create SSOLoginPolicy, which allows factors to be applied when user comes from SSO login
implement SESSIION_IS_SSO_LOGIN for OAuth Client and core MFA
This commit is contained in:
parent
b46958d1f9
commit
5d1a3043b2
|
@ -29,6 +29,7 @@ class AuthenticationView(UserPassesTestMixin, View):
|
||||||
SESSION_PENDING_FACTORS = 'passbook_pending_factors'
|
SESSION_PENDING_FACTORS = 'passbook_pending_factors'
|
||||||
SESSION_PENDING_USER = 'passbook_pending_user'
|
SESSION_PENDING_USER = 'passbook_pending_user'
|
||||||
SESSION_USER_BACKEND = 'passbook_user_backend'
|
SESSION_USER_BACKEND = 'passbook_user_backend'
|
||||||
|
SESSION_IS_SSO_LOGIN = 'passbook_sso_login'
|
||||||
|
|
||||||
pending_user = None
|
pending_user = None
|
||||||
pending_factors = []
|
pending_factors = []
|
||||||
|
@ -79,6 +80,10 @@ class AuthenticationView(UserPassesTestMixin, View):
|
||||||
if AuthenticationView.SESSION_FACTOR not in request.session:
|
if AuthenticationView.SESSION_FACTOR not in request.session:
|
||||||
# Case when no factors apply to user, return error denied
|
# Case when no factors apply to user, return error denied
|
||||||
if not self.pending_factors:
|
if not self.pending_factors:
|
||||||
|
# Case when user logged in from SSO provider and no more factors apply
|
||||||
|
if AuthenticationView.SESSION_IS_SSO_LOGIN in request.session:
|
||||||
|
LOGGER.debug("User authenticated with SSO, logging in...")
|
||||||
|
return self._user_passed()
|
||||||
return self.user_invalid()
|
return self.user_invalid()
|
||||||
factor_uuid, factor_class = self.pending_factors[0]
|
factor_uuid, factor_class = self.pending_factors[0]
|
||||||
else:
|
else:
|
||||||
|
|
|
@ -5,7 +5,7 @@ from django.utils.translation import gettext as _
|
||||||
|
|
||||||
from passbook.core.models import (DebugPolicy, FieldMatcherPolicy,
|
from passbook.core.models import (DebugPolicy, FieldMatcherPolicy,
|
||||||
GroupMembershipPolicy, PasswordPolicy,
|
GroupMembershipPolicy, PasswordPolicy,
|
||||||
WebhookPolicy)
|
SSOLoginPolicy, WebhookPolicy)
|
||||||
|
|
||||||
GENERAL_FIELDS = ['name', 'action', 'negate', 'order', 'timeout']
|
GENERAL_FIELDS = ['name', 'action', 'negate', 'order', 'timeout']
|
||||||
|
|
||||||
|
@ -66,6 +66,18 @@ class GroupMembershipPolicyForm(forms.ModelForm):
|
||||||
'order': forms.NumberInput(),
|
'order': forms.NumberInput(),
|
||||||
}
|
}
|
||||||
|
|
||||||
|
class SSOLoginPolicyForm(forms.ModelForm):
|
||||||
|
"""Edit SSOLoginPolicy instances"""
|
||||||
|
|
||||||
|
class Meta:
|
||||||
|
|
||||||
|
model = SSOLoginPolicy
|
||||||
|
fields = GENERAL_FIELDS
|
||||||
|
widgets = {
|
||||||
|
'name': forms.TextInput(),
|
||||||
|
'order': forms.NumberInput(),
|
||||||
|
}
|
||||||
|
|
||||||
class PasswordPolicyForm(forms.ModelForm):
|
class PasswordPolicyForm(forms.ModelForm):
|
||||||
"""PasswordPolicy Form"""
|
"""PasswordPolicy Form"""
|
||||||
|
|
||||||
|
|
25
passbook/core/migrations/0024_ssologinpolicy.py
Normal file
25
passbook/core/migrations/0024_ssologinpolicy.py
Normal file
|
@ -0,0 +1,25 @@
|
||||||
|
# Generated by Django 2.2 on 2019-04-29 21:14
|
||||||
|
|
||||||
|
import django.db.models.deletion
|
||||||
|
from django.db import migrations, models
|
||||||
|
|
||||||
|
|
||||||
|
class Migration(migrations.Migration):
|
||||||
|
|
||||||
|
dependencies = [
|
||||||
|
('passbook_core', '0023_remove_user_applications'),
|
||||||
