUG = CONFIG.get('debug')
 INTERNAL_IPS = ['127.0.0.1']
-ALLOWED_HOSTS = CONFIG.get('domains', [])
+ALLOWED_HOSTS = CONFIG.get('domains', []) + [CONFIG.get('primary_domain')]
 SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
 LOGIN_URL = 'passbook_core:auth-login'
@ -45,6 +45,7 @@ AUTH_USER_MODEL = 'passbook_core.User'
 CSRF_COOKIE_NAME = 'passbook_csrf'
 SESSION_COOKIE_NAME = 'passbook_session'
 SESSION_COOKIE_DOMAIN = CONFIG.get('primary_domain')
 SESSION_ENGINE = "django.contrib.sessions.backends.cache"
 SESSION_CACHE_ALIAS = "default"
 LANGUAGE_COOKIE_NAME = 'passbook_language'
@ -81,6 +82,7 @@ INSTALLED_APPS = [
    'passbook.pretend.apps.PassbookPretendConfig',
    'passbook.password_expiry_policy.apps.PassbookPasswordExpiryPolicyConfig',
    'passbook.suspicious_policy.apps.PassbookSuspiciousPolicyConfig',
    'passbook.app_gw.apps.PassbookApplicationApplicationGatewayConfig',
 ]
 # Message Tag fix for bootstrap CSS Classes
@ -112,11 +114,12 @@ CACHES = {
 }
 MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'passbook.app_gw.middleware.ApplicationGatewayMiddleware',
    'django.middleware.security.SecurityMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
    'raven.contrib.django.raven_compat.middleware.SentryResponseErrorIdMiddleware',
--- a/passbook/core/static/css/passbook.css
+++ b/passbook/core/static/css/passbook.css
@ -195,3 +195,7 @@ form .form-row p.datetime {
 .selector-remove {
    background: url(../admin/img/selector-icons.svg) 0 -64px no-repeat;
 }
 input[data-is-monospace] {
    font-family: monospace;
 }
--- a/passbook/core/views/utils.py
+++ b/passbook/core/views/utils.py
@ -1,5 +1,4 @@
 """passbook core utils view"""
 from django.contrib.auth.mixins import LoginRequiredMixin
 from django.utils.translation import ugettext as _
 from django.views.generic import TemplateView
@ -21,7 +20,7 @@ class LoadingView(TemplateView):
        kwargs['target_url'] = self.get_url()
        return super().get_context_data(**kwargs)
-class PermissionDeniedView(LoginRequiredMixin, TemplateView):
+class PermissionDeniedView(TemplateView):
    """Generic Permission denied view"""
    template_name = 'login/denied.html'
--- a/passbook/lib/default.yml
+++ b/passbook/lib/default.yml
@ -35,6 +35,8 @@ redis: localhost/0
 error_report_enabled: true
 secret_key: 9$@r!d^1^jrn#fk#1#@ks#9&i$^s#1)_13%$rwjrhd=e8jfi_s
 primary_domain: 'localhost'
 passbook:
  sign_up:
    # Enables signup, created users are stored in internal Database and created in LDAP if ldap.create_users is true
--- a/requirements.txt
+++ b/requirements.txt
@ -7,3 +7,4 @@
 -r passbook/captcha_factor/requirements.txt
 -r passbook/admin/requirements.txt
 -r passbook/api/requirements.txt
 -r passbook/app_gw/requirements.txt
`@ -53,3 +53,4 @@ values =`

	`[bumpversion:file:passbook/otp/__init__.py]`	`[bumpversion:file:passbook/otp/__init__.py]`

		`[bumpversion:file:passbook/app_gw/__init__.py]`
		`@ -0,0 +1,2 @@`
							`"""passbook Application Security Gateway Header"""`
							`__version__ = '0.1.23-beta'`
		`@ -0,0 +1,2 @@`
							`"""passbook app_gw urls"""`
							`urlpatterns = []`