diff --git a/.gitignore b/.gitignore
index 606885d70..062bd9635 100644
--- a/.gitignore
+++ b/.gitignore
@@ -199,3 +199,4 @@ local.env.yml
 # Selenium Screenshots
 selenium_screenshots/**
+backups/
diff --git a/README.md b/README.md
index 592a4cbdf..e0eb6083b 100644
--- a/README.md
+++ b/README.md
@@ -13,9 +13,9 @@ passbook is an open-source Identity Provider focused on flexibility and versatil
 ## Installation
-For small/test setups it is recommended to use docker-compose, see the [documentation](https://passbook.beryju.org/installation/docker-compose/)
+For small/test setups it is recommended to use docker-compose, see the [documentation](https://passbook.beryju.org/docs/installation/docker-compose/)
-For bigger setups, there is a Helm Chart in the `helm/` directory. This is documented [here](https://passbook.beryju.org//installation/kubernetes/)
+For bigger setups, there is a Helm Chart in the `helm/` directory. This is documented [here](https://passbook.beryju.org/docs/installation/kubernetes/)
 ## Screenshots
@@ -24,7 +24,7 @@ For bigger setups, there is a Helm Chart in the `helm/` directory. This is docum
 ## Development
-To develop on passbook, you need a system with Python 3.7+ (3.8 is recommended). passbook uses [pipenv](https://pipenv.pypa.io/en/latest/) for managing dependencies.
+To develop on passbook, you need a system with Python 3.8+ (3.9 is recommended). passbook uses [pipenv](https://pipenv.pypa.io/en/latest/) for managing dependencies.
 To get started, run
diff --git a/docs/expressions/reference/user-object.md b/docs/expressions/reference/user-object.md
deleted file mode 100644
index 6e1dc6d28..000000000
--- a/docs/expressions/reference/user-object.md
+++ /dev/null
@@ -1,26 +0,0 @@ -# Passbook User Object - -The User object has the following attributes: - -- `username`: User's username. -- `email` User's email. -- `name` User's display name. -- `is_staff` Boolean field if user is staff. -- `is_active` Boolean field if user is active. -- `date_joined` Date user joined/was created. -- `password_change_date` Date password was last changed. -- `attributes` Dynamic attributes. -- `pb_groups` This is a queryset of all the user's groups. - - You can do additional filtering like `user.pb_groups.filter(name__startswith='test')`, see [here](https://docs.djangoproject.com/en/3.1/ref/models/querysets/#id4) - - To get the name of all groups, you can do `[group.name for group in user.pb_groups.all()]` - -## Examples - -List all the User's group names: - -```python -for group in user.pb_groups.all(): - yield group.name -``` diff --git a/docs/flow/stages/otp/index.md b/docs/flow/stages/otp/index.md deleted file mode 100644 index c14f6af27..000000000 --- a/docs/flow/stages/otp/index.md +++ /dev/null @@ -1,7 +0,0 @@ -# OTP Stage - -This stage offers a generic Time-based One-time Password authentication step. - -You can optionally enforce this step, which will force every user without OTP setup to configure it. - -This stage uses a 6-digit Code with a 30 second time-drift. This is currently not changeable. diff --git a/docs/flow/stages/user_delete.md b/docs/flow/stages/user_delete.md deleted file mode 100644 index 040337a81..000000000 --- a/docs/flow/stages/user_delete.md +++ /dev/null @@ -1,8 +0,0 @@ -# User Delete Stage - -!!! danger - This stage deletes the `pending_user` without any confirmation. You have to make sure the user is aware of this. - -This stage is intended for an unenrollment flow. It deletes the currently pending user. - -The pending user is also removed from the current session. diff --git a/docs/installation/kubernetes.md b/docs/installation/kubernetes.md deleted file mode 100644 index e00a5612a..000000000 
--- a/docs/installation/kubernetes.md +++ /dev/null @@ -1,73 +0,0 @@ -# Kubernetes - -For a mid to high-load installation, Kubernetes is recommended. passbook is installed using a helm-chart. - -This installation automatically applies database migrations on startup. After the installation is done, you can use `pbadmin` as username and password. - -```yaml -################################### -# Values directly affecting passbook -################################### -image: - name: beryju/passbook - name_static: beryju/passbook-static - tag: 0.12.10-stable - -serverReplicas: 1 -workerReplicas: 1 - -# Enable the Kubernetes integration which lets passbook deploy outposts into kubernetes -kubernetesIntegration: true - -config: - # Optionally specify fixed secret_key, otherwise generated automatically - # secretKey: _k*@6h2u2@q-dku57hhgzb7tnx*ba9wodcb^s9g0j59@=y(@_o - # Enable error reporting - errorReporting: - enabled: false - environment: customer - sendPii: false - # Log level used by web and worker - # Can be either debug, info, warning, error - logLevel: warning - -# Enable Database Backups to S3 -# backup: -# accessKey: access-key -# secretKey: secret-key -# bucket: s3-bucket -# region: eu-central-1 -# host: s3-host - -ingress: - annotations: {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - hosts: - - passbook.k8s.local - tls: [] - # - secretName: chart-example-tls - # hosts: - # - passbook.k8s.local - -################################### -# Values controlling dependencies -################################### - -install: - postgresql: true - redis: true - -# These values influence the bundled postgresql and redis charts, but are also used by passbook to connect -postgresql: - postgresqlDatabase: passbook - -redis: - cluster: - enabled: false - master: - persistence: - enabled: false - # https://stackoverflow.com/a/59189742 - disableCommands: [] -``` 
diff --git a/docs/integrations/services/tower-awx/index.md b/docs/integrations/services/tower-awx/index.md deleted file mode 100644 index 7729fe2e9..000000000 --- a/docs/integrations/services/tower-awx/index.md +++ /dev/null 
@@ -1,75 +0,0 @@ -# Ansible Tower / AWX Integration - -## What is Tower - -From https://docs.ansible.com/ansible/2.5/reference_appendices/tower.html - -!!! note "" - Ansible Tower (formerly ‘AWX’) is a web-based solution that makes Ansible even more easy to use for IT teams of all kinds. It’s designed to be the hub for all of your automation tasks. - - Tower allows you to control access to who can access what, even allowing sharing of SSH credentials without someone being able to transfer those credentials. Inventory can be graphically managed or synced with a wide variety of cloud sources. It logs all of your jobs, integrates well with LDAP, and has an amazing browsable REST API. Command line tools are available for easy integration with Jenkins as well. Provisioning callbacks provide great support for autoscaling topologies. - -!!! note - AWX is the open-source version of Tower. The term "AWX" will be used interchangeably throughout this document. - -## Preparation - -The following placeholders will be used: - -- `awx.company` is the FQDN of the AWX/Tower install. -- `passbook.company` is the FQDN of the passbook install. - -Create an application in passbook and note the slug, as this will be used later. Create a SAML provider with the following parameters: - -- ACS URL: `https://awx.company/sso/complete/saml/` -- Audience: `awx` -- Service Provider Binding: Post -- Issuer: `https://awx.company/sso/metadata/saml/` - -You can of course use a custom signing certificate, and adjust durations. - -## AWX Configuration - -Navigate to `https://awx.company/#/settings/auth` to configure SAML. Set the Field `SAML SERVICE PROVIDER ENTITY ID` to `awx`. - -For the fields `SAML SERVICE PROVIDER PUBLIC CERTIFICATE` and `SAML SERVICE PROVIDER PRIVATE KEY`, you can either use custom certificates, or use the self-signed pair generated by passbook. 
- -Provide metadata in the `SAML Service Provider Organization Info` field: - -```json -{ - "en-US": { - "name": "passbook", - "url": "https://passbook.company", - "displayname": "passbook" - } -} -``` - -Provide metadata in the `SAML Service Provider Technical Contact` and `SAML Service Provider Technical Contact` fields: - -```json -{ - "givenName": "Admin Name", - "emailAddress": "admin@company" -} -``` - -In the `SAML Enabled Identity Providers` paste the following configuration: - -```json -{ - "passbook": { - "attr_username": "urn:oid:2.16.840.1.113730.3.1.241", - "attr_user_permanent_id": "urn:oid:0.9.2342.19200300.100.1.1", - "x509cert": "MIIDEjCCAfqgAwIBAgIRAJZ9pOZ1g0xjiHtQAAejsMEwDQYJKoZIhvcNAQELBQAwMDEuMCwGA1UEAwwlcGFzc2Jvb2sgU2VsZi1zaWduZWQgU0FNTCBDZXJ0aWZpY2F0ZTAeFw0xOTEyMjYyMDEwNDFaFw0yMDEyMjYyMDEwNDFaMFkxLjAsBgNVBAMMJXBhc3Nib29rIFNlbGYtc2lnbmVkIFNBTUwgQ2VydGlmaWNhdGUxETAPBgNVBAoMCHBhc3Nib29rMRQwEgYDVQQLDAtTZWxmLXNpZ25lZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAO/ktBYZkY9xAijF4acvzX6Q1K8KoIZeyde8fVgcWBz4L5FgDQ4/dni4k2YAcPdwteGL4nKVzetUzjbRCBUNuO6lqU4J4WNNX4Xg4Ir7XLRoAQeo+omTPBdpJ1p02HjtN5jT01umN3bK2yto1e37CJhK6WJiaXqRewPxh4lI4aqdj3BhFkJ3I3r2qxaWOAXQ6X7fg3w/ny7QP53//ouZo7hSLY3GIcRKgvdjjVM3OW5C3WLpOq5Dez5GWVJ17aeFCfGQ8bwFKde6qfYqyGcU9xHB36TtVHB9hSFP/tUFhkiSOxtsrYwCgCyXm4UTSpP+wiNyjKfFw7qGLBvA2hGTNw8CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAh9PeAqPRQk1/SSygIFADZBi08O/DPCshFwEHvJATIcTzcDD8UGAjXh+H5OlkDyX7KyrcaNvYaafCUo63A+WprdtdY5Ty6SBEwTYyiQyQfwM9BfK+imCoif1Ai7xAelD7p9lNazWq7JU+H/Ep7U7Q7LvpxAbK0JArt+IWTb2NcMb3OWE1r0gFbs44O1l6W9UbJTbyLMzbGbe5i+NHlgnwPwuhtRMh0NUYabGHKcHbhwyFhfGAQv2dAp5KF1E5gu6ZzCiFePzc0FrqXQyb2zpFYcJHXquiqaOeG7cZxRHYcjrl10Vxzki64XVA9BpdELgKSnupDGUEJsRUt3WVOmvZuA==", - "url": "https://passbook.company/application/saml/awx/login/", - "attr_last_name": "User.LastName", - "entity_id": "https://awx.company/sso/metadata/saml/", - "attr_email": "urn:oid:0.9.2342.19200300.100.1.3", - "attr_first_name": "urn:oid:2.5.4.3" - } -} -``` - -`x509cert` is the 
certificate configured in passbook. Remove the `--BEGIN CERTIFICATE--` and `--END CERTIFICATE--` headers, then enter the cert as one non-breaking string. diff --git a/docs/integrations/services/vmware-vcenter/index.md b/docs/integrations/services/vmware-vcenter/index.md deleted file mode 100644 index 81196308e..000000000 --- a/docs/integrations/services/vmware-vcenter/index.md +++ /dev/null 
@@ -1,83 +0,0 @@ -# VMware vCenter Integration - -## What is vCenter - -From https://en.wikipedia.org/wiki/VCenter - -!!! note "" - - vCenter Server is the centralized management utility for VMware, and is used to manage virtual machines, multiple ESXi hosts, and all dependent components from a single centralized location. VMware vMotion and svMotion require the use of vCenter and ESXi hosts. - -!!! warning - - This requires passbook 0.10.3 or newer. - -!!! warning - - This requires VMware vCenter 7.0.0 or newer. - -!!! note - - It seems that the vCenter still needs to be joined to the Active Directory Domain, otherwise group membership does not work correctly. We're working on a fix for this, for the meantime your vCenter should be part of your Domain. - -## Preparation - -The following placeholders will be used: - - - `vcenter.company` is the FQDN of the vCenter server. - - `passbook.company` is the FQDN of the passbook install. - -Since vCenter only allows OpenID-Connect in combination with Active Directory, it is recommended to have passbook sync with the same Active Directory. - -### Step 1 - -Under *Property Mappings*, create a *Scope Mapping*. Give it a name like "OIDC-Scope-VMware-vCenter". Set the scope name to `openid` and the expression to the following - -```python -return { - "domain": "", -} -``` - -### Step 2 - -!!! note - If your Active Directory Schema is the same as your Email address schema, skip to Step 3. - -Under *Sources*, click *Edit* and ensure that "Autogenerated Active Directory Mapping: userPrincipalName -> attributes.upn" has been added to your source. 
- -### Step 3 - -Under *Providers*, create an OAuth2/OpenID Provider with these settings: - - - Client Type: Confidential - - Response Type: code (ADFS Compatibility Mode, sends id_token as access_token) - - JWT Algorithm: RS256 - - Redirect URI: `https://vcenter.company/ui/login/oauth2/authcode` - - Post Logout Redirect URIs: `https://vcenter.company/ui/login` - - Sub Mode: If your Email address Schema matches your UPN, select "Based on the User's Email...", otherwise select "Based on the User's UPN...". - - Scopes: Select the Scope Mapping you've created in Step 1 - -![](./passbook_setup.png) - -### Step 4 - -Create an application which uses this provider. Optionally apply access restrictions to the application. - -Set the Launch URL to `https://vcenter.company/ui/login/oauth2`. This will skip vCenter's User Prompt and directly log you in. - -## vCenter Setup - -Login as local Administrator account (most likely ends with vsphere.local). Using the Menu in the Navigation bar, navigate to *Administration -> Single Sing-on -> Configuration*. - -Click on *Change Identity Provider* in the top-right corner. - -In the wizard, select "Microsoft ADFS" and click Next. - -Fill in the Client Identifier and Shared Secret from the Provider in passbook. For the OpenID Address, click on *View Setup URLs* in passbook, and copy the OpenID Configuration URL. - -On the next page, fill in your Active Directory Connection Details. These should be similar to what you have set in passbook. - -![](./vcenter_post_setup.png) - -If your vCenter was already setup with LDAP beforehand, your Role assignments will continue to work. diff --git a/docs/outposts/deploy-docker-compose.md b/docs/outposts/deploy-docker-compose.md deleted file mode 100644 index 081aec3de..000000000 --- a/docs/outposts/deploy-docker-compose.md +++ /dev/null 
@@ -1,20 +0,0 @@ -# Outpost deployment in docker-compose - -To deploy an outpost with docker-compose, use this snippet in your docker-compose file. - -You can also run the outpost in a separate docker-compose project, you just have to ensure that the outpost container can reach your application container. - -```yaml -version: '3.5' - -services: - passbook_proxy: - image: beryju/passbook-proxy:0.10.0-stable - ports: - - 4180:4180 - - 4443:4443 - environment: - PASSBOOK_HOST: https://your-passbook.tld - PASSBOOK_INSECURE: 'false' - PASSBOOK_TOKEN: token-generated-by-passbook -``` diff --git a/docs/outposts/deploy-kubernetes.md b/docs/outposts/deploy-kubernetes.md deleted file mode 100644 index eecaec11e..000000000 --- a/docs/outposts/deploy-kubernetes.md +++ /dev/null 
@@ -1,99 +0,0 @@ -# Outpost deployment on Kubernetes - -Use the following manifest, replacing all values surrounded with `__`. - -Afterwards, configure the proxy provider to connect to `..svc.cluster.local`, and update your Ingress to connect to the `passbook-outpost` service. - -```yaml -apiVersion: v1 -kind: Secret -metadata: - labels: - app.kubernetes.io/instance: test - app.kubernetes.io/managed-by: passbook.beryju.org - app.kubernetes.io/name: passbook-proxy - app.kubernetes.io/version: 0.10.0 - name: passbook-outpost-api -stringData: - passbook_host: '__PASSBOOK_URL__' - passbook_host_insecure: 'true' - token: '__PASSBOOK_TOKEN__' -type: Opaque ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app.kubernetes.io/instance: test - app.kubernetes.io/managed-by: passbook.beryju.org - app.kubernetes.io/name: passbook-proxy - app.kubernetes.io/version: 0.10.0 - name: passbook-outpost -spec: - ports: - - name: http - port: 4180 - protocol: TCP - targetPort: http - - name: https - port: 4443 - protocol: TCP - targetPort: https - selector: - app.kubernetes.io/instance: test - app.kubernetes.io/managed-by: passbook.beryju.org - app.kubernetes.io/name: passbook-proxy - app.kubernetes.io/version: 0.10.0 - type: ClusterIP ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app.kubernetes.io/instance: test - app.kubernetes.io/managed-by: passbook.beryju.org - app.kubernetes.io/name: passbook-proxy - app.kubernetes.io/version: 0.10.0 - name: passbook-outpost -spec: - selector: - matchLabels: - app.kubernetes.io/instance: test - app.kubernetes.io/managed-by: passbook.beryju.org - app.kubernetes.io/name: passbook-proxy - app.kubernetes.io/version: 0.10.0 - template: - metadata: - labels: - app.kubernetes.io/instance: test - app.kubernetes.io/managed-by: passbook.beryju.org - app.kubernetes.io/name: passbook-proxy - app.kubernetes.io/version: 0.10.0 - spec: - containers: - - env: - - name: PASSBOOK_HOST - valueFrom: - secretKeyRef: - key: passbook_host - 
name: passbook-outpost-api - - name: PASSBOOK_TOKEN - valueFrom: - secretKeyRef: - key: token - name: passbook-outpost-api - - name: PASSBOOK_INSECURE - valueFrom: - secretKeyRef: - key: passbook_host_insecure - name: passbook-outpost-api - image: beryju/passbook-proxy:0.10.0-stable - name: proxy - ports: - - containerPort: 4180 - name: http - protocol: TCP - - containerPort: 4443 - name: https - protocol: TCP -``` diff --git a/docs/outposts/outposts.md b/docs/outposts/outposts.md deleted file mode 100644 index b71eff524..000000000 --- a/docs/outposts/outposts.md +++ /dev/null @@ -1,14 +0,0 @@ -# Outposts - -An outpost is a single deployment of a passbook component, which can be deployed in a completely separate environment. Currently, only the Proxy Provider is supported as outpost. - -![](outposts.png) - -Upon creation, a service account and a token is generated. The service account only has permissions to read the outpost and provider configuration. This token is used by the Outpost to connect to passbook. - -To deploy an outpost, see: - -- [Kubernetes](deploy-kubernetes.md) -- [docker-compose](deploy-docker-compose.md) - -In future versions, this snippet will be automatically generated. You will also be able to deploy an outpost directly into a kubernetes cluster. diff --git a/docs/policies/expression.md b/docs/policies/expression.md deleted file mode 100644 index 9c137646d..000000000 --- a/docs/policies/expression.md +++ /dev/null 
@@ -1,41 +0,0 @@ -# Expression Policies - -!!! notice - These variables are available in addition to the common variables/functions defined in [**Expressions**](../expressions/index.md) - -The passing of the policy is determined by the return value of the code. Use `return True` to pass a policy and `return False` to fail it. - -### Available Functions - -#### `pb_message(message: str)` - -Add a message, visible by the end user. This can be used to show the reason why they were denied. - -Example: - -```python -pb_message("Access denied") -return False -``` - -### Context variables - -- `request`: A PolicyRequest object, which has the following properties: - - `request.user`: The current user, against which the policy is applied. ([ref](../expressions/reference/user-object.md)) - - `request.http_request`: The Django HTTP Request. ([ref](https://docs.djangoproject.com/en/3.0/ref/request-response/#httprequest-objects)) - - `request.obj`: A Django Model instance. This is only set if the policy is ran against an object. - - `request.context`: A dictionary with dynamic data. This depends on the origin of the execution. -- `pb_is_sso_flow`: Boolean which is true if request was initiated by authenticating through an external provider. -- `pb_client_ip`: Client's IP Address or 255.255.255.255 if no IP Address could be extracted. Can be [compared](../expressions/index.md#comparing-ip-addresses), for example - - ```python - return pb_client_ip in ip_network('10.0.0.0/24') - ``` - -Additionally, when the policy is executed from a flow, every variable from the flow's current context is accessible under the `context` object. - -This includes the following: - -- `prompt_data`: Data which has been saved from a prompt stage or an external source. -- `application`: The application the user is in the process of authorizing. -- `pending_user`: The currently pending user 
diff --git a/docs/property-mappings/expression.md b/docs/property-mappings/expression.md deleted file mode 100644 index 067386b52..000000000 --- a/docs/property-mappings/expression.md +++ /dev/null @@ -1,12 +0,0 @@ -# Property Mapping Expressions - -The property mapping should return a value that is expected by the Provider/Source. Supported types are documented in the individual Provider/Source. Returning `None` is always accepted and would simply skip the mapping for which `None` was returned. - -!!! notice - These variables are available in addition to the common variables/functions defined in [**Expressions**](../expressions/index.md) - -### Context Variables - -- `user`: The current user. This may be `None` if there is no contextual user. ([ref](../expressions/reference/user-object.md)) -- `request`: The current request. This may be `None` if there is no contextual request. ([ref](https://docs.djangoproject.com/en/3.0/ref/request-response/#httprequest-objects)) -- Other arbitrary arguments given by the provider, this is documented on the Provider/Source. diff --git a/docs/providers/oauth2.md b/docs/providers/oauth2.md deleted file mode 100644 index 336077666..000000000 --- a/docs/providers/oauth2.md +++ /dev/null 
@@ -1,31 +0,0 @@ -# OAuth2 Provider - -This provider supports both generic OAuth2 as well as OpenID Connect - -Scopes can be configured using Scope Mappings, a type of [Property Mappings](../property-mappings/index.md#scope-mapping). - -Endpoint | URL ----------|--- -Authorization | `/application/o/authorize/` -Token | `/application/o/token/` -User Info | `/application/o/userinfo/` -End Session | `/application/o/end-session/` -Introspect | `/application/o/end-session/` -JWKS | `/application/o//jwks/` -OpenID Configuration | `/application/o//.well-known/openid-configuration` - -## GitHub Compatibility - -This provider also exposes a GitHub-compatible endpoint. This endpoint can be used by applications, which support authenticating against GitHub Enterprise, but not generic OpenID Connect. - -To use any of the GitHub Compatibility scopes, you have to use the GitHub Compatibility Endpoints. - - -Endpoint | URL ----------|--- -Authorization | `/login/oauth/authorize` -Token | `/login/oauth/access_token` -User Info | `/user` -User Teams Info | `/user/teams` - -To access the user's email address, a scope of `user:email` is required. To access their groups, `read:org` is required. Because these scopes are handled by a different endpoint, they are not customisable as a Scope Mapping. diff --git a/docs/providers/proxy.md b/docs/providers/proxy.md deleted file mode 100644 index d269127b4..000000000 --- a/docs/providers/proxy.md +++ /dev/null 
@@ -1,24 +0,0 @@ -# Proxy Provider - -!!! info - This provider is to be used in conjunction with [Outposts](../outposts/outposts.md) - -This provider protects applications, which have no built-in support for OAuth2 or SAML. This is done by running a lightweight Reverse Proxy in front of the application, which authenticates the requests. - -passbook Proxy is based on [oauth2_proxy](https://github.com/oauth2-proxy/oauth2-proxy), but has been integrated more tightly with passbook. - -The Proxy these extra headers to the application: - -Header Name | Value --------------|------- -X-Forwarded-User | The user's unique identifier (**not the username**) -X-Forwarded-Email | The user's email address -X-Forwarded-Preferred-Username | The user's username -X-Auth-Username | The user's username - -Additionally, you can add more custom headers using `additionalHeaders` in the User or Group Properties, for example - -```yaml -additionalHeaders: - X-additional-header: bar -``` diff --git a/docs/providers/saml.md b/docs/providers/saml.md deleted file mode 100644 index f2952f38f..000000000 --- a/docs/providers/saml.md +++ /dev/null @@ -1,12 +0,0 @@ -# SAML Provider - -This provider allows you to integrate enterprise software using the SAML2 Protocol. It supports signed requests and uses [Property Mappings](../property-mappings/index.md#saml-property-mapping) to determine which fields are exposed and what values they return. This makes it possible to expose vendor-specific fields. -Default fields are exposed through auto-generated Property Mappings, which are prefixed with "Autogenerated". - - -Endpoint | URL ----------|--- -SSO (Redirect binding) | `/application/saml//sso/binding/redirect/` -SSO (POST binding) | `/application/saml//sso/binding/post/` -IdP-initiated login | `/application/saml//sso/binding/init/` -Metadata Download | `/application/saml//metadata/` diff --git a/docs/requirements.txt b/docs/requirements.txt deleted file mode 100644 index 9a8a4ca47..000000000 
--- a/docs/requirements.txt +++ /dev/null @@ -1,2 +0,0 @@ -mkdocs -mkdocs-material diff --git a/docs/runtime.txt b/docs/runtime.txt deleted file mode 100644 index 548d71365..000000000 --- a/docs/runtime.txt +++ /dev/null @@ -1 +0,0 @@ -3.7 \ No newline at end of file diff --git a/docs/upgrading/to-0.10.md b/docs/upgrading/to-0.10.md deleted file mode 100644 index 462156d35..000000000 --- a/docs/upgrading/to-0.10.md +++ /dev/null 
@@ -1,73 +0,0 @@ -# Upgrading to 0.10 - -This update brings a lot of big features, such as: - -- New OAuth2/OpenID Provider - - This new provider merges both OAuth2 and OpenID. It is based on the codebase of the old provider, which has been simplified and cleaned from the ground up. Support for Property Mappings has also been added. Because of this change, OpenID and OAuth2 Providers will have to be re-created. - -- Proxy Provider - - Due to this new OAuth2 Provider, the Application Gateway Provider, now simply called "Proxy Provider" has been revamped as well. The new passbook Proxy integrates more tightly with passbook via the new Outposts system. The new proxy also supports multiple applications per proxy instance, can configure TLS based on passbook Keypairs, and more. - - See [Proxy](../providers/proxy.md) - -- Outpost System - - This is a new Object type, currently used only by the Proxy Provider. It manages the creation and permissions of service accounts, which are used by the outposts to communicate with passbook. - - See [Outposts](../outposts/outposts.md) - -- Flow Import/Export - - Flows can now be imported and exported. This feature can be used as a backup system, or to share complex flows with other people. Example flows have also been added to the documentation to help you get going with passbook. - -## Under the hood - -- passbook now runs on Django 3.1 and Channels with complete ASGI enabled -- uwsgi has been replaced with Gunicorn and uvicorn -- Elastic APM has been replaced with Sentry Performance metrics -- Flow title is now configurable separately from the name -- All logging output is now json - -## Upgrading - -### docker-compose - -The docker-compose file has been updated, please download the latest from `https://raw.githubusercontent.com/BeryJu/passbook/master/docker-compose.yml`. -By default, the new compose file uses a fixed version to prevent unintended updates. - -Before updating the file, stop all containers. 
Then download the file, pull the new containers and start the database. - -``` -docker-compose down -docker-compose pull -docker-compose up --no-start -docker-compose start redis postgrseql -docker-compose run --rm server migrate -docker-compose up -d -``` - -### Helm - -A few options have changed: - -- `error_reporting` was changed from a simple boolean to a dictionary: - -```yaml - error_reporting: - enabled: false - environment: customer - send_pii: false -``` - -- The `apm` and `monitoring` blocks have been removed. -- `serverReplicas` and `workerReplicas` have been added - -### Upgrading - -This upgrade only applies if you are upgrading from a running 0.9 instance. Passbook detects this on startup, and automatically executes this upgrade. - -Because this upgrade brings the new OAuth2 Provider, the old providers will be lost in the process. Make sure to take note of the providers you want to bring over. - -Another side-effect of this upgrade is the change of OAuth2 URLs, see [here](../providers/oauth2.md). diff --git a/docs/upgrading/to-0.11.md b/docs/upgrading/to-0.11.md deleted file mode 100644 index dac287d95..000000000 --- a/docs/upgrading/to-0.11.md +++ /dev/null 
@@ -1,20 +0,0 @@ -# Upgrading to 0.11 - -This update brings these headline features: - -- Add Backup and Restore, currently only externally schedulable, documented [here](https://passbook.beryju.org/maintenance/backups/) -- New Admin Dashboard with more metrics and Charts - - Shows successful and failed logins from the last 24 hours, as well as the most used applications -- Add search to all table views -- Outpost now supports a Docker Controller, which installs the Outpost on the same host as passbook, updates and manages it -- Add Token Identifier - - Tokens now have an identifier which is used to reference to them, so the Primary key is not shown in URLs -- `core/applications/list` API now shows applications the user has access to via policies - -## Upgrading - -This upgrade can be done as with minor upgrades, the only external change is the new docker-compose file, which enabled the Docker Integration for Outposts. To use this feature, please download the latest docker-compose from [here](https://raw.githubusercontent.com/BeryJu/passbook/master/docker-compose.yml). - -Afterwards, you can simply run `docker-compose up -d` and then the normal upgrade command of `docker-compose run --rm server migrate`. diff --git a/docs/upgrading/to-0.12.md b/docs/upgrading/to-0.12.md deleted file mode 100644 index ace41a6bd..000000000 --- a/docs/upgrading/to-0.12.md +++ /dev/null 
@@ -1,63 +0,0 @@ -# Upgrading to 0.12 - -This update brings these headline features: - -- Rewrite Outpost state Logic, which now supports multiple concurrent Outpost instances. -- Add Kubernetes Integration for Outposts, which deploys and maintains Outposts with High Availability in a Kubernetes Cluster -- Add System Task Overview to see all background tasks, their status, the log output, and retry them -- Alerts now disappear automatically -- Audit Logs are now searchable -- Users can now create their own Tokens to access the API -- docker-compose deployment now uses traefik 2.3 - -Fixes: - -- Fix high CPU Usage of the proxy when Websocket connections fail - -## Upgrading - -### docker-compose - -Docker-compose users should download the latest docker-compose file from [here](https://raw.githubusercontent.com/BeryJu/passbook/master/docker-compose.yml). This includes the new traefik 2.3. - -Afterwards, you can simply run `docker-compose up -d` and then the normal upgrade command of `docker-compose run --rm server migrate`. - -### Kubernetes - -For Kubernetes users, there are some changes to the helm values. - -The values change from - -```yaml -config: - # Optionally specify fixed secret_key, otherwise generated automatically - # secret_key: _k*@6h2u2@q-dku57hhgzb7tnx*ba9wodcb^s9g0j59@=y(@_o - # Enable error reporting - error_reporting: - enabled: false - environment: customer - send_pii: false - # Log level used by web and worker - # Can be either debug, info, warning, error - log_level: warning -``` - -to - -```yaml -config: - # Optionally specify fixed secret_key, otherwise generated automatically - # secretKey: _k*@6h2u2@q-dku57hhgzb7tnx*ba9wodcb^s9g0j59@=y(@_o - # Enable error reporting - errorReporting: - enabled: false - environment: customer - sendPii: false - # Log level used by web and worker - # Can be either debug, info, warning, error - logLevel: warning -``` - -in order to be consistent with the rest of the settings. 
-
-There is also a new setting called `kubernetesIntegration`, which controls the Kubernetes integration for passbook. When enabled (the default), a Service Account is created, which allows passbook to deploy and update Outposts.
diff --git a/helm/README.md b/helm/README.md
index cd9c148e2..b7118770c 100644
--- a/helm/README.md
+++ b/helm/README.md
@@ -25,4 +25,4 @@ | install.redis | true | Enables/disables the packaged Redis Chart | postgresql.postgresqlPassword | | Password used for PostgreSQL, generated automatically.
-For more info, see https://passbook.beryju.org/ and https://passbook.beryju.org/installation/kubernetes/
+For more info, see https://passbook.beryju.org/ and https://passbook.beryju.org/docs/installation/kubernetes/
diff --git a/mkdocs.yml b/mkdocs.yml
deleted file mode 100644
index f246df78f..000000000
--- a/mkdocs.yml
+++ /dev/null
@@ -1,95 +0,0 @@
-site_name: passbook Docs
-site_url: https://passbook.beryju.org/
-copyright: "Copyright © 2019 - 2020 BeryJu.org"
-
-nav:
- - Home: index.md
- - Terminology: terminology.md
- - Installation:
- - docker-compose: installation/docker-compose.md
- - Kubernetes: installation/kubernetes.md
- - Reverse Proxy: installation/reverse-proxy.md
- - Flows:
- Overview: flow/flows.md
- Examples: flow/examples/examples.md
- - Stages:
- - Captcha Stage: flow/stages/captcha/index.md
- - Dummy Stage: flow/stages/dummy/index.md
- - Email Stage: flow/stages/email/index.md
- - Identification Stage: flow/stages/identification/index.md
- - Invitation Stage: flow/stages/invitation/index.md
- - OTP Stage: flow/stages/otp/index.md
- - Password Stage: flow/stages/password/index.md
- - Prompt Stage: flow/stages/prompt/index.md
- - Prompt Stage Validation: flow/stages/prompt/validation.md
- - User Delete Stage: flow/stages/user_delete.md
- - User Login Stage: flow/stages/user_login.md
- - User Logout Stage: flow/stages/user_logout.md
- - User Write Stage: flow/stages/user_write.md
- - Sources: sources.md
- - Providers:
- - OAuth2: providers/oauth2.md
- - SAML: providers/saml.md
- - Proxy: providers/proxy.md
- - Outposts:
- - Overview: outposts/outposts.md
- - Upgrading: outposts/upgrading.md
- - Deploy on docker-compose: outposts/deploy-docker-compose.md
- - Deploy on Kubernetes: outposts/deploy-kubernetes.md
- - Expressions:
- - Overview: expressions/index.md
- - Reference:
- - User Object: expressions/reference/user-object.md
- - Property Mappings:
- - Overview: property-mappings/index.md
- - Expressions: property-mappings/expression.md
- - Policies:
- - Overview: policies/index.md
- - Expression: policies/expression.md
- - Integrations:
- - as Source:
- - Active Directory: integrations/sources/active-directory/index.md
- - as Provider:
- - Amazon Web Services: integrations/services/aws/index.md
- - GitLab: integrations/services/gitlab/index.md
- - Rancher:
integrations/services/rancher/index.md
-  - Harbor: integrations/services/harbor/index.md
-  - Sentry: integrations/services/sentry/index.md
-  - Ansible Tower/AWX: integrations/services/tower-awx/index.md
-  - VMware vCenter: integrations/services/vmware-vcenter/index.md
-  - Ubuntu Landscape: integrations/services/ubuntu-landscape/index.md
-  - Sonarr: integrations/services/sonarr/index.md
-  - Tautulli: integrations/services/tautulli/index.md
-  - Maintenance:
-  - Backups: maintenance/backups/index.md
-  - Upgrading:
-  - to 0.9: upgrading/to-0.9.md
-  - to 0.10: upgrading/to-0.10.md
-  - to 0.11: upgrading/to-0.11.md
-  - to 0.12: upgrading/to-0.12.md
-  - Troubleshooting:
-  - Access problems: troubleshooting/access.md
-
-repo_name: "BeryJu/passbook"
-repo_url: https://github.com/BeryJu/passbook
-theme:
- name: material
- logo: images/logo.svg
- favicon: images/logo.svg
- palette:
- scheme: slate
- primary: white
-
-markdown_extensions:
- - toc:
- permalink: "¶"
- - admonition
- - codehilite
- - pymdownx.betterem:
- smart_enable: all
- - pymdownx.inlinehilite
- - pymdownx.magiclink
- - attr_list
-
-plugins:
- - search
diff --git a/passbook/admin/views/flows.py b/passbook/admin/views/flows.py
index b67ad35af..c45dbaf1b 100644
--- a/passbook/admin/views/flows.py
+++ b/passbook/admin/views/flows.py
@@ -147,5 +147,5 @@ class FlowExportView(LoginRequiredMixin, PermissionRequiredMixin, DetailView):
 flow: Flow = self.get_object()
 exporter = FlowExporter(flow)
 response = JsonResponse(exporter.export(), encoder=DataclassEncoder, safe=False)
- response["Content-Disposition"] = f'attachment; filename="{flow.slug}.json"'
+ response["Content-Disposition"] = f'attachment; filename="{flow.slug}.pbflow"'
 return response
diff --git a/passbook/flows/forms.py b/passbook/flows/forms.py
index bc2f01c74..c0ac69749 100644
--- a/passbook/flows/forms.py
+++ b/passbook/flows/forms.py
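Review bot: The `pbflow` extension is now a bare literal in three places — the `Content-Disposition` filename in this hunk, the `FileExtensionValidator(allowed_extensions=["pbflow"])` in passbook/flows/forms.py, and the `glob("website/static/flows/*.pbflow")` in passbook/flows/tests/test_transfer_docs.py — so a later rename has to touch all three to keep importer, exporter and fixtures consistent. A single shared constant such as `FLOW_FILE_EXTENSION = "pbflow"` next to `FlowExporter`, used here as `filename="{flow.slug}.{FLOW_FILE_EXTENSION}"`, would remove that coupling. The header also interpolates `flow.slug` straight into a quoted `filename=` parameter; that is harmless if `slug` is a Django `SlugField` (limited to `[-a-zA-Z0-9_]`), which this hunk does not show, but any `"` or non-ASCII character in it would yield a malformed header, so worth confirming. The enclosing method of `FlowExportView` starts outside the hunk.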
@@ -1,6 +1,7 @@
 """Flow and Stage forms"""
 from django import forms
+from django.core.validators import FileExtensionValidator
 from django.forms import ValidationError
 from django.utils.translation import gettext_lazy as _
@@ -62,7 +63,9 @@ class FlowStageBindingForm(forms.ModelForm):
 class FlowImportForm(forms.Form):
 """Form used for flow importing"""
- flow = forms.FileField()
+ flow = forms.FileField(
+ validators=[FileExtensionValidator(allowed_extensions=["pbflow"])]
+ )
 def clean_flow(self):
 """Check if the flow is valid and rewind the file to the start"""
diff --git a/passbook/flows/tests/test_transfer_docs.py b/passbook/flows/tests/test_transfer_docs.py
index 9208c9c6e..cad4a9536 100644
--- a/passbook/flows/tests/test_transfer_docs.py
+++ b/passbook/flows/tests/test_transfer_docs.py
@@ -12,7 +12,7 @@ class TestTransferDocs(TransactionTestCase):
 """Empty class, test methods are added dynamically"""
-def generic_view_tester(file_name: str) -> Callable:
+def pbflow_tester(file_name: str) -> Callable:
 """This is used instead of subTest for better visibility"""
 def tester(self: TestTransferDocs):
@@ -24,8 +24,6 @@ def generic_view_tester(file_name: str) -> Callable:
 return tester
-for flow_file in glob("docs/flow/examples/*.json"):
+for flow_file in glob("website/static/flows/*.pbflow"):
 method_name = Path(flow_file).stem.replace("-", "_").replace(".", "_")
- setattr(
- TestTransferDocs, f"test_flow_{method_name}", generic_view_tester(flow_file)
- )
+ setattr(TestTransferDocs, f"test_flow_{method_name}", pbflow_tester(flow_file))
diff --git a/passbook/lib/default.yml b/passbook/lib/default.yml
index 5d911a651..f23cb4f47 100644
--- a/passbook/lib/default.yml
+++ b/passbook/lib/default.yml
@@ -30,6 +30,6 @@ passbook:
 # Optionally add links to the footer on the login page
 footer_links:
 - name: Documentation
- href: https://passbook.beryju.org/
+ href: https://passbook.beryju.org/docs/
 # - name: test
 # href: https://test
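Review bot: `FileExtensionValidator` on the new `flow` field only inspects the uploaded file's *name*, so it is a usability gate rather than a content check — any file renamed to `.pbflow` passes it, and `clean_flow` below remains the place where the upload is actually parsed and rejected. A one-line comment on the field would stop the next reader from mistaking it for the validation step: `# Name-based check only; clean_flow() validates the actual contents`. Django also lower-cases the extension before comparing, so an upload named `FLOW.PBFLOW` is accepted too, which is presumably intended. The import hunk above is fine as is.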
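Review bot: The rewritten collection loop in passbook/flows/tests/test_transfer_docs.py stays silent when `glob("website/static/flows/*.pbflow")` matches nothing — the path is relative to the working directory the test runner starts in, and a mistyped or relocated fixture directory would leave `TestTransferDocs` with no generated methods and a green run. Binding the result first and asserting it is non-empty catches that regression: `flow_files = glob("website/static/flows/*.pbflow")` followed by `assert flow_files, "no .pbflow fixtures found"` ahead of the `for` loop. The body of `tester` lies outside the hunk.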
diff --git a/passbook/outposts/templates/outposts/deployment_modal.html b/passbook/outposts/templates/outposts/deployment_modal.html
index f0c612c93..f18b2a7bc 100644
--- a/passbook/outposts/templates/outposts/deployment_modal.html
+++ b/passbook/outposts/templates/outposts/deployment_modal.html
@@ -12,7 +12,7 @@

{% trans 'Outpost Deployment Info' %}