|
]
|
||||||
|
|
||||||
|
operations = [
|
||||||
|
migrations.CreateModel(
|
||||||
|
name='SSOLoginPolicy',
|
||||||
|
fields=[
|
||||||
|
('policy_ptr', models.OneToOneField(auto_created=True, on_delete=django.db.models.deletion.CASCADE, parent_link=True, primary_key=True, serialize=False, to='passbook_core.Policy')),
|
||||||
|
],
|
||||||
|
options={
|
||||||
|
'verbose_name': 'SSO Login Policy',
|
||||||
|
'verbose_name_plural': 'SSO Login Policies',
|
||||||
|
},
|
||||||
|
bases=('passbook_core.policy',),
|
||||||
|
),
|
||||||
|
]
|
|
@ -165,9 +165,10 @@ class Source(PolicyModel):
|
||||||
|
|
||||||
name = models.TextField()
|
name = models.TextField()
|
||||||
slug = models.SlugField()
|
slug = models.SlugField()
|
||||||
form = '' # ModelForm-based class ued to create/edit instance
|
|
||||||
enabled = models.BooleanField(default=True)
|
enabled = models.BooleanField(default=True)
|
||||||
|
|
||||||
|
form = '' # ModelForm-based class ued to create/edit instance
|
||||||
|
|
||||||
objects = InheritanceManager()
|
objects = InheritanceManager()
|
||||||
|
|
||||||
@property
|
@property
|
||||||
|
@ -409,6 +410,21 @@ class GroupMembershipPolicy(Policy):
|
||||||
verbose_name = _('Group Membership Policy')
|
verbose_name = _('Group Membership Policy')
|
||||||
verbose_name_plural = _('Group Membership Policies')
|
verbose_name_plural = _('Group Membership Policies')
|
||||||
|
|
||||||
|
class SSOLoginPolicy(Policy):
|
||||||
|
"""Policy that applies to users that have authenticated themselves through SSO"""
|
||||||
|
|
||||||
|
form = 'passbook.core.forms.policies.SSOLoginPolicyForm'
|
||||||
|
|
||||||
|
def passes(self, user):
|
||||||
|
"""Check if user instance passes this policy"""
|
||||||
|
from passbook.core.auth.view import AuthenticationView
|
||||||
|
return user.session.get(AuthenticationView.SESSION_IS_SSO_LOGIN, False), ""
|
||||||
|
|
||||||
|
class Meta:
|
||||||
|
|
||||||
|
verbose_name = _('SSO Login Policy')
|
||||||
|
verbose_name_plural = _('SSO Login Policies')
|
||||||
|
|
||||||
class Invitation(UUIDModel):
|
class Invitation(UUIDModel):
|
||||||
"""Single-use invitation link"""
|
"""Single-use invitation link"""
|
||||||
|
|
||||||
|
|
|
@ -12,6 +12,7 @@ from django.urls import reverse
|
||||||
from django.utils.translation import ugettext as _
|
from django.utils.translation import ugettext as _
|
||||||
from django.views.generic import RedirectView, View
|
from django.views.generic import RedirectView, View
|
||||||
|
|
||||||
|
from passbook.core.auth.view import AuthenticationView, _redirect_with_qs
|
||||||
from passbook.lib.utils.reflection import app
|
from passbook.lib.utils.reflection import app
|
||||||
from passbook.oauth_client.clients import get_client
|
from passbook.oauth_client.clients import get_client
|
||||||
from passbook.oauth_client.models import OAuthSource, UserOAuthSourceConnection
|
from passbook.oauth_client.models import OAuthSource, UserOAuthSourceConnection
|
||||||
|
@ -128,11 +129,6 @@ class OAuthCallback(OAuthClientMixin, View):
|
||||||
"Return url to redirect on login failure."
|
"Return url to redirect on login failure."
|
||||||
return settings.LOGIN_URL
|
return settings.LOGIN_URL
|
||||||
|
|
||||||
# pylint: disable=unused-argument
|
|
||||||
def get_login_redirect(self, source, user, access, new=False):
|
|
||||||
"Return url to redirect authenticated users."
|
|
||||||
return 'passbook_core:overview'
|
|
||||||
|
|
||||||
def get_or_create_user(self, source, access, info):
|
def get_or_create_user(self, source, access, info):
|
||||||
"Create a shell auth.User."
|
"Create a shell auth.User."
|
||||||
raise NotImplementedError()
|
raise NotImplementedError()
|
||||||
|
@ -149,14 +145,22 @@ class OAuthCallback(OAuthClientMixin, View):
|
||||||
except KeyError:
|
except KeyError:
|
||||||
return None
|
return None
|
||||||
|
|
||||||
|
def handle_login(self, user, source, access):
|
||||||
|
"""Prepare AuthenticationView, redirect users to remaining Factors"""
|
||||||
|
user = authenticate(source=access.source,
|
||||||
|
identifier=access.identifier, request=self.request)
|
||||||
|
self.request.session[AuthenticationView.SESSION_PENDING_USER] = user.pk
|
||||||
|
self.request.session[AuthenticationView.SESSION_USER_BACKEND] = user.backend
|
||||||
|
self.request.session[AuthenticationView.SESSION_IS_SSO_LOGIN] = True
|
||||||
|
return _redirect_with_qs('passbook_core:auth-process', self.request.GET)
|
||||||
|
|
||||||
# pylint: disable=unused-argument
|
# pylint: disable=unused-argument
|
||||||
def handle_existing_user(self, source, user, access, info):
|
def handle_existing_user(self, source, user, access, info):
|
||||||
"Login user and redirect."
|
"Login user and redirect."
|
||||||
login(self.request, user)
|
|
||||||
messages.success(self.request, _("Successfully authenticated with %(source)s!" % {
|
messages.success(self.request, _("Successfully authenticated with %(source)s!" % {
|
||||||
'source': self.source.name
|
'source': self.source.name
|
||||||
}))
|
}))
|
||||||
return redirect(self.get_login_redirect(source, user, access))
|
return self.handle_login(user, source, access)
|
||||||
|
|
||||||
def handle_login_failure(self, source, reason):
|
def handle_login_failure(self, source, reason):
|
||||||
"Message user and redirect on error."
|
"Message user and redirect on error."
|
||||||
|
@ -176,12 +180,9 @@ class OAuthCallback(OAuthClientMixin, View):
|
||||||
access.user = user
|
access.user = user
|
||||||
access.save()
|
access.save()
|
||||||
UserOAuthSourceConnection.objects.filter(pk=access.pk).update(user=user)
|
UserOAuthSourceConnection.objects.filter(pk=access.pk).update(user=user)
|
||||||
if not was_authenticated:
|
|
||||||
user = authenticate(source=access.source,
|
|
||||||
identifier=access.identifier, request=self.request)
|
|
||||||
login(self.request, user)
|
|
||||||
if app('passbook_audit'):
|
if app('passbook_audit'):
|
||||||
pass
|
pass
|
||||||
|
# TODO: Create audit entry
|
||||||
# from passbook.audit.models import something
|
# from passbook.audit.models import something
|
||||||
# something.event(user=user,)
|
# something.event(user=user,)
|
||||||
# Event.create(
|
# Event.create(
|
||||||
|
@ -197,10 +198,13 @@ class OAuthCallback(OAuthClientMixin, View):
|
||||||
return redirect(reverse('passbook_oauth_client:oauth-client-user', kwargs={
|
return redirect(reverse('passbook_oauth_client:oauth-client-user', kwargs={
|
||||||
'source_slug': self.source.slug
|
'source_slug': self.source.slug
|
||||||
}))
|
}))
|
||||||
|
# User was not authenticated, new user has been created
|
||||||
|
user = authenticate(source=access.source,
|
||||||
|
identifier=access.identifier, request=self.request)
|
||||||
messages.success(self.request, _("Successfully authenticated with %(source)s!" % {
|
messages.success(self.request, _("Successfully authenticated with %(source)s!" % {
|
||||||
'source': self.source.name
|
'source': self.source.name
|
||||||
}))
|
}))
|
||||||
return redirect(self.get_login_redirect(source, user, access, True))
|
return self.handle_login(user, source, access)
|
||||||
|
|
||||||
|
|
||||||
class DisconnectView(LoginRequiredMixin, View):
|
class DisconnectView(LoginRequiredMixin, View):
|
||||||
|
|
Reference in a new issue